Update from updated-inputs-2025-06-30-01-03

2025-06-30 03:04:01 +02:00
parent e03f4f80eb 815c65ea62
commit 508d65a4d7
17 changed files with 222 additions and 158 deletions
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -7,7 +7,6 @@
    ./initrd.nix
    ./locale.nix
    ./networking.nix
-    ./nix.nix
    ./programs.nix
    ./ssh.nix
    ./systemd.nix
--- a/configuration/common/nix.nix
+++ b/configuration/common/nix.nix
@@ -1,70 +0,0 @@
-{ lib, pkgs, ... }:
-
-{
-
-  clerie.nixfiles.enable = true;
-
-  clerie.system-auto-upgrade.enable = true;
-
-  nix.settings = {
-    trusted-users = [ "@wheel" "@guests" ];
-    auto-optimise-store = true;
-    # Keep buildtime dependencies
-    keep-outputs = true;
-    # Build local, when caches are broken
-    fallback = true;
-  };
-
-  nix.gc = lib.mkDefault {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
-
-
-  nix.settings = {
-    experimental-features = [
-      "flakes"
-      "nix-command"
-    ];
-    substituters = [
-      "https://nix-cache.clerie.de"
-    ];
-    trusted-public-keys = [
-      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
-    ];
-  };
-
-  # Pin current nixpkgs channel and flake registry to the nixpkgs version
-  # the host got build with
-  nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
-  nix.registry = {
-    "nixpkgs" = lib.mkForce {
-       from = {
-         type = "indirect";
-         id = "nixpkgs";
-       };
-       to = {
-         type = "path";
-         path = lib.cleanSource pkgs.path;
-       };
-       exact = true;
-    };
-    "templates" = {
-       from = {
-         type = "indirect";
-         id = "templates";
-       };
-       to = {
-         type = "git";
-         url = "https://git.clerie.de/clerie/flake-templates.git";
-       };
-    };
-  };
-
-  documentation.doc.enable = false;
-
-  environment.systemPackages = with pkgs; [
-    nix-remove-result-links
-  ];
-}
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -2,9 +2,8 @@

 {

-  imports = [
-    ../../configuration/gpg-ssh
-  ];
+  profiles.clerie.gpg-ssh.enable = true;
+
  programs.gnupg.agent = {
    pinentryPackage = pkgs.pinentry-gtk2;
  };
--- a/configuration/gpg-ssh/default.nix
+++ b/configuration/gpg-ssh/default.nix
@@ -1,51 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
-
-  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
-    configureFlags = prev.configureFlags ++ [
-      # Make sure scdaemon never ever again tries to use its own ccid driver
-      "--disable-ccid-driver"
-    ];
-  });
-
-in {
-
-  programs.gnupg.package = custom_gnupg;
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
-    pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
-  };
-
-  environment.systemPackages = with pkgs; [
-    custom_gnupg
-    yubikey-personalization
-    openpgp-card-tools
-
-    # Add wrapper around ssh that takes the gnupg ssh-agent
-    # instead of gnome-keyring
-    ssh-gpg
-  ];
-
-  services.pcscd.enable = true;
-
-  # pcscd sometimes breaks and seem to need a manual restart
-  # so we allow users to restart that service themself
-  security.polkit.extraConfig = ''
-    polkit.addRule(function(action, subject) {
-        if (
-            action.id == "org.freedesktop.systemd1.manage-units"
-            && action.lookup("unit") == "pcscd.service"
-            && action.lookup("verb") == "restart"
-            && subject.isInGroup("users")
-        ) {
-            return polkit.Result.YES;
-        }
-    });
-  '';
-
-  services.udev.packages = with pkgs; [
-    yubikey-personalization
-  ];
-}
--- a/flake.lock
+++ b/flake.lock
@@ -532,6 +532,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-carbon": {
+      "locked": {
+        "lastModified": 1751206202,
+        "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
+        "owner": "clerie",
+        "repo": "nixpkgs",
+        "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
+        "type": "github"
+      },
+      "original": {
+        "owner": "clerie",
+        "ref": "clerie/always-setup-netdevs",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
@@ -731,6 +747,7 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_5",
        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
+        "nixpkgs-carbon": "nixpkgs-carbon",
        "nurausstieg": "nurausstieg",
        "rainbowrss": "rainbowrss",
        "scan-to-gpg": "scan-to-gpg",
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,7 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
    # for etesync-dav
    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -70,7 +71,6 @@
  };
  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
    lib = import ./lib inputs;
-    localNixpkgs = import ./flake/nixpkgs.nix inputs;
  in {
    clerie.hosts = {
      aluminium = {
@@ -140,14 +140,17 @@
      clerie-overrides = import ./pkgs/overrides/overlay.nix;
    };

