fix flood

This reverts commit c788335493.

.forgejo/workflows/lint.yml

@@ -1,22 +0,0 @@
-name: Lint
-
-on: [push]
-
-jobs:
-  lint:
-    runs-on: docker
-    env:
-    container:
-      image: ghcr.io/catthehacker/ubuntu:js-20.04
-    steps:
-      - uses: actions/checkout@v3
-      - uses: https://github.com/cachix/install-nix-action@v22
-        env:
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-      - run: |
-          sed -i '/^access-tokens/ d' /etc/nix/nix.conf
-          nix profile install 'nixpkgs#deadnix' 'nixpkgs#statix' 'nixpkgs#yamllint'
-          statix check .
-          deadnix -f
-          yamllint .

.forgejo/workflows/nix.yml

@@ -1,22 +0,0 @@
-name: Nix
-
-# on: [push]
-
-jobs:
-  lint:
-    runs-on: docker
-    env:
-    container:
-      image: ghcr.io/catthehacker/ubuntu:js-20.04
-    steps:
-      - uses: actions/checkout@v3
-      - name: Check Nix flake inputs
-        uses: https://github.com/DeterminateSystems/flake-checker-action@v5
-      - uses: https://github.com/cachix/install-nix-action@v22
-        env:
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-      - name: Run `nix flake check`
-        run: |
-          sed -i '/^access-tokens/ d' /etc/nix/nix.conf
-          nix run '.#' -- -V

.forgejo/workflows/plex_update.yml

@@ -21,6 +21,7 @@ jobs:
       - env:
           VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
           VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
+          NIXPKGS_ALLOW_UNFREE: 1
         run: |
           git config user.name "Forgejo Actions Bot"
           git config user.email "<>"

flake.nix

@@ -43,8 +43,6 @@
     vault-unseal.url = "git+https://git.0x76.dev/v/vault-unseal.git";
     gnome-autounlock-keyring.url = "git+https://git.0x76.dev/v/gnome-autounlock-keyring.git";
 
-    attic.url = "github:zhaofengli/attic";
-
     # Website(s)
     essentials.url = "github:jdonszelmann/essentials";
   };
@@ -57,7 +55,6 @@
     , colmena
     , nixos-generators
     , nur
-    , attic
     , deploy
     , ...
     }@inputs:
@@ -72,7 +69,7 @@
       pkgs = import nixpkgs {
         inherit system;
         config.allowUnfree = true;
-        overlays = [ (import ./nixos/pkgs) vault-secrets.overlay nur.overlay ];
+        overlays = [ (import ./nixos/pkgs) vault-secrets.overlays.default nur.overlay ];
       };
 
       pkgs_stable = import nixpkgs_stable {
@@ -115,6 +112,7 @@
           };
         }
         nixHosts;
+      colmenaHive = colmena.lib.makeHive self.outputs.colmena;
 
       packages.${system} = {
         inherit apply-local;
@@ -141,16 +139,13 @@
       devShells.${system}.default = pkgs.mkShell {
         VAULT_ADDR = "http://vault.olympus:8200/";
         buildInputs = with pkgs; [
-          attic.packages.${pkgs.system}.attic
           apply-local
           colmena.packages.${system}.colmena
           deploy.packages.${system}.deploy-rs
           cachix
           deadnix
           statix
-          nixfmt
           nixpkgs-fmt
-          nixUnstable
           nil
           vault
           yamllint

nixos/common/default.nix

@@ -33,7 +33,7 @@
   # https://src.fedoraproject.org/rpms/systemd/tree/acb90c49c42276b06375a66c73673ac3510255
   systemd.oomd = {
     enableRootSlice = true;
-    enableUserServices = true;
+    enableUserSlices = true;
   };
 
   # security.polkit.enable = lib.mkDefault true;
@@ -43,7 +43,7 @@
   nix = {
     registry.nixpkgs.flake = inputs.nixpkgs;
     nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-    package = pkgs.nixUnstable;
+    # package = pkgs.nixUnstable;
     settings = {
       auto-optimise-store = true;
       trusted-users = [ "root" "vivian" ];
@@ -79,6 +79,11 @@
 
   nixpkgs.config.allowUnfree = true;
 
+  nixpkgs.config.permittedInsecurePackages = [
+    "dotnet-sdk-6.0.428"
+    "aspnetcore-runtime-6.0.36"
+  ];
+
   # Limit the systemd journal to 100 MB of disk or the
   # last 7 days of logs, whichever happens first.
   services.journald.extraConfig = ''

nixos/common/desktop/home.nix

@@ -11,7 +11,6 @@ in {
     btop
     calibre
     celluloid
-    cinny-desktop
     element-desktop
     fusee-launcher
     fractal-next
@@ -21,7 +20,9 @@ in {
     helix
     inputs.attic.packages.${pkgs.system}.attic
     inputs.comma.packages.${pkgs.system}.default
-    inputs.webcord.packages.${pkgs.system}.default
+    # inputs.webcord.packages.${pkgs.system}.default
+    discord
+    dogdns
     jetbrains.clion
     jetbrains.rust-rover
     kdenlive

nixos/common/modules/dns.nix

@@ -37,7 +37,7 @@ in {
     };
 
     mode = mkOption {
-      type = enum [ "server" "laptop" ];
+      type = types.enum [ "server" "laptop" ];
       default = "laptop";
       description = ''
         Whether to configure the DNS in server mode (listen on all interfaces) or laptop mode (just on localhost)
@@ -54,7 +54,6 @@ in {
       enable = true;
       inherit (cfg) openFirewall;
       inherit (config.services.unbound) group;
-      controlInterface = config.services.unbound.localControlSocketPath;
     };
     services.unbound = {
       enable = true;

nixos/common/modules/flood.nix

@@ -1,8 +1,8 @@
 { config, pkgs, lib, ... }:
 with lib;
-let cfg = config.services.flood;
+let cfg = config.services.v.flood;
 in {
-  options.services.flood = {
+  options.services.v.flood = {
     enable = mkEnableOption "flood";
 
     user = mkOption {

nixos/common/modules/gnome/default.nix

@@ -58,7 +58,7 @@ in {
         atomix # puzzle game
         epiphany # web browser
         geary # email reader
-        gedit # text editor
+        pkgs.gedit # text editor
         gnome-calendar
         gnome-clocks
         gnome-contacts

nixos/hosts/hades/bastion/configuration.nix

@@ -9,12 +9,5 @@
     vault
   ];
 
-  environment.noXlibs = lib.mkForce false;
-
   system.stateVersion = "22.11";
-
-  programs.gnupg.agent = {
-    enable = true;
-    pinentryFlavor = "curses";
-  };
 }

nixos/hosts/hades/default.nix

@@ -17,6 +17,7 @@
   "unifi" = {
     ip = "192.168.0.101";
     mac = "5a:00:b7:6c:d1:e2";
+    nix = false;
   };
   "jellyfin" = {
     ip = "192.168.0.102";
@@ -44,12 +45,9 @@
     };
   };
   "tautulli" = {
+    nix = false;
     ip = "192.168.0.106";
     mac = "BE:30:DB:F8:C6:55";
-    exposes.tautulli = {
-      domain = "tautulli.xirion.net";
-      port = 8080;
-    };
   };
   "dns-1" = {
     ip = "192.168.0.107";
@@ -83,10 +81,6 @@
     mac = "00:50:56:91:0d:69";
     type = "vm";
   };
-  "immich" = {
-    ip = "192.168.0.116";
-    mac = "06:8a:8e:3e:43:45";
-  };
   "mail" = {
     ip = "192.168.0.118";
     mac = "00:50:56:91:3b:03";
@@ -139,6 +133,7 @@
   "attic" = {
     ip = "192.168.0.128";
     mac = "9E:AF:E9:FE:D4:D9";
+    nix = false;
     exposes.attic = {
       domain = "attic.xirion.net";
       port = 8080;
@@ -158,16 +153,6 @@
   "tudelft" = {
     ip = "192.168.0.132";
     mac = "AE:B3:93:4B:04:76";
-    exposes = {
-      grist = {
-        domain = "grist.tud.0x76.dev";
-        port = 8484;
-      };
-      dex = {
-        domain = "dex.tud.0x76.dev";
-        port = 8000;
-      };
-    };
     nix = false;
   };
   "mastodon" = {

nixos/hosts/hades/dns/configuration.nix

@@ -34,6 +34,7 @@
       "fedi.xirion.net typetransparent"
       "grist.tud.0x76.dev typetransparent"
       "dex.tud.0x76.dev typetransparent"
+      "queer.af typetransparent"
     ];
 
     local-data = [
@@ -51,6 +52,7 @@
       ''"fedi.xirion.net A 192.168.0.122"''
       ''"grist.tud.0x76.dev A 192.168.0.122"''
       ''"dex.tud.0x76.dev A 192.168.0.122"''
+      ''"queer.af A 65.108.48.233"''
     ];
   };
 }

nixos/hosts/hades/garage/configuration.nix

@@ -27,10 +27,10 @@ in {
 
   services.garage = {
     enable = true;
-    package = pkgs.garage_0_9;
+    package = pkgs.garage_1;
     settings = {
-      db_engine = "lmdb"; # Recommended for mastodon
-      replication_mode = "1";
+      db_engine = "lmdb";
+      replication_factor = 1;
       compression_level = 0;
 
       # For inter-node comms

nixos/hosts/hades/jellyfin/configuration.nix

@@ -51,6 +51,9 @@
       WS_CRON_IMPORT = "1";
       WS_CRON_EXPORT = "1";
       WS_CRON_PROGRESS = "1";
+      WS_PUSH_ENABLED = "1";
+      WS_SYNC_PROGRESS = "1";
+      WS_API_AUTO = "1";
     };
     ports = [ "8080:8080" ];
     volumes = [ "/var/lib/watchstate:/config:rw" ];

nixos/hosts/hades/lucy/configuration.nix

@@ -3,28 +3,6 @@
 # and in the NixOS manual (accessible by running `nixos-help`).
 
