From fc6be0c4c27dd00283bacb7c5cd3bcf1d5bab09c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net> Date: Sat, 24 May 2025 22:53:33 +0800 Subject: [PATCH] chore(treewide): Upgrade to NixOS 25.05 --- configuration/services/conduit/default.nix | 3 +- .../services/conduit/matrix-hookshot.nix | 42 +++++++++++++++---- configuration/services/metrics/grafana.nix | 9 +--- configuration/services/nextcloud.nix | 6 +-- flake.nix | 7 +--- modules/crowdsec/default.nix | 5 +-- 6 files changed, 43 insertions(+), 29 deletions(-) diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix index 58abc49..4ba5271 100644 --- a/configuration/services/conduit/default.nix +++ b/configuration/services/conduit/default.nix @@ -1,6 +1,5 @@ { pkgs, - flake-inputs, config, lib, ... @@ -21,7 +20,7 @@ in services = { matrix-conduit = { enable = true; - package = flake-inputs.continuwuity.packages.${pkgs.system}.default; + package = pkgs.matrix-continuwuity; settings.global = { address = "127.0.0.1"; server_name = domain; diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix index 6846d99..6b788b2 100644 --- a/configuration/services/conduit/matrix-hookshot.nix +++ b/configuration/services/conduit/matrix-hookshot.nix 
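Review bot: Replacing the flake input pinned to tag `v0.5.0-rc.5` with `pkgs.matrix-continuwuity` silently changes which continuwuity build runs, and the hunk records nothing about the version now in use; the old input was an explicit upstream tag, the new one is whatever the nixos-25.05-small branch packages. Because the homeserver keeps its database under the service's state and version upgrades of Matrix servers are usually not reversible, a maintainer would want a one-line pointer at the `package` line, e.g. `# Version follows nixpkgs 25.05 now (was pinned to v0.5.0-rc.5); check release notes for DB migrations before bumping`. The `settings.global` attrset continues past the end of the hunk.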
@@ -29,16 +29,29 @@ let }; # Encryption support - extraSettings = { - "de.sorunome.msc2409.push_ephemeral" = true; - push_ephemeral = true; - "org.matrix.msc3202" = true; - }; + # TODO(tlater): Enable when + # https://github.com/matrix-org/matrix-hookshot/issues/1060 is + # fixed + # extraSettings = { + # "de.sorunome.msc2409.push_ephemeral" = true; + # push_ephemeral = true; + # "org.matrix.msc3202" = true; + # }; runtimeRegistration = "${cfg.registrationFile}"; }; in { + # users = { + # users.matrix-hookshot = { + # home = "/run/matrix-hookshot"; + # group = "matrix-hookshot"; + # isSystemUser = true; + # }; + + # groups.matrix-hookshot = { }; + # }; + systemd.services.matrix-hookshot = { serviceConfig = { Type = lib.mkForce "exec"; @@ -49,6 +62,7 @@ in # Some library in matrix-hookshot wants a home directory Environment = [ "HOME=/run/matrix-hookshot" ]; + # User = "matrix-hookshot"; DynamicUser = true; StateDirectory = "matrix-hookshot"; RuntimeDirectory = "matrix-hookshot"; @@ -62,7 +76,11 @@ in ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_INET AF_INET6" ]; + RestrictAddressFamilies = [ + # "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; LockPersonality = true; RestrictRealtime = true; ProtectProc = "invisible"; @@ -71,6 +89,11 @@ in }; }; + # services.redis.servers.matrix-hookshot = { + # enable = true; + # user = "matrix-hookshot"; + # }; + services.matrix-hookshot = { enable = true; @@ -89,6 +112,8 @@ in bot.displayname = "Hookshot"; + # cache.redisUri = "redis://${config.services.redis.servers.matrix-hookshot.unixSocket}"; + generic = { enabled = true; outbound = false; @@ -98,7 +123,10 @@ in allowJsTransformationFunctions = true; }; - encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore"; + # TODO(tlater): Enable when + # https://github.com/matrix-org/matrix-hookshot/issues/1060 is + # fixed + # encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore"; permissions = [ { 
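Review bot: Commenting out `encryption.storagePath` and the msc2409/msc3202 `extraSettings` disables hookshot's end-to-end encryption support, but neither TODO says what that means for rooms the bot already bridges encrypted or for the existing `/var/lib/matrix-hookshot/cryptostore`, which stays on disk under `StateDirectory` with the bot's device keys. I would extend the TODO at the `encryption.storagePath` line with `# While disabled hookshot cannot read encrypted rooms; keep the old cryptostore so re-enabling does not need a new device` (hedged: whether the old store is reusable after issue 1060 is fixed should be confirmed). The other commented-out blocks in this hunk (`users.users.matrix-hookshot`, `services.redis.servers.matrix-hookshot`, `cache.redisUri`, `# User =`, `# "AF_UNIX"`) carry no explanation at all; either drop them or attach them to a TODO stating what they are waiting on, since `DynamicUser = true` and the `RestrictAddressFamilies` list without `AF_UNIX` are the settings actually in force. The `serviceConfig` and `services.matrix-hookshot` attrsets both continue outside the hunk.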
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix index b872833..b30806c 100644 --- a/configuration/services/metrics/grafana.nix +++ b/configuration/services/metrics/grafana.nix @@ -1,9 +1,4 @@ -{ - pkgs, - config, - flake-inputs, - ... -}: +{ pkgs, config, ... }: let domain = "metrics.${config.services.nginx.domain}"; in @@ -35,7 +30,7 @@ in declarativePlugins = [ pkgs.grafanaPlugins.victoriametrics-metrics-datasource - flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.grafanaPlugins.victoriametrics-logs-datasource + pkgs.grafanaPlugins.victoriametrics-logs-datasource ]; provision = { diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 2f8fa76..4af77a9 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -5,7 +5,7 @@ ... }: let - nextcloud = pkgs.nextcloud30; + nextcloud = pkgs.nextcloud31; hostName = "nextcloud.${config.services.nginx.domain}"; in { @@ -19,10 +19,10 @@ in packageOverrides = _: prev: { extensions = prev.extensions // { pgsql = prev.extensions.pgsql.overrideAttrs (_: { - configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ]; + configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package.pg_config}" ]; }); pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (_: { - configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ]; + configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package.pg_config}" ]; }); }; }; diff --git a/flake.nix b/flake.nix index 90716e5..da8455f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,12 +2,7 @@ description = "tlater.net host configuration"; inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; - continuwuity = { - url = "git+https://forgejo.ellis.link/continuwuation/continuwuity.git?ref=refs/tags/v0.5.0-rc.5"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05-small"; disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix index ac93c4a..44e6bc5 100644 --- a/modules/crowdsec/default.nix +++ b/modules/crowdsec/default.nix @@ -247,10 +247,7 @@ in online_client = { # By default, we don't let crowdsec phone home, since # this is usually within NixOS users' concerns. - # - # TODO: Enable when this option becomes available - # (1.6.4, current nixpkgs-unstable) - # sharing = lib.mkDefault false; + sharing = lib.mkDefault false; credentials_path = cfg.centralApiCredentials; }; };
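Review bot: The comment kept above the now-active `sharing = lib.mkDefault false;` promises more than the option enforces: `sharing = false` stops crowdsec from pushing its alerts to the central API, while the `credentials_path = cfg.centralApiCredentials;` line right below still lets the agent contact the central API whenever those credentials are supplied (as far as I can tell from the option's purpose; confirm against the crowdsec documentation). A wording that matches what is actually configured would be `# By default, don't push our alerts to the crowdsec central API; this is usually within NixOS users' concerns, so it is only mkDefault.` The `online_client` attrset and the module body around it continue outside the hunk.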