This commit adds a new runner image for the Nix environment. The "nix:docker://backslashhh/nix:latest" line has been included in the Forgejo configuration, allowing Gitea to use the latest Nix image in the runner.
This commit updates the runner labels in the forgejo.nix file. It changes the URL links for the runner images and specifies the version of Ubuntu to be used. The new labels reference the runner images from the gitea repository rather than Node.js images.
Corrects the indentation in the systemd service and timer definitions within the default.nix configuration file. This improves the readability and maintenance of the code.
The runner token in the Hetzner secrets configuration file has been updated. Additionally, the last modified timestamp has been changed to reflect the latest modifications.
This commit introduces the configuration for the gitea-actions-runner service in the forgejo.nix file. It also includes adding a new encrypted yaml file for the runner token. The configurations set up instances and labels for different versions of Ubuntu.
The system's configuration for x86_64-linux architecture has been modified. Specifically, warp-svc will not be started automatically anymore, as its reference in the "wants" section of "multi-user" targets in systemd configuration has been removed.
The systemd.user.services block in the default.nix file has been commented out. This change is vital if the associated services are not meant to be used or activated, avoiding any potential conflicts or issues.
The default value for `wheelNeedsPassword` has been changed to `true` in `base/default.nix`. The redundant entry in `gui/default.nix` setting `wheelNeedsPassword` to `true` was removed as it is now enforced by the base module.
This change updates the settings in the GUI module for the sudo wheel group. The security policy has been modified to require a password when a member of the wheel group attempts to use sudo.
Adjust default garbage collection intervals and retention periods. Set default GC to run weekly and retain 14 days on nixos module and to run daily and retain 7 days on the 64-linux module.
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
The update modifies the default setting for the 'sudo wheelNeedsPassword' option in both the base and gui modules/services. Now, the base service has 'sudo wheelNeedsPassword' marked as a default option and disabled by default in the gui service.
New system packages including azure-cli, cloudflare-warp, desktop-file-utils, and kubectl have been added to the environment. The systemd has been configured for cloudflare-warp. Additionally, version updates were made in flake.lock with revised hashes and revisions.
This update introduces a more efficient way for managing whitelisted domains in rspamd.nix. Instead of repeating the list of domains across multiple configurations, the domains are now defined only once in a dedicated variable. This improves the maintainability and readability of the code.
This commit simplifies the configuration of rspamd settings in x86_64-linux systems. It primarily involves restructuring of settings for 'settings.conf', 'spf_whitelist', 'spf_dkim_whitelist', 'dmarc_whitelist', and 'greylist-whitelist-domains'.
This commit introduces new whitelisted domains for SPFs, DKIMs, DMARCs and Greylists in the Rspamd configurations. It also adds new rules for incoming emails from bogensport-jugend@gmx.de, including disabling greylisting and specifying actions to apply.
This commit introduces new whitelisted domains for SPFs, DKIMs, DMARCs and Greylists in the Rspamd configurations. It also adds new rules for incoming emails from bogensport-jugend@gmx.de, including disabling greylisting and specifying actions to apply.
This commit introduces new whitelisted domains for SPFs, DKIMs, DMARCs and Greylists in the Rspamd configurations. It also adds new rules for incoming emails from bogensport-jugend@gmx.de, including disabling greylisting and specifying actions to apply.
This commit corrects the code's formatting in two parts:
1) It normalizes the indentation in the BindPaths block under aesmd_dcap/default.nix.
2) It also removes the extra space before "DE" in the default_phone_region setting in nextcloud.nix.
The flake.lock file has been updated with the latest modifications, including changes to the lastModified, narHash, and rev values for several Github repositories. Furthermore, the trezord service has been enabled in the default.nix file for the x1 system.
This commit removes the "--refresh" flag from the system.autoUpgrade field in the default.nix file. The update function will now rely on the remaining flags only.
The primary change in this commit enables the Git program in the base/default service module. This marks a configuration alteration at the systems level, transferring the 'programs.git.enable' declaration from 'systems/x86_64-linux/mx/default.nix' to 'modules/nixos/services/base/default.nix'. We've undertaken this change for better structuring of our service configuration.
Move 'default_phone_region' setting to the proper place. The previous erroneous location of the following setting `default_phone_region` was fixed and moved under `settings` where the rest of the options reside. The configuration now aligns with the expected structure.
This commit updates the existing "nixpkgs_4" and "locked" packages in flake.lock file. The revisions for "nixpkgs_4" and "locked" packages are updated along with associated "lastModified" and "narHash".
Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
This commit adds a git safe directory to the system config. This is to ensure that the git configurations are securely stored in "/var/lib/gitea/repositories/harald/nixcfg.git".
This commit removes specific email addresses related to "meike-knutz.de" and "gerlinde-hoyer.de" in the mailserver configuration. It affects aliases, postmaster, and abuse sections of the configuration.
This commit removes the defaultPhoneRegion from the config section and sets it in the settings section in nextcloud.nix file. This reorganization improves the structure and readability of the configuration.
The Nextcloud package in the x86_64-linux system has been upgraded from version 28 to version 29. This update introduces the latest features, improvements, and security fixes from the Nextcloud project.
This commit moves the kernel package version override from the base nixos service to specific system configurations. Now, the latest linux packages will be used only in the system configurations where the override has been explicitly added. This approach gives us more flexibility to handle different kernel package versions for different systems.
An extra comma is added to the pccs_url in the sgx_default_qcnl.conf file to correct a possible syntax error. This fix ensures the correct parsing of the JSON object.
This commit updates systemd services configuration of aesmd_dcap by adding a new directory to BindPaths. The file "/dev/log" has been added to ensure proper logging.
This commit includes gnome.cheese and pstree to the list of default services in the gui module. Users will now have these services available by default in the graphical user interface.
A new systemd service, `check_root`, has been added which checks disk usage of the root directory. If usage exceeds 85%, an email alert is sent. In addition to this service, a corresponding systemd timer is added to trigger this check daily.
This commit introduces a new systemd service that runs daily to check the disk usage of the /boot partition. If utilization exceeds a set threshold, it triggers a warning email. This will ensure prompt alerts on critically low boot disk space, helping in maintaining a stable system.
This commit includes a new lid switch configuration for the logind service within the SGX default configuration file. The lid switch has been set to "ignore", enhancing control over system behaviors upon lid actions.
In systems/x86_64-linux/x1/default.nix, 'docker' has been added to user.extraGroups. This allows the current user to manage Docker without needing root access.
This commit introduces virtualization configurations for docker and libvirtd in the x86_64-linux system. It also sets the podman.dockerCompat to false to avoid compatibility issues.
This commit updates the hardware configuration for SGX systems. We have configured the available kernel modules list to include TPM-related modules. Also, unnecessary TPM2 security settings have been removed to clean up the configuration file.
Harald Hoyer