 { pkgs, ... }:
-# let
-# Redefining the package instead of overriding as overriding GoModules seems broken
-# see: https://github.com/NixOS/nixpkgs/issues/86349
-# _nuclei-latest = pkgs.buildGoModule rec {
-#   pname = "nuclei";
-#   version = "2.9.2";
-#
-#   src = pkgs.fetchFromGitHub {
-#     owner = "projectdiscovery";
-#     repo = pname;
-#     rev = "1f9a065713924b28b203e2108fc76d7a1ec49068";
-#     hash = "sha256-QiegMoBy0gZMyQl2MRAwR14zXeh8wvVonyETdAzHbj0=";
-#   };
-#
-#   vendorHash = "sha256-0JNwoBqLKH1F/0Tr8o35gCSNT/2plIjIQvZRuzAZ5P8=";
-#
-#   modRoot = "./v2";
-#   subPackages = [ "cmd/nuclei/" ];
-#
-#   doCheck = false;
-# };
-# in {
 {
   imports = [ ./hardware-configuration.nix ];
 
@@ -37,9 +15,13 @@
   system.stateVersion = "23.05"; # Did you read the comment?
 
   # Additional packages
-  environment.systemPackages = with pkgs; [ jq wget jre8 ];
-  boot.loader = {
+  environment.systemPackages = with pkgs; [
+    jq
+    wget
+    jdk17
+  ];
 
+  boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;
     efi.efiSysMountPoint = "/boot";
@@ -49,28 +31,25 @@
     enable = true;
     allowedTCPPorts = [ 25565 ];
   };
+
   users = {
-    extraUsers = {
-
-      laura.extraGroups = [ "wheel" ];
-      vivian.extraGroups = [ "wheel" ];
-
-      julia = {
-        isNormalUser = true;
-        shell = pkgs.zsh;
-
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch"
-          # Below is Evelyn's keys
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDnZSVdqSybDwVooSZ+SGFM0YNu15sO/jgVqCBGDm33wj0fML5T4oviUrY6yABh+eAgy/NAztgM7+6L8Hlze5DBeMwNAvj9gr9QSzUetW0iqCscZJ8dDbW30O9449gw2JY/XZzcFMZAP5QEQGEgG/6QQ3yRwA3DMCsGhQQ37l/aS+RsKYq3ZSN4f1nFJCrm397QB8r+bhaexufXqwumxe8rlefoUNNVnmu54FA8Pc3jSdsWT4s/3mqF6NiRa53w13SBWyS+zopCy1tTSnRszgAkldpE7Vft/QnmpFavAWHzpfArv/uFXQ3fx5Cj5t70zB6VJEtaBxhdKXeQUFBCn7fmwfjV0Un9b8jLW94uDhDD3059trhMvJvqKebuqyZe74MTZH0IC3IobpSb9fHHvxuRwUQOMkkJmjv1p2y2R6v7s2tA1sZlIEBmRDvZcKo4hPBe6q13OePV3O8KAFzCmPBIfE6kQ/nLc+3k9OjFWFTshdDXUYpSVGjNrv/IanCXbEs="
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0KA0uOoLXUN4LhU7LgtSk0atWyPlEz5LA8dIXs9xTl"
-
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfooZjMWXvXZu1ReOEACDZ0TMb2WJRBSOLlWE8y6fUh victor@aoife"
-        ];
-
-        extraGroups = [ "mc" "wheel" ];
-      };
-    };
     groups.mc = { };
+    groups.users = { };
+    extraUsers = {
+      laura.extraGroups = [ "wheel" ];
+      vivian.extraGroups = [
+        "wheel"
+        "mc"
+      ];
+      julius = {
+        isNormalUser = true;
+        group = "users";
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJBY9eQlR/JRnjVC2wKWQ+o02wDlGUlSgN/4e3i6ans"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBt9ie9/XBVPnKo6wENKjEd32hhPqjiQFnn+okXZ0LRT"
+        ];
+      };
+    };
   };
 }

nixos/hosts/hades/mastodon/configuration.nix

@@ -8,7 +8,6 @@ in {
   networking.interfaces.eth0.useDHCP = true;
 
   # Better cache hits
-  environment.noXlibs = lib.mkForce false;
   services = {
     elasticsearch = {
       enable = true;
@@ -29,6 +28,11 @@ in {
     };
 
     mastodon = {
+
+      extraEnvFiles = [
+        "${vs.mastodon}/active_record_secrets"
+      ];
+
       enable = true;
       package = pkgs.v.glitch-soc;
       streamingProcesses = 3;
@@ -79,6 +83,8 @@ in {
 
         AUTHORIZED_FETCH = "true";
 
+        MAX_TOOT_CHARS = "8192";
+
         # https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
         # https://shivering-isles.com/Mastodon-and-Amazon-S3
         S3_ENABLED = "true";

nixos/hosts/hades/nginx/configuration.nix

@@ -62,9 +62,6 @@ in {
         };
       };
 
-      "peepeepoopoo.xirion.net" = proxy
-        "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
-
       "plex.xirion.net" = {
         # Since we want a secure connection, we force SSL
         forceSSL = true;

nixos/hosts/hades/overseerr/overseerr.nix

@@ -2,7 +2,7 @@ _: {
   networking.firewall.allowedTCPPorts = [ 5055 ];
   # TODO: Write NixOS package https://github.com/NixOS/nixpkgs/issues/135885
   virtualisation.oci-containers.containers.overseerr = {
-    image = "ghcr.io/sct/overseerr:1.33.2";
+    image = "ghcr.io/sct/overseerr:1.34.0";
     environment = { TZ = "Europe/Amsterdam"; };
     ports = [ "5055:5055" ];
     volumes = [ "/var/lib/overseerr/config:/app/config" ];

nixos/hosts/hades/overseerr/prowlarr.nix

@@ -5,7 +5,7 @@ _: {
   };
 
   virtualisation.oci-containers.containers.flaresolverr = {
-    image = "flaresolverr/flaresolverr:v3.3.10";
+    image = "flaresolverr/flaresolverr:v3.3.21";
     ports = [ "8191:8191" ];
   };
 }

nixos/hosts/hades/rtorrent/configuration.nix

@@ -47,7 +47,8 @@ in {
     enable = true;
     host = "0.0.0.0";
     openFirewall = true;
-    inherit (config.services.rtorrent) downloadDir;
+    extraArgs = [ ];
+    # inherit (config.services.rtorrent) downloadDir;
   };
 
   vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; };

nixos/hosts/hades/rtorrent/rtorrent.nix

@@ -3,7 +3,7 @@
     enable = true;
     port = 14764; # port forwarded
     downloadDir = "/mnt/storage/torrents/r";
-    package = pkgs.jesec-rtorrent;
+    package = pkgs.rtorrent;
     configText =
       let cfg = config.services.rtorrent;
       in pkgs.lib.mkForce ''
@@ -27,15 +27,15 @@
         method.insert = cfg.watch,    private|const|string, (cat,(cfg.basedir),"watch/")
 
         # Create directories
-        fs.mkdir.recursive = (cat,(cfg.basedir))
+        # fs.mkdir.recursive = (cat,(cfg.basedir))
 
-        fs.mkdir = (cat,(cfg.download))
-        fs.mkdir = (cat,(cfg.logs))
-        fs.mkdir = (cat,(cfg.session))
+        # fs.mkdir = (cat,(cfg.download))
+        # fs.mkdir = (cat,(cfg.logs))
+        # fs.mkdir = (cat,(cfg.session))
 
-        fs.mkdir = (cat,(cfg.watch))
-        fs.mkdir = (cat,(cfg.watch),"/load")
-        fs.mkdir = (cat,(cfg.watch),"/start")
+        # fs.mkdir = (cat,(cfg.watch))
+        # fs.mkdir = (cat,(cfg.watch),"/load")
+        # fs.mkdir = (cat,(cfg.watch),"/start")
 
         # Drop to "$(cfg.watch)/load" to add torrent
         schedule2 = watch_load, 11, 10, ((load.verbose, (cat, (cfg.watch), "load/*.torrent")))
@@ -100,10 +100,17 @@
         system.daemon.set = true
 
         # XML-RPC interface
-        network.scgi.open_local = (cat,(cfg.rpcsock))
+        #network.scgi.open_local = (cat,(cfg.rpcsock))
+        network.scgi.open_port = localhost:5000
         schedule = scgi_group,0,0,"execute.nothrow=chown,\":rtorrent\",(cfg.rpcsock)"
         schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"g+w,o=\",(cfg.rpcsock)"
 
+        # For Flood
+        method.redirect=load.throw,load.normal
+        method.redirect=load.start_throw,load.start
+        method.insert=d.down.sequential,value|const,0
+        method.insert=d.down.sequential.set,value|const,0
+
         # Logging:
         #   Levels = critical error warn notice info debug
         #   Groups = connection_* dht_* peer_* rpc_* storage_* thread_* tracker_* torrent_*

nixos/hosts/hades/storage/configuration.nix

@@ -6,9 +6,35 @@
     ./fs.nix
   ];
 
-
   boot.loader.systemd-boot.enable = true;
   services = {
+    scrutiny = {
+      enable = true;
+      openFirewall = true;
+      influxdb.enable = true;
+      collector.enable = true;
+      collector.settings = {
+        host.id = "storage-vm";
+        devices = [
+          {
+            device = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00013";
+            ignore = true;
+          }
+          {
+            device = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00015";
+            ignore = true;
+          }
+          {
+            device = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00017";
+            ignore = true;
+          }
+          {
+            device = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00019";
+            ignore = true;
+          }
+        ];
+      };
+    };
 
     # Enable the OpenSSH daemon.
     openssh.enable = true;
@@ -32,6 +58,7 @@
         d5 = "/mnt/disk5";
         d6 = "/mnt/disk6";
         d7 = "/mnt/disk7";
+        # d8 = "/mnt/disk8";
       };
       contentFiles = [
         "/var/lib/snapraid/snapraid.content"
@@ -54,6 +81,18 @@
     };
   };
 
