treewide: update to nixos 24.11

flake.nix

@@ -1,10 +1,11 @@
 {
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05";
+    nixpkgs.url = "nixpkgs/nixos-24.11";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    # nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -87,7 +88,7 @@
         android_sdk.accept_license = true;
         segger-jlink.acceptLicense = true;
         permittedInsecurePackages = [
-          "segger-jlink-qt4-794l"
+          "segger-jlink-qt4-796s"
         ];
       };
 
@@ -97,32 +98,16 @@
           config.allowUnfree = true;
           config.segger-jlink.acceptLicense = true;
           config.permittedInsecurePackages = [
-            "segger-jlink-qt4-794s"
+            "segger-jlink-qt4-796s"
           ];
         };
       in [
         (self: super: {
           inherit (nonrecursive-unstable-pkgs)
-            atuin
+              calibre
-            wstunnel
+              fcitx5-mozc
-            nrf-udev
-            nrfutil
-            gpclient
-            gpauth
             ;
         })
-
-        # https://github.com/NixOS/nixpkgs/pull/251706
-        (self: super: {
-          mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { };
-          fcitx5-mozc = self.callPackage ./package-overrides/fcitx5-mozc.nix { };
-        })
-
-        (self: super: {
-          mpv-unwrapped = super.mpv-unwrapped.override {
-            ffmpeg = super.ffmpeg_6-full;
-          };
-        })
       ];
     };
 

home/packages.nix

@@ -91,8 +91,8 @@
       geogebra
       ghidra
       gimp
-      gnome.gnome-font-viewer
+      gnome-font-viewer
-      gnome.seahorse
+      seahorse
       google-chrome
       imhex
       inkscape

home/programs/alacritty.nix

@@ -43,9 +43,9 @@
         duration = 20;
       };
 
-      live_config_reload = true;
+      general.live_config_reload = true;
 
-      shell = {
+      terminal.shell = {
         program = "${pkgs.zsh}/bin/zsh";
         args = [ "--login" ];
       };

home/services/dunst.nix

@@ -3,7 +3,7 @@
   services.dunst = {
     enable = true;
     iconTheme = {
-      package = pkgs.gnome.adwaita-icon-theme;
+      package = pkgs.adwaita-icon-theme;
       name = "Adwaita";
       size = "32x32";
     };

home/services/sxhkd.nix

@@ -22,11 +22,11 @@ in
 
       # Volume
 
-      "super + {@F7,@F8}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
+      "super + {@F7,@F8}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";
 
-      "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
+      "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";
 
-      "XF86AudioMute" = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
+      "XF86AudioMute" = "${pkgs.wireplumber}/bin/wpctl set-mute toggle";
 
       # Music
 

hosts/common/default.nix

@@ -12,9 +12,7 @@ in {
     ./programs/ssh.nix
     ./programs/usbtop.nix
 
-    ./services/cups.nix
     ./services/dbus.nix
-    ./services/logrotate.nix
     ./services/openssh.nix
     ./services/pcscd.nix
     ./services/pipewire.nix

hosts/common/services/cups.nix

@@ -1,71 +0,0 @@
-{ config, lib, ... }:
-{
-  systemd.services = lib.mkIf config.services.printing.enable {
-    cups.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true; 
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-    cups-browsed.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-  };
-}

hosts/common/services/logrotate.nix

@@ -1,42 +0,0 @@
-{ ... }:
-{
-  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
-  systemd.services.logrotate = {
-    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
-    unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig = {
-      Nice = 19;
-      IOSchedulingClass = "best-effort";
-      IOSchedulingPriority = 7;
-
-      ReadWritePaths = [ "/var/log" ];
-
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true; # disable for third party rotate scripts
-      PrivateDevices = true;
-      PrivateNetwork = true; # disable for mail delivery
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true; # disable for userdir logs
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "full";
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true; # disable for creating setgid directories
-      SocketBindDeny = [ "any" ];
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-      ];
-    };
-  };
-}

hosts/common/services/printing.nix

@@ -1,4 +1,77 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+  cfg = config.services.printing;
+in
 {
-  services.printing.enable = !config.machineVars.headless;
+  # services.printing.enable = !config.machineVars.headless;
+  services.printing.enable = false;
+
+  systemd.services = lib.mkIf cfg.enable {
+    cups.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+    cups-browsed.serviceConfig = lib.mkIf cfg.enable {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+  };
 }

hosts/dosei/configuration.nix

@@ -81,10 +81,5 @@
     bluetooth.enable = true;
     enableRedistributableFirmware = true;
     keyboard.zsa.enable = true;
-    opengl = {
-      enable = true;
-      driSupport = true;
-      driSupport32Bit = true;
-    };
   };
 }