chore(deps): lock file maintenance

.github/workflows/ci.yml

@@ -45,3 +45,17 @@ jobs:
           lfs: false
       - name: "Deploy profile"
         run: "auto-deploy ${{ matrix.profile }}"
+  deploy-ci:
+    needs: deploy
+    if: success() && github.ref == 'refs/heads/main'
+    runs-on: nix
+    env:
+      SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}"
+    steps:
+      - name: Initialize CI
+        uses: https://git.qo.is/qo.is/actions-nix-init@main
+        with:
+          token: ${{ secrets.CI_TOKEN }}
+          lfs: false
+      - name: "Deploy profile"
+        run: "auto-deploy system-ci"

defaults/meta/hosts.json

@@ -17,7 +17,7 @@
   },
   "lindberg-webapps": {
     "hostName": "lindberg-webapps",
-    "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJT99lj5OI+V1PlZl/T2ikBORwMiXjDfWpHYfq/GvUM5"
+    "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByESy+XiBT8/PoE8DUB388B5MA6LVcJBgH1ZgYxr9Mg"
   },
   "batzberg": {
     "hostName": "batzberg"

flake.lock

@@ -23,15 +23,15 @@
     "disko": {
       "inputs": {
         "nixpkgs": [
-          "nixpkgs-nixos-stable"
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1749200714,
-        "narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=",
+        "lastModified": 1751854533,
+        "narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6",
+        "rev": "16b74a1e304197248a1bc663280f2548dbfcae3c",
         "type": "github"
       },
       "original": {
@@ -81,11 +81,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747372754,
-        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+        "lastModified": 1750779888,
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
         "type": "github"
       },
       "original": {
@@ -131,34 +131,18 @@
         "type": "github"
       }
     },
-    "nixpkgs-nixos-stable": {
-      "locked": {
-        "lastModified": 1748995628,
-        "narHash": "sha256-bFufQGSAEYQgjtc4wMrobS5HWN0hDP+ZX+zthYcml9U=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "8eb3b6a2366a7095939cd22f0dc0e9991313294b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1749143949,
-        "narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=",
+        "lastModified": 1751741127,
+        "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d",
+        "rev": "29e290002bfff26af1db6f64d070698019460302",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -170,10 +154,10 @@
         ]
       },
       "locked": {
-        "lastModified": 1747599024,
-        "narHash": "sha256-qc94Cyt6uaQCVY2VlCtNxGb7hs3DbLvxuhEnSLFL8T8=",
-        "rev": "bed7588246ec58aacac3d0ff5b191fa6cc9faa98",
-        "revCount": 17,
+        "lastModified": 1749920008,
+        "narHash": "sha256-wn3U2q/+OQYErVyoY9kwZP/fXcDG4ewhJkHX7qHzq8g=",
+        "rev": "5f8ba2025848dd30539c42ef1f7e6c6f917e70d9",
+        "revCount": 19,
         "type": "git",
         "url": "file:./private"
       },
@@ -188,7 +172,6 @@
         "disko": "disko",
         "git-hooks-nix": "git-hooks-nix",
         "nixpkgs": "nixpkgs_2",
-        "nixpkgs-nixos-stable": "nixpkgs-nixos-stable",
         "private": "private",
         "sops-nix": "sops-nix",
         "treefmt-nix": "treefmt-nix"
@@ -201,11 +184,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "lastModified": 1751606940,
+        "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
         "type": "github"
       },
       "original": {
@@ -236,11 +219,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749194973,
-        "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
+        "lastModified": 1750931469,
+        "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
+        "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,8 +5,7 @@
     extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
   };
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
 
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";
@@ -24,7 +23,7 @@
     deploy-rs.url = "github:serokell/deploy-rs";
     disko = {
       url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "nixpkgs-nixos-stable";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
     private.url = "git+file:./private";
     private.inputs.nixpkgs.follows = "nixpkgs";
@@ -59,7 +58,7 @@
         inherit (inputs)
           deploy-rs
           disko
-          nixpkgs-nixos-stable
+          nixpkgs
           sops-nix
           private
           git-hooks-nix

nixos-configurations/calanda/default.nix

@@ -16,5 +16,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }

nixos-configurations/cyprianspitz/default.nix

@@ -23,5 +23,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }

nixos-configurations/default.nix

@@ -1,12 +1,12 @@
 {
   self,
   pkgs,
-  nixpkgs-nixos-stable,
+  nixpkgs,
   ...
 }@inputs:
 let
   inherit (pkgs.lib) genAttrs;
-  inherit (nixpkgs-nixos-stable.lib) nixosSystem;
+  inherit (nixpkgs.lib) nixosSystem;
   configs = self.lib.foldersWithNix ./.;
 in
 genAttrs configs (

nixos-configurations/lindberg-build/default.nix

@@ -19,5 +19,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }

nixos-configurations/lindberg-nextcloud/default.nix

@@ -46,5 +46,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }

nixos-configurations/lindberg-webapps/default.nix

@@ -19,5 +19,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }

nixos-configurations/lindberg-webapps/disko-config.nix

@@ -3,7 +3,7 @@
   disko.devices.disk = {
     system = {
       type = "disk";
-      device = "/dev/vda";
+      device = "/dev/vdb";
       content = {
         type = "gpt";
         partitions = {

nixos-configurations/lindberg/default.nix

@@ -24,5 +24,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }

nixos-modules/cloud/default.nix

@@ -3,7 +3,6 @@
   config,
   lib,
   pkgs,
-  options,
   ...
 }:
 