+  users.groups.backup = {
+    gid = 10000;
+    members = [ "vivian" "syncthing" ];
+  };
+
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    guiAddress = "0.0.0.0:8384";
+    group = "backup";
+  };
+
   # Disable firewall, as NFS makes it annoying
   networking.firewall.enable = false;
 

nixos/hosts/hades/storage/fs.nix

@@ -9,46 +9,60 @@
     "/mnt/disk1" = {
       fsType = "ext4";
       device = "/dev/disk/by-partuuid/abbfc440-fb3d-4b33-92cb-948b2deeac53";
+      options = [ "nofail" ];
     };
 
     "/mnt/disk2" = {
       fsType = "ext4";
       device = "/dev/disk/by-partuuid/3a57ffa8-8a0f-4839-81df-7f34d99e9dbc";
+      options = [ "nofail" ];
     };
 
     "/mnt/disk3" = {
       fsType = "ext4";
       device = "/dev/disk/by-partuuid/0f72c5f8-b7db-4151-83f0-47e5f703aeb1";
+      options = [ "nofail" ];
     };
 
     "/mnt/disk4" = {
       fsType = "ext4";
       device = "/dev/disk/by-partuuid/b9c72b41-1538-436e-a595-49d1faa5ed01";
+      options = [ "nofail" ];
     };
 
     "/mnt/disk5" = {
       fsType = "ext4";
       device = "/dev/disk/by-partuuid/928d0200-eca1-4a69-b2d6-fbd23a5ee8cd";
+      options = [ "nofail" ];
     };
 
     "/mnt/disk6" = {
       fsType = "ext4";
       device = "/dev/disk/by-uuid/63381321-fe00-4838-8668-4d1decc94296";
+      options = [ "nofail" ];
     };
 
     "/mnt/disk7" = {
       fsType = "ext4";
       device = "/dev/disk/by-uuid/6c568887-9d2e-45ce-ab85-4c48cca2226a";
+      options = [ "nofail" ];
     };
 
+    # "/mnt/disk8" = {
+      # fsType = "ext4";
+      # device = "/dev/disk/by-partuuid/73d8eea4-c648-4c91-99dc-19940832ffe7";
+    # };
+
     "/mnt/parity1" = {
       fsType = "ext4";
       device = "/dev/disk/by-partuuid/7c9b88ed-b8f8-40c9-bbc3-b75d30e04e01";
+      options = [ "nofail" ];
     };
 
     "/mnt/parity2" = {
       fsType = "ext4";
       device = "/dev/disk/by-partuuid/5d2d7e3e-3730-4d9b-8759-dc14396f3357";
+      options = [ "nofail" ];
     };
 
     "/mnt/storage" = {

nixos/hosts/hades/tautulli/configuration.nix

@@ -1,23 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ ... }:
-
-{
-  imports = [ ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.11"; # Did you read the comment?
-
-  services.tautulli = {
-    enable = true;
-    port = 8080;
-    openFirewall = true;
-  };
-}

nixos/hosts/hades/unifi/configuration.nix

@@ -11,10 +11,6 @@
     openFirewall = true;
   };
 
-  # Required for Java
-  # gets forced to true due the lxc profile
-  environment.noXlibs = lib.mkForce false;
-
   # Unifi Web Port
   networking.firewall.allowedTCPPorts = [ 8443 ];
 }

nixos/hosts/olympus/bastion/configuration.nix

@@ -3,6 +3,22 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { pkgs, inputs, ... }: {
+let
+  fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
+    #!${pkgs.stdenv.shell}
+    # Check if vscode-server dir exists
+    if [[ -d "$HOME/.vscode-server/bin" ]]; then
+      # For every bin folder within
+      for versiondir in "$HOME"/.vscode-server/bin/*; do
+        # Remove bundled node (dynamic links are borked for nix)
+        rm "$versiondir/node"
+        # symlink node form the nixpkg
+        ln -s "${pkgs.nodejs-slim}/bin/node" "$versiondir/node"
+      done
+    fi
+  '';
+in
+{
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix

nixos/hosts/olympus/ci/configuration.nix

@@ -61,7 +61,7 @@ in {
         gitMinimal
         gnused
         jq
-        nixUnstable
+        nix
         nodejs
         statix
         vault

nixos/hosts/olympus/default.nix

@@ -19,7 +19,8 @@
     ip = "10.42.42.4";
     ip6 = "2001:41f0:9639:1:80f0:7cff:fecb:bd6d";
     mac = "82:F0:7C:CB:BD:6D";
-    type = "vm";
+    # type = "vm";
+    nix = false; # Now managed in the `new` branch
   };
   "vault" = {
     ip = "10.42.42.6";
@@ -50,9 +51,7 @@
   "kubernetes" = {
     ip = "10.42.42.10";
     mac = "6E:A5:25:99:FE:68";
-    exposes = {
-      flux.domain = "flux.0x76.dev";
-    };
+    nix = false;
   };
   "dex" = {
     ip = "10.42.42.11";
@@ -85,13 +84,19 @@
     profile = "dns";
     ip = "10.42.42.15";
     mac = "5E:F6:36:23:16:E3";
-    tags = [ "dns" "networking" ];
+    tags = [
+      "dns"
+      "networking"
+    ];
   };
   "dns-2" = {
     profile = "dns";
     ip = "10.42.42.16";
     mac = "B6:04:0B:CD:0F:9F";
-    tags = [ "dns" "networking" ];
+    tags = [
+      "dns"
+      "networking"
+    ];
   };
   "minio" = {
     ip = "10.42.42.17";
@@ -118,6 +123,7 @@
   "unifi" = {
     ip = "10.42.42.20";
     mac = "1A:88:A0:B0:65:B4";
+    nix = false;
   };
   "minecraft" = {
     ip = "10.42.42.21";
@@ -156,19 +162,16 @@
   "grist" = {
     ip = "10.42.42.26";
     mac = "B2:AA:AB:5D:2F:22";
-    exposes.grist = {
-      domain = "grist.0x76.dev";
-      port = 8484;
-    };
+    nix = false;
   };
   "bookwyrm" = {
     ip = "10.42.42.27";
     mac = "9E:8A:6C:39:27:DE";
     nix = false;
-    exposes.books = {
-      domain = "books.meowy.tech";
-      port = 8001;
-    };
+    # exposes.books = {
+    #   domain = "books.meowy.tech";
+    #   port = 8001;
+    # };
   };
   "synapse" = {
     ip = "10.42.42.28";
@@ -193,6 +196,7 @@
   "ci" = {
     ip = "10.42.42.33";
     mac = "1E:24:DA:DB:4A:1A";
+    nix = false;
   };
   "nuc" = {
     ip = "10.42.42.42";

nixos/hosts/olympus/gitea/configuration.nix

@@ -21,8 +21,6 @@ in
   # Additional packages
   environment.systemPackages = with pkgs; [ ];
 
-  environment.noXlibs = lib.mkForce false;
-
   networking.firewall.allowedTCPPorts = [ port ];
   services = {
 
@@ -59,7 +57,7 @@ in
           "REPO_INDEXER_EXCLUDE" = "node_modules/**";
         };
         ui = {
-          "THEMES" = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green,agatheme";
+          "THEMES" = "forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green";
           "DEFAULT_THEME" = "forgejo-auto";
           "USE_SERVICE_WORKER" = true;
         };
@@ -96,10 +94,10 @@ in
     group = "gitea";
   };
 
-  system.activationScripts.gitea-theme =
-    let target_dir = "${config.services.gitea.stateDir}/custom/public/css/";
-    in lib.stringAfter [ "var" ] ''
-      mkdir -p ${target_dir}
-      ln -sf ${pkgs.v.gitea-agatheme} "${target_dir}/theme-agatheme.css"
-    '';
+  # system.activationScripts.gitea-theme =
+  #   let target_dir = "${config.services.gitea.stateDir}/custom/public/css/";
+  #   in lib.stringAfter [ "var" ] ''
+  #     mkdir -p ${target_dir}
+  #     ln -sf ${pkgs.v.gitea-agatheme} "${target_dir}/theme-agatheme.css"
+  #   '';
 }

nixos/hosts/olympus/hedgedoc/configuration.nix

@@ -20,8 +20,6 @@ in
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "21.11"; # Did you read the comment?
 
-  environment.noXlibs = lib.mkForce false;
-
   networking.firewall.allowedTCPPorts = [ port ];
 
   vault-secrets.secrets.hedgedoc = { };

nixos/hosts/olympus/mailserver/configuration.nix

@@ -3,8 +3,10 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, ... }:
-let vs = config.vault-secrets.secrets;
-in {
+let
+  vs = config.vault-secrets.secrets;
+in
+{
   imports = [ ];
 
   # This value determines the NixOS release from which the default
@@ -15,19 +17,31 @@ in {
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "22.11"; # Did you read the comment?
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
 
   # needed as the mailserver configures its down DNS resolver
   networking.extraHosts = ''
     10.42.42.6 vault.olympus
   '';
 
-  vault-secrets.secrets.mailserver = { services = [ "dovecot2" "postfix" ]; };
+  vault-secrets.secrets.mailserver = {
+    services = [
+      "dovecot2"
+      "postfix"
+    ];
+  };
 
   mailserver = {
     enable = true;
     fqdn = "mail.0x76.dev";
-    domains = [ "0x76.dev" "meowy.tech" "xirion.net" ];
+    domains = [
+      "0x76.dev"
+      "meowy.tech"
+      "xirion.net"
+    ];
     certificateScheme = "acme-nginx";
     enableManageSieve = true;
 
@@ -44,15 +58,19 @@ in {
       # People
       "v@0x76.dev" = {
         hashedPasswordFile = "${vs.mailserver}/v@0x76.dev";
-        catchAll = [ "xirion.net" "0x76.dev" ];
+        catchAll = [
+          "xirion.net"
+          "0x76.dev"
+        ];
         aliases = [
           "postmaster@0x76.dev"
           "abuse@0x76.dev"
-
-          "v@meowy.tech"
           "abuse@meowy.tech"
           "postmaster@meowy.tech"
+          "abuse@xirion.net"
+          "postmaster@xirion.net"
 
