this doesn't help us with anything yet, but it does at least mean that
this openssh now also listens on IPv6, which it didn't before.
(reaching the container from the outside still does not work)
this started with emily pointing out to me that it's possible to
generate IP addresses for containers in Nix (hence no need to worry
about ever having collisions, as we had before), but then I thought,
hey, while I'm at it, I can also write a little container module so we
have a little less repetition in our configs in general (and a more
reasonable place for our custom evalConfig than just keeping it around
in flake.nix).
See the option descriptions in modules/containers.nix for further
details.
Apart from giving all containers a new IP address (and also shiny new
IPv6 addresses), this should be a no-op for the actual built system.
move the monit config out of mail.nix, and add two checks:
- has any systemd unit failed?
- is the currently deployed commit the tip of the main branch of
haccfiles?
this does slight tweaking of paths to make the docs.hacc.space
derivation no longer depend on our entire flake, so we won't have to
rebuild it as often.
this should hopefully help with our consistent onlyoffice-does-not-work-but-no-one-noticed
problems (yes, monit runs as root and can do that).
"then restart" will still send an alert if it restarted the unit (see monit's man page)
this copies the current mattermost package definition from upstream
nixpkgs into our repo as-is (that definition itself being a modified
version of our definition that I upstreamed recently).
Since apparently no one else is maintaining the nixpkgs package and I am
apparently maintaining a mattermost package mostly on my own anyways,
this should make upstreaming future changes easier.
alps frequently fails to start (e.g. during a system activation script)
since either its configured imap or smtp servers are not reachable
yet (i.e. their process has not yet opened the corresponding port).
This should hopefully fix that behaviour:
- also set BindsTo, telling systemd to only start alps once the
required units have entered "active" state (not just after it has
started them)
- also require postfix to be present, since that provides smtp
mostly just replacing strings to avoid confusion later on. Since our
containers are now ephemeral, renaming them is basically a non-issue
(though the files under /persist/containers & the uffd client name had
to be changed manually)
This jumps Mattermost ESR Versions (see [1] for their release cycle). The
new version makes use of Go's workspace feature, which unfortunately the
buildGoModule function does not (yet?) support [2], and unfortunately this
breaks the previous build process for mattermost.
Further, the new release also makes use of private modules only included
in the (non-free) enterprise version of mattermost which makes it impossible
to build in the usual way even outside of nixpkgs's build abstractions [3].
Both issues can be solved by using Go 1.22, which has added support for
vendoring when using workspaces, and instructing it to ignore errors with
the -e flag. This requires overriding the go-modules derivation's buildPhase.
Finally, this now also build the commands/mmctl subpackage, which contains
a cli utility to administrate mattermost. This currently has its own nixpkgs
package for no reason i can see at all (it also has a version mismatch
between nixpkgs's mattermost and nixpkgs's mmctl).
[1] https://docs.mattermost.com/upgrade/extended-support-release.html
[2] https://github.com/NixOS/nixpkgs/issues/203039
[3] https://github.com/mattermost/mattermost/issues/26221
this removes usage of the nftnat module by rendering it into a static
nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is
concerned, hence the slightly off-putting whitespace of the multi-line
string.
This seems to me to be a better approach than just bundling the module,
since we only use it for two things (giving the containers network
access & forwarding port 22 to forgejo), which to me doesn't press for
using a custom module we can't really maintain on our own.
the bind mount module has been tweaked in a couple ways:
- rename hexchen.* to hacc.*
- rename bindmount to bindMount to make it consistent with usage in
the nixpkgs container module
- add a hacc.bindToPersist option as shorthand for prepending /perist
to a path via bind mount
the nopersist module has been shortened a little by moving
service-specific things which are used once out into the individual
service files, and removing those which we don't need at all (this also
means we get to loose a mkForce or two in case of mismatches between
hexchen's and our current config).
this is a slightly cursed work around; see the comment.
Alternatively, we could pass in the $src attribute of that derivation
via callPackage (passing it through all the way from flake.nix), but tbh
that sounds like too much effort rn.
Have fun with confusingly long paths in the nix store 🙃
we decided to:
- get rid of unused packages
- simpify the directory layout since we only have one host anyways
- move our docs (such as they are) in-tree
stuebinm
Moira