Merge branch 'nixos-23.11' into consensus

hardware/purism_librem_15.nix

@@ -2,10 +2,11 @@
 {
   config,
   lib,
+  modulesPath,
   pkgs,
   ...
 }: {
-  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
 
   boot = {
     initrd = {
@@ -16,26 +17,28 @@
         "usbhid" # USB HID transport layer
         "usb_storage" # USB Mass Storage support
         "sd_mod" # SCSI disk support
-        "aesni_intel" # AES-NI + SSE2 implementation of AEGIS-128
-        "cryptd" # Software async crypto daemon
       ];
-      kernelModules = ["dm-snapshot"];
-      luks.devices."cryptroot".device = "/dev/disk/by-uuid/52040288-dea9-4e74-9438-d0946b48a1f4";
     };
     kernelModules = ["kvm-intel"]; # Enable kvm for libvirtd
   };
 
-  fileSystems."/" = {
+  fileSystems = {
-    device = "/dev/disk/by-uuid/848e15eb-992b-499f-89b1-be8bc59af41c";
+    "/" = {
-    fsType = "ext4";
+      device = "/dev/disk/by-uuid/0bdc11fc-c497-47ff-bcc2-3044f81f40be";
+      fsType = "ext4";
+    };
+    "/home" = {
+      device = "/dev/disk/by-uuid/9c8a9dd1-b234-4a6d-ad62-3962e85d4063";
+      fsType = "ext4";
+    };
   };
 
-  fileSystems."/boot" = {
+  swapDevices = [{device = "/dev/disk/by-uuid/05aed0b0-3a79-44f2-aa4d-e5e5724643f2";}];
-    device = "/dev/disk/by-uuid/a9d48855-edaf-40b9-9296-58e9b7c7eb96";
-    fsType = "ext4";
-  };
 
-  swapDevices = [{device = "/dev/disk/by-uuid/ac308d76-cc12-4a73-83ee-64a2ad07b91e";}];
+  networking.useDHCP = lib.mkDefault true;
 
   nix.settings.max-jobs = lib.mkDefault 4;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hardware/raspberry_pi_3_model_B.nix

@@ -17,7 +17,7 @@
     };
     kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
     kernelParams = [
-      "cma=32M" # Needed for the virtual console to work on the RPi 3
+      "cma=320M" # Needed for the virtual console to work on the RPi 3
       "console=ttyS0,115200n8" # Enable the serial console
       "console=tty0"
     ];
@@ -31,9 +31,10 @@
       raspberryPi = {
         enable = false;
         version = 3;
-        uboot.enable = true;
         firmwareConfig = ''
           arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          display_auto_detect=1  # Enable auto detection of screen resolution
+          gpu_mem=128
           hdmi_force_hotplug=1   # Enable headless booting
         '';
       };

hosts/cuallaidh.nix

@@ -10,7 +10,6 @@
     ../networks/linode.nix
     ../profiles/coturn.nix
     #../profiles/cryptpad.nix
-    ../profiles/forgejo.nix
     #../profiles/hydra.nix
     ../profiles/iog.nix
     ../profiles/ipv6.nix
@@ -22,7 +21,6 @@
     ../profiles/nixpkgs-dev.nix
     ../profiles/taskserver.nix
     ../profiles/tt-rss.nix
-    ../secrets/forgejo.nix
     ../secrets/tt-rss.nix
   ];
 

hosts/dionach.nix

@@ -16,6 +16,7 @@
     loader.grub = {
       enable = true;
       device = "/dev/nvme0n1"; # or "nodev" for efi only
+      useOSProber = true;
     };
     kernel.sysctl."net.ipv4.ip_forward" = "1";
     extraModprobeConfig = "options kvm_intel nested=1";
@@ -23,6 +24,11 @@
 
   networking = {
     hostName = "dionach"; # Define your hostname.
+    firewall = {
+      enable = true;
+      checkReversePath = false; # Needed for libvirtd
+      allowedTCPPorts = [15000];
+    };
   };
 
   systemd.network.networks.enp0s20f0u4u4i5.ipv6SendRAConfig = {
@@ -33,15 +39,9 @@
 
   services.kbfs.enable = true;
 
