flake.lock: Update

Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/90055d5e616bd943795d38808c94dbf0dd35abe8' (2024-04-13) → 'github:NixOS/nixpkgs/53a2c32bc66f5ae41a28d7a9a49d321172af621e' (2024-04-15) • Updated input 'secrets': 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=fe08a4769ba195e2ee515967d33a520c8692420c' (2024-04-09) → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=17e318fd2ae0272999e89a43279298517b9444b4' (2024-04-15)
knot-resolver: chill cache size
2024-04-16 02:32:51 +02:00 · 2024-04-16 02:32:51 +02:00 · 2024-04-16 02:32:51 +02:00
4 changed files with 19 additions and 11 deletions
--- a/flake.lock
+++ b/flake.lock
@ -120,11 +120,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1713013257,
-        "narHash": "sha256-ZEfGB3YCBVggvk0BQIqVY7J8XF/9jxQ68fCca6nib+8=",
+        "lastModified": 1713145326,
+        "narHash": "sha256-m7+IWM6mkWOg22EC5kRUFCycXsXLSU7hWmHdmBfmC3s=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "90055d5e616bd943795d38808c94dbf0dd35abe8",
+        "rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
        "type": "github"
      },
      "original": {
@ -165,11 +165,11 @@
    },
    "secrets": {
      "locked": {
-        "lastModified": 1712706448,
-        "narHash": "sha256-ekO1azljI9rKc5u+cRp+33Xe8VVxvDxxseXFvtypHI8=",
+        "lastModified": 1713224959,
+        "narHash": "sha256-WnZVnnu1L/PyODRrjwU/K4xcJx4HlCX72Dm3KBzgSA0=",
        "ref": "refs/heads/master",
-        "rev": "fe08a4769ba195e2ee515967d33a520c8692420c",
-        "revCount": 16,
+        "rev": "17e318fd2ae0272999e89a43279298517b9444b4",
+        "revCount": 17,
        "type": "git",
        "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
      },
--- a/hosts/alpha/acme.nix
+++ b/hosts/alpha/acme.nix
@ -1,10 +1,14 @@
-{...}: {
+{lib, ...}: {
  security.acme.certs."caspervk.net" = {
    domain = "*.caspervk.net";
    reloadServices = [
      "caddy.service"
      "murmur.service"
    ];
+    # The NixOS Caddy module is a little too clever and sets the cert's group
+    # to 'caddy', which means other services can't load it. This is not needed
+    # since we handle the group membership manually.
+    group = lib.mkForce "acme";
  };
  users.groups.acme.members = [
    "caddy"
--- a/hosts/delta/knot-resolver.nix
+++ b/hosts/delta/knot-resolver.nix
@ -46,9 +46,9 @@
        "${config.security.acme.certs."caspervk.net".directory}/key.pem"
      )
      -- Cache is stored in /var/cache/knot-resolver, which is mounted as
-      -- tmpfs. Allow using 90% of the partition for caching.
+      -- tmpfs. Allow using 75% of the partition for caching.
      -- https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html
-      cache.size = math.floor(cache.fssize() * 0.9)
+      cache.size = math.floor(cache.fssize() * 0.75)
      -- The predict module helps to keep the cache hot by prefetching
      -- records. Any time the resolver answers with records that are about to
      -- expire, they get refreshed.
--- a/hosts/sigma/acme.nix
+++ b/hosts/sigma/acme.nix
@ -1,9 +1,13 @@
-{...}: {
+{lib, ...}: {
  security.acme.certs."caspervk.net" = {
    domain = "*.caspervk.net";
    reloadServices = [
      "caddy.service"
    ];
+    # The NixOS Caddy module is a little too clever and sets the cert's group
+    # to 'caddy', which means other services can't load it. This is not needed
+    # since we handle the group membership manually.
+    group = lib.mkForce "acme";
  };
  users.groups.acme.members = [
    "caddy"