Update from updated-inputs-2025-06-30-01-03

2025-06-30 03:04:01 +02:00
parent e03f4f80eb 815c65ea62
commit 508d65a4d7
17 changed files with 222 additions and 158 deletions
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -7,7 +7,6 @@
    ./initrd.nix
    ./locale.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
    ./ssh.nix
    ./systemd.nix
--- a/configuration/common/nix.nix
+++ b/configuration/common/nix.nix
@@ -1,70 +0,0 @@
 { lib, pkgs, ... }:
 {
  clerie.nixfiles.enable = true;
  clerie.system-auto-upgrade.enable = true;
  nix.settings = {
    trusted-users = [ "@wheel" "@guests" ];
    auto-optimise-store = true;
    # Keep buildtime dependencies
    keep-outputs = true;
    # Build local, when caches are broken
    fallback = true;
  };
  nix.gc = lib.mkDefault {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };
  nix.settings = {
    experimental-features = [
      "flakes"
      "nix-command"
    ];
    substituters = [
      "https://nix-cache.clerie.de"
    ];
    trusted-public-keys = [
      "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
    ];
  };
  # Pin current nixpkgs channel and flake registry to the nixpkgs version
  # the host got build with
  nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
  nix.registry = {
    "nixpkgs" = lib.mkForce {
       from = {
         type = "indirect";
         id = "nixpkgs";
       };
       to = {
         type = "path";
         path = lib.cleanSource pkgs.path;
       };
       exact = true;
    };
    "templates" = {
       from = {
         type = "indirect";
         id = "templates";
       };
       to = {
         type = "git";
         url = "https://git.clerie.de/clerie/flake-templates.git";
       };
    };
  };
  documentation.doc.enable = false;
  environment.systemPackages = with pkgs; [
    nix-remove-result-links
  ];
 }
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -2,9 +2,8 @@
 {
-  imports = [
+  profiles.clerie.gpg-ssh.enable = true;
-    ../../configuration/gpg-ssh
+
  ];
  programs.gnupg.agent = {
    pinentryPackage = pkgs.pinentry-gtk2;
  };
--- a/configuration/gpg-ssh/default.nix
+++ b/configuration/gpg-ssh/default.nix
@@ -1,51 +0,0 @@
 { pkgs, lib, ... }:
 let
  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
    configureFlags = prev.configureFlags ++ [
      # Make sure scdaemon never ever again tries to use its own ccid driver
      "--disable-ccid-driver"
    ];
  });
 in {
  programs.gnupg.package = custom_gnupg;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
  };
  environment.systemPackages = with pkgs; [
    custom_gnupg
    yubikey-personalization
    openpgp-card-tools
    # Add wrapper around ssh that takes the gnupg ssh-agent
    # instead of gnome-keyring
    ssh-gpg
  ];
  services.pcscd.enable = true;
  # pcscd sometimes breaks and seem to need a manual restart
  # so we allow users to restart that service themself
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
        if (
            action.id == "org.freedesktop.systemd1.manage-units"
            && action.lookup("unit") == "pcscd.service"
            && action.lookup("verb") == "restart"
            && subject.isInGroup("users")
        ) {
            return polkit.Result.YES;
        }
    });
  '';
  services.udev.packages = with pkgs; [
    yubikey-personalization
  ];
 }
--- a/flake.lock
+++ b/flake.lock
@@ -532,6 +532,22 @@
        "type": "github"
      }
    },
    "nixpkgs-carbon": {
      "locked": {
        "lastModified": 1751206202,
        "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
        "owner": "clerie",
        "repo": "nixpkgs",
        "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
        "type": "github"
