Merge pull request #22 from privatevoid-net/platforn-22.05

Platforn 22.05
2022-05-31 09:23:40 +02:00 · 2022-05-31 09:23:40 +02:00 · 8f60df5a87
commit 8f60df5a87
parent a496f5311b 1912e63456
15 changed files with 89 additions and 120 deletions
--- a/flake.lock
+++ b/flake.lock
@ -86,11 +86,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1653308769,
-        "narHash": "sha256-9bylbRkrmaUiYYjcVLd0JyvqpKveOUw5q2mBf2+pR0c=",
+        "lastModified": 1653917170,
+        "narHash": "sha256-FyxOnEE/V4PNEcMU62ikY4FfYPo349MOhMM97HS0XEo=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "a00abaeb902ff568f9542d4b6f335e3a4db5c548",
+        "rev": "fc7a3e3adde9bbcab68af6d1e3c6eb738e296a92",
        "type": "github"
      },
      "original": {
@ -114,11 +114,11 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1653135531,
-        "narHash": "sha256-pYwJrEQrG8BgeVcI+lveK3KbOBDx9MT28HxV09v+jgI=",
+        "lastModified": 1653944295,
+        "narHash": "sha256-xoFmfL71JS/wP5SvkupqDB7SNhDFmb77dyiyniNAwYs=",
        "owner": "nix-community",
        "repo": "dream2nix",
-        "rev": "4b3dfb101fd2fdbe25bd128072f138276aa4bc82",
+        "rev": "ca7f4d0a7fb79813b446ebce097c3db538b37b8c",
        "type": "github"
      },
      "original": {
@ -313,11 +313,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1653740649,
-        "narHash": "sha256-3kZc+D03J+Uleftpdv5BuBogwkc45zvhDte/AI0BvaI=",
+        "lastModified": 1653841712,
+        "narHash": "sha256-XBF4i1MuIRAEbFpj3Z3fVaYxzNEsYapyENtw3vG+q1I=",
        "owner": "hercules-ci",
        "repo": "hercules-ci-effects",
-        "rev": "6d99ef9727b1327ec7eb6fa2055b74bd88ea4709",
+        "rev": "e14d2131b7c81acca3904b584ac45fb72da64dd2",
        "type": "github"
      },
      "original": {
@ -333,11 +333,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1653518057,
-        "narHash": "sha256-cam3Nfae5ADeEs6mRPzr0jXB7+DhyMIXz0/0Q13r/yk=",
+        "lastModified": 1653943687,
+        "narHash": "sha256-xXW9t24HLf89+n/92kOqRRfOBE3KDna+9rAOefs5WSQ=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "64831f938bd413cefde0b0cf871febc494afaa4f",
+        "rev": "8f3e26705178cc8c1d982d37d881fc0d5b5b1837",
        "type": "github"
      },
      "original": {
@ -482,17 +482,15 @@
    "nix-super": {
      "inputs": {
        "lowdown-src": "lowdown-src_2",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
+        "nixpkgs": "nixpkgs_5",
        "nixpkgs-regression": "nixpkgs-regression"
      },
      "locked": {
-        "lastModified": 1652724099,
-        "narHash": "sha256-w9GhILEhu8EdIH1+PnDOT9qWESB8wgbaP2gdIqHPfjk=",
+        "lastModified": 1653842047,
+        "narHash": "sha256-rm8OIwU0+V9KMooDvj4Hdwio5MWjAn6CvdM3MU2tGhk=",
        "ref": "refs/heads/master",
-        "rev": "2e3c7f0fed04ddcaec3116a82f226927b243b527",
-        "revCount": 12055,
+        "rev": "c6087c318fbc238269487ec3feee3d6ad762aee7",
+        "revCount": 12253,
        "type": "git",
        "url": "https://git.privatevoid.net/max/nix-super-fork"
      },
@ -581,16 +579,31 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1653653155,
-        "narHash": "sha256-zeKfULtxT5f7yDHhg7awVhVEsTsMNGNS2/7xlymUIFU=",
+        "lastModified": 1645296114,
+        "narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "13c15a84ffa02c5dd288f2398cd6eaf107d16dc5",
+        "rev": "530a53dcbc9437363471167a5e4762c5fcfa34a1",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-21.05-small",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1653948565,
+        "narHash": "sha256-jYfs8TQw/xRKOGg7NV+hVEZfYAVnqk4yEKhw111N4h4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7c1e79e294fe1be3cacb6408e3983bf2836c818e",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-21.11-small",
+        "ref": "nixos-22.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -688,24 +701,7 @@
        "mms": "mms",
        "nar-serve": "nar-serve",
        "nix-super": "nix-super",
-        "nixpkgs": "nixpkgs_5",
-        "unstable": "unstable"
-      }
-    },
-    "unstable": {
-      "locked": {
-        "lastModified": 1653750779,
-        "narHash": "sha256-yQ5bsgAnUMS/MB2uRi+RANcXtlNENYp5+CZNvDVGxFo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "fa66e6d444f37c80d973d75fd3e0d28e286d8ea4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
-        "repo": "nixpkgs",
-        "type": "github"
+        "nixpkgs": "nixpkgs_6"
      }
    },
    "utils": {
--- a/flake.nix
+++ b/flake.nix
@ -2,11 +2,9 @@
  description = "Private Void system configurations";