-  networking.firewall = {
-    enable = true;
-    checkReversePath = false; # Needed for libvirtd
-    allowedTCPPorts = [15000];
-  };
-
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "20.03"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

hosts/sercanto.nix

@@ -27,8 +27,7 @@
     #../secrets/wireless.nix # Hey look! A squirrel!
   ];
 
-  #deployment.targetHost = "10.42.0.180";
+  deployment.targetHost = "10.42.0.126";
-  deployment.targetHost = "10.42.0.115";
 
   nixpkgs = {
     config = {
@@ -54,7 +53,7 @@
     networkmanager.enable = true; # Enables network support via NetworkManager.
   };
 
-  fonts.fonts = with pkgs; [
+  fonts.packages = with pkgs; [
     anonymousPro
     dejavu_fonts # A typeface family based on the Bitstream Vera fonts
     fira-code # Monospace font with programming ligaturess

nix/sources.json

@@ -55,6 +55,18 @@
         "url": "https://github.com/nmattia/niv/archive/82e5cd1ad3c387863f0545d7591512e76ab0fc41.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
+    "nixos-23.05": {
+        "branch": "nixos-23.05",
+        "description": "Nix Packages collection & NixOS",
+        "homepage": "",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
+        "sha256": "05cbl1k193c9la9xhlz4y6y8ijpb2mkaqrab30zij6z4kqgclsrd",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/70bdadeb94ffc8806c0570eb5c2695ad29f0e421.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
     "nixos2111": {
         "branch": "nixos-21.11",
         "description": "Nix Packages collection",
@@ -68,16 +80,16 @@
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
-        "branch": "nixos-23.05",
+        "branch": "nixos-23.11",
         "builtin": false,
         "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
         "homepage": "https://github.com/NixOS/nixpkgs",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
+        "rev": "25e3d4c0d3591c99929b1ec07883177f6ea70c9d",
-        "sha256": "05cbl1k193c9la9xhlz4y6y8ijpb2mkaqrab30zij6z4kqgclsrd",
+        "sha256": "1q0hsllnzm4i6liafx5hql3fahcwv33vzn5vjkgxsvlwpxllxbrp",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/70bdadeb94ffc8806c0570eb5c2695ad29f0e421.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/25e3d4c0d3591c99929b1ec07883177f6ea70c9d.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgsUnstable": {
@@ -86,10 +98,10 @@
         "homepage": "",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
+        "rev": "e92b6015881907e698782c77641aa49298330223",
-        "sha256": "00vmgvwic5yip7r9knnv1w3rmwk6ad10p5xxghfwhky5cgk34q97",
+        "sha256": "0vq05559vmj5px94hr148wnq9qbn9whsfpwdbk8wn2myby4knwy7",
         "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/e92b6015881907e698782c77641aa49298330223.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }

profiles/desktop_common.nix

@@ -31,6 +31,7 @@
     mplayer # A movie player that supports many video formats
     nextcloud-client # Nextcloud desktop client
     pwgen # Password generator
+    rsync
     shotwell # Photo organizer
     signal-desktop # Private, simple, and secure messenger
     usbutils # Tools for working with USB devices, such as lsusb
@@ -69,19 +70,27 @@
       };
       libinput.enable = true; # Enable touchpad support.
     };
+
+    pipewire = {
+      enable = true;
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse.enable = true;
+    };
   };
 
   sound.enable = true; # Enable sound.
+  security.rtkit.enable = true; # realtime scheduling for sound
 
   # Configure common hardware settings
   hardware = {
     pulseaudio = {
-      enable = true;
+      enable = false;
-      package = pkgs.pulseaudioFull;
     };
     bluetooth = {
       enable = true; # Enable bluetooth
-      hsphfpd.enable = true;
       settings = {
         General = {
           Enable = "Source,Sink,Media,Socket";