      },
      "original": {
        "owner": "clerie",
        "ref": "clerie/always-setup-netdevs",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-regression": {
      "locked": {
        "lastModified": 1643052045,
@@ -731,6 +747,7 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_5",
        "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
        "nixpkgs-carbon": "nixpkgs-carbon",
        "nurausstieg": "nurausstieg",
        "rainbowrss": "rainbowrss",
        "scan-to-gpg": "scan-to-gpg",
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,7 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
    # for etesync-dav
    nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -70,7 +71,6 @@
  };
  outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
    lib = import ./lib inputs;
    localNixpkgs = import ./flake/nixpkgs.nix inputs;
  in {
    clerie.hosts = {
      aluminium = {
@@ -140,14 +140,17 @@
      clerie-overrides = import ./pkgs/overrides/overlay.nix;
    };
    nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
      lib.mkNixpkgs {
        inherit system;
      }
    );
    packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
      let
       pkgs = localNixpkgs.${system};
      in
      nixpkgs.lib.genAttrs (
        (builtins.attrNames (self.overlays.clerie-pkgs null null))
        ++ (builtins.attrNames (self.overlays.clerie-overrides null null))
-      ) (name: pkgs."${name}")
+      ) (name: self.nixpkgs."${system}"."${name}")
    );
    inherit lib self;
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -10,8 +10,10 @@ let
    group ? null,
    modules ? [],
  }: let
    localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
  in self.lib.nixosSystem {
    system = system;
    nixpkgs = localNixpkgs;
    modules = modules ++ [
      ({ config, lib, ... }: {
        # Set hostname
--- a/flake/nixpkgs.nix
+++ b/flake/nixpkgs.nix
@@ -1,19 +0,0 @@
 { self
 , nixpkgs
 , ...
 }@inputs:
 let
  mkNixpkgs = { system, ... }@args: 
    import nixpkgs {
      inherit system;
      overlays = [
        self.overlays.clerie-inputs
        self.overlays.clerie-pkgs
        self.overlays.clerie-build-support
        self.overlays.clerie-overrides
      ];
    };
 in
  nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -3,9 +3,9 @@
 {
  imports = [
    (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
    ../../configuration/gpg-ssh
  ];
  profiles.clerie.gpg-ssh.enable = true;
  profiles.clerie.network-fallback-dhcp.enable = true;
  # systemd in initrd is broken with ISOs
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -63,10 +63,10 @@
  systemd.services.kea-dhcp4-server = {
    after = [
-      "network-setup.service"
+      "network.target"
    ];
-    requires = [
+    wants = [
-      "network-setup.service"
+      "network.target"
    ];
  };
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -8,6 +8,7 @@ let
  lib = {
    clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
    mkNixpkgs = callLibs ./mkNixpkgs.nix;
    nixosSystem = callLibs ./nixosSystem.nix;
  };
--- a/lib/mkNixpkgs.nix
+++ b/lib/mkNixpkgs.nix
@@ -0,0 +1,27 @@
 {
  inputs,
  self,
  ...
 }:
 /*
  Loads a version of nixpkgs with nixfiles overlays loaded
 */
 {
  system,
  nixpkgs ? inputs.nixpkgs,
  overlays ? [],
  ...
 }@args:
 import nixpkgs {
  inherit system;
  overlays = [
    self.overlays.clerie-inputs
    self.overlays.clerie-pkgs
    self.overlays.clerie-build-support
    self.overlays.clerie-overrides
  ] ++ overlays;
 }
--- a/lib/nixosSystem.nix
+++ b/lib/nixosSystem.nix
@@ -12,16 +12,17 @@
 */
 {
  system ? null,
  nixpkgs ? inputs.nixpkgs,
  pkgs ? null,
  modules ? [],
  ...
