nixos 24.11

2024-12-04 00:34:25 +01:00 · 2024-12-04 00:34:25 +01:00 · 8408c59b79
commit 8408c59b79
parent 5a3ced21b7
26 changed files with 166 additions and 202 deletions
--- a/README.md
+++ b/README.md
@ -137,7 +137,7 @@ nixos-install --no-root-passwd --flake .#omega
 ### Upgrading
 Nixpkgs uses `stateVersion` so sparingly that auditing the entire nixpkgs repo
 is [easy
-enough](https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/NixOS/nixpkgs%24+lang:Nix+stateVersion+AND+24.05&patternType=keyword&sm=0).
+enough](https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/NixOS/nixpkgs%24+lang:Nix+stateVersion+AND+24.11&patternType=keyword&sm=0).
 Important changes to home-manager is available at
 <https://nix-community.github.io/home-manager/release-notes.xhtml> and
 <https://github.com/nix-community/home-manager/blob/master/modules/misc/news.nix>.
--- a/flake.nix
+++ b/flake.nix
@ -6,7 +6,7 @@
      url = "git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git";
    };
    nixpkgs = {
-      url = "github:NixOS/nixpkgs/nixos-24.05";
+      url = "github:NixOS/nixpkgs/nixos-24.11";
    };
    nixpkgs-unstable = {
      url = "github:NixOS/nixpkgs/nixos-unstable";
@ -32,7 +32,7 @@
      inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
    };
    home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
    };
    home-manager-unstable = {
@ -40,6 +40,7 @@
      inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
    };
    simple-nixos-mailserver = {
      # TODO: upgrade to 24.11
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
      inputs.nixpkgs.follows = "nixpkgs"; # use the same nixpkgs as the system
    };
--- a/hosts/alpha/default.nix
+++ b/hosts/alpha/default.nix
@ -29,7 +29,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
@ -38,5 +38,5 @@
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
-  home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment?
+  home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/alpha/network.nix
+++ b/hosts/alpha/network.nix
@ -13,14 +13,12 @@
        "2a01:4f8:c2c:71c0::/64"
      ];
      routes = [
-        {routeConfig = {Destination = "172.31.1.1";};}
+        {Destination = "172.31.1.1";}
        {
          routeConfig = {
          Gateway = "172.31.1.1";
          GatewayOnLink = true;
          };
        }
-        {routeConfig = {Gateway = "fe80::1";};}
+        {Gateway = "fe80::1";}
      ];
      # Enable proxy ARP to answer ARP requests for the floating IP addresses,
      # intended for the wireguard peers, from Hetzner's router. Without this,
@ -42,14 +40,12 @@
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
          PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
          PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
          # Add to the main routing table that traffic for the address should
          # be sent to sigma.
          AllowedIPs = ["49.13.33.75/32"];
          RouteTable = "main";
          };
        }
      ];
    };
@ -71,12 +67,10 @@
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
          PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
          PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
          AllowedIPs = ["${secrets.hosts.alpha.sigma-p2p-ip-address}/32"];
          RouteTable = "main";
          };
        }
      ];
    };
--- a/hosts/delta/default.nix
+++ b/hosts/delta/default.nix
@ -25,7 +25,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
@ -34,5 +34,5 @@
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
-  home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment?
+  home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/delta/network.nix
+++ b/hosts/delta/network.nix
@ -11,14 +11,12 @@
        "2a01:4f8:1c0c:70d1::1/64"
      ];
      routes = [
-        {routeConfig = {Destination = "172.31.1.1";};}
+        {Destination = "172.31.1.1";}
        {
          routeConfig = {
          Gateway = "172.31.1.1";
          GatewayOnLink = true;
          };
        }
-        {routeConfig = {Gateway = "fe80::1";};}
+        {Gateway = "fe80::1";}
      ];
    };
  };
--- a/hosts/mu/default.nix
+++ b/hosts/mu/default.nix
@ -27,7 +27,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
@ -36,5 +36,5 @@
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
-  home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment?
+  home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/omega/default.nix
+++ b/hosts/omega/default.nix
@ -26,7 +26,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
@ -35,5 +35,5 @@
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
-  home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment?
