From 7610d86028a40dcd3087f6595a79907d57d79290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Mon, 30 Jun 2025 13:49:20 +0200 Subject: [PATCH 1/2] chore(flake): update inputs includes fixes for Nix & Lix CVEs --- flake.lock | 62 +++++++++++++++++++++++++++--------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index b85ef07..71d1fd6 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -129,11 +129,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1749143092, - "narHash": "sha256-IrVT37SUU8/B3X53rwEzDrx3djGLIfa8tmsyqVJxpR4=", + "lastModified": 1751256218, + "narHash": "sha256-WC1YSV4lFT41AaEhpiQZRuofe+2WLI9PNuuqgdRmjVM=", "owner": "rycee", "repo": "nur-expressions", - "rev": "d62d10f250ca6a37cbbe05a35a0e1e7ae3b4b5c2", + "rev": "fa40d85b15cbfb1a488ef9a119ff2d40a481c8da", "type": "gitlab" }, "original": { @@ -198,11 +198,11 @@ ] }, "locked": { - "lastModified": 1748821116, - "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { 
@@ -299,11 +299,11 @@ ] }, "locked": { - "lastModified": 1749154018, - "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "lastModified": 1750792728, + "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=", "owner": "nix-community", "repo": "home-manager", - "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557", "type": "github" }, "original": { @@ -353,11 +353,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1749195551, - "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", + "lastModified": 1750837715, + "narHash": "sha256-2m1ceZjbmgrJCZ2PuQZaK4in3gcg3o6rZ7WK6dr5vAA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4602f7e1d3f197b3cb540d5accf5669121629628", + "rev": "98236410ea0fe204d0447149537a924fb71a6d4f", "type": "github" }, "original": { @@ -368,11 +368,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749086602, - "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", + "lastModified": 1751211869, + "narHash": "sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4792576cb003c994bd7cc1edada3129def20b27d", + "rev": "b43c397f6c213918d6cfe6e3550abfe79b5d1c51", "type": "github" }, "original": { @@ -384,11 +384,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1748929857, - "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "lastModified": 1751011381, + "narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7", "type": "github" }, "original": { 
@@ -423,11 +423,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1749198233, - "narHash": "sha256-5YEDpGF46A5pnHX52ALqmFMlAB1orI0SnZhI6LQiw9w=", + "lastModified": 1751271961, + "narHash": "sha256-Ka+zyYx1UeDccCv4ZlW7LAvVJdJGnSzKjZQt04fCIoQ=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "7eb902386112129be892e06cd5a51ffdfeb2517e", + "rev": "8e3ee0a40fb019ec95bec661c45b9d4940d27583", "type": "github" }, "original": { @@ -445,11 +445,11 @@ ] }, "locked": { - "lastModified": 1747372754, - "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "lastModified": 1750779888, + "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "type": "github" }, "original": { @@ -485,11 +485,11 @@ ] }, "locked": { - "lastModified": 1749209568, - "narHash": "sha256-D8EN+fjyhYGhQQoY5WfGlX7arc+C7OyDk66CJuscpGo=", + "lastModified": 1749586138, + "narHash": "sha256-Kb1fjUysqAFzDft35K+7QhENrqtsVjJFwO+Le5WsGSo=", "ref": "refs/heads/main", - "rev": "520d5c291ca0d059fc38f42f503bb704d72b22f4", - "revCount": 3, + "rev": "bf52f999ec854bce0fef9e15d2d2f888dcfcccb1", + "revCount": 5, "type": "git", "url": "ssh://git@felschr.com:2222/felschr/seven-modules" }, From 77f0ba6d0309bf3917a7113ff520801c1281f27f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Mon, 30 Jun 2025 13:52:19 +0200 Subject: [PATCH 2/2] feat(nix): use lix-module Initially using Lix 2.93.2 from lix-module to fix critical regression. Will later switch to Lix from nixpkgs to benefit from the cache. --- flake.lock | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 6 ++++++ system/nix.nix | 8 ++++++-- 3 files changed, 65 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 71d1fd6..afd77bd 100644 --- a/flake.lock +++ b/flake.lock 
@@ -250,6 +250,21 @@ "type": "github" } }, + "flakey-profile": { + "locked": { + "lastModified": 1712898590, + "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", + "owner": "lf-", + "repo": "flakey-profile", + "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", + "type": "github" + }, + "original": { + "owner": "lf-", + "repo": "flakey-profile", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -313,6 +328,43 @@ "type": "github" } }, + "lix": { + "flake": false, + "locked": { + "lastModified": 1751235704, + "narHash": "sha256-J4ycLoXHPsoBoQtEXFCelL4xlq5pT8U9tNWNKm43+YI=", + "rev": "1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6.tar.gz?rev=1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" + } + }, + "lix-module": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "flakey-profile": "flakey-profile", + "lix": "lix", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1751240025, + "narHash": "sha256-SXUAlxpjPRkArRMHy5+Hdi+PiC+ND9yzzIjiaHmTvQU=", + "rev": "8b1094356f4723d6e89d3f8a95b333ee16d9ab02", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/8b1094356f4723d6e89d3f8a95b333ee16d9ab02.tar.gz?rev=8b1094356f4723d6e89d3f8a95b333ee16d9ab02" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz" + } + }, "matrix-appservices": { "inputs": { "devshell": "devshell", @@ -468,6 +520,7 @@ "flake-parts": "flake-parts", "flake-utils": "flake-utils", "home-manager": "home-manager_2", + "lix-module": "lix-module", "matrix-appservices": "matrix-appservices", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", 
diff --git a/flake.nix b/flake.nix index cf2c29e..dafa3ba 100644 --- a/flake.nix +++ b/flake.nix @@ -19,6 +19,12 @@ rec { nixos-hardware.url = "github:NixOS/nixos-hardware"; + lix-module = { + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + disko = { url = "github:nix-community/disko/latest"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/system/nix.nix b/system/nix.nix index e77734a..927b138 100644 --- a/system/nix.nix +++ b/system/nix.nix @@ -10,9 +10,13 @@ let inherit (inputs.self.outputs) nixConfig; in { - nixpkgs.config.allowUnfree = true; + imports = [ + # TODO switch to lixFromNixpkgs once 2.93.2 is available + inputs.lix-module.nixosModules.default + # inputs.lix-module.nixosModules.lixFromNixpkgs + ]; - nix.package = pkgs.lix; + nixpkgs.config.allowUnfree = true; nix.gc = { automatic = true;
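Review bot: The new `lix-module` input hard-codes the release in its URL (`.../nixos-module/archive/2.93.2-1.tar.gz`), so `nix flake update` will keep re-locking this same tag. Later Lix security releases will not arrive until someone edits the URL by hand. A comment above the input would make that step visible, e.g. `# pinned to a release tag; bump manually for each Lix release or advisory`. The flake.lock entry added in this series pins the tarball by `narHash`, so a tag moved upstream would only show up as a changed hash on re-lock, which makes lock-file diffs for this input and its transitive `lix` input (locked from `release-2.93.tar.gz`) worth reviewing each time.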
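Review bot: The TODO in the new `imports` list of system/nix.nix does not say why the source-built module is needed or how to tell when it can be dropped. With `nix.package = pkgs.lix;` removed, the Lix that the daemon runs is now chosen implicitly by `inputs.lix-module.nixosModules.default`. I would state that in the comment, e.g. `# Lix 2.93.2 comes from lix-module (built from source) for the regression fix; switch to lixFromNixpkgs once nixpkgs ships >= 2.93.2`. After a rebuild, and again when switching modules, it is worth confirming the running version with `nix --version`, so that a silent fallback to an older Lix is noticed. The enclosing attribute set starts and ends outside the hunk.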