 }@args:
-let
+nixpkgs.lib.nixosSystem ({
  localNixpkgs = import ../flake/nixpkgs.nix inputs;
 in inputs.nixpkgs.lib.nixosSystem ({
  system = system;
-  pkgs = if pkgs != null then pkgs else localNixpkgs.${system};
+  pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
    inherit system nixpkgs;
  });
  modules = [
    self.nixosModules.nixfilesInputs
    self.nixosModules.clerie
@@ -38,4 +39,4 @@ in inputs.nixpkgs.lib.nixosSystem ({
      };
    })
  ] ++ modules;
-} // builtins.removeAttrs args [ "system" "pkgs" "modules" ] )
+} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )
--- a/profiles/common-nix/default.nix
+++ b/profiles/common-nix/default.nix
@@ -0,0 +1,88 @@
 { lib, pkgs, config, ... }:
 with lib;
 let
  cfg = config.profiles.clerie.common-nix;
 in {
  options.profiles.clerie.common-nix = {
    enable = mkEnableOption "Common nix config";
    useClerieNixCache = (mkEnableOption "Use nix cache from clerie") // {
      default = true;
    };
  };
  config = mkIf config.profiles.clerie.common-nix.enable {
    clerie.nixfiles.enable = true;
    clerie.system-auto-upgrade.enable = true;
    nix.settings = {
      trusted-users = [ "@wheel" "@guests" ];
      auto-optimise-store = true;
      # Keep buildtime dependencies
      keep-outputs = true;
      # Build local, when caches are broken
      fallback = true;
    };
    nix.gc = lib.mkDefault {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    nix.settings = {
      experimental-features = [
        "flakes"
        "nix-command"
      ];
      substituters = if cfg.useClerieNixCache then [
        "https://nix-cache.clerie.de"
      ] else [];
      trusted-public-keys = if cfg.useClerieNixCache then [
        "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
      ] else [];
    };
    # Pin current nixpkgs channel and flake registry to the nixpkgs version
    # the host got build with
    nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
    nix.registry = {
      "nixpkgs" = lib.mkForce {
         from = {
           type = "indirect";
           id = "nixpkgs";
         };
         to = {
           type = "path";
           path = lib.cleanSource pkgs.path;
         };
         exact = true;
      };
      "templates" = {
         from = {
           type = "indirect";
           id = "templates";
         };
         to = {
           type = "git";
           url = "https://git.clerie.de/clerie/flake-templates.git";
         };
      };
    };
    documentation.doc.enable = false;
    environment.systemPackages = with pkgs; [
      nix-remove-result-links
    ];
  };
 }
--- a/profiles/common/default.nix
+++ b/profiles/common/default.nix
@@ -13,6 +13,7 @@ with lib;
    profiles.clerie.common-dns.enable = mkDefault true;
    profiles.clerie.common-networking.enable = mkDefault true;
    profiles.clerie.common-nix.enable = mkDefault true;
    profiles.clerie.common-webserver.enable = mkDefault true;
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -6,11 +6,13 @@
    ./common
    ./common-dns
    ./common-networking
    ./common-nix
    ./common-webserver
    ./cybercluster-vm
    ./dn42-router
    ./fem-net
    ./firefox
    ./gpg-ssh
    ./hetzner-cloud
    ./hydra-build-machine
    ./mercury-vm
--- a/profiles/gpg-ssh/default.nix
+++ b/profiles/gpg-ssh/default.nix
@@ -0,0 +1,64 @@
 { pkgs, lib, config, ... }:
 with lib;
 let
  cfg = config.profiles.clerie.gpg-ssh;
  custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
    configureFlags = prev.configureFlags ++ [
      # Make sure scdaemon never ever again tries to use its own ccid driver
      "--disable-ccid-driver"
    ];
  });
 in {
  options.profiles.clerie.gpg-ssh = {
    enable = mkEnableOption "SSH integration for GPG";
  };
  config = mkIf config.profiles.clerie.gpg-ssh.enable {
    programs.gnupg.package = custom_gnupg;
    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
      pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
    };
    environment.systemPackages = with pkgs; [
      custom_gnupg
      yubikey-personalization
      openpgp-card-tools
      # Add wrapper around ssh that takes the gnupg ssh-agent
      # instead of gnome-keyring
      ssh-gpg
    ];
    services.pcscd.enable = true;
    # pcscd sometimes breaks and seem to need a manual restart
    # so we allow users to restart that service themself
    security.polkit.extraConfig = ''
      polkit.addRule(function(action, subject) {
          if (
              action.id == "org.freedesktop.systemd1.manage-units"
              && action.lookup("unit") == "pcscd.service"
              && action.lookup("verb") == "restart"
              && subject.isInGroup("users")
          ) {
              return polkit.Result.YES;
          }
      });
    '';
    services.udev.packages = with pkgs; [
      yubikey-personalization
    ];
  };
 }