diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index 70c1b58..7696439 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -7,6 +7,8 @@ networking.hostName = "testvm"; + systemd.services.matrix-hookshot.enable = lib.mkForce false; + services = { # Sets the base domain for nginx to a local domain so that we can # easily test locally with the VM. @@ -43,14 +45,6 @@ source = ../../keys/hosts/staging.key; }; - # Pretend the acme renew succeeds. - # - # TODO(tlater): Set up pebble to retrieve certs "properly" - # instead - systemd.services."acme-order-renew-tlater.net".script = '' - touch out/acme-success - ''; - virtualisation.vmVariant = { virtualisation = { memorySize = 3941; diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix index f3fac13..56bfa78 100644 --- a/configuration/nginx/ssl.nix +++ b/configuration/nginx/ssl.nix @@ -51,9 +51,20 @@ paths = [ "/var/lib/acme/tlater.net" ]; }; - systemd.services.nginx.serviceConfig.SupplementaryGroups = [ - config.security.acme.certs."tlater.net".group - ]; + systemd.services = { + nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ]; + + # Don't attempt to retrieve a certificate if the domain name + # doesn't *actually* match the cert name + # + # TODO(tlater): Set up pebble to retrieve certs "properly" + # instead + "acme-tlater.net".serviceConfig.ExecCondition = + let + confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]''; + in + ''${pkgs.runtimeShell} -c '${confirm}' ''; + }; sops.secrets = { "porkbun/api-key".owner = "acme"; 
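Review bot: `systemd.services.matrix-hookshot.enable = lib.mkForce false;` switches the unit off in the VM without recording why, while `services.matrix-hookshot.enable` stays on through the conduit import, so the registration script, credential wiring and sops secrets for hookshot are still evaluated in the VM build and must exist in the staging key file. A one-line comment above it, `# Hookshot is not exercised in the test VM; disable only the unit so the rest of the module still evaluates`, would make that intent explicit. The line also relies on `lib` being in the module's argument set; the module header is outside the hunk, so I could not confirm it.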
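Review bot: The ExecCondition for `acme-tlater.net` splices `config.services.nginx.domain` into a single-quoted `sh -c` string without escaping, so a domain value containing a quote or shell metacharacter would break or alter the command rather than simply make the comparison fail; generating a script with the value escaped avoids that, e.g. `confirm = ''[[ "tlater.net" = ${lib.escapeShellArg config.services.nginx.domain} ]]'';` and `ExecCondition = pkgs.writeShellScript "acme-domain-check" confirm;`. The stub this replaces (here and in the ssl.nix hunk below) faked `acme-order-renew-tlater.net`; if on the pinned nixpkgs that is the unit that actually runs the ACME client, a condition on `acme-tlater.net` alone may not stop an order being attempted, which is worth confirming in the VM before relying on it. The `services` attribute set this sits in continues outside the hunk.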
@@ -74,18 +85,10 @@ security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ]; - # Pretend the acme renew succeeds. - # - # TODO(tlater): Set up pebble to retrieve certs "properly" - # instead - systemd.services."acme-order-renew-tlater.net".script = '' - touch out/acme-success - ''; - services.nginx = { - domain = "testHost.test"; + domain = "testHost"; - virtualHosts."${config.services.nginx.domain}.local" = { + virtualHosts."${config.services.nginx.domain}" = { useACMEHost = "tlater.net"; onlySSL = true; enableHSTS = true; @@ -106,7 +109,6 @@ { pkgs, ... }: { environment.systemPackages = [ pkgs.curl ]; - networking.hosts."192.168.1.2" = [ "testHost.test" ]; }; }; @@ -123,7 +125,7 @@ "--silent", "--dump-header -", "--cacert /certs/tlater.net/fullchain.pem", - "https://testHost.test", + "https://testHost", "-o /dev/null" ])) diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix index a4c91d3..b6f8f27 100644 --- a/configuration/services/conduit/default.nix +++ b/configuration/services/conduit/default.nix @@ -12,7 +12,10 @@ let turn-realm = "turn.${config.services.nginx.domain}"; in { - imports = [ ./heisenbridge.nix ]; + imports = [ + ./heisenbridge.nix + ./matrix-hookshot.nix + ]; networking.firewall = { allowedTCPPorts = [ diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix new file mode 100644 index 0000000..c1fec82 --- /dev/null +++ b/configuration/services/conduit/matrix-hookshot.nix 
@@ -0,0 +1,172 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+let
+ matrixLib = pkgs.callPackage ./lib.nix { };
+
+ cfg = config.services.matrix-hookshot;
+ conduitCfg = config.services.matrix-conduit;
+
+ domain = conduitCfg.settings.global.server_name;
+
+ registration = matrixLib.writeRegistrationScript {
+ id = "matrix-hookshot";
+ url = "http://127.0.0.1:9993";
+ sender_localpart = "hookshot";
+
+ namespaces = {
+ aliases = [ ];
+ rooms = [ ];
+ users = [
+ {
+ regex = "@${cfg.settings.generic.userIdPrefix}.*:${domain}";
+ exclusive = true;
+ }
+ ];
+ };
+
+ # Encryption support
+ # TODO(tlater): Enable when
+ # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
+ # fixed
+ # extraSettings = {
+ # "de.sorunome.msc2409.push_ephemeral" = true;
+ # push_ephemeral = true;
+ # "org.matrix.msc3202" = true;
+ # };
+
+ runtimeRegistration = "${cfg.registrationFile}";
+ };
+in
+{
+ # users = {
+ # users.matrix-hookshot = {
+ # home = "/run/matrix-hookshot";
+ # group = "matrix-hookshot";
+ # isSystemUser = true;
+ # };
+
+ # groups.matrix-hookshot = { };
+ # };
+
+ systemd.services.matrix-hookshot = {
+ serviceConfig = {
+ Type = lib.mkForce "exec";
+
+ LoadCredential = "matrix-hookshot:/run/secrets/matrix-hookshot";
+ inherit (registration) ExecStartPre;
+
+ # Some library in matrix-hookshot wants a home directory
+ Environment = [ "HOME=/run/matrix-hookshot" ];
+
+ # User = "matrix-hookshot";
+ DynamicUser = true;
+ StateDirectory = "matrix-hookshot";
+ RuntimeDirectory = "matrix-hookshot";
+ RuntimeDirectoryMode = "0700";
+
+ RestrictNamespaces = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [
+ # "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
+ LockPersonality = true;
+ RestrictRealtime = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ UMask = 77;
+ };
+ };
+
+ # services.redis.servers.matrix-hookshot = {
+ # enable = true;
+ # user = "matrix-hookshot";
+ # };
+
+ services.matrix-hookshot = {
+ enable = true;
+
+ serviceDependencies = [ "conduit.service" ];
+
+ registrationFile = "/run/matrix-hookshot/registration.yaml";
+
+ settings = {
+ bridge = {
+ inherit domain;
+ url = "http://localhost:${toString conduitCfg.settings.global.port}";
+ mediaUrl = conduitCfg.settings.global.well_known.client;
+ port = 9993;
+ bindAddress = "127.0.0.1";
+ };
+
+ bot.displayname = "Hookshot";
+
+ # cache.redisUri = "redis://${config.services.redis.servers.matrix-hookshot.unixSocket}";
+
+ generic = {
+ enabled = true;
+ outbound = false;
+ # Only allow webhooks from localhost for the moment
+ urlPrefix = "http://127.0.0.1:9000/webhook";
+ userIdPrefix = "_webhooks_";
+ allowJsTransformationFunctions = true;
+ };
+
+ # TODO(tlater): Enable when
+ # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
+ # fixed
+ # encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore";
+
+ permissions = [
+ {
+ actor = "matrix.tlater.net";
+ services = [
+ {
+ service = "*";
+ level = "notifications";
+ }
+ ];
+ }
+ {
+ actor = "@tlater:matrix.tlater.net";
+ services = [
+ {
+ service = "*";
+ level = "admin";
+ }
+ ];
+ }
+ ];
+
+ listeners = [
+ {
+ port = 9000;
+ resources = [ "webhooks" ];
+ }
+ {
+ port = 9001;
+ resources = [ "metrics" ];
+ }
+ ];
+
+ metrics.enabled = true;
+ };
+ };
+
+ sops.secrets = {
+ # Accessed via systemd cred through /run/secrets/matrix-hookshot
+ "matrix-hookshot/as-token" = { };
+ "matrix-hookshot/hs-token" = { };
+ };
+}
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index d7b9d02..5c8a21f 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
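Review bot: The comment `# Only allow webhooks from localhost for the moment` above `urlPrefix` is not something `urlPrefix` enforces — that value is only the URL hookshot advertises for generated webhooks — while the `listeners` entries for ports 9000 and 9001 set no `bindAddress` at all, so where they actually accept connections is left to the upstream default; the `bridge` block already sets `bindAddress = "127.0.0.1";` explicitly, and the two listeners should do the same, `{ port = 9000; bindAddress = "127.0.0.1"; resources = [ "webhooks" ]; }` and likewise for the metrics listener, with the comment moved next to them. `allowJsTransformationFunctions = true` lets users with the configured room permission run their own JavaScript over inbound webhook payloads inside hookshot's script sandbox; unless a concrete use needs it, leave it at the default, or add a comment stating who is trusted to author those functions. The `permissions` list hardcodes `matrix.tlater.net` and `@tlater:matrix.tlater.net` while the rest of the module derives the server name from `domain`; if `server_name` is that host, `actor = domain;` and `actor = "@tlater:${domain}";` keep the two from drifting. `LoadCredential` likewise hardcodes `/run/secrets/matrix-hookshot` rather than deriving it from the declared secrets' `.path`, which is presumably where those files land — worth confirming against the sops-nix configuration.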
@@ -23,7 +23,7 @@ in minifyStaticFiles = true; proxySSL = true; proxyPort = 443; - package = flake-inputs.foundryvtt.packages.${pkgs.stdenv.hostPlatform.system}.foundryvtt_13; + package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_13; }; nginx.virtualHosts."${domain}" = diff --git a/configuration/services/immich.nix b/configuration/services/immich.nix index 1255490..39673d0 100644 --- a/configuration/services/immich.nix +++ b/configuration/services/immich.nix @@ -18,9 +18,6 @@ in enable = true; settings.server.externalDomain = "https://${hostName}"; - # We're using vectorchord now - database.enableVectors = false; - environment.IMMICH_TELEMETRY_INCLUDE = "all"; }; diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index 71741b5..96e09e5 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -89,6 +89,10 @@ in "127.0.0.1:8082" ]; + # Configured in the hookshot listeners, but it's hard to filter + # the correct values out of that config. + matrixHookshot.targets = [ "127.0.0.1:9001" ]; + victorialogs.targets = [ config.services.victorialogs.bindAddress ]; }; }; diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 30f79ed..77cfa4c 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -5,7 +5,7 @@ ... }: let - nextcloud = pkgs.nextcloud32; + nextcloud = pkgs.nextcloud31; hostName = "nextcloud.${config.services.nginx.domain}"; in { @@ -104,7 +104,7 @@ in }; # Ensure that this service doesn't start before postgres is ready - systemd.services.nextcloud-setup.after = [ "postgresql.target" ]; + systemd.services.nextcloud-setup.after = [ "postgresql.service" ]; sops.secrets."nextcloud/tlater" = { owner = "nextcloud"; 
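Review bot: `pkgs.system` replaces `pkgs.stdenv.hostPlatform.system` here and in the same way in starbound.nix, webserver.nix and cs-firewall-bouncer.nix, and ntfy-sh/default.nix and pkgs/default.nix introduce it fresh; as far as I know `pkgs.system` is the legacy top-level alias that nixpkgs steers users away from in favour of `stdenv.hostPlatform.system`, so the spelling being removed was the forward-compatible one. Unless the pinned channel rejects the longer form, I would keep it, `package = flake-inputs.foundryvtt.packages.${pkgs.stdenv.hostPlatform.system}.foundryvtt_13;`, and apply the same to the other files.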
diff --git a/configuration/services/ntfy-sh/default.nix b/configuration/services/ntfy-sh/default.nix index 39ace90..aacec91 100644 --- a/configuration/services/ntfy-sh/default.nix +++ b/configuration/services/ntfy-sh/default.nix @@ -17,6 +17,7 @@ in services.ntfy-sh = { enable = true; + package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.ntfy-sh; environmentFile = config.sops.secrets."ntfy/users".path; diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix index 888fc3e..6b97471 100644 --- a/configuration/services/starbound.nix +++ b/configuration/services/starbound.nix @@ -19,7 +19,7 @@ in serviceConfig = { ExecStart = "${ - flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.starbound + flake-inputs.self.packages.${pkgs.system}.starbound }/bin/launch-starbound ${./configs/starbound.json}"; Type = "simple"; diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix index ffe7480..e8daeaf 100644 --- a/configuration/services/webserver.nix +++ b/configuration/services/webserver.nix @@ -20,7 +20,7 @@ in after = [ "network.target" ]; script = '' - ${lib.getExe flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.webserver} + ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver} ''; environment = { diff --git a/flake.lock b/flake.lock index d5305b0..3c65247 100644 --- a/flake.lock +++ b/flake.lock @@ -123,11 +123,11 @@ ] }, "locked": { - "lastModified": 1764350888, - "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=", + "lastModified": 1762276996, + "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", "owner": "nix-community", "repo": "disko", - "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26", + "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", "type": "github" }, "original": { 
@@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1764578815, - "narHash": "sha256-WZ8+pH/cLjv3geonV3VFwtfa8IuTkPHb60a1ACQpOmc=", + "lastModified": 1761916399, + "narHash": "sha256-wLZ8km5ftKlIDdHJrFiDQivXc5b+7DRxmBp2347H5g8=", "owner": "reckenrode", "repo": "nix-foundryvtt", - "rev": "1b875fb942c4ef926fd7aade7db327be363f7179", + "rev": "8cceb7af3dfbe465b5108db5c098b097edf85790", "type": "github" }, "original": { @@ -255,15 +255,28 @@ }, "nixpkgs": { "locked": { - "lastModified": 1764522689, - "narHash": "sha256-GzkEBSHGkj8EyOxnxQvl9sx0x2S7JzH0hwCziF176T8=", - "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", + "lastModified": 1763509821, + "narHash": "sha256-ibZr0ONEUA1W2WAdTzgm9/6jBE+tM20j1YW2FK4RZ/k=", + "rev": "659aa6fa27619d04de231b4cc0c938905dfa01e9", "type": "tarball", - "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.650.8bb5646e0bed/nixexprs.tar.xz?lastModified=1764522689&rev=8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f" + "url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.812929.659aa6fa2761/nixexprs.tar.xz?lastModified=1763509821&rev=659aa6fa27619d04de231b4cc0c938905dfa01e9" }, "original": { "type": "tarball", - "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz" + "url": "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1763835633, + "narHash": "sha256-nzRnw0UkYQpDm0o20AKvG/5oHCXy5qEGOsFAVhB5NmA=", + "rev": "050e09e091117c3d7328c7b2b7b577492c43c134", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre900642.050e09e09111/nixexprs.tar.xz?lastModified=1763835633&rev=050e09e091117c3d7328c7b2b7b577492c43c134" + }, + "original": { + "type": "tarball", + "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" } }, "pre-commit-hooks": { 
@@ -312,6 +325,7 @@ "flint": "flint", "foundryvtt": "foundryvtt", "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", "sonnenshift": "sonnenshift", "sops-nix": "sops-nix" } @@ -324,11 +338,11 @@ ] }, "locked": { - "lastModified": 1764578400, - "narHash": "sha256-8V0SpIcYyjpP+nAHfYJDof7CofLTwVVDo5QLZ0epjOQ=", + "lastModified": 1763619077, + "narHash": "sha256-dlfamaoIzFEgwgtzPJuw5Tl5SqjbWcV8CsbP2hVBeuI=", "ref": "refs/heads/main", - "rev": "bf17617899692c9c2bfebfce87320a4174e6dc28", - "revCount": 27, + "rev": "64a2c8a3743ea6897ecac6692fba8aebc3389fca", + "revCount": 26, "type": "git", "url": "ssh://git@github.com/sonnenshift/battery-manager" }, @@ -344,11 +358,11 @@ ] }, "locked": { - "lastModified": 1764483358, - "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", + "lastModified": 1763607916, + "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5aca6ff67264321d47856a2ed183729271107c9c", + "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 10b52ec..951eef5 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,8 @@ description = "tlater.net host configuration"; inputs = { - nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"; + nixpkgs.url = "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz"; + nixpkgs-unstable.url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"; ## Nix/OS utilities @@ -137,7 +138,10 @@ packages.${system} = { default = vm.config.system.build.vm; } - // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; }; + // import ./pkgs { + pkgs = nixpkgs.legacyPackages.${system}; + flake-inputs = inputs; + }; ################### # Utility scripts # diff --git a/keys/production.yaml b/keys/production.yaml index 6a60c40..ccbee64 100644 --- a/keys/production.yaml +++ b/keys/production.yaml 
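Review bot: The `nixpkgs` input moves from the 25.11 channel to `nixos-25.05-small`, and the nextcloud32 → nextcloud31 and `postgresql.target` → `postgresql.service` changes elsewhere in the commit follow from that, but nothing in the diff records why; a comment on the input, `# Pinned to 25.05 because <reason>; move back to 25.11 once resolved`, or a sentence in the commit description would help whoever revisits it. To my knowledge 25.05's maintenance window closes roughly a month after 25.11's release, after which security fixes stop landing on that channel, so a planned return date matters here. Adding `nixpkgs-unstable` for `ntfy-sh` and `ast-grep` is fine, but note those two now come from a different nixpkgs revision than the modules configuring them.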
@@ -20,6 +20,9 @@ steam: heisenbridge: as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str] hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str] +matrix-hookshot: + as-token: ENC[AES256_GCM,data:nXTanPhDyDF7R3AllLqpM5dzljBrHwlh1KJnTGIi5PhbDY2lPj4+uXkMEwvm1u+hQjPyM7vKZPfK+0/dms6Y7A==,iv:fSakJN+yai0gfOJKFxxaxgyUtk0pNmIeqVgrdq92/24=,tag:Qc7+SUnm5/Nq5+QIScR9kQ==,type:str] + hs-token: ENC[AES256_GCM,data:Bwyj0JTTN0NNnwOs1zA8CqbtZSNcvlINeT7QVc2eJiHda92J6vQk7bSxy6KuqCN9DxlUsK13ggYjNORY2vic5w==,iv:Npnp8arYQ3Yb6CXrnKgE03hD7ZjGINPa/DwFI8D+5tA=,tag:FqNE6yI0nF4puEUw9MGAjQ==,type:str] wireguard: server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str] restic: 
@@ -29,8 +32,8 @@ turn: env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str] secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str] sops: - lastmodified: "2025-12-01T11:39:17Z" - mac: ENC[AES256_GCM,data:TwhGOW/V9/IoBifzh1MSwy/ff7ONTnxEmwERD8Yl2E27WG/6dTVz0/nIlZ8KsEKLC6vB2m+sJT+14Q9KCj4Cn/bWV1PmhytktGPxLQpgF55+pZlSK1aLUPLq0hwE93b4MAeOvzoOXtCQguh1dsB2RkinabFoMeZ2xJ7Kc+jHlfA=,iv:Ri8aEA4tssGDv2UuKeza8vs94IovM9GARLIEapb9Ya0=,tag:MDgAffj7ndmMwpw7mBXNRg==,type:str] + lastmodified: "2025-11-29T14:52:24Z" + mac: ENC[AES256_GCM,data:RC18s48jxRFQMtbmu74P7G4uhm2yHk9TB0wN7z4g8SNE3nfkYMvHAJqPr3A3dO+T33zkTFcSRm7fhWItUahTCW3fO10u6kDvWbnyjlSuAy86Tkz2iqeW4iSOzKswDptAgb/B+juAHhEMxDnkG5vpPlIcD0SVP89NlflXftogOqw=,iv:2vN2TJvzePzBJfUeBxvGXwGmRsB5sopqyWm9uUv/rzA=,tag:C6UOWrUxVsRMFncL1y1eTQ==,type:str] pgp: - created_at: "2025-10-03T21:38:48Z" enc: |- diff --git a/keys/staging.yaml b/keys/staging.yaml index b5c8533..20ee3db 100644 --- a/keys/staging.yaml +++ b/keys/staging.yaml 
@@ -21,6 +21,9 @@ steam: heisenbridge: as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str] hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str] +matrix-hookshot: + as-token: ENC[AES256_GCM,data:uSUOo4f2KqA=,iv:Xb9G8Ecv6m59m51kDw2bOfq3SMJt4g9/6/EdH74R+KM=,tag:K9MSfO2c2Y4rlf0eYrmTnw==,type:str] + hs-token: ENC[AES256_GCM,data:0KsyA06InL4=,iv:zAR0Y1fk8SyodcSLBHlQ8I+BAmttz9Hkd8Q3OREFqs4=,tag:t1Et8N/3seq95DeGoUd7Sw==,type:str] wireguard: server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str] restic: @@ -30,8 +33,8 @@ turn: env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str] secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str] sops: - lastmodified: "2025-12-01T11:39:26Z" - mac: ENC[AES256_GCM,data:11VQAYk8Am0k8OO6BtU17qpuEhcJ8ylRhJWQNHVAsmi5BCFjD1zU3NkWhtSstPrBcqHMenG+9XuEzpNnbccHI2ru0qlILsQvNj5OKo96FnvYtzApYlApoAzOetCx08Lfxa4RGLN/XCUSuccjBIU2PZRWEK+z+Cm1wHUFeqc1xPc=,iv:6y9j55Cld+GoOVGWAqsEgURRna6dHA2mGZwHVA+ZOE8=,tag:bSZi3nYmYrn3nFT2+RBPUQ==,type:str] + lastmodified: "2025-11-29T11:54:33Z" + mac: ENC[AES256_GCM,data:SaTvwxfARVou/ZjrWfdC8J6je8l89Zuumdz7PkmY2Tl2CQVxZmEt4AyV4bWiCtWhJmfH1Qa8m4Q+DyqimjapgYT5cUB1yxlknp233bB/+5C5k3KozU2hmh80KYgR496FtQvI74p0qw/lw00CGCR3WHNcIc0dbTiDzC90HlOpafg=,iv:vxMCAjpgyWvxk18LalmFhwOb5b2ThCDq1KTaX2OPvpM=,tag:QMA+tC4hs/FBnuVDye38Vg==,type:str] pgp: - created_at: "2025-10-03T21:38:26Z" enc: |- diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix index 9cb26f9..44e6bc5 100644 --- a/modules/crowdsec/default.nix +++ b/modules/crowdsec/default.nix 
@@ -271,7 +271,7 @@ in # To add completions; sadly need to hand-roll this since # neither `symlinkJoin` nor `buildEnv` have collision # handling. - (pkgs.runCommandLocal "cscli" { } '' + (pkgs.runCommandNoCCLocal "cscli" { } '' mkdir -p $out ln -s ${cscli}/bin $out/bin ln -s ${cfg.package}/share $out/share diff --git a/modules/crowdsec/remediations/cs-firewall-bouncer.nix b/modules/crowdsec/remediations/cs-firewall-bouncer.nix index bdc6da8..42accc6 100644 --- a/modules/crowdsec/remediations/cs-firewall-bouncer.nix +++ b/modules/crowdsec/remediations/cs-firewall-bouncer.nix @@ -6,7 +6,7 @@ ... }: let - inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) crowdsec-firewall-bouncer; + inherit (flake-inputs.self.packages.${pkgs.system}) crowdsec-firewall-bouncer; crowdsecCfg = config.security.crowdsec; cfg = crowdsecCfg.remediationComponents.firewallBouncer; diff --git a/pkgs/default.nix b/pkgs/default.nix index 31335a6..1ce8cd2 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,5 +1,8 @@ -{ pkgs }: +{ pkgs, flake-inputs }: +let + inherit (flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}) ast-grep; +in pkgs.lib.packagesFromDirectoryRecursive { - inherit (pkgs) callPackage; + callPackage = pkgs.lib.callPackageWith (pkgs // { inherit ast-grep; }); directory = ./packages; }
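Review bot: `runCommandNoCCLocal` is, as far as I know, a deprecated alias of `runCommandLocal` in current nixpkgs (the `NoCC` variants were folded into `runCommand` once it stopped pulling in a C compiler), so the line being replaced was the current spelling; if the pinned 25.05 emits the deprecation warning on evaluation, keep `(pkgs.runCommandLocal "cscli" { } ''`. The `mkdir`/`ln` body and the surrounding list continue outside the hunk. In pkgs/default.nix on this same line, `callPackageWith (pkgs // { inherit ast-grep; })` silently shadows the stable `ast-grep` for every package under `./packages`; a one-line comment above the `let` saying which package needs the unstable build would stop that being mistaken for an accident.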