From 69d03945f1027df7fc8d9d27a8be9d71712584f0 Mon Sep 17 00:00:00 2001
From: V
Date: Thu, 2 Jun 2022 18:44:20 +0200
Subject: fleet: upgrade to NixOS 22.05
Change-Id: Ie5542d079ee7b2de06e0faed52343905b3287b39
---
 fleet/configuration.nix | 2 +-
 fleet/hosts/kaikou/default.nix | 2 +-
 fleet/hosts/kaikou/gerrit.nix | 2 +-
 fleet/hosts/trieste/cgit/default.nix | 4 +-
 fleet/hosts/trieste/default.nix | 2 +-
 fleet/hosts/trieste/lists.nix | 2 +-
 fleet/hosts/trieste/web.nix | 2 +-
 fleet/hosts/vityaz/default.nix | 2 +-
 fleet/modules/acme.nix | 4 +-
 fleet/modules/cgiserver.nix | 11 ++---
 fleet/modules/public-inbox.nix | 4 ++
 fleet/modules/web.nix | 4 +-
 fleet/pkgs/overlay.nix | 10 -----
 .../permission-warnings-only-when-necessary.patch | 50 ----------------------
 14 files changed, 22 insertions(+), 79 deletions(-)
 delete mode 100644 fleet/pkgs/permission-warnings-only-when-necessary.patch
(limited to 'fleet')
diff --git a/fleet/configuration.nix b/fleet/configuration.nix
index 2ba819a..736e0d5 100644
--- a/fleet/configuration.nix
+++ b/fleet/configuration.nix
@@ -97,7 +97,7 @@ in {
 services.openssh = {
 enable = true;
 passwordAuthentication = false;
- challengeResponseAuthentication = false;
+ kbdInteractiveAuthentication = false;
 # TODO(V): Route exclusively over WireGuard, if you dare
 };
diff --git a/fleet/hosts/kaikou/default.nix b/fleet/hosts/kaikou/default.nix
index fcb22db..6fe132b 100644
--- a/fleet/hosts/kaikou/default.nix
+++ b/fleet/hosts/kaikou/default.nix
@@ -29,7 +29,7 @@ with lib;
 prefixLength = 64;
 };
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 kaikou.unfathomable.blue {
 import common
 redir / https://en.wikipedia.org/wiki/Kaik%C5%8D_ROV
diff --git a/fleet/hosts/kaikou/gerrit.nix b/fleet/hosts/kaikou/gerrit.nix
index f97ba23..5308ad4 100644
--- a/fleet/hosts/kaikou/gerrit.nix
+++ b/fleet/hosts/kaikou/gerrit.nix
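Review bot: The renamed line leaves `services.openssh` with two authentication switches that only read as "key-only SSH" when taken together, and nothing in the block says so; a one-line comment above `passwordAuthentication = false;` such as `# Key-only SSH: password and keyboard-interactive (PAM) authentication are both off` would keep the intent visible through the next option rename. `kbdInteractiveAuthentication` is the 22.05 name for what was `challengeResponseAuthentication`, so the change itself looks correct and the existing TODO about WireGuard still applies unchanged.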
@@ -32,7 +32,7 @@
 };
 };
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 review.unfathomable.blue {
 import common
 reverse_proxy localhost:8080
diff --git a/fleet/hosts/trieste/cgit/default.nix b/fleet/hosts/trieste/cgit/default.nix
index 880842b..17f3e4f 100644
--- a/fleet/hosts/trieste/cgit/default.nix
+++ b/fleet/hosts/trieste/cgit/default.nix
@@ -21,7 +21,7 @@ let
 '';
 passAsFile = [ "extraStyles" ];
 } ''
- ${pkgs.minify}/bin/minify --type css ${pkgs.cgit}/cgit/cgit.css $extraStylesPath -o $out/cgit.css
+ ${pkgs.minify}/bin/minify --type css --bundle ${pkgs.cgit}/cgit/cgit.css $extraStylesPath -o $out/cgit.css
 cp ${./un.svg} $out/un.svg # TODO(V): remove this variant, apply padding to the Sigil using CSS
 cp ${./unicon.svg} $out/unicon.svg # This is the same as un.svg, but without any padding
 cp ${./ripple.svg} $out/ripple.svg # This is referenced in git.nix (as config.cgit.logo, for Ripple)
@@ -75,7 +75,7 @@ in {
 };
 # TODO(V): set up git-http-backend. Disable enable-http-clone when we've done that?
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 src.unfathomable.blue {
 import common
diff --git a/fleet/hosts/trieste/default.nix b/fleet/hosts/trieste/default.nix
index 1ca50ac..97dfbd0 100644
--- a/fleet/hosts/trieste/default.nix
+++ b/fleet/hosts/trieste/default.nix
@@ -39,7 +39,7 @@ with lib;
 prefixLength = 64;
 };
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 trieste.unfathomable.blue {
 import common
 redir / https://en.wikipedia.org/wiki/Trieste_(bathyscaphe)
diff --git a/fleet/hosts/trieste/lists.nix b/fleet/hosts/trieste/lists.nix
index a4e9a69..87c46d9 100644
--- a/fleet/hosts/trieste/lists.nix
+++ b/fleet/hosts/trieste/lists.nix
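Review bot: The `--bundle` flag added to the minify invocation in the cgit `@@ -21,7 +21,7 @@` hunk is what lets the two inputs (`cgit.css` and `$extraStylesPath`) land in the single `-o $out/cgit.css` target, but the line gives no hint of why it arrived with this upgrade, so it is at risk of being dropped as noise later. A short comment on the line above it, e.g. `# --bundle: concatenate both inputs into one output file (newer minify presumably treats -o as a directory for multiple inputs otherwise)`, would record the reason. The derivation wrapping this builder script starts outside the hunk.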
@@ -49,7 +49,7 @@ with lib;
 # By default, the index 404s with the rather confusing message "no inboxes, yet", even when there are inboxes configured.
 services.public-inbox.settings.publicinbox.wwwlisting = "all";
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 lists.unfathomable.blue {
 import common
 reverse_proxy unix//run/public-inbox/httpd.sock
diff --git a/fleet/hosts/trieste/web.nix b/fleet/hosts/trieste/web.nix
index d32fc44..9b7752b 100644
--- a/fleet/hosts/trieste/web.nix
+++ b/fleet/hosts/trieste/web.nix
@@ -16,7 +16,7 @@
 '')
 ];
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 unfathomable.blue {
 import common
 respond / "the depths await"
diff --git a/fleet/hosts/vityaz/default.nix b/fleet/hosts/vityaz/default.nix
index 8508518..bd7af5f 100644
--- a/fleet/hosts/vityaz/default.nix
+++ b/fleet/hosts/vityaz/default.nix
@@ -71,7 +71,7 @@ with lib;
 boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 vityaz.unfathomable.blue {
 import common
 redir / https://en.wikipedia.org/wiki/Vityaz-D_Autonomous_Underwater_Vehicle
diff --git a/fleet/modules/acme.nix b/fleet/modules/acme.nix
index f06ac4e..0c04228 100644
--- a/fleet/modules/acme.nix
+++ b/fleet/modules/acme.nix
@@ -32,10 +32,10 @@ in {
 config = {
 security.acme = {
 acceptTerms = true;
- email = "acme@unfathomable.blue";
+ defaults.email = "acme@unfathomable.blue";
 };
- services.caddy.config = ''
+ services.caddy.extraConfig = ''
 ${concatStringsSep ", " (unique (mapAttrsToList (_: cert: "http://${cert.domain}") config.security.acme.certs))} {
 import all
diff --git a/fleet/modules/cgiserver.nix b/fleet/modules/cgiserver.nix
index 6cafbe0..a3e94c2 100644
--- a/fleet/modules/cgiserver.nix
+++ b/fleet/modules/cgiserver.nix
@@ -1,15 +1,16 @@
 # SPDX-FileCopyrightText: V
 # SPDX-License-Identifier: OSL-3.0
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, utils, pkgs, ... }:
 with lib;
 let
 cfg = config.services.cgiserver;
- inherit (import "${modulesPath}/system/boot/systemd-unit-options.nix" { inherit config lib; })
- serviceOptions socketOptions;
+ inherit (utils.systemdUtils.unitOptions)
+ serviceOptions
+ socketOptions;
 # TODO(V): These descriptions could use a bit of work.
 instanceOpts = { name, ... }: {
@@ -33,13 +34,13 @@ let
 serviceConfig = mkOption {
 description = "Extra options to put in the [Service] section of the application's service unit.";
- inherit (serviceOptions.serviceConfig) type;
+ inherit ((serviceOptions { name = null; config = null; }).options.serviceConfig) type;
 default = {};
 };
 listenStreams = mkOption {
 description = "Addresses to listen on, in the format used by the ListenStream option of systemd.socket(5).";
- inherit (socketOptions.listenStreams) type;
+ inherit (socketOptions.options.listenStreams) type;
 default = [ "/run/${name}/${name}.sock" ];
 };
 };
diff --git a/fleet/modules/public-inbox.nix b/fleet/modules/public-inbox.nix
index c263fad..d5e041c 100644
--- a/fleet/modules/public-inbox.nix
+++ b/fleet/modules/public-inbox.nix
@@ -50,6 +50,10 @@ let
 };
 };
 in {
+ # XXX(V): this is here to fix the build until we migrate to the
+ # upstream module that was added recently.
+ disabledModules = [ "services/mail/public-inbox.nix" ];
+
 options.services.public-inbox = {
 enable = mkOption {
 type = types.bool;
diff --git a/fleet/modules/web.nix b/fleet/modules/web.nix
index 248f78b..b4328b7 100644
--- a/fleet/modules/web.nix
+++ b/fleet/modules/web.nix
@@ -8,7 +8,7 @@
 enable = true;
 # Snippets must be defined before they are used, so the mkBefore ensures they come first.
- config = lib.mkBefore ''
+ extraConfig = lib.mkBefore ''
 (all) {
 log {
 output file /var/log/caddy/access.log
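Review bot: The two new `inherit` lines in the cgiserver `@@ -33,13 +34,13 @@` hunk reach into `utils.systemdUtils.unitOptions` in two different shapes — `serviceOptions` is applied as a function with `{ name = null; config = null; }` and then `.options.serviceConfig` is read, while `socketOptions` is read as a plain attrset via `.options.listenStreams` — and neither line explains the asymmetry. `utils.systemdUtils` is no more a stable interface than the `modulesPath` import the first hunk replaces, so the next NixOS bump can break either line with no obvious pointer back here. A comment above the first `inherit` in the `let`, e.g. `# systemdUtils is nixpkgs-internal: serviceOptions is a function of { name, config }, socketOptions a plain option set -- re-check both on every NixOS upgrade`, would record that assumption where the next maintainer will look. `instanceOpts` continues past the end of both hunks.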
@@ -40,7 +40,5 @@
 '';
 };
- systemd.services.caddy.serviceConfig.LogsDirectory = "caddy";
-
 networking.firewall.interfaces.ens3.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/fleet/pkgs/overlay.nix b/fleet/pkgs/overlay.nix
index 49cc524..95330fa 100644
--- a/fleet/pkgs/overlay.nix
+++ b/fleet/pkgs/overlay.nix
@@ -10,16 +10,6 @@ final: prev: {
 public-inbox = final.perlPackages.callPackage ./public-inbox {};
 public-inbox-init-lite = final.callPackage ./public-inbox-init-lite {};
- # Fixes bundler complaining loudly if $HOME is read-only or unset
- # Taken from https://github.com/rubygems/rubygems/pull/4724
- # This is here because the CGit about filter invokes Asciidoctor,
- # which otherwise causes its log to fill with spurious error messages.
- # Can be removed once Bundler 2.2.23 or above makes its way into stable.
- bundler = prev.bundler.overrideAttrs ({ patches ? [], ... }: {
- patches = patches ++ [ ./permission-warnings-only-when-necessary.patch ];
- dontBuild = false;
- });
-
 # Fixes archives having silly permissions due to Postfix messing with the umask
 mlmmj = prev.mlmmj.overrideAttrs ({ patches ? [], ... }: {
 patches = patches ++ [ ./group-readable-archives.patch ];
diff --git a/fleet/pkgs/permission-warnings-only-when-necessary.patch b/fleet/pkgs/permission-warnings-only-when-necessary.patch
deleted file mode 100644
index 4a557a5..0000000
--- a/fleet/pkgs/permission-warnings-only-when-necessary.patch
+++ /dev/null
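Review bot: Removing `systemd.services.caddy.serviceConfig.LogsDirectory = "caddy";` leaves the `output file /var/log/caddy/access.log` line in this file's first hunk depending on the upgraded module to create `/var/log/caddy` itself, and nothing in the file records that assumption. If the 22.05 module does provision that directory from its own log-directory option (presumably; to be confirmed against the module), either a comment on the `output file` line such as `# /var/log/caddy is created by the NixOS caddy module as of 22.05; keep this path in sync with services.caddy.logDir` or interpolating the module's option into the path would stop the two from drifting apart. The enclosing attribute set starts outside the hunk.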
@@ -1,50 +0,0 @@
-SPDX-FileCopyrightText: David Rodríguez
-SPDX-License-Identifier: MIT
---- a/lib/bundler.rb
-+++ b/lib/bundler.rb
-@@ -236,8 +236,9 @@ def user_home
- end
-
- if warning
-- user_home = tmp_home_path(warning)
-- Bundler.ui.warn "#{warning}\nBundler will use `#{user_home}' as your home directory temporarily.\n"
-+ Bundler.ui.warn "#{warning}\n"
-+ user_home = tmp_home_path
-+ Bundler.ui.warn "Bundler will use `#{user_home}' as your home directory temporarily.\n"
- user_home
- else
- Pathname.new(home)
-@@ -684,15 +685,13 @@ def configure_gem_home
- Bundler.rubygems.clear_paths
- end
-
-- def tmp_home_path(warning)
-+ def tmp_home_path
- Kernel.send(:require, "tmpdir")
- SharedHelpers.filesystem_access(Dir.tmpdir) do
- path = Bundler.tmp
- at_exit { Bundler.rm_rf(path) }
- path
- end
-- rescue RuntimeError => e
-- raise e.exception("#{warning}\nBundler also failed to create a temporary home directory':\n#{e}")
- end
-
- # @param env [Hash]
-
---- a/lib/bundler/settings.rb
-+++ b/lib/bundler/settings.rb
-@@ -428,12 +428,8 @@ def printable_value(value, key)
- def global_config_file
- if ENV["BUNDLE_CONFIG"] && !ENV["BUNDLE_CONFIG"].empty?
- Pathname.new(ENV["BUNDLE_CONFIG"])
-- else
-- begin
-- Bundler.user_bundle_path("config")
-- rescue PermissionError, GenericSystemCallError
-- nil
-- end
-+ elsif Bundler.rubygems.user_home && !Bundler.rubygems.user_home.empty?
-+ Pathname.new(Bundler.rubygems.user_home).join(".bundle/config")
- end
- end
-- cgit 1.4.1