  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11-small";
-    unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05-small";

    nix-super.url = "git+https://git.privatevoid.net/max/nix-super-fork";
-    nix-super.inputs.nixpkgs.follows = "nixpkgs";

    home-manager.url = "github:nix-community/home-manager/master";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
--- a/hosts/VEGAS/modules/database/default.nix
+++ b/hosts/VEGAS/modules/database/default.nix
@ -10,7 +10,7 @@

  services.mysql = {
    enable = true;
-    bind = "127.0.0.1";
+    settings.mysqld.bind-address = "127.0.0.1";
    package = pkgs.mariadb;
    dataDir = "/srv/storage/database/mariadb/data";
  };
--- a/hosts/VEGAS/modules/nginx/default.nix
+++ b/hosts/VEGAS/modules/nginx/default.nix
@ -6,7 +6,7 @@ in
  with tools.nginx.vhosts;
  with tools.nginx.mappers;
 {
-  security.acme.email = adminEmail;
+  security.acme.defaults.email = adminEmail;
  security.acme.acceptTerms = true;
  services.nginx = {
    enable = true;
--- a/hosts/VEGAS/modules/redis/default.nix
+++ b/hosts/VEGAS/modules/redis/default.nix
@ -1,5 +1,5 @@
 {
-  services.redis = {
+  services.redis.servers.default = {
    enable = true;
  };
 }
--- a/hosts/VEGAS/services/api/default.nix
+++ b/hosts/VEGAS/services/api/default.nix
@ -6,6 +6,9 @@ let
  proxy = tools.nginx.vhosts.proxy proxyTarget;
 in
 {
+  # n8n uses "Sustainable Use License"
+  nixpkgs.config.allowUnfree = true;
+
  reservePortsFor = [ "api" ];

  services.n8n = {
--- a/hosts/VEGAS/services/matrix/default.nix
+++ b/hosts/VEGAS/services/matrix/default.nix
@ -3,7 +3,7 @@ let
  inherit (tools.meta) domain;
  listener = {
    port = 8008;
-    bind_address = "127.0.0.1";
+    bind_addresses = lib.singleton "127.0.0.1";
    type = "http";
    tls = false;
    x_forwarded = true;
@ -22,27 +22,6 @@ let
    "im.vector.riot.jitsi".preferredDomain = config.services.jitsi-meet.hostName;
  };
  clientConfigJSON = pkgs.writeText "matrix-client-config.json" (builtins.toJSON clientConfig);
-  extraConfig = {
-    experimental_features.spaces_enabled = true;
-    federation_ip_range_blacklist = cfg.url_preview_ip_range_blacklist;
-    admin_contact = "mailto:admins@${domain}";
-    max_upload_size = "32M";
-    max_spider_size = "10M";
-    emable_registration = true;
-    allow_guest_access = true;
-    push.include_content = true;
-    group_creation_prefix = "unofficial/";
-    app_service_config_files =  [
-      "/etc/synapse/discord-registration.yaml"
-    ];
-    turn_uris = let
-      combinations = lib.cartesianProductOfSets {
-        proto = [ "udp" "tcp" ];
-        scheme = [ "turns" "turn" ];
-      };
-      makeTurnServer = x: "${x.scheme}:turn.${domain}?transport=${x.proto}";
-    in map makeTurnServer combinations;
-  };
  cfg = config.services.matrix-synapse;
 in {
  imports = [
@ -82,27 +61,44 @@ in {
    enable = true;
    plugins = [ pkgs.matrix-synapse-plugins.matrix-synapse-ldap3 ];

