Merge pull request #79 from fsr/nixos-23.11

update flake to 23.11

flake.lock

@@ -9,11 +9,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1699040089,
-        "narHash": "sha256-EEBYKHZgC3ecjEZno+a/ZbFRCCln2PrkVVzLJDXquZ4=",
+        "lastModified": 1701429257,
+        "narHash": "sha256-qogV2s6wU1KrFaPUPdUdRNYMLnuRJ19lnF8+bqqA5YE=",
         "owner": "fsr",
         "repo": "course-management",
-        "rev": "28f2eedcf0be82f5b718dc2077c6fba0f444d971",
+        "rev": "a0342bef0d833ef2175769e6cf3475a210fa3b94",
         "type": "github"
       },
       "original": {
@@ -47,11 +47,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1687709756,
-        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {
@@ -65,11 +65,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1687709756,
-        "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {
@@ -98,6 +98,28 @@
         "type": "github"
       }
     },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "course-management",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1698974481,
+        "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -105,11 +127,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1700363379,
-        "narHash": "sha256-fBEVPFwSZ6AmBE1s1oT7E9WVuqRghruxTnSQ8UUlMkw=",
+        "lastModified": 1702291765,
+        "narHash": "sha256-kfxavgLKPIZdYVPUPcoDZyr5lleymrqbr5G9PVfQ2NY=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "27920146e671a0d565aaa7452907383be14d8d82",
+        "rev": "45d82e0a8b9dd6c5dd9da835ac0c072239af7785",
         "type": "github"
       },
       "original": {
@@ -120,27 +142,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1700403855,
-        "narHash": "sha256-Q0Uzjik9kUTN9pd/kp52XJi5kletBhy29ctBlAG+III=",
+        "lastModified": 1702346276,
+        "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0c5678df521e1407884205fe3ce3cf1d7df297db",
+        "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1700342017,
-        "narHash": "sha256-HaibwlWH5LuqsaibW3sIVjZQtEM/jWtOHX4Nk93abGE=",
+        "lastModified": 1702148972,
+        "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "decdf666c833a325cb4417041a90681499e06a41",
+        "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227",
         "type": "github"
       },
       "original": {
@@ -153,17 +175,20 @@
     "poetry2nix": {
       "inputs": {
         "flake-utils": "flake-utils_2",
+        "nix-github-actions": "nix-github-actions",
         "nixpkgs": [
           "course-management",
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems_3",
+        "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1688440303,
-        "narHash": "sha256-hFfOyityHdVFI0HNM+sqZfpi9Fbvjvy0N9O7FjuqPWY=",
+        "lastModified": 1701399357,
+        "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "04714155bae013fb9b207e54d1faf9f0c3d08706",
+        "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
         "type": "github"
       },
       "original": {
@@ -190,11 +215,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1700362823,
-        "narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=",
+        "lastModified": 1702177193,
+        "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "49a87c6c827ccd21c225531e30745a9a6464775c",
+        "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9",
         "type": "github"
       },
       "original": {
@@ -232,6 +257,42 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "course-management",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1699786194,
+        "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,7 +1,7 @@
 {
   inputs = {
-    nixpkgs.url = github:nixos/nixpkgs/nixos-23.05;
-    sops-nix.url = github:Mic92/sops-nix;
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+    sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
     nix-index-database.url = "github:nix-community/nix-index-database";
     nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
@@ -22,6 +22,7 @@
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
       hydraJobs."x86-64-linux".quitte = self.packages."x86_64-linux".quitte;
 
