diff --git a/flake.lock b/flake.lock index 6122c8cc..de46426b 100644 --- a/flake.lock +++ b/flake.lock @@ -193,11 +193,11 @@ ] }, "locked": { - "lastModified": 1707095972, - "narHash": "sha256-iQ2jpCCwYWpk4UcPEgQqRSOVsY2p8GkPmz/lJw47Cvo=", + "lastModified": 1707385478, + "narHash": "sha256-xwKXoBeiwfp+jqQxt3O0mUxrBXsNfdBn15teMMWbw0U=", "owner": "nix-community", "repo": "disko", - "rev": "2e9b88f02ec166b1c3f0a638688f8e4ef444de32", + "rev": "15b52c3c8a718253e66f1b92f595dc47873fdfea", "type": "github" }, "original": { @@ -347,6 +347,23 @@ "type": "github" } }, + "gnome-shell": { + "flake": false, + "locked": { + "lastModified": 1698794309, + "narHash": "sha256-/TIkZ8y5Wv3QHLFp79Poao9fINurKs5pa4z0CRe+F8s=", + "owner": "GNOME", + "repo": "gnome-shell", + "rev": "a7c169c6c29cf02a4c392fa0acbbc5f5072823e7", + "type": "github" + }, + "original": { + "owner": "GNOME", + "ref": "45.1", + "repo": "gnome-shell", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -394,11 +411,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1707084830, - "narHash": "sha256-550b8OUt8j5G3tC4MgCfc+sHAAxARXzWYcYpfhNDhUc=", + "lastModified": 1707406707, + "narHash": "sha256-xbdwGi9cGcWX9l11RZPwPUb36QLmYWu/NqMg35aBkf4=", "owner": "astro", "repo": "microvm.nix", - "rev": "c5074bb6d328a6071a70dcb097f8bcd208fce80a", + "rev": "f0d8f6d5b4aa876ad76875a58c12e085780539b3", "type": "github" }, "original": { @@ -542,11 +559,11 @@ ] }, "locked": { - "lastModified": 1706085261, - "narHash": "sha256-7PgpHRHyShINcqgevPP1fJ6N8kM5ZSOJnk3QZBrOCQ0=", + "lastModified": 1707405218, + "narHash": "sha256-ZQ366Oo8WJbCqXAZET7N0Sz6RQ3G2IbqVtxQRSa3SXc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "896f6589db5b25023b812bbb6c1f5d3a499b1132", + "rev": "843e2f04c716092797ffa4ce14c446adce2f09ef", "type": "github" }, "original": { 
@@ -574,11 +591,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1707092692, - "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", + "lastModified": 1707268954, + "narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "faf912b086576fd1a15fca610166c98d47bc667e", + "rev": "f8e2ebd66d097614d51a56a755450d4ae1632df1", "type": "github" }, "original": { @@ -623,11 +640,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1707306258, - "narHash": "sha256-Xyi+zdWYoH1Ud2L+DOZHTh6ZUp8iQd+qElCBxtIL0cU=", + "lastModified": 1707483574, + "narHash": "sha256-GQ+QUJc4/GtWE+nIIVnQsuJl7Vp50WNjyQ097dRN2WA=", "owner": "nazarewk", "repo": "nixpkgs", - "rev": "d9805e1d7dc1c9f0423010e4ad04c572d969c528", + "rev": "a7a80c31653ae65414e9c0a103b68f32a128f551", "type": "github" }, "original": { @@ -639,11 +656,11 @@ }, "nur": { "locked": { - "lastModified": 1707224015, - "narHash": "sha256-W8r+Fu3LJ5RbP+u8BxCGmnuCfRvA6jZ9bzz7AWiOIWY=", + "lastModified": 1707482166, + "narHash": "sha256-UO3Sh88CGwY9Aw7kcCZZ+RdFLRsYyX5atNYp3+7Vj+E=", "owner": "nix-community", "repo": "NUR", - "rev": "547506ae6419ea2e54e8fcf02c37fba340dd97d7", + "rev": "15db5a2314372dde84a47f016c22c5cc4c47082a", "type": "github" }, "original": { @@ -765,6 +782,7 @@ "flake-compat": [ "flake-compat" ], + "gnome-shell": "gnome-shell", "home-manager": [ "home-manager" ], @@ -773,11 +791,11 @@ ] }, "locked": { - "lastModified": 1706783767, - "narHash": "sha256-Rn21YNSa4TgZzTsarghUPQv+fz1dZcfdDKQZS9H79Hg=", + "lastModified": 1707414210, + "narHash": "sha256-MJ4deL9tTzowkGpW9Iq+k3cSKo2gnvyIkIuFctNz/dQ=", "owner": "danth", "repo": "stylix", - "rev": "ccca01b5b0393119822b1888cb7c68e294fc115b", + "rev": "f3b302dd9bb66fcdd1ed3f185068a5f1000eb863", "type": "github" }, "original": { 
@@ -873,11 +891,11 @@ ] }, "locked": { - "lastModified": 1706462057, - "narHash": "sha256-7dG1D4iqqt0bEbBqUWk6lZiSqqwwAO0Hd1L5opVyhNM=", + "lastModified": 1707300477, + "narHash": "sha256-qQF0fEkHlnxHcrKIMRzOETnRBksUK048MXkX0SOmxvA=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "c6153c2a3ff4c38d231e3ae99af29b87f1df5901", + "rev": "ac599dab59a66304eb511af07b3883114f061b9d", "type": "github" }, "original": { @@ -896,17 +914,17 @@ ] }, "locked": { - "lastModified": 1701168922, - "narHash": "sha256-h3RJpvd1DcNDap5/NaG56U1ym/wP80tIhmRmGvT7CNM=", + "lastModified": 1707086036, + "narHash": "sha256-QwkFkmudbqAQQT68rTlDkvYTO9QlETnTetaI0wXn8uU=", "owner": "Ulauncher", "repo": "Ulauncher", - "rev": "b5766869291816067397ca96b3f88f6fa4f24bf9", + "rev": "e531ccfb715574179d7b008a8a1301baf2f1db00", "type": "github" }, "original": { "owner": "Ulauncher", + "ref": "v6", "repo": "Ulauncher", - "rev": "b5766869291816067397ca96b3f88f6fa4f24bf9", "type": "github" } } diff --git a/flake.nix b/flake.nix index d678f038..fce7e9ce 100644 --- a/flake.nix +++ b/flake.nix @@ -44,10 +44,7 @@ treefmt-nix.url = "github:numtide/treefmt-nix"; ulauncher.inputs.flake-parts.follows = "flake-parts"; ulauncher.inputs.nixpkgs.follows = "nixpkgs"; - #ulauncher.url = "github:Ulauncher/Ulauncher/v6"; - # TODO: fix errors in latest v6/mypy - ulauncher.url = "github:Ulauncher/Ulauncher/b5766869291816067397ca96b3f88f6fa4f24bf9"; - # ulauncher.url = "github:nazarewk/Ulauncher/fix-nix-build"; + ulauncher.url = "github:Ulauncher/Ulauncher/v6"; }; outputs = diff --git a/modules/networking/netbird/default.nix b/modules/networking/netbird/default.nix deleted file mode 100644 index f4c1b6b7..00000000 --- a/modules/networking/netbird/default.nix +++ /dev/null 
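Review bot: The new `ulauncher.url = "github:Ulauncher/Ulauncher/v6";` replaces a commit-hash pin with a mutable branch ref, so the next `nix flake update` silently follows whatever `v6` then points at; the flake.lock hunk above does keep an exact `rev`/`narHash`, so builds stay reproducible only until that update. For a third-party input that ends up in `environment.systemPackages`, prefer a tag or commit in the URL and bump it deliberately, or at least record the intent, e.g. `ulauncher.url = "github:Ulauncher/Ulauncher/v6"; # mutable branch: review the upstream diff before each 'nix flake update'`. The removed `TODO: fix errors in latest v6/mypy` comment disappears without anything stating that the build problem is resolved at the newly locked rev; if it is, a one-line comment saying so would help the next reader.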
@@ -1,192 +0,0 @@ -{ lib -, pkgs -, config -, ... -}: -let - cfg = config.kdn.networking.netbird; - - instancesList = builtins.attrValues cfg.instances; - - mkWrappers = instance: - let - vars = lib.trivial.pipe instance.envVars [ - (lib.mapAttrsToList lib.strings.toShellVar) - (lib.strings.concatStringsSep " ") - ]; - mkBinary = tool: pkgs.writeScriptBin "${tool}-${instance.alias}" '' - #!${lib.getExe pkgs.bash} - export ${vars} - ${lib.getExe' config.services.netbird.package tool} "$@" - ''; - in - builtins.map mkBinary [ "netbird" "netbird-mgmt" "netbird-signal" ]; - - mkInstancesMap = keyFn: valueFn: lib.trivial.pipe instancesList [ - (builtins.map (instance: lib.attrsets.nameValuePair (keyFn instance) (valueFn instance))) - builtins.listToAttrs - ]; -in -{ - options.kdn.networking.netbird = { - instances = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({ config, name, ... }: { - options = { - alias = lib.mkOption { - type = with lib.types; str; - readOnly = true; - default = name; - }; - name = lib.mkOption { - type = with lib.types; str; - readOnly = true; - default = "netbird-${config.alias}"; - }; - port = lib.mkOption { - type = lib.types.port; - description = lib.mdDoc '' - The port Netbird's wireguard interface will listen on. 
- ''; - }; - autoStart = lib.mkEnableOption "start the service manually"; - logLevel = lib.mkOption { - type = with lib.types; enum [ - # logrus loglevels - "panic" - "fatal" - "error" - "warn" - "warning" - "info" - "debug" - "trace" - ]; - default = "info"; - }; - workDir = lib.mkOption { - type = with lib.types; str; - readOnly = true; - default = "/var/lib/${config.name}"; - }; - envVars = lib.mkOption { - type = with lib.types; attrsOf str; - default = { }; - apply = new: { - NB_LOG_FILE = "console"; - NB_LOG_LEVEL = config.logLevel; - NB_CONFIG = "/var/lib/${config.name}/config.json"; - NB_DAEMON_ADDR = "unix:///var/run/${config.name}/sock"; - NB_INTERFACE_NAME = "wt-${config.alias}"; - NB_WIREGUARD_PORT = builtins.toString config.port; - } // new; - }; - firewall.tcp = lib.mkOption { - type = with lib.types; listOf port; - default = [ ]; - }; - firewall.udp = lib.mkOption { - type = with lib.types; listOf port; - default = [ ]; - }; - }; - })); - default = { }; - }; - - }; - - config = lib.mkMerge [ - { - # TODO: update nixpkgs as there is a good base already merged at https://github.com/NixOS/nixpkgs/pull/246055 - services.netbird.package = pkgs.kdn.netbird; - } - (lib.mkIf (cfg.instances != { }) { - environment.systemPackages = lib.lists.flatten (builtins.map mkWrappers instancesList); - - boot.extraModulePackages = lib.optional (lib.versionOlder config.boot.kernelPackages.kernel.version "5.6") config.boot.kernelPackages.wireguard; - - # ignore wt* interfaces - networking.dhcpcd.denyInterfaces = [ "wt*" ]; - networking.networkmanager.unmanaged = [ "interface-name:wt*" ]; - systemd.network.networks."50-netbird" = lib.mkIf config.networking.useNetworkd { - matchConfig = { - Name = lib.mkForce "wt*"; - }; - linkConfig = { - Unmanaged = true; - ActivationPolicy = "manual"; - }; - }; - - systemd.services = mkInstancesMap (instance: instance.name) (instance: { - description = "A WireGuard-based mesh network that connects your devices into a single private 
network"; - documentation = [ "https://netbird.io/docs/" ]; - after = [ "network.target" ]; - wantedBy = lib.optional instance.autoStart "multi-user.target"; - path = lib.optional (!config.services.resolved.enable) pkgs.openresolv; - environment = instance.envVars; - serviceConfig = { - Restart = "always"; - ExecStart = "${lib.getExe' config.services.netbird.package "netbird"} service run"; - - # User/Group names for DynamicUser - User = instance.name; - Group = instance.name; - # Restrict permissinos - DynamicUser = true; - RuntimeDirectory = instance.name; - StateDirectory = instance.name; - StateDirectoryMode = "0700"; - WorkingDirectory = instance.workDir; - - AmbientCapabilities = - let kernelVersion = config.boot.kernelPackages.kernel.version; - in [ - # see https://man7.org/linux/man-pages/man7/capabilities.7.html - # see https://docs.netbird.io/how-to/installation#running-net-bird-in-docker - # seems to work fine without CAP_SYS_ADMIN and CAP_SYS_RESOURCE - # CAP_NET_BIND_SERVICE could be added to allow binding on low ports, but is not required, see https://github.com/netbirdio/netbird/pull/1513 - - # failed creating tunnel interface wt-priv: [operation not permitted - "CAP_NET_ADMIN" - # failed to pull up wgInterface [wt-priv]: failed to create ipv4 raw socket: socket: operation not permitted - "CAP_NET_RAW" - ] - # required for eBPF filter, used to be subset of CAP_SYS_ADMIN - ++ lib.optional (lib.versionAtLeast kernelVersion "5.8") "CAP_BPF" - ++ lib.optional (lib.versionOlder kernelVersion "5.8") "CAP_SYS_ADMIN" - ; - }; - unitConfig = { - StartLimitInterval = 5; - StartLimitBurst = 10; - }; - stopIfChanged = false; - }); - - networking.firewall.interfaces = mkInstancesMap (instance: instance.envVars.NB_INTERFACE_NAME) (instance: { - allowedUDPPorts = instance.firewall.udp; - allowedTCPPorts = instance.firewall.tcp; - }); - - # see 
https://github.com/systemd/systemd/blob/17f3e91e8107b2b29fe25755651b230bbc81a514/src/resolve/org.freedesktop.resolve1.policy#L43-L43 - security.polkit.extraConfig = lib.mkIf config.services.resolved.enable ( - let - isAllowedUser = lib.pipe instancesList [ - (builtins.map (instance: ''subject.user == ${builtins.toJSON instance.name}'')) - (builtins.concatStringsSep " || ") - (v: "( ${v} )") - ]; - in - '' - // systemd-resolved access for Netbird - polkit.addRule(function(action, subject) { - if ( action.id.indexOf("org.freedesktop.resolve1.") == 0 && ${isAllowedUser} ) { - return polkit.Result.YES; - } - }); - '' - ); - }) - ]; -} diff --git a/modules/profile/host/krul/default.nix b/modules/profile/host/krul/default.nix index 5c1accc2..93c6930c 100644 --- a/modules/profile/host/krul/default.nix +++ b/modules/profile/host/krul/default.nix @@ -96,8 +96,6 @@ in # 12G was not enough for large rebuild boot.tmp.tmpfsSize = "20%"; - kdn.networking.netbird.instances.sc.firewall.tcp = [ 7080 ]; - # legacy mountpoints fileSystems = lib.mkMerge [ (mkNixOSMount "/root" { at = "/"; }) diff --git a/modules/profile/machine/baseline/default.nix b/modules/profile/machine/baseline/default.nix index 0f10da90..5be6a43a 100644 --- a/modules/profile/machine/baseline/default.nix +++ b/modules/profile/machine/baseline/default.nix @@ -107,9 +107,7 @@ in "xhci_pci" ]; - kdn.networking.netbird.instances.priv.port = 51819; - kdn.networking.netbird.instances.priv.autoStart = true; - kdn.networking.netbird.instances.priv.logLevel = "trace"; + services.netbird.clients.priv.port = 51819; services.devmon.enable = false; # disable auto-mounting service devmon, it interferes with disko diff --git a/modules/profile/machine/workstation/default.nix b/modules/profile/machine/workstation/default.nix index 631d3d9b..54672fd8 100644 --- a/modules/profile/machine/workstation/default.nix +++ b/modules/profile/machine/workstation/default.nix 
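Review bot: `services.netbird.clients.priv.port = 51819;` drops the previous `autoStart = true`, and nothing in this hunk shows the replacement module's default, so confirm the `priv` client still comes up at boot rather than relying on an unseen default. The deleted kdn module hardened the unit explicitly (DynamicUser, `StateDirectoryMode = "0700"`, only CAP_NET_ADMIN/CAP_NET_RAW plus CAP_BPF or CAP_SYS_ADMIN by kernel version, and a polkit resolve1 rule scoped to the service users); the `services.netbird.clients` module is not visible here, so verify it carries equivalent restrictions or this migration is a silent hardening regression. The old unit kept its config under `/var/lib/netbird-priv/config.json`, which as far as I know is where the client stores its peer identity including the WireGuard private key; if the new module uses a different state directory the host re-enrolls as a new peer and the old directory with that key material stays on disk, so either migrate it or wipe it. Dropping `logLevel = "trace"` is welcome, since trace-level client logs in the journal are more than a baseline host needs.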
@@ -65,8 +65,8 @@ in # services.offlineimap.enable or manually with `systemctl --user start` services.offlineimap.install = true; - kdn.networking.netbird.instances.sc.port = 51818; - kdn.networking.netbird.instances.sc.logLevel = "trace"; + services.netbird.clients.sc.autoStart = false; + services.netbird.clients.sc.port = 51818; kdn.networking.openvpn.enable = true; kdn.networking.openfortivpn.enable = true;
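Review bot: `services.netbird.clients.sc.autoStart = false;` keeps the `sc` client manual-start, but the commit also deletes the `netbird-sc`/`netbird-mgmt-sc`/`netbird-signal-sc` wrapper scripts the kdn module placed in `environment.systemPackages`, which were the only visible way to drive that instance's daemon socket (`unix:///var/run/netbird-sc/sock`) with the right `NB_*` environment. If the replacement module does not provide equivalent per-client wrappers, `netbird up` against this instance has no documented entry point; add a comment stating how it is started and controlled, e.g. `# manual start: systemctl start <unit>; control it via the module's per-client netbird wrapper (confirm names)`. Note also that krul's `kdn.networking.netbird.instances.sc.firewall.tcp = [ 7080 ]` is removed elsewhere in this commit with no `services.netbird` equivalent, so whatever was reachable over the `sc` mesh on 7080 is now blocked; fail-closed, but worth confirming it was intentional.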