tsuki: fixes for nixos 24.11

hosts/tsuki/services/postgres.nix

@@ -48,32 +48,7 @@ in {
     requires = [ "postgresql.service" ];
   };
 
-  systemd.services.postgresql = {
+  systemd.services.postgresql.serviceConfig.ReadWritePaths = [ cfg.dataDir ];
-    serviceConfig = {
-      Restart = "always";
-      RestartSec = 3;
-      ReadWritePaths = [ cfg.dataDir ];
-      NoNewPrivileges = true;
-      PrivateDevices = true;
-      ProtectClock = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      # PrivateMounts = true;
-      RestrictSUIDSGID = true;
-      ProtectHostname = true;
-      LockPersonality = true;
-      ProtectKernelTunables = true;
-      ProtectSystem = "strict";
-      ProtectProc = "invisible";
-      ProtectHome = true;
-      # PrivateNetwork = true;
-      PrivateUsers = true;
-      PrivateTmp = true;
-      UMask = "0077";
-      # RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
-      SystemCallArchitectures = "native";
-    };
-  };
 
   environment.systemPackages = [ config.services.postgresql.package ];
 }

hosts/tsuki/services/samba.nix

@@ -5,26 +5,25 @@
     enable = true;
     # openFirewall = true;
 
-    extraConfig = ''
+    settings = {
-      workgroup = TSUKI
+      global = {
-      server string = smbnix
+        "workgroup" = "TSUKI";
-      netbios name = smbnix
+        "server string" = "smbnix";
+        "netbios name" = "smbnix";
 
-      security = user
+        "security" = "user";
 
-      use sendfile = yes
+        "use sendfile" = "yes";
-      min protocol = SMB2
+        "min protocol" = "SMB2";
-      smb encrypt = desired
+        "smb encrypt" = "desired";
 
-      # note: localhost is the ipv6 localhost ::1
+        # note: localhost is the ipv6 localhost ::1
-      hosts allow = 100.107.69.8 100.100.65.88
+        "hosts allow" = "100.107.69.8 100.100.65.88";
-      hosts deny = 0.0.0.0/0
+        "hosts deny" = "0.0.0.0/0";
 
-      guest ok = no
+        "guest ok" = "no";
-      map to guest = never
+        "map to guest" = "never";
-    '';
+      };
-
-    shares = {
       cirno = {
         path = "/data/cirno";
         browseable = "yes";
@@ -66,15 +65,4 @@
 
   networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 139 445 ];
   networking.firewall.interfaces."tailscale0".allowedUDPPorts = [ 137 138 ];
-
-
-  systemd.slices.system-samba = {
-    description = "Samba slice";
-    after = [ "system.slice" ];
-    requires = [ "system.slice" ];
-  };
-
-  systemd.services.samba-smbd.serviceConfig.Slice = "system-samba.slice";
-  systemd.services.samba-nmbd.serviceConfig.Slice = "system-samba.slice";
-  systemd.services.samba-winbindd.serviceConfig.Slice = "system-samba.slice";
 }

hosts/tsuki/services/vaultwarden.nix

@@ -21,39 +21,6 @@ in {
 
   systemd.services.vaultwarden = lib.mkIf cfg.enable {
     requires = [ "postgresql.service" ];
-
-    serviceConfig = {
-      # Extra hardening
-      CapabilityBoundingSet = "";
-      LockPersonality = true;
-      NoNewPrivileges = true;
-      # MemoryDenyWriteExecute = true;
-      PrivateMounts = true;
-      PrivateUsers = true;
-      ProcSubset = "pid";
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
-        "AF_UNIX"
-      ];
-      RemoveIPC = true;
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0007";
-    };
   };
 
   services.postgresql = lib.mkIf cfg.enable {