+    nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+      lib.mkNixpkgs {
+        inherit system;
+      }
+    );
+
    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
-      let
-       pkgs = localNixpkgs.${system};
-      in
      nixpkgs.lib.genAttrs (
        (builtins.attrNames (self.overlays.clerie-pkgs null null))
        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
-      ) (name: pkgs."${name}")
+      ) (name: self.nixpkgs."${system}"."${name}")
    );

    inherit lib self;
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -10,8 +10,10 @@ let
    group ? null,
    modules ? [],
  }: let
+    localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
  in self.lib.nixosSystem {
    system = system;
+    nixpkgs = localNixpkgs;
    modules = modules ++ [
      ({ config, lib, ... }: {
        # Set hostname
--- a/flake/nixpkgs.nix
+++ b/flake/nixpkgs.nix
@@ -1,19 +0,0 @@
-{ self
-, nixpkgs
-, ...
-}@inputs:
-
-let
-  mkNixpkgs = { system, ... }@args: 
-    import nixpkgs {
-      inherit system;
-      overlays = [
-        self.overlays.clerie-inputs
-        self.overlays.clerie-pkgs
-        self.overlays.clerie-build-support
-        self.overlays.clerie-overrides
-      ];
-    };
-
-in
-  nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -3,9 +3,9 @@
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
-    ../../configuration/gpg-ssh
  ];

+  profiles.clerie.gpg-ssh.enable = true;
  profiles.clerie.network-fallback-dhcp.enable = true;

  # systemd in initrd is broken with ISOs
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -63,10 +63,10 @@

  systemd.services.kea-dhcp4-server = {
    after = [
-      "network-setup.service"
+      "network.target"
    ];
-    requires = [
-      "network-setup.service"
+    wants = [
+      "network.target"
    ];
  };

--- a/lib/default.nix
+++ b/lib/default.nix
@@ -8,6 +8,7 @@ let

  lib = {
    clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
+    mkNixpkgs = callLibs ./mkNixpkgs.nix;
    nixosSystem = callLibs ./nixosSystem.nix;
  };

--- a/lib/mkNixpkgs.nix
+++ b/lib/mkNixpkgs.nix
@@ -0,0 +1,27 @@
+{
+  inputs,
+  self,
+  ...
+}:
+
+/*
+
+  Loads a version of nixpkgs with nixfiles overlays loaded
+
+*/
+{
+  system,
+  nixpkgs ? inputs.nixpkgs,
+  overlays ? [],
+  ...
+}@args:
+
+import nixpkgs {
+  inherit system;
+  overlays = [
+    self.overlays.clerie-inputs
+    self.overlays.clerie-pkgs
+    self.overlays.clerie-build-support
+    self.overlays.clerie-overrides
+  ] ++ overlays;
+}
--- a/lib/nixosSystem.nix
+++ b/lib/nixosSystem.nix
@@ -12,16 +12,17 @@
 */
 {
  system ? null,
+  nixpkgs ? inputs.nixpkgs,
  pkgs ? null,
  modules ? [],
  ...
 }@args:

