diff --git a/flake.lock b/flake.lock index 2dfc4c8..3110420 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1699040089, - "narHash": "sha256-EEBYKHZgC3ecjEZno+a/ZbFRCCln2PrkVVzLJDXquZ4=", + "lastModified": 1701429257, + "narHash": "sha256-qogV2s6wU1KrFaPUPdUdRNYMLnuRJ19lnF8+bqqA5YE=", "owner": "fsr", "repo": "course-management", - "rev": "28f2eedcf0be82f5b718dc2077c6fba0f444d971", + "rev": "a0342bef0d833ef2175769e6cf3475a210fa3b94", "type": "github" }, "original": { @@ -47,11 +47,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -65,11 +65,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1687709756, - "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -98,6 +98,28 @@ "type": "github" } }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "course-management", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1698974481, + "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "4bb5e752616262457bc7ca5882192a564c0472d2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -105,11 +127,11 @@ ] }, "locked": { - "lastModified": 1700363379, - "narHash": "sha256-fBEVPFwSZ6AmBE1s1oT7E9WVuqRghruxTnSQ8UUlMkw=", + "lastModified": 1702291765, + "narHash": "sha256-kfxavgLKPIZdYVPUPcoDZyr5lleymrqbr5G9PVfQ2NY=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "27920146e671a0d565aaa7452907383be14d8d82", + "rev": "45d82e0a8b9dd6c5dd9da835ac0c072239af7785", "type": "github" }, "original": { @@ -120,27 +142,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700403855, - "narHash": "sha256-Q0Uzjik9kUTN9pd/kp52XJi5kletBhy29ctBlAG+III=", + "lastModified": 1702346276, + "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0c5678df521e1407884205fe3ce3cf1d7df297db", + "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1700342017, - "narHash": "sha256-HaibwlWH5LuqsaibW3sIVjZQtEM/jWtOHX4Nk93abGE=", + "lastModified": 1702148972, + "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "decdf666c833a325cb4417041a90681499e06a41", + "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227", "type": "github" }, "original": { @@ -153,17 +175,20 @@ "poetry2nix": { "inputs": { "flake-utils": "flake-utils_2", + "nix-github-actions": "nix-github-actions", "nixpkgs": [ "course-management", "nixpkgs" - ] + ], + "systems": "systems_3", + "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1688440303, - "narHash": "sha256-hFfOyityHdVFI0HNM+sqZfpi9Fbvjvy0N9O7FjuqPWY=", + "lastModified": 1701399357, + "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "04714155bae013fb9b207e54d1faf9f0c3d08706", + "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e", "type": "github" }, "original": { @@ -190,11 +215,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1700362823, - "narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=", + "lastModified": 1702177193, + "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "49a87c6c827ccd21c225531e30745a9a6464775c", + "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9", "type": "github" }, "original": { @@ -232,6 +257,42 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "course-management", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699786194, + "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 99931d8..4f04668 100755 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { - nixpkgs.url = github:nixos/nixpkgs/nixos-23.05; - sops-nix.url = github:Mic92/sops-nix; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; nix-index-database.url = "github:nix-community/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; @@ -22,6 +22,7 @@ formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; hydraJobs."x86-64-linux".quitte = self.packages."x86_64-linux".quitte; + overlays.default = import ./overlays; nixosConfigurations = { quitte = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; @@ -67,6 +68,7 @@ ./modules/sharepic.nix ./modules/zammad.nix { + nixpkgs.overlays = [ self.overlays.default ]; sops.defaultSopsFile = ./secrets/quitte.yaml; } ]; diff --git a/modules/bacula.nix b/modules/bacula.nix index fd03eb7..d28e3a8 100644 --- a/modules/bacula.nix +++ b/modules/bacula.nix @@ -1,41 +1,4 @@ { pkgs, config, lib, ... }: -with lib; - -let - # We write a custom config file because the upstream config has some flaws - fd_cfg = config.services.bacula-fd; - fd_conf = pkgs.writeText "bacula-fd.conf" '' - Client { - Name = ${fd_cfg.name} - FDPort = ${toString fd_cfg.port} - WorkingDirectory = /var/lib/bacula - Pid Directory = /run - ${fd_cfg.extraClientConfig} - } - - ${concatStringsSep "\n" (mapAttrsToList (name: value: '' - Director { - Name = ${name} - Password = ${value.password} - Monitor = ${value.monitor} - } - '') fd_cfg.director)} - - Messages { - Name = Standard; - syslog = all, !skipped, !restored - ${fd_cfg.extraMessagesConfig} - } - ''; - # AGDSN is running an outdated version that we have to comply to - bacula_package = (pkgs.bacula.overrideAttrs (old: rec { - version = "9.6.7"; - src = pkgs.fetchurl { - url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz"; - sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4="; - }; - })); -in { sops.secrets = { "bacula/password".owner = "bacula"; @@ -56,7 +19,7 @@ in ''; extraMessagesConfig = '' director = abel-dir = all, !skipped, !restored - mailcommand = "${bacula_package}/bin/bsmtp -f \"Bacula \" -s \"Bacula report" %r" + mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula \" -s \"Bacula report" %r" mail = root+backup = all, !skipped ''; director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}"; @@ -73,5 +36,4 @@ in Password = @${config.sops.secrets."bacula/password".path} } ''; - systemd.services.bacula-fd.serviceConfig.ExecStart = lib.mkForce "${bacula_package}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}"; } diff --git a/modules/base.nix b/modules/base.nix index 348aa2c..c9b4db8 100755 --- a/modules/base.nix +++ b/modules/base.nix @@ -93,7 +93,7 @@ sysstat tree whois - exa + eza zsh ]; } diff --git a/modules/course-management.nix b/modules/course-management.nix index d5ed99a..098d40e 100644 --- a/modules/course-management.nix +++ b/modules/course-management.nix @@ -38,9 +38,7 @@ in enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force ensureUsers = [{ name = "course-management"; - ensurePermissions = { - "DATABASE \"course-management\"" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; ensureDatabases = [ "course-management" ]; }; diff --git a/modules/courses-phil.nix b/modules/courses-phil.nix index 8b358dc..78c03b1 100644 --- a/modules/courses-phil.nix +++ b/modules/courses-phil.nix @@ -67,9 +67,7 @@ in enableTCPIP = lib.mkForce false; ensureUsers = [{ name = "course-management"; - ensurePermissions = { - "DATABASE \"course-management\"" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; ensureDatabases = [ "course-management" ]; }; diff --git a/modules/gitea.nix b/modules/gitea.nix index 9924f61..1d49a8f 100644 --- a/modules/gitea.nix +++ b/modules/gitea.nix @@ -1,40 +1,43 @@ { config, lib, pkgs, ... }: let domain = "git.${config.networking.domain}"; - giteaUser = "git"; + gitUser = "git"; in { sops.secrets.gitea_ldap_search = { key = "portunus/search-password"; - owner = config.services.gitea.user; + owner = config.services.forgejo.user; }; - users.users.${giteaUser} = { + users.users.${gitUser} = { isSystemUser = true; home = config.services.gitea.stateDir; - group = giteaUser; + group = gitUser; useDefaultShell = true; }; - users.groups.${giteaUser} = { }; + users.groups.