From 642dad3afa2536c9c42e7e96a10da5e815f6f2bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?=
Date: Mon, 1 Dec 2025 16:22:00 +0800
Subject: [PATCH] update(treewide): Update to NixOS 25.11
---
configuration/hardware-specific/vm.nix | 8 +++++
configuration/nginx/ssl.nix | 34 +++++++++----------
configuration/services/foundryvtt.nix | 2 +-
configuration/services/nextcloud.nix | 4 +--
configuration/services/ntfy-sh/default.nix | 1 -
configuration/services/starbound.nix | 2 +-
configuration/services/webserver.nix | 2 +-
flake.lock | 32 +++++------------
flake.nix | 8 ++---
modules/crowdsec/default.nix | 2 +-
.../remediations/cs-firewall-bouncer.nix | 2 +-
pkgs/default.nix | 7 ++--
12 files changed, 44 insertions(+), 60 deletions(-)
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index aa360aa..70c1b58 100644
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -43,6 +43,14 @@ source = ../../keys/hosts/staging.key; };
+ # Pretend the acme renew succeeds.
+ #
+ # TODO(tlater): Set up pebble to retrieve certs "properly"
+ # instead
+ systemd.services."acme-order-renew-tlater.net".script = ''
+ touch out/acme-success
+ '';
+
virtualisation.vmVariant = { virtualisation = { memorySize = 3941;
diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix
index 56bfa78..f3fac13 100644
--- a/configuration/nginx/ssl.nix
+++ b/configuration/nginx/ssl.nix
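Review bot: The added `systemd.services."acme-order-renew-tlater.net".script` override is a sibling of the `virtualisation.vmVariant` attribute that follows it, so it is not scoped to the VM variant: every configuration that imports this module gets a renew unit that only runs `touch out/acme-success` and reports success without any ACME order, which would mean silently expiring certificates if the file is ever shared with a real host. The file name suggests VM-only use, but nothing visible enforces that; consider moving the override under `virtualisation.vmVariant`, or keeping a guard like the `ExecCondition` that configuration/nginx/ssl.nix drops in this same commit. The same stub is duplicated in the ssl.nix test section, so one shared test module would stop the two copies drifting apart. The relative `out/acme-success` path presumably depends on the WorkingDirectory the acme module sets for this unit; worth naming that in the comment, e.g. `# out/ is relative to the WorkingDirectory the acme module sets -- confirm`.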
@@ -51,20 +51,9 @@ paths = [ "/var/lib/acme/tlater.net" ]; };
- systemd.services = {
- nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ];
-
- # Don't attempt to retrieve a certificate if the domain name
- # doesn't *actually* match the cert name
- #
- # TODO(tlater): Set up pebble to retrieve certs "properly"
- # instead
- "acme-tlater.net".serviceConfig.ExecCondition =
- let
- confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';
- in
- ''${pkgs.runtimeShell} -c '${confirm}' '';
- };
+ systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs."tlater.net".group
+ ];
sops.secrets = { "porkbun/api-key".owner = "acme";
@@ -85,10 +74,18 @@ security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ];
- services.nginx = {
- domain = "testHost";
+ # Pretend the acme renew succeeds.
+ #
+ # TODO(tlater): Set up pebble to retrieve certs "properly"
+ # instead
+ systemd.services."acme-order-renew-tlater.net".script = ''
+ touch out/acme-success
+ '';
- virtualHosts."${config.services.nginx.domain}" = {
+ services.nginx = {
+ domain = "testHost.test";
+
+ virtualHosts."${config.services.nginx.domain}.local" = {
useACMEHost = "tlater.net"; onlySSL = true; enableHSTS = true;
@@ -109,6 +106,7 @@ { pkgs, ... }: { environment.systemPackages = [ pkgs.curl ];
+ networking.hosts."192.168.1.2" = [ "testHost.test" ];
}; };
@@ -125,7 +123,7 @@ "--silent", "--dump-header -", "--cacert /certs/tlater.net/fullchain.pem",
- "https://testHost",
+ "https://testHost.test",
"-o /dev/null" ]))
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index 5c8a21f..d7b9d02 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
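Review bot: In the second hunk the test virtual host is now `virtualHosts."${config.services.nginx.domain}.local"` (server_name testHost.test.local), while `extraDomainNames` only adds `config.services.nginx.domain`, the `networking.hosts` entry in the third hunk maps `testHost.test`, and the curl check in the last hunk requests `https://testHost.test`; the request matches no server_name and presumably succeeds only because nginx falls back to this block as the default server, and the certificate never covers the `.local` name. If the suffix is deliberate, a comment stating why would help; otherwise `virtualHosts."${config.services.nginx.domain}" = {` keeps server_name, certificate SAN and test URL aligned. The first hunk also removes the `ExecCondition` guard on the old `acme-tlater.net` unit (the unit appears to have been renamed, since the new stub targets `acme-order-renew-tlater.net`) without a replacement outside the test section, so a host whose `services.nginx.domain` is not `tlater.net` and that does not apply the stub will now attempt a real ACME order for the `tlater.net` certificate; if that is the intended 25.11 behaviour, a sentence in the commit message would record it. The test attribute set that the second hunk edits begins before the hunk.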
@@ -23,7 +23,7 @@ in minifyStaticFiles = true; proxySSL = true; proxyPort = 443;
- package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_13;
+ package = flake-inputs.foundryvtt.packages.${pkgs.stdenv.hostPlatform.system}.foundryvtt_13;
}; nginx.virtualHosts."${domain}" =
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 77cfa4c..30f79ed 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -5,7 +5,7 @@ ... }: let
- nextcloud = pkgs.nextcloud31;
+ nextcloud = pkgs.nextcloud32;
hostName = "nextcloud.${config.services.nginx.domain}"; in {
@@ -104,7 +104,7 @@ in }; # Ensure that this service doesn't start before postgres is ready
- systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
+ systemd.services.nextcloud-setup.after = [ "postgresql.target" ];
sops.secrets."nextcloud/tlater" = { owner = "nextcloud";
diff --git a/configuration/services/ntfy-sh/default.nix b/configuration/services/ntfy-sh/default.nix
index aacec91..39ace90 100644
--- a/configuration/services/ntfy-sh/default.nix
+++ b/configuration/services/ntfy-sh/default.nix
@@ -17,7 +17,6 @@ in services.ntfy-sh = { enable = true;
- package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.ntfy-sh;
environmentFile = config.sops.secrets."ntfy/users".path;
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
index 6b97471..888fc3e 100644
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@@ -19,7 +19,7 @@ in serviceConfig = { ExecStart = "${
- flake-inputs.self.packages.${pkgs.system}.starbound
+ flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.starbound
}/bin/launch-starbound ${./configs/starbound.json}"; Type = "simple";
diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index e8daeaf..ffe7480 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -20,7 +20,7 @@ in after = [ "network.target" ]; script = ''
- ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver}
+ ${lib.getExe flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.webserver}
''; environment = {
diff --git a/flake.lock b/flake.lock
index 3c65247..9ca0388 100644
--- a/flake.lock
+++ b/flake.lock
@@ -255,28 +255,15 @@ }, "nixpkgs": { "locked": {
- "lastModified": 1763509821,
- "narHash": "sha256-ibZr0ONEUA1W2WAdTzgm9/6jBE+tM20j1YW2FK4RZ/k=",
- "rev": "659aa6fa27619d04de231b4cc0c938905dfa01e9",
+ "lastModified": 1764522689,
+ "narHash": "sha256-GzkEBSHGkj8EyOxnxQvl9sx0x2S7JzH0hwCziF176T8=",
+ "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
"type": "tarball",
- "url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.812929.659aa6fa2761/nixexprs.tar.xz?lastModified=1763509821&rev=659aa6fa27619d04de231b4cc0c938905dfa01e9"
+ "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.650.8bb5646e0bed/nixexprs.tar.xz?lastModified=1764522689&rev=8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f"
}, "original": { "type": "tarball",
- "url": "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz"
- }
- },
- "nixpkgs-unstable": {
- "locked": {
- "lastModified": 1763835633,
- "narHash": "sha256-nzRnw0UkYQpDm0o20AKvG/5oHCXy5qEGOsFAVhB5NmA=",
- "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
- "type": "tarball",
- "url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre900642.050e09e09111/nixexprs.tar.xz?lastModified=1763835633&rev=050e09e091117c3d7328c7b2b7b577492c43c134"
- },
- "original": {
- "type": "tarball",
- "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
+ "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
} }, "pre-commit-hooks": {
@@ -325,7 +312,6 @@ "flint": "flint", "foundryvtt": "foundryvtt", "nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable",
"sonnenshift": "sonnenshift", "sops-nix": "sops-nix" }
@@ -338,11 +324,11 @@ ] }, "locked": {
- "lastModified": 1763619077,
- "narHash": "sha256-dlfamaoIzFEgwgtzPJuw5Tl5SqjbWcV8CsbP2hVBeuI=",
+ "lastModified": 1764578400,
+ "narHash": "sha256-8V0SpIcYyjpP+nAHfYJDof7CofLTwVVDo5QLZ0epjOQ=",
"ref": "refs/heads/main",
- "rev": "64a2c8a3743ea6897ecac6692fba8aebc3389fca",
- "revCount": 26,
+ "rev": "bf17617899692c9c2bfebfce87320a4174e6dc28",
+ "revCount": 27,
"type": "git", "url": "ssh://git@github.com/sonnenshift/battery-manager" },
diff --git a/flake.nix b/flake.nix
index 951eef5..10b52ec 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,7 @@ description = "tlater.net host configuration"; inputs = {
- nixpkgs.url = "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz";
- nixpkgs-unstable.url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz";
+ nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz";
## Nix/OS utilities
@@ -138,10 +137,7 @@ packages.${system} = { default = vm.config.system.build.vm; }
- // import ./pkgs {
- pkgs = nixpkgs.legacyPackages.${system};
- flake-inputs = inputs;
- };
+ // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; };
################### # Utility scripts #
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index 44e6bc5..9cb26f9 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -271,7 +271,7 @@ in # To add completions; sadly need to hand-roll this since # neither `symlinkJoin` nor `buildEnv` have collision # handling.
- (pkgs.runCommandNoCCLocal "cscli" { } ''
+ (pkgs.runCommandLocal "cscli" { } ''
mkdir -p $out ln -s ${cscli}/bin $out/bin ln -s ${cfg.package}/share $out/share
diff --git a/modules/crowdsec/remediations/cs-firewall-bouncer.nix b/modules/crowdsec/remediations/cs-firewall-bouncer.nix
index 42accc6..bdc6da8 100644
--- a/modules/crowdsec/remediations/cs-firewall-bouncer.nix
+++ b/modules/crowdsec/remediations/cs-firewall-bouncer.nix
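Review bot: The new `nixpkgs.url` in the flake.nix hunk points at `nixos-25.11`, whereas the old input tracked the `-small` variant (`nixos-25.05-small`), and the commit message mentions only the release bump, not the channel change. The `-small` channels advance with fewer blocking tests and so usually deliver security fixes to a server earlier; if the switch is deliberate, a short comment on the input, e.g. `# Full channel rather than -small: <REASON>`, would record it, otherwise `nixpkgs.url = "https://channels.nixos.org/nixos-25.11-small/nixexprs.tar.xz";` keeps the previous update cadence. The second flake.nix hunk's `import ./pkgs { pkgs = ...; }` matches the new `{ pkgs }:` signature in pkgs/default.nix, so nothing further is needed there.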
@@ -6,7 +6,7 @@ ... }: let
- inherit (flake-inputs.self.packages.${pkgs.system}) crowdsec-firewall-bouncer;
+ inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) crowdsec-firewall-bouncer;
crowdsecCfg = config.security.crowdsec; cfg = crowdsecCfg.remediationComponents.firewallBouncer;
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 1ce8cd2..31335a6 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,8 +1,5 @@
-{ pkgs, flake-inputs }:
-let
- inherit (flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}) ast-grep;
-in
+{ pkgs }:
pkgs.lib.packagesFromDirectoryRecursive {
- callPackage = pkgs.lib.callPackageWith (pkgs // { inherit ast-grep; });
+ inherit (pkgs) callPackage;
directory = ./packages; }
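Review bot: Switching from `callPackageWith (pkgs // { inherit ast-grep; })` to `inherit (pkgs) callPackage;` silently changes where any package under ./packages that declares an `ast-grep` argument gets it: from the pinned nixos-25.11 nixpkgs now, instead of the removed nixpkgs-unstable input. That is presumably the intent of dropping the unstable pin, but nothing in the hunk records that the 25.11 `ast-grep` is sufficient for those packages, and a future reader has no hint why the indirection existed. A one-line comment above the call, e.g. `# All package inputs, including ast-grep, come from the pinned nixpkgs; the unstable overlay is no longer needed since 25.11.`, would keep that decision from being reverted by reflex.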