+      overlays.default = import ./overlays;
       nixosConfigurations = {
         quitte = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
@@ -67,6 +68,7 @@
             ./modules/sharepic.nix
             ./modules/zammad.nix
             {
+              nixpkgs.overlays = [ self.overlays.default ];
               sops.defaultSopsFile = ./secrets/quitte.yaml;
             }
           ];

modules/bacula.nix

@@ -1,41 +1,4 @@
 { pkgs, config, lib, ... }:
-with lib;
-
-let
-  # We write a custom config file because the upstream config has some flaws
-  fd_cfg = config.services.bacula-fd;
-  fd_conf = pkgs.writeText "bacula-fd.conf" ''
-    Client {
-      Name = ${fd_cfg.name}
-      FDPort = ${toString fd_cfg.port}
-      WorkingDirectory = /var/lib/bacula
-      Pid Directory = /run
-      ${fd_cfg.extraClientConfig}
-    }
-
-    ${concatStringsSep "\n" (mapAttrsToList (name: value: ''
-    Director {
-      Name = ${name}
-      Password = ${value.password}
-      Monitor = ${value.monitor}
-    }
-    '') fd_cfg.director)}
-
-    Messages {
-      Name = Standard;
-      syslog = all, !skipped, !restored
-      ${fd_cfg.extraMessagesConfig}
-    }
-  '';
-  # AGDSN is running an outdated version that we have to comply to
-  bacula_package = (pkgs.bacula.overrideAttrs (old: rec {
-    version = "9.6.7";
-    src = pkgs.fetchurl {
-      url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz";
-      sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
-    };
-  }));
-in
 {
   sops.secrets = {
     "bacula/password".owner = "bacula";
@@ -56,7 +19,7 @@ in
     '';
     extraMessagesConfig = ''
       director = abel-dir = all, !skipped, !restored
-      mailcommand = "${bacula_package}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
+      mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
       mail = root+backup = all, !skipped
     '';
     director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}";
@@ -73,5 +36,4 @@ in
       Password = @${config.sops.secrets."bacula/password".path}
     }
   '';
-  systemd.services.bacula-fd.serviceConfig.ExecStart = lib.mkForce "${bacula_package}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}";
 }

modules/base.nix

@@ -93,7 +93,7 @@
     sysstat
     tree
     whois
-    exa
+    eza
     zsh
   ];
 }

modules/course-management.nix

@@ -38,9 +38,7 @@ in
     enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force
     ensureUsers = [{
       name = "course-management";
-      ensurePermissions = {
-        "DATABASE \"course-management\"" = "ALL PRIVILEGES";
-      };
+      ensureDBOwnership = true;
     }];
     ensureDatabases = [ "course-management" ];
   };

modules/courses-phil.nix

@@ -67,9 +67,7 @@ in
         enableTCPIP = lib.mkForce false;
         ensureUsers = [{
           name = "course-management";
-          ensurePermissions = {
-            "DATABASE \"course-management\"" = "ALL PRIVILEGES";
-          };
+          ensureDBOwnership = true;
         }];
         ensureDatabases = [ "course-management" ];
       };

modules/gitea.nix

@@ -1,40 +1,43 @@
 { config, lib, pkgs, ... }:
 let
   domain = "git.${config.networking.domain}";
-  giteaUser = "git";
+  gitUser = "git";
 in
 {
   sops.secrets.gitea_ldap_search = {
     key = "portunus/search-password";
-    owner = config.services.gitea.user;
+    owner = config.services.forgejo.user;
   };
 
-  users.users.${giteaUser} = {
+  users.users.${gitUser} = {
     isSystemUser = true;
     home = config.services.gitea.stateDir;
-    group = giteaUser;
+    group = gitUser;
     useDefaultShell = true;
   };
-  users.groups.${giteaUser} = { };
+  users.groups.${gitUser} = { };
 
-  services.gitea = {
+  services.forgejo = {
     enable = true;
-    package = pkgs.forgejo; # community fork
-    user = giteaUser;
-    group = giteaUser;
-    appName = "iFSR Git";
+    # package = pkgs.forgejo; # community fork
+    user = gitUser;
+    group = gitUser;
     lfs.enable = true;
 
     database = {
       type = "postgres";
+      name = "git"; # legacy
       createDatabase = true;
-      user = giteaUser;
+      user = gitUser;
     };
 
