diff --git a/flake.lock b/flake.lock index 2634db5..2cf0c92 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "hardware": { "locked": { - "lastModified": 1737751639, - "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "lastModified": 1739798439, + "narHash": "sha256-GyipmjbbQEaosel/+wq1xihCKbv0/e1LU00x/8b/fP4=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "rev": "3e2ea8a49d4d76276b0f4e2041df8ca5c0771371", "type": "github" }, "original": { @@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1736373539, - "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", + "lastModified": 1739757849, + "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", "owner": "nix-community", "repo": "home-manager", - "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", + "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", "type": "github" }, "original": { @@ -324,11 +324,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1738009863, - "narHash": "sha256-KxmFlQ2j9PpDhKRXWu85bv3R2wmfkUqdpJhEwz9JN/E=", + "lastModified": 1739863612, + "narHash": "sha256-UbtgxplOhFcyjBcNbTVO8+HUHAl/WXFDOb6LvqShiZo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f898cbfddfab52593da301a397a17d0af801bbc3", + "rev": "632f04521e847173c54fa72973ec6c39a371211c", "type": "github" }, "original": { @@ -340,11 +340,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1738023785, - "narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=", + "lastModified": 1739758141, + "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2b4230bf03deb33103947e2528cac2ed516c5c89", + "rev": "c618e28f70257593de75a7044438efc1c1fc0791", "type": "github" }, "original": { diff --git a/hosts/istal/services/renovate.nix b/hosts/istal/services/renovate.nix index 385205e..2086261 100644 --- a/hosts/istal/services/renovate.nix 
+++ b/hosts/istal/services/renovate.nix @@ -1,21 +1,5 @@ { config, pkgs, ... }: -let - latestRenovate = pkgs.unstable.renovate.overrideAttrs (finalAttrs: prevAttrs: { - version = "39.138.0"; - - src = pkgs.fetchFromGitHub { - owner = "renovatebot"; - repo = "renovate"; - tag = finalAttrs.version; - hash = "sha256-kSN5rrVWBhko0MNLbaD/hHl7nJsLErfKsgxNT1/X79A="; - }; - pnpmDeps = pkgs.pnpm_9.fetchDeps { - inherit (finalAttrs) pname version src; - hash = "sha256-yOKQjbU7PMUaBFBNsYQMSj1kT/f4FezdcNvjgeeXNNg="; - }; - }); -in { age.secrets.renovate-gitea-token.file = ./renovate-gitea-token.age; age.secrets.renovate-github-token.file = ./renovate-github-token.age; @@ -34,7 +18,7 @@ in services.renovate = { enable = true; - package = latestRenovate; + package = pkgs.unstable.renovate; schedule = "0..2,10..23:00"; credentials = { RENOVATE_TOKEN = config.age.secrets.renovate-gitea-token.path; diff --git a/modules/nixos/configs/system.nix b/modules/nixos/configs/system.nix index e3e7557..abbfcec 100644 --- a/modules/nixos/configs/system.nix +++ b/modules/nixos/configs/system.nix @@ -2,11 +2,14 @@ let headlessProfile = import "${inputs.nixpkgs-unstable}/nixos/modules/profiles/headless.nix" args; - hardenedProfile = import "${inputs.nixpkgs-unstable}/nixos/modules/profiles/hardened.nix" args; cfg = config.local.system; in { + imports = [ + "${inputs.nixpkgs-unstable}/nixos/modules/profiles/hardened.nix" + ]; + options.local.system = with lib; { kernel = mkOption { type = types.enum [ "hardened" "stable" "latest" ]; @@ -17,6 +20,7 @@ in config = lib.mkMerge [ { + profiles.hardened = lib.mkDefault false; boot.tmp.cleanOnBoot = true; } @@ -27,7 +31,8 @@ in )) (lib.mkIf (cfg.kernel == "hardened") ( - hardenedProfile // { + { + profiles.hardened = true; boot.kernelPackages = pkgs.unstable.linuxPackages_6_6_hardened; # Fix for GLIBC errors due to 'scudo' from hardened profile. # https://github.com/NixOS/nix/issues/6563 
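Review bot: In modules/nixos/configs/system.nix, `profiles.hardened = lib.mkDefault false;` is now the only thing keeping the unconditionally imported hardened profile switched off on hosts that do not select `kernel = "hardened"`, and nothing on the line says so. The upstream profile is not visible here, but if it enables itself on import (which this line suggests), deleting or overriding that default would silently change the hardening state of every host using this module. I would add a comment above it such as `# hardened.nix is always imported; keep it off unless cfg.kernel == "hardened" enables it below`. In the `cfg.kernel == "hardened"` hunk, `profiles.hardened = true;` could also be set by a host directly without going through that branch, which would presumably skip the scudo workaround that follows; an assertion tying `config.profiles.hardened` to `cfg.kernel == "hardened"` would make that mismatch fail at evaluation. Both the `config` block and the hardened branch continue outside the hunks.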
@@ -40,7 +45,7 @@ in }) (lib.mkIf (cfg.kernel == "stable") { - boot.kernelPackages = pkgs.unstable.linuxPackages_6_12; + boot.kernelPackages = pkgs.unstable.linuxPackages_6_13; }) (lib.mkIf (cfg.kernel == "latest") {