+          "@meowy.tech"
           "@xirion.net"
           "@0x76.dev"
         ];
@@ -95,21 +113,34 @@ in {
       # index new email as they arrive
       autoIndex = true;
       # this only applies to plain text attachments, binary attachments are never indexed
-      indexAttachments = true;
+      # indexAttachments = true;
       enforced = "body";
       memoryLimit = 2000;
       autoIndexExclude = [ "\\Junk" ];
     };
   };
-  services = {
 
-    postfix.relayHost = "smtp.ziggozakelijk.nl";
-    postfix.relayPort = 587;
+  services = {
+    postfix = {
+
+      relayHost = "smtp.ziggozakelijk.nl";
+      relayPort = 587;
+    };
+
+    rspamd = {
+      overrides."whitelist.conf".text = ''
+        whitelist_from {
+          fckn.gay = true;
+        }
+      '';
+    };
 
     roundcube = {
       enable = true;
-      package = pkgs.roundcube.withPlugins
-        (plugins: [ plugins.persistent_login pkgs.v.roundcube-swipe ]);
+      package = pkgs.roundcube.withPlugins (plugins: [
+        plugins.persistent_login
+        pkgs.v.roundcube-swipe
+      ]);
       plugins = [
         "archive"
         "managesieve"
@@ -143,7 +174,9 @@ in {
       '';
     };
 
-    nginx = { enable = true; };
+    nginx = {
+      enable = true;
+    };
   };
 
   security.acme.acceptTerms = true;

nixos/hosts/olympus/minecraft/configuration.nix

@@ -16,8 +16,6 @@
   # Additional packages
   environment.systemPackages = with pkgs; [ ];
 
-  environment.noXlibs = lib.mkForce false;
-
   networking.firewall.allowedTCPPorts = [ ];
 
   services.minecraft-server = {

nixos/hosts/olympus/mosquitto/configuration.nix

@@ -3,8 +3,10 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, ... }:
-let mosquittoPort = 1883;
-in {
+let
+  mosquittoPort = 1883;
+in
+{
   imports = [ ];
 
   # This value determines the NixOS release from which the default
@@ -20,15 +22,21 @@ in {
 
   services.mosquitto = {
     enable = true;
-    listeners = [{
+    listeners = [
+      {
         port = mosquittoPort;
         settings.allow_anonymous = true;
         acl = [ "topic readwrite #" ];
         users = {
-        vivian = { acl = [ "readwrite #" ]; };
-        zigbee2mqtt = { acl = [ "readwrite #" ]; };
+          vivian = {
+            acl = [ "readwrite #" ];
           };
-    }];
+          zigbee2mqtt = {
+            acl = [ "readwrite #" ];
+          };
+        };
+      }
+    ];
 
   };
 
@@ -39,7 +47,9 @@ in {
       homeassistant = true;
       permit_join = false;
 
-      serial = { port = "/dev/ttyUSB0"; };
+      serial = {
+        port = "/dev/ttyUSB0";
+      };
 
       mqtt = {
         base_topic = "zigbee2mqtt";
@@ -47,10 +57,14 @@ in {
         user = "zigbee2mqtt";
       };
 
-      frontend = { port = 8080; };
+      frontend = {
+        port = 8080;
+      };
     };
   };
 
-  networking.firewall.allowedTCPPorts =
-    [ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
+  networking.firewall.allowedTCPPorts = [
+    mosquittoPort
+    config.services.zigbee2mqtt.settings.frontend.port
+  ];
 }

nixos/hosts/olympus/nginx/configuration.nix

@@ -5,7 +5,6 @@ let
       base_url = "https://chat.meowy.tech";
       server_name = "meowy.tech";
     };
-    "m.identity_server" = { };
   };
   serverConfig."m.server" = "chat.meowy.tech:443";
   mkWellKnown = data: ''
@@ -13,7 +12,13 @@ let
     add_header Access-Control-Allow-Origin *;
     return 200 '${builtins.toJSON data}';
   '';
-in {
+
+  website = builtins.fetchGit {
+    url = "https://git.0x76.dev/v/0x76.dev.git";
+    rev = "27baf03cdcd41a9ea4bd591071baf826f6950233";
+  };
+in
+{
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -22,7 +27,10 @@ in {
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "21.05"; # Did you read the comment?
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
   services = {
 
     # Generates vhosts for all hosts that have an `exposes` section
@@ -35,7 +43,7 @@ in {
       recommendedTlsSettings = true;
       recommendedOptimisation = true;
       recommendedBrotliSettings = true;
-      clientMaxBodySize = "500m";
+      clientMaxBodySize = "5000M";
 
       package = pkgs.nginxMainline;
 
@@ -70,20 +78,21 @@ in {
           enableACME = true;
           forceSSL = true;
 
-          locations."/".extraConfig = ''
-            add_header Content-Type 'text/html; charset=UTF-8';
-            return 200 '<h1>Under Construction</h1>';
-          '';
+          root = "${website}";
         };
 
-        "blog.xirion.net" = {
+        "vivian.is.fckn.gay" = {
           enableACME = true;
           forceSSL = true;
 
-          locations."/".extraConfig = ''
-            add_header Content-Type 'text/html; charset=UTF-8';
-            return 200 '<h1>Under Construction</h1>';
-          '';
+          root = "${website}";
+        };
+
+        "immich.0x76.dev" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://10.42.42.4:2283";
+          locations."/".proxyWebsockets = true;
         };
 
         # Meow
@@ -95,10 +104,8 @@ in {
               add_header Content-Type 'text/html; charset=UTF-8';
               return 200 '<h1>meow</h1>';
             '';
-            "= /.well-known/matrix/client".extraConfig =
-              mkWellKnown clientConfig;
-            "= /.well-known/matrix/server".extraConfig =
-              mkWellKnown serverConfig;
+            "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+            "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
           };
         };
         "chat.meowy.tech" = {
@@ -106,8 +113,9 @@ in {
           forceSSL = true;
           locations = {
             "/".extraConfig = ''
-              return 307 https://element.chat.meowy.tech;
+              return 303 https://element.chat.meowy.tech;
             '';
+            "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
             "/_matrix".proxyPass = "http://synapse.olympus:8008";
             "/_synapse/client".proxyPass = "http://synapse.olympus:8008";
             "/_synapse/admin" = {
@@ -116,9 +124,7 @@ in {
                 allow 127.0.0.1;
                 allow 10.42.42.0/23;
                 allow 192.168.0.0/23;
-                allow 80.60.83.220;
-                allow 83.128.154.23;
-                allow 62.45.26.248;
+                allow 62.45.180.183;
                 allow 195.85.167.32/29;
                 deny all;
               '';
@@ -138,11 +144,6 @@ in {
             };
           };
         };
-        "es.0x76.dev" = {
-          enableACME = true;
-          forceSSL = true;
-          root = inputs.essentials.packages.${pkgs.system}.default;
-        };
         "cinny.chat.meowy.tech" = {
           enableACME = true;
           forceSSL = true;
@@ -155,6 +156,7 @@ in {
             };
           };
         };
+
         "admin.chat.meowy.tech" = {
           enableACME = true;
           forceSSL = true;

nixos/hosts/olympus/synapse/configuration.nix

@@ -2,12 +2,16 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
+
 { config, pkgs, ... }:
+
 let
   vs = config.vault-secrets.secrets;
   port = 8008;
+  slidingSyncPort = 8009;
   metricsPort = 9000;
 in
+
   {
   imports = [ ];
 
@@ -19,7 +23,7 @@ in
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "22.11"; # Did you read the comment?
 
-  networking.firewall.allowedTCPPorts = [ port metricsPort ];
+  networking.firewall.allowedTCPPorts = [ port metricsPort slidingSyncPort ];
 
   vault-secrets.secrets.synapse = {
     user = "matrix-synapse";
@@ -109,3 +113,5 @@ in
       };
   };
 }
+
+

nixos/hosts/olympus/unifi/configuration.nix

@@ -17,8 +17,6 @@
 
   networking.firewall.allowedTCPPorts = [ 8443 ];
 
-  environment.noXlibs = lib.mkForce false;
-
   services.unifi = {
     enable = true;
     unifiPackage = pkgs.unifi;

nixos/hosts/olympus/victoriametrics/configuration.nix

@@ -26,7 +26,7 @@ in {
       enable = true;
       listenAddress = ":${toString vmPort}";
       # Data Retention period in months
-      retentionPeriod = 36;
+      retentionPeriod = "3y";
     };
 
     vmagent = {

nixos/hosts/olympus/wireguard/configuration.nix

@@ -18,7 +18,6 @@ in {
   # Additional packages
   environment.systemPackages = with pkgs; [ wireguard-tools ];
 
