diff --git a/README.md b/README.md index 42477ac..5a5ef8b 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,7 @@ nixos-install --no-root-passwd --flake .#omega ### Upgrading Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo is [easy -enough](https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/NixOS/nixpkgs%24+lang:Nix+stateVersion+AND+24.05&patternType=keyword&sm=0). +enough](https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/NixOS/nixpkgs%24+lang:Nix+stateVersion+AND+24.11&patternType=keyword&sm=0). Important changes to home-manager is available at and . diff --git a/flake.nix b/flake.nix index 374f41a..13920f5 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,7 @@ url = "git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"; }; nixpkgs = { - url = "github:NixOS/nixpkgs/nixos-24.05"; + url = "github:NixOS/nixpkgs/nixos-24.11"; }; nixpkgs-unstable = { url = "github:NixOS/nixpkgs/nixos-unstable"; @@ -32,7 +32,7 @@ inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system }; home-manager = { - url = "github:nix-community/home-manager/release-24.05"; + url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system }; home-manager-unstable = { @@ -40,6 +40,7 @@ inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system }; simple-nixos-mailserver = { + # TODO: upgrade to 24.11 url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system }; diff --git a/hosts/alpha/default.nix b/hosts/alpha/default.nix index c4fc921..ce9dac6 100644 --- a/hosts/alpha/default.nix +++ b/hosts/alpha/default.nix 
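Review bot: The new `# TODO: upgrade to 24.11` above `url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"` leaves the mailserver module on its 24.05 branch while the `inputs.nixpkgs.follows = "nixpkgs"` line right below it now resolves to nixos-24.11, so that module is evaluated against a nixpkgs whose option set has moved on — this same commit has to chase renames in the samba and networkd modules. A removed option fails loudly, but a renamed one may keep evaluating with a changed effective config, so the TODO should say what the interim risk is rather than read as housekeeping. I would make it `# TODO: upgrade to 24.11. Until then this 24.05 module is evaluated against nixpkgs 24.11 (see follows below); dry-build the host that imports it after every nixpkgs bump.` The enclosing inputs attrset starts before the hunk.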
@@ -29,7 +29,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage @@ -38,5 +38,5 @@ # You can update Home Manager without changing this value. See # the Home Manager release notes for a list of state version # changes in each release. - home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment? + home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment? } diff --git a/hosts/alpha/network.nix b/hosts/alpha/network.nix index d837d4a..2595172 100644 --- a/hosts/alpha/network.nix +++ b/hosts/alpha/network.nix @@ -13,14 +13,12 @@ "2a01:4f8:c2c:71c0::/64" ]; routes = [ - {routeConfig = {Destination = "172.31.1.1";};} + {Destination = "172.31.1.1";} { - routeConfig = { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - }; + Gateway = "172.31.1.1"; + GatewayOnLink = true; } - {routeConfig = {Gateway = "fe80::1";};} + {Gateway = "fe80::1";} ]; # Enable proxy ARP to answer ARP requests for the floating IP addresses, # intended for the wireguard peers, from Hetzner's router. Without this, 
@@ -42,14 +40,12 @@ }; wireguardPeers = [ { - wireguardPeerConfig = { - PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0="; - PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; - # Add to the main routing table that traffic for the address should - # be sent to sigma. - AllowedIPs = ["49.13.33.75/32"]; - RouteTable = "main"; - }; + PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0="; + PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; + # Add to the main routing table that traffic for the address should + # be sent to sigma. + AllowedIPs = ["49.13.33.75/32"]; + RouteTable = "main"; } ]; }; @@ -71,12 +67,10 @@ }; wireguardPeers = [ { - wireguardPeerConfig = { - PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0="; - PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; - AllowedIPs = ["${secrets.hosts.alpha.sigma-p2p-ip-address}/32"]; - RouteTable = "main"; - }; + PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0="; + PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; + AllowedIPs = ["${secrets.hosts.alpha.sigma-p2p-ip-address}/32"]; + RouteTable = "main"; } ]; }; diff --git a/hosts/delta/default.nix b/hosts/delta/default.nix index ec11d27..37cf092 100644 --- a/hosts/delta/default.nix +++ b/hosts/delta/default.nix @@ -25,7 +25,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage 
@@ -34,5 +34,5 @@ # You can update Home Manager without changing this value. See # the Home Manager release notes for a list of state version # changes in each release. - home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment? + home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment? } diff --git a/hosts/delta/network.nix b/hosts/delta/network.nix index d75fecd..ac0f2ef 100644 --- a/hosts/delta/network.nix +++ b/hosts/delta/network.nix @@ -11,14 +11,12 @@ "2a01:4f8:1c0c:70d1::1/64" ]; routes = [ - {routeConfig = {Destination = "172.31.1.1";};} + {Destination = "172.31.1.1";} { - routeConfig = { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - }; + Gateway = "172.31.1.1"; + GatewayOnLink = true; } - {routeConfig = {Gateway = "fe80::1";};} + {Gateway = "fe80::1";} ]; }; }; diff --git a/hosts/mu/default.nix b/hosts/mu/default.nix index 6122906..9831b3c 100644 --- a/hosts/mu/default.nix +++ b/hosts/mu/default.nix @@ -27,7 +27,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage @@ -36,5 +36,5 @@ # You can update Home Manager without changing this value. See # the Home Manager release notes for a list of state version # changes in each release. - home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment? + home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment? } diff --git a/hosts/omega/default.nix b/hosts/omega/default.nix index db93643..4423c57 100644 --- a/hosts/omega/default.nix +++ b/hosts/omega/default.nix 
@@ -26,7 +26,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage @@ -35,5 +35,5 @@ # You can update Home Manager without changing this value. See # the Home Manager release notes for a list of state version # changes in each release. - home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment? + home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment? } diff --git a/hosts/omega/hardware.nix b/hosts/omega/hardware.nix index ae36f76..54b8b24 100644 --- a/hosts/omega/hardware.nix +++ b/hosts/omega/hardware.nix @@ -54,8 +54,12 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; # GPU - hardware.amdgpu.amdvlk = { - enable = true; - support32Bit.enable = true; + hardware.amdgpu = { + amdvlk = { + enable = true; + support32Bit.enable = true; + supportExperimental.enable = true; + }; + opencl.enable = true; }; } diff --git a/hosts/sigma/default.nix b/hosts/sigma/default.nix index 25d8aa6..8bd2909 100644 --- a/hosts/sigma/default.nix +++ b/hosts/sigma/default.nix @@ -39,7 +39,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage 
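Review bot: `supportExperimental.enable = true;` and `opencl.enable = true;` are added under `hardware.amdgpu` with no comment beyond the existing `# GPU`, so a later reader cannot tell which workload needed the experimental amdvlk extensions or the OpenCL runtime, nor when either can be dropped again. Features behind an "experimental" switch are the less exercised driver paths, so the reason for turning them on is worth recording now rather than leaving to archaeology. I would put one line above each, e.g. `# amdvlk experimental extensions: needed by <application>; re-check after the next release` and `# OpenCL runtime for <application>`, with the real application names filled in.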
@@ -48,5 +48,5 @@ # You can update Home Manager without changing this value. See # the Home Manager release notes for a list of state version # changes in each release. - home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment? + home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment? } diff --git a/hosts/sigma/matrix.nix b/hosts/sigma/matrix.nix index c4ff2cf..71ebeb9 100644 --- a/hosts/sigma/matrix.nix +++ b/hosts/sigma/matrix.nix @@ -51,16 +51,6 @@ }; }; - # https://github.com/matrix-org/sliding-sync - services.matrix-sliding-sync = { - # Unlike matrix-synapse, sliding-sync has createDatabase=true by default, - # which means we don't have to configure the database in the postgres - # service manually. - enable = true; - settings.SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl; - environmentFile = config.age.secrets.matrix-sliding-sync-environment-file.path; - }; - services.postgresql = { ensureDatabases = [ # matrix-synapse expects the database to have the options `LC_COLLATE` @@ -91,11 +81,4 @@ } ]; }; - - age.secrets.matrix-sliding-sync-environment-file = { - file = "${secrets}/secrets/matrix-sliding-sync-environment-file.age"; - mode = "400"; - owner = "root"; - group = "root"; - }; } diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix index bd5b9f0..dde2192 100644 --- a/hosts/sigma/network.nix +++ b/hosts/sigma/network.nix 
@@ -71,26 +71,23 @@
 };
 wireguardPeers = [
 {
- wireguardPeerConfig = {
- PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
- PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
- # Explicit IPv4 address of alpha.caspervk.net to avoid attempting
- # to (re)connect through IPv6(??).
- Endpoint = "116.203.179.206:51820";
- # Keep NAT mappings and stateful firewalls open at the ISP
- PersistentKeepalive = 25;
- # AllowedIPs is both an ACL for incoming traffic, as well as a
- # routing table specifying to which peer outgoing traffic should be
- # sent. We want to allow incoming traffic from any address on the
- # internet (routed through alpha), but only replies to this should
- # be routed back over wireguard. Unlike if we had used NAT, IP
- # routes are stateless, so we have no notion of "replies". Instead,
- # we add these routes to a specific routing table and configure a
- # routing policy rule to only use it for packets being sent as the
- # public IP.
- AllowedIPs = ["0.0.0.0/0"];
- RouteTable = "wg-sigma-public";
- };
+ PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
+ PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
+ # Explicit IPv4 address of alpha.caspervk.net to avoid attempting to
+ # (re)connect through IPv6(??).
+ Endpoint = "116.203.179.206:51820";
+ # Keep NAT mappings and stateful firewalls open at the ISP
+ PersistentKeepalive = 25;
+ # AllowedIPs is both an ACL for incoming traffic, as well as a
+ # routing table specifying to which peer outgoing traffic should be
+ # sent. We want to allow incoming traffic from any address on the
+ # internet (routed through alpha), but only replies to this should be
+ # routed back over wireguard. Unlike if we had used NAT, IP routes
+ # are stateless, so we have no notion of "replies". Instead, we add
+ # these routes to a specific routing table and configure a routing
+ # policy rule to only use it for packets being sent as the public IP.
+ AllowedIPs = ["0.0.0.0/0"]; + RouteTable = "wg-sigma-public"; } ]; }; @@ -144,16 +141,14 @@ }; wireguardPeers = [ { - wireguardPeerConfig = { - PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM="; - PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; - # Explicit IPv4 address of alpha.caspervk.net to avoid attempting - # to (re)connect through IPv6(??). - Endpoint = "116.203.179.206:51821"; - PersistentKeepalive = 25; - AllowedIPs = ["0.0.0.0/0"]; - RouteTable = "wg-sigma-p2p"; - }; + PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM="; + PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; + # Explicit IPv4 address of alpha.caspervk.net to avoid attempting to + # (re)connect through IPv6(??). + Endpoint = "116.203.179.206:51821"; + PersistentKeepalive = 25; + AllowedIPs = ["0.0.0.0/0"]; + RouteTable = "wg-sigma-p2p"; } ]; }; diff --git a/hosts/sigma/postgresql.nix b/hosts/sigma/postgresql.nix index e7a4ae2..8b2622c 100644 --- a/hosts/sigma/postgresql.nix +++ b/hosts/sigma/postgresql.nix @@ -5,6 +5,7 @@ services.postgresql = { enable = true; # https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading + # https://wiki.nixos.org/wiki/PostgreSQL#Major_upgrades package = pkgs.postgresql_16; }; diff --git a/hosts/sigma/samba.nix b/hosts/sigma/samba.nix index ab61ca9..39b1346 100644 --- a/hosts/sigma/samba.nix +++ b/hosts/sigma/samba.nix 
@@ -24,11 +24,11 @@ # Disable discovery: don't reply to NetBIOS over IP name service requests # or participate in the browsing protocols which make up the Windows # “Network Neighborhood” view. - enableNmbd = false; + samba.enableNmbd = false; # Disable Samba’s winbindd, which provides a number of services to the Name # Service Switch capability found in most modern C libraries, to arbitrary # applications via PAM and ntlm_auth and to Samba itself. - enableWinbindd = false; + winbindd.enable = false; # https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html extraConfig = '' # Only allow local access. This should also be enforced by the firewall. @@ -43,7 +43,7 @@ # Allow Windows clients to run .exe's acl allow execute always = True ''; - shares = { + services.samba.settings = { downloads = { path = "/srv/torrents/downloads"; # Use the 'torrent' group for access for all users connecting diff --git a/hosts/tor/default.nix b/hosts/tor/default.nix index ae7e5e5..5dff49b 100644 --- a/hosts/tor/default.nix +++ b/hosts/tor/default.nix @@ -24,7 +24,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage @@ -33,5 +33,5 @@ # You can update Home Manager without changing this value. See # the Home Manager release notes for a list of state version # changes in each release. - home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment? + home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment? } diff --git a/hosts/tor/network.nix b/hosts/tor/network.nix index 12800c6..01c1961 100644 --- a/hosts/tor/network.nix 
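Review bot: The renamed keys in this hunk do not agree on what their enclosing attrset is: `samba.enableNmbd = false;`, `winbindd.enable = false;`, the unchanged `extraConfig = ''` and `services.samba.settings = {` are siblings, yet they would only all resolve if the parent were at once `services`, `services.samba` and the module root. The enclosing block starts before the hunk so I cannot see it, but if it is `services.samba = { … }` (which the unqualified `extraConfig` suggests), the first and last become `services.samba.samba.enableNmbd` and `services.samba.services.samba.settings` and evaluation fails. As far as I recall the 24.11 samba module exposes `nmbd.enable`, `winbindd.enable` and `settings` (with `settings.global` replacing `extraConfig`), so inside that block the lines would read `nmbd.enable = false;`, `winbindd.enable = false;` and `settings = {`, with the smb.conf snippet moved into a `global` section. That snippet carries the local-only access restriction described in its own comment, so after the migration it is worth confirming the generated smb.conf still contains it rather than relying on an eval error to catch a silently dropped `extraConfig`.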
+++ b/hosts/tor/network.nix @@ -19,8 +19,8 @@ "2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b/64" ]; routes = [ - {routeConfig = {Gateway = "185.231.102.1";};} - {routeConfig = {Gateway = "fe80::200:5eff:fe00:20c";};} + {Gateway = "185.231.102.1";} + {Gateway = "fe80::200:5eff:fe00:20c";} ]; }; }; diff --git a/hosts/zeta/default.nix b/hosts/zeta/default.nix index 3ec76e6..7f8046b 100644 --- a/hosts/zeta/default.nix +++ b/hosts/zeta/default.nix @@ -25,7 +25,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage @@ -34,5 +34,5 @@ # You can update Home Manager without changing this value. See # the Home Manager release notes for a list of state version # changes in each release. - home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment? + home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment? } diff --git a/modules/base/nix.nix b/modules/base/nix.nix index cb4fe42..9e943de 100644 --- a/modules/base/nix.nix +++ b/modules/base/nix.nix @@ -28,7 +28,7 @@ auto-optimise-store = true; # Enable flakes - experimental-features = ["nix-command" "flakes" "repl-flake"]; + experimental-features = ["nix-command" "flakes"]; # Timeout connections to the binary cache instead of waiting forever connect-timeout = 5; diff --git a/modules/desktop/docker.nix b/modules/desktop/docker.nix index e7aa5b1..e6d51d6 100644 --- a/modules/desktop/docker.nix +++ b/modules/desktop/docker.nix 
@@ -7,9 +7,6 @@ enable = true; # Automatically `docker system prune` weekly autoPrune.enable = true; - # Fix waiting for docker containers to exit on shutdown/reboot - # https://discourse.nixos.org/t/docker-hanging-on-reboot/18270/4 - liveRestore = false; }; # Being a member of the docker group is effectively equivalent to being root, diff --git a/modules/desktop/foot.nix b/modules/desktop/foot.nix index 1b752ec..56cba4e 100644 --- a/modules/desktop/foot.nix +++ b/modules/desktop/foot.nix 
@@ -1,55 +1,53 @@
-{home-manager, ...}: {
+{...}: {
 # Terminal emulator
 # https://codeberg.org/dnkl/foot
- home-manager.users.caspervk = {
- programs.foot = {
- enable = true;
- # https://man.archlinux.org/man/foot.ini.5.en
- settings = {
- main = {
- font = "monospace:size=10.25";
- letter-spacing = "1";
- };
- scrollback = {
- lines = 10000;
- };
- colors = {
- # https://alacritty.org/config-alacritty.html
- foreground = "d8d8d8";
- background = "181818";
- regular0 = "181818"; # black
- regular1 = "ac4242"; # red
- regular2 = "90a959"; # green
- regular3 = "f4bf75"; # yellow
- regular4 = "6a9fb5"; # blue
- regular5 = "aa759f"; # magenta
- regular6 = "75b5aa"; # cyan
- regular7 = "d8d8d8"; # white
- bright0 = "6b6b6b"; # black
- bright1 = "c55555"; # red
- bright2 = "aac474"; # green
- bright3 = "feca88"; # yellow
- bright4 = "82b8c8"; # blue
- bright5 = "c28cb8"; # magenta
- bright6 = "93d3c3"; # cyan
- bright7 = "f8f8f8"; # white
- dim0 = "0f0f0f"; # black
- dim1 = "712b2b"; # red
- dim2 = "5f6f3a"; # green
- dim3 = "a17e4d"; # yellow
- dim4 = "456877"; # blue
- dim5 = "704d68"; # magenta
- dim6 = "4d7770"; # cyan
- dim7 = "8e8e8e"; # white
- };
- key-bindings = {
- # HOW is this not the default?
- scrollback-home = "Shift+Home";
- scrollback-end = "Shift+End";
- # Pipe last command's output to the clipboard. Requires fish
- # integration, configured in modules/base/fish.nix.
- pipe-command-output = "[wl-copy] Control+Shift+g";
- };
+ programs.foot = {
+ enable = true;
+ # https://man.archlinux.org/man/foot.ini.5.en
+ settings = {
+ main = {
+ font = "monospace:size=10.25";
+ letter-spacing = "1";
+ };
+ scrollback = {
+ lines = 10000;
+ };
+ colors = {
+ # https://alacritty.org/config-alacritty.html
+ foreground = "d8d8d8";
+ background = "181818";
+ regular0 = "181818"; # black
+ regular1 = "ac4242"; # red
+ regular2 = "90a959"; # green
+ regular3 = "f4bf75"; # yellow
+ regular4 = "6a9fb5"; # blue
+ regular5 = "aa759f"; # magenta
+ regular6 = "75b5aa"; # cyan
+ regular7 = "d8d8d8"; # white
+ bright0 = "6b6b6b"; # black
+ bright1 = "c55555"; # red
+ bright2 = "aac474"; # green
+ bright3 = "feca88"; # yellow
+ bright4 = "82b8c8"; # blue
+ bright5 = "c28cb8"; # magenta
+ bright6 = "93d3c3"; # cyan
+ bright7 = "f8f8f8"; # white
+ dim0 = "0f0f0f"; # black
+ dim1 = "712b2b"; # red
+ dim2 = "5f6f3a"; # green
+ dim3 = "a17e4d"; # yellow
+ dim4 = "456877"; # blue
+ dim5 = "704d68"; # magenta
+ dim6 = "4d7770"; # cyan
+ dim7 = "8e8e8e"; # white
+ };
+ key-bindings = {
+ # HOW is this not the default?
+ scrollback-home = "Shift+Home";
+ scrollback-end = "Shift+End";
+ # Pipe last command's output to the clipboard. Requires fish
+ # integration, configured in modules/base/fish.nix.
+ pipe-command-output = "[wl-copy] Control+Shift+g";
 };
 };
 };
diff --git a/modules/desktop/programs.nix b/modules/desktop/programs.nix
index 14936cc..50e3c5e 100644
--- a/modules/desktop/programs.nix
+++ b/modules/desktop/programs.nix
@@ -1,7 +1,5 @@
 {
- home-manager,
 lib,
- nixpkgs,
 pkgs,
 ...
 }: {
@@ -13,7 +11,6 @@
 aspellDicts.da
 aspellDicts.en
 aspellDicts.en-computers
- aspellDicts.en-science
 black
 element-desktop
 firefox-wayland
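Review bot: With `{...}: {` and `programs.foot = {` now at the top level, this file has become a home-manager module rather than a NixOS one, but nothing in the file says so, and the import site that changed with it is not in this diff. Anyone who later adds it to a NixOS `imports` list would most likely get an error that `programs.foot` is not a known option, with no hint that the file belongs on the home-manager side. I would extend the header comment: `# Terminal emulator (home-manager module: import from the home-manager side, e.g. home-manager.users.caspervk.imports, not the NixOS module list)`.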
@@ -50,16 +47,12 @@ "steam" "steam-original" "steam-run" + "steam-unwrapped" "terraform" ]; home-manager.users.caspervk = { home.sessionVariables = { - # The firefox-wayland package works with wayland without any further - # configuration, but tor-browser doesn't. - # TODO: remove when tor browser is based on firefox v121. - # https://www.mozilla.org/en-US/firefox/121.0/releasenotes/ - MOZ_ENABLE_WAYLAND = 1; # https://wiki.archlinux.org/title/Sway#Java_applications _JAVA_AWT_WM_NONREPARENTING = 1; # https://wiki.nixos.org/wiki/Wayland diff --git a/modules/desktop/sway.nix b/modules/desktop/sway.nix index d9f72a9..9e5284f 100644 --- a/modules/desktop/sway.nix +++ b/modules/desktop/sway.nix @@ -1,5 +1,4 @@ { - home-manager, lib, pkgs, ...