flake.lock: Update

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/e55f9a8678adc02024a4877c2a403e3f6daf24fe' (2024-09-03)
  → 'github:nix-community/disko/51994df8ba24d5db5459ccf17b6494643301ad28' (2024-09-20)
• Updated input 'dream2nix':
    'github:nix-community/dream2nix/3fd4c14d3683baac8d1f94286ae14fe160888b51' (2024-08-01)
  → 'github:nix-community/dream2nix/b76c529f377100516c40c5b6e239a4525fdcabe0' (2024-09-16)
• Updated input 'flakeParts':
    'github:hercules-ci/flake-parts/567b938d64d4b4112ee253b9274472dc3a346eb6' (2024-09-01)
  → 'github:hercules-ci/flake-parts/bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a' (2024-09-12)
• Updated input 'homeManager':
    'github:nix-community/home-manager/be47a2bdf278c57c2d05e747a13ed31cef54a037' (2024-09-09)
  → 'github:nix-community/home-manager/14929f7089268481d86b83ed31ffd88713dcd415' (2024-09-21)
• Updated input 'lix':
    'git+https://git@git.lix.systems/lix-project/lix?ref=refs/heads/main&rev=c14486ae8d3bbc862c625d948a6b2f4dc0927d5b' (2024-09-09)
  → 'git+https://git@git.lix.systems/lix-project/lix?ref=refs/heads/main&rev=5f298f74c92402a8390b01c736463b17b36277e3' (2024-09-21)
• Updated input 'lix-module':
    'git+https://git.lix.systems/lix-project/nixos-module?ref=refs/heads/main&rev=353b25f0b6da5ede15206d416345a2ec4195b5c8' (2024-09-08)
  → 'git+https://git.lix.systems/lix-project/nixos-module?ref=refs/heads/main&rev=b0e6f359500d66670cc16f521e4f62d6a0a4864e' (2024-09-18)
• Updated input 'lix-module/flake-utils':
    'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11)
  → 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17)
• Updated input 'nixDarwin':
    'github:LnL7/nix-darwin/76559183801030451e200c90a1627c1d82bb4910' (2024-09-06)
  → 'github:LnL7/nix-darwin/c03f85fa42d68d1056ca1740f3113b04f3addff2' (2024-09-19)
• Updated input 'nixosHardware':
    'github:NixOS/nixos-hardware/166dee4f88a7e3ba1b7a243edb1aca822f00680e' (2024-09-09)
  → 'github:NixOS/nixos-hardware/b493dfd4a8cf9552932179e56ff3b5819a9b8381' (2024-09-21)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/268bb5090a3c6ac5e1615b38542a868b52ef8088' (2024-09-19)
  → 'github:NixOS/nixpkgs/29768748c8e6ce4e9b1fba2b5a978576ece5b3a4' (2024-09-21)
• Updated input 'treefmt-nix':
    'github:numtide/treefmt-nix/9fb342d14b69aefdf46187f6bb80a4a0d97007cd' (2024-09-02)
  → 'github:numtide/treefmt-nix/ee41a466c2255a3abe6bc50fc6be927cdee57a9f' (2024-09-19)

