Require postgres version to be configured manually

SUMMARY.md

@@ -27,7 +27,6 @@
 
 - [calanda](nixos-configurations/calanda/README.md)
 - [cyprianspitz](nixos-configurations/cyprianspitz/README.md)
-- [fulberg](nixos-configurations/fulberg/README.md)
 - [lindberg](nixos-configurations/lindberg/README.md)
 - [stompert](nixos-configurations/stompert/README.md)
 - [tierberg](nixos-configurations/tierberg/README.md)

defaults/base-minimal/default.nix

@@ -72,7 +72,7 @@
       dates = "weekly";
       options = "--delete-older-than 90d";
     };
-    package = pkgs.nixFlakes;
+    package = pkgs.nixVersions.stable;
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
@@ -105,7 +105,10 @@
   };
 
   programs.autojump.enable = true;
-  programs.vim.defaultEditor = true;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
 
   sops.defaultSopsFile =
     let

defaults/meta/hosts.json

@@ -1,8 +1,4 @@
 {
-  "fulberg": {
-    "hostName": "fulberg",
-    "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCG9qqpUOJ2RsohIqhMuw3YZZSrnPqhf5ayh5y0Cq/I"
-  },
   "calanda": {
     "hostName": "calanda",
     "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdoOZcFFRXIqEWqUnwCk/kqP8DZw6/4omDefCT6aNN4"

defaults/meta/network-physical.nix

@@ -36,9 +36,6 @@
         calanda = {
           v4.ip = "10.1.2.1";
         };
-        fulberg = {
-          v4.ip = "10.1.2.2";
-        };
       };
     };
 

defaults/meta/network-virtual.nix

@@ -27,15 +27,6 @@
         domain = "backplane.net.qo.is";
 
         hosts = {
-          fulberg = {
-            v4.ip = "10.250.0.1";
-            endpoint = {
-              fqdn = physical-network.plessur-ext.hosts.calanda.fqdn;
-              port = 51821;
-            };
-            publicKey = "xcQOu+pp4ckNygcsLmJL1NmUzbbC+k3I7y+hJ9Ul4nk=";
-            persistentKeepalive = 25;
-          };
           lindberg = {
             v4.ip = "10.250.0.2";
             #endpoint = { # TODO: Port forwarding

defaults/meta/network.md

@@ -18,7 +18,7 @@ package "plessur.net.qo.is" {
   ]
 
   node calanda 
-  node fulberg
+  node cyprianspitz
   
   cloud plessurnet [
     <i>LAN Plessur
@@ -26,7 +26,7 @@ package "plessur.net.qo.is" {
   
   mediaconvchur - "enp4" calanda
   calanda "br0 (enp2, wlp1, wlp5)" --- plessurnet
-  calanda "enp4" -- "eno1" fulberg
+  plessurnet -- cyprianspitz
 } 
 
 package "riedbach.net.qo.is" {

flake.lock

@@ -1,53 +1,9 @@
 {
   "nodes": {
-    "attic": {
-      "inputs": {
-        "crane": "crane",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs",
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1731270564,
-        "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=",
-        "owner": "zhaofengli",
-        "repo": "attic",
-        "rev": "47752427561f1c34debb16728a210d378f0ece36",
-        "type": "github"
-      },
-      "original": {
-        "owner": "zhaofengli",
-        "repo": "attic",
-        "type": "github"
-      }
-    },
-    "crane": {
-      "inputs": {
-        "nixpkgs": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722960479,
-        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
     "deploy-rs": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
         "utils": "utils"
       },
       "locked": {
@@ -71,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731274291,
+        "lastModified": 1733168902,
-        "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=",
+        "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc",
+        "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5",
         "type": "github"
       },
       "original": {
@@ -100,129 +56,7 @@
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722555600,
-        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "nix-github-actions": {
-      "inputs": {
-        "nixpkgs": [
-          "attic",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1729742964,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
-      "locked": {
-        "lastModified": 1726042813,
-        "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-nixos-stable": {
-      "locked": {
-        "lastModified": 1731239293,
-        "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-nixos-unstable": {
-      "locked": {
-        "lastModified": 1731139594,
-        "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1724316499,
-        "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
       "locked": {
         "lastModified": 1702272962,
         "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
@@ -238,6 +72,38 @@
         "type": "github"
       }
     },
+    "nixpkgs-nixos-stable": {
+      "locked": {
+        "lastModified": 1733261153,
+        "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-nixos-unstable": {
+      "locked": {
+        "lastModified": 1733212471,
+        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "private": {
       "inputs": {
         "nixpkgs-nixos-unstable": [
@@ -259,7 +125,6 @@
     },
     "root": {
       "inputs": {
-        "attic": "attic",
         "deploy-rs": "deploy-rs",
         "disko": "disko",
         "nixpkgs-nixos-stable": "nixpkgs-nixos-stable",
@@ -272,17 +137,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs-nixos-unstable"
-        ],
-        "nixpkgs-stable": [
-          "nixpkgs-nixos-stable"
         ]
       },
       "locked": {
-        "lastModified": 1731213149,
+        "lastModified": 1733128155,
-        "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
+        "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
+        "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,19 +5,17 @@
     extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
   };
   inputs = {
-    attic.url = "github:zhaofengli/attic";
     deploy-rs.url = "github:serokell/deploy-rs";
     disko = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs-nixos-stable";
     };
     nixpkgs-nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs = {
         nixpkgs.follows = "nixpkgs-nixos-unstable";
-        nixpkgs-stable.follows = "nixpkgs-nixos-stable";
       };
     };
     private.url = "git+file:./private";