-  environment.noXlibs = lib.mkForce false;
   networking = {
 
     firewall.allowedUDPPorts =

nixos/hosts/thalassa/default.nix

@@ -2,5 +2,6 @@
   "aoife" = {
     type = "local";
     mac = "04:7b:cb:b6:2d:88";
+    nix = false;
   };
 }

nixos/pkgs/default.nix

@@ -1,5 +1,5 @@
 # nix-build -E 'with import <nixpkgs> {}; callPackage ./default.nix {}'
-_final: prev: {
+final: prev: {
   v = {
     glitch-soc = prev.callPackage ./glitch-soc { };
 

nixos/pkgs/glitch-soc/README.md

@@ -0,0 +1,21 @@
+# Mastodon Glitch Edition
+
+<https://github.com/glitch-soc/mastodon>
+
+Based on [nixpkgs upstream](https://github.com/NixOS/nixpkgs/tree/master/pkgs/servers/mastodon).
+
+Modifications for the new yarn berry lockfiles and some other improvements stolen and adjusted (with permissions) from [catgirl.cloud](https://git.catgirl.cloud/999eagle/dotfiles-nix/-/tree/main/overlay/mastodon/glitch) (see also https://github.com/NixOS/nixpkgs/issues/277697).
+
+I've also made some further modifications myself to try and simplify the package and better understand it.
+
+## Updating
+
+The package can be updated to the latest glitch-soc commit with `update.sh`.
+
+- the `deps.patch` for the yarn lockfile will probably not work anymore
+- in that case, delete it before running `update.sh`
+- then try to build the package
+- when it fails again with a yarn error, run `nix log` to get the full yarn output
+- take the diff from there and adjust `deps.patch` accordingly
+- also, the yarn hash in `version_data.nix` has to be adjusted manually
+- build the package and paste the hash from the error message into `yarnHash`

nixos/pkgs/glitch-soc/default.nix

@@ -1,84 +1,100 @@
-{ lib, stdenv, nodejs-slim, bundlerEnv, nixosTests
-, yarn, callPackage, imagemagick, ffmpeg, file, ruby, writeShellScript
-, fetchYarnDeps, prefetch-yarn-deps
-, brotli
-
-  # Allow building a fork or custom version of Mastodon:
-, pname ? "mastodon"
-, version ? srcOverride.version
-, patches ? []
-  # src is a package
-, srcOverride ? callPackage ./source.nix { inherit patches; }
-, gemset ? ./. + "/gemset.nix"
-, yarnHash ? srcOverride.yarnHash
+{ stdenv, nodejs-slim, bundlerEnv, defaultGemConfig
+, yarn-berry, callPackage, ruby, writeShellScript
+, brotli, openssl
 }:
 
-stdenv.mkDerivation rec {
-  inherit pname version;
+let
 
-  src = srcOverride;
+  # optimally, updates only need to touch `version_data.nix`, and nothing else should be in there
+  versionData = import ./version_data.nix;
 
+  # use the first 7 characters of the glitch-soc commit hash as version string
+  version = builtins.substring 0 7 versionData.rev;
+
+  # the patched glitch-soc source
+  src = callPackage ./source.nix { };
+
+  # ruby gems, built from `gemset.nix`, which is generated by bundix in `update.sh` from the source Gemfile
   mastodonGems = bundlerEnv {
-    name = "${pname}-gems-${version}";
-    inherit version gemset ruby;
+    name = "glitch-soc-gems-${version}";  # bundlerEnv breaks when pname is set instead
+    inherit version;
+    ruby = ruby;
+    gemset = ./gemset.nix;
     gemdir = src;
-    # This fix (copied from https://github.com/NixOS/nixpkgs/pull/76765) replaces the gem
-    # symlinks with directories, resolving this error when running rake:
-    #   /nix/store/451rhxkggw53h7253izpbq55nrhs7iv0-mastodon-gems-3.0.1/lib/ruby/gems/2.6.0/gems/bundler-1.17.3/lib/bundler/settings.rb:6:in `<module:Bundler>': uninitialized constant Bundler::Settings (NameError)
-    postBuild = ''
-      for gem in "$out"/lib/ruby/gems/*/gems/*; do
-        cp -a "$gem/" "$gem.new"
-        rm "$gem"
-        # needed on macOS, otherwise the mv yields permission denied
-        chmod +w "$gem.new"
-        mv "$gem.new" "$gem"
-      done
-    '';
+    /*
+    See:
+    - https://wiki.nixos.org/wiki/Packaging/Ruby#Adding_a_global_override_for_a_gem
+    - https://nixos.org/manual/nixpkgs/stable/#gem-specific-configurations-and-workarounds
+    */
+    gemConfig = defaultGemConfig // {
+      hiredis-client = attrs: {
+        buildInputs = [ openssl ];
+      };
+    };
   };
 
+  # fetches JS dependencies via yarn based on the lockfile in the source
+  mastodonYarnDeps = yarn-berry.fetchYarnBerryDeps {
+    inherit src;
+    hash = versionData.yarnHash;
+    missingHashes = ./missing-hashes.json;
+  };
+
+  # builds the node modules for mastodon using the previously fetched yarn deps
   mastodonModules = stdenv.mkDerivation {
-    pname = "${pname}-modules";
-    inherit src version;
+    pname = "glitch-soc-modules";
+    inherit version src;
 
-    yarnOfflineCache = fetchYarnDeps {
-      yarnLock = "${src}/yarn.lock";
-      hash = yarnHash;
-    };
+    yarnOfflineCache = mastodonYarnDeps;
+    missingHashes = ./missing-hashes.json;
 
-    nativeBuildInputs = [ prefetch-yarn-deps nodejs-slim yarn mastodonGems mastodonGems.wrappedRuby brotli ];
+    nativeBuildInputs = [
+      nodejs-slim
+      yarn-berry
+      yarn-berry.yarnBerryConfigHook
+      brotli
+      mastodonGems
+      mastodonGems.wrappedRuby
+    ];
 
     RAILS_ENV = "production";
     NODE_ENV = "production";
 
+    /*
+    So it seems that somehow a change in Linux 6.9 changed something that broke libuv, an IO lib
+    used by Node. This undocumented env var disables the broken IO feature in libuv and it works
+    again.
+
+    - https://lore.kernel.org/lkml/d7003b6e-b8e3-41c4-9e6e-2b9abd0c5572@gmail.com/t/
+    - https://github.com/nodejs/node/issues/53051#issuecomment-2124940205
+    - https://github.com/nodejs/docker-node/issues/1912#issuecomment-1594233686
+    */
+    UV_USE_IO_URING = "0";
+
     buildPhase = ''
       runHook preBuild
 
-      export HOME=$PWD
-      # This option is needed for openssl-3 compatibility
-      # Otherwise we encounter this upstream issue: https://github.com/mastodon/mastodon/issues/17924
-      export NODE_OPTIONS=--openssl-legacy-provider
-      fixup-yarn-lock ~/yarn.lock
-      yarn config --offline set yarn-offline-mirror $yarnOfflineCache
-      yarn install --offline --frozen-lockfile --ignore-engines --ignore-scripts --no-progress
+      export SECRET_KEY_BASE_DUMMY=1
 
-      patchShebangs ~/bin
-      patchShebangs ~/node_modules
+      patchShebangs bin
 
-      # skip running yarn install
-      rm -rf ~/bin/yarn
+      bundle exec rails assets:precompile
 
-      OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder \
-        rails assets:precompile
-      yarn cache clean --offline
-      rm -rf ~/node_modules/.cache
+      rm -rf node_modules/.cache
+
+      # Remove workspace "package" as it contains broken symlinks
+      # See https://github.com/NixOS/nixpkgs/issues/380366
+      rm -rf node_modules/@mastodon
+
+      # Remove execute permissions
+      find public/assets -type f ! -perm 0555 \
+        -exec chmod 0444 {} ';'
 
       # Create missing static gzip and brotli files
-      gzip --best --keep ~/public/assets/500.html
-      gzip --best --keep ~/public/packs/report.html
-      find ~/public/assets -maxdepth 1 -type f -name '.*.json' \
-        -exec gzip --best --keep --force {} ';'
-      brotli --best --keep ~/public/packs/report.html
-      find ~/public/assets -type f -regextype posix-extended -iregex '.*\.(css|js|json|html)' \
+      # see: https://git.catgirl.cloud/999eagle/dotfiles-nix/-/blob/5d0da33c4f6b52b48777b404593c68a13e292721/overlay/mastodon/glitch/default.nix#L30
+      # see: https://code.hackerspace.pl/ar/nibylandia/src/commit/7bbb773554204026644fb98c9463fd15726976e9/pkgs/glitch-soc/modules.nix#L52
+      find public/assets public/packs -type f -regextype posix-extended -iregex '.*\.(css|html|js|js.map|json|svg)' \
+        -exec gzip --best --keep --force {} ';' \
         -exec brotli --best --keep {} ';'
 
       runHook postBuild
@@ -96,7 +112,15 @@ stdenv.mkDerivation rec {
     '';
   };
 
-  propagatedBuildInputs = [ imagemagick ffmpeg file mastodonGems.wrappedRuby ];
+# the actual main glitch-soc package
+
+in stdenv.mkDerivation {
+
+  pname = "glitch-soc";
+  inherit version src mastodonGems mastodonModules;
+
+  propagatedBuildInputs = [ mastodonGems.wrappedRuby ];
+  nativeBuildInputs = [ brotli ];
   buildInputs = [ mastodonGems nodejs-slim ];
 
   buildPhase = ''
@@ -153,17 +177,4 @@ stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
-  passthru = {
-    tests.mastodon = nixosTests.mastodon;
-    # run with: nix-shell ./maintainers/scripts/update.nix --argstr package mastodon
-    updateScript = ./update.sh;
-  };
-
-  meta = with lib; {
-    description = "Self-hosted, globally interconnected microblogging software based on ActivityPub";
-    homepage = "https://joinmastodon.org";
-    license = licenses.agpl3Plus;
-    platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
-    maintainers = with maintainers; [ happy-river erictapen izorkin ghuntley ];
-  };
 }

