| commit | 915067dd9b75f5bcad45c8169fc06e5a8e8977a5 |
|---|---|
| author | Skyler Grey <minion@clicks.codes>, Sun Dec 03 13:46:53 2023 +0000 |
| committer | Samuel Shuert <coded@clicks.codes>, Sat Dec 09 20:05:07 2023 +0000 |
| tree | b14f851ee454636df3c4a8b4ac5ece04215adb90 |
| parent | 45489981b685fdf0bd22d90b58ae2946e6b3ed9a |
Update to NixOS 23.11

Most of the release notes we have the luxury of not caring about; however, for some we needed to make changes:

- postgresql ensurePermissions was deprecated. We have replaced it with a combination of the new ensureDBOwner, and manual permissions grants where that is not applicable
- fetchPypi should now be used at top-level. We used it once to install jishaku for ClicksForms. We have replaced the usage. There should be a broader conversation about the future of ClicksForms, but while upgrading to 23.11 is probably not the time for that
- fail2ban configs for things we no longer run have been removed

Additionally, the following things were looked at in detail and deemed non-important:

- passwordFile changes (we do not use passwords, at all)
- matrix changes (we believe this will need no module changes for our use-case)
- nextcloud phpOptions changes (this may reintroduce some default PHP options. We didn't realize we were clobbering them and consider this to be a good thing)
- vaultwarden default host change (we already specify a host)
- RAID changes (neither a1d1 nor a1d2 currently use software RAID)
- nixpkgs.config with external packages warnings (we don't use any nixpkgs.config options, but if we did we could remove them and keep the same behavior)
- nextcloud upgrade to 27 (we already use nextcloud 27)
- matrix workers and redis configuration (redis doesn't provide a benefit outside of workers; our deployment is too small to need workers)
- several services have improved requirements. In particular, lots of dependencies around postgres have been improved

We haven't yet updated mongodb; it may be a good idea to migrate to ferretdb, but this is better placed in a later change, as migration will require migrating all the data, which will likely get messy.

Change-Id: I8db3cc5bfa68bc591ef5e467e8c7de0cae30b300
Reviewed-on: https://git.clicks.codes/c/Clicks/NixFiles/+/122
Tested-by: Samuel Shuert <coded@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
To deploy these files to our server we use deploy-rs. If you have a flakes-enabled Nix installed on your system, you can run it directly from its flake:

```
nix run github:serokell/deploy-rs
```

You can also install deploy-rs into your profile, at which point you will be able to run it simply as:

```
deploy
```
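For reference, the `deploy` command above reads a `deploy` output from the repository's flake. The following is an added example of what such an output looks like; it is not the Clicks NixFiles flake itself, and the host name `a1d1`, its address, the `deploy` SSH user and the configuration module path are assumptions made for illustration. It uses the deploy-rs schema (`deploy.nodes.<name>`, `profiles.<name>.path`, `deploy-rs.lib.<system>.activate.nixos`, `deployChecks`) as documented by the project.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    deploy-rs.url = "github:serokell/deploy-rs";
  };

  outputs = { self, nixpkgs, deploy-rs, ... }: {
    # Assumed host; the module path is a placeholder for illustration.
    nixosConfigurations.a1d1 = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ ./hosts/a1d1/configuration.nix ];
    };

    deploy.nodes.a1d1 = {
      hostname = "a1d1.example.invalid"; # assumed address

      # SSH in as an unprivileged deploy user and let deploy-rs escalate
      # to root for activation, instead of exposing root over SSH.
      sshUser = "deploy";
      user = "root";

      profiles.system.path =
        deploy-rs.lib.x86_64-linux.activate.nixos
          self.nixosConfigurations.a1d1;
    };

    # `nix flake check` runs deploy-rs's schema checks over the deploy
    # output, so a malformed node definition fails before any deploy.
    checks = builtins.mapAttrs
      (system: deployLib: deployLib.deployChecks self.deploy)
      deploy-rs.lib;
  };
}
```

With this in place, `deploy .#a1d1` pushes and activates a single node and `deploy .` handles every node in `deploy.nodes`. deploy-rs keeps its activation rollback behaviour enabled by default, so a new generation that breaks the SSH connection back to the host is rolled back rather than left in place.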
Secrets are stored in SOPS and deployed using scalpel.

If you have a service which needs to store secrets in its config file, please set `systemd.services.<name>.reloadTriggers` and `restartTriggers` so that the service is automatically reloaded or restarted whenever its rendered configuration changes.

Note that changing only the secrets will not trigger a reload or restart of the service: the triggers compare store paths, and a rotated secret does not change any store path. If you want to update the secrets without updating the rest of the configuration, you currently need to restart the service manually. This could probably be solved with a systemd path unit watching the secret files (see https://superuser.com/questions/1171751/restart-systemd-service-automatically-whenever-a-directory-changes-any-file-ins), but this is not a priority.
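As an added illustration of the two points above (it is not part of the Clicks NixFiles configuration), the NixOS module below wires `restartTriggers` to a rendered config file and adds the systemd path unit that would cover secret rotation. The service name `myservice`, its config path, the secret location `/run/secrets/myservice.env` and the `sleep infinity` stand-in for the real daemon are all assumptions for illustration; how scalpel actually writes the secret into place is not shown.

```nix
{ config, pkgs, ... }:
let
  # Non-secret part of the configuration. Only a reference to the secret
  # file goes into the store, never the secret itself.
  rendered = pkgs.writeText "myservice.conf" ''
    listen = 127.0.0.1:8080
    token_file = /run/secrets/myservice.env
  '';
in
{
  environment.etc."myservice/myservice.conf".source = rendered;

  systemd.services.myservice = {
    description = "Example service (stand-in daemon for illustration)";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      # Placeholder for the real daemon reading /etc/myservice/myservice.conf.
      ExecStart = "${pkgs.coreutils}/bin/sleep infinity";
    };
    # The store path of `rendered` changes whenever the non-secret config
    # changes, so a rebuild restarts the service. A rotated secret leaves
    # this path untouched, which is why the path unit below exists.
    restartTriggers = [ rendered ];
  };

  # Path unit: fires when the secret file is written and closed. A path
  # unit activates the service of the same name, so the oneshot below
  # does the restart.
  systemd.paths.myservice-secret-watch = {
    wantedBy = [ "multi-user.target" ];
    pathConfig.PathChanged = "/run/secrets/myservice.env";
  };

  systemd.services.myservice-secret-watch = {
    description = "Restart myservice after its secret changes";
    serviceConfig.Type = "oneshot";
    script = ''
      ${config.systemd.package}/bin/systemctl restart myservice.service
    '';
  };
}
```

`PathChanged` only reacts to the file being changed, so the watcher does nothing at boot and the service's own `restartTriggers` still handle ordinary configuration changes. If the secrets tool writes the new secret somewhere else and renames it into place, check that the rename is actually reported on the watched path before relying on this; otherwise watch the containing directory instead.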