From 823caecc59d5eadf8cd8eee12895a292174684b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sat, 29 Nov 2025 23:32:50 +0800 Subject: [PATCH 01/24] feat(vm): Fix shutdown --- configuration/hardware-specific/vm.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index aa360aa..7696439 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -7,6 +7,8 @@ networking.hostName = "testvm"; + systemd.services.matrix-hookshot.enable = lib.mkForce false; + services = { # Sets the base domain for nginx to a local domain so that we can # easily test locally with the VM. From 4894f056e5eb09268c3b998e231ee61e5be59202 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 30 Nov 2025 15:53:28 +0800 Subject: [PATCH 02/24] feat(grafana): Provision ntfy as a contact point --- configuration/services/metrics/grafana.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix index 765a364..078f27c 100644 --- a/configuration/services/metrics/grafana.nix +++ b/configuration/services/metrics/grafana.nix @@ -57,6 +57,19 @@ in access = "proxy"; } ]; + + alerting.contactPoints.settings.contactPoints = [ + { + name = "ntfy"; + receivers = [ + { + uid = "ntfy"; + type = "webhook"; + settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana"; + } + ]; + } + ]; }; }; From 642dad3afa2536c9c42e7e96a10da5e815f6f2bd Mon Sep 17 00:00:00 2001 
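Review bot: The webhook receiver added in grafana.nix posts to ntfy over plain HTTP with no credentials, and its `settings.url` is interpolated directly from `services.ntfy-sh.settings.listen-http`. ntfy accepts a listen address without a host part (for example `:2586`, a constructed value), which would yield a URL with an empty host. The ntfy module in this repository also loads a users file, so if anonymous publishing is denied these alerts would be rejected, and if it is allowed then anything that can reach the listener can post fake alerts to `local-alerts`. Consider pinning the host explicitly and giving Grafana its own publish-only token, e.g. `settings.authorization_scheme = "Bearer";` with `settings.authorization_credentials = "$__file{<PATH_TO_NTFY_TOKEN_SECRET>}";`, so the token stays out of the Nix store. The identical hunk appears again in PATCH 04/24 for the same file.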
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Mon, 1 Dec 2025 16:22:00 +0800 Subject: [PATCH 03/24] update(treewide): Update to NixOS 25.11 --- configuration/hardware-specific/vm.nix | 8 +++++ configuration/nginx/ssl.nix | 34 +++++++++---------- configuration/services/foundryvtt.nix | 2 +- configuration/services/nextcloud.nix | 4 +-- configuration/services/ntfy-sh/default.nix | 1 - configuration/services/starbound.nix | 2 +- configuration/services/webserver.nix | 2 +- flake.lock | 32 +++++------------ flake.nix | 8 ++--- modules/crowdsec/default.nix | 2 +- .../remediations/cs-firewall-bouncer.nix | 2 +- pkgs/default.nix | 7 ++-- 12 files changed, 44 insertions(+), 60 deletions(-) diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index aa360aa..70c1b58 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -43,6 +43,14 @@ source = ../../keys/hosts/staging.key; }; + # Pretend the acme renew succeeds. + # + # TODO(tlater): Set up pebble to retrieve certs "properly" + # instead + systemd.services."acme-order-renew-tlater.net".script = '' + touch out/acme-success + ''; + virtualisation.vmVariant = { virtualisation = { memorySize = 3941; diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix index 56bfa78..f3fac13 100644 --- a/configuration/nginx/ssl.nix +++ b/configuration/nginx/ssl.nix 
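Review bot: The stub assigned to `systemd.services."acme-order-renew-tlater.net".script` in vm.nix is a plain definition, and `script` is a lines-typed option, so if the NixOS acme module also sets a script for this unit the two would be concatenated rather than the stub replacing it. If the intent is that the VM never attempts a real order, wrapping the value as `script = lib.mkForce '' ... '';` states that explicitly. The same applies to the identical stub added to the test node in configuration/nginx/ssl.nix. Inspecting the rendered unit inside the VM would confirm which behaviour is in effect.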
@@ -51,20 +51,9 @@ paths = [ "/var/lib/acme/tlater.net" ]; }; - systemd.services = { - nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ]; - - # Don't attempt to retrieve a certificate if the domain name - # doesn't *actually* match the cert name - # - # TODO(tlater): Set up pebble to retrieve certs "properly" - # instead - "acme-tlater.net".serviceConfig.ExecCondition = - let - confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]''; - in - ''${pkgs.runtimeShell} -c '${confirm}' ''; - }; + systemd.services.nginx.serviceConfig.SupplementaryGroups = [ + config.security.acme.certs."tlater.net".group + ]; sops.secrets = { "porkbun/api-key".owner = "acme"; @@ -85,10 +74,18 @@ security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ]; - services.nginx = { - domain = "testHost"; + # Pretend the acme renew succeeds. + # + # TODO(tlater): Set up pebble to retrieve certs "properly" + # instead + systemd.services."acme-order-renew-tlater.net".script = '' + touch out/acme-success + ''; - virtualHosts."${config.services.nginx.domain}" = { + services.nginx = { + domain = "testHost.test"; + + virtualHosts."${config.services.nginx.domain}.local" = { useACMEHost = "tlater.net"; onlySSL = true; enableHSTS = true; @@ -109,6 +106,7 @@ { pkgs, ... }: { environment.systemPackages = [ pkgs.curl ]; + networking.hosts."192.168.1.2" = [ "testHost.test" ]; }; }; @@ -125,7 +123,7 @@ "--silent", "--dump-header -", "--cacert /certs/tlater.net/fullchain.pem", - "https://testHost", + "https://testHost.test", "-o /dev/null" ])) diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix index 5c8a21f..d7b9d02 100644 --- a/configuration/services/foundryvtt.nix +++ b/configuration/services/foundryvtt.nix 
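Review bot: Dropping the `ExecCondition` on `acme-tlater.net` in the first ssl.nix hunk turns a fail-safe guard into an opt-in one, because protection against ordering certificates for a mismatched domain now lives in per-host stubs instead of this shared module. In this patch only vm.nix and the test node carry the `acme-order-renew-tlater.net` override. Any other non-production host importing this file would, as far as the hunk shows, run the real order using the porkbun credentials declared just below. Consider keeping an equivalent condition on the new unit name, or at least a comment here such as `# non-production hosts must stub acme-order-renew-tlater.net, see hardware-specific/vm.nix`.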
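Review bot: The test vhost in the second ssl.nix hunk is now keyed as `virtualHosts."${config.services.nginx.domain}.local"`, which evaluates to `testHost.test.local`, while the hosts entry, the certificate's extra domain name and the curl target all use `testHost.test`. The HSTS assertion would then presumably pass only through nginx's default-server fallback rather than a name match, and would stop exercising this vhost if another server block became the default. If the suffix is not intentional, `virtualHosts."${config.services.nginx.domain}" = {` keeps the names aligned. The test definition starts and ends outside this hunk.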
@@ -23,7 +23,7 @@ in minifyStaticFiles = true; proxySSL = true; proxyPort = 443; - package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_13; + package = flake-inputs.foundryvtt.packages.${pkgs.stdenv.hostPlatform.system}.foundryvtt_13; }; nginx.virtualHosts."${domain}" = diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 77cfa4c..30f79ed 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -5,7 +5,7 @@ ... }: let - nextcloud = pkgs.nextcloud31; + nextcloud = pkgs.nextcloud32; hostName = "nextcloud.${config.services.nginx.domain}"; in { @@ -104,7 +104,7 @@ in }; # Ensure that this service doesn't start before postgres is ready - systemd.services.nextcloud-setup.after = [ "postgresql.service" ]; + systemd.services.nextcloud-setup.after = [ "postgresql.target" ]; sops.secrets."nextcloud/tlater" = { owner = "nextcloud"; diff --git a/configuration/services/ntfy-sh/default.nix b/configuration/services/ntfy-sh/default.nix index aacec91..39ace90 100644 --- a/configuration/services/ntfy-sh/default.nix +++ b/configuration/services/ntfy-sh/default.nix @@ -17,7 +17,6 @@ in services.ntfy-sh = { enable = true; - package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.ntfy-sh; environmentFile = config.sops.secrets."ntfy/users".path; diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix index 6b97471..888fc3e 100644 --- a/configuration/services/starbound.nix +++ b/configuration/services/starbound.nix @@ -19,7 +19,7 @@ in serviceConfig = { ExecStart = "${ - flake-inputs.self.packages.${pkgs.system}.starbound + flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.starbound }/bin/launch-starbound ${./configs/starbound.json}"; Type = "simple"; diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix index e8daeaf..ffe7480 100644 --- a/configuration/services/webserver.nix 
+++ b/configuration/services/webserver.nix @@ -20,7 +20,7 @@ in after = [ "network.target" ]; script = '' - ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver} + ${lib.getExe flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.webserver} ''; environment = { diff --git a/flake.lock b/flake.lock index 3c65247..9ca0388 100644 --- a/flake.lock +++ b/flake.lock @@ -255,28 +255,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1763509821, - "narHash": "sha256-ibZr0ONEUA1W2WAdTzgm9/6jBE+tM20j1YW2FK4RZ/k=", - "rev": "659aa6fa27619d04de231b4cc0c938905dfa01e9", + "lastModified": 1764522689, + "narHash": "sha256-GzkEBSHGkj8EyOxnxQvl9sx0x2S7JzH0hwCziF176T8=", + "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.812929.659aa6fa2761/nixexprs.tar.xz?lastModified=1763509821&rev=659aa6fa27619d04de231b4cc0c938905dfa01e9" + "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.650.8bb5646e0bed/nixexprs.tar.xz?lastModified=1764522689&rev=8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f" }, "original": { "type": "tarball", - "url": "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1763835633, - "narHash": "sha256-nzRnw0UkYQpDm0o20AKvG/5oHCXy5qEGOsFAVhB5NmA=", - "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", - "type": "tarball", - "url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre900642.050e09e09111/nixexprs.tar.xz?lastModified=1763835633&rev=050e09e091117c3d7328c7b2b7b577492c43c134" - }, - "original": { - "type": "tarball", - "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" + "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz" } }, "pre-commit-hooks": { @@ -325,7 +312,6 @@ "flint": "flint", "foundryvtt": "foundryvtt", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", "sonnenshift": "sonnenshift", "sops-nix": "sops-nix" } 
@@ -338,11 +324,11 @@ ] }, "locked": { - "lastModified": 1763619077, - "narHash": "sha256-dlfamaoIzFEgwgtzPJuw5Tl5SqjbWcV8CsbP2hVBeuI=", + "lastModified": 1764578400, + "narHash": "sha256-8V0SpIcYyjpP+nAHfYJDof7CofLTwVVDo5QLZ0epjOQ=", "ref": "refs/heads/main", - "rev": "64a2c8a3743ea6897ecac6692fba8aebc3389fca", - "revCount": 26, + "rev": "bf17617899692c9c2bfebfce87320a4174e6dc28", + "revCount": 27, "type": "git", "url": "ssh://git@github.com/sonnenshift/battery-manager" }, diff --git a/flake.nix b/flake.nix index 951eef5..10b52ec 100644 --- a/flake.nix +++ b/flake.nix @@ -2,8 +2,7 @@ description = "tlater.net host configuration"; inputs = { - nixpkgs.url = "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz"; - nixpkgs-unstable.url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"; + nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"; ## Nix/OS utilities @@ -138,10 +137,7 @@ packages.${system} = { default = vm.config.system.build.vm; } - // import ./pkgs { - pkgs = nixpkgs.legacyPackages.${system}; - flake-inputs = inputs; - }; + // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; }; ################### # Utility scripts # diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix index 44e6bc5..9cb26f9 100644 --- a/modules/crowdsec/default.nix +++ b/modules/crowdsec/default.nix @@ -271,7 +271,7 @@ in # To add completions; sadly need to hand-roll this since # neither `symlinkJoin` nor `buildEnv` have collision # handling. - (pkgs.runCommandNoCCLocal "cscli" { } '' + (pkgs.runCommandLocal "cscli" { } '' mkdir -p $out ln -s ${cscli}/bin $out/bin ln -s ${cfg.package}/share $out/share diff --git a/modules/crowdsec/remediations/cs-firewall-bouncer.nix b/modules/crowdsec/remediations/cs-firewall-bouncer.nix index 42accc6..bdc6da8 100644 --- a/modules/crowdsec/remediations/cs-firewall-bouncer.nix +++ b/modules/crowdsec/remediations/cs-firewall-bouncer.nix 
@@ -6,7 +6,7 @@ ... }: let - inherit (flake-inputs.self.packages.${pkgs.system}) crowdsec-firewall-bouncer; + inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) crowdsec-firewall-bouncer; crowdsecCfg = config.security.crowdsec; cfg = crowdsecCfg.remediationComponents.firewallBouncer; diff --git a/pkgs/default.nix b/pkgs/default.nix index 1ce8cd2..31335a6 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,8 +1,5 @@ -{ pkgs, flake-inputs }: -let - inherit (flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}) ast-grep; -in +{ pkgs }: pkgs.lib.packagesFromDirectoryRecursive { - callPackage = pkgs.lib.callPackageWith (pkgs // { inherit ast-grep; }); + inherit (pkgs) callPackage; directory = ./packages; } From 4b9da36a2502fc383684809ec9d5aceec746c24f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 30 Nov 2025 15:53:28 +0800 Subject: [PATCH 04/24] feat(grafana): Use ntfy for alerts instead of matrix-hookshot --- configuration/services/conduit/default.nix | 5 +- .../services/conduit/matrix-hookshot.nix | 172 ------------------ configuration/services/metrics/grafana.nix | 13 ++ .../services/metrics/victoriametrics.nix | 4 - keys/production.yaml | 7 +- keys/staging.yaml | 7 +- 6 files changed, 18 insertions(+), 190 deletions(-) delete mode 100644 configuration/services/conduit/matrix-hookshot.nix diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix index b6f8f27..a4c91d3 100644 --- a/configuration/services/conduit/default.nix +++ b/configuration/services/conduit/default.nix @@ -12,10 +12,7 @@ let turn-realm = "turn.${config.services.nginx.domain}"; in { - imports = [ - ./heisenbridge.nix - ./matrix-hookshot.nix - ]; + imports = [ ./heisenbridge.nix ]; networking.firewall = { allowedTCPPorts = [ diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix deleted file mode 100644 index c1fec82..0000000 
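Review bot: Removing `./matrix-hookshot.nix` from `imports` in conduit/default.nix stops the bridge and its secrets from being deployed, but nothing in this patch unregisters the appservice from the homeserver. If the hookshot registration is still stored in conduit, the `as-token` deleted from keys/production.yaml and keys/staging.yaml would remain valid for the `_webhooks_` user namespace, and it is still recoverable from git history by anyone holding the sops keys. It is worth unregistering the appservice on both hosts and recording that next to the import, e.g. `# matrix-hookshot removed; appservice must also be unregistered in conduit`.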
--- a/configuration/services/conduit/matrix-hookshot.nix +++ /dev/null 
@@ -1,172 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: -let - matrixLib = pkgs.callPackage ./lib.nix { }; - - cfg = config.services.matrix-hookshot; - conduitCfg = config.services.matrix-conduit; - - domain = conduitCfg.settings.global.server_name; - - registration = matrixLib.writeRegistrationScript { - id = "matrix-hookshot"; - url = "http://127.0.0.1:9993"; - sender_localpart = "hookshot"; - - namespaces = { - aliases = [ ]; - rooms = [ ]; - users = [ - { - regex = "@${cfg.settings.generic.userIdPrefix}.*:${domain}"; - exclusive = true; - } - ]; - }; - - # Encryption support - # TODO(tlater): Enable when - # https://github.com/matrix-org/matrix-hookshot/issues/1060 is - # fixed - # extraSettings = { - # "de.sorunome.msc2409.push_ephemeral" = true; - # push_ephemeral = true; - # "org.matrix.msc3202" = true; - # }; - - runtimeRegistration = "${cfg.registrationFile}"; - }; -in -{ - # users = { - # users.matrix-hookshot = { - # home = "/run/matrix-hookshot"; - # group = "matrix-hookshot"; - # isSystemUser = true; - # }; - - # groups.matrix-hookshot = { }; - # }; - - systemd.services.matrix-hookshot = { - serviceConfig = { - Type = lib.mkForce "exec"; - - LoadCredential = "matrix-hookshot:/run/secrets/matrix-hookshot"; - inherit (registration) ExecStartPre; - - # Some library in matrix-hookshot wants a home directory - Environment = [ "HOME=/run/matrix-hookshot" ]; - - # User = "matrix-hookshot"; - DynamicUser = true; - StateDirectory = "matrix-hookshot"; - RuntimeDirectory = "matrix-hookshot"; - RuntimeDirectoryMode = "0700"; - - RestrictNamespaces = true; - PrivateUsers = true; - ProtectHostname = true; - ProtectClock = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectControlGroups = true; - RestrictAddressFamilies = [ - # "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; - LockPersonality = true; - RestrictRealtime = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - UMask = 77; - }; - }; - - # 
services.redis.servers.matrix-hookshot = { - # enable = true; - # user = "matrix-hookshot"; - # }; - - services.matrix-hookshot = { - enable = true; - - serviceDependencies = [ "conduit.service" ]; - - registrationFile = "/run/matrix-hookshot/registration.yaml"; - - settings = { - bridge = { - inherit domain; - url = "http://localhost:${toString conduitCfg.settings.global.port}"; - mediaUrl = conduitCfg.settings.global.well_known.client; - port = 9993; - bindAddress = "127.0.0.1"; - }; - - bot.displayname = "Hookshot"; - - # cache.redisUri = "redis://${config.services.redis.servers.matrix-hookshot.unixSocket}"; - - generic = { - enabled = true; - outbound = false; - # Only allow webhooks from localhost for the moment - urlPrefix = "http://127.0.0.1:9000/webhook"; - userIdPrefix = "_webhooks_"; - allowJsTransformationFunctions = true; - }; - - # TODO(tlater): Enable when - # https://github.com/matrix-org/matrix-hookshot/issues/1060 is - # fixed - # encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore"; - - permissions = [ - { - actor = "matrix.tlater.net"; - services = [ - { - service = "*"; - level = "notifications"; - } - ]; - } - { - actor = "@tlater:matrix.tlater.net"; - services = [ - { - service = "*"; - level = "admin"; - } - ]; - } - ]; - - listeners = [ - { - port = 9000; - resources = [ "webhooks" ]; - } - { - port = 9001; - resources = [ "metrics" ]; - } - ]; - - metrics.enabled = true; - }; - }; - - sops.secrets = { - # Accessed via systemd cred through /run/secrets/matrix-hookshot - "matrix-hookshot/as-token" = { }; - "matrix-hookshot/hs-token" = { }; - }; -} diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix index 765a364..078f27c 100644 --- a/configuration/services/metrics/grafana.nix +++ b/configuration/services/metrics/grafana.nix 
@@ -57,6 +57,19 @@ in access = "proxy"; } ]; + + alerting.contactPoints.settings.contactPoints = [ + { + name = "ntfy"; + receivers = [ + { + uid = "ntfy"; + type = "webhook"; + settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana"; + } + ]; + } + ]; }; }; diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index 96e09e5..71741b5 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -89,10 +89,6 @@ in "127.0.0.1:8082" ]; - # Configured in the hookshot listeners, but it's hard to filter - # the correct values out of that config. - matrixHookshot.targets = [ "127.0.0.1:9001" ]; - victorialogs.targets = [ config.services.victorialogs.bindAddress ]; }; }; diff --git a/keys/production.yaml b/keys/production.yaml index ccbee64..6a60c40 100644 --- a/keys/production.yaml +++ b/keys/production.yaml 
@@ -20,9 +20,6 @@ steam: heisenbridge: as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str] hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str] -matrix-hookshot: - as-token: ENC[AES256_GCM,data:nXTanPhDyDF7R3AllLqpM5dzljBrHwlh1KJnTGIi5PhbDY2lPj4+uXkMEwvm1u+hQjPyM7vKZPfK+0/dms6Y7A==,iv:fSakJN+yai0gfOJKFxxaxgyUtk0pNmIeqVgrdq92/24=,tag:Qc7+SUnm5/Nq5+QIScR9kQ==,type:str] - hs-token: ENC[AES256_GCM,data:Bwyj0JTTN0NNnwOs1zA8CqbtZSNcvlINeT7QVc2eJiHda92J6vQk7bSxy6KuqCN9DxlUsK13ggYjNORY2vic5w==,iv:Npnp8arYQ3Yb6CXrnKgE03hD7ZjGINPa/DwFI8D+5tA=,tag:FqNE6yI0nF4puEUw9MGAjQ==,type:str] wireguard: server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str] restic: 
@@ -32,8 +29,8 @@ turn: env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str] secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str] sops: - lastmodified: "2025-11-29T14:52:24Z" - mac: ENC[AES256_GCM,data:RC18s48jxRFQMtbmu74P7G4uhm2yHk9TB0wN7z4g8SNE3nfkYMvHAJqPr3A3dO+T33zkTFcSRm7fhWItUahTCW3fO10u6kDvWbnyjlSuAy86Tkz2iqeW4iSOzKswDptAgb/B+juAHhEMxDnkG5vpPlIcD0SVP89NlflXftogOqw=,iv:2vN2TJvzePzBJfUeBxvGXwGmRsB5sopqyWm9uUv/rzA=,tag:C6UOWrUxVsRMFncL1y1eTQ==,type:str] + lastmodified: "2025-12-01T11:39:17Z" + mac: ENC[AES256_GCM,data:TwhGOW/V9/IoBifzh1MSwy/ff7ONTnxEmwERD8Yl2E27WG/6dTVz0/nIlZ8KsEKLC6vB2m+sJT+14Q9KCj4Cn/bWV1PmhytktGPxLQpgF55+pZlSK1aLUPLq0hwE93b4MAeOvzoOXtCQguh1dsB2RkinabFoMeZ2xJ7Kc+jHlfA=,iv:Ri8aEA4tssGDv2UuKeza8vs94IovM9GARLIEapb9Ya0=,tag:MDgAffj7ndmMwpw7mBXNRg==,type:str] pgp: - created_at: "2025-10-03T21:38:48Z" enc: |- diff --git a/keys/staging.yaml b/keys/staging.yaml index 20ee3db..b5c8533 100644 --- a/keys/staging.yaml +++ b/keys/staging.yaml 
@@ -21,9 +21,6 @@ steam: heisenbridge: as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str] hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str] -matrix-hookshot: - as-token: ENC[AES256_GCM,data:uSUOo4f2KqA=,iv:Xb9G8Ecv6m59m51kDw2bOfq3SMJt4g9/6/EdH74R+KM=,tag:K9MSfO2c2Y4rlf0eYrmTnw==,type:str] - hs-token: ENC[AES256_GCM,data:0KsyA06InL4=,iv:zAR0Y1fk8SyodcSLBHlQ8I+BAmttz9Hkd8Q3OREFqs4=,tag:t1Et8N/3seq95DeGoUd7Sw==,type:str] wireguard: server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str] restic: @@ -33,8 +30,8 @@ turn: env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str] secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str] sops: - lastmodified: "2025-11-29T11:54:33Z" - mac: ENC[AES256_GCM,data:SaTvwxfARVou/ZjrWfdC8J6je8l89Zuumdz7PkmY2Tl2CQVxZmEt4AyV4bWiCtWhJmfH1Qa8m4Q+DyqimjapgYT5cUB1yxlknp233bB/+5C5k3KozU2hmh80KYgR496FtQvI74p0qw/lw00CGCR3WHNcIc0dbTiDzC90HlOpafg=,iv:vxMCAjpgyWvxk18LalmFhwOb5b2ThCDq1KTaX2OPvpM=,tag:QMA+tC4hs/FBnuVDye38Vg==,type:str] + lastmodified: "2025-12-01T11:39:26Z" + mac: ENC[AES256_GCM,data:11VQAYk8Am0k8OO6BtU17qpuEhcJ8ylRhJWQNHVAsmi5BCFjD1zU3NkWhtSstPrBcqHMenG+9XuEzpNnbccHI2ru0qlILsQvNj5OKo96FnvYtzApYlApoAzOetCx08Lfxa4RGLN/XCUSuccjBIU2PZRWEK+z+Cm1wHUFeqc1xPc=,iv:6y9j55Cld+GoOVGWAqsEgURRna6dHA2mGZwHVA+ZOE8=,tag:bSZi3nYmYrn3nFT2+RBPUQ==,type:str] pgp: - created_at: "2025-10-03T21:38:26Z" enc: |- From 4d773ef9e23e65c36899d35dc5fb82c0e3e534fa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Mon, 1 Dec 2025 20:06:01 +0800 Subject: [PATCH 05/24] feat(immich): Migrate to vectorchord --- configuration/services/immich.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configuration/services/immich.nix b/configuration/services/immich.nix index 39673d0..1255490 100644 --- a/configuration/services/immich.nix +++ b/configuration/services/immich.nix @@ -18,6 +18,9 @@ in enable = true; settings.server.externalDomain = "https://${hostName}"; + # We're using vectorchord now + database.enableVectors = false; + environment.IMMICH_TELEMETRY_INCLUDE = "all"; }; From 35c74ed36980f7f5becd78a6395680795c574276 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Mon, 1 Dec 2025 20:08:07 +0800 Subject: [PATCH 06/24] bump(flake.lock): Update other inputs --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9ca0388..d5305b0 100644 --- a/flake.lock +++ b/flake.lock @@ -123,11 +123,11 @@ ] }, "locked": { - "lastModified": 1762276996, - "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", + "lastModified": 1764350888, + "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=", "owner": "nix-community", "repo": "disko", - "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", + "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26", "type": "github" }, "original": { @@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1761916399, - "narHash": "sha256-wLZ8km5ftKlIDdHJrFiDQivXc5b+7DRxmBp2347H5g8=", + "lastModified": 1764578815, + "narHash": "sha256-WZ8+pH/cLjv3geonV3VFwtfa8IuTkPHb60a1ACQpOmc=", "owner": "reckenrode", "repo": "nix-foundryvtt", - "rev": "8cceb7af3dfbe465b5108db5c098b097edf85790", + "rev": "1b875fb942c4ef926fd7aade7db327be363f7179", "type": "github" }, "original": { 
@@ -344,11 +344,11 @@ ] }, "locked": { - "lastModified": 1763607916, - "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=", + "lastModified": 1764483358, + "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b", + "rev": "5aca6ff67264321d47856a2ed183729271107c9c", "type": "github" }, "original": { From 0539da6ac3bec49b3c4cafaa3b02f8c37cd7dd1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 14 Dec 2025 03:11:04 +0800 Subject: [PATCH 07/24] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/2055a08fd0e2fd41318279a5355eb8a161accf26?narHash=sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo%3D' (2025-11-28) → 'github:nix-community/disko/d64e5cdca35b5fad7c504f615357a7afe6d9c49e?narHash=sha256-fTLX9kDwLr9Y0rH/nG%2Bh1XG5UU%2BjBcy0PFYn5eneRX8%3D' (2025-12-10) • Updated input 'nixpkgs': 'https://releases.nixos.org/nixos/25.11/nixos-25.11.650.8bb5646e0bed/nixexprs.tar.xz?lastModified=1764522689&narHash=sha256-GzkEBSHGkj8EyOxnxQvl9sx0x2S7JzH0hwCziF176T8%3D&rev=8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f' (2025-11-30) → 'https://releases.nixos.org/nixos/25.11/nixos-25.11.1335.09eb77e94fa2/nixexprs.tar.xz?narHash=sha256-3bKCEc1JWOn8aj48H1yHKU6WDw0eSU2t7cKCL3FC%2BLo%3D' (2025-12-09) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5aca6ff67264321d47856a2ed183729271107c9c?narHash=sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4%3D' (2025-11-30) → 'github:Mic92/sops-nix/496a6f625f63b780ce849891868f2fad22fd49c6?narHash=sha256-Ii16Nq5jL2wURXpV3D3tOM3vPpbKh18roHLkyZCHK4Q%3D' (2025-12-12) --- flake.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index d5305b0..9394ffb 100644 --- a/flake.lock +++ b/flake.lock 
@@ -123,11 +123,11 @@ ] }, "locked": { - "lastModified": 1764350888, - "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=", + "lastModified": 1765326679, + "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=", "owner": "nix-community", "repo": "disko", - "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26", + "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e", "type": "github" }, "original": { @@ -255,11 +255,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1764522689, - "narHash": "sha256-GzkEBSHGkj8EyOxnxQvl9sx0x2S7JzH0hwCziF176T8=", - "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", + "lastModified": 1765311797, + "narHash": "sha256-3bKCEc1JWOn8aj48H1yHKU6WDw0eSU2t7cKCL3FC+Lo=", + "rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.650.8bb5646e0bed/nixexprs.tar.xz?lastModified=1764522689&rev=8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f" + "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.1335.09eb77e94fa2/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -344,11 +344,11 @@ ] }, "locked": { - "lastModified": 1764483358, - "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", + "lastModified": 1765553226, + "narHash": "sha256-Ii16Nq5jL2wURXpV3D3tOM3vPpbKh18roHLkyZCHK4Q=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5aca6ff67264321d47856a2ed183729271107c9c", + "rev": "496a6f625f63b780ce849891868f2fad22fd49c6", "type": "github" }, "original": { From d8c52f4f1b311832ca0efd3422f76bbb6a2b05a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 14 Dec 2025 03:15:25 +0800 Subject: [PATCH 08/24] update(pkgs): Update sources of all downstream packages --- pkgs/packages/crowdsec-hub.nix | 4 +- pkgs/packages/webserver/Cargo.lock | 241 ++++++++++++++++++---------- pkgs/packages/webserver/package.nix | 1 + pkgs/update.nu | 2 +- 4 files changed, 159 insertions(+), 89 deletions(-) 
diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix index 3d0ad28..1a3a7b7 100644 --- a/pkgs/packages/crowdsec-hub.nix +++ b/pkgs/packages/crowdsec-hub.nix @@ -14,8 +14,8 @@ stdenvNoCC.mkDerivation (drv: { src = fetchFromGitHub { owner = "crowdsecurity"; repo = "hub"; - rev = "b63d9e925cfdd70f818a6a136ea53d5c8ca96d9a"; - hash = "sha256-FMArGnR/pI/QlzsznStp8vzs/LbXooVgLdoTw+eSbec="; + rev = "a7b7e3791525943a746068dee1e77da928db2707"; + hash = "sha256-dNUwTdCPqc7kB3uFTMCWwrQ9a+mPNmBget6NPff+jsY="; }; installPhase = '' diff --git a/pkgs/packages/webserver/Cargo.lock b/pkgs/packages/webserver/Cargo.lock index a6db6ec..c9c3ef5 100644 --- a/pkgs/packages/webserver/Cargo.lock +++ b/pkgs/packages/webserver/Cargo.lock @@ -40,6 +40,12 @@ dependencies = [ "pin-project-lite", ] +[[package]] +name = "async-once-cell" +version = "0.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4288f83726785267c6f2ef073a3d83dc3f9b81464e9f99898240cced85fce35a" + [[package]] name = "async-trait" version = "0.1.89" @@ -164,6 +170,12 @@ dependencies = [ "syn", ] +[[package]] +name = "base16" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d27c3610c36aee21ce8ac510e6224498de4228ad772a171ed65643a24693a5a8" + [[package]] name = "base64" version = "0.22.1" @@ -211,9 +223,9 @@ checksum = "276a59bf2b2c967788139340c9f0c5b12d7fd6630315c15c217e559de85d2609" [[package]] name = "cc" -version = "1.2.47" +version = "1.2.49" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd405d82c84ff7f35739f175f67d8b9fb7687a0e84ccdc78bd3568839827cf07" +checksum = "90583009037521a116abf44494efecd645ba48b6622457080f080b85544e2215" dependencies = [ "find-msvc-tools", "shlex", 
@@ -233,9 +245,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "codee" -version = "0.3.4" +version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30b61b7a19443f478176473b0c35acf7f9f7e2752c781dea55820343826f366c" +checksum = "a9dbbdc4b4d349732bc6690de10a9de952bd39ba6a065c586e26600b6b0b91f5" dependencies = [ "serde", "serde_json", @@ -768,12 +780,11 @@ dependencies = [ [[package]] name = "http" -version = "1.3.1" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565" +checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a" dependencies = [ "bytes", - "fnv", "itoa", ] @@ -892,9 +903,9 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.18" +version = "0.1.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52e9a2a24dc5c6821e71a7030e1e14b7b632acac55c40e9d2e082c621261bb56" +checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f" dependencies = [ "base64", "bytes", @@ -964,9 +975,9 @@ checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a" [[package]] name = "icu_properties" -version = "2.1.1" +version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e93fcd3157766c0c8da2f8cff6ce651a31f0810eaa1c51ec363ef790bbb5fb99" +checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec" dependencies = [ "icu_collections", "icu_locale_core", @@ -978,9 +989,9 @@ dependencies = [ [[package]] name = "icu_properties_data" -version = "2.1.1" +version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "02845b3647bb045f1100ecd6480ff52f34c35f82d9880e029d329c21d1054899" +checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af" [[package]] name = "icu_provider" 
@@ -1092,9 +1103,9 @@ dependencies = [ [[package]] name = "leptos" -version = "0.8.3" +version = "0.8.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c202a7897aa73c90ac4ce73713512d871f75e79847558d9e88f778659b164dc" +checksum = "87c98f6d751e524ff425ad9d63d53e120ed68311ffbc22bbd9c0b3c4005a421e" dependencies = [ "any_spawner", "base64", @@ -1117,23 +1128,26 @@ dependencies = [ "rustc_version", "send_wrapper", "serde", + "serde_json", "serde_qs", "server_fn", "slotmap", "tachys", "thiserror 2.0.17", "throw_error", - "typed-builder", - "typed-builder-macro", + "typed-builder 0.22.0", + "typed-builder-macro 0.22.0", "wasm-bindgen", + "wasm-bindgen-futures", + "wasm_split_helpers", "web-sys", ] [[package]] name = "leptos_axum" -version = "0.8.3" +version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a84872a7df15ec047f8b27b27e35354752a8cc62ab8b789e3dc9d4ed5613bcea" +checksum = "f0caa95760f87f3067e05025140becefdbdfd36cbc2adac4519f06e1f1edf4af" dependencies = [ "any_spawner", "axum", @@ -1155,22 +1169,22 @@ dependencies = [ [[package]] name = "leptos_config" -version = "0.8.3" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74eec2103dfa808f4b13c149dfbd3842f13a5948489fda3de31cc565fb28dbec" +checksum = "071fc40aeb9fcab885965bad1887990477253ad51f926cd19068f45a44c59e89" dependencies = [ "config", "regex", "serde", "thiserror 2.0.17", - "typed-builder", + "typed-builder 0.21.2", ] [[package]] name = "leptos_dom" -version = "0.8.3" +version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25b845379c33884f0dead9abb5aa3d258d7bd507789fc2527a5972f82c0757c7" +checksum = "78f4330c88694c5575e0bfe4eecf81b045d14e76a4f8b00d5fd2a63f8779f895" dependencies = [ "js-sys", "or_poisoned", 
@@ -1183,9 +1197,9 @@ dependencies = [ [[package]] name = "leptos_hot_reload" -version = "0.8.3" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fae732329192df886803f076515d73c883166a4c8cbc5532584d0d1e43539300" +checksum = "0d61ec3e1ff8aaee8c5151688550c0363f85bc37845450764c31ff7584a33f38" dependencies = [ "anyhow", "camino", @@ -1201,9 +1215,9 @@ dependencies = [ [[package]] name = "leptos_integration_utils" -version = "0.8.3" +version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51059fee81537ba299323e2b58c9d721f66fd8a2d42df710a020efbdfb8efae2" +checksum = "13cccc9305df53757bae61bf15641bfa6a667b5f78456ace4879dfe0591ae0e8" dependencies = [ "futures", "hydration_context", @@ -1216,9 +1230,9 @@ dependencies = [ [[package]] name = "leptos_macro" -version = "0.8.3" +version = "0.8.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e32ae8783d4b64838167e026ef773dbc53399e9e6658e9c2f65e0ce67a5ccec" +checksum = "9d199fafe14b7925fd392764fdd851215909604955acfda7c0263b8722d57c23" dependencies = [ "attribute-derive", "cfg-if", @@ -1239,9 +1253,9 @@ dependencies = [ [[package]] name = "leptos_meta" -version = "0.8.3" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef0521aeb2e73cbae8e6278287da485020b971e0b2cd471c5de5eb8cbcaa8802" +checksum = "2d489e38d3f541e9e43ecc2e3a815527840345a2afca629b3e23fcc1dd254578" dependencies = [ "futures", "indexmap", @@ -1254,9 +1268,9 @@ dependencies = [ [[package]] name = "leptos_router" -version = "0.8.3" +version = "0.8.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1b6df1b107c301bd39c114768a1196a8dfcbdae869364b3f0247e3f554b503a" +checksum = "19b824cae28db1551b71f8c2a45eab7bb98d61407f5adcc368cfe7b671e4a71d" dependencies = [ "any_spawner", "either_of", 
@@ -1279,9 +1293,9 @@ dependencies = [ [[package]] name = "leptos_router_macro" -version = "0.8.3" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d35d4bb7922e74546fac3e852b0f3252e9996e04fca12c359aba1e5958cfda8" +checksum = "409c0bd99f986c3cfa1a4db2443c835bc602ded1a12784e22ecb28c3ed5a2ae2" dependencies = [ "proc-macro-error2", "proc-macro2", @@ -1291,9 +1305,9 @@ dependencies = [ [[package]] name = "leptos_server" -version = "0.8.3" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26851048e161998b8f9fb3261a833ec64df2a2669ea95f360c54b7f47a1e07cb" +checksum = "dbf1045af93050bf3388d1c138426393fc131f6d9e46a65519da884c033ed730" dependencies = [ "any_spawner", "base64", @@ -1311,9 +1325,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.177" +version = "0.2.178" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976" +checksum = "37c93d8daa9d8a012fd8ab92f088405fb202ea0b6ab73ee2482ae66af4f42091" [[package]] name = "linear-map" @@ -1344,9 +1358,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.28" +version = "0.4.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432" +checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" [[package]] name = "lru-slab" @@ -1379,9 +1393,9 @@ dependencies = [ [[package]] name = "markdown_view_leptos" -version = "0.1.3" +version = "0.1.83" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f75ce57ac1fcfcb0e31a39dd92f2c7f529c9840670b47d2516b4c037fd00689" +checksum = "b66d6cf3687d19bf331413559d3d159bb1c95d72beb71b982cd61009380c79a5" dependencies = [ "proc-macro2", "pulldown-cmark", 
@@ -1420,9 +1434,9 @@ dependencies = [ [[package]] name = "mio" -version = "1.1.0" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69d83b0086dc8ecf3ce9ae2874b2d1290252e2a30720bea58a5c6639b0092873" +checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc" dependencies = [ "libc", "wasi", @@ -1481,12 +1495,12 @@ dependencies = [ [[package]] name = "oco_ref" -version = "0.2.0" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64b94982fe39a861561cf67ff17a7849f2cedadbbad960a797634032b7abb998" +checksum = "ed0423ff9973dea4d6bd075934fdda86ebb8c05bdf9d6b0507067d4a1226371d" dependencies = [ "serde", - "thiserror 1.0.69", + "thiserror 2.0.17", ] [[package]] @@ -1877,16 +1891,18 @@ dependencies = [ [[package]] name = "reactive_graph" -version = "0.2.3" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c79f7561c7c246e2c2feab3b0b63502b213e589d7768032bbfc5ea7b267140b9" +checksum = "4043190442021086719fb9183daacb050f44d4ed8d3a1c8534e366d45dd95c29" dependencies = [ "any_spawner", "async-lock", "futures", "guardian", "hydration_context", + "indexmap", "or_poisoned", + "paste", "pin-project-lite", "rustc-hash", "rustc_version", @@ -1899,9 +1915,9 @@ dependencies = [ [[package]] name = "reactive_stores" -version = "0.2.3" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9edd67f166cfec4ffc6abf271bada268c13dac0b0318f4c6a76a877490d0617a" +checksum = "25b73d94139821e0a2f31fb4e0eaf6ebbcf4d15c5e2fb353dc3babd4f6d35674" dependencies = [ "dashmap", "guardian", 
@@ -1916,9 +1932,9 @@ dependencies = [ [[package]] name = "reactive_stores_macro" -version = "0.2.3" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2418b703f385f35481737d8f2ccd9ae3de850dd778bce09817f30338f3cb5ca2" +checksum = "4fa40919eb2975100283b2a70e68eafce1e8bcf81f0622ff168e4c2b3f8d46bb" dependencies = [ "convert_case 0.8.0", "proc-macro-error2", @@ -1967,9 +1983,9 @@ checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58" [[package]] name = "reqwest" -version = "0.12.24" +version = "0.12.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f" +checksum = "b6eff9328d40131d43bd911d42d79eb6a47312002a4daefc9e37f17e74a7701a" dependencies = [ "base64", "bytes", @@ -2084,9 +2100,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.13.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94182ad936a0c91c324cd46c6511b9510ed16af436d7b5bab34beab0afd55f7a" +checksum = "708c0f9d5f54ba0272468c1d306a52c495b31fa155e91bc25371e6df7996908c" dependencies = [ "web-time", "zeroize", @@ -2274,9 +2290,9 @@ dependencies = [ [[package]] name = "server_fn" -version = "0.8.3" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c27fbd25ecc066481e383e2ed62ab2480e708aa3fe46cba36e95f58e61dfd04" +checksum = "fdc30228718f62d80a376964baf990edbcb5e97688fdc71183a8ef3d44cb6c89" dependencies = [ "axum", "base64", @@ -2348,6 +2364,17 @@ dependencies = [ "digest", ] +[[package]] +name = "sha2" +version = "0.10.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + [[package]] name = "shlex" version = "1.3.0" 
@@ -2362,9 +2389,9 @@ checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589" [[package]] name = "slotmap" -version = "1.0.7" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dbff4acf519f630b3a3ddcfaea6c06b42174d9a44bc70c620e9ed1649d58b82a" +checksum = "bdd58c3c93c3d278ca835519292445cb4b0d4dc59ccfdf7ceadaab3f8aeb4038" dependencies = [ "version_check", ] @@ -2405,9 +2432,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.110" +version = "2.0.111" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea" +checksum = "390cc9a294ab71bdb1aa2e99d13be9c753cd2d7bd6560c77118597410c4d2e87" dependencies = [ "proc-macro2", "quote", @@ -2469,9 +2496,9 @@ dependencies = [ [[package]] name = "tachys" -version = "0.2.4" +version = "0.2.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d706b2ab0fa7e14b878d638faee3dafed08a2ab9ff7f116ad2445cce04bfaaa" +checksum = "f2b2db11e455f7e84e2cc3e76f8a3f3843f7956096265d5ecff781eabe235077" dependencies = [ "any_spawner", "async-trait", @@ -2556,9 +2583,9 @@ dependencies = [ [[package]] name = "throw_error" -version = "0.3.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "41e42a6afdde94f3e656fae18f837cb9bbe500a5ac5de325b09f3ec05b9c28e3" +checksum = "dc0ed6038fcbc0795aca7c92963ddda636573b956679204e044492d2b13c8f64" dependencies = [ "pin-project-lite", ] @@ -2770,9 +2797,9 @@ dependencies = [ [[package]] name = "tower-http" -version = "0.6.6" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2" +checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" dependencies = [ "bitflags", "bytes", 
@@ -2810,9 +2837,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tracing" -version = "0.1.41" +version = "0.1.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0" +checksum = "2d15d90a0b5c19378952d479dc858407149d7bb45a14de0142f6c534b16fc647" dependencies = [ "log", "pin-project-lite", @@ -2821,9 +2848,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.34" +version = "0.1.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678" +checksum = "7a04e24fab5c89c6a36eb8558c9656f30d81de51dfa4d3b45f26b21d61fa0a6c" dependencies = [ "once_cell", ] @@ -2857,7 +2884,16 @@ version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fef81aec2ca29576f9f6ae8755108640d0a86dd3161b2e8bca6cfa554e98f77d" dependencies = [ - "typed-builder-macro", + "typed-builder-macro 0.21.2", +] + +[[package]] +name = "typed-builder" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "398a3a3c918c96de527dc11e6e846cd549d4508030b8a33e1da12789c856b81a" +dependencies = [ + "typed-builder-macro 0.22.0", ] [[package]] @@ -2871,6 +2907,17 @@ dependencies = [ "syn", ] +[[package]] +name = "typed-builder-macro" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0e48cea23f68d1f78eb7bc092881b6bb88d3d6b5b7e6234f6f9c911da1ffb221" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "typenum" version = "1.19.0" 
@@ -2936,9 +2983,9 @@ checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9" [[package]] name = "utf8-width" -version = "0.1.7" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "86bd8d4e895da8537e5315b8254664e6b769c4ff3db18321b297a1e7004392e3" +checksum = "1292c0d970b54115d14f2492fe0170adf21d68a1de108eebc51c1df4f346a091" [[package]] name = "utf8_iter" @@ -2948,9 +2995,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" [[package]] name = "uuid" -version = "1.18.1" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f87b8aa10b915a06587d0dec516c282ff295b475d94abf425d62b57710070a2" +checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a" dependencies = [ "getrandom 0.3.4", "js-sys", @@ -3087,6 +3134,28 @@ dependencies = [ "web-sys", ] +[[package]] +name = "wasm_split_helpers" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a114b3073258dd5de3d812cdd048cca6842342755e828a14dbf15f843f2d1b84" +dependencies = [ + "async-once-cell", + "wasm_split_macros", +] + +[[package]] +name = "wasm_split_macros" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56481f8ed1a9f9ae97ea7b08a5e2b12e8adf9a7818a6ba952b918e09c7be8bf0" +dependencies = [ + "base16", + "quote", + "sha2", + "syn", +] + [[package]] name = "web-sys" version = "0.3.77" @@ -3318,9 +3387,9 @@ checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650" [[package]] name = "winnow" -version = "0.7.13" +version = "0.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21a0236b59786fed61e2a80582dd500fe61f18b5dca67a4a067d0bc9039339cf" +checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829" dependencies = [ "memchr", ] 
@@ -3374,18 +3443,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.28" +version = "0.8.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43fa6694ed34d6e57407afbccdeecfa268c470a7d2a5b0cf49ce9fcc345afb90" +checksum = "fd74ec98b9250adb3ca554bdde269adf631549f51d8a8f8f0a10b50f1cb298c3" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.28" +version = "0.8.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c640b22cd9817fae95be82f0d2f90b11f7605f6c319d16705c459b27ac2cbc26" +checksum = "d8a8d209fdf45cf5138cbb5a506f6b52522a25afccc534d1475dad8e31105c6a" dependencies = [ "proc-macro2", "quote", diff --git a/pkgs/packages/webserver/package.nix b/pkgs/packages/webserver/package.nix index 00ebf58..111dc38 100644 --- a/pkgs/packages/webserver/package.nix +++ b/pkgs/packages/webserver/package.nix @@ -288,6 +288,7 @@ rustPlatform.buildRustPackage (drv: { (lib.makeBinPath [ ast-grep nix-prefetch-github + cargo ]) ]; } ./update.nu; diff --git a/pkgs/update.nu b/pkgs/update.nu index 0ed1bc1..7ae7d26 100644 --- a/pkgs/update.nu +++ b/pkgs/update.nu @@ -5,7 +5,7 @@ let packages_with_updatescript = ( | from json | $in.packages.x86_64-linux | columns - | filter {|p| nix eval $'.#($p)' --apply 'builtins.hasAttr "updateScript"' | $in == 'true' } + | where {|p| nix eval $'.#($p)' --apply 'builtins.hasAttr "updateScript"' | $in == 'true' } ) for $package in $packages_with_updatescript { From c860d5fa72c30e43c39a98be63ed17c5189f8c1f Mon Sep 17 00:00:00 2001 
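Review bot: The `cargo` entry added to the `lib.makeBinPath [ ... ]` list has no comment saying what `./update.nu` needs it for, and it widens what the update script can do: with cargo on its PATH the script can presumably re-resolve `Cargo.lock` against crates.io (that script is not shown here, so this is inferred). The later "Update sources of all downstream packages" patches in this series add crates to the lockfile that were not there before, for example `zmij` and `convert_case` 0.10.0, so the lockfile diff is where new third-party code enters the build. I would add a comment above the entry such as `# cargo: lets update.nu refresh Cargo.lock; review newly added crates in the resulting diff`. The enclosing expression starts outside the hunk.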
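Review bot: The predicate in the new `where` closure still decides by comparing the text printed by `nix eval` with the string `'true'`, which depends on how the external command's trailing newline is handled and silently treats any unexpected output as "no update script". Asking nix for JSON and parsing it yields a real boolean instead: `| where {|p| nix eval --json $'.#($p)' --apply 'builtins.hasAttr "updateScript"' | from json }`. The `let packages_with_updatescript` expression starts outside the hunk.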
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sat, 20 Dec 2025 15:02:27 +0800 Subject: [PATCH 09/24] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'deploy-rs': 'github:serokell/deploy-rs/9c870f63e28ec1e83305f7f6cb73c941e699f74f?narHash=sha256-9I2H9x5We6Pl%2BDBYHjR1s3UT8wgwcpAH03kn9CqtdQc%3D' (2025-11-04) → 'github:serokell/deploy-rs/d5eff7f948535b9c723d60cd8239f8f11ddc90fa?narHash=sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik%3D' (2025-12-18) • Updated input 'disko': 'github:nix-community/disko/d64e5cdca35b5fad7c504f615357a7afe6d9c49e?narHash=sha256-fTLX9kDwLr9Y0rH/nG%2Bh1XG5UU%2BjBcy0PFYn5eneRX8%3D' (2025-12-10) → 'github:nix-community/disko/916506443ecd0d0b4a0f4cf9d40a3c22ce39b378?narHash=sha256-P0kM%2B5o%2BDKnB6raXgFEk3azw8Wqg5FL6wyl9jD%2BG5a4%3D' (2025-12-19) • Updated input 'nixpkgs': 'https://releases.nixos.org/nixos/25.11/nixos-25.11.1335.09eb77e94fa2/nixexprs.tar.xz?narHash=sha256-3bKCEc1JWOn8aj48H1yHKU6WDw0eSU2t7cKCL3FC%2BLo%3D' (2025-12-09) → 'https://releases.nixos.org/nixos/25.11/nixos-25.11.1948.c6f52ebd45e5/nixexprs.tar.xz?narHash=sha256-Rgx3RPys4DTsfZPBbJa2QpJGbjnWVC7V2Rlviyp4qMI%3D' (2025-12-15) • Updated input 'sops-nix': 'github:Mic92/sops-nix/496a6f625f63b780ce849891868f2fad22fd49c6?narHash=sha256-Ii16Nq5jL2wURXpV3D3tOM3vPpbKh18roHLkyZCHK4Q%3D' (2025-12-12) → 'github:Mic92/sops-nix/443a7f2e7e118c4fc63b7fae05ab3080dd0e5c63?narHash=sha256-hWRYfdH2ONI7HXbqZqW8Q1y9IRbnXWvtvt/ONZovSNY%3D' (2025-12-15) --- flake.lock | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/flake.lock b/flake.lock index 9394ffb..b90709f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -77,11 +77,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1762286984, - "narHash": "sha256-9I2H9x5We6Pl+DBYHjR1s3UT8wgwcpAH03kn9CqtdQc=", + "lastModified": 1766051518, + "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=", "owner": "serokell", "repo": "deploy-rs", - "rev": "9c870f63e28ec1e83305f7f6cb73c941e699f74f", + "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa", "type": "github" }, "original": { @@ -123,11 +123,11 @@ ] }, "locked": { - "lastModified": 1765326679, - "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=", + "lastModified": 1766150702, + "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", "owner": "nix-community", "repo": "disko", - "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e", + "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", "type": "github" }, "original": { @@ -255,11 +255,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1765311797, - "narHash": "sha256-3bKCEc1JWOn8aj48H1yHKU6WDw0eSU2t7cKCL3FC+Lo=", - "rev": "09eb77e94fa25202af8f3e81ddc7353d9970ac1b", + "lastModified": 1765838191, + "narHash": "sha256-Rgx3RPys4DTsfZPBbJa2QpJGbjnWVC7V2Rlviyp4qMI=", + "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.1335.09eb77e94fa2/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.1948.c6f52ebd45e5/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -344,11 +344,11 @@ ] }, "locked": { - "lastModified": 1765553226, - "narHash": "sha256-Ii16Nq5jL2wURXpV3D3tOM3vPpbKh18roHLkyZCHK4Q=", + "lastModified": 1765836173, + "narHash": "sha256-hWRYfdH2ONI7HXbqZqW8Q1y9IRbnXWvtvt/ONZovSNY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "496a6f625f63b780ce849891868f2fad22fd49c6", + "rev": "443a7f2e7e118c4fc63b7fae05ab3080dd0e5c63", "type": "github" }, "original": { From 4fa3646b81b68fc89b3e81b654c2eba890bab857 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sat, 20 Dec 2025 15:08:59 +0800 Subject: [PATCH 10/24] update(pkgs): Update sources of all downstream packages --- pkgs/packages/crowdsec-hub.nix | 4 +- pkgs/packages/webserver/Cargo.lock | 65 +++++++++++++++++------------- 2 files changed, 39 insertions(+), 30 deletions(-) diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix index 1a3a7b7..135888a 100644 --- a/pkgs/packages/crowdsec-hub.nix +++ b/pkgs/packages/crowdsec-hub.nix @@ -14,8 +14,8 @@ stdenvNoCC.mkDerivation (drv: { src = fetchFromGitHub { owner = "crowdsecurity"; repo = "hub"; - rev = "a7b7e3791525943a746068dee1e77da928db2707"; - hash = "sha256-dNUwTdCPqc7kB3uFTMCWwrQ9a+mPNmBget6NPff+jsY="; + rev = "b3876876c50f060428d20c0f68f264d73c262871"; + hash = "sha256-uAvMASbWOk9c9qjg+h16GHHp2d7FvHF0paHpZSf7/Ds="; }; installPhase = '' diff --git a/pkgs/packages/webserver/Cargo.lock b/pkgs/packages/webserver/Cargo.lock index c9c3ef5..a4bb8a7 100644 --- a/pkgs/packages/webserver/Cargo.lock +++ b/pkgs/packages/webserver/Cargo.lock @@ -199,9 +199,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.19.0" +version = "3.19.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43" +checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510" [[package]] name = "bytemuck" 
@@ -217,15 +217,15 @@ checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3" [[package]] name = "camino" -version = "1.2.1" +version = "1.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "276a59bf2b2c967788139340c9f0c5b12d7fd6630315c15c217e559de85d2609" +checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48" [[package]] name = "cc" -version = "1.2.49" +version = "1.2.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90583009037521a116abf44494efecd645ba48b6622457080f080b85544e2215" +checksum = "9f50d563227a1c37cc0a263f64eca3334388c01c5e4c4861a9def205c614383c" dependencies = [ "find-msvc-tools", "shlex", @@ -278,7 +278,7 @@ dependencies = [ "convert_case 0.6.0", "pathdiff", "serde_core", - "toml 0.9.8", + "toml 0.9.10+spec-1.1.0", "winnow", ] @@ -342,6 +342,15 @@ dependencies = [ "unicode-segmentation", ] +[[package]] +name = "convert_case" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9" +dependencies = [ + "unicode-segmentation", +] + [[package]] name = "core-foundation" version = "0.9.4" @@ -1230,13 +1239,13 @@ dependencies = [ [[package]] name = "leptos_macro" -version = "0.8.12" +version = "0.8.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d199fafe14b7925fd392764fdd851215909604955acfda7c0263b8722d57c23" +checksum = "c86ffd2e9cf3e264e9b3e16bdb086cefa26bd0fa7bc6a26b0cc5f6c1fd3178ed" dependencies = [ "attribute-derive", "cfg-if", - "convert_case 0.8.0", + "convert_case 0.10.0", "html-escape", "itertools", "leptos_hot_reload", 
@@ -1983,9 +1992,9 @@ checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58" [[package]] name = "reqwest" -version = "0.12.25" +version = "0.12.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6eff9328d40131d43bd911d42d79eb6a47312002a4daefc9e37f17e74a7701a" +checksum = "3b4c14b2d9afca6a60277086b0cc6a6ae0b568f6f7916c943a8cdc79f8be240f" dependencies = [ "base64", "bytes", @@ -2100,9 +2109,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.13.1" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "708c0f9d5f54ba0272468c1d306a52c495b31fa155e91bc25371e6df7996908c" +checksum = "21e6f2ab2928ca4291b86736a8bd920a277a399bba1589409d72154ff87c1282" dependencies = [ "web-time", "zeroize", @@ -2269,9 +2278,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e24345aa0fe688594e73770a5f6d1b216508b4f93484c0026d521acd30134392" +checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776" dependencies = [ "serde_core", ] @@ -2721,13 +2730,13 @@ dependencies = [ [[package]] name = "toml" -version = "0.9.8" +version = "0.9.10+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0dc8b1fb61449e27716ec0e1bdf0f6b8f3e8f6b05391e8497b8b6d7804ea6d8" +checksum = "0825052159284a1a8b4d6c0c86cbc801f2da5afd2b225fa548c72f2e74002f48" dependencies = [ "serde_core", - "serde_spanned 1.0.3", - "toml_datetime 0.7.3", + "serde_spanned 1.0.4", + "toml_datetime 0.7.5+spec-1.1.0", "toml_parser", "winnow", ] 
@@ -2743,9 +2752,9 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.7.3" +version = "0.7.5+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533" +checksum = "92e1cfed4a3038bc5a127e35a2d360f145e1f4b971b551a2ba5fd7aedf7e1347" dependencies = [ "serde_core", ] @@ -2766,9 +2775,9 @@ dependencies = [ [[package]] name = "toml_parser" -version = "1.0.4" +version = "1.0.6+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e" +checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44" dependencies = [ "winnow", ] @@ -2837,9 +2846,9 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" [[package]] name = "tracing" -version = "0.1.43" +version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d15d90a0b5c19378952d479dc858407149d7bb45a14de0142f6c534b16fc647" +checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100" dependencies = [ "log", "pin-project-lite", @@ -2848,9 +2857,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.35" +version = "0.1.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a04e24fab5c89c6a36eb8558c9656f30d81de51dfa4d3b45f26b21d61fa0a6c" +checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a" dependencies = [ "once_cell", ] From 6f5f9cbe0cd26bfc4ca2f4413e0b9f31bee33f4f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 28 Dec 2025 15:25:19 +0800 Subject: [PATCH 11/24] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'https://releases.nixos.org/nixos/25.11/nixos-25.11.1948.c6f52ebd45e5/nixexprs.tar.xz?narHash=sha256-Rgx3RPys4DTsfZPBbJa2QpJGbjnWVC7V2Rlviyp4qMI%3D' (2025-12-15) → 'https://releases.nixos.org/nixos/25.11/nixos-25.11.2561.f560ccec6b11/nixexprs.tar.xz?narHash=sha256-b6Ar71wSPahmaDr7L8gCvAPsuvd7UM4NvKldKB7V8KI%3D' (2025-12-26) • Updated input 'sops-nix': 'github:Mic92/sops-nix/443a7f2e7e118c4fc63b7fae05ab3080dd0e5c63?narHash=sha256-hWRYfdH2ONI7HXbqZqW8Q1y9IRbnXWvtvt/ONZovSNY%3D' (2025-12-15) → 'github:Mic92/sops-nix/61b39c7b657081c2adc91b75dd3ad8a91d6f07a7?narHash=sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ%3D' (2025-12-28) --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index b90709f..8335053 100644 --- a/flake.lock +++ b/flake.lock @@ -255,11 +255,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1765838191, - "narHash": "sha256-Rgx3RPys4DTsfZPBbJa2QpJGbjnWVC7V2Rlviyp4qMI=", - "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6", + "lastModified": 1766736597, + "narHash": "sha256-b6Ar71wSPahmaDr7L8gCvAPsuvd7UM4NvKldKB7V8KI=", + "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.1948.c6f52ebd45e5/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.2561.f560ccec6b11/nixexprs.tar.xz" }, "original": { "type": "tarball", 
@@ -344,11 +344,11 @@ ] }, "locked": { - "lastModified": 1765836173, - "narHash": "sha256-hWRYfdH2ONI7HXbqZqW8Q1y9IRbnXWvtvt/ONZovSNY=", + "lastModified": 1766894905, + "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "443a7f2e7e118c4fc63b7fae05ab3080dd0e5c63", + "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7", "type": "github" }, "original": { From d11e69c1eade0229d93c2e27c77b55ecdf8affd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 28 Dec 2025 15:26:50 +0800 Subject: [PATCH 12/24] update(pkgs): Update sources of all downstream packages --- pkgs/packages/crowdsec-hub.nix | 4 +- pkgs/packages/webserver/Cargo.lock | 60 ++++++++++++++++-------------- 2 files changed, 35 insertions(+), 29 deletions(-) diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix index 135888a..9725951 100644 --- a/pkgs/packages/crowdsec-hub.nix +++ b/pkgs/packages/crowdsec-hub.nix @@ -14,8 +14,8 @@ stdenvNoCC.mkDerivation (drv: { src = fetchFromGitHub { owner = "crowdsecurity"; repo = "hub"; - rev = "b3876876c50f060428d20c0f68f264d73c262871"; - hash = "sha256-uAvMASbWOk9c9qjg+h16GHHp2d7FvHF0paHpZSf7/Ds="; + rev = "a0cac2433e16cb8de28667aca3b2719641849ab7"; + hash = "sha256-JlE8r1hiyWerWPpGIvQz/gNaGKyZ3VOZsMKp1MIrxRY="; }; installPhase = '' diff --git a/pkgs/packages/webserver/Cargo.lock b/pkgs/packages/webserver/Cargo.lock index a4bb8a7..5ad7e66 100644 --- a/pkgs/packages/webserver/Cargo.lock +++ b/pkgs/packages/webserver/Cargo.lock 
@@ -31,9 +31,9 @@ checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" [[package]] name = "async-lock" -version = "3.4.1" +version = "3.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fd03604047cee9b6ce9de9f70c6cd540a0520c813cbd49bae61f33ab80ed1dc" +checksum = "290f7f2596bd5b78a9fec8088ccd89180d7f9f55b94b0576823bbbdc72ee8311" dependencies = [ "event-listener", "event-listener-strategy", @@ -104,9 +104,9 @@ dependencies = [ [[package]] name = "axum" -version = "0.8.7" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b098575ebe77cb6d14fc7f32749631a6e44edbef6b796f89b020e99ba20d425" +checksum = "8b52af3cb4058c895d37317bb27508dccc8e5f2d39454016b297bf4a400597b8" dependencies = [ "axum-core", "axum-macros", @@ -142,9 +142,9 @@ dependencies = [ [[package]] name = "axum-core" -version = "0.5.5" +version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59446ce19cd142f8833f856eb31f3eb097812d1479ab224f54d72428ca21ea22" +checksum = "08c78f31d7b1291f7ee735c1c6780ccde7785daae9a9206026862dab7d8792d1" dependencies = [ "bytes", "futures-core", @@ -223,9 +223,9 @@ checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48" [[package]] name = "cc" -version = "1.2.50" +version = "1.2.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f50d563227a1c37cc0a263f64eca3334388c01c5e4c4861a9def205c614383c" +checksum = "7a0aeaff4ff1a90589618835a598e545176939b97874f7abc7851caa0618f203" dependencies = [ "find-msvc-tools", "shlex", @@ -540,9 +540,9 @@ dependencies = [ [[package]] name = "find-msvc-tools" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a3076410a55c90011c298b04d0cfa770b00fa04e1e3c97d3f6c9de105a03844" +checksum = "645cbb3a84e60b7531617d5ae4e57f7e27308f6445f5abf653209ea76dec8dff" [[package]] name = "fnv" 
@@ -1096,9 +1096,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.15" +version = "1.0.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" +checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "js-sys" @@ -1402,9 +1402,9 @@ dependencies = [ [[package]] name = "markdown_view_leptos" -version = "0.1.83" +version = "0.1.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b66d6cf3687d19bf331413559d3d159bb1c95d72beb71b982cd61009380c79a5" +checksum = "e163223791290ed4ab63635ccd579e251264f3b1421d98591c2b0ea3908e1952" dependencies = [ "proc-macro2", "pulldown-cmark", @@ -1739,9 +1739,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.103" +version = "1.0.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ee95bc4ef87b8d5ba32e8b7714ccc834865276eab0aed5c9958d00ec45f49e8" +checksum = "9695f8df41bb4f3d222c95a67532365f569318332d03d5f3f67f37b20e6ebdf0" dependencies = [ "unicode-ident", ] @@ -1992,9 +1992,9 @@ checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58" [[package]] name = "reqwest" -version = "0.12.26" +version = "0.12.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b4c14b2d9afca6a60277086b0cc6a6ae0b568f6f7916c943a8cdc79f8be240f" +checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147" dependencies = [ "base64", "bytes", @@ -2082,9 +2082,9 @@ dependencies = [ [[package]] name = "rustix" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cd15f8a2c5551a84d56efdc1cd049089e409ac19a3072d5037a17fd70719ff3e" +checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34" dependencies = [ "bitflags", "errno", 
@@ -2136,9 +2136,9 @@ checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" [[package]] name = "ryu" -version = "1.0.20" +version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" +checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984" [[package]] name = "same-file" @@ -2234,15 +2234,15 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.145" +version = "1.0.148" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c" +checksum = "3084b546a1dd6289475996f182a22aba973866ea8e8b02c51d9f46b1336a22da" dependencies = [ "itoa", "memchr", - "ryu", "serde", "serde_core", + "zmij", ] [[package]] @@ -2539,9 +2539,9 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.23.0" +version = "3.24.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d31c77bdf42a745371d260a26ca7163f1e0924b64afa0b688e61b5a9fa02f16" +checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c" dependencies = [ "fastrand", "getrandom 0.3.4", @@ -3529,3 +3529,9 @@ dependencies = [ "quote", "syn", ] + +[[package]] +name = "zmij" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6d6085d62852e35540689d1f97ad663e3971fc19cf5eceab364d62c646ea167" From 67b7a937f6bcf69da77a7bd53da32dff562e0095 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 3 Feb 2026 05:29:46 +0800 Subject: [PATCH 13/24] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'deploy-rs': 'github:serokell/deploy-rs/d5eff7f948535b9c723d60cd8239f8f11ddc90fa?narHash=sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik%3D' (2025-12-18) → 'github:serokell/deploy-rs/77c906c0ba56aabdbc72041bf9111b565cdd6171?narHash=sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY%3D' (2026-02-02) • Updated input 'disko': 'github:nix-community/disko/916506443ecd0d0b4a0f4cf9d40a3c22ce39b378?narHash=sha256-P0kM%2B5o%2BDKnB6raXgFEk3azw8Wqg5FL6wyl9jD%2BG5a4%3D' (2025-12-19) → 'github:nix-community/disko/71a3fc97d80881e91710fe721f1158d3b96ae14d?narHash=sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE%3D' (2026-01-27) • Updated input 'flint': 'github:NotAShelf/flint/36c565edd971166718d21ae973c792b194ca737d?narHash=sha256-nQ2ItqrkvOYEjJr1HcXkIEFS4SEy5q1ax0Y1CTuKhHs%3D' (2025-11-06) → 'github:NotAShelf/flint/7832a5b5f5ef1243818f8f5e357ad1ee2d35d2b7?narHash=sha256-ug37Jt6r8LP3161suTh6IW%2Bfkx0a7kiSAhAPsVcPrkA%3D' (2026-01-03) • Updated input 'foundryvtt': 'github:reckenrode/nix-foundryvtt/1b875fb942c4ef926fd7aade7db327be363f7179?narHash=sha256-WZ8%2BpH/cLjv3geonV3VFwtfa8IuTkPHb60a1ACQpOmc%3D' (2025-12-01) → 'github:reckenrode/nix-foundryvtt/35e789ba383fbfaa9039005b9b24669c5be6b8ab?narHash=sha256-/Nldo9ILD7T5aQKuyeUccNPXjhNBrovGXEoi5k7m9Bo%3D' (2026-01-04) • Updated input 'nixpkgs': 'https://releases.nixos.org/nixos/25.11/nixos-25.11.2561.f560ccec6b11/nixexprs.tar.xz?narHash=sha256-b6Ar71wSPahmaDr7L8gCvAPsuvd7UM4NvKldKB7V8KI%3D' (2025-12-26) → 'https://releases.nixos.org/nixos/25.11/nixos-25.11.5065.41e216c0ca66/nixexprs.tar.xz?narHash=sha256-OGuC%2BgtMQt8j7FPOx3p5ASig%2BSkaXnpf9yNjRpetg4Y%3D' (2026-01-31) • Updated input 'sops-nix': 
'github:Mic92/sops-nix/61b39c7b657081c2adc91b75dd3ad8a91d6f07a7?narHash=sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ%3D' (2025-12-28) → 'github:Mic92/sops-nix/1e89149dcfc229e7e2ae24a8030f124a31e4f24f?narHash=sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew%3D' (2026-02-01) --- flake.lock | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/flake.lock b/flake.lock index 8335053..19b5cf5 100644 --- a/flake.lock +++ b/flake.lock @@ -77,11 +77,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1766051518, - "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=", + "lastModified": 1770019181, + "narHash": "sha256-hwsYgDnby50JNVpTRYlF3UR/Rrpt01OrxVuryF40CFY=", "owner": "serokell", "repo": "deploy-rs", - "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa", + "rev": "77c906c0ba56aabdbc72041bf9111b565cdd6171", "type": "github" }, "original": { @@ -123,11 +123,11 @@ ] }, "locked": { - "lastModified": 1766150702, - "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", + "lastModified": 1769524058, + "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", "owner": "nix-community", "repo": "disko", - "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", + "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", "type": "github" }, "original": { @@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1762437643, - "narHash": "sha256-nQ2ItqrkvOYEjJr1HcXkIEFS4SEy5q1ax0Y1CTuKhHs=", + "lastModified": 1767431140, + "narHash": "sha256-ug37Jt6r8LP3161suTh6IW+fkx0a7kiSAhAPsVcPrkA=", "owner": "NotAShelf", "repo": "flint", - "rev": "36c565edd971166718d21ae973c792b194ca737d", + "rev": "7832a5b5f5ef1243818f8f5e357ad1ee2d35d2b7", "type": "github" }, "original": { 
@@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1764578815, - "narHash": "sha256-WZ8+pH/cLjv3geonV3VFwtfa8IuTkPHb60a1ACQpOmc=", + "lastModified": 1767491610, + "narHash": "sha256-/Nldo9ILD7T5aQKuyeUccNPXjhNBrovGXEoi5k7m9Bo=", "owner": "reckenrode", "repo": "nix-foundryvtt", - "rev": "1b875fb942c4ef926fd7aade7db327be363f7179", + "rev": "35e789ba383fbfaa9039005b9b24669c5be6b8ab", "type": "github" }, "original": { @@ -255,11 +255,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1766736597, - "narHash": "sha256-b6Ar71wSPahmaDr7L8gCvAPsuvd7UM4NvKldKB7V8KI=", - "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", + "lastModified": 1769900590, + "narHash": "sha256-OGuC+gtMQt8j7FPOx3p5ASig+SkaXnpf9yNjRpetg4Y=", + "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.2561.f560ccec6b11/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.5065.41e216c0ca66/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -344,11 +344,11 @@ ] }, "locked": { - "lastModified": 1766894905, - "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=", + "lastModified": 1769921679, + "narHash": "sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew=", "owner": "Mic92", "repo": "sops-nix", - "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7", + "rev": "1e89149dcfc229e7e2ae24a8030f124a31e4f24f", "type": "github" }, "original": { From aa7abbb9c06c4b2b2cf9fc4a2215212347219ca7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 3 Feb 2026 05:32:28 +0800 Subject: [PATCH 14/24] update(pkgs): Update sources of all downstream packages --- pkgs/packages/crowdsec-hub.nix | 4 +- pkgs/packages/webserver/Cargo.lock | 179 ++++++++++++++--------------- 2 files changed, 91 insertions(+), 92 deletions(-) diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix index 9725951..f551f1f 100644 --- a/pkgs/packages/crowdsec-hub.nix 
+++ b/pkgs/packages/crowdsec-hub.nix @@ -14,8 +14,8 @@ stdenvNoCC.mkDerivation (drv: { src = fetchFromGitHub { owner = "crowdsecurity"; repo = "hub"; - rev = "a0cac2433e16cb8de28667aca3b2719641849ab7"; - hash = "sha256-JlE8r1hiyWerWPpGIvQz/gNaGKyZ3VOZsMKp1MIrxRY="; + rev = "acfabfa095700d52735d0359037e51ea8dd25297"; + hash = "sha256-dcPMyMvxLYQV0AFDbzsLW7HLvUUFUSFRTxw1dOy70vk="; }; installPhase = '' diff --git a/pkgs/packages/webserver/Cargo.lock b/pkgs/packages/webserver/Cargo.lock index 5ad7e66..34ef787 100644 --- a/pkgs/packages/webserver/Cargo.lock +++ b/pkgs/packages/webserver/Cargo.lock @@ -18,7 +18,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1384d3fe1eecb464229fcf6eebb72306591c56bf27b373561489458a7c73027d" dependencies = [ "futures", - "thiserror 2.0.17", + "thiserror 2.0.18", "tokio", "wasm-bindgen-futures", ] @@ -205,9 +205,9 @@ checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510" [[package]] name = "bytemuck" -version = "1.24.0" +version = "1.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fbdf580320f38b612e485521afda1ee26d10cc9884efaaa750d383e13e3c5f4" +checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec" [[package]] name = "bytes" @@ -223,9 +223,9 @@ checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48" [[package]] name = "cc" -version = "1.2.51" +version = "1.2.55" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a0aeaff4ff1a90589618835a598e545176939b97874f7abc7851caa0618f203" +checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" dependencies = [ "find-msvc-tools", "shlex", @@ -251,7 +251,7 @@ checksum = "a9dbbdc4b4d349732bc6690de10a9de952bd39ba6a065c586e26600b6b0b91f5" dependencies = [ "serde", "serde_json", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] 
@@ -278,7 +278,7 @@ dependencies = [ "convert_case 0.6.0", "pathdiff", "serde_core", - "toml 0.9.10+spec-1.1.0", + "toml 0.9.11+spec-1.1.0", "winnow", ] @@ -408,9 +408,9 @@ dependencies = [ [[package]] name = "data-encoding" -version = "2.9.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476" +checksum = "d7a1e2f27636f116493b8b860f5546edb47c8d8f8ea73e1d2a20be88e28d1fea" [[package]] name = "derive-where" @@ -540,9 +540,9 @@ dependencies = [ [[package]] name = "find-msvc-tools" -version = "0.1.6" +version = "0.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "645cbb3a84e60b7531617d5ae4e57f7e27308f6445f5abf653209ea76dec8dff" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" [[package]] name = "fnv" @@ -676,9 +676,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.16" +version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592" +checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0" dependencies = [ "cfg-if", "js-sys", @@ -743,9 +743,9 @@ checksum = "17e2ac29387b1aa07a1e448f7bb4f35b500787971e965b02842b900afa5c8f6f" [[package]] name = "h2" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3c0b69cfcb4e1b9f1bf2f53f95f766e4661169728ec61cd3fe5a0166f2d1386" +checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54" dependencies = [ "atomic-waker", "bytes", 
@@ -912,14 +912,13 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.19" +version = "0.1.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f" +checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0" dependencies = [ "base64", "bytes", "futures-channel", - "futures-core", "futures-util", "http", "http-body", @@ -1040,9 +1039,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.12.1" +version = "2.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ad4bb2b565bca0645f4d68c5c9af97fba094e9791da685bf83cb5f3ce74acf2" +checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017" dependencies = [ "equivalent", "hashbrown 0.16.1", @@ -1077,9 +1076,9 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130" [[package]] name = "iri-string" -version = "0.7.9" +version = "0.7.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397" +checksum = "c91338f0783edbd6195decb37bae672fd3b165faffb89bf7b9e6942f8b1a731a" dependencies = [ "memchr", "serde", @@ -1142,7 +1141,7 @@ dependencies = [ "server_fn", "slotmap", "tachys", - "thiserror 2.0.17", + "thiserror 2.0.18", "throw_error", "typed-builder 0.22.0", "typed-builder-macro 0.22.0", @@ -1185,7 +1184,7 @@ dependencies = [ "config", "regex", "serde", - "thiserror 2.0.17", + "thiserror 2.0.18", "typed-builder 0.21.2", ] @@ -1294,7 +1293,7 @@ dependencies = [ "rustc_version", "send_wrapper", "tachys", - "thiserror 2.0.17", + "thiserror 2.0.18", "url", "wasm-bindgen", "web-sys", 
@@ -1334,9 +1333,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.178" +version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37c93d8daa9d8a012fd8ab92f088405fb202ea0b6ab73ee2482ae66af4f42091" +checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" [[package]] name = "linear-map" @@ -1509,7 +1508,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ed0423ff9973dea4d6bd075934fdda86ebb8c05bdf9d6b0507067d4a1226371d" dependencies = [ "serde", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -1739,9 +1738,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.104" +version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9695f8df41bb4f3d222c95a67532365f569318332d03d5f3f67f37b20e6ebdf0" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" dependencies = [ "unicode-ident", ] @@ -1791,7 +1790,7 @@ dependencies = [ "rustc-hash", "rustls", "socket2", - "thiserror 2.0.17", + "thiserror 2.0.18", "tokio", "tracing", "web-time", @@ -1812,7 +1811,7 @@ dependencies = [ "rustls", "rustls-pki-types", "slab", - "thiserror 2.0.17", + "thiserror 2.0.18", "tinyvec", "tracing", "web-time", @@ -1834,9 +1833,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.42" +version = "1.0.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f" +checksum = "21b2ebcf727b7760c461f091f9f0f539b77b8e87f2fd88131e7f1b433b3cece4" dependencies = [ "proc-macro2", ] 
@@ -1891,9 +1890,9 @@ dependencies = [ [[package]] name = "rand_core" -version = "0.9.3" +version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38" +checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c" dependencies = [ "getrandom 0.3.4", ] @@ -1918,7 +1917,7 @@ dependencies = [ "send_wrapper", "serde", "slotmap", - "thiserror 2.0.17", + "thiserror 2.0.18", "web-sys", ] @@ -2044,7 +2043,7 @@ checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" dependencies = [ "cc", "cfg-if", - "getrandom 0.2.16", + "getrandom 0.2.17", "libc", "untrusted", "windows-sys 0.52.0", @@ -2062,7 +2061,7 @@ dependencies = [ "quote", "syn", "syn_derive", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -2095,9 +2094,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.35" +version = "0.23.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f" +checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" dependencies = [ "once_cell", "ring", @@ -2109,9 +2108,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.13.2" +version = "1.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21e6f2ab2928ca4291b86736a8bd920a277a399bba1589409d72154ff87c1282" +checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd" dependencies = [ "web-time", "zeroize", @@ -2119,9 +2118,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.103.8" +version = "0.103.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ffdfa2f5286e2247234e03f680868ac2815974dc39e00ea15adc445d0aafe52" +checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53" dependencies = [ "ring", "rustls-pki-types", 
@@ -2234,9 +2233,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.148" +version = "1.0.149" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3084b546a1dd6289475996f182a22aba973866ea8e8b02c51d9f46b1336a22da" +checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86" dependencies = [ "itoa", "memchr", @@ -2264,7 +2263,7 @@ checksum = "f3faaf9e727533a19351a43cc5a8de957372163c7d35cc48c90b75cdda13c352" dependencies = [ "percent-encoding", "serde", - "thiserror 2.0.17", + "thiserror 2.0.18", ] [[package]] @@ -2324,7 +2323,7 @@ dependencies = [ "serde_json", "serde_qs", "server_fn_macro_default", - "thiserror 2.0.17", + "thiserror 2.0.18", "throw_error", "tokio", "tower", @@ -2392,9 +2391,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "slab" -version = "0.4.11" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589" +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" [[package]] name = "slotmap" @@ -2413,9 +2412,9 @@ checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" [[package]] name = "socket2" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881" +checksum = "86f4aa3ad99f2088c990dfa82d367e19cb29268ed67c574d10d0a4bfe71f07e0" dependencies = [ "libc", "windows-sys 0.60.2", 
@@ -2441,9 +2440,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.111" +version = "2.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "390cc9a294ab71bdb1aa2e99d13be9c753cd2d7bd6560c77118597410c4d2e87" +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" dependencies = [ "proc-macro2", "quote", @@ -2484,9 +2483,9 @@ dependencies = [ [[package]] name = "system-configuration" -version = "0.6.1" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b" +checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" dependencies = [ "bitflags", "core-foundation", @@ -2561,11 +2560,11 @@ dependencies = [ [[package]] name = "thiserror" -version = "2.0.17" +version = "2.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" dependencies = [ - "thiserror-impl 2.0.17", + "thiserror-impl 2.0.18", ] [[package]] @@ -2581,9 +2580,9 @@ dependencies = [ [[package]] name = "thiserror-impl" -version = "2.0.17" +version = "2.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" dependencies = [ "proc-macro2", "quote", @@ -2638,7 +2637,7 @@ dependencies = [ "markdown_view_leptos", "reqwest", "serde", - "thiserror 2.0.17", + "thiserror 2.0.18", "tokio", "url", "wasm-bindgen", 
@@ -2647,9 +2646,9 @@ dependencies = [ [[package]] name = "tokio" -version = "1.48.0" +version = "1.49.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408" +checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86" dependencies = [ "bytes", "libc", @@ -2705,9 +2704,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.17" +version = "0.7.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594" +checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098" dependencies = [ "bytes", "futures-core", @@ -2730,9 +2729,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.9.10+spec-1.1.0" +version = "0.9.11+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0825052159284a1a8b4d6c0c86cbc801f2da5afd2b225fa548c72f2e74002f48" +checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46" dependencies = [ "serde_core", "serde_spanned 1.0.4", @@ -2790,9 +2789,9 @@ checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801" [[package]] name = "tower" -version = "0.5.2" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9" +checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4" dependencies = [ "futures-core", "futures-util", @@ -2883,7 +2882,7 @@ dependencies = [ "log", "rand", "sha1", - "thiserror 2.0.17", + "thiserror 2.0.18", "utf-8", ] 
@@ -2944,9 +2943,9 @@ dependencies = [ [[package]] name = "unicase" -version = "2.8.1" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539" +checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c76001afab07a0d35ce60142" [[package]] name = "unicode-ident" @@ -2974,9 +2973,9 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "url" -version = "2.5.7" +version = "2.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08bc136a29a3d1758e07a9cca267be308aeebf5cfd5a10f3f67ab2097683ef5b" +checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed" dependencies = [ "form_urlencoded", "idna", @@ -3004,9 +3003,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" [[package]] name = "uuid" -version = "1.19.0" +version = "1.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a" +checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f" dependencies = [ "getrandom 0.3.4", "js-sys", @@ -3052,9 +3051,9 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" [[package]] name = "wasip2" -version = "1.0.1+wasi-0.2.4" +version = "1.0.2+wasi-0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7" +checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5" dependencies = [ "wit-bindgen", ] 
@@ -3187,9 +3186,9 @@ dependencies = [ [[package]] name = "webpki-roots" -version = "1.0.4" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e" +checksum = "12bed680863276c63889429bfd6cab3b99943659923822de1c8a39c49e4d722c" dependencies = [ "rustls-pki-types", ] @@ -3405,9 +3404,9 @@ dependencies = [ [[package]] name = "wit-bindgen" -version = "0.46.0" +version = "0.51.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59" +checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" [[package]] name = "writeable" @@ -3452,18 +3451,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.31" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd74ec98b9250adb3ca554bdde269adf631549f51d8a8f8f0a10b50f1cb298c3" +checksum = "7456cf00f0685ad319c5b1693f291a650eaf345e941d082fc4e03df8a03996ac" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.31" +version = "0.8.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8a8d209fdf45cf5138cbb5a506f6b52522a25afccc534d1475dad8e31105c6a" +checksum = "1328722bbf2115db7e19d69ebcc15e795719e2d66b60827c6a69a117365e37a0" dependencies = [ "proc-macro2", "quote", @@ -3532,6 +3531,6 @@ dependencies = [ [[package]] name = "zmij" -version = "1.0.0" +version = "1.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6d6085d62852e35540689d1f97ad663e3971fc19cf5eceab364d62c646ea167" +checksum = "3ff05f8caa9038894637571ae6b9e29466c1f4f829d26c9b28f869a29cbe3445" From 30d6a499c6ec01b81f3cc259c467d7c691b203eb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 3 Feb 2026 06:18:17 +0800 Subject: [PATCH 15/24] fix(ntfy tests): Tweak timeouts a bit --- configuration/services/ntfy-sh/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configuration/services/ntfy-sh/default.nix b/configuration/services/ntfy-sh/default.nix index 39ace90..9cca567 100644 --- a/configuration/services/ntfy-sh/default.nix +++ b/configuration/services/ntfy-sh/default.nix @@ -137,17 +137,17 @@ in "curl", "--silent", "--show-error", - f"--max-time {timeout}", + f"--max-time {2 + timeout}", "-u tlater:insecure", f"http://ntfy.testHost/{topic}/json", - "> messages" + "-o messages" ] client.succeed(f'{" ".join(systemd_invocation)} "{" ".join(curl)}"') # Give some slack so the host doesn't send messages before # we're listening - time.sleep(1) + time.sleep(2) yield From 95c752b3aa92ef7667b9e3b878c06b2d4d22a229 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 3 Feb 2026 06:35:46 +0800 Subject: [PATCH 16/24] fix(webserver): Explicitly add serde feature to `url` --- pkgs/packages/webserver/Cargo.lock | 1 + pkgs/packages/webserver/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/packages/webserver/Cargo.lock b/pkgs/packages/webserver/Cargo.lock index 34ef787..9604787 100644 --- a/pkgs/packages/webserver/Cargo.lock +++ b/pkgs/packages/webserver/Cargo.lock @@ -2981,6 +2981,7 @@ dependencies = [ "idna", "percent-encoding", "serde", + "serde_derive", ] [[package]] diff --git a/pkgs/packages/webserver/Cargo.toml b/pkgs/packages/webserver/Cargo.toml index 6b53991..107cf18 100644 --- a/pkgs/packages/webserver/Cargo.toml +++ b/pkgs/packages/webserver/Cargo.toml 
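Review bot: The `2` in `f"--max-time {2 + timeout}"` and the `2` in `time.sleep(2)` look like the same slack value, but nothing ties them together, so a later tweak to one can leave curl's deadline shorter than the sleep plus the caller's timeout. Binding it once, e.g. `slack = 2`, then `f"--max-time {slack + timeout}"` and `time.sleep(slack)`, makes that relationship explicit. The existing comment already says the sleep papers over a listener-startup race, so a fixed delay may still flake on a slow test host. The enclosing function and `systemd_invocation` are defined outside the hunk, so the directory that the relative `-o messages` path resolves against cannot be confirmed from here.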
@@ -19,7 +19,7 @@ reqwest = "0.12.24" serde = { version = "1.0.228", features = ["derive"] } thiserror = "2.0.17" tokio = { version = "1.48.0", features = ["rt-multi-thread"], optional = true } -url = "2.5.7" +url = { version = "2.5.7", features = ["serde"] } wasm-bindgen = { version = "=0.2.100", optional = true } web-sys = "^0.3.77" From 710fe841d6fb55d7640e40b4ae900f30b1bad07d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 3 Feb 2026 06:36:05 +0800 Subject: [PATCH 17/24] fix(webserver): Fix warnings during the build --- pkgs/packages/webserver/package.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/packages/webserver/package.nix b/pkgs/packages/webserver/package.nix index 111dc38..9deeb2b 100644 --- a/pkgs/packages/webserver/package.nix +++ b/pkgs/packages/webserver/package.nix @@ -237,7 +237,11 @@ rustPlatform.buildRustPackage (drv: { buildPhase = '' runHook preBuild + + # dart-sass and wasm-pack want a home directory to put cache files + export HOME=$(mktemp -d) cargo leptos build --release + runHook postBuild ''; From 23bb3f091e0d64a477d27e2276423931f74c8b7e Mon Sep 17 00:00:00 2001 
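Review bot: `export HOME=$(mktemp -d)` in `buildPhase` hand-rolls what nixpkgs provides as `writableTmpDirAsHomeHook`. Adding that hook to `nativeBuildInputs` gives every phase a writable throwaway `HOME`, not only the build, and keeps tool caches inside the build sandbox. If the inline form stays, `HOME="$(mktemp -d)"; export HOME` stops `export` from masking a failing `mktemp`. The rest of the derivation is outside the hunk, so whether `nativeBuildInputs` is already declared there cannot be seen from here.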
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 18 Feb 2026 16:19:57 +0800 Subject: [PATCH 18/24] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/71a3fc97d80881e91710fe721f1158d3b96ae14d?narHash=sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE%3D' (2026-01-27) → 'github:nix-community/disko/92fceb111901a6f13e81199be4fab95fce86a5c9?narHash=sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4%3D' (2026-02-17) • Updated input 'nixpkgs': 'https://releases.nixos.org/nixos/25.11/nixos-25.11.5065.41e216c0ca66/nixexprs.tar.xz?narHash=sha256-OGuC%2BgtMQt8j7FPOx3p5ASig%2BSkaXnpf9yNjRpetg4Y%3D' (2026-01-31) → 'https://releases.nixos.org/nixos/25.11/nixos-25.11.6074.fa56d7d6de78/nixexprs.tar.xz?narHash=sha256-G2qGwj2t77kM0hZatRrTp2%2B50obn4ssSXoLCrJKZtgQ%3D' (2026-02-16) • Updated input 'sops-nix': 'github:Mic92/sops-nix/1e89149dcfc229e7e2ae24a8030f124a31e4f24f?narHash=sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew%3D' (2026-02-01) → 'github:Mic92/sops-nix/2d0cf89b4404529778bc82de7e42b5754e0fe4fa?narHash=sha256-UFc4lfGBr%2BwJmwgDGJDn1cVD6DTr0/8TdronNUiyXlU%3D' (2026-02-15) --- flake.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index 19b5cf5..b7ae789 100644 --- a/flake.lock +++ b/flake.lock @@ -123,11 +123,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1771355198, + "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9", "type": "github" }, "original": { 
@@ -255,11 +255,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1769900590, - "narHash": "sha256-OGuC+gtMQt8j7FPOx3p5ASig+SkaXnpf9yNjRpetg4Y=", - "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", + "lastModified": 1771208521, + "narHash": "sha256-G2qGwj2t77kM0hZatRrTp2+50obn4ssSXoLCrJKZtgQ=", + "rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.5065.41e216c0ca66/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6074.fa56d7d6de78/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -344,11 +344,11 @@ ] }, "locked": { - "lastModified": 1769921679, - "narHash": "sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew=", + "lastModified": 1771166946, + "narHash": "sha256-UFc4lfGBr+wJmwgDGJDn1cVD6DTr0/8TdronNUiyXlU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "1e89149dcfc229e7e2ae24a8030f124a31e4f24f", + "rev": "2d0cf89b4404529778bc82de7e42b5754e0fe4fa", "type": "github" }, "original": { From f7a64063bb3a461c13a4e7636a8925f991d172b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 18 Feb 2026 16:25:58 +0800 Subject: [PATCH 19/24] update(pkgs): Update sources of all downstream packages --- pkgs/packages/crowdsec-hub.nix | 4 +- pkgs/packages/webserver/Cargo.lock | 427 ++++++++++++++++++++--------- 2 files changed, 299 insertions(+), 132 deletions(-) diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix index f551f1f..2b193fd 100644 --- a/pkgs/packages/crowdsec-hub.nix +++ b/pkgs/packages/crowdsec-hub.nix @@ -14,8 +14,8 @@ stdenvNoCC.mkDerivation (drv: { src = fetchFromGitHub { owner = "crowdsecurity"; repo = "hub"; - rev = "acfabfa095700d52735d0359037e51ea8dd25297"; - hash = "sha256-dcPMyMvxLYQV0AFDbzsLW7HLvUUFUSFRTxw1dOy70vk="; + rev = "7f724f92c79ce743ef9c7020cce228f98cca6afa"; + hash = "sha256-xWl3gmDicwjjrK3kto5tIJB/LLttaf+GYYgFqo8r9sw="; }; installPhase = '' 
diff --git a/pkgs/packages/webserver/Cargo.lock b/pkgs/packages/webserver/Cargo.lock index 9604787..790783b 100644 --- a/pkgs/packages/webserver/Cargo.lock +++ b/pkgs/packages/webserver/Cargo.lock @@ -25,9 +25,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.100" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" +checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea" [[package]] name = "async-lock" @@ -184,9 +184,9 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" [[package]] name = "bitflags" -version = "2.10.0" +version = "2.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3" +checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" [[package]] name = "block-buffer" @@ -211,9 +211,9 @@ checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec" [[package]] name = "bytes" -version = "1.11.0" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3" +checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33" [[package]] name = "camino" @@ -223,9 +223,9 @@ checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48" [[package]] name = "cc" -version = "1.2.55" +version = "1.2.56" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" +checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2" dependencies = [ "find-msvc-tools", "shlex", @@ -278,7 +278,7 @@ dependencies = [ "convert_case 0.6.0", "pathdiff", "serde_core", - "toml 0.9.11+spec-1.1.0", + "toml 0.9.12+spec-1.1.0", "winnow", ] 
@@ -344,13 +344,22 @@ dependencies = [ [[package]] name = "convert_case" -version = "0.10.0" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9" +checksum = "affbf0190ed2caf063e3def54ff444b449371d55c58e513a95ab98eca50adb49" dependencies = [ "unicode-segmentation", ] +[[package]] +name = "convert_case_extras" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "589c70f0faf8aa9d17787557d5eae854d7755cac50f5c3d12c81d3d57661cebb" +dependencies = [ + "convert_case 0.11.0", +] + [[package]] name = "core-foundation" version = "0.9.4" @@ -361,6 +370,16 @@ dependencies = [ "libc", ] +[[package]] +name = "core-foundation" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.7" @@ -550,6 +569,12 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foldhash" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" + [[package]] name = "foreign-types" version = "0.3.2" @@ -576,9 +601,9 @@ dependencies = [ [[package]] name = "futures" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876" +checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d" dependencies = [ "futures-channel", "futures-core", 
@@ -591,9 +616,9 @@ dependencies = [ [[package]] name = "futures-channel" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" +checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" dependencies = [ "futures-core", "futures-sink", @@ -601,33 +626,32 @@ dependencies = [ [[package]] name = "futures-core" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" +checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" [[package]] name = "futures-executor" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f" +checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d" dependencies = [ "futures-core", "futures-task", "futures-util", - "num_cpus", ] [[package]] name = "futures-io" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6" +checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" [[package]] name = "futures-macro" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" +checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b" dependencies = [ "proc-macro2", "quote", 
@@ -636,21 +660,21 @@ dependencies = [ [[package]] name = "futures-sink" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" +checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893" [[package]] name = "futures-task" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" +checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393" [[package]] name = "futures-util" -version = "0.3.31" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" +checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" dependencies = [ "futures-channel", "futures-core", @@ -660,7 +684,6 @@ dependencies = [ "futures-task", "memchr", "pin-project-lite", - "pin-utils", "slab", ] @@ -701,6 +724,19 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "getrandom" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec" +dependencies = [ + "cfg-if", + "libc", + "r-efi", + "wasip2", + "wasip3", +] + [[package]] name = "gloo-net" version = "0.6.0" @@ -766,6 +802,15 @@ version = "0.14.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" +[[package]] +name = "hashbrown" +version = "0.15.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" +dependencies = [ + "foldhash", +] + [[package]] name = "hashbrown" version = "0.16.1" 
@@ -773,10 +818,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" [[package]] -name = "hermit-abi" -version = "0.5.2" +name = "heck" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" [[package]] name = "html-escape" @@ -1016,6 +1061,12 @@ dependencies = [ "zerovec", ] +[[package]] +name = "id-arena" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954" + [[package]] name = "idna" version = "1.1.0" @@ -1045,6 +1096,8 @@ checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017" dependencies = [ "equivalent", "hashbrown 0.16.1", + "serde", + "serde_core", ] [[package]] @@ -1109,6 +1162,12 @@ dependencies = [ "wasm-bindgen", ] +[[package]] +name = "leb128fmt" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" + [[package]] name = "leptos" version = "0.8.14" 
@@ -1177,22 +1236,22 @@ dependencies = [ [[package]] name = "leptos_config" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "071fc40aeb9fcab885965bad1887990477253ad51f926cd19068f45a44c59e89" +checksum = "19a2ac32008dda0d657f2147cc33336f4e743e091597db10f7a99d668e92a46d" dependencies = [ "config", "regex", "serde", "thiserror 2.0.18", - "typed-builder 0.21.2", + "typed-builder 0.23.2", ] [[package]] name = "leptos_dom" -version = "0.8.7" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78f4330c88694c5575e0bfe4eecf81b045d14e76a4f8b00d5fd2a63f8779f895" +checksum = "35742e9ed8f8aaf9e549b454c68a7ac0992536e06856365639b111f72ab07884" dependencies = [ "js-sys", "or_poisoned", @@ -1205,14 +1264,14 @@ dependencies = [ [[package]] name = "leptos_hot_reload" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d61ec3e1ff8aaee8c5151688550c0363f85bc37845450764c31ff7584a33f38" +checksum = "9d2a0f220c8a5ef3c51199dfb9cdd702bc0eb80d52fbe70c7890adfaaae8a4b1" dependencies = [ "anyhow", "camino", "indexmap", - "parking_lot", + "or_poisoned", "proc-macro2", "quote", "rstml", @@ -1238,13 +1297,14 @@ dependencies = [ [[package]] name = "leptos_macro" -version = "0.8.14" +version = "0.8.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c86ffd2e9cf3e264e9b3e16bdb086cefa26bd0fa7bc6a26b0cc5f6c1fd3178ed" +checksum = "712325a77f1d050bf2897061ccaf2b075930aab36954980d658f04452686c474" dependencies = [ "attribute-derive", "cfg-if", - "convert_case 0.10.0", + "convert_case 0.11.0", + "convert_case_extras", "html-escape", "itertools", "leptos_hot_reload", 
@@ -1333,15 +1393,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.180" +version = "0.2.182" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" - -[[package]] -name = "linear-map" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfae20f6b19ad527b550c223fddc3077a547fc70cda94b9b566575423fd303ee" +checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" [[package]] name = "linux-raw-sys" @@ -1420,9 +1474,9 @@ checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3" [[package]] name = "memchr" -version = "2.7.6" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" [[package]] name = "mime" @@ -1470,9 +1524,9 @@ dependencies = [ [[package]] name = "native-tls" -version = "0.2.14" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e" +checksum = "9d5d26952a508f321b4d3d2e80e78fc2603eaefcdf0c30783867f19586518bdc" dependencies = [ "libc", "log", @@ -1491,16 +1545,6 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "60993920e071b0c9b66f14e2b32740a4e27ffc82854dcd72035887f336a09a28" -[[package]] -name = "num_cpus" -version = "1.17.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91df4bbde75afed763b708b7eee1e8e7651e02d97f6d5dd763e89367e957b23b" -dependencies = [ - "hermit-abi", - "libc", -] - [[package]] name = "oco_ref" version = "0.2.1" 
@@ -1545,9 +1589,9 @@ dependencies = [ [[package]] name = "openssl-probe" -version = "0.1.6" +version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" +checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" [[package]] name = "openssl-sys" @@ -1899,9 +1943,9 @@ dependencies = [ [[package]] name = "reactive_graph" -version = "0.2.11" +version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4043190442021086719fb9183daacb050f44d4ed8d3a1c8534e366d45dd95c29" +checksum = "35774620b3da884a07341e9e36612e1509b1eb0553ef3bb76f1547dd1b797417" dependencies = [ "any_spawner", "async-lock", @@ -1923,9 +1967,9 @@ dependencies = [ [[package]] name = "reactive_stores" -version = "0.3.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25b73d94139821e0a2f31fb4e0eaf6ebbcf4d15c5e2fb353dc3babd4f6d35674" +checksum = "35372f05664a62a3dd389503371a15b8feb3396f99f6ec000de651fddb030942" dependencies = [ "dashmap", "guardian", @@ -1962,9 +2006,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.12.2" +version = "1.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "843bc0191f75f3e22651ae5f1e72939ab2f72a4bc30fa80a066bd66edefc24d4" +checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276" dependencies = [ "aho-corasick", "memchr", @@ -1974,9 +2018,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.13" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c" +checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f" dependencies = [ "aho-corasick", "memchr", 
@@ -1985,9 +2029,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58" +checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c" [[package]] name = "reqwest" @@ -2135,9 +2179,9 @@ checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" [[package]] name = "ryu" -version = "1.0.22" +version = "1.0.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984" +checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f" [[package]] name = "same-file" @@ -2165,12 +2209,12 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "security-framework" -version = "2.11.1" +version = "3.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" +checksum = "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.10.1", "core-foundation-sys", "libc", "security-framework-sys", @@ -2178,9 +2222,9 @@ dependencies = [ [[package]] name = "security-framework-sys" -version = "2.15.0" +version = "2.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0" +checksum = "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a" dependencies = [ "core-foundation-sys", "libc", 
@@ -2338,12 +2382,12 @@ dependencies = [ [[package]] name = "server_fn_macro" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "950b8cfc9ff5f39ca879c5a7c5e640de2695a199e18e424c3289d0964cabe642" +checksum = "14faf423aab09f8c3eb2d9785bb37f11a255cdf01857d3c6083eacc82269c191" dependencies = [ "const_format", - "convert_case 0.8.0", + "convert_case 0.11.0", "proc-macro2", "quote", "rustc_version", @@ -2440,9 +2484,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.114" +version = "2.0.116" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" +checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb" dependencies = [ "proc-macro2", "quote", @@ -2488,7 +2532,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" dependencies = [ "bitflags", - "core-foundation", + "core-foundation 0.9.4", "system-configuration-sys", ] @@ -2504,9 +2548,9 @@ dependencies = [ [[package]] name = "tachys" -version = "0.2.11" +version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2b2db11e455f7e84e2cc3e76f8a3f3843f7956096265d5ecff781eabe235077" +checksum = "14691ce610071757bd17bd8d572065192c9c93f9f169125390aaea345a4c56b9" dependencies = [ "any_spawner", "async-trait", @@ -2519,11 +2563,9 @@ dependencies = [ "indexmap", "itertools", "js-sys", - "linear-map", "next_tuple", "oco_ref", "or_poisoned", - "parking_lot", "paste", "reactive_graph", "reactive_stores", 
@@ -2538,12 +2580,12 @@ dependencies = [ [[package]] name = "tempfile" -version = "3.24.0" +version = "3.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c" +checksum = "0136791f7c95b1f6dd99f9cc786b91bb81c3800b639b3478e561ddb7be95e5f1" dependencies = [ "fastrand", - "getrandom 0.3.4", + "getrandom 0.4.1", "once_cell", "rustix", "windows-sys 0.61.2", @@ -2729,9 +2771,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.9.11+spec-1.1.0" +version = "0.9.12+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46" +checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863" dependencies = [ "serde_core", "serde_spanned 1.0.4", @@ -2774,9 +2816,9 @@ dependencies = [ [[package]] name = "toml_parser" -version = "1.0.6+spec-1.1.0" +version = "1.0.9+spec-1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44" +checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4" dependencies = [ "winnow", ] @@ -2886,15 +2928,6 @@ dependencies = [ "utf-8", ] -[[package]] -name = "typed-builder" -version = "0.21.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fef81aec2ca29576f9f6ae8755108640d0a86dd3161b2e8bca6cfa554e98f77d" -dependencies = [ - "typed-builder-macro 0.21.2", -] - [[package]] name = "typed-builder" version = "0.22.0" 
@@ -2905,10 +2938,19 @@ dependencies = [ ] [[package]] -name = "typed-builder-macro" -version = "0.21.2" +name = "typed-builder" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ecb9ecf7799210407c14a8cfdfe0173365780968dc57973ed082211958e0b18" +checksum = "31aa81521b70f94402501d848ccc0ecaa8f93c8eb6999eb9747e72287757ffda" +dependencies = [ + "typed-builder-macro 0.23.2", +] + +[[package]] +name = "typed-builder-macro" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0e48cea23f68d1f78eb7bc092881b6bb88d3d6b5b7e6234f6f9c911da1ffb221" dependencies = [ "proc-macro2", "quote", @@ -2917,9 +2959,9 @@ dependencies = [ [[package]] name = "typed-builder-macro" -version = "0.22.0" +version = "0.23.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e48cea23f68d1f78eb7bc092881b6bb88d3d6b5b7e6234f6f9c911da1ffb221" +checksum = "076a02dc54dd46795c2e9c8282ed40bcfb1e22747e955de9389a1de28190fb26" dependencies = [ "proc-macro2", "quote", @@ -2949,9 +2991,9 @@ checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c76001afab07a0d35ce60142" [[package]] name = "unicode-ident" -version = "1.0.22" +version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5" +checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" [[package]] name = "unicode-segmentation" @@ -3004,11 +3046,11 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" [[package]] name = "uuid" -version = "1.20.0" +version = "1.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f" +checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb" dependencies = [ - "getrandom 0.3.4", + "getrandom 0.4.1", "js-sys", "wasm-bindgen", ] 
@@ -3059,6 +3101,15 @@ dependencies = [ "wit-bindgen", ] +[[package]] +name = "wasip3" +version = "0.4.0+wasi-0.3.0-rc-2026-01-06" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5" +dependencies = [ + "wit-bindgen", +] + [[package]] name = "wasm-bindgen" version = "0.2.100" @@ -3130,6 +3181,28 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "wasm-encoder" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319" +dependencies = [ + "leb128fmt", + "wasmparser", +] + +[[package]] +name = "wasm-metadata" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909" +dependencies = [ + "anyhow", + "indexmap", + "wasm-encoder", + "wasmparser", +] + [[package]] name = "wasm-streams" version = "0.4.2" @@ -3165,6 +3238,18 @@ dependencies = [ "syn", ] +[[package]] +name = "wasmparser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe" +dependencies = [ + "bitflags", + "hashbrown 0.15.5", + "indexmap", + "semver", +] + [[package]] name = "web-sys" version = "0.3.77" @@ -3187,9 +3272,9 @@ dependencies = [ [[package]] name = "webpki-roots" -version = "1.0.5" +version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12bed680863276c63889429bfd6cab3b99943659923822de1c8a39c49e4d722c" +checksum = "22cfaf3c063993ff62e73cb4311efde4db1efb31ab78a3e5c457939ad5cc0bed" dependencies = [ "rustls-pki-types", ] 
@@ -3408,6 +3493,88 @@ name = "wit-bindgen" version = "0.51.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" +dependencies = [ + "wit-bindgen-rust-macro", +] + +[[package]] +name = "wit-bindgen-core" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc" +dependencies = [ + "anyhow", + "heck", + "wit-parser", +] + +[[package]] +name = "wit-bindgen-rust" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21" +dependencies = [ + "anyhow", + "heck", + "indexmap", + "prettyplease", + "syn", + "wasm-metadata", + "wit-bindgen-core", + "wit-component", +] + +[[package]] +name = "wit-bindgen-rust-macro" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a" +dependencies = [ + "anyhow", + "prettyplease", + "proc-macro2", + "quote", + "syn", + "wit-bindgen-core", + "wit-bindgen-rust", +] + +[[package]] +name = "wit-component" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2" +dependencies = [ + "anyhow", + "bitflags", + "indexmap", + "log", + "serde", + "serde_derive", + "serde_json", + "wasm-encoder", + "wasm-metadata", + "wasmparser", + "wit-parser", +] + +[[package]] +name = "wit-parser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736" +dependencies = [ + "anyhow", + "id-arena", + "indexmap", + "log", + "semver", + "serde", + "serde_derive", + "serde_json", + "unicode-xid", + "wasmparser", +] [[package]] name = "writeable" 
@@ -3452,18 +3619,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.37" +version = "0.8.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7456cf00f0685ad319c5b1693f291a650eaf345e941d082fc4e03df8a03996ac" +checksum = "db6d35d663eadb6c932438e763b262fe1a70987f9ae936e60158176d710cae4a" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.37" +version = "0.8.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1328722bbf2115db7e19d69ebcc15e795719e2d66b60827c6a69a117365e37a0" +checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517" dependencies = [ "proc-macro2", "quote", @@ -3532,6 +3699,6 @@ dependencies = [ [[package]] name = "zmij" -version = "1.0.19" +version = "1.0.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3ff05f8caa9038894637571ae6b9e29466c1f4f829d26c9b28f869a29cbe3445" +checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa" From 10e72d3c19cb99731f678758510bbf377eabf65b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Fri, 20 Feb 2026 05:33:26 +0800 Subject: [PATCH 20/24] refactor(flake.nix): Use flake-parts to simplify flake.nix --- checks/default.nix | 113 +++++++++----- checks/lib.nix | 35 ----- .../hardware-specific/hetzner/default.nix | 1 + .../hardware-specific/hetzner/vm.nix | 70 +++++++++ configuration/hardware-specific/vm.nix | 69 --------- dev-utils.nix | 43 ++++++ flake.lock | 32 ++-- flake.nix | 139 +++--------------- flakeModules/deploy-rs.nix | 136 +++++++++++++++++ pkgs/default.nix | 13 +- 10 files changed, 380 insertions(+), 271 deletions(-) delete mode 100644 checks/lib.nix create mode 100644 configuration/hardware-specific/hetzner/vm.nix delete mode 100644 configuration/hardware-specific/vm.nix create mode 100644 dev-utils.nix create mode 100644 flakeModules/deploy-rs.nix 
diff --git a/checks/default.nix b/checks/default.nix index 737313d..03e5b6b 100644 --- a/checks/default.nix +++ b/checks/default.nix 
@@ -1,47 +1,82 @@ -{ flake-inputs }: -let - inherit (flake-inputs.nixpkgs) lib; - pkgs = flake-inputs.nixpkgs.legacyPackages.x86_64-linux; - checkLib = pkgs.callPackage ./lib.nix { }; -in +{ self, ... }: { - x86_64-linux = lib.mergeAttrsList [ - flake-inputs.self.nixosConfigurations.hetzner-1.config.serviceTests - + perSystem = { - nix = checkLib.mkLint { - name = "nix-lints"; - fileset = lib.fileset.fileFilter (file: file.hasExt "nix") ../.; + inputs', + lib, + pkgs, + ... + }: + let + mkLint = + { + name, + fileset, + checkInputs ? [ ], + script, + }: + pkgs.stdenvNoCC.mkDerivation { + inherit name; - checkInputs = lib.attrValues { - inherit (pkgs) deadnix nixfmt-rfc-style; + src = lib.fileset.toSource { + root = ../.; + fileset = lib.fileset.difference fileset ( + lib.fileset.fileFilter ( + file: file.type != "regular" || file.name == "hardware-configuration.nix" + ) ../. + ); + }; - statix = pkgs.statix.overrideAttrs (old: { - patches = old.patches ++ [ - (pkgs.fetchpatch { - url = "https://github.com/oppiliappan/statix/commit/925dec39bb705acbbe77178b4d658fe1b752abbb.patch"; - hash = "sha256-0wacO6wuYJ4ufN9PGucRVJucFdFFNF+NoHYIrLXsCWs="; - }) - ]; - }); + checkInputs = [ pkgs.nushell ] ++ checkInputs; + + checkPhase = '' + nu -c '${script}' | tee $out + ''; + + dontPatch = true; + dontConfigure = true; + dontBuild = true; + dontInstall = true; + dontFixup = true; + doCheck = true; + }; + in + { + checks = { + nix = mkLint { + name = "nix-lints"; + fileset = lib.fileset.fileFilter (file: file.hasExt "nix") ../.; + + checkInputs = lib.attrValues { + inherit (pkgs) deadnix nixfmt-rfc-style; + + statix = pkgs.statix.overrideAttrs (old: { + patches = old.patches ++ [ + (pkgs.fetchpatch { + url = "https://github.com/oppiliappan/statix/commit/925dec39bb705acbbe77178b4d658fe1b752abbb.patch"; + hash = "sha256-0wacO6wuYJ4ufN9PGucRVJucFdFFNF+NoHYIrLXsCWs="; + }) + ]; + }); + }; + + script = /* bash */ '' + statix check **/*.nix + deadnix --fail **/*.nix + nixfmt --check 
--strict **/*.nix + ''; }; - script = '' - statix check **/*.nix - deadnix --fail **/*.nix - nixfmt --check --strict **/*.nix - ''; - }; + lockfile = mkLint { + name = "nix-lockfile"; + fileset = ../flake.lock; + checkInputs = lib.attrValues { inherit (inputs'.flint.packages) flint; }; - lockfile = checkLib.mkLint { - name = "nix-lockfile"; - fileset = ../flake.lock; - checkInputs = lib.attrValues { inherit (flake-inputs.flint.packages.x86_64-linux) flint; }; - - script = '' - flint --fail-if-multiple-versions - ''; - }; - } - ]; + script = /* bash */ '' + flint --fail-if-multiple-versions + ''; + }; + } + // self.nixosConfigurations.hetzner-1.config.serviceTests; + }; } diff --git a/checks/lib.nix b/checks/lib.nix deleted file mode 100644 index d38cd21..0000000 --- a/checks/lib.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ pkgs, lib, ... }: -{ - mkLint = - { - name, - fileset, - checkInputs ? [ ], - script, - }: - pkgs.stdenvNoCC.mkDerivation { - inherit name; - - src = lib.fileset.toSource { - root = ../.; - fileset = lib.fileset.difference fileset ( - lib.fileset.fileFilter ( - file: file.type != "regular" || file.name == "hardware-configuration.nix" - ) ../. - ); - }; - - checkInputs = [ pkgs.nushell ] ++ checkInputs; - - checkPhase = '' - nu -c '${script}' | tee $out - ''; - - dontPatch = true; - dontConfigure = true; - dontBuild = true; - dontInstall = true; - dontFixup = true; - doCheck = true; - }; -} diff --git a/configuration/hardware-specific/hetzner/default.nix b/configuration/hardware-specific/hetzner/default.nix index 4d0408c..3b60011 100644 --- a/configuration/hardware-specific/hetzner/default.nix +++ b/configuration/hardware-specific/hetzner/default.nix @@ -2,6 +2,7 @@ imports = [ ./hardware-configuration.nix ./disko.nix + ./vm.nix ]; # Intel's special encrypted memory<->CPU feature. Hetzner's BIOS diff --git a/configuration/hardware-specific/hetzner/vm.nix b/configuration/hardware-specific/hetzner/vm.nix new file mode 100644 index 0000000..7ecf8f8 
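Review bot: In `mkLint`, the `checkPhase` splices the lint script into a single-quoted shell word (`nu -c '${script}' | tee $out`), so a script containing a `'` ends the quoting early and the rest is parsed by the builder's shell instead of nushell. Quoting it with the library helper avoids that: `nu -c ${lib.escapeShellArg script} | tee $out`. The `/* bash */` annotations on the two `script` strings are also misleading, because the text is run by `nu -c` and the `**/*.nix` globs are expanded by nushell; `/* nu */` or no annotation would match what actually runs.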
--- /dev/null
+++ b/configuration/hardware-specific/hetzner/vm.nix
@@ -0,0 +1,70 @@
+{ lib, ... }:
+{
+ virtualisation.vmVariant = {
+ users.users.tlater.password = "insecure";
+
+ # Disable graphical tty so -curses works
+ boot.kernelParams = [ "nomodeset" ];
+
+ networking.hostName = lib.mkForce "testvm";
+
+ services = {
+ # Sets the base domain for nginx to a local domain so that we can
+ # easily test locally with the VM.
+ nginx.domain = lib.mkForce "dev.local";
+
+ # Don't run this
+ batteryManager.enable = lib.mkForce false;
+ btrfs.autoScrub.enable = lib.mkForce false;
+
+ openssh.hostKeys = lib.mkForce [
+ {
+ type = "rsa";
+ bits = 4096;
+ path = "/etc/staging.key";
+ }
+ ];
+ };
+
+ # Use the staging secrets
+ sops.defaultSopsFile = lib.mkOverride 99 ../../../keys/staging.yaml;
+
+ systemd.network.networks."10-eth0" = {
+ matchConfig.Name = "eth0";
+ gateway = [ "192.168.9.1" ];
+ networkConfig = {
+ Address = "192.168.9.2/24";
+ };
+ };
+
+ # Both so we have a predictable key for the staging env, as well as
+ # to have a static key for decrypting the sops secrets for the
+ # staging env.
+ environment.etc."staging.key" = {
+ mode = "0400";
+ source = ../../../keys/hosts/staging.key;
+ };
+
+ # Pretend the acme renew succeeds.
+ #
+ # TODO(tlater): Set up pebble to retrieve certs "properly"
+ # instead
+ systemd.services."acme-order-renew-tlater.net".script = ''
+ touch out/acme-success
+ '';
+
+ virtualisation = {
+ memorySize = 3941;
+ cores = 2;
+ graphics = false;
+ diskSize = 1024 * 20;
+
+ qemu = {
+ networkingOptions = lib.mkForce [
+ "-device virtio-net,netdev=n1"
+ "-netdev bridge,id=n1,br=br0,helper=$(which qemu-bridge-helper)"
+ ];
+ };
+ };
+ };
+}
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
deleted file mode 100644
index 70c1b58..0000000
--- a/configuration/hardware-specific/vm.nix
+++ /dev/null
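Review bot: Nothing in the new `hetzner/vm.nix` documents that the `virtualisation.vmVariant` wrapper is the only thing keeping `users.users.tlater.password = "insecure"` and the committed `staging.key` host key out of the real system, now that `hetzner/default.nix` imports the file unconditionally. A header comment would make that invariant explicit, e.g. `# VM-only overrides: keep everything inside virtualisation.vmVariant; this sets a known password and a host key that is committed to the repository.` Because `source = ../../../keys/hosts/staging.key` is a path literal, the key is also copied into the world-readable Nix store regardless of `mode = "0400"`, which is worth stating next to the existing comment so the key is never reused outside staging. Separately, `systemd.services."acme-order-renew-tlater.net".script` is set without `lib.mkForce` while the neighbouring overrides gained it; if the ACME module also defines `script`, the two definitions would presumably be merged rather than replaced, which is worth confirming.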
@@ -1,69 +0,0 @@
-{ lib, ... }:
-{
- users.users.tlater.password = "insecure";
-
- # Disable graphical tty so -curses works
- boot.kernelParams = [ "nomodeset" ];
-
- networking.hostName = "testvm";
-
- services = {
- # Sets the base domain for nginx to a local domain so that we can
- # easily test locally with the VM.
- nginx.domain = "dev.local";
-
- # Don't run this
- batteryManager.enable = lib.mkForce false;
-
- openssh.hostKeys = lib.mkForce [
- {
- type = "rsa";
- bits = 4096;
- path = "/etc/staging.key";
- }
- ];
- };
-
- # Use the staging secrets
- sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
-
- systemd.network.networks."10-eth0" = {
- matchConfig.Name = "eth0";
- gateway = [ "192.168.9.1" ];
- networkConfig = {
- Address = "192.168.9.2/24";
- };
- };
-
- # Both so we have a predictable key for the staging env, as well as
- # to have a static key for decrypting the sops secrets for the
- # staging env.
- environment.etc."staging.key" = {
- mode = "0400";
- source = ../../keys/hosts/staging.key;
- };
-
- # Pretend the acme renew succeeds.
- #
- # TODO(tlater): Set up pebble to retrieve certs "properly"
- # instead
- systemd.services."acme-order-renew-tlater.net".script = ''
- touch out/acme-success
- '';
-
- virtualisation.vmVariant = {
- virtualisation = {
- memorySize = 3941;
- cores = 2;
- graphics = false;
- diskSize = 1024 * 20;
- };
-
- virtualisation.qemu = {
- networkingOptions = lib.mkForce [
- "-device virtio-net,netdev=n1"
- "-netdev bridge,id=n1,br=br0,helper=$(which qemu-bridge-helper)"
- ];
- };
- };
-}
diff --git a/dev-utils.nix b/dev-utils.nix
new file mode 100644
index 0000000..bfa0d17
--- /dev/null
+++ b/dev-utils.nix
@@ -0,0 +1,43 @@ +{ self, ... }: +{ + # Systems on which to make dev utilities runnable; anything + # NixOS-related encodes its own system. + systems = [ "x86_64-linux" ]; + + perSystem = + { + inputs', + self', + pkgs, + lib, + ... + }: + { + apps = { + default = self'.apps.runVm; + + runVm = { + type = "app"; + program = lib.getExe self.nixosConfigurations.hetzner-1.config.system.build.vm; + meta.description = "Run the test VM"; + }; + }; + + devShells = { + default = pkgs.mkShell { + sopsPGPKeyDirs = [ + "./keys/hosts/" + "./keys/users/" + ]; + + packages = lib.attrValues { + inherit (inputs'.sops-nix.packages) sops-import-keys-hook sops-init-gpg-key; + inherit (pkgs) deploy-rs; + }; + }; + + minecraft = pkgs.mkShell { packages = lib.attrValues { inherit (pkgs) packwiz; }; }; + webserver = self'.packages.webserver.devShell; + }; + }; +} diff --git a/flake.lock b/flake.lock index b7ae789..3094d19 100644 --- a/flake.lock +++ b/flake.lock @@ -46,7 +46,9 @@ "deploy-rs", "flake-compat" ], - "flake-parts": "flake-parts", + "flake-parts": [ + "flake-parts" + ], "nix-test-runner": "nix-test-runner", "nixpkgs": [ "sonnenshift", @@ -154,18 +156,14 @@ }, "flake-parts": { "inputs": { - "nixpkgs-lib": [ - "sonnenshift", - "crate2nix", - "nixpkgs" - ] + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1712014858, - "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "lastModified": 1769996383, + "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", "type": "github" }, "original": { 
@@ -266,6 +264,21 @@ "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1769909678, + "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "72716169fe93074c333e8d0173151350670b824c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": [ @@ -309,6 +322,7 @@ "inputs": { "deploy-rs": "deploy-rs", "disko": "disko", + "flake-parts": "flake-parts", "flint": "flint", "foundryvtt": "foundryvtt", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 10b52ec..8680b59 100644 --- a/flake.nix +++ b/flake.nix @@ -1,8 +1,7 @@ { - description = "tlater.net host configuration"; - inputs = { nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"; + flake-parts.url = "github:hercules-ci/flake-parts"; ## Nix/OS utilities 
@@ -42,139 +41,49 @@ crate2nix.inputs = { flake-compat.follows = "deploy-rs/flake-compat"; devshell.inputs.flake-utils.follows = "deploy-rs/utils"; + flake-parts.follows = "flake-parts"; }; }; }; }; outputs = - { - self, - nixpkgs, - sops-nix, - ... - }@inputs: - let - system = "x86_64-linux"; - - vm = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs.flake-inputs = inputs; - - modules = [ - ./configuration - ./configuration/hardware-specific/vm.nix + { flake-parts, ... }@inputs: + flake-parts.lib.mkFlake { inherit inputs; } ( + { self, ... }@args: + { + imports = [ + (flake-parts.lib.importApply ./flakeModules/deploy-rs.nix args) + ./checks + ./dev-utils.nix + ./pkgs ]; - }; - # deploy-rs unfortunately uses an `import nixpkgs`, and its - # library functions depend on an instantiated nixpkgs, so we - # can't get around multi-nixpkgs-eval. - inherit - (import nixpkgs { - inherit system; - overlays = [ - inputs.deploy-rs.overlays.default - (_: prev: { - deploy-rs = { - inherit (nixpkgs.legacyPackages.${system}) deploy-rs; - inherit (prev.deploy-rs) lib; - }; - }) - ]; - }) - deploy-rs - ; - in - { - ################## - # Configurations # - ################## - nixosConfigurations = { - # The actual system definition - hetzner-1 = nixpkgs.lib.nixosSystem { - inherit system; + flake.nixosConfigurations.hetzner-1 = inputs.nixpkgs.lib.nixosSystem { specialArgs.flake-inputs = inputs; - modules = [ ./configuration ./configuration/hardware-specific/hetzner ]; }; - }; - ############################ - # Deployment configuration # - ############################ - deploy.nodes = { - hetzner-1 = { + deploy.nodes.hetzner-1 = { hostname = "116.202.158.55"; profiles.system = { user = "root"; - path = deploy-rs.lib.activate.nixos self.nixosConfigurations.hetzner-1; + activation = "nixos"; + closure = self.nixosConfigurations.hetzner-1; + + sshUser = "tlater"; + sshOpts = [ + "-p" + "2222" + "-o" + "ForwardAgent=yes" + ]; }; - - sshUser = "tlater"; - sshOpts = [ - "-p" - 
"2222" - "-o" - "ForwardAgent=yes" - ]; }; - }; - - ######### - # Tests # - ######### - checks = import ./checks { flake-inputs = inputs; }; - - ########################### - # Garbage collection root # - ########################### - - packages.${system} = { - default = vm.config.system.build.vm; } - // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; }; - - ################### - # Utility scripts # - ################### - apps.${system} = { - default = self.apps.${system}.run-vm; - - run-vm = { - type = "app"; - program = - (nixpkgs.legacyPackages.${system}.writeShellScript "" '' - ${vm.config.system.build.vm.outPath}/bin/run-testvm-vm - '').outPath; - }; - }; - - ########################### - # Development environment # - ########################### - devShells.${system} = { - default = nixpkgs.legacyPackages.${system}.mkShell { - sopsPGPKeyDirs = [ - "./keys/hosts/" - "./keys/users/" - ]; - - packages = nixpkgs.lib.attrValues { - inherit (sops-nix.packages.${system}) sops-import-keys-hook sops-init-gpg-key; - inherit (deploy-rs) deploy-rs; - }; - }; - - minecraft = nixpkgs.legacyPackages.${system}.mkShell { - packages = nixpkgs.lib.attrValues { inherit (nixpkgs.legacyPackages.${system}) packwiz; }; - }; - - webserver = self.packages.${system}.webserver.devShell; - }; - }; + ); } diff --git a/flakeModules/deploy-rs.nix b/flakeModules/deploy-rs.nix new file mode 100644 index 0000000..abee5a8 --- /dev/null +++ b/flakeModules/deploy-rs.nix 
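Review bot: `"-o" "ForwardAgent=yes"` in `deploy.nodes.hetzner-1.profiles.system.sshOpts` is carried over without explanation, and it exposes the deployer's SSH agent to anything running as root on the target for the duration of each deploy. If it is there so that `sshUser = "tlater"` can become `user = "root"` through agent-based sudo authentication (my guess; the hunk does not say), a comment such as `# ForwardAgent is required for sudo via the SSH agent; deploy with a dedicated agent/key only` would record that. It is also worth checking that the key offered during deploys is not accepted by other hosts, since a forwarded agent can be used to authenticate onward while the session is open.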
@@ -0,0 +1,136 @@ +{ lib, ... }@exportingFlake: +let + inherit (lib) mkOption types; + + deploy-rs-for-system = + system: + (import exportingFlake.inputs.nixpkgs { + inherit system; + overlays = [ + exportingFlake.inputs.deploy-rs.overlays.default + (_final: prev: { + deploy-rs = { + inherit (exportingFlake.inputs.nixpkgs.legacyPackages.${system}) deploy-rs; + inherit (prev.deploy-rs) lib; + }; + }) + ]; + }).deploy-rs; +in +{ config, ... }: +let + cfg = config.deploy; +in +{ + options.deploy = + let + genericOptions = + let + mkGenericOption = + type: + mkOption { + type = types.nullOr type; + default = null; + }; + in + { + options = { + sshUser = mkGenericOption types.str; + user = mkGenericOption types.str; + sshOpts = mkGenericOption (types.listOf types.str); + fastConnection = mkGenericOption types.bool; + autoRollback = mkGenericOption types.bool; + magicRollback = mkGenericOption types.bool; + confirmTimeout = mkGenericOption types.int; + activationTimeout = mkGenericOption types.int; + tempPath = mkGenericOption types.str; + interactiveSudo = mkGenericOption types.bool; + }; + }; + + profileModule = + { config, ... 
}: + { + imports = [ genericOptions ]; + + options = { + activation = mkOption { + type = types.oneOf [ + (types.enum [ + "nixos" + "home-manager" + "darwin" + "noop" + ]) + ]; + }; + + closure = mkOption { type = types.raw; }; + + profilePath = mkOption { + type = types.nullOr types.str; + default = null; + }; + + path = mkOption { + type = types.raw; + internal = true; + }; + }; + + config = + let + inherit (config.closure.config.nixpkgs.hostPlatform) system; + deploy-rs = deploy-rs-for-system system; + in + lib.mkMerge [ + (lib.mkIf (lib.elem config.activation [ + "nixos" + "home-manager" + "darwin" + "noop" + ]) { path = deploy-rs.lib.activate.${config.activation} config.closure; }) + ]; + }; + + nodeModule = { + imports = [ genericOptions ]; + + options = { + hostname = mkOption { type = types.str; }; + + profilesOrder = mkOption { + type = types.listOf types.str; + default = [ ]; + }; + + profiles = mkOption { + type = types.attrsOf (types.submoduleWith { modules = [ profileModule ]; }); + + apply = lib.mapAttrs ( + _: profile: + lib.filterAttrs ( + name: val: + !(lib.elem name [ + "activation" + "closure" + ]) + && val != null + ) profile + ); + + default = { }; + }; + }; + }; + in + { + nodes = mkOption { + default = { }; + type = types.attrsOf (types.submoduleWith { modules = [ nodeModule ]; }); + apply = lib.mapAttrs (_: node: lib.filterAttrs (_: val: val != null) node); + }; + }; + + config = lib.mkIf (cfg.nodes != { }) { flake.deploy.nodes = cfg.nodes; }; +} diff --git a/pkgs/default.nix b/pkgs/default.nix index 31335a6..46a9b61 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,5 +1,10 @@ -{ pkgs }: -pkgs.lib.packagesFromDirectoryRecursive { - inherit (pkgs) callPackage; - directory = ./packages; +{ + perSystem = + { pkgs, ... }: + { + packages = pkgs.lib.packagesFromDirectoryRecursive { + inherit (pkgs) callPackage; + directory = ./packages; + }; + }; } From 13dc31c671936e2470129b3801bb9b07c55be267 Mon Sep 17 00:00:00 2001 
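Review bot: `inherit (config.closure.config.nixpkgs.hostPlatform) system;` in `profileModule` assumes every closure is a NixOS-style system, yet `activation` also accepts `"home-manager"`, `"darwin"` and `"noop"`. As far as I know `deploy-rs.lib.activate.noop` takes a plain derivation, which has no `.config.nixpkgs.hostPlatform`, so those values would fail deep in evaluation rather than with a clear option error; either narrow the enum to what is actually exercised (`type = types.enum [ "nixos" ];`) or add an explicit `system` option to the profile. The single-element `types.oneOf [ ... ]` and the `lib.mkIf (lib.elem config.activation [ ... ])` inside `lib.mkMerge` are always-true wrappers given the enum and can be dropped. The comment removed from flake.nix explaining why nixpkgs is imported a second time for deploy-rs should be carried over to `deploy-rs-for-system`.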
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 24 Feb 2026 23:39:46 +0800 Subject: [PATCH 21/24] chore: Remove starbound --- configuration/services/configs/starbound.json | 50 ------- configuration/services/default.nix | 1 - configuration/services/starbound.nix | 129 ------------------ 3 files changed, 180 deletions(-) delete mode 100644 configuration/services/configs/starbound.json delete mode 100644 configuration/services/starbound.nix diff --git a/configuration/services/configs/starbound.json b/configuration/services/configs/starbound.json deleted file mode 100644 index d995fdf..0000000 --- a/configuration/services/configs/starbound.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "allowAdminCommands" : true, - "allowAdminCommandsFromAnyone" : false, - "allowAnonymousConnections" : true, - "allowAssetsMismatch" : true, - "anonymousConnectionsAreAdmin" : false, - "bannedIPs" : [], - "bannedUuids" : [], - "checkAssetsDigest" : false, - "clearPlayerFiles" : false, - "clearUniverseFiles" : false, - "clientIPJoinable" : false, - "clientP2PJoinable" : true, - "configurationVersion" : { - "basic" : 2, - "server" : 4 - }, - "crafting" : { - "filterHaveMaterials" : false - }, - "gameServerBind" : "::", - "gameServerPort" : 21025, - "interactiveHighlight" : true, - "inventory" : { - "pickupToActionBar" : true - }, - "maxPlayers" : 8, - "maxTeamSize" : 4, - "monochromeLighting" : false, - "playerBackupFileCount" : 3, - "queryServerBind" : "::", - "queryServerPort" : 21025, - "rconServerBind" : "::", - "rconServerPassword" : "", - "rconServerPort" : 21026, - "rconServerTimeout" : 1000, - "runQueryServer" : false, - "runRconServer" : false, - "safeScripts" : true, - "scriptInstructionLimit" : 10000000, - "scriptInstructionMeasureInterval" : 10000, - "scriptProfilingEnabled" : false, - "scriptRecursionLimit" : 100, - "serverFidelity" : "automatic", - "serverName" : "tlater.net", - "serverOverrideAssetsDigest" : null, - "serverUsers" : { - }, - "tutorialMessages" : true -} 
diff --git a/configuration/services/default.nix b/configuration/services/default.nix
index 1624653..1f343f0 100644
--- a/configuration/services/default.nix
+++ b/configuration/services/default.nix
@@ -12,7 +12,6 @@
 ./minecraft.nix
 ./nextcloud.nix
 ./postgres.nix
- # ./starbound.nix -- Not currently used
 ./webserver.nix
 ./wireguard.nix
 ];
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
deleted file mode 100644
index 888fc3e..0000000
--- a/configuration/services/starbound.nix
+++ /dev/null
@@ -1,129 +0,0 @@ -{ - flake-inputs, - pkgs, - lib, - ... -}: -let - inherit (lib) concatStringsSep; -in -{ - networking.firewall.allowedTCPPorts = [ 21025 ]; - - # Sadly, steam-run requires some X libs - environment.noXlibs = false; - - systemd.services.starbound = { - description = "Starbound"; - after = [ "network.target" ]; - - serviceConfig = { - ExecStart = "${ - flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.starbound - }/bin/launch-starbound ${./configs/starbound.json}"; - - Type = "simple"; - - # Credential loading for steam auth (if necessary; prefer - # anonymous login wherever possible). - LoadCredential = "steam:/run/secrets/steam/tlater"; - - # Security settings - DynamicUser = true; - - # This is where the StateDirectory ends up - WorkingDirectory = "/var/lib/starbound"; - # Creates /var/lib/starbound (or rather, a symlink there to - # /var/lib/private/starbound), and sets it up to be writeable to - # by the dynamic user. - StateDirectory = "starbound"; - - # Note some settings below are basically tautologous with - # `NoNewPrivileges`, but they all work slightly differently so - # add additional layers in case of bugs. - - ## THESE SETTINGS ARE A GOOD IDEA BUT THE STEAM CLIENT IS - ## REALLY, REALLY BAD, AND FOR SOME REASON I NEED TO USE IT TO - ## DOWNLOAD GAME SERVERS AS WELL: - ## - # To guarantee the above (only permits 64-bit syscalls, 32-bit - # syscalls can circumvent the above restrictions). - # - # Obviously, if running a 32 bit game server, change this. - # SystemCallArchitectures = "native"; - # Game servers shouldn't need to create new namespaces ever. - # - # TODO: Since steam uses namespaces for things *entirely - # unrelated* to installing game servers, we need to allow - # namespace access. Ideally I'd instead do this in an - # ExecStartPre, but alas, this isn't possible because of - # https://github.com/systemd/systemd/issues/19604. 
- # - # RestrictNamespaces = true; - - # Don't need to let the game server see other user accounts - PrivateUsers = true; - # *Probably* not harmful for game servers, which probably don't update dynamically - ProtectHostname = true; - # Yeah, if a game server tries to edit the hardware clock something's fishy - ProtectClock = true; - # Don't let game servers modify kernel settings, duh - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - # Game servers shouldn't use cgroups themselves either - ProtectControlGroups = true; - # Most game servers will never need other socket types - RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; - # Also a no-brainer, no game server should ever need this - LockPersonality = true; - # Some game servers will probably try to set this, but they - # don't need it. It's only required for audio processing and - # such, which the server end doesn't need to do. - RestrictRealtime = true; - # Don't allow a variety of syscalls that gameservers have no - # business using anyway - SystemCallFilter = - "~" - + (concatStringsSep " " [ - "@clock" - "@cpu-emulation" - "@debug" - "@keyring" - "@memlock" - "@module" - # "@mount" TODO: Consider adding when steamcmd is run in ExecStartPre - "@obsolete" - "@raw-io" - "@reboot" - # "@resources" TODO: Ditto - "@setuid" - "@swap" - ]); - # Normally only "read-only", but steamcmd will puke if there is - # no home directory to write to (though the nix package will - # implicitly symlink to the path that we set in its override, so - # no actual files are created, besides a symlink). - ProtectHome = "tmpfs"; - - # Implied by DynamicUser anyway, but it doesn't hurt to add - # these explicitly, at least for reference. 
- RemoveIPC = true; - PrivateTmp = true; - PrivateDevices = true; - NoNewPrivileges = true; - RestrictSUIDSGID = true; - ProtectSystem = "strict"; - # ProtectHome = "read-only"; # See further up - }; - }; - - services.backups.starbound = { - user = "root"; - paths = [ "/var/lib/private/starbound/storage/universe/" ]; - pauseServices = [ "starbound.service" ]; - }; - - # Accessed via systemd cred through /run/secrets/steam - sops.secrets."steam/tlater" = { }; -} From 2a9b08f1e6f467ae82ea7841c490661fb6b2de48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 24 Feb 2026 23:45:18 +0800 Subject: [PATCH 22/24] refactor(postgres): Split postgres module --- configuration/default.nix | 14 ++ configuration/services/default.nix | 1 - configuration/services/metrics/grafana.nix | 147 +++++++++++---------- configuration/services/nextcloud.nix | 11 ++ configuration/services/postgres.nix | 35 ----- 5 files changed, 105 insertions(+), 103 deletions(-) delete mode 100644 configuration/services/postgres.nix diff --git a/configuration/default.nix b/configuration/default.nix index 456d12d..ef68727 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -1,4 +1,5 @@ { + pkgs, lib, modulesPath, flake-inputs, @@ -53,6 +54,19 @@ }; logrotate.enable = true; + + postgresql = { + package = pkgs.postgresql_14; + enable = true; + + # Only enable connections via the unix socket, and check with the + # OS to make sure the user matches the database name. + # + # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html + authentication = '' + local sameuser all peer + ''; + }; }; security = { diff --git a/configuration/services/default.nix b/configuration/services/default.nix index 1f343f0..bee8f44 100644 --- a/configuration/services/default.nix +++ b/configuration/services/default.nix @@ -11,7 +11,6 @@ ./ntfy-sh ./minecraft.nix ./nextcloud.nix - ./postgres.nix ./webserver.nix ./wireguard.nix ]; 
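Review bot: The comment above `authentication` in the added `postgresql` block of configuration/default.nix says only unix-socket connections are enabled, but as far as I know the NixOS module appends its default pg_hba rules (peer for all local users, password auth on loopback TCP) after whatever is set here, so `local sameuser all peer` is an addition rather than the whole policy. If the stricter policy is intended, force the value with `authentication = lib.mkForce ''` (`lib` is already a module argument in this file); otherwise reword the comment. Checking the generated `pg_hba.conf` on the host would settle which rules are actually in effect.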
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix index 078f27c..3b757df 100644 --- a/configuration/services/metrics/grafana.nix +++ b/configuration/services/metrics/grafana.nix 
@@ -8,80 +8,93 @@ in 443 ]; - services.grafana = { - enable = true; - settings = { - server = { - http_port = 3001; # Default overlaps with gitea - root_url = "https://metrics.tlater.net"; - }; - - security = { - admin_user = "tlater"; - admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}"; - secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}"; - cookie_secure = true; - cookie_samesite = "strict"; - content_security_policy = true; - }; - - database = { - user = "grafana"; - name = "grafana"; - type = "postgres"; - host = "/run/postgresql"; - }; - }; - - declarativePlugins = [ - pkgs.grafanaPlugins.victoriametrics-metrics-datasource - pkgs.grafanaPlugins.victoriametrics-logs-datasource - ]; - - provision = { + services = { + grafana = { enable = true; + settings = { + server = { + http_port = 3001; # Default overlaps with gitea + root_url = "https://metrics.tlater.net"; + }; - datasources.settings.datasources = [ - { - name = "Victoriametrics - tlater.net"; - url = "http://localhost:8428"; - type = "victoriametrics-metrics-datasource"; - access = "proxy"; - isDefault = true; - } + security = { + admin_user = "tlater"; + admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}"; + secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}"; + cookie_secure = true; + cookie_samesite = "strict"; + content_security_policy = true; + }; - { - name = "Victorialogs - tlater.net"; - url = "http://${config.services.victorialogs.bindAddress}"; - type = "victoriametrics-logs-datasource"; - access = "proxy"; - } + database = { + user = "grafana"; + name = "grafana"; + type = "postgres"; + host = "/run/postgresql"; + }; + }; + + declarativePlugins = [ + pkgs.grafanaPlugins.victoriametrics-metrics-datasource + pkgs.grafanaPlugins.victoriametrics-logs-datasource ]; - alerting.contactPoints.settings.contactPoints = [ - { - name = "ntfy"; - receivers = [ - { - uid = "ntfy"; - type = "webhook"; - 
settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana"; - } - ]; - } - ]; + provision = { + enable = true; + + datasources.settings.datasources = [ + { + name = "Victoriametrics - tlater.net"; + url = "http://localhost:8428"; + type = "victoriametrics-metrics-datasource"; + access = "proxy"; + isDefault = true; + } + + { + name = "Victorialogs - tlater.net"; + url = "http://${config.services.victorialogs.bindAddress}"; + type = "victoriametrics-logs-datasource"; + access = "proxy"; + } + ]; + + alerting.contactPoints.settings.contactPoints = [ + { + name = "ntfy"; + receivers = [ + { + uid = "ntfy"; + type = "webhook"; + settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana"; + } + ]; + } + ]; + }; }; - }; - services.nginx.virtualHosts."${domain}" = { - forceSSL = true; - useACMEHost = "tlater.net"; - enableHSTS = true; - locations = { - "/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; - "/api/live" = { - proxyWebsockets = true; - proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + postgresql = { + ensureUsers = [ + { + name = "grafana"; + ensureDBOwnership = true; + } + ]; + + ensureDatabases = [ "grafana" ]; + }; + + nginx.virtualHosts."${domain}" = { + forceSSL = true; + useACMEHost = "tlater.net"; + enableHSTS = true; + locations = { + "/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + "/api/live" = { + proxyWebsockets = true; + proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + }; }; }; }; diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 30f79ed..6628d07 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix 
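Review bot: The note that the `ensure*` options are set-only is deleted together with postgres.nix and is not carried over to the new `postgresql.ensureUsers` / `ensureDatabases` block here or to the one in the nextcloud.nix hunk. With the declarations now living inside each service module, removing a service also silently removes its declaration while the role and database stay on the host. I would keep a one-line reminder in each block, e.g. `# ensure* is set-only: removing this does not drop the role or database; clean up manually.`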
@@ -103,6 +103,17 @@ in }; }; + services.postgresql = { + ensureUsers = [ + { + name = "nextcloud"; + ensureDBOwnership = true; + } + ]; + + ensureDatabases = [ "nextcloud" ]; + }; + # Ensure that this service doesn't start before postgres is ready systemd.services.nextcloud-setup.after = [ "postgresql.target" ]; diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix deleted file mode 100644 index 85a6843..0000000 --- a/configuration/services/postgres.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ pkgs, ... }: -{ - services.postgresql = { - package = pkgs.postgresql_14; - enable = true; - - # Only enable connections via the unix socket, and check with the - # OS to make sure the user matches the database name. - # - # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html - authentication = '' - local sameuser all peer - ''; - - # Note: The following options with ensure.* are set-only; i.e., - # when permissions/users/databases are removed from these lists, - # that operation needs to be performed manually on the system as - # well. - ensureUsers = [ - { - name = "grafana"; - ensureDBOwnership = true; - } - { - name = "nextcloud"; - ensureDBOwnership = true; - } - ]; - - ensureDatabases = [ - "grafana" - "nextcloud" - ]; - }; -} From 4667044ea5f77579db895486a060dca2bf87fe85 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 25 Feb 2026 00:07:34 +0800 Subject: [PATCH 23/24] chore(crowdsec): Switch to upstream module --- configuration/services/crowdsec.nix | 151 ++++--- .../services/metrics/victoriametrics.nix | 16 - modules/crowdsec/default.nix | 383 ------------------ .../remediations/cs-firewall-bouncer.nix | 87 ---- modules/crowdsec/remediations/default.nix | 1 - modules/default.nix | 7 +- pkgs/packages/crowdsec-firewall-bouncer.nix | 51 --- pkgs/packages/crowdsec-hub.nix | 38 -- 8 files changed, 87 insertions(+), 647 deletions(-) delete mode 100644 modules/crowdsec/default.nix delete mode 100644 modules/crowdsec/remediations/cs-firewall-bouncer.nix delete mode 100644 modules/crowdsec/remediations/default.nix delete mode 100644 pkgs/packages/crowdsec-firewall-bouncer.nix delete mode 100644 pkgs/packages/crowdsec-hub.nix diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix index 174115b..819403d 100644 --- a/configuration/services/crowdsec.nix +++ b/configuration/services/crowdsec.nix 
@@ -1,45 +1,80 @@ +{ config, lib, ... }: { - pkgs, - config, - lib, - ... -}: -{ - security.crowdsec = { - enable = true; + services = { + crowdsec = { + enable = true; + autoUpdateService = true; - parserWhitelist = [ "10.45.249.2" ]; + settings = { + general.api.server = { + enable = true; + online_client.sharing = false; + }; - extraGroups = [ - "systemd-journal" - "nginx" - ]; + lapi.credentialsFile = "/var/lib/crowdsec/state/local_credentials.yaml"; + }; - acquisitions = [ - { - source = "journalctl"; - labels.type = "syslog"; - journalctl_filter = [ "SYSLOG_IDENTIFIER=Nextcloud" ]; - } + hub = { + collections = [ + "crowdsecurity/base-http-scenarios" + "crowdsecurity/http-cve" + "crowdsecurity/linux" + "crowdsecurity/nextcloud" + "crowdsecurity/nginx" + "crowdsecurity/sshd" + ]; + }; - { - source = "journalctl"; - labels.type = "syslog"; - journalctl_filter = [ "SYSLOG_IDENTIFIER=sshd-session" ]; - } + localConfig = { + acquisitions = [ + { + labels.type = "syslog"; + journalctl_filter = [ + "SYSLOG_IDENTIFIER=Nextcloud" + "SYSLOG_IDENTIFIER=sshd-session" + ]; + source = "journalctl"; + } - { - labels.type = "nginx"; - filenames = [ - "/var/log/nginx/*.log" - ] - ++ lib.mapAttrsToList ( - vHost: _: "/var/log/nginx/${vHost}/access.log" - ) config.services.nginx.virtualHosts; - } - ]; + { + labels.type = "nginx"; + filenames = [ + "/var/log/nginx/*.log" + ] + ++ lib.mapAttrsToList ( + vHost: _: "/var/log/nginx/${vHost}/access.log" + ) config.services.nginx.virtualHosts; + } + ]; - remediationComponents.firewallBouncer = { + parsers.s02Enrich = [ + { + name = "nixos/parser-whitelist"; + description = "Parser whitelist generated by the crowdsec NixOS module"; + whitelist = { + reason = "Filtered by NixOS whitelist"; + ip = [ "10.45.249.2" ]; + }; + } + ]; + + postOverflows.s01Whitelist = [ + { + description = "custom matrix whitelist"; + name = "tetsumaki/matrix"; + whitelist = { + reason = "whitelist false positive for matrix"; + expression = [ + 
"evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'" + "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']" + ]; + }; + } + ]; + }; + }; + + crowdsec-firewall-bouncer = { enable = true; settings.prometheus = { enabled = true; @@ -47,37 +82,23 @@ listen_port = "60601"; }; }; - }; - # Add whitelists for matrix - systemd.tmpfiles.settings."10-matrix" = - let - stateDir = config.security.crowdsec.stateDirectory; - in - { - "${stateDir}/config/postoverflows".d = { - user = "crowdsec"; - group = "crowdsec"; - mode = "0700"; - }; + victoriametrics.scrapeConfigs = { + crowdsec.targets = + let + cfg = config.services.crowdsec.settings.general; + address = cfg.prometheus.listen_addr; + port = cfg.prometheus.listen_port; + in + [ "${address}:${toString port}" ]; - "${stateDir}/config/postoverflows/s01-whitelist".d = { - user = "crowdsec"; - group = "crowdsec"; - mode = "0700"; - }; - - "${stateDir}/config/postoverflows/s01-whitelist/matrix-whitelist.yaml"."L+".argument = - ((pkgs.formats.yaml { }).generate "crowdsec-matrix-whitelist.yaml" { - name = "tetsumaki/matrix"; - description = "custom matrix whitelist"; - whitelist = { - reason = "whitelist false positive for matrix"; - expression = [ - "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'" - "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']" - ]; - }; - }).outPath; + csFirewallBouncer.targets = + let + cfg = config.services.crowdsec-firewall-bouncer.settings; + address = cfg.prometheus.listen_addr; + port = cfg.prometheus.listen_port; + in + [ "${address}:${toString port}" ]; }; + }; } diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index 71741b5..3befec0 100644 
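Review bot: The old `extraGroups = [ "systemd-journal" "nginx" ]` is dropped and nothing in the new `services.crowdsec` block replaces it, while `localConfig.acquisitions` still reads the journal and `/var/log/nginx/...`. Whether the upstream module grants that access is not visible from this hunk; if it does not, the acquisitions come up empty and the sshd, Nextcloud and nginx scenarios stop producing alerts without any error. If needed, `users.users.crowdsec.extraGroups = [ "systemd-journal" "nginx" ];` restores it (assuming the service user is still called `crowdsec`), and `cscli metrics` after the deploy should show lines read for each source.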
--- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -68,22 +68,6 @@ in coturn.targets = [ "127.0.0.1:9641" ]; - crowdsec.targets = - let - address = config.security.crowdsec.settings.prometheus.listen_addr; - port = config.security.crowdsec.settings.prometheus.listen_port; - in - [ "${address}:${toString port}" ]; - - csFirewallBouncer.targets = - let - address = - config.security.crowdsec.remediationComponents.firewallBouncer.settings.prometheus.listen_addr; - port = - config.security.crowdsec.remediationComponents.firewallBouncer.settings.prometheus.listen_port; - in - [ "${address}:${toString port}" ]; - immich.targets = [ "127.0.0.1:8081" "127.0.0.1:8082" diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix deleted file mode 100644 index 9cb26f9..0000000 --- a/modules/crowdsec/default.nix +++ /dev/null 
@@ -1,383 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: -let - cfg = config.security.crowdsec; - settingsFormat = pkgs.formats.yaml { }; - - hub = pkgs.fetchFromGitHub { - owner = "crowdsecurity"; - repo = "hub"; - rev = "7a3b4753f4577257c0cbeb8f8f90c7f17d2ae008"; - hash = "sha256-HB4jHyhiO8gjBkLmpo6bDbwhfm5m5nAtNlKhDkZjt2I="; - }; - - cscli = pkgs.writeShellScriptBin "cscli" '' - export PATH="$PATH:${cfg.package}/bin/" - - sudo=exec - if [ "$USER" != "crowdsec" ]; then - sudo='exec /run/wrappers/bin/sudo -u crowdsec' - fi - - $sudo ${cfg.package}/bin/cscli "$@" - ''; - - acquisitions = '' - --- - ${lib.concatMapStringsSep "\n---\n" builtins.toJSON cfg.acquisitions} - --- - ''; -in -{ - imports = [ ./remediations ]; - - options.security.crowdsec = - let - inherit (lib.types) - nullOr - listOf - package - path - str - ; - in - { - enable = lib.mkEnableOption "crowdsec"; - - package = lib.mkOption { - type = package; - default = pkgs.crowdsec; - }; - - stateDirectory = lib.mkOption { - type = path; - readOnly = true; - - description = '' - The state directory of the crowdsec instance. Cannot be - changed, but is exposed for downstream use. - ''; - }; - - settings = lib.mkOption { - inherit (settingsFormat) type; - default = { }; - - description = '' - The crowdsec configuration. Refer to - - for details on supported values. - ''; - }; - - parserWhitelist = lib.mkOption { - type = listOf str; - default = [ ]; - description = '' - Set of IP addresses to add to a parser-based whitelist. - - Addresses can be specified either as plain IP addresses or - in CIDR notation. - ''; - }; - - acquisitions = lib.mkOption { - type = listOf settingsFormat.type; - default = [ ]; - description = '' - Log acquisitions. - ''; - }; - - extraGroups = lib.mkOption { - type = listOf str; - default = [ ]; - description = '' - Additional groups to make the service part of. - - Required to permit reading from various log sources. 
- ''; - }; - - hubConfigurations = { - collections = lib.mkOption { - type = listOf str; - description = '' - List of pre-made crowdsec collections to install. - ''; - }; - - scenarios = lib.mkOption { - type = listOf str; - description = '' - List of pre-made crowdsec scenarios to install. - ''; - }; - - parsers = lib.mkOption { - type = listOf str; - description = '' - List of pre-made crowdsec parsers to install. - ''; - }; - - postoverflows = lib.mkOption { - type = listOf str; - description = '' - List of pre-made crowdsec postoverflows to install. - ''; - }; - - appsecConfigs = lib.mkOption { - type = listOf str; - description = '' - List of pre-made crowdsec appsec configurations to install. - ''; - }; - - appsecRules = lib.mkOption { - type = listOf str; - description = '' - List of pre-made crowdsec appsec rules to install. - ''; - }; - }; - - centralApiCredentials = lib.mkOption { - type = nullOr path; - default = null; - - description = '' - The API key to access crowdsec's central API - this is - required to access any of the shared blocklists. - - Use of this feature is optional, entering no API key (the - default) turns all sharing or receiving of blocked IPs off. - - Note that adding the API key by itself does not enable - sharing of blocked IPs with the central API. This limits the - types of blocklists this instance can access. - - To also turn sharing blocked IPs on, set - `api.server.online_client.sharing = true;`. - ''; - }; - - ctiApiKey = lib.mkOption { - type = nullOr path; - default = null; - - description = '' - The API key for crowdsec's CTI offering. - ''; - }; - }; - - config = lib.mkIf cfg.enable { - # Set up default settings; anything that *shouldn't* be changed is - # set to the default priority so that users need to use - # `lib.mkForce`. 
- security.crowdsec = { - stateDirectory = "/var/lib/crowdsec"; - - settings = { - common = { - daemonize = true; - # The default logs to files, which isn't the preferred way - # on NixOS - log_media = "stdout"; - }; - - config_paths = { - config_dir = "${cfg.stateDirectory}/config/"; - data_dir = "${cfg.stateDirectory}/data/"; - # This "config" file is intended to be written to using the - # cscli tool, so you can temporarily make it so rules don't - # do anything but log what they *would* do for - # experimentation. - simulation_path = "${cfg.stateDirectory}/config/simulation.yaml"; - - pattern_dir = lib.mkDefault "${cfg.package}/share/crowdsec/config/patterns"; - - hub_dir = hub; - index_path = "${hub}/.index.json"; - - # Integrations aren't supported for now - notification_dir = lib.mkDefault "/var/empty/"; - plugin_dir = lib.mkDefault "/var/empty/"; - }; - - crowdsec_service.acquisition_path = - # Using an if/else here because `mkMerge` does not work in - # YAML-type options - if cfg.acquisitions == [ ] then - "${cfg.package}/share/crowdsec/config/acquis.yaml" - else - pkgs.writeText "acquis.yaml" acquisitions; - - cscli = { - prometheus_uri = lib.mkDefault "127.0.0.1:6060"; - }; - - db_config = { - type = lib.mkDefault "sqlite"; - db_path = lib.mkDefault "${cfg.stateDirectory}/data/crowdsec.db"; - use_wal = lib.mkDefault true; - flush = { - max_items = lib.mkDefault 5000; - max_age = lib.mkDefault "7d"; - }; - }; - - api = { - cti = { - enabled = cfg.ctiApiKey != null; - key = cfg.ctiApiKey; - }; - client.credentials_path = "${cfg.stateDirectory}/local_credentials.yaml"; - server = { - listen_uri = lib.mkDefault "127.0.0.1:8080"; - profiles_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/profiles.yaml"; - console_path = lib.mkDefault "${cfg.package}/share/crowdsec/config/console.yaml"; - - online_client = { - # By default, we don't let crowdsec phone home, since - # this is usually within NixOS users' concerns. 
- sharing = lib.mkDefault false; - credentials_path = cfg.centralApiCredentials; - }; - }; - }; - - # We enable prometheus by default, since cscli relies on it - # for metrics - prometheus = { - enabled = lib.mkDefault true; - level = lib.mkDefault "full"; - listen_addr = lib.mkDefault "127.0.0.1"; - listen_port = lib.mkDefault 6060; - }; - }; - }; - - systemd.packages = [ cfg.package ]; - - environment = { - systemPackages = [ - # To add completions; sadly need to hand-roll this since - # neither `symlinkJoin` nor `buildEnv` have collision - # handling. - (pkgs.runCommandLocal "cscli" { } '' - mkdir -p $out - ln -s ${cscli}/bin $out/bin - ln -s ${cfg.package}/share $out/share - '') - ]; - - etc."crowdsec/config.yaml".source = settingsFormat.generate "crowdsec-settings.yaml" cfg.settings; - }; - - systemd = { - tmpfiles.settings."10-crowdsec" = { - "${cfg.stateDirectory}".d = { - user = "crowdsec"; - group = "crowdsec"; - mode = "0700"; - }; - - # This must be created for the setup service to work - "${cfg.stateDirectory}/config".d = { - user = "crowdsec"; - group = "crowdsec"; - mode = "0700"; - }; - - "${cfg.stateDirectory}/config/parsers".d = lib.mkIf (cfg.parserWhitelist != [ ]) { - user = "crowdsec"; - group = "crowdsec"; - mode = "0700"; - }; - - "${cfg.stateDirectory}/config/parsers/s02-enrich".d = lib.mkIf (cfg.parserWhitelist != [ ]) { - user = "crowdsec"; - group = "crowdsec"; - mode = "0700"; - }; - - "${cfg.stateDirectory}/config/parsers/s02-enrich/nixos-whitelist.yaml" = - lib.mkIf (cfg.parserWhitelist != [ ]) - { - "L+".argument = - (settingsFormat.generate "crowdsec-nixos-whitelist.yaml" { - name = "nixos/parser-whitelist"; - description = "Parser whitelist generated by the crowdsec NixOS module"; - whitelist = { - reason = "Filtered by NixOS whitelist"; - ip = lib.lists.filter (ip: !(lib.hasInfix "/" ip)) cfg.parserWhitelist; - cidr = lib.lists.filter (ip: lib.hasInfix "/" ip) cfg.parserWhitelist; - }; - }).outPath; - }; - }; - - services = { - 
crowdsec-setup = { - # TODO(tlater): Depend on tmpfiles path for - # /var/lib/crowdsec/config - description = "Crowdsec database and config preparation"; - - script = '' - if [ ! -e '${cfg.settings.config_paths.simulation_path}' ]; then - cp '${cfg.package}/share/crowdsec/config/simulation.yaml' '${cfg.settings.config_paths.simulation_path}' - fi - - if [ ! -e '${cfg.settings.api.client.credentials_path}' ]; then - ${cfg.package}/bin/cscli machines add --auto --file '${cfg.settings.api.client.credentials_path}' - fi - ''; - - serviceConfig = { - User = "crowdsec"; - Group = "crowdsec"; - StateDirectory = "crowdsec"; - - Type = "oneshot"; - RemainAfterExit = true; - }; - }; - - # Note that the service basics are already defined upstream - crowdsec = { - enable = true; - - after = [ "crowdsec-setup.service" ]; - bindsTo = [ "crowdsec-setup.service" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - User = "crowdsec"; - Group = "crowdsec"; - SupplementaryGroups = cfg.extraGroups; - - StateDirectory = "crowdsec"; - }; - }; - }; - }; - - users = { - users.crowdsec = { - isSystemUser = true; - home = cfg.stateDirectory; - group = "crowdsec"; - }; - groups = { - crowdsec = { }; - }; - }; - }; -} diff --git a/modules/crowdsec/remediations/cs-firewall-bouncer.nix b/modules/crowdsec/remediations/cs-firewall-bouncer.nix deleted file mode 100644 index bdc6da8..0000000 --- a/modules/crowdsec/remediations/cs-firewall-bouncer.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - flake-inputs, - pkgs, - lib, - config, - ... -}: -let - inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) crowdsec-firewall-bouncer; - - crowdsecCfg = config.security.crowdsec; - cfg = crowdsecCfg.remediationComponents.firewallBouncer; - settingsFormat = pkgs.formats.yaml { }; -in -{ - options.security.crowdsec.remediationComponents.firewallBouncer = { - enable = lib.mkEnableOption "cs-firewall-bouncer"; - - settings = lib.mkOption { - inherit (settingsFormat) type; - default = { }; - - description = '' - The bouncer configuration. Refer to - for details - on supported values. - ''; - }; - }; - - config = lib.mkIf cfg.enable { - security.crowdsec.remediationComponents.firewallBouncer.settings = { - mode = lib.mkDefault "${if config.networking.nftables.enable then "nftables" else "iptables"}"; - log_mode = "stdout"; - iptables_chains = [ "nixos-fw" ]; - - # Don't let users easily override this; unfortunately we need to - # set up this key through substitution at runtime. - api_key = lib.mkForce "\${API_KEY}"; - api_url = lib.mkDefault "http://${crowdsecCfg.settings.api.server.listen_uri}"; - }; - - systemd = { - packages = [ crowdsec-firewall-bouncer ]; - - services = { - crowdsec-firewall-bouncer-setup = { - description = "Crowdsec firewall bouncer config preparation"; - script = '' - if [ ! 
-e '${crowdsecCfg.stateDirectory}/firewall_bouncer_credentials.yaml' ]; then - ${crowdsecCfg.package}/bin/cscli -oraw bouncers add "cs-firewall-bouncer-$(${pkgs.coreutils}/bin/date +%s)" > \ - ${crowdsecCfg.stateDirectory}/firewall_bouncer_credentials.yaml - fi - - # Stdout redirection is deliberately used to forcibly - # overwrite the file if it exists - API_KEY="$(<${crowdsecCfg.stateDirectory}/firewall_bouncer_credentials.yaml)" \ - ${lib.getExe pkgs.envsubst} \ - -i ${settingsFormat.generate "crowdsec-firewall-bouncer.yaml" cfg.settings} \ - > /var/lib/crowdsec/config/crowdsec-firewall-bouncer.yaml - ''; - - serviceConfig = { - User = "crowdsec"; - Group = "crowdsec"; - - Type = "oneshot"; - RemainAfterExit = true; - }; - }; - - crowdsec-firewall-bouncer = { - enable = true; - - after = [ "crowdsec-firewall-bouncer-setup.service" ]; - bindsTo = [ "crowdsec-firewall-bouncer-setup.service" ]; - requiredBy = [ "crowdsec.service" ]; - - path = - lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [ pkgs.ipset ] - ++ lib.optional (cfg.settings.mode == "iptables") pkgs.iptables - ++ lib.optional (cfg.settings.mode == "nftables") pkgs.nftables; - }; - }; - }; - }; -} diff --git a/modules/crowdsec/remediations/default.nix b/modules/crowdsec/remediations/default.nix deleted file mode 100644 index c3c0790..0000000 --- a/modules/crowdsec/remediations/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ imports = [ ./cs-firewall-bouncer.nix ]; } diff --git a/modules/default.nix b/modules/default.nix index 1bf5314..c03a700 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1 @@ -{ - imports = [ - ./crowdsec - ./serviceTests/stub.nix - ]; -} +{ imports = [ ./serviceTests/stub.nix ]; } diff --git a/pkgs/packages/crowdsec-firewall-bouncer.nix b/pkgs/packages/crowdsec-firewall-bouncer.nix deleted file mode 100644 index 41bba86..0000000 --- a/pkgs/packages/crowdsec-firewall-bouncer.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - lib, - fetchFromGitHub, - buildGoModule, - envsubst, - coreutils, - - writers, - nix-update, -}: -let - envsubstBin = lib.getExe envsubst; -in -buildGoModule (drv: { - pname = "crowdsec-firewall-bouncer"; - version = drv.src.rev; - - src = fetchFromGitHub { - owner = "crowdsecurity"; - repo = "cs-firewall-bouncer"; - rev = "0.0.34"; - sha256 = "sha256-lDO9pwPkbI+FDTdXBv03c0p8wbkRUiIDNl1ip3AZo2g="; - }; - - vendorHash = "sha256-SbpclloBgd9vffC0lBduGRqPOqmzQ0J91/KeDHCh0jo="; - - postInstall = '' - mkdir -p $out/lib/systemd/system - - CFG=/var/lib/crowdsec/config BIN=$out/bin/cs-firewall-bouncer ${envsubstBin} \ - -i ./config/crowdsec-firewall-bouncer.service \ - -o $out/lib/systemd/system/crowdsec-firewall-bouncer.service - - substituteInPlace $out/lib/systemd/system/crowdsec-firewall-bouncer.service \ - --replace-fail /bin/sleep ${coreutils}/bin/sleep - ''; - - passthru.updateScript = - writers.writeNuBin "update-crowdsec-firewall-bouncer" - { - makeWrapperArgs = [ - "--prefix" - "PATH" - ":" - (lib.makeBinPath [ nix-update ]) - ]; - } - '' - nix-update --flake --format crowdsec-firewall-bouncer - ''; -}) diff --git a/pkgs/packages/crowdsec-hub.nix b/pkgs/packages/crowdsec-hub.nix deleted file mode 100644 index 2b193fd..0000000 --- a/pkgs/packages/crowdsec-hub.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - lib, - fetchFromGitHub, - stdenvNoCC, - - writers, - nix-update, -}: -# Using `mkDerivation` so nix-update can pick up the version -stdenvNoCC.mkDerivation (drv: { - pname = "crowdsec-hub"; - version = drv.src.rev; - - src = fetchFromGitHub { - owner = "crowdsecurity"; - repo = "hub"; - rev = "7f724f92c79ce743ef9c7020cce228f98cca6afa"; - hash = "sha256-xWl3gmDicwjjrK3kto5tIJB/LLttaf+GYYgFqo8r9sw="; - }; - - installPhase = '' - cp -r $src $out - ''; - - passthru.updateScript = - writers.writeNuBin "update-crowdsec-hub" - { - makeWrapperArgs = [ - "--prefix" - "PATH" - ":" - (lib.makeBinPath [ nix-update ]) - ]; - } - '' - nix-update --flake --format --version=branch crowdsec-hub - ''; -}) From 3011625e51106ba9272701417b6561bdae6f7fd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Wed, 25 Feb 2026 01:56:32 +0800 Subject: [PATCH 24/24] chore(continuwuity): Switch to new upstream module --- .../hardware-specific/hetzner/disko.nix | 4 +-- configuration/services/conduit/default.nix | 27 ++++++++----------- .../services/conduit/heisenbridge.nix | 4 +-- configuration/services/crowdsec.nix | 2 +- 4 files changed, 16 insertions(+), 21 deletions(-) diff --git a/configuration/hardware-specific/hetzner/disko.nix b/configuration/hardware-specific/hetzner/disko.nix index 7e1acd7..6b769d2 100644 --- a/configuration/hardware-specific/hetzner/disko.nix +++ b/configuration/hardware-specific/hetzner/disko.nix @@ -80,7 +80,7 @@ inherit mountOptions; mountpoint = "/var"; }; - "/volume/var/lib/private/matrix-conduit" = { + "/volume/var/lib/private/continuwuity" = { mountOptions = [ # Explicitly don't compress here, since # conduwuit's database does compression by @@ -89,7 +89,7 @@ # if btrfs compresses it) "noatime" ]; - mountpoint = "/var/lib/private/matrix-conduit"; + mountpoint = "/var/lib/private/continuwuity"; }; "/volume/nix-store" = { inherit mountOptions; 
diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix index a4c91d3..e1a5f60 100644 --- a/configuration/services/conduit/default.nix +++ b/configuration/services/conduit/default.nix @@ -7,7 +7,7 @@ let inherit (lib.strings) concatMapStringsSep; - cfg = config.services.matrix-conduit; + cfg = config.services.matrix-continuwuity; domain = "matrix.${config.services.nginx.domain}"; turn-realm = "turn.${config.services.nginx.domain}"; in @@ -45,14 +45,14 @@ in }; services = { - matrix-conduit = { + matrix-continuwuity = { enable = true; package = pkgs.matrix-continuwuity; settings.global = { - address = "127.0.0.1"; + address = [ "127.0.0.1" ]; server_name = domain; new_user_displayname_suffix = "🦆"; - allow_check_for_updates = true; + turn_secret_file = "/run/credentials/continuwuity.service/turn-secret"; # Set up delegation: https://docs.conduit.rs/delegation.html#automatic-recommended # This is primarily to make sliding sync work 
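Review bot: `turn_secret_file` in `settings.global` makes the server read the whole credential file as the TURN shared secret, but the credential is loaded (in the `@@ -173,35 +173,30 @@` hunk) from `config.sops.secrets."turn/env".path`, the same file the removed code passed to `EnvironmentFile`. If that secret still holds `KEY=value` lines, which its name suggests but the diff does not show, the server would use the entire line as its secret and no longer match coturn's, so the TURN credentials it issues would be rejected. Pointing `LoadCredential` at a sops entry that contains only the raw secret, and adding a comment such as `# must contain the bare secret, not an env file` next to `turn_secret_file`, would make the expectation explicit. The `settings.global` set continues past the end of this hunk.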
@@ -173,35 +173,30 @@ in locations = { "/_matrix" = { - proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}"; + proxyPass = "http://${lib.head cfg.settings.global.address}:${toString cfg.settings.global.port}"; # Recommended by conduit extraConfig = '' proxy_buffering off; ''; }; "/.well-known/matrix" = { - proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}"; + proxyPass = "http://${lib.head cfg.settings.global.address}:${toString cfg.settings.global.port}"; }; }; }; backups.conduit = { user = "root"; - paths = [ "/var/lib/private/matrix-conduit/" ]; + paths = [ "/var/lib/private/matrix-continuwuity/" ]; # Other services store their data in conduit, so no other services # need to be shut down currently. - pauseServices = [ "conduit.service" ]; + pauseServices = [ "continuwuity.service" ]; }; }; - systemd.services.conduit.serviceConfig = { - ExecStart = lib.mkForce "${config.services.matrix-conduit.package}/bin/conduwuit"; - # Pass in the TURN secret via EnvironmentFile, not supported by - # upstream module currently. - # - # See also https://gitlab.com/famedly/conduit/-/issues/314 - EnvironmentFile = config.sops.secrets."turn/env".path; - }; + systemd.services.continuwuity.serviceConfig.LoadCredential = "turn-secret:${ + config.sops.secrets."turn/env".path + }"; systemd.services.coturn.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group diff --git a/configuration/services/conduit/heisenbridge.nix b/configuration/services/conduit/heisenbridge.nix index 5441639..0fe6bc5 100644 --- a/configuration/services/conduit/heisenbridge.nix +++ b/configuration/services/conduit/heisenbridge.nix @@ -5,7 +5,7 @@ ... }: let - conduitCfg = config.services.matrix-conduit; + conduitCfg = config.services.matrix-continuwuity; matrixLib = pkgs.callPackage ./lib.nix { }; in { 
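Review bot: The backup path in `backups.conduit` becomes `/var/lib/private/matrix-continuwuity/`, while the same commit mounts the database subvolume at `/var/lib/private/continuwuity` in `disko.nix` and refers to the unit as `continuwuity.service`. If the state directory follows the unit name, as the disko change implies, the backup job would archive a path that holds no data and the homeserver database would silently drop out of backups. The line should probably read `paths = [ "/var/lib/private/continuwuity/" ];`, and a test restore after the switch would confirm it. The enclosing `services` set starts and ends outside this hunk.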
@@ -36,7 +36,7 @@ in { description = "Matrix<->IRC bridge"; wantedBy = [ "multi-user.target" ]; - after = [ "conduit.service" ]; + after = [ "continuwuity.service" ]; serviceConfig = { Type = "exec"; diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix index 819403d..99eaa11 100644 --- a/configuration/services/crowdsec.nix +++ b/configuration/services/crowdsec.nix @@ -65,7 +65,7 @@ whitelist = { reason = "whitelist false positive for matrix"; expression = [ - "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-conduit.settings.global.server_name}'" + "evt.Overflow.Alert.Events[0].GetMeta('target_fqdn') == '${config.services.matrix-continuwuity.settings.global.server_name}'" "evt.Overflow.Alert.GetScenario() in ['crowdsecurity/http-probing', 'crowdsecurity/http-crawl-non_statics']" ]; };