nixos/pkgs/glitch-soc/missing-hashes.json

@@ -0,0 +1,75 @@
+{
+  "@esbuild/aix-ppc64@npm:0.25.5": "fb872b34a2843293dc60e809968fedf93e0d8f7174b062decffae6ba861eb56aaea0cd0aba87ba99162ceb2a690f0cde4fc29c000b52c035e40c91ec7861d43e",
+  "@esbuild/android-arm64@npm:0.25.5": "c818e799b19b5587466bf68a27b578ccaaf866c1d144573fbde7659e3fd3f555422ec3e67f5bd186a87648957d1b6e74df4f847edea7219c16979c9916f36e91",
+  "@esbuild/android-arm@npm:0.25.5": "a5384933f9f2ffcadce2be49da6ff43249fe42f32a04071316434e9f633fc20c8d4029072e9a53555620c3531045786297607b852579eee30b6dbc3bc9d98cd9",
+  "@esbuild/android-x64@npm:0.25.5": "8ce115dc7e1e6735f23b4aadb2dfca29c0abd8577ce34802ea3d017a64e388928949134fe225dfe190babdc5ec01be5fc7794eca84738cdefc12c5e3789ce43b",
+  "@esbuild/darwin-arm64@npm:0.25.5": "a009eab62f2bd284a6f2001d5e08217059186ffc16907bbe873e1de40fe9b5ed92c0db2f4c4d0dc41545838850a430c8f2f35d7bdb9cd01a1a04293acd97afca",
+  "@esbuild/darwin-x64@npm:0.25.5": "cac8021a7a0c549263e076913346b35a5bb81f76ffbc1abfad5e7b67303f013ac0c76f111bf624ea8447b327ec86c18a60c6ff307d743a2269f5d47313f5b2de",
+  "@esbuild/freebsd-arm64@npm:0.25.5": "d248e7103b7094eb4288db7c9a78b2905a25b4a957f2b945531ca88d3394f45ceca2343a7c84954734534af6159bc741eb3d5c1ed9df990f7395337a1b14192c",
+  "@esbuild/freebsd-x64@npm:0.25.5": "8a7be0740f07f5dbb3e24bf782ca6ef518a8ce9b53e5d864221722045713586d41774cbd531df97dc868b291b3b303c12e50ca8611c3cb7b5fe09a30b38285eb",
+  "@esbuild/linux-arm64@npm:0.25.5": "ce3c8fca47cf0a92148fb288eb35a5c4a4dcf7a700730b3a48fdd63c13e17c719eb6b350378203fba773477eb5be637f47a6d52c5d4ce5bdc0075ee917156006",
+  "@esbuild/linux-arm@npm:0.25.5": "cc81ea76ab86ed2a837c9da329f7c63412d288dc0aa608c8dcdf51705dc93d5b7f966a429be4896babe611074e5898c7e6c8e07ad7f50123a05478975294fbb4",
+  "@esbuild/linux-ia32@npm:0.25.5": "bfed6750923afd56148f658f6ec8995479f5115116dc212ecb9e4c556064422e22eda855177e7c02cbc945494e4db1167101918c5fa932278115db2c7025a3f6",
+  "@esbuild/linux-loong64@npm:0.25.5": "e5c20140bbbdba53f0d86dd72961ed73e6255d2ada2d3a626f390b352170605644822ad7592f695b6e520edcefe0c5f6ba19d10694b5d11d725745d9792bde01",
+  "@esbuild/linux-mips64el@npm:0.25.5": "6b3559517efd0dd1301debc7af7e275b055859c26facdda2e229b1aaab6ebea4c480a1da151c46211ee4035d95bfa7f0cdacf735b57ee99d41b69c77357310b9",
+  "@esbuild/linux-ppc64@npm:0.25.5": "a1a1af99d758efce928335637924dcd8ddec4201af51014e1f831b012d53a0a673b1e0c31036ec9e8c5a0311439283419ec8abdfc67ecb245fa7f7b653006ed0",
+  "@esbuild/linux-riscv64@npm:0.25.5": "6cd8dce6723b73e0f89898ab6cd52e0d009afdacdfc0d5529134de7b832c92c2e0421fbb5cbfc0e0c0b2b00a9b1ff2c4cdb9695b2c535ebc174960e986c727a7",
+  "@esbuild/linux-s390x@npm:0.25.5": "31b86dbc93d19eb362bad3353e65d6da771118346e723582d06c05f1b6ffad1c3765001b5215ef1e8f0c2bb29130d98815359bbc88e5c08304354d5a92e6ea94",
+  "@esbuild/linux-x64@npm:0.25.5": "f878a3e40edfd8a50de94bf982a9eaf03e636a0332af163a6c905490063aae652384fb392d4765c4338fb6f991034949c92ec768ee65c3b2fceeb494b89fe8b3",
+  "@esbuild/netbsd-arm64@npm:0.25.5": "941c5e28a63a93f19122271b5490e196db12815702c2266c6d66401b6909a4364ab889611ba81c5359624e3ce61f0505a680a1179ed9a555d1415fa1c485d75d",
+  "@esbuild/netbsd-x64@npm:0.25.5": "edbefdd88ca24a373497a7c8d1fdab418827ff89c6eee1c574159dbb4d9174552aa87753f35525a894964b77c14b012164ec5582b9f19dd4d6c1f5d45df411c7",
+  "@esbuild/openbsd-arm64@npm:0.25.5": "d44633a374c109d2fb9c678882016e3ec3d79f0c5f21a6e6fb0114ea709bc539200b037a4e3ec52304eea2f8c5957bf16c6f0a7af5cfde41b652c4bac604bba6",
+  "@esbuild/openbsd-x64@npm:0.25.5": "efc4641ea653dedc9886f0603c2e7cfc6fbe94c34d4cdaee9b060a8b9d8143d1192c45da93b3e802af2c26f72ab1ad3a3fad0e0cb297d06de55814fe83ccd32c",
+  "@esbuild/sunos-x64@npm:0.25.5": "29860663381b6098c0fda6f69235407654dfad953e83b3f9f06a270950d5c37da4ca60a4b5915b8e2606d468b560be6179870f64a22d5b046e8a930c31a7b554",
+  "@esbuild/win32-arm64@npm:0.25.5": "a77d395251c8a62ab0cec07d5230222823fa02fbf3ef008d94b5213a335c9f949872c3f1c2f947abaa28098b669018e429af42f59616e049860a0072f3b006de",
+  "@esbuild/win32-ia32@npm:0.25.5": "ff1b6cbe835082aef5b93c3e2012d51be431d05c6ae5f90a5bc89687c687e8e2340c262dedddd124b27b511616bbc4088b5a4a949d3147f677084dc6ec572629",
+  "@esbuild/win32-x64@npm:0.25.5": "266e69e8d37bd4deb77443588e49472e4e9791178cb39e1692eabb67cf65d8e85a932ac468e7ebb2072c8a9ee23ad413c8f0f7d954c474f643cedbbf7aad952a",
+  "@parcel/watcher-android-arm64@npm:2.5.0": "2d5d66f4e904546cff638d0b27a871d695dda1205e32902f917723dc1b09a5edef4ed8064fc5c85192a4e5e5b531eb4a2d3b349015ff6170c8228e3c098d5376",
+  "@parcel/watcher-darwin-arm64@npm:2.5.0": "bbdbaeb31ccea5ec172adab2bb2b1a5f4b2e18ed31054d7f6b1db718238f5880e3b8bc8ac1b55c00048c7a1973e75c0c86fa04c02679f99c0bb355145c8b685b",
+  "@parcel/watcher-darwin-x64@npm:2.5.0": "85089bf1c0f7fb0b4007d54f97e890bf2173d1a11166e9e601b9afe6e260e9cff2eed150ea80f51aae358436376c36af75a70523f53711f16a773987422cf93b",
+  "@parcel/watcher-freebsd-x64@npm:2.5.0": "1355a42a68beb177f9d15b8e379b63dd2e633494e0f09a7e28a778c6a5eb082206d6690e3776e79da5263ecc8791be047c33943cfd2d09019f8f545800ed583b",
+  "@parcel/watcher-linux-arm-glibc@npm:2.5.0": "3c78f9ab9e9d52745f3d44200e290a64843a9346bbe6628485cc6d777a1d329fd0345a5c919daad05fb436fda59143ec2f1810789c8e594a51c7f5d8099ac682",
+  "@parcel/watcher-linux-arm-musl@npm:2.5.0": "80f7f97115e4d98d95735149c6b210ed1902dbf0020d20b245801272a1459f3cef75307c124c1a947450dff9d7d62440ad85e46a98e06523523170fdffab5bf1",
+  "@parcel/watcher-linux-arm64-glibc@npm:2.5.0": "f82fb66b301754f9bf67c7abfe41b18c987ed47f8de05750395ac7453a2c396104d44090b20450d90d5af3e9de54e06aed1520e8401343b824f3c19747cf0aa1",
+  "@parcel/watcher-linux-arm64-musl@npm:2.5.0": "914ebc3387884a8948594fa91520726ef9a7dfbbf7663fd00e7c0de13e08a4e7a525c9132b5439b64b9deb9b62fdfb8c5e02148013cd2383d171334ea76641c0",
+  "@parcel/watcher-linux-x64-glibc@npm:2.5.0": "5db33f6a134d20e8bfd8bed6d13107e7d30947e832a4f677136abee8e1c2855ea19629ccf220e95056dbff753b55fe2b698dd936f31e492b095cc6434451e9d4",
+  "@parcel/watcher-linux-x64-musl@npm:2.5.0": "dbf3f903c4eb6014660f4c3c0d44dcef0e21ee16908288ad0149d6c1a5c9fd7f0405d8d0e91a2493fbeef83df5784bd43f7d1426a0150e00a415b6c0eab38c98",
+  "@parcel/watcher-win32-arm64@npm:2.5.0": "cff6516b1dad597ca1ec8c385cf8251f5050b32ab46fc15360f2eff3a40b61b7107eee56df73764007d9bd6b826960d2f3589c8e0ce270bb5b2a292313bd7a1b",
+  "@parcel/watcher-win32-ia32@npm:2.5.0": "ad9d2c9ae3a7031105fc90418050a910d4b679ead36e5fdcbb1b3e4afbaf56aec6566863e3a374c645c82f57073d8f643183f19c67c8c48b0aa62224c05fdb9d",
+  "@parcel/watcher-win32-x64@npm:2.5.0": "aa9660bdb2fe70de5163f9f8419e263711fd30612244fb7feb58fce49a653b88ac0e1e29646fb1fc76b86fd8215e62eea5ded0616725987dfca5372041925bd2",
+  "@rollup/rollup-android-arm-eabi@npm:4.40.2": "cb502d6933de94860f9d49a4b4e849a206d10d9b1a424847cb2545667f8937ac891a37854e2934992b39521dc8b8daa2ec6b683da6bb47ef893ab24f9424c887",
+  "@rollup/rollup-android-arm64@npm:4.40.2": "42e04ae6605f8a31cc7daf484f9104e6d2174a99e39d829c24d77780cd257a6dab67f5c6a38e84e5a967ad4a64a042f1e6dfbe75444aa03517e83d8436179726",
+  "@rollup/rollup-darwin-arm64@npm:4.40.2": "8e641fd8a888504c516e76e525a7fcc099d363a82ce8569a1a5bb2fdcf632fa262e1a73b47932a922d132e0c46fab6ba04490053f63e6e4fb30c313a499b139f",
+  "@rollup/rollup-darwin-x64@npm:4.40.2": "9dca62986fa2afef8c5addcb1eb4ee08afbd3aa03ece3c5372a82a785af67ae441b9782dd542018fa5bb39a6de34ea53f10795d6f6f801a0469ce7979c52c729",
+  "@rollup/rollup-freebsd-arm64@npm:4.40.2": "f21c73712c4cb74a797998e8adfa83bb7ff0d6cc3e7353eae5b213b4bb3f9f481e025d37dd67aeee7488b9fc9ecd0bc8f85a61469cfa6592ed9292d14ba868d0",
+  "@rollup/rollup-freebsd-x64@npm:4.40.2": "9f8b6abb5be2527e6cffdaf0dd95a8bbb6f4aa5599be2bfe919e8252f57558f0a06b66748d29cb1e42d0b65e1d2ef0ec2d6a429d3c8a1a85352269d88ffbda17",
+  "@rollup/rollup-linux-arm-gnueabihf@npm:4.40.2": "fc205b61c54ddaac7bb45768c3b4bbd79632df3f7bbe65532f5453d54e1a31c1d3f1e4508a00323cf0656d6c5a69f0793989d11fd0805dc2621053c8c6fbcaa3",
+  "@rollup/rollup-linux-arm-musleabihf@npm:4.40.2": "14fde6bac72d734462b9c2fa3594934454069d01422fe12e650ae6fc9e998daac3d43d1726a0aa040cac9d4de43cf75ca34d82932e0a2c3f564f49f0b6fba4af",
+  "@rollup/rollup-linux-arm64-gnu@npm:4.40.2": "1a7c361022d74025076d322cdeb741923f1d3e0d5e1a12fd4dcc678a7c3dc8a07002f6ec4d537b6f089c75b90273cd700580b9ac1b1d45fa68908eadb524f1c7",
+  "@rollup/rollup-linux-arm64-musl@npm:4.40.2": "2fbf7f6f28bfe5148b1a82b04569574bc865b65f6e8f874aa8b175ad3c3ee9197a9a22bc3693153f0d55ff2bd78938b15e162cafa4b77756d1933036b0520bf0",
+  "@rollup/rollup-linux-loongarch64-gnu@npm:4.40.2": "ae77d9e7a797868fbd6887b8b4a8a26bcd96ea632022ddc47c570d90ad6e47b2ac0b3a933885c06a0af5ad57b5f818f4531ff6961b351e9705f5af6dd26b2427",
+  "@rollup/rollup-linux-powerpc64le-gnu@npm:4.40.2": "867b6bc576e07110181f41c588b1a7ee22a6571bf5a3ceff0527c1e7c4540b5122d34b99f0c56c00d5c33a2e517fbb16c3e269cc4c08110e69dc0f0e4b2fbf26",
+  "@rollup/rollup-linux-riscv64-gnu@npm:4.40.2": "52f07f3e5e008cd0d277d5290524682c8ec5c03e08659b07a800fddc00b450dbf8df08612921b9fe6e4e16d60d5e282027d9b260ff520c40bf3e7c5e1efabb60",
+  "@rollup/rollup-linux-riscv64-musl@npm:4.40.2": "6483ab13ac5626c5b94d72aad3ffafe63a3572899824b1d37e59bc071b147f3d498864a0e19942e013a4488aa9262a92817232ca6c38339e3de62c3c4aca87e3",
+  "@rollup/rollup-linux-s390x-gnu@npm:4.40.2": "842ad92a20ff994091d4ba4c16f87e2f8a57e1eb9e3004c20aaeeb692bc2061619dd43ba4dd246712f8904fe1480e6211b43e9fd2e11a5faebbeebea0c79da63",
+  "@rollup/rollup-linux-x64-gnu@npm:4.40.2": "c440df4beca32d238b0a0f0b1017fb30da52c0f705946177c01a08d7d214ae190b2070885d93e15ff5fb5741e0964e1370bdd45f8a94e9a4689816f06f18c5a0",
+  "@rollup/rollup-linux-x64-musl@npm:4.40.2": "9874b4cce42573d460634443ddb730d348360089bf93667309e660301e4e389d8ae80abe7f33fa9a20db5e67984e107e17d1479bdfee278d74bc60dde6ab5f83",
+  "@rollup/rollup-win32-arm64-msvc@npm:4.40.2": "b61552ab831efde1ca4823cab1982d3d681e1be269d67d60558cd2ac86fe3802f6d569300d9ada084acebae27257b00c68f9d858261a579b5d8686956aa92ba0",
+  "@rollup/rollup-win32-ia32-msvc@npm:4.40.2": "13ad059483b26bbf12af5108207d66a98ae2aef7599f27a506b998c781921b653dacc63ee0db57bb6f37c920163fd8bc40072e0be0ec6b1e5f52eb3f1455efeb",
+  "@rollup/rollup-win32-x64-msvc@npm:4.40.2": "98ab8600ecbeab358c53ed563a7b586da0c5cdf26c03456a982a016b2f8eff6e2ec07055d15fe039b982a18a970744390d85a05970c9a8b1533c54702026f8df",
+  "@unrs/resolver-binding-darwin-arm64@npm:1.3.2": "c8c61120e2bead2e0fec054399107e1ebd39455a2b7d59a5446cafad86cca376e0010e65644c41da0958a065869dcbe0509a29394b52a469a48990d32bf7a6e8",
+  "@unrs/resolver-binding-darwin-x64@npm:1.3.2": "ee67a4043d2e297cb1362b7aa25be3f5defef9eb13f4e80358c3f22ffdef043ef905ac661fc9e70359383bafed5837a52bd001b49a8ea4f70372051d89ee6eff",
+  "@unrs/resolver-binding-freebsd-x64@npm:1.3.2": "5f19ef3991435a96e682d427a8d9b28886b4afc9ea5b723e51c4bca51f25bb24add8819ed91c9f228bd39e139d51625cc127ddd35efd6c3f6e1d88106808fad1",
+  "@unrs/resolver-binding-linux-arm-gnueabihf@npm:1.3.2": "f77b2345c2b572b569089092fa6c08b5a55fdb08d26e1db3cdfa0d195511a0efbe109c558e77bfd78d7aed4ffe47b6542890c9cad032cc00bb0fcd5f373f5090",
+  "@unrs/resolver-binding-linux-arm-musleabihf@npm:1.3.2": "8b7156d8c641994c39626522ba42e69eef8d868a69b319c9ea5f7584ef0c4ea98bc698c1a4417d209dd3a786630be404d459680cf5b5b2500d3c4b0eb1be894f",
+  "@unrs/resolver-binding-linux-arm64-gnu@npm:1.3.2": "93b28c2ea0dae2d452659e0afde6099107b70362043e19800e35b7ae86350856dfa0a4d6ba2be566c225965b458b5fba78a10219cf78e6fc0c581373cd2e2a52",
+  "@unrs/resolver-binding-linux-arm64-musl@npm:1.3.2": "49ed9f24838e876eb1bba9b5f3e283af0716ee23f7d11a799a6376a47fa59a2e28b724431ca165a3874d60b1ed5a6b6c7650fe207f0610a788c88baa7862688f",
+  "@unrs/resolver-binding-linux-ppc64-gnu@npm:1.3.2": "9fad22ffbf7aadf471a6d054c833a9b4cea74e2c38be40d546e6ba71058a6be10fa4e28947425ef33d42dc77de1c81b631fbff5a96a637c3a7652910f3e27d76",
+  "@unrs/resolver-binding-linux-s390x-gnu@npm:1.3.2": "dd28e351f19268c4735da984e96301d8433603cf109b2b6880aab9bb8f448242699b7f84c36c536ca4a9443f944153098a3d3e78fce26d0c56fe3406d73d4b55",
+  "@unrs/resolver-binding-linux-x64-gnu@npm:1.3.2": "e1cc70d8e012bc61bf5af85c2e9905aa1953c06daaab9b3857d780424c62807ccd0c5a20acb919e3accec7152badee426b1514ab9a4256b77945c3e7c8df3496",
+  "@unrs/resolver-binding-linux-x64-musl@npm:1.3.2": "e97b95e53d029e4ccaf7cf32072e644c495d8e1f097b6fdeb417860db4db4b752d84f5fa6310b9f170a1fbf0562696f0145005dda4a95d658ea0857fac6c51dd",
+  "@unrs/resolver-binding-wasm32-wasi@npm:1.3.2": "d3f16f36ba5dd714ef3eaf7bc57597e9f9a1fab7c6b5fb5dc5bf688d81a1bd4a574da16bd3e2b383181032a71001583b6534c21e5ffde1ee43fcfa95bc292f3b",
+  "@unrs/resolver-binding-win32-arm64-msvc@npm:1.3.2": "de65010d133e99a062827f698a7e50c30db15d9f6b9011d351762cc8809497e97c4617b7d6ca3052583ca3f6b8c3cb1f2857fd0c9afd944c7ebb65d5e1da74f6",
+  "@unrs/resolver-binding-win32-ia32-msvc@npm:1.3.2": "f214a8950e823c60656d2d113584c3cd20c6e92668f43f73c13c3ddfe38a7063615e42537645e2aa52a0652ace9c82e8fd5d9411043a6985ccb49d8dc8bb2595",
+  "@unrs/resolver-binding-win32-x64-msvc@npm:1.3.2": "38ca5f5912d7cddd3f3e1983ad8e79d084ab3f5990189ce8cdfcfc3b58d97cc0dd7b543cc78ff43eb1769d15a8c235339a5942c688ab680192caa4c97116a511"
+}