profiles/forgejo.nix

@@ -1,121 +0,0 @@
-# NixOps configuration for the hosts running Forgejo
-{
-  config,
-  pkgs,
-  lib,
-  sources,
-  ...
-}: let
-  sources = import ../nix/sources.nix;
-  unstable = import sources.nixpkgsUnstable {};
-in {
-  services.gitea = {
-    enable = true; # Enable Forgejo
-    appName = "mcwhirter.io: Forgejo Service"; # Give the site a name
-    database = {
-      type = "postgres"; # Database type
-      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
-    };
-    disableRegistration = true;
-    domain = "source.mcwhirter.io"; # Domain name
-    rootUrl = "https://source.mcwhirter.io/"; # Root web URL
-    httpPort = 3002; # Provided unique port
-    package = pkgs.forgejo; # a soft fork of gitea
-    settings = let
-      docutils = pkgs.python39.withPackages (ps:
-        with ps; [
-          docutils # Provides rendering of ReStructured Text files
-          pygments # Provides syntax highlighting
-        ]);
-    in {
-      mailer = {
-        ENABLED = true;
-        FROM = "gitea@mcwhirter.io";
-      };
-      repository = {DEFAULT_BRANCH = "consensus";};
-      service = {REGISTER_EMAIL_CONFIRM = true;};
-      "markup.restructuredtext" = {
-        ENABLED = true;
-        FILE_EXTENSIONS = ".rst";
-        RENDER_COMMAND = "${docutils}/bin/rst2html.py";
-        IS_INPUT_FILE = false;
-      };
-      ui = {
-        DEFAULT_THEME = "forgejo-auto"; # Set the default theme
-        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,gitea";
-      };
-    };
-  };
-
-  systemd = {
-    services = {
-      gitea = {
-        # Ensure gitea starts after nixops keys are loaded
-        after = ["gitea-dbpass-key.service"];
-        wants = ["gitea-dbpass-key.service"];
-      };
-    };
-  };
-
-  services.postgresql = {
-    enable = true; # Ensure postgresql is enabled
-    authentication = ''
-      local gitea all ident map=gitea-users
-    '';
-    identMap =
-      # Map the gitea user to postgresql
-      ''
-        gitea-users gitea gitea
-      '';
-    ensureDatabases = ["gitea"]; # Ensure the database persists
-    ensureUsers = [
-      {
-        name = "gitea"; # Ensure the database user persists
-        ensurePermissions = {
-          # Ensure the database permissions persist
-          "DATABASE gitea" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
-      }
-    ];
-  };
-
-  services.postgresqlBackup.databases = ["gitea"];
-
-  services.nginx = {
-    enable = true; # Enable Nginx
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    virtualHosts."source.mcwhirter.io" = {
-      # Forgejo hostname
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      locations."/".proxyPass = "http://localhost:3002/"; # Proxy Forgejo
-    };
-    virtualHosts."git.mcwhirter.io" = {
-      # Hostname to be redirected
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
-    };
-    virtualHosts."code.mcwhirter.io" = {
-      # Hostname to be redirected
-      enableACME = true; # Use ACME certs
-      forceSSL = true; # Force SSL
-      globalRedirect = "source.mcwhirter.io"; # Redirect permanently to the host
-    };
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    certs = {
-      "code.mcwhirter.io".email = "craige@mcwhirter.io";
-      "git.mcwhirter.io".email = "craige@mcwhirter.io";
-      "source.mcwhirter.io".email = "craige@mcwhirter.io";
-    };
-  };
-
-  users.groups.keys.members = ["gitea"]; # Required due to NixOps issue #1204
-}