-    server_name = domain;
-    listeners = lib.singleton listener;
+    settings = {
+      server_name = domain;
+      listeners = lib.singleton listener;
+      url_preview_enabled = true;
+      experimental_features.spaces_enabled = true;
+      admin_contact = "mailto:admins@${domain}";
+      max_upload_size = "32M";
+      max_spider_size = "10M";
+      emable_registration = true;
+      allow_guest_access = true;
+      push.include_content = true;
+      group_creation_prefix = "unofficial/";
+      app_service_config_files =  [
+        "/etc/synapse/discord-registration.yaml"
+      ];
+      turn_uris = let
+        combinations = lib.cartesianProductOfSets {
+          proto = [ "udp" "tcp" ];
+          scheme = [ "turns" "turn" ];
+        };
+        makeTurnServer = x: "${x.scheme}:turn.${domain}?transport=${x.proto}";
+      in map makeTurnServer combinations;
+    };

-    url_preview_enabled = true;
-
-    extraConfigFiles = [
-      (pkgs.writeText "synapse-extra-config.yaml" (builtins.toJSON extraConfig))
-    ] ++ (map (x: config.age.secrets.${x}.path) [
+    extraConfigFiles = map (x: config.age.secrets.${x}.path) [
      "synapse-ldap"
      "synapse-db"
      "synapse-turn"
      "synapse-keys"
-    ]); 
+    ]; 
  };

  services.nginx.virtualHosts = tools.nginx.mappers.mapSubdomains {
    matrix = tools.nginx.vhosts.basic // {
      locations."/".return = "204";
      locations."/_matrix" = {
-        proxyPass = with listener; "${type}://${bind_address}:${builtins.toString port}";
-        extraConfig = "client_max_body_size ${extraConfig.max_upload_size};";
+        proxyPass = "http://127.0.0.1:8008";
+        extraConfig = "client_max_body_size ${cfg.settings.max_upload_size};";
      };
      locations."= /.well-known/matrix/client".alias = clientConfigJSON;
    };
--- a/hosts/VEGAS/services/nextcloud/default.nix
+++ b/hosts/VEGAS/services/nextcloud/default.nix
@ -18,7 +18,7 @@ in
    };
  };
  services.nextcloud = {
-    package = pkgs.nextcloud23;
+    package = pkgs.nextcloud24;
    enable = true;
    https = true;
    hostName = "storage.${tools.meta.domain}";
--- a/hosts/VEGAS/services/sso/default.nix
+++ b/hosts/VEGAS/services/sso/default.nix
@ -17,29 +17,25 @@ in
    mode = "0400";
  };
  services.nginx.virtualHosts = { 
-    "${login}" = lib.recursiveUpdate (vhosts.proxy "http://${cfg.bindAddress}:${config.portsStr.keycloak}") {
+    "${login}" = lib.recursiveUpdate (vhosts.proxy "http://${cfg.settings.http-host}:${config.portsStr.keycloak}") {
      locations."= /".return = "302 /auth/realms/master/account/";
    };
    "account.${domain}" = vhosts.redirect "https://${login}/auth/realms/master/account/";
  };
  services.keycloak = {
    enable = true;
-    frontendUrl = "https://${login}/auth";
-    bindAddress = "127.0.0.1";
-    httpPort = config.portsStr.keycloak;
    database = {
      createLocally = true;
      type = "postgresql";
      passwordFile = config.age.secrets.keycloak-dbpass.path;
    };
-    extraConfig = {
-      "subsystem=undertow" = {
-        "server=default-server" = {
-          "http-listener=default" = {
-            proxy-address-forwarding = true;
-          };
-        };
-      };
+    settings = {
+      http-host = "127.0.0.1";
+      http-port = config.ports.keycloak;
+      hostname = login;
+      proxy = "edge";
+      # for backcompat, TODO: remove
+      http-relative-path = "/auth";
    };
  };
 }
--- a/hosts/prophet/modules/nginx/default.nix
+++ b/hosts/prophet/modules/nginx/default.nix
@ -6,7 +6,7 @@ in
  with tools.nginx.vhosts;
  with tools.nginx.mappers;
 {
-  security.acme.email = adminEmail;
+  security.acme.defaults.email = adminEmail;
  security.acme.acceptTerms = true;
  services.nginx = {
    enable = true;
--- a/modules/autopatch/default.nix
+++ b/modules/autopatch/default.nix
@ -17,10 +17,6 @@

        jre_headless = patched.jre17_standard;