${gitUser} = { }; - services.gitea = { + services.forgejo = { enable = true; - package = pkgs.forgejo; # community fork - user = giteaUser; - group = giteaUser; - appName = "iFSR Git"; + # package = pkgs.forgejo; # community fork + user = gitUser; + group = gitUser; lfs.enable = true; database = { type = "postgres"; + name = "git"; # legacy createDatabase = true; - user = giteaUser; + user = gitUser; }; # TODO: enable periodic dumps of the DB and repos, maybe use this for backups? # dump = { }; settings = { + DEFAULT = { + APP_NAME = "iFSR Git"; + }; server = { PROTOCOL = "http+unix"; DOMAIN = domain; @@ -68,7 +71,7 @@ in systemd.services.gitea.preStart = let - exe = lib.getExe config.services.gitea.package; + exe = lib.getExe config.services.forgejo.package; portunus = config.services.portunus; basedn = "ou=users,${portunus.ldap.suffix}"; ldapConfigArgs = '' @@ -108,7 +111,7 @@ in enableACME = true; forceSSL = true; locations."/" = { - proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}:/"; + proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; proxyWebsockets = true; }; locations."/api/v1/users/search".return = "403"; diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index bbe2c47..3061aba 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix @@ -14,9 +14,7 @@ in ensureUsers = [ { name = "hedgedoc"; - ensurePermissions = { - "DATABASE hedgedoc" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } ]; ensureDatabases = [ "hedgedoc" ]; diff --git a/modules/mailman.nix b/modules/mailman.nix index efaee90..90b2767 100644 --- a/modules/mailman.nix +++ b/modules/mailman.nix @@ -20,7 +20,7 @@ webSettings = { DATABASES.default = { ENGINE = "django.db.backends.postgresql"; - NAME = "mailmanweb"; + NAME = "mailman-web"; }; }; ldap = { @@ -45,18 +45,14 @@ ensureUsers = [ { name = "mailman"; - ensurePermissions = { - "DATABASE mailman" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } { name = "mailman-web"; - ensurePermissions = { - "DATABASE mailmanweb" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } ]; - ensureDatabases = [ "mailman" "mailmanweb" ]; + ensureDatabases = [ "mailman" "mailman-web" ]; }; services.nginx.virtualHosts."lists.${config.networking.domain}" = { enableACME = true; diff --git a/modules/mautrix-telegram.nix b/modules/mautrix-telegram.nix index f17f29b..270ccc7 100644 --- a/modules/mautrix-telegram.nix +++ b/modules/mautrix-telegram.nix @@ -10,9 +10,7 @@ in enable = true; ensureUsers = [{ name = "mautrix-telegram"; - ensurePermissions = { - "DATABASE \"mautrix-telegram\"" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; ensureDatabases = [ "mautrix-telegram" ]; }; diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 268fbb5..ec60b7b 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -17,7 +17,6 @@ in enable = true; configureRedis = true; package = pkgs.nextcloud27; - enableBrokenCiphersForSSE = false; # disable the openssl warning hostName = domain; https = true; # Use https for all urls phpExtraExtensions = all: [ diff --git a/modules/sogo.nix b/modules/sogo.nix index 8b2490b..cc45369 100644 --- a/modules/sogo.nix +++ b/modules/sogo.nix @@ -51,9 +51,7 @@ in ensureUsers = [ { name = "sogo"; - ensurePermissions = { - "DATABASE sogo" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } ]; ensureDatabases = [ "sogo" ]; diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix index 3ec5e09..4add3f6 100644 --- a/modules/vaultwarden.nix +++ b/modules/vaultwarden.nix @@ -25,9 +25,7 @@ in ensureUsers = [ { name = "vaultwarden"; - ensurePermissions = { - "DATABASE vaultwarden" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; } ]; ensureDatabases = [ "vaultwarden" ]; diff --git a/overlays/default.nix b/overlays/default.nix new file mode 100644 index 0000000..52de42e --- /dev/null +++ b/overlays/default.nix @@ -0,0 +1,15 @@ +_final: prev: +let + inherit (prev) fetchurl; +in +{ + # AGDSN is running an outdated version that we have to comply to + bacula = (prev.bacula.overrideAttrs (old: rec { + version = "9.6.7"; + src = fetchurl { + url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz"; + sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4="; + }; + })); + +}