profiles/gitea_home.nix

@@ -1,76 +0,0 @@
-# NixOps configuration for the hosts running Gitea
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  services.gitea = {
-    enable = true; # Enable Gitea
-    appName = "taigh,mcwhirter.io: Gitea Service"; # Give the site a name
-    database = {
-      type = "postgres"; # Database type
-      passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
-    };
-    domain = "source.taigh.mcwhirter.io"; # Domain name
-    rootUrl = "http://source.taigh.mcwhirter.io/"; # Root web URL
-    httpPort = 3001; # Provided unique port
-    extraConfig = let
-      docutils = pkgs.python37.withPackages (ps:
-        with ps; [
-          docutils # Provides rendering of ReStructured Text files
-          pygments # Provides syntax highlighting
-        ]);
-    in ''
-      [mailer]
-      ENABLED = true
-      FROM = "gitea@mcwhirter.io"
-      [service]
-      REGISTER_EMAIL_CONFIRM = true
-      [markup.restructuredtext]
-      ENABLED = true
-      FILE_EXTENSIONS = .rst
-      RENDER_COMMAND = ${docutils}/bin/rst2html.py
-      IS_INPUT_FILE = false
-    '';
-  };
-
-  services.postgresql = {
-    enable = true; # Ensure postgresql is enabled
-    authentication = ''
-      local gitea all ident map=gitea-users
-    '';
-    identMap =
-      # Map the gitea user to postgresql
-      ''
-        gitea-users gitea gitea
-      '';
-  };
-
-  services.nginx = {
-    enable = true; # Enable Nginx
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    #recommendedTlsSettings = true;
-    virtualHosts."source.taigh.mcwhirter.io" = {
-      # Gitea hostname
-      #enableACME = true;                                    # Use ACME certs
-      #forceSSL = true;                                      # Force SSL
-      locations."/".proxyPass = "http://localhost:3001/"; # Proxy Gitea
-    };
-  };
-
-  # Configure firewall defaults:
-  networking = {
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [80];
-      trustedInterfaces = ["lo"];
-    };
-  };
-
-  #security.acme.certs = {
-  #    "source.mcwhirter.io".email = "craige@mcwhirter.io";
-  #};
-}

profiles/host_common.nix

@@ -26,7 +26,7 @@
   # Set the defaul console properties
   console = {
     keyMap = "us"; # Set the default console key map
-    font = "ter-powerline-v16Rv"; # Set the default console font
+    font = "ter-powerline-v32n"; # Set the default console font
   };
 
   time.timeZone = "Australia/Brisbane"; # Set your preferred timezone:
@@ -37,12 +37,15 @@
   security.sudo.wheelNeedsPassword = false;
 
   # Configure and install required fonts
-  fonts.enableDefaultFonts = true;
+  fonts = {
-  fonts.fontDir.enable = true;
+    enableDefaultPackages = true;
-  fonts.fonts = with pkgs; [
+    fontDir.enable = true;
-    powerline-fonts # Required for Powerline prompts
+    packages = with pkgs; [
-  ];
+      powerline-fonts # Required for Powerline prompts
-  fonts.fontconfig.includeUserConf = false;
+      powerline-symbols # Powerline symbols
+    ];
+    fontconfig.includeUserConf = false;
+  };
 
   # Adapted from gchristensen and clever
   nix = {

profiles/iog.nix

@@ -51,7 +51,6 @@ in {
       jq # A lightweight and flexible command-line JSON processor
       keybase-gui # The Keybase official client
       magic-wormhole # Securely transfer data between computers
-      python38Packages.grip # Preview GitHub Markdown files like locally
       s3fs # Mount an S3 bucket as filesystem through FUSE
       shellcheck # Shell script analysis tool
       slack-dark # Slack desktop client
@@ -66,9 +65,6 @@ in {
 
   services = {
     keybase.enable = true;
-    #postgresql = {
-    #  enable = true;                  # Ensure postgresql is enabled
-    #  package = pkgs.postgresql_10;   # Set the required version, if needed
   };
 
   users.groups.docker.members = ["craige"];

profiles/mastodon.nix

@@ -17,6 +17,7 @@
       extraConfig = {
         WEB_DOMAIN = "social.mcwhirter.io";
       };
+      streamingProcesses = 5;
     };
   };
 

profiles/matrix.nix

@@ -129,11 +129,7 @@
       ensureUsers = [
         {
           name = "matrix-synapse"; # Ensure the database user persists
-          ensurePermissions = {
+          ensureDBOwnership = true;
-            # Ensure the database permissions persist
-            "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
-            "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-          };
         }
       ];
       # Initial database creation

profiles/nextcloud.nix

@@ -27,8 +27,12 @@
       enable = true; # Run regular auto update of all apps installed
       startAt = "01:00:00"; # When to run the update
     };
-    enableBrokenCiphersForSSE = false; # force upgrade to SSL v3
     package = pkgs.nextcloud27;
+    extraApps = with config.services.nextcloud.package.packages.apps; {
+      inherit calendar contacts deck news notes tasks twofactor_webauthn;
+    };
+    extraAppsEnable = true;
+    appstoreEnable = true;
   };
 