+  home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/omega/hardware.nix
+++ b/hosts/omega/hardware.nix
@ -54,8 +54,12 @@
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  # GPU
-  hardware.amdgpu.amdvlk = {
+  hardware.amdgpu = {
    amdvlk = {
      enable = true;
      support32Bit.enable = true;
      supportExperimental.enable = true;
    };
    opencl.enable = true;
  };
 }
--- a/hosts/sigma/default.nix
+++ b/hosts/sigma/default.nix
@ -39,7 +39,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
@ -48,5 +48,5 @@
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
-  home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment?
+  home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/sigma/deluge.nix
+++ b/hosts/sigma/deluge.nix
@ -46,8 +46,8 @@
  # Only allow deluged internet access through wg-sigma-p2p. Note that this
  # does not tell it to use the correct routing table. For proper internet
-  # access, the correct routing table is also configured by
+  # access, the correct routing table is also configured by routingPolicyRules
-  # routingPolicyRuleConfig in networking.nix.
+  # in networking.nix.
  systemd.services.deluged = {
    serviceConfig = {
      RestrictNetworkInterfaces = "lo wg-sigma-p2p";
--- a/hosts/sigma/forgejo.nix
+++ b/hosts/sigma/forgejo.nix
@ -9,6 +9,8 @@
  # https://wiki.nixos.org/wiki/Forgejo
  services.forgejo = {
    enable = true;
    # NixOS defaults to forgejo-lts
    package = pkgs.forgejo;
    # Run Forgejo under git:git for better ssh clone urls.
    user = "git";
    group = "git";
--- a/hosts/sigma/mail.nix
+++ b/hosts/sigma/mail.nix
@ -82,7 +82,7 @@
  # Only allow mail delivery through wg-sigma-public. Note that this does not
  # tell it to use the correct routing table. For proper internet access, the
-  # correct routing table is also configured by routingPolicyRuleConfig in
+  # correct routing table is also configured by routingPolicyRules in
  # networking.nix. lan0 is additionally allowed to enable mail submission from
  # lan hosts.
  systemd.services.postfix = {
--- a/hosts/sigma/matrix.nix
+++ b/hosts/sigma/matrix.nix
@ -51,16 +51,6 @@
    };
  };
  # https://github.com/matrix-org/sliding-sync
  services.matrix-sliding-sync = {
    # Unlike matrix-synapse, sliding-sync has createDatabase=true by default,
    # which means we don't have to configure the database in the postgres
    # service manually.
    enable = true;
    settings.SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl;
    environmentFile = config.age.secrets.matrix-sliding-sync-environment-file.path;
  };
  services.postgresql = {
    ensureDatabases = [
      # matrix-synapse expects the database to have the options `LC_COLLATE`
@ -91,11 +81,4 @@
      }
    ];
  };
  age.secrets.matrix-sliding-sync-environment-file = {
    file = "${secrets}/secrets/matrix-sliding-sync-environment-file.age";
    mode = "400";
    owner = "root";
    group = "root";
  };
 }
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
@ -71,26 +71,23 @@
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
          PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
          PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
-            # Explicit IPv4 address of alpha.caspervk.net to avoid attempting
+          # Explicit IPv4 address of alpha.caspervk.net to avoid attempting to
-            # to (re)connect through IPv6(??).
+          # (re)connect through IPv6(??).
          Endpoint = "116.203.179.206:51820";
          # Keep NAT mappings and stateful firewalls open at the ISP
          PersistentKeepalive = 25;
          # AllowedIPs is both an ACL for incoming traffic, as well as a
          # routing table specifying to which peer outgoing traffic should be
          # sent. We want to allow incoming traffic from any address on the
-            # internet (routed through alpha), but only replies to this should
+          # internet (routed through alpha), but only replies to this should be
-            # be routed back over wireguard. Unlike if we had used NAT, IP
+          # routed back over wireguard. Unlike if we had used NAT, IP routes
-            # routes are stateless, so we have no notion of "replies". Instead,
+          # are stateless, so we have no notion of "replies". Instead, we add
-            # we add these routes to a specific routing table and configure a
+          # these routes to a specific routing table and configure a routing
-            # routing policy rule to only use it for packets being sent as the
+          # policy rule to only use it for packets being sent as the public IP.
