From ebc5b269ef7515bee0c96567e3033f44d94c23e1 Mon Sep 17 00:00:00 2001 From: Daniel Olsen Date: Sat, 7 Dec 2024 22:46:35 +0100 Subject: [PATCH] 24.11 --- base/services/auto-upgrade.nix | 4 +- base/services/logrotate.nix | 3 +- base/services/nginx.nix | 6 +- flake.lock | 8 +- flake.nix | 2 +- hosts/bekkalokk/services/bluemap/default.nix | 2 +- hosts/bekkalokk/services/vaultwarden.nix | 2 - .../bekkalokk/services/webmail/roundcube.nix | 2 +- .../services/matrix/hookshot/default.nix | 4 - .../bicep/services/matrix/hookshot/module.nix | 127 ------------------ 10 files changed, 15 insertions(+), 145 deletions(-) delete mode 100644 hosts/bicep/services/matrix/hookshot/module.nix diff --git a/base/services/auto-upgrade.nix b/base/services/auto-upgrade.nix index 7e8e982..6dcb9d8 100644 --- a/base/services/auto-upgrade.nix +++ b/base/services/auto-upgrade.nix @@ -2,12 +2,12 @@ { system.autoUpgrade = { enable = true; - flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git"; + flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git?ref=24.11"; flags = [ # --update-input is deprecated since nix 2.22, and removed in lix 2.90 # https://git.lix.systems/lix-project/lix/issues/400 "--refresh" - "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.05-small" + "--override-input" "nixpkgs" "github:nixos/nixpkgs/nixos-24.11-small" "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable-small" "--no-write-lock-file" ]; diff --git a/base/services/logrotate.nix b/base/services/logrotate.nix index 2db259e..f315638 100644 --- a/base/services/logrotate.nix +++ b/base/services/logrotate.nix @@ -31,7 +31,6 @@ ProtectSystem = "full"; RestrictNamespaces = true; RestrictRealtime = true; - RestrictSUIDSGID = true; # disable for creating setgid directories SocketBindDeny = [ "any" ]; SystemCallArchitectures = "native"; SystemCallFilter = [ @@ -39,4 +38,4 @@ ]; }; }; -} \ No newline at end of file +} 
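Review bot: Dropping `RestrictSUIDSGID = true;` from the logrotate unit takes the only stated reason with it, since the explanation ("disable for creating setgid directories") lived in the deleted comment's trailing text; keep it in the new code as `# RestrictSUIDSGID is deliberately unset: logrotate must create setgid directories` next to `RestrictRealtime`. Without that directive the unit may set the set-user-ID/set-group-ID bits on any file or directory it can write, which is a wider grant than "setgid directories", so the comment should also say which rotation needs it. The second logrotate hunk only adds the missing trailing newline.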
diff --git a/base/services/nginx.nix b/base/services/nginx.nix index 6406527..7140c64 100644 --- a/base/services/nginx.nix +++ b/base/services/nginx.nix @@ -33,6 +33,10 @@ systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable { LimitNOFILE = 65536; + # We use jit my dudes + MemoryDenyWriteExecute = lib.mkForce false; + # What the fuck do we use that where the defaults are not enough??? + SystemCallFilter = lib.mkForce null; }; services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable { @@ -41,4 +45,4 @@ addSSL = true; extraConfig = "return 444;"; }; -} \ No newline at end of file +} diff --git a/flake.lock b/flake.lock index ff70982..762f329 100644 --- a/flake.lock +++ b/flake.lock @@ -119,16 +119,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731663789, - "narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=", + "lastModified": 1733466147, + "narHash": "sha256-1QAch5UZXGDc8Kh3PvdIKfVNeebjZFWiIKn8lAr1ZBM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36", + "rev": "66dddf2c2aae34272f117ea95a06efe376edbe27", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05-small", + "ref": "nixos-24.11-small", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 4be2355..52c9289 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "PVV System flake"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; # remember to also update the url in base/services/auto-upgrade.nix + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; # remember to also update the url in base/services/auto-upgrade.nix nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; sops-nix.url = "github:Mic92/sops-nix"; diff --git a/hosts/bekkalokk/services/bluemap/default.nix b/hosts/bekkalokk/services/bluemap/default.nix index e8ebe1f..e11bef3 100644 --- a/hosts/bekkalokk/services/bluemap/default.nix 
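Review bot: `SystemCallFilter = lib.mkForce null;` discards the whole syscall filter the upstream nginx module provides instead of widening it by the one group that was missing, and the comment beside it records that the failing call was never identified. The journal entry for the killed nginx worker (seccomp/SIGSYS) names the syscall; adding its group as an extra list entry without `mkForce`, e.g. `SystemCallFilter = [ "@<group from journal>" ];`, keeps the rest of the filter, provided the upstream value is a list that the module system merges — worth confirming against the 24.11 module. `MemoryDenyWriteExecute = lib.mkForce false;` is a reasonable trade for a JIT, but the comment should name the component that needs it, if known, so the exception can be revisited when that dependency changes.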
+++ b/hosts/bekkalokk/services/bluemap/default.nix @@ -6,7 +6,7 @@ in { ./module.nix # From danio, pending upstreaming ]; - disabledModules = [ "services/web-servers/bluemap.nix" ]; + disabledModules = [ "services/web-apps/bluemap.nix" ]; sops.secrets."bluemap/ssh-key" = { }; sops.secrets."bluemap/ssh-known-hosts" = { }; diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix index f4a7477..3425b6f 100644 --- a/hosts/bekkalokk/services/vaultwarden.nix +++ b/hosts/bekkalokk/services/vaultwarden.nix @@ -83,7 +83,6 @@ in { ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; - ProtectProc = "invisible"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" @@ -98,7 +97,6 @@ in { "@system-service" "~@privileged" ]; - UMask = "0007"; }; }; } diff --git a/hosts/bekkalokk/services/webmail/roundcube.nix b/hosts/bekkalokk/services/webmail/roundcube.nix index 6212ccd..960fb67 100644 --- a/hosts/bekkalokk/services/webmail/roundcube.nix +++ b/hosts/bekkalokk/services/webmail/roundcube.nix @@ -21,7 +21,7 @@ in custom_from ]); - dicts = with pkgs.aspellDicts; [ en en-science en-computers nb nn fr de it ]; + dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ]; maxAttachmentSize = 20; hostName = "roundcubeplaceholder.example.com"; diff --git a/hosts/bicep/services/matrix/hookshot/default.nix b/hosts/bicep/services/matrix/hookshot/default.nix index 510bc16..b01683b 100644 --- a/hosts/bicep/services/matrix/hookshot/default.nix +++ b/hosts/bicep/services/matrix/hookshot/default.nix @@ -6,10 +6,6 @@ let webhookListenPort = 8435; in { - imports = [ - ./module.nix - ]; - sops.secrets."matrix/hookshot/as_token" = { sopsFile = fp /secrets/bicep/matrix.yaml; key = "hookshot/as_token"; diff --git a/hosts/bicep/services/matrix/hookshot/module.nix b/hosts/bicep/services/matrix/hookshot/module.nix deleted file mode 100644 index d6329e9..0000000 --- a/hosts/bicep/services/matrix/hookshot/module.nix +++ /dev/null 
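Review bot: `ProtectProc = "invisible";` and, in the second vaultwarden hunk, `UMask = "0007";` are removed with no recorded reason, unlike the logrotate change in this patch which at least said why. If the 24.11 vaultwarden module now sets these itself, a comment such as `# ProtectProc/UMask come from the upstream module since 24.11` would stop someone re-adding them; if they broke the service, the note should say which access failed. Without an explicit `UMask` systemd's default of 0022 applies, so files the service creates may become world-readable unless the containing directory is already restricted or upstream sets its own umask — worth confirming before merging.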
@@ -1,127 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -let - cfg = config.services.matrix-hookshot; - settingsFormat = pkgs.formats.yaml { }; - configFile = settingsFormat.generate "matrix-hookshot-config.yml" cfg.settings; -in -{ - options = { - services.matrix-hookshot = { - enable = lib.mkEnableOption "matrix-hookshot, a bridge between Matrix and project management services"; - - package = lib.mkPackageOption pkgs "matrix-hookshot" { }; - - registrationFile = lib.mkOption { - type = lib.types.path; - description = '' - Appservice registration file. - As it contains secret tokens, you may not want to add this to the publicly readable Nix store. - ''; - example = lib.literalExpression '' - pkgs.writeText "matrix-hookshot-registration" \'\' - id: matrix-hookshot - as_token: aaaaaaaaaa - hs_token: aaaaaaaaaa - namespaces: - rooms: [] - users: - - regex: "@_webhooks_.*:foobar" - exclusive: true - - sender_localpart: hookshot - url: "http://localhost:9993" - rate_limited: false - \'\' - ''; - }; - - settings = lib.mkOption { - description = '' - {file}`config.yml` configuration as a Nix attribute set. - - For details please see the [documentation](https://matrix-org.github.io/matrix-hookshot/latest/setup/sample-configuration.html). - ''; - example = { - bridge = { - domain = "example.com"; - url = "http://localhost:8008"; - mediaUrl = "https://example.com"; - port = 9993; - bindAddress = "127.0.0.1"; - }; - listeners = [ - { - port = 9000; - bindAddress = "0.0.0.0"; - resources = [ "webhooks" ]; - } - { - port = 9001; - bindAddress = "localhost"; - resources = [ - "metrics" - "provisioning" - ]; - } - ]; - }; - default = { }; - type = lib.types.submodule { - freeformType = settingsFormat.type; - options = { - passFile = lib.mkOption { - type = lib.types.path; - default = "/var/lib/matrix-hookshot/passkey.pem"; - description = '' - A passkey used to encrypt tokens stored inside the bridge. - File will be generated if not found. 
- ''; - }; - }; - }; - }; - - serviceDependencies = lib.mkOption { - type = with lib.types; listOf str; - default = lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit; - defaultText = lib.literalExpression '' - lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit - ''; - description = '' - List of Systemd services to require and wait for when starting the application service, - such as the Matrix homeserver if it's running on the same host. - ''; - }; - }; - }; - - config = lib.mkIf cfg.enable { - systemd.services.matrix-hookshot = { - description = "a bridge between Matrix and multiple project management services"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ] ++ cfg.serviceDependencies; - after = [ "network-online.target" ] ++ cfg.serviceDependencies; - - preStart = '' - if [ ! -f '${cfg.settings.passFile}' ]; then - mkdir -p $(dirname '${cfg.settings.passFile}') - ${pkgs.openssl}/bin/openssl genpkey -out '${cfg.settings.passFile}' -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 - fi - ''; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - ExecStart = "${cfg.package}/bin/matrix-hookshot ${configFile} ${cfg.registrationFile}"; - }; - }; - }; - - meta.maintainers = with lib.maintainers; [ flandweber ]; -}