diff --git a/flake.lock b/flake.lock index a996ab4..7143da3 100644 --- a/flake.lock +++ b/flake.lock @@ -91,27 +91,27 @@ ] }, "locked": { - "lastModified": 1702195668, - "narHash": "sha256-Lxmjez0nfNBptdqV5GsXKm7Bb7swjGsrxiLxWJu0tL8=", + "lastModified": 1706981411, + "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "33110fb3c7fe6a94b98b641866a5eddb64b7c23f", + "rev": "652fda4ca6dafeb090943422c34ae9145787af37", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } }, "impermanence": { "locked": { - "lastModified": 1703656108, - "narHash": "sha256-hCSUqdFJKHHbER8Cenf5JRzjMlBjIdwdftGQsO0xoJs=", + "lastModified": 1706639736, + "narHash": "sha256-CaG4j9+UwBDfinxxvJMo6yOonSmSo0ZgnbD7aj2Put0=", "owner": "nix-community", "repo": "impermanence", - "rev": "033643a45a4a920660ef91caa391fbffb14da466", + "rev": "cd13c2917eaa68e4c49fea0ff9cada45440d7045", "type": "github" }, "original": { 
@@ -123,27 +123,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "lastModified": 1707347730, + "narHash": "sha256-0etC/exQIaqC9vliKhc3eZE2Mm2wgLa0tj93ZF/egvM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "6832d0d99649db3d65a0e15fa51471537b2c56a6", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1705316053, - "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=", + "lastModified": 1707268954, + "narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370", + "rev": "f8e2ebd66d097614d51a56a755450d4ae1632df1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 12fefeb..b7af61d 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; flake-utils.url = "github:numtide/flake-utils"; @@ -8,7 +8,7 @@ agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; - home-manager.url = "github:nix-community/home-manager/release-23.05"; + home-manager.url = "github:nix-community/home-manager/release-23.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; impermanence.url = "github:nix-community/impermanence/master"; diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix index 020bc29..a3eff80 100644 --- a/hosts/router.home.ts.hillion.co.uk/default.nix +++ b/hosts/router.home.ts.hillion.co.uk/default.nix 
@@ -254,7 +254,6 @@ ## Netdata services.netdata = { enable = true; - group = "caddy"; config = { web = { "bind to" = "unix:/run/netdata/netdata.sock"; @@ -268,11 +267,17 @@ extraConfig = "reverse_proxy unix///run/netdata/netdata.sock"; }; }; - - ### HACK: caddy needs tailscale to be up so allow it to restart on failure - systemd.services.caddy.serviceConfig = { - Restart = lib.mkForce "on-failure"; - RestartSec = 15; + users.users.caddy.extraGroups = [ "netdata" ]; + ### HACK: Allow Caddy to restart if it fails. This happens because Tailscale + ### is too late at starting. Upstream nixos caddy does restart on failure + ### but it's prevented on exit code 1. Set the exit code to 0 (non-failure) + ### to override this. + systemd.services.caddy = { + requires = [ "tailscaled.service" ]; + after = [ "tailscaled.service" ]; + serviceConfig = { + RestartPreventExitStatus = lib.mkForce 0; + }; }; }; } diff --git a/hosts/tywin.storage.ts.hillion.co.uk/default.nix b/hosts/tywin.storage.ts.hillion.co.uk/default.nix index 969186b..bfe08a8 100644 --- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix +++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix @@ -134,7 +134,17 @@ reverse_proxy http://localhost:8000 ''; }; - systemd.services.caddy.requires = [ "tailscaled.service" ]; + ### HACK: Allow Caddy to restart if it fails. This happens because Tailscale + ### is too late at starting. Upstream nixos caddy does restart on failure + ### but it's prevented on exit code 1. Set the exit code to 0 (non-failure) + ### to override this. + systemd.services.caddy = { + requires = [ "tailscaled.service" ]; + after = [ "tailscaled.service" ]; + serviceConfig = { + RestartPreventExitStatus = lib.mkForce 0; + }; + }; services.restic.backups."prune-128G" = { repository = "/data/backups/restic/128G"; diff --git a/modules/common/hostinfo.nix b/modules/common/hostinfo.nix index e548b3d..e839d80 100644 --- a/modules/common/hostinfo.nix +++ b/modules/common/hostinfo.nix 
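Review bot: `users.users.caddy.extraGroups = [ "netdata" ];` in the second router hunk gives the Caddy user every permission the `netdata` group holds, while the proxy only needs to connect to `/run/netdata/netdata.sock`. Compared with the removed `group = "caddy";`, the sharing now runs the other way: the network-facing proxy can read whatever Netdata leaves group-readable, and which files those are is not visible in this diff. It is worth confirming that the socket is group-writable under Netdata's default group. The intent could be recorded next to the line, for example `# caddy is in netdata only to reach /run/netdata/netdata.sock`. The enclosing attribute set starts outside the hunk.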
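Review bot: `requires`/`after` on `tailscaled.service` only orders Caddy behind the daemon's start, not behind the tailnet address being assigned, so the unit still relies on the restart loop to come up; the identical block is added in the router hunk above. With `RestartPreventExitStatus` forced to `0`, the retry pacing is whatever the upstream caddy unit sets, and the router's earlier `RestartSec = 15;` is gone. If upstream also applies a start limit (not visible here), a slow Tailscale login could exhaust it and leave the proxy down until someone intervenes. Consider keeping an explicit `RestartSec = lib.mkForce 15;` in `serviceConfig`, and moving the duplicated block into a shared module so both hosts stay in step.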
@@ -17,7 +17,7 @@ in script = "${pkgs.writers.writePerl "hostinfo" { libraries = with pkgs; [ - perl536Packages.HTTPDaemon + perlPackages.HTTPDaemon ]; } '' use v5.10; diff --git a/modules/impermanence.nix b/modules/impermanence.nix index 2acbfce..3e54889 100644 --- a/modules/impermanence.nix +++ b/modules/impermanence.nix @@ -59,6 +59,8 @@ in name = x; value = { home.persistence."/data/users/${x}" = { + allowOther = false; + files = [ ".zsh_history" ] ++ cfg.userExtraFiles.${x} or [ ]; diff --git a/modules/services/mastodon/default.nix b/modules/services/mastodon/default.nix index 1d2147f..e70b831 100644 --- a/modules/services/mastodon/default.nix +++ b/modules/services/mastodon/default.nix @@ -54,6 +54,8 @@ in extraConfig = { EMAIL_DOMAIN_WHITELIST = "hillion.co.uk"; }; + + streamingProcesses = 9; }; caddy = { diff --git a/modules/users.nix b/modules/users.nix index b2aae25..d0fdf78 100644 --- a/modules/users.nix +++ b/modules/users.nix @@ -16,6 +16,6 @@ in config = lib.mkIf cfg.jake.password { age.secrets."passwords/jake".file = ../secrets/passwords/jake.age; - users.users.jake.passwordFile = config.age.secrets."passwords/jake".path; + users.users.jake.hashedPasswordFile = config.age.secrets."passwords/jake".path; }; }
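Review bot: `allowOther = false;` in the impermanence hunk is added without a comment saying why, and it is a security-relevant choice. As I understand the impermanence home-manager option, it decides whether users other than the owner (root included) can reach files through the persistence mounts under `/data/users/${x}`. A one-line comment such as `# keep persisted home mounts private to the owning user` would record that this is deliberate. Check whether any system service reads a user's persisted files through these mounts, since it would be affected. The `home.persistence` attribute set continues outside the hunk.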
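Review bot: `streamingProcesses = 9;` in the mastodon hunk is an unexplained literal in a shared module, so every host that enables the module gets nine streaming processes regardless of its CPU count. If the value was sized for one machine (the NixOS option's guidance, from memory, is core count minus one), say so in a comment like `# mastodon-streaming workers: cores - 1 on the current host`. Alternatively, expose it as a module option with this value as the default.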