            # public IP.
          AllowedIPs = ["0.0.0.0/0"];
          RouteTable = "wg-sigma-public";
          };
        }
      ];
    };
@ -102,30 +99,24 @@
          # Allow hosts on the local network to contact us directly on the
          # public address instead of routing the packet through Wireguard and
          # back again.
          routingPolicyRuleConfig = {
          Priority = 10;
          To = "192.168.0.0/24";
          Table = "main";
          };
        }
        {
          # The postfix systemd service has
          # RestrictNetworkInterfaces=wg-sigma-public, but that does not tell
          # it to use the correct routing table. You can check that this works
          # as expected using `sudo -u postfix curl ip.caspervk.net`.
          routingPolicyRuleConfig = {
          Priority = 100;
          User = config.services.postfix.user;
          Table = "wg-sigma-public";
          };
        }
        {
          # See the AllowedIPs comment above for why this is necessary
          routingPolicyRuleConfig = {
          Priority = 1000;
          From = "49.13.33.75/32";
          Table = "wg-sigma-public";
          };
        }
      ];
    };
@ -144,16 +135,14 @@
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
          PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM=";
          PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
-            # Explicit IPv4 address of alpha.caspervk.net to avoid attempting
+          # Explicit IPv4 address of alpha.caspervk.net to avoid attempting to
-            # to (re)connect through IPv6(??).
+          # (re)connect through IPv6(??).
          Endpoint = "116.203.179.206:51821";
          PersistentKeepalive = 25;
          AllowedIPs = ["0.0.0.0/0"];
          RouteTable = "wg-sigma-p2p";
          };
        }
      ];
    };
@ -166,18 +155,14 @@
          # RestrictNetworkInterfaces=wg-sigma-p2p, but that does not tell it
          # to use the correct routing table. You can check that this works as
          # expected using `sudo -u deluge curl ip.caspervk.net`.
          routingPolicyRuleConfig = {
          Priority = 100;
          User = config.services.deluge.user;
          Table = "wg-sigma-p2p";
          };
        }
        {
          routingPolicyRuleConfig = {
          Priority = 1000;
          From = "${secrets.hosts.sigma.sigma-p2p-ip-address}/32";
          Table = "wg-sigma-p2p";
          };
        }
      ];
    };
--- a/hosts/sigma/postgresql.nix
+++ b/hosts/sigma/postgresql.nix
@ -5,6 +5,7 @@
  services.postgresql = {
    enable = true;
    # https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading
    # https://wiki.nixos.org/wiki/PostgreSQL#Major_upgrades
    package = pkgs.postgresql_16;
  };
--- a/hosts/sigma/samba.nix
+++ b/hosts/sigma/samba.nix
@ -24,26 +24,27 @@
    # Disable discovery: don't reply to NetBIOS over IP name service requests
    # or participate in the browsing protocols which make up the Windows
    # “Network Neighborhood” view.
-    enableNmbd = false;
+    nmbd.enable = false;
    # Disable Samba’s winbindd, which provides a number of services to the Name
    # Service Switch capability found in most modern C libraries, to arbitrary
    # applications via PAM and ntlm_auth and to Samba itself.
-    enableWinbindd = false;
+    winbindd.enable = false;
    # https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
-    extraConfig = ''
+    settings = {
-      # Only allow local access. This should also be enforced by the firewall.
+      global = {
-      hosts deny ALL
+        # Only allow local access. This should also be enforced by the
-      hosts allow = 192.168.0.0/16 127.0.0.1 localhost
+        # firewall.
        "hosts deny" = "ALL";
        "hosts allow" = "192.168.0.0/16 127.0.0.1 localhost";
