authorV <v@unfathomable.blue>2022-06-02 18:44:20 +0200
committerV <v@unfathomable.blue>2022-06-04 00:19:22 +0200
commit69d03945f1027df7fc8d9d27a8be9d71712584f0 (patch)
tree7b45b3acc8b529b6d9b0c0623b16cd863664177c
parentae60d61097496b57ccb051db67d76e0f7a238741 (diff)
fleet: upgrade to NixOS 22.05
Change-Id: Ie5542d079ee7b2de06e0faed52343905b3287b39
-rw-r--r--fleet/configuration.nix2
-rw-r--r--fleet/hosts/kaikou/default.nix2
-rw-r--r--fleet/hosts/kaikou/gerrit.nix2
-rw-r--r--fleet/hosts/trieste/cgit/default.nix4
-rw-r--r--fleet/hosts/trieste/default.nix2
-rw-r--r--fleet/hosts/trieste/lists.nix2
-rw-r--r--fleet/hosts/trieste/web.nix2
-rw-r--r--fleet/hosts/vityaz/default.nix2
-rw-r--r--fleet/modules/acme.nix4
-rw-r--r--fleet/modules/cgiserver.nix11
-rw-r--r--fleet/modules/public-inbox.nix4
-rw-r--r--fleet/modules/web.nix4
-rw-r--r--fleet/pkgs/overlay.nix10
-rw-r--r--fleet/pkgs/permission-warnings-only-when-necessary.patch50
14 files changed, 22 insertions, 79 deletions
diff --git a/fleet/configuration.nix b/fleet/configuration.nix
index 2ba819a..736e0d5 100644
--- a/fleet/configuration.nix
+++ b/fleet/configuration.nix
@@ -97,7 +97,7 @@ in {
   services.openssh = {
     enable = true;
     passwordAuthentication = false;
-    challengeResponseAuthentication = false;
+    kbdInteractiveAuthentication = false;
     # TODO(V): Route exclusively over WireGuard, if you dare
   };
 
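Review bot: The renamed `kbdInteractiveAuthentication = false;` line, together with `passwordAuthentication = false;` just above it, leaves public-key as the only prompt-free method this block enables, yet nothing in the block records that this is deliberate, and the new name is less self-explanatory than the old `challengeResponseAuthentication` was. A one-line comment above the pair, `# Key-only SSH: both password and keyboard-interactive (PAM) prompts are disabled on purpose`, would preserve that intent for the next reader. The rename itself tracks OpenSSH, where ChallengeResponseAuthentication became a deprecated alias of KbdInteractiveAuthentication, so no behaviour change is expected from this hunk; whether any other method (e.g. GSSAPI) is enabled elsewhere in the file cannot be seen from here.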
diff --git a/fleet/hosts/kaikou/default.nix b/fleet/hosts/kaikou/default.nix
index fcb22db..6fe132b 100644
--- a/fleet/hosts/kaikou/default.nix
+++ b/fleet/hosts/kaikou/default.nix
@@ -29,7 +29,7 @@ with lib;
     prefixLength = 64;
   };
 
-  services.caddy.config = ''
+  services.caddy.extraConfig = ''
     kaikou.unfathomable.blue {
       import common
       redir / https://en.wikipedia.org/wiki/Kaik%C5%8D_ROV
diff --git a/fleet/hosts/kaikou/gerrit.nix b/fleet/hosts/kaikou/gerrit.nix
index f97ba23..5308ad4 100644
--- a/fleet/hosts/kaikou/gerrit.nix
+++ b/fleet/hosts/kaikou/gerrit.nix
@@ -32,7 +32,7 @@
     };
   };
 
-  services.caddy.config = ''
+  services.caddy.extraConfig = ''
     review.unfathomable.blue {
       import common
       reverse_proxy localhost:8080
diff --git a/fleet/hosts/trieste/cgit/default.nix b/fleet/hosts/trieste/cgit/default.nix
index 880842b..17f3e4f 100644
--- a/fleet/hosts/trieste/cgit/default.nix
+++ b/fleet/hosts/trieste/cgit/default.nix
@@ -21,7 +21,7 @@ let
     '';
     passAsFile = [ "extraStyles" ];
   } ''
-    ${pkgs.minify}/bin/minify --type css ${pkgs.cgit}/cgit/cgit.css $extraStylesPath -o $out/cgit.css
+    ${pkgs.minify}/bin/minify --type css --bundle ${pkgs.cgit}/cgit/cgit.css $extraStylesPath -o $out/cgit.css
     cp ${./un.svg} $out/un.svg  # TODO(V): remove this variant, apply padding to the Sigil using CSS
     cp ${./unicon.svg} $out/unicon.svg  # This is the same as un.svg, but without any padding
     cp ${./ripple.svg} $out/ripple.svg  # This is referenced in git.nix (as config.cgit.logo, for Ripple)
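Review bot: The added `--bundle` flag is what lets the two CSS inputs (`${pkgs.cgit}/cgit/cgit.css` and `$extraStylesPath`) be written to a single `-o` output, and nothing on the line says so, which makes it easy to drop the flag again as an apparent no-op. A trailing comment such as `# --bundle: concatenate both inputs into the single -o file` would make the dependency explicit. It is also worth a word that input order matters here: `$extraStylesPath` (the file written via `passAsFile`) comes second, so its rules presumably override cgit's defaults on conflict; if that is the intent, say so next to the `extraStyles` definition, which starts before this hunk.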
@@ -75,7 +75,7 @@ in {
   };
 
   # TODO(V): set up git-http-backend. Disable enable-http-clone when we've done that?
-  services.caddy.config = ''
+  services.caddy.extraConfig = ''
     src.unfathomable.blue {
       import common
 
diff --git a/fleet/hosts/trieste/default.nix b/fleet/hosts/trieste/default.nix
index 1ca50ac..97dfbd0 100644
--- a/fleet/hosts/trieste/default.nix
+++ b/fleet/hosts/trieste/default.nix
@@ -39,7 +39,7 @@ with lib;
     prefixLength = 64;
   };
 
-  services.caddy.config = ''
+  services.caddy.extraConfig = ''
     trieste.unfathomable.blue {
       import common
       redir / https://en.wikipedia.org/wiki/Trieste_(bathyscaphe)
diff --git a/fleet/hosts/trieste/lists.nix b/fleet/hosts/trieste/lists.nix
index a4e9a69..87c46d9 100644
--- a/fleet/hosts/trieste/lists.nix
+++ b/fleet/hosts/trieste/lists.nix
@@ -49,7 +49,7 @@ with lib;
   # By default, the index 404s with the rather confusing message "no inboxes, yet", even when there are inboxes configured.
   services.public-inbox.settings.publicinbox.wwwlisting = "all";
 
-  services.caddy.config = ''
+  services.caddy.extraConfig = ''
     lists.unfathomable.blue {
       import common
       reverse_proxy unix//run/public-inbox/httpd.sock
diff --git a/fleet/hosts/trieste/web.nix b/fleet/hosts/trieste/web.nix
index d32fc44..9b7752b 100644
--- a/fleet/hosts/trieste/web.nix
+++ b/fleet/hosts/trieste/web.nix
@@ -16,7 +16,7 @@
     '')
   ];
 
-  services.caddy.config = ''
+  services.caddy.extraConfig = ''
     unfathomable.blue {
       import common
       respond / "the depths await"
diff --git a/fleet/hosts/vityaz/default.nix b/fleet/hosts/vityaz/default.nix
index 8508518..bd7af5f 100644
--- a/fleet/hosts/vityaz/default.nix
+++ b/fleet/hosts/vityaz/default.nix
@@ -71,7 +71,7 @@ with lib;
 
   boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
 
-  services.caddy.config = ''
+  services.caddy.extraConfig = ''
     vityaz.unfathomable.blue {
       import common
       redir / https://en.wikipedia.org/wiki/Vityaz-D_Autonomous_Underwater_Vehicle
diff --git a/fleet/modules/acme.nix b/fleet/modules/acme.nix
index f06ac4e..0c04228 100644
--- a/fleet/modules/acme.nix
+++ b/fleet/modules/acme.nix
@@ -32,10 +32,10 @@ in {
   config = {
     security.acme = {
       acceptTerms = true;
-      email = "acme@unfathomable.blue";
+      defaults.email = "acme@unfathomable.blue";
     };
 
-    services.caddy.config = ''
+    services.caddy.extraConfig = ''
       ${concatStringsSep ", " (unique (mapAttrsToList (_: cert: "http://${cert.domain}") config.security.acme.certs))} {
         import all
 
diff --git a/fleet/modules/cgiserver.nix b/fleet/modules/cgiserver.nix
index 6cafbe0..a3e94c2 100644
--- a/fleet/modules/cgiserver.nix
+++ b/fleet/modules/cgiserver.nix
@@ -1,15 +1,16 @@
 # SPDX-FileCopyrightText: V <v@unfathomable.blue>
 # SPDX-License-Identifier: OSL-3.0
 
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, utils, pkgs, ... }:
 
 with lib;
 
 let
   cfg = config.services.cgiserver;
 
-  inherit (import "${modulesPath}/system/boot/systemd-unit-options.nix" { inherit config lib; })
-    serviceOptions socketOptions;
+  inherit (utils.systemdUtils.unitOptions)
+    serviceOptions
+    socketOptions;
 
   # TODO(V): These descriptions could use a bit of work.
   instanceOpts = { name, ... }: {
@@ -33,13 +34,13 @@ let
 
       serviceConfig = mkOption {
         description = "Extra options to put in the [Service] section of the application's service unit.";
-        inherit (serviceOptions.serviceConfig) type;
+        inherit ((serviceOptions { name = null; config = null; }).options.serviceConfig) type;
         default = {};
       };
 
       listenStreams = mkOption {
         description = "Addresses to listen on, in the format used by the ListenStream option of systemd.socket(5).";
-        inherit (socketOptions.listenStreams) type;
+        inherit (socketOptions.options.listenStreams) type;
         default = [ "/run/${name}/${name}.sock" ];
       };
     };
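Review bot: The new `serviceOptions { name = null; config = null; }` call on the `serviceConfig` line works only because the result is immediately narrowed to `.options.serviceConfig.type`, so the dummy `null` arguments are never otherwise evaluated; nothing on the line says so, and the asymmetric `socketOptions.options.listenStreams` (no call) a few lines down reads like an inconsistency at first glance. Suggest a short comment above the `serviceConfig` option: `# serviceOptions is a module function in 22.05 (socketOptions is a plain attrset); it is called with dummy args only to borrow the option's type.` The same applies to the `inherit (utils.systemdUtils.unitOptions)` lines in the first hunk of this file, which is where the two names now come from. The `instanceOpts` definition these options belong to starts in the previous hunk and its closing `};` is outside this one.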
diff --git a/fleet/modules/public-inbox.nix b/fleet/modules/public-inbox.nix
index c263fad..d5e041c 100644
--- a/fleet/modules/public-inbox.nix
+++ b/fleet/modules/public-inbox.nix
@@ -50,6 +50,10 @@ let
     };
   };
 in {
+  # XXX(V): this is here to fix the build until we migrate to the
+  # upstream module that was added recently.
+  disabledModules = [ "services/mail/public-inbox.nix" ];
+
   options.services.public-inbox = {
     enable = mkOption {
       type = types.bool;
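Review bot: The new `disabledModules` comment says it is "here to fix the build" but not what breaks, which is the detail a future maintainer needs when deciding whether it can be removed. Suggest rewording it to `# XXX(V): NixOS 22.05 ships its own services.public-inbox module; two modules declaring the same options fail evaluation, so disable upstream until we migrate to it.` The option declarations that collide with upstream start on the `options.services.public-inbox` line directly below and continue past this hunk.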
diff --git a/fleet/modules/web.nix b/fleet/modules/web.nix
index 248f78b..b4328b7 100644
--- a/fleet/modules/web.nix
+++ b/fleet/modules/web.nix
@@ -8,7 +8,7 @@
     enable = true;
 
     # Snippets must be defined before they are used, so the mkBefore ensures they come first.
-    config = lib.mkBefore ''
+    extraConfig = lib.mkBefore ''
       (all) {
         log {
           output file /var/log/caddy/access.log
@@ -40,7 +40,5 @@
     '';
   };
 
-  systemd.services.caddy.serviceConfig.LogsDirectory = "caddy";
-
   networking.firewall.interfaces.ens3.allowedTCPPorts = [ 80 443 ];
 }
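Review bot: Dropping `systemd.services.caddy.serviceConfig.LogsDirectory = "caddy";` removes the only visible guarantee that `/var/log/caddy` exists and is writable by the caddy user, while the first hunk of this file still points `output file /var/log/caddy/access.log` at it; presumably the 22.05 caddy module now provisions that directory itself, but nothing here records that assumption. Suggest a comment beside the log directive in the first hunk, `# /var/log/caddy is provisioned by the NixOS caddy module since 22.05 (confirm against the module)`, or, if the module exposes its log directory as an option, referencing that option instead of the literal path so the two cannot drift apart. The `extraConfig` string that contains the directive opens in the first hunk and closes at the `'';` at the top of this one.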
diff --git a/fleet/pkgs/overlay.nix b/fleet/pkgs/overlay.nix
index 49cc524..95330fa 100644
--- a/fleet/pkgs/overlay.nix
+++ b/fleet/pkgs/overlay.nix
@@ -10,16 +10,6 @@ final: prev: {
   public-inbox = final.perlPackages.callPackage ./public-inbox {};
   public-inbox-init-lite = final.callPackage ./public-inbox-init-lite {};
 
-  # Fixes bundler complaining loudly if $HOME is read-only or unset
-  # Taken from https://github.com/rubygems/rubygems/pull/4724
-  # This is here because the CGit about filter invokes Asciidoctor,
-  # which otherwise causes its log to fill with spurious error messages.
-  # Can be removed once Bundler 2.2.23 or above makes its way into stable.
-  bundler = prev.bundler.overrideAttrs ({ patches ? [], ... }: {
-    patches = patches ++ [ ./permission-warnings-only-when-necessary.patch ];
-    dontBuild = false;
-  });
-
   # Fixes archives having silly permissions due to Postfix messing with the umask
   mlmmj = prev.mlmmj.overrideAttrs ({ patches ? [], ... }: {
     patches = patches ++ [ ./group-readable-archives.patch ];
diff --git a/fleet/pkgs/permission-warnings-only-when-necessary.patch b/fleet/pkgs/permission-warnings-only-when-necessary.patch
deleted file mode 100644
index 4a557a5..0000000
--- a/fleet/pkgs/permission-warnings-only-when-necessary.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-SPDX-FileCopyrightText: David Rodríguez <deivid.rodriguez@riseup.net>
-SPDX-License-Identifier: MIT
---- a/lib/bundler.rb
-+++ b/lib/bundler.rb
-@@ -236,8 +236,9 @@ def user_home
-         end
- 
-         if warning
--          user_home = tmp_home_path(warning)
--          Bundler.ui.warn "#{warning}\nBundler will use `#{user_home}' as your home directory temporarily.\n"
-+          Bundler.ui.warn "#{warning}\n"
-+          user_home = tmp_home_path
-+          Bundler.ui.warn "Bundler will use `#{user_home}' as your home directory temporarily.\n"
-           user_home
-         else
-           Pathname.new(home)
-@@ -684,15 +685,13 @@ def configure_gem_home
-       Bundler.rubygems.clear_paths
-     end
- 
--    def tmp_home_path(warning)
-+    def tmp_home_path
-       Kernel.send(:require, "tmpdir")
-       SharedHelpers.filesystem_access(Dir.tmpdir) do
-         path = Bundler.tmp
-         at_exit { Bundler.rm_rf(path) }
-         path
-       end
--    rescue RuntimeError => e
--      raise e.exception("#{warning}\nBundler also failed to create a temporary home directory':\n#{e}")
-     end
- 
-     # @param env [Hash]
-
---- a/lib/bundler/settings.rb
-+++ b/lib/bundler/settings.rb
-@@ -428,12 +428,8 @@ def printable_value(value, key)
-     def global_config_file
-       if ENV["BUNDLE_CONFIG"] && !ENV["BUNDLE_CONFIG"].empty?
-         Pathname.new(ENV["BUNDLE_CONFIG"])
--      else
--        begin
--          Bundler.user_bundle_path("config")
--        rescue PermissionError, GenericSystemCallError
--          nil
--        end
-+      elsif Bundler.rubygems.user_home && !Bundler.rubygems.user_home.empty?
-+        Pathname.new(Bundler.rubygems.user_home).join(".bundle/config")
-       end
-     end