-let
-  localNixpkgs = import ../flake/nixpkgs.nix inputs;
-in inputs.nixpkgs.lib.nixosSystem ({
+nixpkgs.lib.nixosSystem ({
  system = system;
-  pkgs = if pkgs != null then pkgs else localNixpkgs.${system};
+  pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
+    inherit system nixpkgs;
+  });
  modules = [
    self.nixosModules.nixfilesInputs
    self.nixosModules.clerie
@@ -38,4 +39,4 @@ in inputs.nixpkgs.lib.nixosSystem ({
      };
    })
  ] ++ modules;
-} // builtins.removeAttrs args [ "system" "pkgs" "modules" ] )
+} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )
--- a/profiles/common-nix/default.nix
+++ b/profiles/common-nix/default.nix
@@ -0,0 +1,88 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+
+let
+
+  cfg = config.profiles.clerie.common-nix;
+
+in {
+
+  options.profiles.clerie.common-nix = {
+    enable = mkEnableOption "Common nix config";
+    useClerieNixCache = (mkEnableOption "Use nix cache from clerie") // {
+      default = true;
+    };
+  };
+
+  config = mkIf config.profiles.clerie.common-nix.enable {
+
+    clerie.nixfiles.enable = true;
+
+    clerie.system-auto-upgrade.enable = true;
+
+    nix.settings = {
+      trusted-users = [ "@wheel" "@guests" ];
+      auto-optimise-store = true;
+      # Keep buildtime dependencies
+      keep-outputs = true;
+      # Build local, when caches are broken
+      fallback = true;
+    };
+
+    nix.gc = lib.mkDefault {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+
+
+    nix.settings = {
+      experimental-features = [
+        "flakes"
+        "nix-command"
+      ];
+      substituters = if cfg.useClerieNixCache then [
+        "https://nix-cache.clerie.de"
+      ] else [];
+      trusted-public-keys = if cfg.useClerieNixCache then [
+        "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+      ] else [];
+    };
+
+    # Pin current nixpkgs channel and flake registry to the nixpkgs version
+    # the host got build with
+    nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+    nix.registry = {
+      "nixpkgs" = lib.mkForce {
+         from = {
+           type = "indirect";
+           id = "nixpkgs";
+         };
+         to = {
+           type = "path";
+           path = lib.cleanSource pkgs.path;
+         };
+         exact = true;
+      };
+      "templates" = {
+         from = {
+           type = "indirect";
+           id = "templates";
+         };
+         to = {
+           type = "git";
+           url = "https://git.clerie.de/clerie/flake-templates.git";
+         };
+      };
+    };
+
+    documentation.doc.enable = false;
+
+    environment.systemPackages = with pkgs; [
+      nix-remove-result-links
+    ];
+
+  };
+
+}
--- a/profiles/common/default.nix
+++ b/profiles/common/default.nix
@@ -13,6 +13,7 @@ with lib;
    profiles.clerie.common-dns.enable = mkDefault true;

    profiles.clerie.common-networking.enable = mkDefault true;
+    profiles.clerie.common-nix.enable = mkDefault true;

    profiles.clerie.common-webserver.enable = mkDefault true;

--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -6,11 +6,13 @@
    ./common
    ./common-dns
    ./common-networking
+    ./common-nix
    ./common-webserver
    ./cybercluster-vm
    ./dn42-router
    ./fem-net
    ./firefox
+    ./gpg-ssh
    ./hetzner-cloud
    ./hydra-build-machine
    ./mercury-vm
--- a/profiles/gpg-ssh/default.nix
+++ b/profiles/gpg-ssh/default.nix
@@ -0,0 +1,64 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+
+  cfg = config.profiles.clerie.gpg-ssh;
+
+  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+    configureFlags = prev.configureFlags ++ [
+      # Make sure scdaemon never ever again tries to use its own ccid driver
+      "--disable-ccid-driver"
+    ];
+  });
+
+in {
+
+  options.profiles.clerie.gpg-ssh = {
+    enable = mkEnableOption "SSH integration for GPG";
+  };
+
+  config = mkIf config.profiles.clerie.gpg-ssh.enable {
+
+    programs.gnupg.package = custom_gnupg;
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
+    };
+
+    environment.systemPackages = with pkgs; [
+      custom_gnupg
+      yubikey-personalization
+      openpgp-card-tools
+
+      # Add wrapper around ssh that takes the gnupg ssh-agent
+      # instead of gnome-keyring
+      ssh-gpg
+    ];
+
+    services.pcscd.enable = true;
+
+    # pcscd sometimes breaks and seem to need a manual restart
+    # so we allow users to restart that service themself
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) {
+          if (
+              action.id == "org.freedesktop.systemd1.manage-units"
+              && action.lookup("unit") == "pcscd.service"
+              && action.lookup("verb") == "restart"
+              && subject.isInGroup("users")
+          ) {
+              return polkit.Result.YES;
+          }
+      });
+    '';
+
+    services.udev.packages = with pkgs; [
+      yubikey-personalization
+    ];
+
+  };
+
+}