nixos-configurations/calanda/networking.nix

@@ -66,14 +66,6 @@ in
   # DMZ Portforwarding
   networking.nat.forwardPorts =
     let
-      fulbergPort = (
-        proto: port: {
-          destination = "10.1.2.2:${toString port}";
-          proto = proto;
-          sourcePort = port;
-          loopbackIPs = [ "85.195.200.253" ];
-        }
-      );
       cyprianspitzPort = (
         proto: port: {
           destination = "10.1.1.11:${toString port}";
@@ -84,26 +76,12 @@ in
       );
     in
     [
-      {
-        destination = "10.1.2.2:22";
-        proto = "tcp";
-        sourcePort = 8022;
-      }
-      {
-        destination = "10.1.2.2:2222";
-        proto = "tcp";
-        sourcePort = 8222;
-      }
       {
         destination = "10.1.1.11:2222";
         proto = "tcp";
         sourcePort = 8223;
       }
     ]
-    ++ map (fulbergPort "udp") [
-      51820
-      51821
-    ]
     ++ map (cyprianspitzPort "tcp") [
       80
       443

nixos-configurations/default.nix

@@ -3,7 +3,6 @@
   pkgs,
   nixpkgs-nixos-stable,
   disko,
-  attic,
   sops-nix,
   ...
 }@inputs:
@@ -20,13 +19,6 @@ pkgs.lib.genAttrs configs (
     modules = [
       self.nixosModules.default
       ./${config}/default.nix
-      (
-        { ... }:
-        {
-          imports = [ "${attic}/nixos/atticd.nix" ];
-          services.atticd.useFlakeCompatOverlay = false;
-        }
-      )
       disko.nixosModules.disko
       sops-nix.nixosModules.sops
       (

nixos-configurations/fulberg/README.md

@@ -1 +0,0 @@
-# fulberg

nixos-configurations/fulberg/applications/default.nix

@@ -1 +0,0 @@
-{ ... }: { }

nixos-configurations/fulberg/backup.nix

@@ -1,35 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  qois.backup-server = {
-    enable = true;
-    backupStorageRoot = "/mnt/nas/backup";
-  };
-
-  services.borgbackup.repos =
-    let
-      backupRoot = "/mnt/nas/backup";
-      hostBackupRoot = "${backupRoot}/hosts";
-      dataBackupRoot = "${backupRoot}/data";
-    in
-    {
-      "lindberg-nextcloud" = {
-        authorizedKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpzfp9VqclbPJ42ZrkRpvjMSTeyq0qce03zCRXqIHMw backup@lindberg-nextcloud"
-        ];
-        path = "${hostBackupRoot}/lindberg-nextcloud";
-      };
-      "lindberg-data" = {
-        authorizedKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-data@lindberg"
-        ];
-        path = "${dataBackupRoot}/lindberg";
-      };
-      "lindberg-build-system" = {
-        authorizedKeys = [
-          "ssh-ed25519 AAAATODOTODOTODONTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-system@lindberg-build"
-        ];
-        path = "${dataBackupRoot}/lindberg-build-system";
-      };
-    };
-}

nixos-configurations/fulberg/default.nix

@@ -1,22 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  imports = [
-    ../../defaults/base
-    ../../defaults/hardware/apu.nix
-    ../../defaults/meta
-    ./applications
-    ./backup.nix
-    ./filesystems.nix
-    ./networking.nix
-    ./secrets.nix
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like fi:le locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-}

nixos-configurations/fulberg/filesystems.nix

@@ -1,31 +0,0 @@
-{ config, pkgs, ... }:
-{
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/360a6bc9-fc4e-4803-bd53-69320ac32ac5";
-      fsType = "btrfs";
-      options = [
-        "defaults"
-        "subvol=nixos"
-        "noatime"
-      ];
-    };
-    "/mnt/nas" = {
-      device = "10.1.1.39:/qois";
-      fsType = "nfs";
-      options = [
-        "defaults"
-        "noatime"
-        "soft"
-      ];
-    };
-  };
-
-  swapDevices = [ { device = "/dev/disk/by-uuid/73f91e99-d856-4504-b6b2-d60f855d6d95"; } ];
-
-  boot.loader.grub = {
-    enable = true;
-    device = "/dev/sda";
-  };
-}