     # TODO: enable periodic dumps of the DB and repos, maybe use this for backups?
     # dump = { };
 
     settings = {
+      DEFAULT = {
+        APP_NAME = "iFSR Git";
+      };
       server = {
         PROTOCOL = "http+unix";
         DOMAIN = domain;
@@ -68,7 +71,7 @@ in
 
   systemd.services.gitea.preStart =
     let
-      exe = lib.getExe config.services.gitea.package;
+      exe = lib.getExe config.services.forgejo.package;
       portunus = config.services.portunus;
       basedn = "ou=users,${portunus.ldap.suffix}";
       ldapConfigArgs = ''
@@ -108,7 +111,7 @@ in
     enableACME = true;
     forceSSL = true;
     locations."/" = {
-      proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}:/";
+      proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
       proxyWebsockets = true;
     };
     locations."/api/v1/users/search".return = "403";

modules/hedgedoc.nix

@@ -14,9 +14,7 @@ in
       ensureUsers = [
         {
           name = "hedgedoc";
-          ensurePermissions = {
-            "DATABASE hedgedoc" = "ALL PRIVILEGES";
-          };
+          ensureDBOwnership = true;
         }
       ];
       ensureDatabases = [ "hedgedoc" ];

modules/mailman.nix

@@ -20,7 +20,7 @@
     webSettings = {
       DATABASES.default = {
         ENGINE = "django.db.backends.postgresql";
-        NAME = "mailmanweb";
+        NAME = "mailman-web";
       };
     };
     ldap = {
@@ -45,18 +45,14 @@
     ensureUsers = [
       {
         name = "mailman";
-        ensurePermissions = {
-          "DATABASE mailman" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
       {
         name = "mailman-web";
-        ensurePermissions = {
-          "DATABASE mailmanweb" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
-    ensureDatabases = [ "mailman" "mailmanweb" ];
+    ensureDatabases = [ "mailman" "mailman-web" ];
   };
   services.nginx.virtualHosts."lists.${config.networking.domain}" = {
     enableACME = true;

modules/mautrix-telegram.nix

@@ -10,9 +10,7 @@ in
     enable = true;
     ensureUsers = [{
       name = "mautrix-telegram";
-      ensurePermissions = {
-        "DATABASE \"mautrix-telegram\"" = "ALL PRIVILEGES";
-      };
+      ensureDBOwnership = true;
     }];
     ensureDatabases = [ "mautrix-telegram" ];
   };

modules/nextcloud.nix

@@ -17,7 +17,6 @@ in
       enable = true;
       configureRedis = true;
       package = pkgs.nextcloud27;
-      enableBrokenCiphersForSSE = false; # disable the openssl warning
       hostName = domain;
       https = true; # Use https for all urls
       phpExtraExtensions = all: [

modules/sogo.nix

@@ -51,9 +51,7 @@ in
       ensureUsers = [
         {
           name = "sogo";
-          ensurePermissions = {
-            "DATABASE sogo" = "ALL PRIVILEGES";
-          };
+          ensureDBOwnership = true;
         }
       ];
       ensureDatabases = [ "sogo" ];

modules/vaultwarden.nix

@@ -25,9 +25,7 @@ in
     ensureUsers = [
       {
         name = "vaultwarden";
-        ensurePermissions = {
-          "DATABASE vaultwarden" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
     ensureDatabases = [ "vaultwarden" ];

overlays/default.nix

@@ -0,0 +1,15 @@
+_final: prev:
+let
+  inherit (prev) fetchurl;
+in
+{
+  # AGDSN is running an outdated version that we have to comply to
+  bacula = (prev.bacula.overrideAttrs (old: rec {
+    version = "9.6.7";
+    src = fetchurl {
+      url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz";
+      sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
+    };
+  }));
+
+}