24.11 -> 25.05

2025-05-27 18:54:20 -04:00 · 2025-05-27 18:54:20 -04:00 · 71e55e9fb4
parent c28f6adcc2
commit 71e55e9fb4
6 changed files with 27 additions and 55 deletions
--- a/flake.lock
+++ b/flake.lock
@ -5,7 +5,7 @@
        "crane": "crane",
        "flake-utils": "flake-utils",
        "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
        ]
      },
      "locked": {
@ -181,16 +181,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1748037224,
-        "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=",
+        "lastModified": 1748162331,
+        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f09dede81861f3a83f7f06641ead34f02f37597f",
+        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -210,22 +210,6 @@
        "type": "github"
      }
    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1747744144,
-        "narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
        "breeze": "breeze",
@ -234,7 +218,6 @@
        "flake-parts": "flake-parts",
        "impermanence": "impermanence",
        "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
        "sim-breeze": "sim-breeze",
        "sops-nix": "sops-nix"
      }
--- a/flake.nix
+++ b/flake.nix
@ -2,8 +2,7 @@
  description = "computer systems infrastructure";

  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";

    flake-parts.url = "github:hercules-ci/flake-parts";

@ -19,7 +18,7 @@
    impermanence.url = "github:nix-community/impermanence";

    breeze.url = "git+https://git.min.rip/min/breeze.git";
-    breeze.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    breeze.inputs.nixpkgs.follows = "nixpkgs";

    sim-breeze.url = "git+ssh://git@git.min.rip/min/sim-breeze.git";
    sim-breeze.inputs.nixpkgs.follows = "nixpkgs";
@ -43,10 +42,10 @@
      }: {
        devShells.default = pkgs.mkShell {
          packages = with pkgs; [
-            inputs'.nixpkgs-unstable.legacyPackages.sops
+            sops
            ssh-to-age
            openssl
-            inputs'.nixpkgs-unstable.legacyPackages.nebula
+            nebula
            # not included: age, age-plugin-yubikey, pcscd

            wireguard-tools
--- a/nixos/hosts/eidola/nebula.nix
+++ b/nixos/hosts/eidola/nebula.nix
@ -1,11 +1,10 @@
 {config, ...}: let
-  inherit (import ../../modules/nebula/shared.nix) userGroup service;
+  inherit (import ../../modules/nebula/shared.nix) userGroup;
 in {
  sops.secrets."nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
-    restartUnits = [service];
  };

  # TODO: why?
--- a/nixos/hosts/silver/services/nebula.nix
+++ b/nixos/hosts/silver/services/nebula.nix
@ -1,11 +1,10 @@
 {config, ...}: let
-  inherit (import ../../../modules/nebula/shared.nix) userGroup service;
+  inherit (import ../../../modules/nebula/shared.nix) userGroup;
 in {
  sops.secrets."svc-nebula-key" = {
    mode = "0440";
    owner = userGroup;
    group = userGroup;
-    restartUnits = [service];
  };

  networking.firewall.allowedUDPPorts = [4242];
--- a/nixos/modules/nebula/default.nix
+++ b/nixos/modules/nebula/default.nix
@ -4,7 +4,7 @@
  ...
 }:
 with lib; let
-  inherit (import ./shared.nix) netName interface service;
+  inherit (import ./shared.nix) netName interface;

  ca = ../../keys/ca.crt;

@ -81,28 +81,21 @@ in {
    };
  };

-  config = mkMerge [
-    (mkIf cfg.enable {
-      networking.firewall.trustedInterfaces = [interface];
+  config = mkIf cfg.enable {
+    networking.firewall.trustedInterfaces = [interface];

-      services.nebula.networks.${netName} = mkMerge [
-        {
-          inherit ca;
-          inherit (cfg) cert key;
+    services.nebula.networks.${netName} = mkMerge [
+      {
+        inherit ca;
+        inherit (cfg) cert key;

-          firewall = {
-            inherit (baseFirewall) outbound;
-            inbound = baseFirewall.inbound ++ cfg.extraInbound;
-          };
-        }
-        (mkIf cfg.enableLighthouse baseServer)
-        (mkIf (!cfg.enableLighthouse) baseClient)
-      ];
-    })
-    (mkIf config.services.openssh.enable {
-      # Make sure sshd starts after nebula
-      # TODO: is this necessary?
-      systemd.services.sshd.after = [service];
-    })
-  ];
+        firewall = {
+          inherit (baseFirewall) outbound;
+          inbound = baseFirewall.inbound ++ cfg.extraInbound;
+        };
+      }
+      (mkIf cfg.enableLighthouse baseServer)
+      (mkIf (!cfg.enableLighthouse) baseClient)
+    ];
+  };
 }
--- a/nixos/modules/nebula/shared.nix
+++ b/nixos/modules/nebula/shared.nix
@ -4,5 +4,4 @@ rec {
  # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix
  interface = "nebula.${netName}";
  userGroup = "nebula-${netName}";
-  service = "nebula@${netName}.service";
 }