-      } // lib.optionalAttrs config.krb5.enable {
-        bind = patched.kerberized-bind;
-        dnsutils = patched.kerberized-dnsutils;
-        dig = patched.kerberized-dig;
      })
    )
  ];
--- a/packages/dream2nix-overrides/nodejs/default.nix
+++ b/packages/dream2nix-overrides/nodejs/default.nix
@ -21,7 +21,7 @@ let
      repo = "libvips";
      rev = "v8.12.2";
      sha256 = "sha256-ffDJJWe/SzG+lppXEiyfXXL5KLdZgnMjv1SYnuYnh4c=";
-      extraPostFetch = ''
+      postFetch = ''
        rm -r $out/test/test-suite/images/
      '';
    };
--- a/packages/patched-derivations.nix
+++ b/packages/patched-derivations.nix
@ -1,14 +1,7 @@
 let tools = import ./lib/tools.nix;
 in with tools;
 super: rec {
-  kerberized-bind = super.bind.overrideAttrs (attrs: {
-    configureFlags = attrs.configureFlags ++ [ "--with-gssapi=${super.krb5.dev}" ];
-    buildInputs = attrs.buildInputs ++ [ super.krb5 ];
-  });
-  kerberized-dnsutils = kerberized-bind.dnsutils;
-  kerberized-dig = kerberized-bind.dnsutils;
-
-  hydra = (patch super.hydra-unstable "patches/base/hydra").override { nix = super.nix_2_4; };
+  hydra = (patch super.hydra-unstable "patches/base/hydra").override { nix = super.nixVersions.nix_2_8; };

  lain-ipfs = patch-rename (super.ipfs_latest or super.ipfs) "lain-ipfs" "patches/base/ipfs";

--- a/packages/projects.nix
+++ b/packages/projects.nix
@ -60,16 +60,7 @@ in
      meta.mainProgram = "reflex";
    };

-    searxng = let
-      scope = pkgs.python3Packages.overrideScope (final: prev: let
-        pullDownPackages = pypkgs: lib.genAttrs pypkgs (pkgName:
-          final.callPackage  "${unstable}/pkgs/development/python-modules/${pkgName}/default.nix" {}
-        );
-      in pullDownPackages [ "httpcore" "httpx" "httpx-socks" "h2" "python-socks" "socksio" ]);
-    in pkgs.callPackage ./web-apps/searxng rec {
-      python3Packages = scope;
-      inherit pins;
-    };
+    searxng = pkgs.callPackage ./web-apps/searxng { inherit pins; };

    sips = pkgs.callPackage ./servers/sips { };

--- a/patches/base/ipfs/ipfs-unsafe-allow-all-paths-for-filestore.patch
+++ b/patches/base/ipfs/ipfs-unsafe-allow-all-paths-for-filestore.patch
@ -1,12 +1,12 @@
 diff --git a/vendor/github.com/ipfs/go-filestore/fsrefstore.go b/vendor/github.com/ipfs/go-filestore/fsrefstore.go
-index 19927e0..7ff13aa 100644
+index 9eb2b43..43e336c 100644
 --- a/vendor/github.com/ipfs/go-filestore/fsrefstore.go
 +++ b/vendor/github.com/ipfs/go-filestore/fsrefstore.go
-@@ -281,9 +281,6 @@ func (f *FileManager) putTo(b *posinfo.FilestoreNode, to putter) error {
- 		if !f.AllowFiles {
+@@ -291,9 +291,6 @@ func (f *FileManager) putTo(ctx context.Context, b *posinfo.FilestoreNode, to pu
 			return ErrFilestoreNotEnabled
 		}
-		if !filepath.HasPrefix(b.PosInfo.FullPath, f.root) { //nolint:staticcheck
+ 		//lint:ignore SA1019 // ignore staticcheck
+-		if !filepath.HasPrefix(b.PosInfo.FullPath, f.root) {
 -			return fmt.Errorf("cannot add filestore references outside ipfs root (%s)", f.root)
 -		}