        # Use user and group information from TDB database.
        # The age-encrypted database is created by setting in the config
        # > passdb backend = passdb backend = tdbsam:/tmp/samba-password-database
        # and running
        # > sudo pdbedit --create --user=caspervk
-      passdb backend = tdbsam:${config.age.secrets.samba-password-database.path}
+        "passdb backend" = "tdbsam:${config.age.secrets.samba-password-database.path}";
-      # Allow Windows clients to run .exe's
+        # Allow Windows clients to run .exes
-      acl allow execute always = True
+        "acl allow execute always" = true;
-    '';
+      };
    shares = {
      downloads = {
        path = "/srv/torrents/downloads";
        # Use the 'torrent' group for access for all users connecting
--- a/hosts/sigma/sonarr.nix
+++ b/hosts/sigma/sonarr.nix
@ -18,6 +18,14 @@
    group = "torrent";
  };
  # https://github.com/NixOS/nixpkgs/issues/360592
  nixpkgs.config.permittedInsecurePackages = [
    "aspnetcore-runtime-6.0.36"
    "aspnetcore-runtime-wrapped-6.0.36"
    "dotnet-sdk-6.0.428"
    "dotnet-sdk-wrapped-6.0.428"
  ];
  environment.persistence."/nix/persist" = {
    directories = [
      {
--- a/hosts/tor/default.nix
+++ b/hosts/tor/default.nix
@ -24,7 +24,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
@ -33,5 +33,5 @@
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
-  home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment?
+  home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/hosts/tor/network.nix
+++ b/hosts/tor/network.nix
@ -19,8 +19,8 @@
        "2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b/64"
      ];
      routes = [
-        {routeConfig = {Gateway = "185.231.102.1";};}
+        {Gateway = "185.231.102.1";}
-        {routeConfig = {Gateway = "fe80::200:5eff:fe00:20c";};}
+        {Gateway = "fe80::200:5eff:fe00:20c";}
      ];
    };
  };
--- a/hosts/zeta/default.nix
+++ b/hosts/zeta/default.nix
@ -25,7 +25,7 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
  # This value determines the Home Manager release that your
  # configuration is compatible with. This helps avoid breakage
@ -34,5 +34,5 @@
  # You can update Home Manager without changing this value. See
  # the Home Manager release notes for a list of state version
  # changes in each release.
-  home-manager.users.caspervk.home.stateVersion = "24.05"; # Did you read the comment?
+  home-manager.users.caspervk.home.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@ -28,7 +28,7 @@
      auto-optimise-store = true;
      # Enable flakes
-      experimental-features = ["nix-command" "flakes" "repl-flake"];
+      experimental-features = ["nix-command" "flakes"];
      # Timeout connections to the binary cache instead of waiting forever
      connect-timeout = 5;
--- a/modules/desktop/docker.nix
+++ b/modules/desktop/docker.nix
@ -7,9 +7,6 @@
    enable = true;
    # Automatically `docker system prune` weekly
    autoPrune.enable = true;
    # Fix waiting for docker containers to exit on shutdown/reboot
    # https://discourse.nixos.org/t/docker-hanging-on-reboot/18270/4
    liveRestore = false;
  };
  # Being a member of the docker group is effectively equivalent to being root,
--- a/modules/desktop/foot.nix
+++ b/modules/desktop/foot.nix
@ -1,7 +1,6 @@
-{home-manager, ...}: {
+{...}: {
  # Terminal emulator
  # https://codeberg.org/dnkl/foot
  home-manager.users.caspervk = {
  programs.foot = {
    enable = true;
    # https://man.archlinux.org/man/foot.ini.5.en
@ -52,5 +51,4 @@
      };
    };
  };
  };
 }
--- a/modules/desktop/programs.nix
+++ b/modules/desktop/programs.nix
@ -1,7 +1,5 @@
 {
  home-manager,
  lib,
  nixpkgs,
  pkgs,
  ...
 }: {
@ -13,7 +11,6 @@
    aspellDicts.da
    aspellDicts.en
    aspellDicts.en-computers
    aspellDicts.en-science
    black
    element-desktop
    firefox-wayland
@ -50,16 +47,12 @@
      "steam"
      "steam-original"
      "steam-run"
      "steam-unwrapped"
      "terraform"
    ];
  home-manager.users.caspervk = {
    home.sessionVariables = {
      # The firefox-wayland package works with wayland without any further
      # configuration, but tor-browser doesn't.
      # TODO: remove when tor browser is based on firefox v121.
      # https://www.mozilla.org/en-US/firefox/121.0/releasenotes/
      MOZ_ENABLE_WAYLAND = 1;
      # https://wiki.archlinux.org/title/Sway#Java_applications
      _JAVA_AWT_WM_NONREPARENTING = 1;
      # https://wiki.nixos.org/wiki/Wayland
--- a/modules/desktop/sway.nix
+++ b/modules/desktop/sway.nix
@ -1,5 +1,4 @@
 {
  home-manager,
  lib,
  pkgs,
  ...