@@ -31,10 +30,6 @@ with lib;
         "nextcloud30"
       ];
     };
-
-    adminpassFile = options.services.nextcloud.config.adminpassFile // {
-      default = config.sops.secrets."nextcloud/admin".path;
-    };
   };
 
   config = mkIf cfg.enable {
@@ -64,7 +59,7 @@ with lib;
       database.createLocally = true;
 
       config = {
-        inherit (cfg) adminpassFile;
+        adminpassFile = config.sops.secrets."nextcloud/admin".path;
         adminuser = "root";
         dbtype = "pgsql";
       };
@@ -88,16 +83,22 @@ with lib;
       };
 
       phpOptions = {
-        "opcache.interned_strings_buffer" = "23";
+        "opcache.interned_strings_buffer" = "64";
+        "opcache.memory_consumption" = "512";
+        "opcache.save_comments" = "1";
+        "opcache.max_accelerated_files" = "50000";
+        "opcache.fast_shutdown" = "1";
+        "opcache.jit" = "1255";
+        "opcache.jit_buffer_size" = "8M";
       };
 
       poolSettings = {
         "pm" = "dynamic";
-        "pm.max_children" = "256";
-        "pm.max_requests" = "500";
-        "pm.max_spare_servers" = "16";
-        "pm.min_spare_servers" = "2";
-        "pm.start_servers" = "8";
+        "pm.max_children" = "480";
+        "pm.max_requests" = "2000";
+        "pm.max_spare_servers" = "72";
+        "pm.min_spare_servers" = "24";
+        "pm.start_servers" = "48";
       };
 
       configureRedis = true;
@@ -121,12 +122,6 @@ with lib;
       };
     };
 
-    services.phpfpm.pools.nextcloud.settings = {
-      "pm.max_children" = lib.mkForce "256";
-      "pm.max_spare_servers" = lib.mkForce "16";
-      "pm.start_servers" = lib.mkForce "8";
-    };
-
     users.users.nextcloud.extraGroups = [ "postdrop" ];
 
     systemd.services.nextcloud-cron = {

nixos-modules/cloud/test.nix

@@ -1,36 +0,0 @@
-{
-  ...
-}:
-{
-  # Note: This extends the default configuration from ${self}/checks/nixos-modules
-  nodes.webserver =
-    { pkgs, lib, ... }:
-    let
-      inherit (pkgs) curl gnugrep;
-      inherit (lib) mkForce;
-      cloud-domain = "cloud.example.com";
-    in
-    {
-      qois.cloud = {
-        enable = true;
-        domain = cloud-domain;
-        package = pkgs.nextcloud31;
-        adminpassFile = "${pkgs.writeText "adminpass" "insecure"}"; # Don't try this at home!
-      };
-
-      qois.postgresql.package = pkgs.postgresql;
-      sops.secrets = mkForce { };
-
-      # Disable TLS services
-      services.nginx.virtualHosts."${cloud-domain}" = {
-        forceSSL = mkForce false;
-        enableACME = mkForce false;
-      };
-
-      # Test environment
-      environment.systemPackages = [
-        curl
-        gnugrep
-      ];
-    };
-}

nixos-modules/cloud/test.py

@@ -1,34 +0,0 @@
-def test(subtest, webserver):
-    webserver.wait_for_unit("nginx")
-    webserver.wait_for_open_port(80)
-    webserver.wait_for_unit("nextcloud-setup.service")
-    webserver.wait_for_unit("phpfpm-nextcloud.service")
-
-    # Helpers
-    def curl_variable_test(node, variable, expected, url):
-        value = node.succeed(
-            f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'"
-        )
-        assert value == expected, (
-            f"expected {variable} to be '{expected}' but got '{value}'"
-        )
-
-    def expect_http_code(node, code, url):
-        curl_variable_test(node, "http_code", code, url)
-
-    def expect_http_content_contains(node, expectedContentSnippet, url):
-        content = node.succeed(f"curl --no-location --silent '{url}'")
-        assert expectedContentSnippet in content, f"""
-                expected in content:
-                  {expectedContentSnippet}
-                at {url} but got following content:
-                  {content}
-            """
-
-    # Tests
-    with subtest("website is successfully served on cloud.example.com"):
-        webserver.succeed("grep cloud.example.com /etc/hosts")
-        expect_http_code(webserver, "200", "http://cloud.example.com")
-        expect_http_content_contains(
-            webserver, "Log in to cloud.qoo.is", "http://docs.example.com"
-        )

nixos-modules/static-page/README.md

@@ -1,5 +1,5 @@
 # Static Pages
 
-This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root".
+This module enables static nginx sites, with data served from "/var/lib/nginx-$domain/root".
 
 To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs.

packages/sops-config/default.nix

@@ -75,7 +75,7 @@ writeText ".sops.yaml" (
 
         # Secrets for all hosts
         {
-          path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
+          path_regex = "private/nixos-modules/shared-secrets/default\.sops\.(yaml|json|env|ini)$";
           pgp = toCommaList userPgpKeys;
           age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
         }

private

@@ -1 +1 @@
-Subproject commit bed7588246ec58aacac3d0ff5b191fa6cc9faa98
+Subproject commit 5f8ba2025848dd30539c42ef1f7e6c6f917e70d9