diff --git a/flake.lock b/flake.lock
index c1cf634..9535de3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -69,11 +69,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1693611461,
- "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
+ "lastModified": 1698882062,
+ "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
 "owner": "hercules-ci",
 "repo": "flake-parts",
- "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
+ "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
 "type": "github"
 },
 "original": {
@@ -107,11 +107,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696446489,
- "narHash": "sha256-xSjMKdNR+q/3hdSPyg/LUMsZT/WIoUi8dcm5zT4SMUQ=",
+ "lastModified": 1700553346,
+ "narHash": "sha256-kW7uWsCv/lxuA824Ng6EYD9hlVYRyjuFn0xBbYltAeQ=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "68f7d8c0fb0bfc67d1916dd7f06288424360d43a",
+ "rev": "1aabb0a31b25ad83cfaa37c3fe29053417cd9a0f",
 "type": "github"
 },
 "original": {
@@ -122,11 +122,11 @@
 },
 "impermanence": {
 "locked": {
- "lastModified": 1694622745,
- "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
+ "lastModified": 1697303681,
+ "narHash": "sha256-caJ0rXeagaih+xTgRduYtYKL1rZ9ylh06CIrt1w5B4g=",
 "owner": "nix-community",
 "repo": "impermanence",
- "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
+ "rev": "0f317c2e9e56550ce12323eb39302d251618f5b5",
 "type": "github"
 },
 "original": {
@@ -143,11 +143,11 @@
 ]
 },
 "locked": {
- "lastModified": 1697331506,
- "narHash": "sha256-N6RD9EudU+i7SJO3z3S309XQRhp81iqaN9G9sxRtVts=",
+ "lastModified": 1700512623,
+ "narHash": "sha256-UpIxPW8Y5RauHugB9GRXge77vEs77RycZEDhh41V6Lc=",
 "owner": "chayleaf",
 "repo": "maubot.nix",
- "rev": "cf32a2873523c80cebdd1ee409c45593040944b8",
+ "rev": "efe241fe720dfc9799348e5b12e7d55facd4bafa",
 "type": "github"
 },
 "original": {
@@ -181,11 +181,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696468271,
- "narHash": "sha256-ZpzAIqs8VmgRDz+rBe28+TErlXkhzrgPKg3YKYraReE=",
+ "lastModified": 1700616016,
+ "narHash": "sha256-GCD2U3jMWmBqJccDDXr8pf2Ia2NnFiIYqnm9wK1DxLk=",
 "owner": "fufexan",
 "repo": "nix-gaming",
- "rev": "cc55064e30efdf1b1ad3df4d39983314ef440aae",
+ "rev": "7d81bdbf62936d50906609097b1fd6e68e59daa7",
 "type": "github"
 },
 "original": {
@@ -196,11 +196,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1696614066,
- "narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
+ "lastModified": 1700559156,
+ "narHash": "sha256-gL4epO/qf+wo30JjC3g+b5Bs8UrpxzkhNBBsUYxpw2g=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
+ "rev": "c3abafb01cd7045dba522af29b625bd1e170c2fb",
 "type": "github"
 },
 "original": {
@@ -225,11 +225,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1689976554,
- "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=",
+ "lastModified": 1700085753,
+ "narHash": "sha256-qtib7f3eRwfaUF+VziJXiBcZFqpHCAXS4HlrFsnzzl4=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e",
+ "rev": "008d78cc21959e33d0d31f375b88353a7d7121ae",
 "type": "gitlab"
 },
 "original": {
@@ -245,11 +245,11 @@
 ]
 },
 "locked": {
- "lastModified": 1698227887,
- "narHash": "sha256-QDVR3tZ5ugxtyCb9TlZLmqNTdAAH6wMUU8sGnPtduTA=",
+ "lastModified": 1700524221,
+ "narHash": "sha256-YQGjhwhd68N9fILRwZXlT3z6yXP5kRH8B6bxD2uQq14=",
 "owner": "chayleaf",
 "repo": "nixos-router",
- "rev": "7d9669390a87da7e67dabcbce34681630e67cf32",
+ "rev": "e9d2ec7ad1f34cb9f1f71c1400430af817431a3b",
 "type": "github"
 },
 "original": {
@@ -260,11 +260,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1697804921,
- "narHash": "sha256-PAoThb0U52HGscrU/Qp1GKwidqM6xnWxgovJCXNpjCc=",
+ "lastModified": 1700634993,
+ "narHash": "sha256-SpQ3i78Gxv4PB+R/qqVhDK5oq8blqc+dFmwhiUkCYd8=",
 "owner": "chayleaf",
 "repo": "nixpkgs",
- "rev": "77ba48251d2b629d347e566c888000a379711ce0",
+ "rev": "dbe92cbf44795892d585afc540a9324d773553c8",
 "type": "github"
 },
 "original": {
@@ -276,11 +276,11 @@
 "nixpkgs-lib": {
 "locked": {
 "dir": "lib",
- "lastModified": 1693471703,
- "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
+ "lastModified": 1698611440,
+ "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
+ "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
 "type": "github"
 },
 "original": {
@@ -291,22 +291,6 @@
 "type": "github"
 }
 },
- "nixpkgs2": {
- "locked": {
- "lastModified": 1696696817,
- "narHash": "sha256-K8/YirUEkUD1Xd9Qg5R9czYU03M8wDN5W3DYns9F0rc=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "0df1d6c8cac8e8dc08f42bfe062a1025555c9b6a",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "master",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "notlua": {
 "inputs": {
 "nixpkgs": [
@@ -314,11 +298,11 @@
 ]
 },
 "locked": {
- "lastModified": 1691609126,
- "narHash": "sha256-InbGoENdL8LNT/09pl7AW5uv2ZSDburqr5LgvkJDfj0=",
+ "lastModified": 1697413333,
+ "narHash": "sha256-2nmu/+QhR/VhxFFr54l0Ok/yVhLCrrYVuTgeD4LHEhE=",
 "owner": "chayleaf",
 "repo": "notlua",
- "rev": "0e972a0d23f2faa511b9a3f6d445204e18cd5020",
+ "rev": "ef7cdb7a883fe87238c9fff13bc14ad1fd06f4ba",
 "type": "github"
 },
 "original": {
@@ -334,11 +318,11 @@
 ]
 },
 "locked": {
- "lastModified": 1691616520,
- "narHash": "sha256-loZuL2YnMNwgH5GEZfXgXZadvo5P3Sp+YZSf9L3Wpu8=",
+ "lastModified": 1700483422,
+ "narHash": "sha256-ni6niOmObnG9EVGtaeT1I7ULz5+EkEewGTJVeFuWNuc=",
 "owner": "chayleaf",
 "repo": "notnft",
- "rev": "118e25deeb741ba7963931212f02c96c50898578",
+ "rev": "b3e6a023a13a81d70a6a30997e2f1aaf36feafb3",
 "type": "github"
 },
 "original": {
@@ -349,11 +333,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1696624462,
- "narHash": "sha256-lGmf7IPqWLfxvEQcPujB8dzu+++NHqGYQkmC05y3ByA=",
+ "lastModified": 1700632813,
+ "narHash": "sha256-VNl0QZU/77cIVIitSAEKiQHjwDMYV4QKcAhswjIx5dU=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "560b6a71f7fe0353dc19bc366a5ace71fbda51d1",
+ "rev": "bc262e5eda937c4220994fef040b9bac8c90ae04",
 "type": "github"
 },
 "original": {
@@ -374,7 +358,6 @@
 "nixos-mailserver": "nixos-mailserver",
 "nixos-router": "nixos-router",
 "nixpkgs": "nixpkgs",
- "nixpkgs2": "nixpkgs2",
 "notlua": "notlua",
 "notnft": "notnft",
 "nur": "nur",
@@ -389,11 +372,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696558324,
- "narHash": "sha256-TnnP4LGwDB8ZGE7h2n4nA9Faee8xPkMdNcyrzJ57cbw=",
+ "lastModified": 1700619457,
+ "narHash": "sha256-zjmlh8xo4UsNdw7nMyiHgQg1xXNcJnpdMLvyunnnitQ=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "fdb37574a04df04aaa8cf7708f94a9309caebe2b",
+ "rev": "7c94410d52d4e8bd72803fc1fe6c51fe179edaf5",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 292f75c..1c4e3a2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,10 +2,9 @@ description = "NixOS + Home Manager configuration of chayleaf"; inputs = { - #nixpkgs.url = "github:nixos/nixpkgs/3dc2b4f8166f744c3b3e9ff8224e7c5d74a5424f"; - # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + #nixpkgs.url = "github:NixOS/nixpkgs/3dc2b4f8166f744c3b3e9ff8224e7c5d74a5424f"; + # nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:chayleaf/nixpkgs"; - nixpkgs2.url = "github:nixos/nixpkgs/master"; nixos-hardware.url = "github:NixOS/nixos-hardware"; mobile-nixos = { # url = "github:NixOS/mobile-nixos"; @@ -59,7 +58,6 @@ outputs = inputs@ { self , nixpkgs - , nixpkgs2 , nixos-hardware , mobile-nixos , impermanence @@ -157,7 +155,6 @@ ./system/devices/radxa-rock5a-server.nix (if devMaubot then import /${devPath}/maubot.nix/module else maubot.nixosModules.default) ./system/modules/scanservjs.nix - ./system/modules/certspotter.nix ]; }; server-cross = crossConfig server; @@ -172,7 +169,6 @@ notlua = notlua.lib.${system}; }; home.user = [ - { _module.args.pkgs2 = import nixpkgs2 { inherit system; overlays = [ overlay ]; }; } nur.nixosModules.nur ./home/hosts/nixmsi.nix ]; diff --git a/home/common/firefox.nix b/home/common/firefox.nix index e8119e3..42652ba 100644 --- a/home/common/firefox.nix +++ b/home/common/firefox.nix @@ -10,7 +10,7 @@ inherit (pkgs.librewolf-unwrapped) extraPrefsFiles extraPoliciesFiles; wmClass = "LibreWolf"; libName = "librewolf"; - cfg.enableKeePassXC = true; + nativeMessagingHosts = with pkgs; [ keepassxc ]; }; profiles.chayleaf = { extensions = (with config.nur.repos.rycee.firefox-addons; [ diff --git a/home/common/gui.nix b/home/common/gui.nix index f17f508..4ae4022 100644 --- a/home/common/gui.nix +++ b/home/common/gui.nix @@ -1,4 +1,4 @@ -{ config, pkgs, pkgs2, lib, ... }: +{ config, pkgs, lib, ... }: { imports = [ ./terminal.nix ]; i18n.inputMethod = let fcitx5-qt = pkgs.libsForQt5.fcitx5-qt; in { 
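Review bot: Removing `./system/modules/certspotter.nix` from the server module list (hunk `@@ -157,7 +155,6 @@`) takes Certificate Transparency log monitoring off that host, and nothing else in this diff puts it back — the module file is deleted at the end of the page and the `certspotter` package is dropped from pkgs/default.nix. If the plan is to rely on an upstream nixpkgs module instead, that switch is not visible here; if the monitoring is being retired on purpose, a sentence in the commit message saying so would stop the next reader from assuming CT alerting for the served domains is still active. The module list this hunk edits starts and ends outside the hunk.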
@@ -180,7 +180,7 @@ # profiles = { }; package = pkgs.wrapMpv ((pkgs.mpv-unwrapped.override { # webp support - ffmpeg_5 = pkgs.ffmpeg-custom; + ffmpeg = pkgs.ffmpeg-custom; }).overrideAttrs (old: { patches = old.patches or [] ++ [ (pkgs.fetchpatch { @@ -251,7 +251,7 @@ keepassxc nheko qbittorrent mumble nextcloud-client gnome.zenity kdeconnect # cli tools - imagemagick ffmpeg_5-full xdg-utils + imagemagick ffmpeg-full xdg-utils # fonts noto-fonts noto-fonts-cjk-sans noto-fonts-cjk-serif noto-fonts-emoji noto-fonts-extra @@ -261,7 +261,7 @@ # for working with nix nix-init - pkgs2.nvfetcher + nvfetcher config.nur.repos.rycee.mozilla-addons-to-nix anki-bin diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json index bc4d4a8..68ccc66 100644 --- a/pkgs/_sources/generated.json +++ b/pkgs/_sources/generated.json 
@@ -22,24 +22,24 @@ "pinned": false, "src": { "name": null, - "sha256": "sha256-DcS5ov656f/l1zWPt+UYKxarDGcAWd6zTvi50Lsa1s8=", + "sha256": "sha256-72jxUJdn4j0FV1qFH0r7UEVrAvSwrWgWsxCXyT1N/1A=", "type": "url", - "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-16/GE-Proton8-16.tar.gz" + "url": "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-24/GE-Proton8-24.tar.gz" }, - "version": "GE-Proton8-16" + "version": "GE-Proton8-24" }, "searxng": { "cargoLocks": null, - "date": "2023-10-06", + "date": "2023-11-14", "extract": null, "name": "searxng", "passthru": null, "pinned": false, "src": { - "sha256": "sha256-/blIZOaeOwQMp6T6GkNh8Fvtzh3Ik5UiPwuGjViENuE=", + "sha256": "sha256-vgDQ7cdWN79TFEbJGq0AdvC8p2YOmogk9iVViDkZDXw=", "type": "tarball", - "url": "https://github.com/searxng/searxng/archive/ce270961e82585971579844c64d7cde5f5d855ec.tar.gz" + "url": "https://github.com/searxng/searxng/archive/b3d29cb86db4cc1a4e6320016529d1361451e1f1.tar.gz" }, - "version": "ce270961e82585971579844c64d7cde5f5d855ec" + "version": "b3d29cb86db4cc1a4e6320016529d1361451e1f1" } -} +} \ No newline at end of file diff --git a/pkgs/_sources/generated.nix b/pkgs/_sources/generated.nix index eee9ac6..bbc0dc7 100644 --- a/pkgs/_sources/generated.nix +++ b/pkgs/_sources/generated.nix 
@@ -12,19 +12,19 @@ }; proton-ge = { pname = "proton-ge"; - version = "GE-Proton8-16"; + version = "GE-Proton8-24"; src = fetchurl { - url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-16/GE-Proton8-16.tar.gz"; - sha256 = "sha256-DcS5ov656f/l1zWPt+UYKxarDGcAWd6zTvi50Lsa1s8="; + url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton8-24/GE-Proton8-24.tar.gz"; + sha256 = "sha256-72jxUJdn4j0FV1qFH0r7UEVrAvSwrWgWsxCXyT1N/1A="; }; }; searxng = { pname = "searxng"; - version = "ce270961e82585971579844c64d7cde5f5d855ec"; + version = "b3d29cb86db4cc1a4e6320016529d1361451e1f1"; src = fetchTarball { - url = "https://github.com/searxng/searxng/archive/ce270961e82585971579844c64d7cde5f5d855ec.tar.gz"; - sha256 = "sha256-/blIZOaeOwQMp6T6GkNh8Fvtzh3Ik5UiPwuGjViENuE="; + url = "https://github.com/searxng/searxng/archive/b3d29cb86db4cc1a4e6320016529d1361451e1f1.tar.gz"; + sha256 = "sha256-vgDQ7cdWN79TFEbJGq0AdvC8p2YOmogk9iVViDkZDXw="; }; - date = "2023-10-06"; + date = "2023-11-14"; }; } diff --git a/pkgs/certspotter/configurable-sendmail.patch b/pkgs/certspotter/configurable-sendmail.patch deleted file mode 100644 index c895a76..0000000 --- a/pkgs/certspotter/configurable-sendmail.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -diff --git a/cmd/certspotter/main.go b/cmd/certspotter/main.go -index 9730789..f2eb081 100644 ---- a/cmd/certspotter/main.go -+++ b/cmd/certspotter/main.go -@@ -163,6 +163,7 @@ func main() { - logs string - noSave bool - script string -+ sendmail string - startAtEnd bool - stateDir string - stdout bool -@@ -176,6 +177,7 @@ func main() { - flag.StringVar(&flags.logs, "logs", defaultLogList, "File path or URL of JSON list of logs to monitor") - flag.BoolVar(&flags.noSave, "no_save", false, "Do not save a copy of matching certificates in state directory") - flag.StringVar(&flags.script, "script", "", "Program to execute when a matching certificate is discovered") -+ flag.StringVar(&flags.sendmail, "sendmail", "/usr/sbin/sendmail", "Path to the sendmail-compatible program to use") - flag.BoolVar(&flags.startAtEnd, "start_at_end", false, "Start monitoring logs from the end rather than the beginning (saves considerable bandwidth)") - flag.StringVar(&flags.stateDir, "state_dir", defaultStateDir(), "Directory for storing log position and discovered certificates") - flag.BoolVar(&flags.stdout, "stdout", false, "Write matching certificates to stdout") -@@ -201,6 +203,7 @@ func main() { - Verbose: flags.verbose, - Script: flags.script, - ScriptDir: defaultScriptDir(), -+ SendmailPath: flags.sendmail, - Email: flags.email, - Stdout: flags.stdout, - HealthCheckInterval: flags.healthcheck, -diff --git a/monitor/config.go b/monitor/config.go -index 1e0d60c..d1bc430 100644 ---- a/monitor/config.go -+++ b/monitor/config.go -@@ -20,6 +20,7 @@ type Config struct { - WatchList WatchList - Verbose bool - SaveCerts bool -+ SendmailPath string - Script string - ScriptDir string - Email []string -diff --git a/monitor/notify.go b/monitor/notify.go -index 8fc6d09..86cabca 100644 ---- a/monitor/notify.go -+++ b/monitor/notify.go -@@ -36,7 +36,7 @@ func notify(ctx context.Context, config *Config, notif notification) error { - } - - if len(config.Email) > 0 { -- if err := 
sendEmail(ctx, config.Email, notif); err != nil { -+ if err := sendEmail(ctx, config.SendmailPath, config.Email, notif); err != nil { - return err - } - } -@@ -62,7 +62,7 @@ func writeToStdout(notif notification) { - os.Stdout.WriteString(notif.Text() + "\n") - } - --func sendEmail(ctx context.Context, to []string, notif notification) error { -+func sendEmail(ctx context.Context, sendmailPath string, to []string, notif notification) error { - stdin := new(bytes.Buffer) - stderr := new(bytes.Buffer) - -@@ -77,7 +77,7 @@ func sendEmail(ctx context.Context, to []string, notif notification) error { - args := []string{"-i", "--"} - args = append(args, to...) - -- sendmail := exec.CommandContext(ctx, "/usr/sbin/sendmail", args...) -+ sendmail := exec.CommandContext(ctx, sendmailPath, args...) - sendmail.Stdin = stdin - sendmail.Stderr = stderr - diff --git a/pkgs/certspotter/default.nix b/pkgs/certspotter/default.nix deleted file mode 100644 index 30904c8..0000000 --- a/pkgs/certspotter/default.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ lib -, buildGoModule -, fetchFromGitHub -, lowdown -}: - -buildGoModule rec { - pname = "certspotter"; - version = "0.16.0"; - - src = fetchFromGitHub { - owner = "SSLMate"; - repo = "certspotter"; - rev = "v${version}"; - hash = "sha256-0+7GWxbV4j2vVdmool8J9hqRqUi8O/yKedCyynWJDkE="; - }; - - vendorHash = "sha256-haYmWc2FWZNFwMhmSy3DAtj9oW5G82dX0fxpGqI8Hbw="; - - patches = [ ./configurable-sendmail.patch ]; - - ldflags = [ "-s" "-w" ]; - - nativeBuildInputs = [ lowdown ]; - - postInstall = '' - cd man - make - mkdir -p $out/share/man/man8 - mv *.8 $out/share/man/man8 - ''; - - meta = with lib; { - description = "Certificate Transparency Log Monitor"; - homepage = "https://github.com/SSLMate/certspotter"; - changelog = "https://github.com/SSLMate/certspotter/blob/${src.rev}/CHANGELOG.md"; - license = licenses.mpl20; - mainProgram = "certspotter"; - maintainers = with maintainers; [ chayleaf ]; - }; -} 
diff --git a/pkgs/default.nix b/pkgs/default.nix index 86dead0..a8c1563 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -10,7 +10,7 @@ let sources = import ./_sources/generated.nix { inherit (pkgs) fetchgit fetchurl fetchFromGitHub dockerTools; }; - nixForNixPlugins = pkgs.nixVersions.nix_2_17; + nixForNixPlugins = pkgs.nixVersions.nix_2_18; in { @@ -22,16 +22,16 @@ in unstable = nixForNixPlugins; }); # Various patches to change Nix version of existing packages so they don't error out because of nix-plugins in nix.conf - nix-plugins = pkgs.nix-plugins.override { nix = nixForNixPlugins; }; /*.overrideAttrs (old: { - version = "12.0.0"; + nix-plugins = (pkgs.nix-plugins.override { nix = nixForNixPlugins; }).overrideAttrs (old: { + version = "13.0.0"; patches = [ (pkgs.fetchpatch { - # pull 17 - url = "https://github.com/shlevy/nix-plugins/commit/f7534b96e70ca056ef793918733d1820af89a433.patch"; - hash = "sha256-ePRAnZAobasF6jA3QC73p8zyzayXORuodhus96V+crs="; + # pull 16 + url = "https://github.com/chayleaf/nix-plugins/commit/8f945cadad7f2e60e8f308b2f498ec5e16961ede.patch"; + hash = "sha256-pOogMtjXYkSDtXW12TmBpGr/plnizJtud2nP3q2UldQ="; }) ]; - });*/ + }); harmonia = (pkgs.harmonia.override { nix = nixForNixPlugins; }); /*.overrideAttrs { patches = [ (pkgs.fetchpatch { 
@@ -48,38 +48,37 @@ in # TODO: remove when https://github.com/NixOS/nix/issues/8796 is fixed or hydra code stops needing a fix configureFlags = builtins.filter (x: x != "--enable-lto") (old.configureFlags or []); });*/ - });/*.overrideAttrs (old: { + }).overrideAttrs (old: { patches = (old.patches or [ ]) ++ [ (pkgs.fetchpatch { - url = "https://github.com/NixOS/hydra/pull/1296/commits/b23431a657d8a9b2f478c95dd81034780751a262.patch"; - hash = "sha256-ruTAIPUrPtfy8JkXYK2qigBrSa6KPXpJlORTNkUYrG0="; + url = "https://github.com/chayleaf/hydra/commit/e9da80fff6234fab2458173272ee0bedbe8935c3.patch"; + hash = "sha256-PS8rwe5lIzvaVlh/DogYmW5OccVfpKQ6JehTQibx2XQ="; }) ]; - });*/ - nurl = pkgs.nurl.override { nix = nixForNixPlugins; }; - nvfetcher = pkgs.nvfetcher.overrideAttrs (old: { - meta = builtins.removeAttrs old.meta [ "broken" ]; }); + nurl = pkgs.nurl.override { nix = nixForNixPlugins; }; + /*nvfetcher = pkgs.nvfetcher.overrideAttrs (old: { + meta = builtins.removeAttrs old.meta [ "broken" ]; + });*/ - certspotter = callPackage ./certspotter { }; clang-tools_latest = pkgs.clang-tools_16; clang_latest = pkgs.clang_16; /*ghidra = pkgs.ghidra.overrideAttrs (old: { patches = old.patches ++ [ ./ghidra-stdcall.patch ]; });*/ - ffmpeg-custom = (pkgs'.ffmpeg_6-full.override { + ffmpeg-custom = (pkgs.callPackage (import /${pkgs.path}/pkgs/development/libraries/ffmpeg/generic.nix { + version = "6.1"; + sha256 = "sha256-NzhD2D16bCVCyCXo0TRwZYp3Ta5eFSfoQPa+iRkeNZg="; + }) { + ffmpegVariant = "full"; withCuda = false; withCudaLLVM = false; withNvdec = false; withNvenc = false; + inherit (pkgs'.darwin.apple_sdk.frameworks) + Cocoa CoreServices CoreAudio CoreMedia AVFoundation MediaToolbox + VideoDecodeAcceleration VideoToolbox; }).overrideAttrs (old: { - version = "unstable-20231031"; - src = pkgs'.fetchgit { - url = "https://git.ffmpeg.org/ffmpeg.git"; - rev = "4e5f3e6b8e1132354eed810dfdadf87f45c5de27"; - hash = "sha256-fiWkU9fK8qPmxl2MOADKdlFf6XjHGKFhi8uaWltphCE="; - }; - 
patches = [ ]; postPatch = '' ${old.postPatch or ""} substituteInPlace libavutil/hwcontext_vulkan.c \ @@ -88,12 +87,11 @@ in --replace FF_VK_KHR_VIDEO_DECODE_H265 FF_VK_EXT_VIDEO_DECODE_H265 \ --replace FF_VK_KHR_VIDEO_DECODE_AV1 FF_VK_EXT_VIDEO_DECODE_AV1 ''; - buildInputs = old.buildInputs ++ [ pkgs'.libaribcaption ]; + buildInputs = old.buildInputs ++ [ pkgs.libaribcaption ]; configureFlags = old.configureFlags ++ [ "--enable-libaribcaption" ]; }); gimp = callPackage ./gimp { inherit (pkgs) gimp; }; home-daemon = callPackage ./home-daemon { }; - libaribcaption = callPackage ./libaribcaption { }; # pin version looking-glass-client = pkgs.looking-glass-client.overrideAttrs (old: { version = "B6"; @@ -108,7 +106,6 @@ in kvmfrOverlay = kvmfr: kvmfr.overrideAttrs (old: { inherit (pkgs'.looking-glass-client) version src; }); - pineapplebot = callPackage ./pineapplebot.nix { }; proton-ge = pkgs.stdenvNoCC.mkDerivation { inherit (sources.proton-ge) pname version src; installPhase = '' @@ -121,6 +118,7 @@ in searxng = pkgs'.python3.pkgs.toPythonModule (pkgs.searxng.overrideAttrs (old: { inherit (sources.searxng) src; version = "unstable-" + sources.searxng.date; + postInstall = builtins.replaceStrings [ "/botdetection" ] [ "" ] old.postInstall; })); techmino = callPackage ./techmino { }; @@ -153,6 +151,5 @@ in stdenv = pkgs'.ccacheStdenv; }; } -// import ./postgresql-packages { inherit pkgs pkgs' lib sources isOverlay; } // import ./ccache.nix { inherit pkgs pkgs' lib sources; } // import ../system/hardware/bpi-r3/pkgs.nix { inherit pkgs pkgs' lib sources; } diff --git a/pkgs/firefox-addons/generated.nix b/pkgs/firefox-addons/generated.nix index aea8923..347f232 100644 --- a/pkgs/firefox-addons/generated.nix +++ b/pkgs/firefox-addons/generated.nix 
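Review bot: In the `ffmpeg-custom` rewrite (hunk `@@ -48,38 +48,37 @@`, which begins on the previous page line) the derivation now builds the 6.1 release through nixpkgs' `generic.nix`, yet the unchanged `patches = [ ];` inside `overrideAttrs` still discards every patch that `generic.nix` attaches to that version; that was defensible for the earlier git snapshot, but for a release it silently drops whatever fixes nixpkgs carries for 6.1, security backports included. Prefer `patches = (old.patches or [ ]) ++ [ ];` — or do not touch `patches` at all — unless a specific upstream patch is known to conflict, in which case filter that one by name with a comment. `import /${pkgs.path}/pkgs/development/libraries/ffmpeg/generic.nix` reaches into a nixpkgs-internal file with no stability guarantee, so a comment recording the nixpkgs revision this was verified against will help when a later `flake.lock` bump breaks it. The `searxng` line `postInstall = builtins.replaceStrings [ "/botdetection" ] [ "" ] old.postInstall;` in `@@ -121,6 +118,7 @@` is likewise string surgery on an upstream phase and deserves a one-line comment naming the upstream change it works around.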
@@ -63,10 +63,10 @@ }; "youtube-nonstop" = buildFirefoxXpiAddon { pname = "youtube-nonstop"; - version = "0.9.1"; + version = "0.9.2"; addonId = "{0d7cafdd-501c-49ca-8ebb-e3341caaa55e}"; - url = "https://addons.mozilla.org/firefox/downloads/file/3848483/youtube_nonstop-0.9.1.xpi"; - sha256 = "8340d57622a663949ec1768eb37d47651c809fadf0ffaa5ff546c48fdd28e33d"; + url = "https://addons.mozilla.org/firefox/downloads/file/4187690/youtube_nonstop-0.9.2.xpi"; + sha256 = "7659d180f76ea908ea81b84ed9bdd188624eaaa62b88accbe6d8ad4e8caeff38"; meta = with lib; { homepage = "https://github.com/lawfx/YoutubeNonStop"; diff --git a/pkgs/libaribcaption/default.nix b/pkgs/libaribcaption/default.nix deleted file mode 100644 index 354b300..0000000 --- a/pkgs/libaribcaption/default.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ lib -, stdenv -, fetchFromGitHub -, cmake - -, fontconfig -, freetype -}: - -stdenv.mkDerivation rec { - pname = "libaribcaption"; - version = "1.1.1"; - - src = fetchFromGitHub { - owner = "xqq"; - repo = "libaribcaption"; - rev = "v${version}"; - hash = "sha256-x6l0ZrTktSsqfDLVRXpQtUOruhfc8RF3yT991UVZiKA="; - }; - - nativeBuildInputs = [ cmake ]; - - cmakeFlags = [ "-DBUILD_SHARED_LIBS=ON" ]; - - buildInputs = lib.optionals (!stdenv.isDarwin) [ fontconfig freetype ]; - - meta = with lib; { - description = "Portable ARIB STD-B24 Caption Decoder/Renderer"; - homepage = "https://github.com/xqq/libaribcaption"; - license = licenses.mit; - maintainers = with maintainers; [ chayleaf ]; - }; -} diff --git a/pkgs/pineapplebot.nix b/pkgs/pineapplebot.nix deleted file mode 100644 index 66787fd..0000000 --- a/pkgs/pineapplebot.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ python3 -, fetchFromGitHub -, rustPlatform -, magic ? "" -, ... }: - -python3.pkgs.buildPythonPackage rec { - pname = "pineapplebot"; - version = "0.1.0"; - src = fetchFromGitHub { - owner = "chayleaf"; - repo = "pizzabot_v3"; - rev = "master"; - sha256 = "sha256-ZLskMlllZfmqIlbSr0pNHHJehDycohiwqgYbuEYP7Qc="; - }; - preBuild = '' - head -n13 Cargo.toml > Cargo.toml.new - mv Cargo.toml.new Cargo.toml - ''; - sourceRoot = "source/pineapplebot"; - cargoDeps = rustPlatform.fetchCargoTarball { - inherit src sourceRoot; - name = "${pname}-${version}"; - sha256 = "14jxgykwg1apy97gy1j8mz7ny2cqg4q9s03a2bk9kx2y6ibm4668"; - }; - nativeBuildInputs = with rustPlatform; [ - cargoSetupHook - maturinBuildHook - ]; - doCheck = false; - doInstallCheck = true; - pythonImportsCheck = [ "pineapplebot" ]; - PIZZABOT_MAGIC = magic; -} diff --git a/pkgs/postgresql-packages/default.nix b/pkgs/postgresql-packages/default.nix deleted file mode 100644 index cfb188f..0000000 --- a/pkgs/postgresql-packages/default.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ pkgs -, pkgs' -, isOverlay -, lib -, ... }: - -let - inherit (pkgs') callPackage; - - extraPackages = { - tsja = callPackage ./tsja.nix { }; - }; - gen' = postgresql: builtins.mapAttrs (k: v: v.override { inherit postgresql; }) extraPackages; - gen = ver: - lib.optionalAttrs isOverlay pkgs."postgresql${toString ver}Packages" - // gen' pkgs."postgresql${if ver == "" then "" else "_" + toString ver}"; - psql = ver: let - old = pkgs."postgresql${if ver == "" then "" else "_" + toString ver}"; - in old // { pkgs = old.pkgs // gen' old; }; - self = { - mecab = pkgs.mecab.overrideAttrs (old: { - postInstall = '' - mkdir -p $out/lib/mecab/dic - ln -s ${callPackage /${pkgs.path}/pkgs/tools/text/mecab/ipadic.nix { - mecab-nodic = callPackage /${pkgs.path}/pkgs/tools/text/mecab/nodic.nix { }; - }} $out/lib/mecab/dic/ipadic - ''; - }); - postgresqlPackages = gen ""; - postgresql11Packages = gen 11; - postgresql12Packages = gen 12; - postgresql13Packages = gen 13; - postgresql14Packages = gen 14; - postgresql15Packages = gen 15; - postgresql16Packages = gen 16; - } // lib.optionalAttrs isOverlay { - postgresql = psql ""; - postgresql_11 = psql 11; - postgresql_12 = psql 12; - postgresql_13 = psql 13; - postgresql_14 = psql 14; - postgresql_15 = psql 15; - postgresql_16 = psql 16; - }; -in self diff --git a/pkgs/postgresql-packages/tsja.nix b/pkgs/postgresql-packages/tsja.nix deleted file mode 100644 index 8985840..0000000 --- a/pkgs/postgresql-packages/tsja.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ lib -, stdenv -, postgresql -, mecab -}: - -stdenv.mkDerivation rec { - pname = "tsja"; - version = "0.5.0"; - - src = fetchTarball { - url = "https://www.amris.jp/tsja/tsja-${version}.tar.xz"; - sha256 = "0hx4iygnqw1ay3nwrf3x2izflw4ip9i8i0yny26vivdz862m97w7"; - }; - - postPatch = '' - substituteInPlace Makefile \ - --replace /usr/local/pgsql ${postgresql} \ - --replace -L/usr/local/lib "" \ - --replace -I/usr/local/include "" - substituteInPlace tsja.c --replace /usr/local/lib/mecab ${mecab}/lib/mecab - ''; - - buildInputs = [ postgresql mecab ]; - - installPhase = '' - mkdir -p $out/lib $out/share/postgresql/extension - cp libtsja.so $out/lib - cp dbinit_libtsja.txt $out/share/postgresql/extension/libtsja_dbinit.sql - ''; - - meta = with lib; { - description = "PostgreSQL extension implementing Japanese text search"; - homepage = "https://www.amris.jp/tsja/index.html"; - maintainers = with maintainers; [ chayleaf ]; - platforms = postgresql.meta.platforms; - license = licenses.postgresql; - }; -} diff --git a/pkgs/rizin/rz-ghidra.nix b/pkgs/rizin/rz-ghidra.nix deleted file mode 100644 index b3b813e..0000000 --- a/pkgs/rizin/rz-ghidra.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ lib -, stdenv -, fetchFromGitHub -, cmake -# buildInputs -, rizin -, openssl -, pugixml -# optional buildInputs -, enableCutterPlugin ? true -, cutter -, qtbase -, qtsvg -}: - -stdenv.mkDerivation rec { - pname = "rz-ghidra"; - version = "0.5.0"; - - src = fetchFromGitHub { - owner = "rizinorg"; - repo = "rz-ghidra"; - rev = "v${version}"; - hash = "sha256-2QQEj4TIBmiZgbb66R7q6iEp2WitUc8Ui6Nr71JelXs="; - fetchSubmodules = true; - }; - - nativeBuildInputs = [ cmake ]; - buildInputs = [ - openssl - pugixml - rizin - ] ++ lib.optionals enableCutterPlugin [ - cutter - qtbase - qtsvg - ]; - - dontWrapQtApps = true; - - cmakeFlags = [ - "-DUSE_SYSTEM_PUGIXML=ON" - ] ++ lib.optionals enableCutterPlugin [ - "-DBUILD_CUTTER_PLUGIN=ON" - "-DCUTTER_INSTALL_PLUGDIR=share/rizin/cutter/plugins/native" - ]; - - meta = with lib; { - description = "Deep ghidra decompiler and sleigh disassembler integration for rizin"; - homepage = src.meta.homepage; - license = licenses.lgpl3; - maintainers = with maintainers; [ chayleaf ]; - }; -} diff --git a/pkgs/rizin/wrapper.nix b/pkgs/rizin/wrapper.nix deleted file mode 100644 index 575f11e..0000000 --- a/pkgs/rizin/wrapper.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ makeWrapper -, symlinkJoin -, unwrapped -}: - -plugins: - -symlinkJoin { - name = "cutter-with-plugins"; - - paths = [ unwrapped ] ++ plugins; - - nativeBuildInputs = [ makeWrapper ]; - - passthru = { - inherit unwrapped; - }; - - postBuild = '' - rm $out/bin/* - wrapperArgs=(--set RZ_LIBR_PLUGINS $out/lib/rizin/plugins) - if [ -d $out/share/rizin/cutter ]; then - wrapperArgs+=(--prefix XDG_DATA_DIRS : $out/share) - fi - for binary in $(ls ${unwrapped}/bin); do - makeWrapper ${unwrapped}/bin/$binary $out/bin/$binary "''${wrapperArgs[@]}" - done - ''; -} diff --git a/system/hardware/bpi-r3/default.nix b/system/hardware/bpi-r3/default.nix index 2d8772c..0e30100 100644 --- a/system/hardware/bpi-r3/default.nix +++ b/system/hardware/bpi-r3/default.nix 
@@ -9,7 +9,7 @@ }; #boot.kernelPackages = config._module.args.fromSourcePkgs.linuxPackages_bpiR3_ccache or pkgs.linuxPackages_bpiR3_ccache; - boot.kernelPackages = config._module.args.fromSourcePkgs.linuxPackages_bpiR3 or pkgs.linuxPackages_bpiR3; + boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.buildLinuxWithCcache (config._module.args.fromSourcePkgs.linux_bpiR3 or pkgs.linux_bpiR3)); hardware.deviceTree.enable = true; hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb"; diff --git a/system/hardware/msi-delta-15/default.nix b/system/hardware/msi-delta-15/default.nix index 77d0ab7..cd5977c 100644 --- a/system/hardware/msi-delta-15/default.nix +++ b/system/hardware/msi-delta-15/default.nix @@ -28,10 +28,8 @@ (final: prev: { amd-ucode = prev.amd-ucode.override { inherit (final) linux-firmware; }; linux-firmware = prev.stdenvNoCC.mkDerivation { - inherit (prev.linux-firmware) pname version meta src; - dontFixup = true; + inherit (prev.linux-firmware) pname version meta src dontFixup installFlags nativeBuildInputs; passthru = { inherit (prev.linux-firmware) version; }; - installFlags = [ "DESTDIR=$(out)" ]; # revert microcode updates which break boot for me patches = [ @@ -58,10 +56,8 @@ (final: prev: { amd-ucode = prev.amd-ucode.override { inherit (final) linux-firmware; }; linux-firmware = prev.stdenvNoCC.mkDerivation { - inherit (prev.linux-firmware) pname version meta src; - dontFixup = true; + inherit (prev.linux-firmware) pname version meta src dontFixup installFlags nativeBuildInputs; passthru = { inherit (prev.linux-firmware) version; }; - installFlags = [ "DESTDIR=$(out)" ]; patches = [ ]; postPatch = ""; }; diff --git a/system/hardware/msi-delta-15/revert-amd-ucode-update-fam19h.patch b/system/hardware/msi-delta-15/revert-amd-ucode-update-fam19h.patch index 698c50a..f26dd2a 100644 --- a/system/hardware/msi-delta-15/revert-amd-ucode-update-fam19h.patch +++ b/system/hardware/msi-delta-15/revert-amd-ucode-update-fam19h.patch 
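Review bot: The commented-out `#boot.kernelPackages = ... linuxPackages_bpiR3_ccache ...` line kept above the new assignment is now stale, since ccache is applied explicitly through `pkgs.buildLinuxWithCcache`; either delete it or turn it into a comment that explains the new line. The new line also packs a fallback and two wrappers into one statement; a `let linux = config._module.args.fromSourcePkgs.linux_bpiR3 or pkgs.linux_bpiR3; in` with `boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.buildLinuxWithCcache linux);` reads better and makes the fallback visible. `buildLinuxWithCcache` is not defined in this diff, so I assume it comes from the repo's ccache overlay.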
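Review bot: The two `linux-firmware = prev.stdenvNoCC.mkDerivation { ... }` overrides in system/hardware/msi-delta-15/default.nix (hunks `@@ -28,10 +28,8 @@` and `@@ -58,10 +56,8 @@`) are now identical apart from `patches`/`postPatch`, and this commit had to apply the same `inherit (prev.linux-firmware) pname version meta src dontFixup installFlags nativeBuildInputs;` edit in both places; a small helper in the enclosing scope that takes the extra attributes and merges them with `//` would keep the two from drifting. Inheriting `installFlags` and `nativeBuildInputs` from upstream instead of hardcoding `DESTDIR=$(out)` is the right direction, but the override still rebuilds the firmware derivation from a hand-picked attribute list, so a comment such as `# minimal rebuild of prev.linux-firmware so that patches apply to src; re-check the inherit list on linux-firmware bumps` would record that intent. Both overlays start and end outside their hunks.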
@@ -6,7 +6,7 @@ index dbcdced..dd7b8d5 100644 RawFile: amd-ucode/microcode_amd_fam17h.bin Version: 2023-07-19 RawFile: amd-ucode/microcode_amd_fam19h.bin --Version: 2023-08-08 +-Version: 2023-10-19 +Version: 2023-07-18 File: amd-ucode/README @@ -19,13 +19,13 @@ index f47743c..6a9ff1e 100644 Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes Microcode patches in microcode_amd_fam19h.bin: -- Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes -- Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes -- Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes +- Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101244 Length=5568 bytes Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes +- Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00213 Length=5568 bytes Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes - Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes +- Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101144 Length=5568 bytes - -NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0), -either AGESA version >= 1.0.0.8 OR a kernel with the following commit is @@ -45,14 +45,14 @@ index 8cff901..a32b4d6 100644 
@@ -1,11 +1,11 @@ -----BEGIN PGP SIGNATURE----- --iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmTEYrcACgkQ5L5TOfMo --rnN4IQf/QKbOezXZ4OYzaPANvsZQEAzLNfuylC/aQMwrPaO7daz5/zmCN4HU5XkH --dDT8DYfPg+fQHIgxAw0/L24xPOm5Op/QuLVDyDqVr4qvL8+65eeI+JqxD/wXMXYN --V34kkLM2p8iuyY1Nc8IDLXu4X75KGNPbKZlMRKMU3Pr7ai5O4ihmiAM+N6qv1KEJ --YToNN6vrg0qt1cv0SLM8sa4e7L1+oblUrg/o0FViYE8pxsU3ZRRVSJMUg+lKjvl/ --1ZPGKOdD80fcNJ+ItYGHNNs3eCc3WgW7Kc/E668eH75Yu9Zt7ewWZX8Sg/mygleY --OzMwhbPJg4bF4zm7C/Pku7i1T2Omcg== --=km2X +-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmUoW6AACgkQ5L5TOfMo +-rnMHAAf/SxaKEu5l7FGXR+QJYc2oSJDpf9ZsHTkVnxqF1I3ReItEGAR3iqSWrsRw +-KA4niP9Ihr8EqwhOaOtqkRKKF9D5yg+DksnRWbh2VTUECO4KQxjHNrPp3JWEzBwb +-Xn+vRVP02ZRi3u4MCYbnDC4AfUSnKnldY3TTlNi/6HUaGS2pcw8Vjli/C06zwfgh +-WwUAoFMQl4SDJhbGfC9cb93MKjBl/0Hv4uhK5W8fJ1iUkMvY8Ijna/oDTZCNPqP0 +-0AgOwdAdzoyOYWjbUXcwofz2Umpz12xmJW8yXNwdv1pmaCvv9aCJz1L49lGwFH9E +-lhhoFQ1SQL3hhPjTXO6DbeeT9+fjOg== +-=9Xav +iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS3F00ACgkQ5L5TOfMo +rnNEhQgAizSV8IFpvaYNytaJKLA4uevrZneGPV4czjCXnnj1yHpfQmCTyZQnoLnx +7gyzf7K5271zO51FBQ5z2Nm48a3XPUhMbQLNP4BZdekLiA3bRpMtSyHct6zD0ULm diff --git a/system/hardware/radxa-rock5a/default.nix b/system/hardware/radxa-rock5a/default.nix index 21edda0..d6ec4dc 100644 --- a/system/hardware/radxa-rock5a/default.nix +++ b/system/hardware/radxa-rock5a/default.nix 
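Review bot: The updated revert now pins the AMD fam19h microcode container back to `Version: 2023-07-18` in place of `2023-10-19` and swaps the accompanying PGP signature block for the older one, but the only stated reason anywhere on this page is the one-line `# revert microcode updates which break boot for me` in msi-delta-15/default.nix. Because microcode releases routinely carry security fixes, this .patch file should open with a header comment stating the revision kept, the affected machine and symptom, and where the upstream issue is tracked, so the revert has a clear end condition instead of being carried forward with every linux-firmware bump. The README hunk shows the set of removed `Family=0x19` entries has changed with this update, which is worth mentioning in that header as well. The file carrying the signature block is not named within this view, so whether anything downstream verifies it cannot be judged here.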
@@ -5,20 +5,7 @@ { boot.initrd.availableKernelModules = [ "ahci" "usbhid" "usb_storage" ]; - # TODO: switch to upstream when PCIe support works - # boot.kernelPackages = pkgs.linuxPackages_testing; - boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.buildLinux { - version = "6.6.0-rc1"; - kernelPatches = [ ]; - src = pkgs.fetchFromGitLab { - domain = "gitlab.collabora.com"; - group = "hardware-enablement"; - owner = "rockchip-3588"; - repo = "linux"; - rev = "f04271158aee35d270748301c5077231a75bc589"; - hash = "sha256-B85162plbt92p51f/M82y2zOg3/TqrBWqgw80ksJVGc="; - }; - }); + boot.kernelPackages = pkgs.linuxPackages_testing; boot.kernelParams = [ "dtb=/${config.hardware.deviceTree.name}" ]; hardware.deviceTree.enable = true; diff --git a/system/hosts/server/files.nix b/system/hosts/server/files.nix index f0ea8aa..be8c814 100644 --- a/system/hosts/server/files.nix +++ b/system/hosts/server/files.nix @@ -65,7 +65,6 @@ in { }; services.nextcloud = { enable = true; - enableBrokenCiphersForSSE = false; package = pkgs.nextcloud27; autoUpdateApps.enable = true; # TODO: use socket auth and remove the next line diff --git a/system/hosts/server/home.nix b/system/hosts/server/home.nix index 899a19a..9a9e552 100644 --- a/system/hosts/server/home.nix +++ b/system/hosts/server/home.nix @@ -12,6 +12,9 @@ let (x: "127.0.0.1:${toString x.port}") (builtins.attrValues (lib.filterAttrs (k: v: builtins.elem k names && v.enable) config.services.prometheus.exporters)); + hplip = pkgs.hplipWithPlugin.override { + withQt5 = false; + }; in { # a bunch of services for personal use not intended for the public # TODO: keycloakify this @@ -386,7 +389,7 @@ in { ''; listenAddresses = [ "*:631" ]; defaultShared = true; - drivers = [ pkgs.hplip ]; + drivers = [ hplip ]; startWhenNeeded = false; }; services.avahi = { 
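Review bot: The removed `# TODO: switch to upstream when PCIe support works` was the only record of why this board runs a non-release kernel, and the new `boot.kernelPackages = pkgs.linuxPackages_testing;` line carries no replacement. A one-line comment such as `# -rc kernel: presumably still needed for RK3588 (PCIe) support; revisit once a release kernel works` would keep that context. Note also that `linuxPackages_testing` tracks whichever release candidate nixpkgs currently ships, so the kernel on this host now moves with every nixpkgs input update instead of with the explicit `rev`/`hash` pin the hunk removes; acceptable for a board like this, but worth stating if the host is network-exposed. The enclosing attribute set begins before the hunk.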
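Review bot: The `drivers = [ hplip ];` change moves the CUPS driver from the plain `pkgs.hplip` to the `hplipWithPlugin` variant bound at the top of the file, so the proprietary HP plugin binary is now loaded in the print path as well, not only for SANE, and nothing in the hunk says why. A comment on the new `hplip = pkgs.hplipWithPlugin.override { withQt5 = false; };` binding, e.g. `# plugin variant presumably required by this printer/scanner; Qt disabled since the server is headless`, would record the decision for the next reader. The `let` binding and its use sit in different hunks, and the enclosing `let … in {` block starts outside both.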
@@ -398,7 +401,7 @@ in { }; hardware.sane = { enable = true; - extraBackends = with pkgs; [ hplipWithPlugin ]; + extraBackends = [ hplip ]; }; nixpkgs.config.allowUnfreePredicate = pkg: lib.getName pkg == "hplip"; services.scanservjs.enable = true; diff --git a/system/hosts/server/maubot.nix b/system/hosts/server/maubot.nix index aba4940..ffe0bc5 100644 --- a/system/hosts/server/maubot.nix +++ b/system/hosts/server/maubot.nix @@ -61,9 +61,7 @@ in { translate rss ]; - services.maubot.pythonPackages = [ - (pkgs.pineapplebot.override { magic = cfg.pizzabotMagic; }) - ] ++ (with pkgs.python3.pkgs; [ + services.maubot.pythonPackages = with pkgs.python3.pkgs; [ levenshtein - ]); + ]; } diff --git a/system/hosts/server/options.nix b/system/hosts/server/options.nix index d7fbad4..0e70ced 100644 --- a/system/hosts/server/options.nix +++ b/system/hosts/server/options.nix @@ -57,10 +57,6 @@ description = "unhashed noreply password for internal access only. \ This should be different from the password that is hashed for better security"; }; - pizzabotMagic = mkOption { - type = types.str; - default = ""; - }; }; }; description = "server settings"; diff --git a/system/modules/certspotter.nix b/system/modules/certspotter.nix deleted file mode 100644 index a0a54a3..0000000 --- a/system/modules/certspotter.nix +++ /dev/null 
@@ -1,115 +0,0 @@ -{ config -, lib -, pkgs -, ... }: - -let - cfg = config.services.certspotter; -in { - options.services.certspotter = { - enable = lib.mkEnableOption "Cert Spotter, a Certificate Transparency log monitor"; - sendmailPath = lib.mkOption { - type = lib.types.path; - description = '' - Path to the `sendmail` binary. By default, the local sendmail wrapper is used - (see `config.services.mail.sendmailSetuidWrapper`). - ''; - example = lib.literalExpression ''"''${pkgs.system-sendmail}/bin/sendmail"''; - }; - watchlist = lib.mkOption { - type = with lib.types; listOf str; - description = "Domain names to watch. To monitor a domain with all subdomains, prefix its name with `.` (e.g. `.example.org`)."; - default = [ ]; - example = [ ".example.org" "another.example.com" ]; - }; - emailRecipients = lib.mkOption { - type = with lib.types; listOf str; - description = "A list of email addresses to send certificate updates to."; - default = [ ]; - }; - hooks = lib.mkOption { - type = with lib.types; listOf path; - description = '' - Scripts to run upon the detection of a new certificate. See `man 8 certspotter-script` or [the GitHub page](https://github.com/SSLMate/certspotter/blob/master/man/certspotter-script.md) for more info. - ''; - default = []; - example = lib.literalExpression '' - [ - (pkgs.writeShellScript "certspotter-hook" ''' - echo "Event summary: $SUMMARY." 
- ''') - ] - ''; - }; - extraFlags = lib.mkOption { - type = with lib.types; listOf str; - description = "Extra command-line arguments to pass to Cert Spotter"; - example = [ "-start_at_end" ]; - default = [ ]; - }; - }; - config = lib.mkIf cfg.enable { - assertions = [ - { - assertion = cfg.watchlist != [ ]; - message = "You must specify at least one domain for Cert Spotter to watch"; - } - { - assertion = cfg.hooks != [] || cfg.emailRecipients != []; - message = "You must specify at least one hook or email recipient for Cert Spotter"; - } - { - assertion = (cfg.emailRecipients != []) -> (cfg.sendmailPath != "/run/current-system/sw/bin/false"); - message = '' - You must configure the sendmail setuid wrapper (services.mail.sendmailSetuidWrapper) - or services.certspotter.sendmailPath - ''; - } - ]; - services.certspotter.sendmailPath = lib.mkMerge [ - (lib.mkIf (config.services.mail.sendmailSetuidWrapper != null) (lib.mkOptionDefault "/run/wrappers/bin/sendmail")) - (lib.mkIf (config.services.mail.sendmailSetuidWrapper == null) (lib.mkOptionDefault "/run/current-system/sw/bin/false")) - ]; - users.users.certspotter = { - group = "certspotter"; - home = "/var/lib/certspotter"; - createHome = true; - isSystemUser = true; - # uid = config.ids.uids.certspotter; - }; - users.groups.certspotter = { - # gid = config.ids.gids.certspotter; - }; - systemd.services.certspotter = { - description = "Cert Spotter - Certificate Transparency Monitor"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - environment.CERTSPOTTER_CONFIG_DIR = pkgs.linkFarm "certspotter-config" - (lib.toList { - name = "watchlist"; - path = pkgs.writeText "cerspotter-watchlist" (builtins.concatStringsSep "\n" cfg.watchlist); - } - ++ lib.optional (cfg.emailRecipients != [ ]) { - name = "email_recipients"; - path = pkgs.writeText "cerspotter-email_recipients" (builtins.concatStringsSep "\n" cfg.emailRecipients); - } - ++ lib.optional (cfg.hooks != [ ]) { - name = "hooks.d"; - path = 
pkgs.linkFarm "certspotter-hooks" (lib.imap1 (i: path: { - inherit path; - name = "hook${toString i}"; - }) cfg.hooks); - }); - serviceConfig = { - User = "certspotter"; - Group = "certspotter"; - StateDirectory = "certspotter"; - }; - script = '' - export CERTSPOTTER_STATE_DIR="$STATE_DIRECTORY" - cd "$CERTSPOTTER_STATE_DIR" - ${pkgs.certspotter}/bin/certspotter -sendmail ${cfg.sendmailPath} ${lib.escapeShellArgs cfg.extraFlags} - ''; - }; - }; -}