treewide: update to nixos 24.11

2024-11-18 14:26:43 +01:00 · 2024-11-18 14:26:43 +01:00 · e341e72875
parent d65273e67a
commit e341e72875
10 changed files with 91 additions and 153 deletions
--- a/flake.nix
+++ b/flake.nix
@ -1,10 +1,11 @@
 {
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-24.05";
-    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "nixpkgs/nixos-24.11";
+    # nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/master";

    home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };

@ -87,7 +88,7 @@
        android_sdk.accept_license = true;
        segger-jlink.acceptLicense = true;
        permittedInsecurePackages = [
-          "segger-jlink-qt4-794l"
+          "segger-jlink-qt4-796s"
        ];
      };

@ -97,32 +98,16 @@
          config.allowUnfree = true;
          config.segger-jlink.acceptLicense = true;
          config.permittedInsecurePackages = [
-            "segger-jlink-qt4-794s"
+            "segger-jlink-qt4-796s"
          ];
        };
      in [
        (self: super: {
          inherit (nonrecursive-unstable-pkgs)
-            atuin
-            wstunnel
-            nrf-udev
-            nrfutil
-            gpclient
-            gpauth
+              calibre
+              fcitx5-mozc
            ;
        })
-
-        # https://github.com/NixOS/nixpkgs/pull/251706
-        (self: super: {
-          mozc = self.qt6Packages.callPackage ./package-overrides/mozc.nix { };
-          fcitx5-mozc = self.callPackage ./package-overrides/fcitx5-mozc.nix { };
-        })
-
-        (self: super: {
-          mpv-unwrapped = super.mpv-unwrapped.override {
-            ffmpeg = super.ffmpeg_6-full;
-          };
-        })
      ];
    };

--- a/home/packages.nix
+++ b/home/packages.nix
@ -91,8 +91,8 @@
      geogebra
      ghidra
      gimp
-      gnome.gnome-font-viewer
-      gnome.seahorse
+      gnome-font-viewer
+      seahorse
      google-chrome
      imhex
      inkscape
--- a/home/programs/alacritty.nix
+++ b/home/programs/alacritty.nix
@ -43,9 +43,9 @@
        duration = 20;
      };

-      live_config_reload = true;
+      general.live_config_reload = true;

-      shell = {
+      terminal.shell = {
        program = "${pkgs.zsh}/bin/zsh";
        args = [ "--login" ];
      };
--- a/home/services/dunst.nix
+++ b/home/services/dunst.nix
@ -3,7 +3,7 @@
  services.dunst = {
    enable = true;
    iconTheme = {
-      package = pkgs.gnome.adwaita-icon-theme;
+      package = pkgs.adwaita-icon-theme;
      name = "Adwaita";
      size = "32x32";
    };
--- a/home/services/sxhkd.nix
+++ b/home/services/sxhkd.nix
@ -22,11 +22,11 @@ in

      # Volume

-      "super + {@F7,@F8}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
+      "super + {@F7,@F8}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";

-      "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.alsaUtils}/bin/amixer set Master 2%{-,+}";
+      "{XF86AudioLowerVolume,XF86AudioRaiseVolume}" = "${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%{-,+}";

-      "XF86AudioMute" = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
+      "XF86AudioMute" = "${pkgs.wireplumber}/bin/wpctl set-mute toggle";

      # Music

--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -12,9 +12,7 @@ in {
    ./programs/ssh.nix
    ./programs/usbtop.nix

-    ./services/cups.nix
    ./services/dbus.nix
-    ./services/logrotate.nix
    ./services/openssh.nix
    ./services/pcscd.nix
    ./services/pipewire.nix
--- a/hosts/common/services/cups.nix
+++ b/hosts/common/services/cups.nix
@ -1,71 +0,0 @@
-{ config, lib, ... }:
-{
-  systemd.services = lib.mkIf config.services.printing.enable {
-    cups.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true; 
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-    cups-browsed.serviceConfig = {
-      PrivateTmp = true;
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      ProtectClock= true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      PrivateDevices = true;
-      NoNewPrivileges = true;
-      # User =
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DevicePolicy = "closed";
-      KeyringMode = "private";
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      PrivateUsers = true;
-      RemoveIPC = true;
-      # RestrictAddressFamilies = [ "" ];
-      RestrictNamespaces=true;
-      RestrictRealtime=true;
-      RestrictSUIDSGID=true;
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged"
-      ];
-      UMask = "0077";
-    };
-  };
-}
--- a/hosts/common/services/logrotate.nix
+++ b/hosts/common/services/logrotate.nix
@ -1,42 +0,0 @@
-{ ... }:
-{
-  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
-  systemd.services.logrotate = {
-    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
-    unitConfig.RequiresMountsFor = "/var/log";
-    serviceConfig = {
-      Nice = 19;
-      IOSchedulingClass = "best-effort";
-      IOSchedulingPriority = 7;
-
-      ReadWritePaths = [ "/var/log" ];
-
-      AmbientCapabilities = [ "" ];
-      CapabilityBoundingSet = [ "" ];
-      DeviceAllow = [ "" ];
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      NoNewPrivileges = true; # disable for third party rotate scripts
-      PrivateDevices = true;
-      PrivateNetwork = true; # disable for mail delivery
-      PrivateTmp = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true; # disable for userdir logs
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "full";
-      RestrictNamespaces = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true; # disable for creating setgid directories
-      SocketBindDeny = [ "any" ];
-      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-      ];
-    };
-  };
-}
--- a/hosts/common/services/printing.nix
+++ b/hosts/common/services/printing.nix
@ -1,4 +1,77 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+  cfg = config.services.printing;
+in
 {
-  services.printing.enable = !config.machineVars.headless;
+  # services.printing.enable = !config.machineVars.headless;
+  services.printing.enable = false;
+
+  systemd.services = lib.mkIf cfg.enable {
+    cups.serviceConfig = {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+    cups-browsed.serviceConfig = lib.mkIf cfg.enable {
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectClock= true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      # User =
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DevicePolicy = "closed";
+      KeyringMode = "private";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      RemoveIPC = true;
+      # RestrictAddressFamilies = [ "" ];
+      RestrictNamespaces=true;
+      RestrictRealtime=true;
+      RestrictSUIDSGID=true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0077";
+    };
+  };
 }
--- a/hosts/dosei/configuration.nix
+++ b/hosts/dosei/configuration.nix
@ -81,10 +81,5 @@
    bluetooth.enable = true;
    enableRedistributableFirmware = true;
    keyboard.zsa.enable = true;
-    opengl = {
-      enable = true;
-      driSupport = true;
-      driSupport32Bit = true;
-    };
  };
 }