From 3826ff4ebe565a8ba40d99877e89bedbc9451ced Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Tue, 24 Feb 2026 17:53:46 +0100
Subject: [PATCH 1/4] update flake inputs
---
 flake.lock | 76 +++++++++++++++++++++++++++---------------------------
 1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/flake.lock b/flake.lock
index 0642fdc..b07fc6e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1771244661,
- "narHash": "sha256-SMPAkwTSsSkRktu2alihmOQvWdJ99Hy+oNFEnQrrSEI=",
+ "lastModified": 1771733760,
+ "narHash": "sha256-/cOjTl8VjPFFijyDLoWXXU+7lSbl8guotHOPL6OAysw=",
 "owner": "nix-community",
 "repo": "buildbot-nix",
- "rev": "cb4a75cc61446177491b00332285bfd6e57d5d8f",
+ "rev": "e9010d0937faf7a7b7e534e567cfd4ea5b209070",
 "type": "github"
 },
 "original": {
@@ -40,11 +40,11 @@
 "treefmt-nix": "treefmt-nix_2"
 },
 "locked": {
- "lastModified": 1771457652,
- "narHash": "sha256-FOquRYuE76l0vEYzMZNjsH7egD62nLW2foZ6azTBd/Q=",
+ "lastModified": 1771945875,
+ "narHash": "sha256-/TgDXPTCDr3H/y+TRy80rsDquyjO5rTZob9HZdBKx3w=",
 "ref": "refs/heads/main",
- "rev": "ea3e53509d04b60a3cc20608aae771eea426f773",
- "revCount": 13076,
+ "rev": "1e54e4a55463239941f94116ad010ed497000274",
+ "revCount": 13148,
 "type": "git",
 "url": "https://git.clan.lol/clan/clan-core"
 },
@@ -84,11 +84,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771211199,
- "narHash": "sha256-1JHyii0rZzm9oyTgSxhW3v/t5XPEzqov+QN8bRUkxnk=",
- "rev": "541e221be610c7e89a190ab2167d866a67cb815a",
+ "lastModified": 1771909837,
+ "narHash": "sha256-3mi2CJwfQ/ofn1TJZafFmETNnnR+tqMz0Yvafa3j3tQ=",
+ "rev": "9fb339dde200d2aa7ed9f57fe0c678fbaf1b494c",
 "type": "tarball",
- "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/541e221be610c7e89a190ab2167d866a67cb815a.tar.gz"
+ "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/9fb339dde200d2aa7ed9f57fe0c678fbaf1b494c.tar.gz"
 },
 "original": {
 "type": "tarball",
@@ -127,11 +127,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771355198,
- "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=",
+ "lastModified": 1771881364,
+ "narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9",
+ "rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6",
 "type": "github"
 },
 "original": {
@@ -147,11 +147,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771355198,
- "narHash": "sha256-89m5VKxIs8QNiIvLsxHu5NpyhDsoXTtoN801IAurnW4=",
+ "lastModified": 1771881364,
+ "narHash": "sha256-A5uE/hMium5of/QGC6JwF5TGoDAfpNtW00T0s9u/PN8=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "92fceb111901a6f13e81199be4fab95fce86a5c9",
+ "rev": "a4cb7bf73f264d40560ba527f9280469f1f081c6",
 "type": "github"
 },
 "original": {
@@ -251,11 +251,11 @@
 ]
 },
 "locked": {
- "lastModified": 1768476106,
- "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=",
+ "lastModified": 1771131391,
+ "narHash": "sha256-HPBNYf7HiKtBVy7/69vKpLYHX6wTcUxndxmybzDlXP8=",
 "owner": "hercules-ci",
 "repo": "hercules-ci-effects",
- "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb",
+ "rev": "0b152e0f7c5cc265a529cd63374b80e2771b207b",
 "type": "github"
 },
 "original": {
@@ -271,11 +271,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771422582,
- "narHash": "sha256-xK5kl3OBZaF1VwziVMX+SZ2LT9Fbu5o8vRDt78uR7no=",
+ "lastModified": 1771851181,
+ "narHash": "sha256-gFgE6mGUftwseV3DUENMb0k0EiHd739lZexPo5O/sdQ=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "b3ccd4bb262f4e6d3248b46cede92b90c4a42094",
+ "rev": "9a4b494b1aa1b93d8edf167f46dc8e0c0011280c",
 "type": "github"
 },
 "original": {
@@ -316,11 +316,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771371916,
- "narHash": "sha256-G14VTfmzzRYxAhtEBNanQgCNA++Cv0/9iV4h/lkqX9U=",
+ "lastModified": 1771520882,
+ "narHash": "sha256-9SeTZ4Pwr730YfT7V8Azb8GFbwk1ZwiQDAwft3qAD+o=",
 "owner": "nix-darwin",
 "repo": "nix-darwin",
- "rev": "aff4c008cec17d6a6760949df641ca0ea9179cac",
+ "rev": "6a7fdcd5839ec8b135821179eea3b58092171bcf",
 "type": "github"
 },
 "original": {
@@ -410,11 +410,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1771369470,
- "narHash": "sha256-0NBlEBKkN3lufyvFegY4TYv5mCNHbi5OmBDrzihbBMQ=",
+ "lastModified": 1771848320,
+ "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "0182a361324364ae3f436a63005877674cf45efb",
+ "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
 "type": "github"
 },
 "original": {
@@ -492,11 +492,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771166946,
- "narHash": "sha256-UFc4lfGBr+wJmwgDGJDn1cVD6DTr0/8TdronNUiyXlU=",
+ "lastModified": 1771889317,
+ "narHash": "sha256-YV17Q5lEU0S9ppw08Y+cs4eEQJBuc79AzblFoHORLMU=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "2d0cf89b4404529778bc82de7e42b5754e0fe4fa",
+ "rev": "b027513c32e5b39b59f64626b87fbe168ae02094",
 "type": "github"
 },
 "original": {
@@ -512,11 +512,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771207491,
- "narHash": "sha256-08s9LKq9Et4y9r6FSJLJUnRCyJHZMauAIok45ulQo0k=",
+ "lastModified": 1771812348,
+ "narHash": "sha256-d8LL7nSpFueYtZhK29t7j3JiaKLA4lqW8neJv/uZGQc=",
 "owner": "nix-community",
 "repo": "srvos",
- "rev": "434ed3900e9a7b23638da97ebe16ab0e0be7fef5",
+ "rev": "ffc8fceb1e3cad06b5074cda30f88132b4fb4869",
 "type": "github"
 },
 "original": {
@@ -566,11 +566,11 @@
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1762472226,
- "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=",
+ "lastModified": 1771504637,
+ "narHash": "sha256-qPYBCcvws0cqVf4blYyxQ6JNxOdvUPK41s2sfqk6wL0=",
 "owner": "terranix",
 "repo": "terranix",
- "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc",
+ "rev": "f3d77064bd135823a30916a1e63b90b7fe4453ac",
 "type": "github"
 },
 "original": {
From cbe76e5fc3e0a2f8d2f4948d50e27be49913578b Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Tue, 24 Feb 2026 17:53:46 +0100
Subject: [PATCH 2/4] clan: remove vendored coredns service
---
 clanServices/coredns/README.md | 73 --------
 clanServices/coredns/default.nix | 235 --------------------------
 clanServices/coredns/flake-module.nix | 18 --
 clanServices/flake-module.nix | 1 -
 4 files changed, 327 deletions(-)
 delete mode 100644 clanServices/coredns/README.md
 delete mode 100644 clanServices/coredns/default.nix
 delete mode 100644 clanServices/coredns/flake-module.nix
diff --git a/clanServices/coredns/README.md b/clanServices/coredns/README.md
deleted file mode 100644
index 6283045..0000000
--- a/clanServices/coredns/README.md
+++ /dev/null
@@ -1,73 +0,0 @@
-!!! Danger "Experimental"
- This service is experimental and will change in the future.
-
-This module enables hosting clan-internal services easily, which can be resolved
-inside your VPN. This allows defining a custom top-level domain (e.g. `.clan`)
-and exposing endpoints from a machine to others, which will be
-accessible under `http://.clan` in your browser.
-
-The service consists of two roles:
-
-- A `server` role: This is the DNS-server that will be queried when trying to
- resolve clan-internal services. It defines the top-level domain.
-- A `default` role: This does two things. First, it sets up the nameservers so
- that clan-internal queries are resolved via the `server` machine, while
- external queries are resolved as normal via DHCP. Second, it allows exposing
- services (see example below).
-
-## Example Usage
-
-Here the machine `dnsserver` is designated as internal DNS-server for the TLD
-`.foo`. `server01` will host an application that shall be reachable at
-`http://one.foo` and `server02` is going to be reachable at `http://two.foo`.
-`client` is any other machine that is part of the clan but does not host any
-services.
-
-When `client` tries to resolve `http://one.foo`, the DNS query will be
-routed to `dnsserver`, which will answer with `192.168.1.3`. If it tries to
-resolve some external domain (e.g. `https://clan.lol`), the query will not be
-routed to `dnsserver` but resolved as before, via the nameservers advertised by
-DHCP.
-
-```nix
-inventory = {
-
- machines = {
- dnsserver = { }; # 192.168.1.2
- server01 = { }; # 192.168.1.3
- server02 = { }; # 192.168.1.4
- client = { }; # 192.168.1.5
- };
-
- instances = {
- coredns = {
-
- module.name = "@clan/coredns";
- module.input = "self";
-
- # Add the default role to all machines, including `client`
- roles.default.tags.all = { };
-
- # DNS server queries to http://.foo are resolved here
- roles.server.machines."dnsserver".settings = {
- ip = "192.168.1.2";
- tld = "foo";
- };
-
- # First service
- # Registers http://one.foo will resolve to 192.168.1.3
- # underlying service runs on server01
- roles.default.machines."server01".settings = {
- ip = "192.168.1.3";
- services = [ "one" ];
- };
-
- # Second service
- roles.default.machines."server02".settings = {
- ip = "192.168.1.4";
- services = [ "two" ];
- };
- };
- };
-};
-```
diff --git a/clanServices/coredns/default.nix b/clanServices/coredns/default.nix
deleted file mode 100644
index 20d4350..0000000
--- a/clanServices/coredns/default.nix
+++ /dev/null
@@ -1,235 +0,0 @@ -{ ... }: - -{ - _class = "clan.service"; - manifest.name = "coredns"; - manifest.description = "Clan-internal DNS and service exposure"; - manifest.categories = [ "Network" ]; - manifest.readme = builtins.readFile ./README.md; - - roles.server = { - description = "A DNS server that resolves services in the clan network."; - interface = - { lib, ... }: - { - options.tld = lib.mkOption { - type = lib.types.str; - default = "clan"; - description = '' - Top-level domain for this instance. All services below this will be - resolved internally. - ''; - }; - - options.ip = lib.mkOption { - type = lib.types.str; - # TODO: Set a default - description = "IP for the DNS to listen on"; - }; - - options.dnsPort = lib.mkOption { - type = lib.types.int; - default = 1053; - description = "Port of the clan-internal DNS server"; - }; - }; - - perInstance = - { - roles, - settings, - ... - }: - { - nixosModule = - { - lib, - pkgs, - ... - }: - - let - hostServiceEntries = - host: - lib.strings.concatStringsSep "\n" ( - map ( - service: - let - ip = roles.default.machines.${host}.settings.ip; - isIPv4 = addr: (builtins.match "\\." addr) != null; - recordType = if (isIPv4 ip) then "A" else "AAAA"; - in - "${service} IN ${recordType} ${ip} ; ${host}" - ) roles.default.machines.${host}.settings.services - ); - - hostnameEntries = '' - crocus 10800 IN AAAA fd28:387a:90:c400:6db2:dfc3:c376:9956 - genepi 10800 IN AAAA fd28:387a:90:c400:ab23:3d38:a148:f539 - verbena 10800 IN AAAA fd28:387a:90:c400::1 - haze 10800 IN AAAA fd28:387a:90:c400:840e:e9db:4c08:b920 - ''; - - zonefile = builtins.toFile "${settings.tld}.zone" ( - '' - $TTL 3600 ; 1 Hour - $ORIGIN ${settings.tld}. - ${settings.tld}. IN SOA ns1 admin.rpqt.fr. 
( - 2025112300 ; serial - 10800 ; refresh - 3600 ; retry - 604800 ; expire - 300 ; minimum - ) - - ${builtins.concatStringsSep "\n" ( - lib.lists.imap1 (i: _m: "@ 1D IN NS ns${toString i}.${settings.tld}.") ( - lib.attrNames roles.server.machines - ) - )} - - ${builtins.concatStringsSep "\n" ( - lib.lists.imap1 (i: m: "ns${toString i} 10800 IN CNAME ${m}.${settings.tld}.") ( - lib.attrNames roles.server.machines - ) - )} - - '' - + hostnameEntries - + "\n" - + (lib.strings.concatStringsSep "\n" ( - map (host: hostServiceEntries host) (lib.attrNames roles.default.machines) - )) - ); - in - { - networking.firewall.interfaces.wireguard = { - allowedTCPPorts = [ settings.dnsPort ]; - allowedUDPPorts = [ settings.dnsPort ]; - }; - - services.coredns = { - enable = true; - config = - - let - dnsPort = builtins.toString settings.dnsPort; - in - - '' - .:${dnsPort} { - bind wireguard - forward . 1.1.1.1 - cache 30 - } - - ${settings.tld}:${dnsPort} { - bind wireguard - file ${zonefile} - } - ''; - }; - }; - }; - }; - - roles.default = { - description = "A machine that registers the 'server' role as resolver and registers services under the configured TLD in the resolver."; - interface = - { lib, ... }: - { - options.services = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - description = '' - Service endpoints this host exposes (without TLD). Each entry will - be resolved to . using the configured top-level domain. - ''; - }; - - options.ip = lib.mkOption { - type = lib.types.str; - # TODO: Set a default - description = "IP on which the services will listen"; - }; - - options.dnsPort = lib.mkOption { - type = lib.types.int; - default = 1053; - description = "Port of the clan-internal DNS server"; - }; - }; - - perInstance = - { roles, settings, ... }: - { - nixosModule = - { config, lib, ... 
}: - { - - networking.nameservers = map ( - m: - let - port = config.services.unbound.settings.server.port or 53; - in - "127.0.0.1:${toString port}#${roles.server.machines.${m}.settings.tld}" - ) (lib.attrNames roles.server.machines); - - services.resolved.domains = map (m: "~${roles.server.machines.${m}.settings.tld}") ( - lib.attrNames roles.server.machines - ); - - services.unbound = { - enable = true; - # resolveLocalQueries = true; - checkconf = true; - settings = { - server = { - port = 5353; - verbosity = 2; - interface = [ "127.0.0.1" ]; - access-control = [ "127.0.0.0/8 allow" ]; - do-not-query-localhost = "no"; - domain-insecure = map (m: "${roles.server.machines.${m}.settings.tld}.") ( - lib.attrNames roles.server.machines - ); - }; - - # Default: forward everything else to DHCP-provided resolvers - # forward-zone = [ - # { - # name = "."; - # forward-addr = "127.0.0.53@53"; # Forward to systemd-resolved - # } - # ]; - forward-zone = [ - { - name = "."; - forward-tls-upstream = true; - forward-addr = [ - "9.9.9.9#dns.quad9.net" - "149.112.112.112#dns.quad9.net" - "1.1.1.1@853#cloudflare-dns.com" - "1.0.0.1@853#cloudflare-dns.com" - "2606:4700:4700::1111@853#cloudflare-dns.com" - "2606:4700:4700::1001@853#cloudflare-dns.com" - "8.8.8.8#dns.google" - "8.8.4.4#dns.google" - "2001:4860:4860::8888#dns.google" - "2001:4860:4860::8844#dns.google" - ]; - } - ]; - - stub-zone = { - name = "${roles.server.machines.${(lib.head (lib.attrNames roles.server.machines))}.settings.tld}."; - stub-addr = map ( - m: "${roles.server.machines.${m}.settings.ip}@${builtins.toString settings.dnsPort}" - ) (lib.attrNames roles.server.machines); - }; - }; - }; - }; - }; - }; -} diff --git a/clanServices/coredns/flake-module.nix b/clanServices/coredns/flake-module.nix deleted file mode 100644 index 69c8537..0000000 --- a/clanServices/coredns/flake-module.nix +++ /dev/null 
@@ -1,18 +0,0 @@
-{ ... }:
-let
- module = ./default.nix;
-in
-{
- clan.modules = {
- "@rpqt/coredns" = module;
- };
- # perSystem =
- # { ... }:
- # {
- # clan.nixosTests.coredns = {
- # imports = [ ./tests/vm/default.nix ];
-
- # clan.modules."@rpqt/coredns" = module;
- # };
- # };
-}
diff --git a/clanServices/flake-module.nix b/clanServices/flake-module.nix
index 2a428e5..b698c41 100644
--- a/clanServices/flake-module.nix
+++ b/clanServices/flake-module.nix
@@ -1,7 +1,6 @@
 {
 imports = [
 ./buildbot/flake-module.nix
- ./coredns/flake-module.nix
 ./prometheus/flake-module.nix
 ];
From d46a1aeb8cd6876409fa8ac1f7a9c6d92da41e3f Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Tue, 24 Feb 2026 17:53:46 +0100
Subject: [PATCH 3/4] flake: remove duplicate nixpkgs input
---
 flake.lock | 22 ++++------------------
 flake.nix | 1 +
 2 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/flake.lock b/flake.lock
index b07fc6e..493a8d2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -360,7 +360,9 @@
 "nixos-generators": {
 "inputs": {
 "nixlib": "nixlib",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": [
+ "nixpkgs"
+ ]
 },
 "locked": {
 "lastModified": 1769813415,
@@ -393,22 +395,6 @@
 }
 },
 "nixpkgs": {
- "locked": {
- "lastModified": 1736657626,
- "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixpkgs-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_2": {
 "locked": {
 "lastModified": 1771848320,
 "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
@@ -458,7 +444,7 @@
 "lanzaboote": "lanzaboote",
 "nixos-generators": "nixos-generators",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs",
 "srvos": "srvos",
 "terranix": "terranix"
 }
diff --git a/flake.nix b/flake.nix
index a0b1791..e79a23d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,6 +40,7 @@
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 nixos-generators.url = "github:nix-community/nixos-generators";
+ nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
 clan-core.url = "git+https://git.clan.lol/clan/clan-core";
 clan-core.inputs.nixpkgs.follows = "nixpkgs";
From 599a0d92c7821ed0a47d9cc3f2fe9b2dda85fa3f Mon Sep 17 00:00:00 2001
From: Romain Paquet
Date: Tue, 24 Feb 2026 17:53:46 +0100
Subject: [PATCH 4/4] home-manager: remove dead code
---
 homeModules/cli.nix | 28 ----------------------------
 1 file changed, 28 deletions(-)
diff --git a/homeModules/cli.nix b/homeModules/cli.nix
index a678563..a349053 100644
--- a/homeModules/cli.nix
+++ b/homeModules/cli.nix
@@ -1,7 +1,6 @@
 {
 self,
 config,
- osConfig,
 pkgs,
 ...
 }:
@@ -64,33 +63,6 @@ in
 inherit shellAliases;
 };
- programs.zellij.enable = true;
-
- # programs.khal = {
- # enable = true;
- # };
-
- # accounts.calendar.basePath = ".calendar";
-
- # programs.pimsync.enable = true;
-
- # accounts.calendar.accounts.personal = {
- # pimsync.enable = true;
- # khal.enable = true;
- # thunderbird.enable = true;
- # remote = {
- # url = "https://cloud.rpqt.fr/remote.php/dav/calendars/rpqt/personal/";
-
- # type = "caldav";
- # userName = "rpqt@rpqt.fr";
- # passwordCommand = [
- # "sh"
- # "-c"
- # "passage web/cloud.rpqt.fr | head -n 1"
- # ];
- # };
- # };
-
 xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";
 xdg.configFile."jj/config.toml".source = "${config.dotfiles.path}/.config/jj/config.toml";
 xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc";
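Review bot: The new `nixos-generators.inputs.nixpkgs.follows = "nixpkgs";` line moves nixos-generators off the nixpkgs it pinned itself, and the flake.lock hunk in the same patch shows that pin was NixOS/nixpkgs nixpkgs-unstable at lastModified 1736657626 while the root nixpkgs is at 1771848320, so the generator code now evaluates against a tree about a year newer than it was locked to, and nothing in the diff shows that this was evaluated. A one-line comment would make the dedup intentional for the next reader, e.g. `# single nixpkgs for the whole closure: one tree to lock, review and audit`. Running `nix flake check` on this commit, or evaluating whatever outputs use nixos-generators, would confirm it still evaluates against the root nixpkgs. The `clan-core.inputs.nixpkgs.follows` line just below already uses the same pattern, so the style is consistent; the enclosing `inputs` attribute set starts and ends outside the hunk.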