Update to NixOS 24.05

2024-07-16 18:05:48 +02:00 · 2024-07-16 18:05:48 +02:00 · 8a901e7871
parent 3e87eec0eb
commit 8a901e7871
7 changed files with 106 additions and 51 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -1,4 +1,10 @@
-{ config, inputs, pkgs, lib, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:

 with pkgs;

@ -28,7 +34,10 @@ with pkgs;
  users.users.coolneng = {
    isNormalUser = true;
    home = "/home/coolneng";
-    extraGroups = [ "wheel" "docker" ];
+    extraGroups = [
+      "wheel"
+      "docker"
+    ];
    openssh.authorizedKeys.keys = [
      # panacea
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
@ -64,7 +73,10 @@ with pkgs;
  nix = {
    settings = {
      auto-optimise-store = true;
-      experimental-features = [ "nix-command" "flakes" ];
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
    };
    gc = {
      automatic = true;
@ -79,8 +91,14 @@ with pkgs;
  };

  # Use same version of nixpkgs for nix-shell
-  nix.nixPath = let path = toString ./.;
-  in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ];
+  nix.nixPath =
+    let
+      path = toString ./.;
+    in
+    [
+      "nixpkgs=${inputs.nixpkgs}"
+      "nixos-config=${path}/configuration.nix"
+    ];

  # Configure fish shell
  programs.fish.enable = true;
@ -158,11 +176,6 @@ with pkgs;
      owner = "mosquitto";
      group = "mosquitto";
    };
-    secrets.nightscout = {
-      file = secrets/nightscout.age;
-      owner = "coolneng";
-      group = "podman";
-    };
    secrets.facebook = {
      file = secrets/facebook.age;
      owner = "matrix-as-facebook";
@ -180,8 +193,10 @@ with pkgs;
  system.autoUpgrade = {
    enable = true;
    flake = "/home/coolneng/system";
-    flags =
-      [ "--update-input agenix --update-input nixpkgs" "--commit-lock-file" ];
+    flags = [
+      "--update-input agenix --update-input nixpkgs"
+      "--commit-lock-file"
+    ];
  };

  # Limit the memory and CPU use of Nix
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "System configuration for zion";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-23.11";
+    nixpkgs.url = "nixpkgs/nixos-24.05";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
    agenix = {
      url = "github:ryantm/agenix";
--- a/modules/containers.nix
+++ b/modules/containers.nix
@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 {
  # Podman setup
@ -15,8 +20,7 @@
      containers = {
        # Openbooks configuration
        openbooks = {
-          image =
-            "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
+          image = "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
          ports = [ "127.0.0.1:9000:80" ];
          cmd = [
            "--name"
@ -30,8 +34,7 @@
        };
        # Prometheus MQTT integration
        mqtt2prometheus = {
-          image =
-            "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
+          image = "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
          ports = [ "127.0.0.1:9641:9641" ];
          volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
        };
@ -68,4 +71,5 @@
    [ /vault/mongodb ];
  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
    [ /vault/mqtt2prometheus ];
+  systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
 }
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: {
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{

  # Syncthing configuration
  services.syncthing = {
@ -13,38 +19,48 @@
        progressUpdateIntervalS = -1;
      };
      devices = {
-        panacea.id =
-          "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX";
-        caravanserai.id =
-          "MIRF73R-S7AV47R-VLWZUK2-TFCVQPV-FRYCPND-Y4VR3W2-ZAIQXZD-JAEQCAD";
+        panacea.id = "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX";
+        caravanserai.id = "WETYK5O-DNMS75S-XJ76CZH-Z6JBQDX-YXLJ7AA-5PLZ4DI-HA6QNDI-BFUU7QM";
      };
      folders = {
        Documents = {
          id = "wusdj-bfjkr";
          type = "receiveonly";
          path = "/vault/syncthing/Documents";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };

        Notes = {
          id = "kafhz-bfmzm";
          type = "receiveonly";
          path = "/vault/syncthing/Notes";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };

        Music = {
          id = "2aqt7-vpprc";
          type = "receiveonly";
          path = "/vault/syncthing/Music";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };

        Photos = {
          id = "mjibc-ustcg";
          type = "receiveonly";
          path = "/vault/syncthing/Photos";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };

        Projects = {
@ -58,28 +74,40 @@
          id = "m2007j20cg_vc7r-photos";
          type = "receiveonly";
          path = "/vault/syncthing/Photos/Phone";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };

        Files = {
          id = "tsk52-u6rbk";
          type = "receiveonly";
          path = "/vault/syncthing/Files";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };

        Phone-screenshots = {
          id = "pp70r-pbr70";
          type = "receiveonly";
          path = "/vault/syncthing/Photos/Phone-screenshots";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };

        Audio = {
          id = "tarrs-5mxck";
          type = "receiveonly";
          path = "/vault/syncthing/Audio";
-          devices = [ "panacea" "caravanserai" ];
+          devices = [
+            "panacea"
+            "caravanserai"
+          ];
        };
      };
    };
@ -111,8 +139,7 @@
  };

  # Start services after ZFS mount
-  systemd.services.syncthing.unitConfig.RequiresMountsFor =
-    [ /vault/syncthing ];
+  systemd.services.syncthing.unitConfig.RequiresMountsFor = [ /vault/syncthing ];
  systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ];

 }
--- a/modules/information.nix
+++ b/modules/information.nix
@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 {
  # Miniflux configuration
@ -7,8 +12,7 @@
    adminCredentialsFile = config.age.secrets.miniflux.path;
    config = {
      BASE_URL = "https://rss.coolneng.duckdns.org";
-      RUN_MIGRATIONS = "1";
-      DISABLE_HSTS = "1";
+      DISABLE_HSTS = 1;
    };
  };

@ -23,7 +27,7 @@
      "pm" = "ondemand";
      "pm.max_children " = 4;
      "pm.max_requests" = 32;
-      "env[WALLABAG_DATA]" = "/var/lib/wallabag";
+      "env[WALLABAG_DATA]" = config.environment.variables.WALLABAG_DATA;
    };
    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -1,8 +1,15 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

-let wireguard_port = 1194;
+let
+  wireguard_port = 1194;

-in {
+in
+{
  # Enable systemd-networkd
  networking = {
    hostName = "zion";
@ -19,7 +26,10 @@ in {
    matchConfig.Name = "end0";
    address = [ "192.168.13.2/24" ];
    gateway = [ "192.168.13.1" ];
-    dns = [ "1.1.1.1" "9.9.9.9" ];
+    dns = [
+      "1.1.1.1"
+      "9.9.9.9"
+    ];
    networkConfig.DNSSEC = "no";
  };

@ -76,7 +86,7 @@ in {
      # caravanserai
      {
        wireguardPeerConfig = {
-          PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
+          PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
          AllowedIPs = [ "10.8.0.3/32" ];
        };
      }
@ -121,15 +131,11 @@ in {
    settings = {
      listen_addresses = [ "127.0.0.1:43" ];
      sources.public-resolvers = {
-        urls = [
-          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-        ];
+        urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-        minisign_key =
-          "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      };
-      blocked_names.blocked_names_file =
-        "/var/lib/dnscrypt-proxy/blocklist.txt";
+      blocked_names.blocked_names_file = "/var/lib/dnscrypt-proxy/blocklist.txt";
    };
  };

--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@ -5,10 +5,9 @@
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
+    recommendedZstdSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
-    recommendedBrotliSettings = true;
    clientMaxBodySize = "0";
    sslCiphers =
      "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";