From e8bab677dbbec8a73de9321c1b123c924eb007eb Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 13 Dec 2023 22:42:34 +0100 Subject: [PATCH 1/5] chore: update flake inputs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'deploy-rs': 'github:serokell/deploy-rs/660180bbbeae7d60dad5a92b30858306945fd427' (2023-11-02) → 'github:serokell/deploy-rs/915327515f5fd1b7719c06e2f1eb304ee0bdd803' (2023-12-13) • Updated input 'deploy-rs/flake-compat': 'github:edolstra/flake-compat/009399224d5e398d03b22badca40a37ac85412a1' (2022-11-17) → 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04) • Updated input 'deploy-rs/utils': 'github:numtide/flake-utils/5aed5285a952e0b949eb3ba02c12fa4fcfef535f' (2022-11-02) → 'github:numtide/flake-utils/4022d587cbbfd70fe950c1e2083a02621806a725' (2023-12-04) • Added input 'deploy-rs/utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Updated input 'home-manager': 'github:nix-community/home-manager/aeb2232d7a32530d3448318790534d196bf9427a' (2023-11-24) → 'github:nix-community/home-manager/6761b8188b860f374b457eddfdb05c82eef9752f' (2023-12-10) • Updated input 'nixos-flake': 'github:srid/nixos-flake/7c9168884128ed4634751b3e2f5553b09d7b8cb0' (2023-11-28) → 'github:srid/nixos-flake/4e422edf6b511f8e214b392cf1a0d4707a0399a4' (2023-12-09) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/5de0b32be6e85dc1a9404c75131316e4ffbc634c' (2023-12-01) → 'github:nixos/nixpkgs/cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7' (2023-12-12) • Updated input 'unstable': 'github:nixos/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58' (2023-11-29) → 'github:nixos/nixpkgs/a9bf124c46ef298113270b1f84a164865987a91c' (2023-12-11) --- flake.lock | 64 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/flake.lock b/flake.lock index 248f5b0..5e729ab 100644 --- a/flake.lock +++ b/flake.lock 
@@ -35,11 +35,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1698921442, - "narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=", + "lastModified": 1702460489, + "narHash": "sha256-H6s6oVLvx7PCjUcvfkB89Bb+kbaiJxTAgWfMjiQTjA0=", "owner": "serokell", "repo": "deploy-rs", - "rev": "660180bbbeae7d60dad5a92b30858306945fd427", + "rev": "915327515f5fd1b7719c06e2f1eb304ee0bdd803", "type": "github" }, "original": { @@ -54,7 +54,7 @@ "keycloak-theme-pub-solar", "nixpkgs" ], - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1688380630, @@ -90,11 +90,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -123,7 +123,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1689068808, @@ -161,11 +161,11 @@ ] }, "locked": { - "lastModified": 1700814205, - "narHash": "sha256-lWqDPKHRbQfi+zNIivf031BUeyciVOtwCwTjyrhDB5g=", + "lastModified": 1702195709, + "narHash": "sha256-+zRjWkm5rKqQ57PuLZ3JF3xi3vPMiOJzItb1m/43Cq4=", "owner": "nix-community", "repo": "home-manager", - "rev": "aeb2232d7a32530d3448318790534d196bf9427a", + "rev": "6761b8188b860f374b457eddfdb05c82eef9752f", "type": "github" }, "original": { 
@@ -221,11 +221,11 @@ }, "nixos-flake": { "locked": { - "lastModified": 1701201086, - "narHash": "sha256-GU2A+dI5Kp2+4g2dWixeTkp6yKhaW9BZ1uE9Z5cC82w=", + "lastModified": 1702145288, + "narHash": "sha256-apVeRT0kOnDejwwBwbwNccm+qq1l6+qUOiRKE0vK5qk=", "owner": "srid", "repo": "nixos-flake", - "rev": "7c9168884128ed4634751b3e2f5553b09d7b8cb0", + "rev": "4e422edf6b511f8e214b392cf1a0d4707a0399a4", "type": "github" }, "original": { @@ -236,11 +236,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701389149, - "narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=", + "lastModified": 1702346276, + "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c", + "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7", "type": "github" }, "original": { @@ -330,6 +330,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "triton-vmtools": { "inputs": { "flake-utils": "flake-utils_2", @@ -356,11 +371,11 @@ }, "unstable": { "locked": { - "lastModified": 1701253981, - "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", + "lastModified": 1702312524, + "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", + "rev": "a9bf124c46ef298113270b1f84a164865987a91c", "type": "github" }, "original": { 
@@ -371,12 +386,15 @@ } }, "utils": { + "inputs": { + "systems": "systems" + }, "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { -- 2.44.1 From 294f3b7836c39bbe139f34f82dae22efb9888b2a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 13 Dec 2023 22:43:11 +0100 Subject: [PATCH 2/5] fix: add result to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 4c7daf8..58b21b7 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ .direnv .terraform *.plan +result -- 2.44.1 From efb789d658f642109d123272e51888b23b928bb1 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 13 Dec 2023 22:43:28 +0100 Subject: [PATCH 3/5] docs: how to show diff with nix before deploying updates --- docs/nix-flake-updates.md | 43 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 docs/nix-flake-updates.md diff --git a/docs/nix-flake-updates.md b/docs/nix-flake-updates.md new file mode 100644 index 0000000..eef1613 --- /dev/null +++ b/docs/nix-flake-updates.md 
@@ -0,0 +1,43 @@
+Use these commands to show the diff between versions for planning updates:
+
+```
+OLD_CLOSURE=$(nix build --print-out-paths .#nixosConfigurations.nachtigall.config.system.build.toplevel)
+/nix/store/c6wqp1vzvyr3bq2igd8p460613ddwrmj-nixos-system-nachtigall-23.11.20231201.5de0b32
+```
+
+```
+nix flake update
+...
+```
+
+```
+NEW_CLOSURE=$(nix build --print-out-paths .#nixosConfigurations.nachtigall.config.system.build.toplevel)
+/nix/store/xynyf943d2nw1wgawhzxh13xkkf1whb0-nixos-system-nachtigall-23.11.20231210.781e2a9
+```
+
+```
+nix store diff-closures $OLD_CLOSURE $NEW_CLOSURE
+cpupower: 6.1.64 → 6.1.66
+element-web: 1.11.47 → 1.11.51, +5325.9 KiB
+element-web-wrapped: 1.11.47 → 1.11.51
+initrd-linux: 6.1.64 → 6.1.66
+keycloak: 22.0.5 → 23.0.0, +15201.4 KiB
+linux: 6.1.64, 6.1.64-modules → 6.1.66, 6.1.66-modules, +8.3 KiB
+mastodon: 4.2.1 → 4.2.3, +16.3 KiB
+mastodon-gems: 4.2.1 → 4.2.3, +14.4 KiB
+mastodon-modules: 4.2.1 → 4.2.3
+nix: +18.8 KiB
+nixos-manual: +73.6 KiB
+nixos-system-nachtigall: 23.11.20231201.5de0b32 → 23.11.20231210.781e2a9
+opensearch: 2.11.0 → 2.11.1, +560.5 KiB
+owncast: 0.1.1 → 0.1.2, +798.9 KiB
+ruby3.2.2-bcp47_spec: ∅ → 0.2.1, +13.6 KiB
+ruby3.2.2-json-canonicalization: 0.3.2 → 1.0.0
+ruby3.2.2-json-ld: 3.2.5 → 3.3.1
+ruby3.2.2-rdf: 3.2.11 → 3.3.1
+samba: +12.5 KiB
+source: +3888.1 KiB
+wrapped-ruby-mastodon-gems: 4.2.1 → 4.2.3
+zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66
+zfs-user: 2.2.1 → 2.2.2
+```
--
2.44.1
From 4562bda0bfb4f4756c79ad287152ec42444727d5 Mon Sep 17 00:00:00 2001
From: teutat3s Date: Thu, 14 Dec 2023 00:18:28 +0100 Subject: [PATCH 4/5] fix(ci): avoid nix trying to use GH access-token The GITHUB_TOKEN env var is set on each step by https://code.forgejo.org/forgejo/runner, but only to communicate with forgejo to access the repo (if it is private) error: unable to download 'https://api.github.com/repos/srid/nixos-flake/tarball/4e422edf6b511f8e214b392cf1a0d4707a0399a4': HTTP error 401 --- .forgejo/workflows/check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/check.yml b/.forgejo/workflows/check.yml index a10626b..f8f9f03 100644 --- a/.forgejo/workflows/check.yml +++ b/.forgejo/workflows/check.yml @@ -47,4 +47,4 @@ jobs: - name: Run flake checks run: | - nix --print-build-logs --verbose --accept-flake-config flake check + nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check -- 2.44.1 From e6177069ab9d4cbb182eb8d037227a6c9e7e51a8 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 14 Dec 2023 00:49:21 +0100 Subject: [PATCH 5/5] fix(security): pull in forgejo 1.20.6-1 early MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1206-1 https://github.com/NixOS/nixpkgs/pull/274026 https://nixpk.gs/pr-tracker.html?pr=274026 • Added input 'release-2311': 'github:nixos/nixpkgs/c15f414581b4eb4113eed52ed303a1e62771fb6f' (2023-12-13) --- flake.lock | 17 +++++++++++++++++ flake.nix | 1 + overlays/default.nix | 9 ++++++++- 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 5e729ab..452a663 100644 --- a/flake.lock +++ b/flake.lock 
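Review bot: The `--access-tokens ''` added to the `flake check` command in `.forgejo/workflows/check.yml` is explained only in the commit message, so the workflow itself gives no hint why the flag is there. A comment above the command, e.g. `# runner's GITHUB_TOKEN is a Forgejo token; keep nix from sending it to api.github.com`, would stop a later cleanup from removing it. The 401 quoted in the commit message suggests the Forgejo-scoped token was being presented to GitHub, so it may be worth clearing it where nix's access-tokens setting gets populated (not visible in this hunk) rather than per command, which would also cover any other nix invocation in the job. With tokens cleared, the `github:` inputs are fetched anonymously and fall under GitHub's unauthenticated rate limit, which can show up as intermittent fetch failures on a shared runner address.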
@@ -284,6 +284,22 @@ "type": "github" } }, + "release-2311": { + "locked": { + "lastModified": 1702509556, + "narHash": "sha256-trm+c/erCSRe+Mi2fAaI975+jrU8uhmUznx8py6N9po=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "c15f414581b4eb4113eed52ed303a1e62771fb6f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -296,6 +312,7 @@ "nixos-flake": "nixos-flake", "nixpkgs": "nixpkgs", "nixpkgs-2205": "nixpkgs-2205", + "release-2311": "release-2311", "triton-vmtools": "triton-vmtools", "unstable": "unstable" } diff --git a/flake.nix b/flake.nix index 7cb4db7..13cb071 100644 --- a/flake.nix +++ b/flake.nix @@ -4,6 +4,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + release-2311.url = "github:nixos/nixpkgs/release-23.11"; nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05"; nix-darwin.url = "github:lnl7/nix-darwin/master"; diff --git a/overlays/default.nix b/overlays/default.nix index 4f7efb8..37a7340 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -7,8 +7,15 @@ nixosModules = rec { overlays = ({ ... }: { nixpkgs.overlays = [ - (final: prev: { + (final: prev: + let + release-2311 = import inputs.release-2311 { + system = prev.system; + }; + in + { element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; + forgejo = release-2311.forgejo; }) ]; }); -- 2.44.1
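Review bot: The new `release-2311.url` input in `flake.nix` carries no comment saying it exists only to pick up the forgejo fix ahead of the channel. A line above it such as `# temporary: forgejo 1.20.6-1 ahead of nixos-23.11, see NixOS/nixpkgs#274026` would record that. `release-23.11` is the branch the `nixos-23.11` channel advances from, so a revision locked from it has not necessarily passed the channel's test gate, and its packages may not yet be in the binary cache. Only forgejo is taken from this input in the commit, which keeps that exposure small.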
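Review bot: `forgejo = release-2311.forgejo;` in `overlays/default.nix` is unconditional and has no removal condition, so once the `nixpkgs` input contains the fixed version, forgejo will still follow the separately locked `release-2311` input, and updating only `nixpkgs` could leave it behind. A version guard would make the override retire itself: `forgejo = if prev.lib.versionOlder prev.forgejo.version release-2311.forgejo.version then release-2311.forgejo else prev.forgejo;`. Failing that, a `# TODO: drop once NixOS/nixpkgs#274026 reaches nixos-23.11` comment next to the line would at least mark it as temporary. The enclosing `nixosModules = rec {` set starts and ends outside the hunk.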