nixos/pkgs/glitch-soc/source.nix

@@ -1,18 +1,23 @@
-# This file was generated by pkgs.mastodon.updateScript.
-{ fetchFromGitHub, applyPatches, patches ? [] }:
+/*
+This fetches the glitch-soc source from GitHub and patches it.
+
+This needs to be a separately buildable package so that update.sh can build it during upgrading,
+because it needs it for generating `gemset.nix` from the Gemfile in the source.
+*/
+
+{
+  applyPatches,
+  fetchFromGitHub,
+  lib,
+}:
+
 let
-  version = "0e562916cce3241d98bd10f04a6aa7419700605";
-in
-(
-  applyPatches {
+  versionData = import ./version_data.nix;
+in applyPatches {
   src = fetchFromGitHub {
     owner = "glitch-soc";
     repo = "mastodon";
-      rev = "v${version}";
-      hash = "sha256-fZH3zPEU5jnYFhLx8OKDNrvsSVT46Peu92L84Fg5YpQ=";
+    inherit (versionData) rev hash;
   };
-    inherit patches;
-  }) // {
-  inherit version;
-  yarnHash = "sha256-P7KswzsCusyiS4MxUFnC1HYMTQ6fLpIwd97AglCukIk=";
+  patches = lib.filesystem.listFilesRecursive ./patches;
 }

