From 0958ffd7dd871adad85416a0245180dbf26dec1a Mon Sep 17 00:00:00 2001 
From: Martin Fischer Date: Fri, 12 Jun 2026 08:06:52 +0200 Subject: deps: update to NixOS 26.05 For all: tailscale: 1.90.9 -> 1.98.2 zsh: 5.9 -> 5.9.1 hamac: android-studio 2025.2.1.8 -> 2025.3.4.7 anki: 25.09.3 -> 25.09.4 chromium: 148.0.7778.167 -> 149.0.7827.53 firefox: 150.0.3 -> 151.0.3 foot: 1.25.0 -> 1.27.0 gimp: 3.0.4 -> 3.0.8 i3status-rust: 0.34.0 -> 0.36.1 inkscape: 1.4.2 -> 1.4.4 krita: 5.2.15 -> 6.0.1 mako: 1.10.0 -> 1.11.0 thunderbird: 150.0.2 -> 151.0.1 vscodium: 1.106.27818 -> 1.116.02821 wireshark-qt: 4.6.5 -> 4.6.6 zathura: 0.5.13 -> 2026.05.20 zed-editor: 1.1.7 -> 1.5.4 docker-compose: 2.40.3 -> 5.1.4 go: 1.25.9 -> 1.26.3 hugo: 0.161.1 -> 0.162.1 jujutsu: 0.41.0 -> 0.42.0 just: 1.43.1 -> 1.51.0 scc: 3.5.0 -> 3.7.0 skim: 0.20.5 -> 4.0.0 coreutils-full: 9.8 -> 9.11 curl: 8.19.0 -> 8.20.0 file: 5.45 -> 5.47 gawk: 5.3.2 -> 5.4.0 git: 2.51.2 -> 2.54.0 htop: 3.4.1 -> 3.5.1 bluez: 5.84, 5.86 -> 5.86 iproute2: 6.17.0 -> 7.0.0 iptables: 1.8.11 -> 1.8.13 less: 679 -> 692 nix: 2.31.5 -> 2.34.7 nixfmt: 1.2.0 -> 1.3.1 npins: 0.3.1 -> 0.4.1 podman: 5.7.0 -> 5.8.2 networkmanager: 1.54.3 -> 1.56.0 openssl(bin): 3.6.1, 3.6.2 -> 3.6.2 shadow: 4.18.0 -> 4.19.4 swaylock: 1.8.4 -> 1.8.5 systemd: 258.7, 260.1 -> 260.1 time: 1.9 -> 1.10 tree: 2.2.1 -> 2.3.2 vim: 9.2.0340 -> 9.2.0389 wireguard-tools: 1.0.20250521 -> 1.0.20260223 xwayland: 24.1.10 -> 24.1.12 For ev: kodi-peripheral.joystick: 20.1.9 -> 21.1.23 miniflux: 2.2.19 -> 2.3.1 navidrome: 0.61.1 -> 0.61.2 qbittorrent-nox: 5.1.4 -> 5.2.1 grafana-alloy: 1.12.2 -> 1.16.0 grafana-loki: 3.6.3 -> 3.7.2 linux: 6.12.89 -> 6.18.35 mosquitto: 2.0.22 -> 2.1.2 node_exporter: 1.10.2 -> 1.11.1 prometheus: 3.7.2 -> 3.11.3 zigbee2mqtt: 2.6.3 -> 2.12.0 For tente: cgit: 1.2.3 -> 1.3.1 grafana-alloy: 1.12.2 -> 1.16.0 grafana-loki: 3.6.3 -> 3.7.2 grafana: 12.3.6+security-01 -> 13.0.2 headscale: 0.27.1 -> 0.28.0 lego: 4.31.0 -> 4.35.2 nginx: 1.28.3 -> 1.30.2 node_exporter: 1.10.2 -> 1.11.1 prometheus: 3.7.2 -> 3.11.3 --- 
nixos/hosts/ev/default.nix | 11 +-
nixos/hosts/ev/hardware-configuration.nix | 2 +-
nixos/hosts/hamac/hardware-configuration.nix | 2 +-
nixos/hosts/tente/grafana.nix | 2 +
nixos/npins/default.nix | 154 ++++++++++++++++++++++-----
nixos/npins/sources.json | 44 ++++----
nixos/profiles/common/basics.nix | 2 +-
nixos/profiles/common/nixpkgs/overlays.nix | 13 ---
nixos/profiles/workstation/default.nix | 4 +-
9 files changed, 166 insertions(+), 68 deletions(-)
diff --git a/nixos/hosts/ev/default.nix b/nixos/hosts/ev/default.nix
index 29e0ffd..7fcc724 100644
--- a/nixos/hosts/ev/default.nix
+++ b/nixos/hosts/ev/default.nix
@@ -43,10 +43,13 @@ in
 enable = true;
 port = 2222;
 hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
- authorizedKeys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDo/Y7w3hQgUIOQi63e8+L7eTMsVWl1vqY+Bd4tvwShdAj8ECU6JnD6gkCVzqXfUNdpA0Csd9PZlGAbXU+0kxudryFV6mxbXvYf+z70vcF02L5lDJ1tzCV7t7SwXnoenSNBIra/M2zDFgGM4oUkl9iZ2wxn/X/mvFzopJsM3xe2YNtJhXzCyaQTakKRDdHMyj9E867Ko03H6ZD2PI+9G+S39tk5ZLIcG9qhLTfDPziiZj7AIeTYVoxQycajwSlvp8BLzxxCKH8Mq7qW86jfT4lYvUuL5ItQ1cdFbmvJNKpgGXBzgBU+6kWf5c7P2aajhE3otgpfBXWBZRA3hKk+E+xX martin@hamac"
- ];
- shell = "/bin/cryptsetup-askpass";
+ authorizedKeys =
+ let
+ key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDo/Y7w3hQgUIOQi63e8+L7eTMsVWl1vqY+Bd4tvwShdAj8ECU6JnD6gkCVzqXfUNdpA0Csd9PZlGAbXU+0kxudryFV6mxbXvYf+z70vcF02L5lDJ1tzCV7t7SwXnoenSNBIra/M2zDFgGM4oUkl9iZ2wxn/X/mvFzopJsM3xe2YNtJhXzCyaQTakKRDdHMyj9E867Ko03H6ZD2PI+9G+S39tk5ZLIcG9qhLTfDPziiZj7AIeTYVoxQycajwSlvp8BLzxxCKH8Mq7qW86jfT4lYvUuL5ItQ1cdFbmvJNKpgGXBzgBU+6kWf5c7P2aajhE3otgpfBXWBZRA3hKk+E+xX martin@hamac";
+ in
+ [
+ ''command="systemctl default" ${key}''
+ ];
 };
 };
 };
diff --git a/nixos/hosts/ev/hardware-configuration.nix b/nixos/hosts/ev/hardware-configuration.nix
index 65300c8..20e2906 100644
--- a/nixos/hosts/ev/hardware-configuration.nix
+++ b/nixos/hosts/ev/hardware-configuration.nix
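Review bot: The new authorizedKeys entry pins the key to one command but leaves the rest of the SSH session open: OpenSSH's `command=` option on its own still permits TCP, agent and X11 forwarding through the initrd sshd, so the line would be tighter as `''restrict,command="systemctl default" ${key}''` (or `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command=...` if the unlock flow turns out to need a pty, since `restrict` also disables pty allocation). The hunk also drops `shell = "/bin/cryptsetup-askpass"` without saying why the forced command replaces it; a comment such as `# unlock via the forced command instead of an askpass login shell` above `authorizedKeys` would spare the next reader a git blame. The enclosing attrset (presumably boot.initrd.network.ssh) starts outside the hunk.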
@@ -14,7 +14,7 @@
 boot.extraModulePackages = [ ];
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/2c273b8a-7f40-41dd-ab63-2194d4bfd328";
+ { device = "/dev/mapper/luks-d9d95f9b-5f7d-4193-859f-d36dae4ed814";
 fsType = "ext4";
 };
diff --git a/nixos/hosts/hamac/hardware-configuration.nix b/nixos/hosts/hamac/hardware-configuration.nix
index 54b9d60..0de35e8 100644
--- a/nixos/hosts/hamac/hardware-configuration.nix
+++ b/nixos/hosts/hamac/hardware-configuration.nix
@@ -14,7 +14,7 @@
 boot.extraModulePackages = [ ];
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/7b33d046-ffd6-4baf-8bd8-a88e3c04d538";
+ { device = "/dev/mapper/luks-cf2639e7-1f9c-4c2d-989a-ef2d9950f751";
 fsType = "ext4";
 };
diff --git a/nixos/hosts/tente/grafana.nix b/nixos/hosts/tente/grafana.nix
index f6db5ca..44d1815 100644
--- a/nixos/hosts/tente/grafana.nix
+++ b/nixos/hosts/tente/grafana.nix
@@ -31,6 +31,8 @@ in
 from_address = user;
 password = "$__file{${config.age.secrets.alerts-smtp.path}}";
 };
+ # TODO: rotate this secret and use an encrypted secret (this was the default value before NixOS 26.05)
+ security.secret_key = "SW2YcwTIb9zpOOhoPsMm";
 };
 provision = {
diff --git a/nixos/npins/default.nix b/nixos/npins/default.nix
index 6592476..b7f402e 100644
--- a/nixos/npins/default.nix
+++ b/nixos/npins/default.nix
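Review bot: `security.secret_key` is set to a literal that the accompanying comment identifies as the pre-26.05 default, so the value is both committed to the repository and shared with every Grafana instance that never changed it, and everything Grafana encrypts with it (datasource credentials among other things) is protected only nominally. The `password` line two lines above already shows how this file handles secrets: `security.secret_key = "$__file{${config.age.secrets.<grafana-secret-key>.path}}";` with an agenix secret holding a freshly generated random value (`<grafana-secret-key>` is a placeholder for whatever name the secret gets). Rotating the key invalidates values Grafana has already encrypted under the old one, so the datasource passwords will presumably have to be re-entered or re-encrypted after the switch; that caveat belongs in the TODO so the rotation is not attempted without a plan. The enclosing `settings` attrset (presumably services.grafana.settings) starts outside the hunk.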
@@ -9,8 +9,15 @@
 */
 # Generated by npins. Do not modify; will be overwritten regularly
 let
- data = builtins.fromJSON (builtins.readFile ./sources.json);
- version = data.version;
+ # Backwards-compatibly make something that previously didn't take any arguments take some
+ # The function must return an attrset, and will unfortunately be eagerly evaluated
+ # Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments
+ mkFunctor =
+ fn:
+ let
+ e = builtins.tryEval (fn { });
+ in
+ (if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; };
 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
 range =
@@ -21,7 +28,6 @@ let
 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
 stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
- concatMapStrings = f: list: concatStrings (map f list);
 concatStrings = builtins.concatStringsSep "";
 # If the environment variable NPINS_OVERRIDE_${name} is set, then use
@@ -48,41 +54,88 @@ let mkSource = name: spec: + { + pkgs ? null, + }: assert spec ? type; let + # Unify across builtin and pkgs fetchers. + # `fetchGit` requires a wrapper because of slight API differences. + fetchers = + if pkgs == null then + { + inherit (builtins) fetchTarball fetchurl; + # Frustratingly, due to flakes and `fetchTree`, `fetchGit` + # has a different signature than the other builtin + # fetchers + fetchGit = args: (builtins.fetchGit args).outPath; + } + else + { + fetchTarball = + { + url, + sha256, + }: + pkgs.fetchzip { + inherit url sha256; + extension = "tar"; + }; + inherit (pkgs) fetchurl; + fetchGit = + { + url, + submodules, + rev, + name, + narHash, + }: + pkgs.fetchgit { + inherit url rev name; + fetchSubmodules = submodules; + hash = narHash; + }; + }; + path = if spec.type == "Git" then - mkGitSource spec + mkGitSource fetchers spec else if spec.type == "GitRelease" then - mkGitSource spec + mkGitSource fetchers spec else if spec.type == "PyPi" then - mkPyPiSource spec + mkPyPiSource fetchers spec else if spec.type == "Channel" then - mkChannelSource spec + mkChannelSource fetchers spec else if spec.type == "Tarball" then - mkTarballSource spec + mkTarballSource fetchers spec + else if spec.type == "Container" then + mkContainerSource pkgs spec else builtins.throw "Unknown source type ${spec.type}"; in spec // { outPath = mayOverride name path; }; mkGitSource = + { + fetchTarball, + fetchGit, + ... + }: { repository, revision, url ? null, submodules, hash, - branch ? null, ... }: assert repository ? type; # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository # In the latter case, there we will always be an url to the tarball if url != null && !submodules then - builtins.fetchTarball { + fetchTarball { inherit url; - sha256 = hash; # FIXME: check nix version & use SRI hashes + sha256 = hash; } else let 
@@ -93,6 +146,8 @@ let
 "https://github.com/${repository.owner}/${repository.repo}.git"
 else if repository.type == "GitLab" then
 "${repository.server}/${repository.repo_path}.git"
+ else if repository.type == "Forgejo" then
+ "${repository.server}/${repository.owner}/${repository.repo}.git"
 else
 throw "Unrecognized repository type ${repository.type}";
 urlToName =
@@ -107,40 +162,91 @@ let "${if matched == null then "source" else builtins.head matched}${appendShort}"; name = urlToName url revision; in - builtins.fetchGit { + fetchGit { rev = revision; - inherit name; - # hash = hash; - inherit url submodules; + narHash = hash; + + inherit name submodules url; }; mkPyPiSource = - { url, hash, ... }: - builtins.fetchurl { + { fetchurl, ... }: + { + url, + hash, + ... + }: + fetchurl { inherit url; sha256 = hash; }; mkChannelSource = - { url, hash, ... }: - builtins.fetchTarball { + { fetchTarball, ... }: + { + url, + hash, + ... + }: + fetchTarball { inherit url; sha256 = hash; }; mkTarballSource = + { fetchTarball, ... }: { url, locked_url ? url, hash, ... }: - builtins.fetchTarball { + fetchTarball { url = locked_url; sha256 = hash; }; + + mkContainerSource = + pkgs: + { + image_name, + image_tag, + image_digest, + hash, + ... + }: + if pkgs == null then + builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers" + else + pkgs.dockerTools.pullImage { + imageName = image_name; + imageDigest = image_digest; + finalImageTag = image_tag; + hash = hash; + }; in -if version == 5 then - builtins.mapAttrs mkSource data.pins -else - throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" +mkFunctor ( + { + input ? 
./sources.json,
+ }:
+ let
+ data =
+ if builtins.isPath input then
+ # while `readFile` will throw an error anyways if the path doesn't exist,
+ # we still need to check beforehand because *our* error can be caught but not the one from the builtin
+ # See:
+ if builtins.pathExists input then
+ builtins.fromJSON (builtins.readFile input)
+ else
+ throw "Input path ${toString input} does not exist"
+ else if builtins.isAttrs input then
+ input
+ else
+ throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
+ version = data.version;
+ in
+ if version == 7 then
+ builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
+ else
+ throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
+)
diff --git a/nixos/npins/sources.json b/nixos/npins/sources.json
index 23c918f..d4f7d84 100644
--- a/nixos/npins/sources.json
+++ b/nixos/npins/sources.json
@@ -10,7 +10,7 @@
 "submodules": false,
 "revision": "fcdea223397448d35d9b31f798479227e80183f6",
 "url": null,
- "hash": "1d4m7hsq727q7ndjqmgyl8vkbkqjwps962ygmv2mcc5dbqzgn963"
+ "hash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ="
 },
 "my-cmd50": {
 "type": "Git",
@@ -22,7 +22,7 @@
 "submodules": false,
 "revision": "dc6b8f5ba8298f3ad1f04eee1f2c82183b9ed28c",
 "url": null,
- "hash": "0b40dvh0i5q0gcg6xm2q8lffd9nh2pwp2vdfcj3n2zgngv833wqj"
+ "hash": "sha256-EvMx0H72fWGHZK5tcfkV0KbmHEVY1G4eewCXCOBugCw="
 },
 "my-geopos-link": {
 "type": "Git",
@@ -34,7 +34,7 @@
 "submodules": false,
 "revision": "067e52bc973931680da025b4f012f92f94bdbe53",
 "url": null,
- "hash": "02ld2hpl3pmy54bqs8q7m0515lqsyajj9fxrhpf9qm1bjvc4f14w"
+ "hash": "sha256-nARH2JYrVJzchbm7JKXyGtMSCqgHI40XKb7eQS8UjQo="
 },
 "my-git-grep-exporter": {
 "type": "Git",
@@ -46,7 +46,7 @@
 "submodules": false,
 "revision": "b89125bf417a00985f37f45f1d190b8c92225eaf",
 "url": null,
- "hash": "0gryj85yp3g3cdg68myhv742a7709a8p5b2wbdf88rj96kwrryhj"
+ "hash": "sha256-Evqc+TRJZoRcW1yscpFK4BwlyNnQV2ReY+ON6wuSPj8="
 },
 "my-inkstitch": {
 "type": "Git",
@@ -58,7 +58,7 @@
 "submodules": false,
 "revision": "3ed2ad1293e1d9c5758999006fbdeb6ec8fae3f3",
 "url": null,
- "hash": "0gv3llyav2kwhd73m2qmcd0p094pcrrh9q3c63qpawf5h0d6k0ly"
+ "hash": "sha256-noJpGoDFcXXxMGzgBHNmlyRwQWMVizpOg3yKrTylYz8="
 },
 "my-lex-surf": {
 "type": "Git",
@@ -70,7 +70,7 @@
 "submodules": false,
 "revision": "eb58df2a5fa971bf3a3231f52643d8323b4e7ebc",
 "url": null,
- "hash": "1z2s783dzzscz1a6bi3nfmmkbb7ixbd8z69w2aai96mnqnl8vb6f"
+ "hash": "sha256-zqyNqMW2mhSVEjyZj9rq8aw1a3V2xGVU+Ez/3wY6Wvw="
 },
 "my-osm-proposals": {
 "type": "Git",
@@ -82,7 +82,7 @@
 "submodules": false,
 "revision": "bac7da2cfa0cd67a764a4f1199119eaa3164add2",
 "url": null,
- "hash": "1jwd85k529lxnjk6z4m91q1mi9wvfrqis70fgjr5hjfnw013f9rw"
+ "hash": "sha256-PCc3AuDWSViyfA4cHXF2m6dYAw6pkm+mtJ0mUWZBjcs="
 },
 "my-rust-features": {
 "type": "Git",
@@ -94,7 +94,7 @@
 "submodules": false,
 "revision": "8290eaf775a77bea3efc82419ad32bdaa053fce8",
 "url": null,
- "hash": "1dhcz6wxkr8p72734jqrpxdqb4p6wl3yndka9ikbx3v423r2y08w"
+ "hash": "sha256-HAEv8hBkj75mTGo26wfl5pKFW78ZSzKOOBfl2bn5DLY="
 },
 "my-spec-pub": {
 "type": "Git",
@@ -106,7 +106,7 @@
 "submodules": false,
 "revision": "f222614a20ddd9280866f57a0612fbaf3c53125a",
 "url": null,
- "hash": "0i0w4j1lfn7kgh3a6z8yfbkj1a48v2mvfyji7hi4rr9wa3gzlz0v"
+ "hash": "sha256-G3z631A85UwiPFF6t6vYiKgg53IefaMGfPNYR4MkHEQ="
 },
 "my-vdf": {
 "type": "Git",
@@ -118,7 +118,7 @@
 "submodules": false,
 "revision": "b372a2cded1fc431639d2cc159b2c2e6b61e6bcd",
 "url": null,
- "hash": "0cfwzpvllw5w5w14ylqj029df1h83b5r7sk56kh3pbpg3r365i06"
+ "hash": "sha256-BsRiRh7vrjvgNGXqk8saCAbXkgASU08CL7xwSvf93DE="
 },
 "my-web-feed-exporter": {
 "type": "Git",
@@ -130,25 +130,25 @@
 "submodules": false,
 "revision": "b5e9076c6e1683e4d2384ac76e85ad1503c5336a",
 "url": null,
- "hash": "0x80wfw2d7klinyp1igsczhpx2bpvw0x6n0cdm4i1qj5ivsfnka8"
+ "hash": "sha256-SE3r9I5F4hBJbQxY0wHfd4l+4Wf6xXC9jXSeJrjjAHU="
 },
 "nixos": {
 "type": "Channel",
- "name": "nixos-25.11",
- "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.10830.d7a713c0b7e4/nixexprs.tar.xz",
- "hash": "046szh6p14ffkayjcwa5ixm8kx71s9p4giq03i6v102y91ws1b69"
+ "name": "nixos-26.05",
+ "url": "https://releases.nixos.org/nixos/26.05/nixos-26.05.1550.bd0ff2d3eac2/nixexprs.tar.xz",
+ "hash": "sha256-YMnBf9lk/LYgvqfmSSJuOGigtRs5Lsy26pJHVlR9yMY="
 },
 "nixos-small": {
 "type": "Channel",
- "name": "nixos-25.11-small",
- "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10941.30f30521f3fc/nixexprs.tar.xz",
- "hash": "0m21l2rwbhc2hdnna2lih0zjav629mipw7a28hrsz1ym5caamvyg"
+ "name": "nixos-26.05-small",
+ "url": "https://releases.nixos.org/nixos/26.05-small/nixos-26.05.1896.88a9d48c8af8/nixexprs.tar.xz",
+ "hash": "sha256-g8mR7W7eVpIb841l5/fKqYzFVwcTgOam6febL4jkkrc="
 },
 "nixos-unstable": {
 "type": "Channel",
 "name": "nixos-unstable",
- "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre995699.da5ad661ba4e/nixexprs.tar.xz",
- "hash": "1xj1yx3nj4p8gpcdylqqhp51v0v51b4dabrwa595wkc9bp6wkl5c"
+ "url": "https://releases.nixos.org/nixos/unstable/nixos-26.11pre1014179.9ae611a455b9/nixexprs.tar.xz",
+ "hash": "sha256-d34lhgOet4IqYMnCxbIvwFBMOyTV6PT4TyNEOP0/ZhU="
 },
 "prometheus-sql-exporter": {
 "type": "GitRelease",
@@ -163,7 +163,7 @@
 "version": "0.18.1",
 "revision": "6e73ff71a8976939c28ce9a0ddbeefe0801d0a37",
 "url": null,
- "hash": "1a3j3rsjvw6wqyayml5x5c7x18bvn45ldr2p280yn9pqdzihk480"
+ "hash": "sha256-AJEJ42/4JusBElfkRguxe6HQDyu90OqVx9zwLXUecqg="
 },
 "prometheus-storagebox-exporter": {
 "type": "GitRelease",
@@ -178,8 +178,8 @@
 "version": "v0.3.0",
 "revision": "0382d2fc9c26d69dab7be1e0b6bdb3e38e5e13c6",
 "url": null,
- "hash": "0qa0k7rkf92x14b707h1qrivj4xj0jd2zmrrp5bwarm4iipyid76"
+ "hash": "sha256-5rTob4ykZsVXuTnXL5oEshO5Y8YBHnAWCV0kN/OZQGE="
 }
 },
- "version": 5
+ "version": 7
 }
diff --git a/nixos/profiles/common/basics.nix b/nixos/profiles/common/basics.nix
index e9fadb4..7bd7125 100644
--- a/nixos/profiles/common/basics.nix
+++ b/nixos/profiles/common/basics.nix
@@ -35,7 +35,7 @@
 };
 # without this `apropos` doesn't work
- documentation.man.generateCaches = true;
+ documentation.man.cache.enable = true;
 # system-wide vi-mode in readline (handy when executing sqlite3 as root)
 environment.etc.inputrc.text = ''
diff --git a/nixos/profiles/common/nixpkgs/overlays.nix b/nixos/profiles/common/nixpkgs/overlays.nix
index 40f17a9..7bad946 100644
--- a/nixos/profiles/common/nixpkgs/overlays.nix
+++ b/nixos/profiles/common/nixpkgs/overlays.nix
@@ -1,19 +1,6 @@
 # https://nixos.org/manual/nixpkgs/stable/#sec-overlays-definition
 { pkgs, ... }:
 [
- # features
- (final: prev: {
- scc = prev.scc.overrideAttrs (old: {
- # https://github.com/boyter/scc/pull/622
- src = pkgs.fetchFromGitHub {
- owner = "boyter";
- repo = "scc";
- rev = "b73ea06bdc5890821d03502a2cfc4224b19a9b67";
- hash = "sha256-vcuoKrvludBE0KpXVLkKzB38n0mZJWVB8bYrgJDHKfY=";
- };
- });
- })
-
 (final: prev: {
 sway-unwrapped = prev.sway-unwrapped.overrideAttrs (old: {
 patches = old.patches ++ [
diff --git a/nixos/profiles/workstation/default.nix b/nixos/profiles/workstation/default.nix
index f88f77c..e5c2437 100644
--- a/nixos/profiles/workstation/default.nix
+++ b/nixos/profiles/workstation/default.nix
@@ -64,14 +64,14 @@ in builtins.elem (lib.getName pkg) [ # The device mirroring feature is nice. Also I couldn't get kotlin-lsp (nor any of the open source # Kotlin language servers) to reliably resolve references and show documentation on hover. - "android-studio-stable" + "android-studio" ]; environment.systemPackages = with pkgs; [ npins (callPackage "${sources.agenix}/pkgs/agenix.nix" {}) (callPackage sources.my-vdf {}) - nixfmt-rfc-style + nixfmt vim-full -- cgit v1.3.1