nixos-configurations/fulberg/networking.nix

@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-let
-  meta = config.qois.meta;
-  plessur-dmz-net = meta.network.physical.plessur-dmz;
-  getCalandaIp4 = net: net.hosts.calanda.v4.ip;
-in
-{
-  networking.hostName = meta.hosts.fulberg.hostName;
-
-  imports = [ ../../defaults/backplane-net ];
-
-  # WWAN is currently not available due to a broken SIM-card.
-  #services.qois.wwan = {
-  #  enable = true;
-  #  apn = "gprs.swisscom.ch";
-  #  networkInterface = "wwp0s19u1u3i12";
-  #};
-
-  networking.interfaces.enp1s0 = {
-    useDHCP = false;
-    ipv4.addresses = [
-      {
-        inherit (plessur-dmz-net.v4) prefixLength;
-        address = plessur-dmz-net.hosts.fulberg.v4.ip;
-      }
-    ];
-  };
-
-  networking.defaultGateway = plessur-dmz-net.v4.gateway;
-  networking.nameservers = plessur-dmz-net.v4.nameservers;
-
-  # Configure this node to be used as an vpn exit node
-  qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
-  services.tailscale = {
-    enable = true;
-    openFirewall = true;
-    useRoutingFeatures = "server";
-    authKeyFile = config.sops.secrets."tailscale/key".path;
-    extraUpFlags = [
-      "--login-server=https://vpn.qo.is"
-      "--advertise-exit-node"
-      (
-        with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
-      )
-      "--advertise-tags=tag:srv"
-    ];
-  };
-}

nixos-configurations/fulberg/secrets.nix

@@ -1,8 +0,0 @@
-{ ... }:
-{
-  sops.secrets = {
-    "tailscale/key" = {
-      restartUnits = [ "tailscale.service" ];
-    };
-  };
-}

nixos-configurations/lindberg-build/applications/attic.nix

@@ -14,7 +14,7 @@ in
     # generate secret with
     # nix run system#openssl rand 64 | base64 -w0
     # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl"
-    credentialsFile = config.sops.secrets."attic/server_token".path;
+    environmentFile = config.sops.secrets."attic/server_token".path;
 
     settings = {
       listen = "127.0.0.1:${builtins.toString atticPort}";
@@ -44,6 +44,8 @@ in
         max-size = 256 * 1024; # 256 KiB
       };
 
+      garbage-collection.default-retention-period = "6 months";
+
       database.url = "postgresql:///atticd?host=/run/postgresql";
     };
   };
@@ -51,6 +53,7 @@ in
   imports = [ ../../../defaults/webserver ];
 
   qois.postgresql.enable = true;
+
   # Note: Attic cache availability is "best effort", so no artifacts are backed up.
 
   services.postgresql = {

nixos-configurations/lindberg-build/backup.nix

@@ -3,7 +3,6 @@
 let
   vnet = config.qois.meta.network.virtual.backplane.hosts;
   systemTargets = [
-    "fulberg"
     "tierberg"
   ];
   systemJobs = builtins.listToAttrs (

nixos-configurations/lindberg-nextcloud/secrets.nix

@@ -2,7 +2,7 @@
 let
   backupConfiguration = {
     restartUnits = [
-      "borgbackup-job-system-fulberg.service"
+      "borgbackup-job-system-cyprianspitz.service"
       "borgbackup-job-system-tierberg.service"
     ];
   };

nixos-configurations/lindberg/secrets.nix

@@ -2,7 +2,7 @@
 let
   backupConfiguration = {
     restartUnits = [
-      "borgbackup-job-data-fulberg.service"
+      "borgbackup-job-data-cyprianspitz.service"
       "borgbackup-job-data-tierberg.service"
     ];
   };

nixos-configurations/stompert/default.nix

@@ -59,5 +59,5 @@
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "22.11"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }

nixos-modules/postgresql/default.nix

@@ -12,6 +12,10 @@ with lib;
 {
   options.qois.postgresql = {
     enable = mkEnableOption ''Enable postgresql services with defaults'';
+    package = mkPackageOption pkgs "postgresql" {
+      example = "postgresql_15";
+      default = null;
+    };
   };
 
   config = mkIf cfg.enable {

updates.md

@@ -28,7 +28,7 @@ deploy-qois .#lindberg-nextcloud .#lindberg-build
 deploy-qois .#lindberg
 
 # Deploy slow physical hosts (maybe do individually)
-deploy-qois --confirm-timeout 600 --activation-timeout 600 --targets .#fulberg .#tierberg .#stompert .#stompert
+deploy-qois --confirm-timeout 600 --activation-timeout 600 --targets .#tierberg .#stompert .#stompert
 
 ```
 
@@ -39,7 +39,13 @@ For kernel updates, it might be required to reboot machines, which can be done i
 pssh -l root -H lindberg-nextcloud.backplane.net.qo.is -H lindberg-build.backplane.net.qo.is reboot
 ```
 
-## Aplication Updates
+## `systemVersion` upgrades
+
+- Make sure to read through the nixpkgs changelog to catch configuration scheme changes,
+  successor applications or for the need for manual interventions.
+- Pay special attention the applications listed below.
+
+## Application Updates
 
 Some applications have pinned versions to prevent problems due to accidental upgrades.  
 The version switch has to be done manually by switching the package used.
@@ -47,3 +53,5 @@ The version switch has to be done manually by switching the package used.
 This includes the modules for:
 
 - `nextcloud`
+- `postgresql`, [→ Nixpkgs manual page](https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading)
+