nixos/pkgs/glitch-soc/update.sh

@@ -1,112 +1,48 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p bundix coreutils diffutils nix-prefetch-github gnused jq prefetch-yarn-deps
+#!/usr/bin/env -S nix shell nixpkgs#coreutils nixpkgs#bundix nixpkgs#nix-prefetch-github nixpkgs#jq nixpkgs-unstable#yarn-berry_4.yarn-berry-fetcher -c bash
+
 set -e
 
-OWNER=mastodon
-REPO=mastodon
+cd "$(dirname "$0")"  # cd to the script's directory
 
-POSITIONAL=()
-while [[ $# -gt 0 ]]; do
-    key="$1"
+echo "Retrieving latest glitch-soc/mastodon commit..."
+commit="$(curl -SsL 'https://api.github.com/repos/glitch-soc/mastodon/branches/main')"
+rev="$(jq -r '.commit.sha' <<<"$commit")"
+echo "Latest commit is $rev."
 
-    case $key in
-        --owner)
-            OWNER="$2"
-            shift # past argument
-            shift # past value
-            ;;
-        --repo)
-            REPO="$2"
-            shift # past argument
-            shift # past value
-            ;;
-        --ver)
-            VERSION="$2"
-            shift # past argument
-            shift # past value
-            ;;
-        --rev)
-            REVISION="$2"
-            shift # past argument
-            shift # past value
-            ;;
-        --patches)
-            PATCHES="$2"
-            shift # past argument
-            shift # past value
-            ;;
-        *)  # unknown option
-            POSITIONAL+=("$1")
-            shift # past argument
-            ;;
-    esac
-done
+echo
+echo "Prefetching glitch-soc/mastodon source..."
+hash="$(nix-prefetch-github glitch-soc mastodon --rev $rev | jq -r '.hash')"
+echo "Source hash is $hash."
 
-if [[ -n "$POSITIONAL" ]]; then
-    echo "Usage: update.sh [--owner OWNER] [--repo REPO] [--ver VERSION] [--rev REVISION] [--patches PATCHES]"
-    echo "OWNER and REPO must be paths on github."
-    echo "If REVISION is not provided, the latest tag from github.com/mastodon/mastodon is fetched and VERSION is calculated from it."
-    echo "If OWNER and REPO are not provided, it defaults they default to mastodon and mastodon."
-    echo "PATCHES, if provided, should be one or more Nix expressions separated by spaces."
-    exit 1
-fi
+echo
+echo "Building source derivation..."
+srcdir="$(nix build --no-link --print-out-paths --no-warn-dirty ../..#glitch-soc-source)"
+echo "Source derivation is $srcdir."
 
-if [[ -z "$REVISION" ]]; then
-    REVISION="$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} -s "https://api.github.com/repos/$OWNER/$REPO/releases" | jq -r  'map(select(.prerelease == false)) | .[0].tag_name')"
-fi
+echo
+echo "Generating gemset.nix using built source derivation..."
+rm -f gemset.nix
+bundix --quiet --lockfile $srcdir/Gemfile.lock --gemfile $srcdir/Gemfile
 
-VERSION="$(echo "$REVISION" | cut -c2-)"
+echo
+echo "Generating missing yarn hashes file..."
+rm -f missing-hashes.json
+yarn-berry-fetcher missing-hashes $srcdir/yarn.lock 2>/dev/null > missing-hashes.json
 
-rm -f gemset.nix source.nix
-cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1
+echo
+echo "Prefetching yarn deps..."
+yarn_hash="$(yarn-berry-fetcher prefetch "$srcdir/yarn.lock" ./missing-hashes.json 2>/dev/null)"
 
-WORK_DIR=$(mktemp -d)
-
-# Check that working directory was created.
-if [[ -z "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then
-    echo "Could not create temporary directory"
-    exit 1
-fi
-
-# Delete the working directory on exit.
-function cleanup {
-    # Report errors, if any, from nix-prefetch-git
-    grep "fatal" $WORK_DIR/nix-prefetch-git.out >/dev/stderr || true
-    rm -rf "$WORK_DIR"
-}
-trap cleanup EXIT
-
-echo "Fetching source code $REVISION"
-JSON=$(nix-prefetch-github "$OWNER" "$REPO" --rev "$REVISION" 2> $WORK_DIR/nix-prefetch-git.out)
-HASH=$(echo "$JSON" | jq -r .hash)
-
-cat > source.nix << EOF
-# This file was generated by pkgs.mastodon.updateScript.
-{ fetchFromGitHub, applyPatches, patches ? [] }:
-let
-  version = "$VERSION";
-in
-(
-  applyPatches {
-    src = fetchFromGitHub {
-      owner = "$OWNER";
-      repo = "$REPO";
-      rev = "v\${version}";
-      hash = "$HASH";
-    };
-    patches = patches ++ [$PATCHES];
-  }) // {
-  inherit version;
-  yarnHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+echo
+echo "Generating version_data.nix..."
+cat > version_data.nix << EOF
+# This file was generated with update.sh.
+{
+  rev = "$rev";
+  hash = "$hash";
+  yarnHash = "$yarn_hash";
 }
 EOF
-SOURCE_DIR="$(nix-build --no-out-link -E '(import <nixpkgs> {}).callPackage ./source.nix {}')"
 
-echo "Creating gemset.nix"
-bundix --lockfile="$SOURCE_DIR/Gemfile.lock" --gemfile="$SOURCE_DIR/Gemfile"
-echo "" >> gemset.nix  # Create trailing newline to please EditorConfig checks
-
-echo "Creating yarn-hash.nix"
-YARN_HASH="$(prefetch-yarn-deps "$SOURCE_DIR/yarn.lock")"
-YARN_HASH="$(nix hash to-sri --type sha256 "$YARN_HASH")"
-sed -i "s/sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/$YARN_HASH/g" source.nix
+echo
+echo "Done."

nixos/pkgs/glitch-soc/version_data.nix

@@ -0,0 +1,6 @@
+# This file was generated with update.sh.
+{
+  rev = "fa9318083efdd6d74ccc17c7d12390916ba6b0d1";
+  hash = "sha256-0vCTy0GX9Ji4iecf+8UX3Kz5PtnlqNqXOp3f4dZNXtI=";
+  yarnHash = "sha256-OGpIjEYQ6ejxMSFQyxQ5gzL6XCvj1jHqEnyAS9Uy9Cs=";
+}

nixos/pkgs/plex-pass/sources.json

@@ -1,14 +1,14 @@
 [
   {
-    "version": "1.40.0.7775",
+    "version": "1.41.9.9961",
     "platform": "aarch64-linux",
-    "url": "https://downloads.plex.tv/plex-media-server-new/1.40.0.7775-456fbaf97/debian/plexmediaserver_1.40.0.7775-456fbaf97_arm64.deb",
-    "hash": "0awannq36c5zgp2hln6g90yc44qf2sm0cq14wp7ck4yvs7wr5rwh"
+    "url": "https://downloads.plex.tv/plex-media-server-new/1.41.9.9961-46083195d/debian/plexmediaserver_1.41.9.9961-46083195d_arm64.deb",
+    "hash": "1gxiwzv799w2b18mlq1yx5z3x9k51f88yc9k7mmcn5a224a11kxf"
   },
   {
-    "version": "1.40.0.7775",
+    "version": "1.41.9.9961",
     "platform": "x86_64-linux",
-    "url": "https://downloads.plex.tv/plex-media-server-new/1.40.0.7775-456fbaf97/debian/plexmediaserver_1.40.0.7775-456fbaf97_amd64.deb",
-    "hash": "0zkz2w2rjngkdamsdp10j1gxd197kqrlqdm6z0sfvnzf7zvlr7v6"
+    "url": "https://downloads.plex.tv/plex-media-server-new/1.41.9.9961-46083195d/debian/plexmediaserver_1.41.9.9961-46083195d_amd64.deb",
+    "hash": "0hnwsh9x48xx9grgv4j30ymbr7v9bdfkl3dnfwjbqr0g3zb22av2"
   }
 ]

nixos/util.nix

@@ -1,4 +1,4 @@
-{ nixpkgs, home-manager, mailserver, lanzaboote, attic, ... }:
+{ nixpkgs, home-manager, mailserver, lanzaboote,  ... }:
 let
   inherit (builtins) filter attrValues concatMap mapAttrs;
   inherit (nixpkgs.lib.attrsets) mapAttrsToList;
@@ -6,7 +6,6 @@ let
     ./common
     home-manager.nixosModules.home-manager
     mailserver.nixosModules.mailserver
-    attic.nixosModules.atticd
   ];
   type_import =
     let