   systemd = {
@@ -43,15 +47,19 @@
 
   services.postgresql = {
     enable = true; # Ensure postgresql is enabled
+    authentication = ''
+      local nextcloud all ident map=nextcloud-users
+    '';
+    identMap =
+      # Map the nextcloud user to postgresql
+      ''
+        nextcloud-users nextcloud nextcloud
+      '';
     ensureDatabases = ["nextcloud"]; # Ensure the database persists
     ensureUsers = [
       {
         name = "nextcloud"; # Ensure the database user persists
-        ensurePermissions = {
+        ensureDBOwnership = true;
-          # Ensure the database permissions persist
-          "DATABASE nextcloud" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
       }
     ];
   };

profiles/nix-direnv.nix

@@ -23,7 +23,7 @@
 
   nixpkgs.overlays = [
     (self: super: {
-      nix-direnv = super.nix-direnv.override {enableFlakes = true;};
+      #nix-direnv = super.nix-direnv.override {enableFlakes = true;};
     })
   ];
 }

profiles/nixpkgs-dev.nix

@@ -18,7 +18,7 @@
       nixfmt # An opinionated formatter for Nix
       nix-prefetch-github # Prefetch sources from github
       nix-prefetch-git # Prefetch sources from git
-      nix-review # Review pull-requests on https://github.com/NixOS/nixpkgs
+      nixpkgs-review # Review pull-requests on https://github.com/NixOS/nixpkgs
       nix-top # Tracks what nix is building
       nix-universal-prefetch # Uses nixpkgs fetchers to figure out hashes
       nodePackages.node2nix # Generate Nix expressions to build NPM packages

profiles/server_common.nix

@@ -6,7 +6,7 @@
   ...
 }: let
   sources = import ../nix/sources.nix;
-  nixpkgs2111 = (import sources.nixos2111 {}).pkgs;
+  nixpkgs2305 = (import sources."nixos-23.05" {}).pkgs;
 in {
   imports = [
     ../profiles/openssh.nix
@@ -20,7 +20,7 @@ in {
   };
 
   services.postgresql = {
-    package = pkgs.postgresql_11;
+    package = pkgs.postgresql_16;
   };
 
   security.polkit.enable = false; # avoid CVE-2021-4034 (PwnKit)

profiles/tt-rss.nix

@@ -34,11 +34,7 @@
     ensureUsers = [
       {
         name = "tt_rss"; # Ensure the database user persists
-        ensurePermissions = {
+        ensureDBOwnership = true;
-          # Ensure the database permissions persist
-          "DATABASE tt_rss" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
       }
     ];
   };

profiles/xmonad.nix

@@ -26,8 +26,10 @@
       layout = "us"; # Set your preferred keyboard layout.
       libinput = {
         enable = true; # Enable touchpad support.
-        tapping = true;
+        touchpad = {
-        tappingButtonMap = "lrm"; # Set the touchpad button mappeing
+          tapping = true;
+          tappingButtonMap = "lrm"; # Set the touchpad button mappeing
+        };
       };
       windowManager = {
         # Open configuration for the window manager.
@@ -53,7 +55,7 @@
   };
 
   # Install any additional fonts that I require to be used with xmonad
-  fonts.fonts = with pkgs; [
+  fonts.packages = with pkgs; [
     open-sans # Used in in my polybar configuration
   ];
 

profiles/yubikey.nix

@@ -40,8 +40,8 @@
   environment = {
     systemPackages = with pkgs; [
       paperkey # Store OpenPGP or GnuPG on paper
-      pinentry_curses # GnuPG’s interface to passphrase input
+      pinentry-curses # GnuPG’s interface to passphrase input
-      pinentry_qt # GnuPG’s interface to passphrase input
+      pinentry-qt # GnuPG’s interface to passphrase input
       yubikey-manager # CLI tool for configuring any YubiKey over USB
       yubikey-manager-qt # Configure any YubiKey over USB interfaces
       yubikey-personalization # Lib & CLI tool to personalize YubiKeys