nix flake update
- this includes helpers change Ie1b0edbbb126c6cd6dcd8f0b4fd0cc829ee2b00c
- this updates nixpkgs. Likely this will be the final update before 23.11
- this fixes issues encountered while updating. These were
- missing URL for richdocumentscode
- replace fragile gerrit oauth plugin bazel build with prebuilt jar
- remove mongodb, as it is broken
- remove references to "nobody" group. For sops secrets, replace these with
"root"
Change-Id: I997f6067ea58b5996c6a386e6f4bf376fc458421
diff --git a/flake.lock b/flake.lock
index 62a44d6..8b5a381 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
"utils": "utils"
},
"locked": {
- "lastModified": 1686747123,
- "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
+ "lastModified": 1698921442,
+ "narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=",
"owner": "serokell",
"repo": "deploy-rs",
- "rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
+ "rev": "660180bbbeae7d60dad5a92b30858306945fd427",
"type": "github"
},
"original": {
@@ -41,11 +41,11 @@
"systems": "systems"
},
"locked": {
- "lastModified": 1692799911,
- "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@@ -59,11 +59,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
- "lastModified": 1698219444,
- "narHash": "sha256-1f9tDt+1AcP6qnY4rhNJMlKVbHf3J+DfGVFsQUEThxw=",
+ "lastModified": 1699382547,
+ "narHash": "sha256-2eic/8NNO6G1fQsCpTm26ryUyk2bl6f08S9Zc/69iBI=",
"ref": "refs/heads/main",
- "rev": "64d1d305816c81380dd0924fa8c6810f67a78992",
- "revCount": 16,
+ "rev": "fde6300909a486731d1cbe14589f65c8f6262d7e",
+ "revCount": 17,
"type": "git",
"url": "https://git.clicks.codes/Clicks/NixHelpers"
},
@@ -79,11 +79,11 @@
]
},
"locked": {
- "lastModified": 1693208669,
- "narHash": "sha256-hHFaaUsZ860wvppPeiu7nJn/nXZjJfnqAQEu9SPFE9I=",
+ "lastModified": 1695108154,
+ "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "5bac4a1c06cd77cf8fc35a658ccb035a6c50cd2c",
+ "rev": "07682fff75d41f18327a871088d20af2710d4744",
"type": "github"
},
"original": {
@@ -127,11 +127,11 @@
},
"nixpkgs-privatebin": {
"locked": {
- "lastModified": 1691328775,
- "narHash": "sha256-nz7Myc/3sW7/tN1QDYKrmHnH5f5eGdbcFt1FRDstavk=",
+ "lastModified": 1694007184,
+ "narHash": "sha256-RHg4SstzvEIJrWiegkP+ArRniW1ZMz9/TB56gIYMAkk=",
"owner": "e1mo",
"repo": "nixpkgs",
- "rev": "e1b0550bc7498d61ba95bcd089d62e256ef1677a",
+ "rev": "49b7af8f96e6d33deef36e46b171f56eb470e9bc",
"type": "github"
},
"original": {
@@ -143,11 +143,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1693097136,
- "narHash": "sha256-fBZSMdBaoZ0INFbyZ5s0DOF7zDNcLsLxgkwdDh3l9Pc=",
+ "lastModified": 1699110214,
+ "narHash": "sha256-L2TU4RgtiqF69W8Gacg2jEkEYJrW+Kp0Mp4plwQh5b8=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "9117c4e9dc117a6cd0319cca40f2349ed333669d",
+ "rev": "78f3a4ae19f0e99d5323dd2e3853916b8ee4afee",
"type": "github"
},
"original": {
@@ -173,11 +173,11 @@
},
"nixpkgs_3": {
"locked": {
- "lastModified": 1693428224,
- "narHash": "sha256-FWUUlhYqkGEySUD0blTADRiDQ7fw+H1ikivfu88uy+w=",
+ "lastModified": 1699291058,
+ "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "841889913dfd06a70ffb39f603e29e46f45f0c1a",
+ "rev": "41de143fda10e33be0f47eab2bfe08a50f234267",
"type": "github"
},
"original": {
@@ -231,11 +231,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
- "lastModified": 1693404499,
- "narHash": "sha256-cx/7yvM/AP+o/3wPJmA9W9F+WHemJk5t+Xcr+Qwkqhg=",
+ "lastModified": 1699311858,
+ "narHash": "sha256-W/sQrghPAn5J9d+9kMnHqi4NPVWVpy0V/qzQeZfS/dM=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "d9c5dc41c4b1f74c77f0dbffd0f3a4ebde447b7a",
+ "rev": "664187539871f63857bda2d498f452792457b998",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index c71216b..a9ca630 100644
--- a/flake.nix
+++ b/flake.nix
@@ -102,7 +102,7 @@
remoteBuild = true;
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
- self.nixosConfigurations.clicks;
+ self.nixosConfigurations.clicks-without-mongodb;
};
} // (let
mkServiceConfig = service: {
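Review bot: The deploy `path` now targets `self.nixosConfigurations.clicks-without-mongodb`, but nothing at the call site says why or when to switch back, and that configuration's definition is not visible in this diff. A comment above the assignment, such as `# mongodb is currently broken; switch back to nixosConfigurations.clicks once it builds again`, would keep the workaround from quietly becoming permanent. It is also worth confirming that no service still deployed expects a local MongoDB. The enclosing attribute set starts and ends outside the hunk.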
diff --git a/helpers b/helpers
index 64d1d30..fde6300 160000
--- a/helpers
+++ b/helpers
@@ -1 +1 @@
-Subproject commit 64d1d305816c81380dd0924fa8c6810f67a78992
+Subproject commit fde6300909a486731d1cbe14589f65c8f6262d7e
diff --git a/modules/gerrit.nix b/modules/gerrit.nix
index 6c0749c..36bc1cd 100644
--- a/modules/gerrit.nix
+++ b/modules/gerrit.nix
@@ -112,40 +112,9 @@
};
plugins = [
- (derivation {
- name =
- "oauth.jar"; # HACK: wrapping a derivation in a derivation to rename it seems like a bad hack... but bazel would not build if I didn't (I think because it didn't like the .jar extension...) check why though?
- src = (pkgs.buildBazelPackage {
- __noChroot = true; # FIXME: terrible, horrible, no good, very bad
- # name = "gerrit-oauth-provider.jar";
- pname = "gerrit-oauth-provider.jar";
- version = "unstable-2023-10-08";
- src = pkgs.fetchgit {
- url = "https://gerrit.googlesource.com/plugins/oauth";
- rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f";
- hash = "sha256-yC/8qnkDbfIujl+Cvamr+EQSwto1DcIUWXh5cwDEZHo=";
- deepClone =
- true; # FIXME: this bazel build uses some git stuff, maybe we should try replacing with fakegit?
- };
- bazelTargets = [ "oauth" ];
- bazel = pkgs.bazel_4;
- buildAttrs = { };
- fetchAttrs.sha256 =
- "sha256-i5wOTn2NqqgJf4TCIqaCucpXu+5Vm5C84UPrGYFMSzc=";
-
- postUnpack = ''
- echo "4.2.2" > */.bazelversion # nixpkgs only has certain bazel versions, so let's upgrade the patch of this one
- '';
-
- buildInputs = with pkgs; [ git curl jdk11 ];
-
- postInstall = ''
- cp bazel-bin/oauth.jar $out
- '';
- });
- builder = "/bin/sh";
- args = [ "-c" "${pkgs.coreutils}/bin/cp $src $out" ];
- inherit system;
+ (pkgs.fetchurl {
+ url = "https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-master/55/artifact/bazel-bin/plugins/oauth/oauth.jar";
+ hash = "sha256-Qil1CIh/+XC15rKfW0iYR9u370eF2TXnCNSmQfr+7/8=";
})
];
builtinPlugins = [
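Review bot: The new `pkgs.fetchurl` takes `oauth.jar` from a numbered CI job artifact (`.../plugin-oauth-bazel-master-master/55/artifact/...`), and CI servers commonly prune old builds. The `hash` pins the bytes, so a swapped artifact fails the fetch, but once build 55 is gone the plugin can only be rebuilt from a cache or a mirror. The removed code pinned the plugin source `rev`, whereas the new code does not record which commit or Gerrit version the jar was built from. Consider mirroring the jar somewhere you control and adding a comment such as `# GerritForge CI build 55 of plugins/oauth (master); built from <PLUGIN_COMMIT_PLACEHOLDER>`. The job name suggests a build against Gerrit master, so check that it matches the Gerrit version deployed here.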
@@ -164,21 +133,18 @@
listenAddress = "127.0.0.255:1000";
};
- nix.settings.sandbox =
- "relaxed"; # FIXME: terrible, horrible, no good, very bad, here to support buildBazelPackage's use of cURL
-
sops.secrets = {
gerrit_email_private_key = {
mode = "0400";
owner = config.users.users.root.name;
- group = config.users.users.nobody.group;
+ group = config.users.users.root.group;
sopsFile = ../secrets/gerrit.json;
format = "json";
};
gerrit_oauth_client_secret = {
mode = "0400";
owner = config.users.users.root.name;
- group = config.users.users.nobody.group;
+ group = config.users.users.root.group;
sopsFile = ../secrets/gerrit.json;
format = "json";
};
@@ -195,7 +161,7 @@
config.sops.secrets.gerrit_email_private_key.path;
matchers."gerrit_oauth_client_secret".secret =
config.sops.secrets.gerrit_oauth_client_secret.path;
- owner = config.users.users.nobody.name;
+ owner = config.users.users.root.name;
group = "gerrit";
mode = "0040";
};
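Review bot: With `owner = config.users.users.root.name;` and `mode = "0040"`, the rendered secrets file has no owner permission bits and is readable only through the `gerrit` group. That looks intentional, but the reason is not recorded. A short comment next to `mode`, e.g. `# group-read only: gerrit reads via its group; owner bits left empty on purpose`, would stop a later edit from "fixing" it to something wider. The block this hunk belongs to starts outside the visible lines, so confirm that whatever renders the file runs with enough privilege to write it despite the empty owner bits.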
diff --git a/modules/grafana.nix b/modules/grafana.nix
index 6c63f75..948d29a 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -51,8 +51,8 @@
sops.secrets.clicks_grafana_client_secret = {
mode = "0600";
- owner = "root";
- group = "nobody";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
sopsFile = ../secrets/grafana.json;
format = "json";
};
@@ -76,7 +76,7 @@
matchers."client_secret".secret =
config.sops.secrets.clicks_grafana_client_secret.path;
owner = config.users.users.grafana.name;
- group = "nobody";
+ group = config.users.users.root.name;
mode = "0400";
};
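Review bot: `group = config.users.users.root.name;` fills a group field from the user's name. It evaluates to the right value only because root's user and primary group share the name `root`. Every other hunk in this commit uses `config.users.users.root.group`, so this line should read `group = config.users.users.root.group;` for consistency. With `mode = "0400"` the group has no access either way, so this is about correctness of intent rather than an exposure. The surrounding block begins outside the hunk.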
diff --git a/modules/matrix.nix b/modules/matrix.nix
index 2d41da9..2618fde 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -122,7 +122,7 @@
registration_shared_secret = {
mode = "0400";
owner = config.users.users.root.name;
- group = config.users.users.nobody.group;
+ group = config.users.users.root.group;
sopsFile = ../secrets/matrix.json;
format = "json";
};
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index a5fbf92..d0bd88a 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -52,8 +52,8 @@
sha256 = "sha256-96/wtK7t23fXVRcntDONjgb5bYtZuaNZzbvQCa5Gsj4=";
};
richdocumentscode = pkgs.fetchNextcloudApp {
- url = "redacted";
- sha256 = "sha256-XYtjBZCIQ6+PL3BNLSZfJTgLLpOyphzR5HOAwI7bWx0=";
+ url = "https://github.com/CollaboraOnline/richdocumentscode/releases/download/23.5.503/richdocumentscode.tar.gz";
+ sha256 = "sha256-5BEN2YXRsMy+zyBBO0KLRMCkTOGv1RdPp1xcDFRNr2I=";
};
richdocuments = pkgs.fetchNextcloudApp {
url =
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index a46987e..edca467 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -16,7 +16,7 @@
value = {
mode = "0400";
owner = config.users.users.root.name;
- group = config.users.users.nobody.group;
+ group = config.users.users.root.group;
sopsFile = ../secrets/vaultwarden.json;
format = "json";
};