nix flake update

- this includes helpers change Ie1b0edbbb126c6cd6dcd8f0b4fd0cc829ee2b00c
- this updates nixpkgs. Likely this will be the final update before 23.11
- this fixes issues encountered while updating. These were
  - missing URL for richdocumentscode
- replace fragile gerrit oauth plugin bazel build with prebuilt jar
  - remove mongodb, as it is broken
  - remove references to "nobody" group. For sops secrets, replace these with
    "root"

Change-Id: I997f6067ea58b5996c6a386e6f4bf376fc458421
diff --git a/modules/gerrit.nix b/modules/gerrit.nix
index 6c0749c..36bc1cd 100644
--- a/modules/gerrit.nix
+++ b/modules/gerrit.nix
@@ -112,40 +112,9 @@
     };
 
     plugins = [
-      (derivation {
-        name =
-          "oauth.jar"; # HACK: wrapping a derivation in a derivation to rename it seems like a bad hack... but bazel would not build if I didn't (I think because it didn't like the .jar extension...) check why though?
-        src = (pkgs.buildBazelPackage {
-          __noChroot = true; # FIXME: terrible, horrible, no good, very bad
-          # name = "gerrit-oauth-provider.jar";
-          pname = "gerrit-oauth-provider.jar";
-          version = "unstable-2023-10-08";
-          src = pkgs.fetchgit {
-            url = "https://gerrit.googlesource.com/plugins/oauth";
-            rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f";
-            hash = "sha256-yC/8qnkDbfIujl+Cvamr+EQSwto1DcIUWXh5cwDEZHo=";
-            deepClone =
-              true; # FIXME: this bazel build uses some git stuff, maybe we should try replacing with fakegit?
-          };
-          bazelTargets = [ "oauth" ];
-          bazel = pkgs.bazel_4;
-          buildAttrs = { };
-          fetchAttrs.sha256 =
-            "sha256-i5wOTn2NqqgJf4TCIqaCucpXu+5Vm5C84UPrGYFMSzc=";
-
-          postUnpack = ''
-            echo "4.2.2" > */.bazelversion  # nixpkgs only has certain bazel versions, so let's upgrade the patch of this one
-          '';
-
-          buildInputs = with pkgs; [ git curl jdk11 ];
-
-          postInstall = ''
-            cp bazel-bin/oauth.jar $out
-          '';
-        });
-        builder = "/bin/sh";
-        args = [ "-c" "${pkgs.coreutils}/bin/cp $src $out" ];
-        inherit system;
+      (pkgs.fetchurl {
+        url = "https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-master/55/artifact/bazel-bin/plugins/oauth/oauth.jar";
+        hash = "sha256-Qil1CIh/+XC15rKfW0iYR9u370eF2TXnCNSmQfr+7/8=";
       })
     ];
     builtinPlugins = [
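Review bot: The new `url` points at a numbered Jenkins build artifact (build 55 of the plugin-oauth job) rather than a tagged release, so while `hash` pins the exact bytes, nothing in the file records which upstream oauth plugin commit produced them; the removed block at least carried `rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f"`. If the CI server prunes old builds the fetch fails with no way to reproduce the jar from source, and an auditor cannot tie the binary back to a reviewed revision. Suggest a comment above `url` along the lines of `# prebuilt oauth.jar from gerrit-ci build 55 of plugins/oauth master; built from upstream rev <UPSTREAM_REV — fill in from the CI build page>`. The `plugins` list sits inside a larger attribute set that continues outside the hunk.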
@@ -164,21 +133,18 @@
     listenAddress = "127.0.0.255:1000";
   };
 
-  nix.settings.sandbox =
-    "relaxed"; # FIXME: terrible, horrible, no good, very bad, here to support buildBazelPackage's use of cURL
-
   sops.secrets = {
     gerrit_email_private_key = {
       mode = "0400";
       owner = config.users.users.root.name;
-      group = config.users.users.nobody.group;
+      group = config.users.users.root.group;
       sopsFile = ../secrets/gerrit.json;
       format = "json";
     };
     gerrit_oauth_client_secret = {
       mode = "0400";
       owner = config.users.users.root.name;
-      group = config.users.users.nobody.group;
+      group = config.users.users.root.group;
       sopsFile = ../secrets/gerrit.json;
       format = "json";
     };
@@ -195,7 +161,7 @@
         config.sops.secrets.gerrit_email_private_key.path;
       matchers."gerrit_oauth_client_secret".secret =
         config.sops.secrets.gerrit_oauth_client_secret.path;
-      owner = config.users.users.nobody.name;
+      owner = config.users.users.root.name;
       group = "gerrit";
       mode = "0040";
     };
diff --git a/modules/grafana.nix b/modules/grafana.nix
index 6c63f75..948d29a 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -51,8 +51,8 @@
 
   sops.secrets.clicks_grafana_client_secret = {
     mode = "0600";
-    owner = "root";
-    group = "nobody";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
     sopsFile = ../secrets/grafana.json;
     format = "json";
   };
@@ -76,7 +76,7 @@
       matchers."client_secret".secret =
         config.sops.secrets.clicks_grafana_client_secret.path;
       owner = config.users.users.grafana.name;
-      group = "nobody";
+      group = config.users.users.root.name;
       mode = "0400";
     };
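Review bot: `group = config.users.users.root.name;` on the new side reads the root *user's* name where every sibling change in this commit (the secret block just above, and the gerrit, matrix and vaultwarden hunks) uses `config.users.users.root.group`; it evaluates to the same string only because the root user and root group happen to share a name. Change it to `group = config.users.users.root.group;` for consistency. With `mode = "0400"` and owner `grafana` the group has no read access either way, so this is about intent rather than exposure. The enclosing template attribute set continues outside the hunk.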
 
diff --git a/modules/matrix.nix b/modules/matrix.nix
index 2d41da9..2618fde 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -122,7 +122,7 @@
     registration_shared_secret = {
       mode = "0400";
       owner = config.users.users.root.name;
-      group = config.users.users.nobody.group;
+      group = config.users.users.root.group;
       sopsFile = ../secrets/matrix.json;
       format = "json";
     };
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index a5fbf92..d0bd88a 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -52,8 +52,8 @@
       sha256 = "sha256-96/wtK7t23fXVRcntDONjgb5bYtZuaNZzbvQCa5Gsj4=";
     };
     richdocumentscode = pkgs.fetchNextcloudApp {
-      url = "redacted";
-      sha256 = "sha256-XYtjBZCIQ6+PL3BNLSZfJTgLLpOyphzR5HOAwI7bWx0=";
+      url = "https://github.com/CollaboraOnline/richdocumentscode/releases/download/23.5.503/richdocumentscode.tar.gz";
+      sha256 = "sha256-5BEN2YXRsMy+zyBBO0KLRMCkTOGv1RdPp1xcDFRNr2I=";
     };
     richdocuments = pkgs.fetchNextcloudApp {
       url =
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index a46987e..edca467 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -16,7 +16,7 @@
       value = {
         mode = "0400";
         owner = config.users.users.root.name;
-        group = config.users.users.nobody.group;
+        group = config.users.users.root.group;
         sopsFile = ../secrets/vaultwarden.json;
         format = "json";
       };