flake.lock

@@ -21,27 +21,6 @@
         "type": "github"
       }
     },
-    "crane": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1721842668,
-        "narHash": "sha256-k3oiD2z2AAwBFLa4+xfU+7G5fisRXfkvrMTCJrjZzXo=",
-        "owner": "ipetkov",
-        "repo": "crane",
-        "rev": "529c1a0b1f29f0d78fa3086b8f6a134c71ef3aaf",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ipetkov",
-        "repo": "crane",
-        "type": "github"
-      }
-    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -136,44 +115,7 @@
         "type": "github"
       }
     },
-    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
@@ -191,7 +133,7 @@
         "type": "github"
       }
     },
-    "flake-parts_3": {
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "nixThePlanet",
@@ -212,7 +154,7 @@
         "type": "indirect"
       }
     },
-    "flake-parts_4": {
+    "flake-parts_3": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib_3"
       },
@@ -343,31 +285,9 @@
         "type": "github"
       }
     },
-    "gitignore_2": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "pre-commit-hooks-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
     "hercules-ci-effects": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
@@ -433,11 +353,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1726985855,
+        "lastModified": 1726902823,
-        "narHash": "sha256-NJPGK030Y3qETpWBhj9oobDQRbXdXOPxtu+YgGvZ84o=",
+        "narHash": "sha256-Gkc7pwTVLKj4HSvRt8tXNvosl8RS9hrBAEhOjAE0Tt4=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "04213d1ce4221f5d9b40bcee30706ce9a91d148d",
+        "rev": "14929f7089268481d86b83ed31ffd88713dcd415",
         "type": "github"
       },
       "original": {
@@ -499,31 +419,6 @@
         "type": "github"
       }
     },
-    "lanzaboote": {
-      "inputs": {
-        "crane": "crane",
-        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1725379389,
-        "narHash": "sha256-qS1H/5/20ewJIXmf8FN2A5KTOKKU9elWvCPwdBi1P/U=",
-        "owner": "nix-community",
-        "repo": "lanzaboote",
-        "rev": "e7bd94e0b5ff3c1e686f2101004ebf4fcea9d871",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "lanzaboote",
-        "type": "github"
-      }
-    },
     "lix": {
       "flake": false,
       "locked": {
@@ -568,11 +463,11 @@
     "mobile-nixos": {
       "flake": false,
       "locked": {
-        "lastModified": 1726960027,
+        "lastModified": 1725601293,
-        "narHash": "sha256-BJe+6Gpqu98Mhi1oAfrJK25SZvvQgfYqpmLaXvXgQ9g=",
+        "narHash": "sha256-PLk1m0ZukClV+qrszd6WaNclpge8zGsSBTOAwYB9es4=",
         "owner": "NixOS",
         "repo": "mobile-nixos",
-        "rev": "a386813d9ec46fa32e51488f7d48c0e1bde77f8e",
+        "rev": "672f8299e484301994858d9220921309f631d616",
         "type": "github"
       },
       "original": {
@@ -637,11 +532,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1727003835,
+        "lastModified": 1726742753,
-        "narHash": "sha256-Cfllbt/ADfO8oxbT984MhPHR6FJBaglsr1SxtDGbpec=",
+        "narHash": "sha256-QclpWrIFIg/yvWRiOUaMp1WR+TGUE9tb7RE31xHlxWc=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "bd7d1e3912d40f799c5c0f7e5820ec950f1e0b3d",
+        "rev": "c03f85fa42d68d1056ca1740f3113b04f3addff2",
         "type": "github"
       },
       "original": {
@@ -652,7 +547,7 @@
     },
     "nixThePlanet": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
         "hercules-ci-effects": "hercules-ci-effects",
         "nixpkgs": [
           "nixpkgs"
@@ -817,22 +712,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable_2": {
-      "locked": {
-        "lastModified": 1720386169,
-        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1720181791,
@@ -882,11 +761,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1727007089,
+        "lastModified": 1726930246,
-        "narHash": "sha256-vsyRYF7MSJE5FHrQdcY3g+CORy6K/6NW+Cw00+VvNy0=",
+        "narHash": "sha256-BG4Qyero2a5DsfC4CDT5Jx9l7h4/N0/7JD0agHoBSGk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9c711566cde5929768e311413eaa2399631624ce",
+        "rev": "29768748c8e6ce4e9b1fba2b5a978576ece5b3a4",
         "type": "github"
       },
       "original": {
@@ -995,33 +874,6 @@
         "type": "gitlab"
       }
     },
-    "pre-commit-hooks-nix": {
-      "inputs": {
-        "flake-compat": [
-          "lanzaboote",
-          "flake-compat"
-        ],
-        "gitignore": "gitignore_2",
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable_2"
-      },
-      "locked": {
-        "lastModified": 1721042469,
-        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "purescript-overlay": {
       "inputs": {
         "nixpkgs": [
@@ -1064,7 +916,7 @@
     "rock5b": {
       "inputs": {
         "fan-control": "fan-control",
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_3",
         "kernel-src": "kernel-src",
         "nixpkgs": "nixpkgs_6",
         "nixpkgs-kernel": "nixpkgs-kernel",
@@ -1096,7 +948,6 @@
         "homeManager": "homeManager",
         "homeManagerGitWorkspace": "homeManagerGitWorkspace",
         "impermanence": "impermanence",
-        "lanzaboote": "lanzaboote",
         "lix": "lix",
         "lix-module": "lix-module",
         "mobile-nixos": "mobile-nixos",
@@ -1110,27 +961,6 @@
         "vscode-server": "vscode-server"
       }
     },
-    "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "lanzaboote",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1722219664,
-        "narHash": "sha256-xMOJ+HW4yj6e69PvieohUJ3dBSdgCfvI0nnCEe6/yVc=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "a6fbda5d9a14fb5f7c69b8489d24afeb349c7bb4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
     "scss-reset": {
       "flake": false,
       "locked": {

flake.nix

@@ -55,10 +55,6 @@
     };
     impermanence.url = "github:nix-community/impermanence";
     vscode-server.url = "github:nix-community/nixos-vscode-server";
-    lanzaboote = {
-      url = "github:nix-community/lanzaboote";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
   outputs =

hosts/default.nix

@@ -11,6 +11,66 @@
     nixOnDroidHosts.janeway = { };
 
     hosts = {
+      # thinkpad = {
+      #   extraModules = with inputs; [
+      #     nixosHardware.nixosModules.lenovo-thinkpad-x1-7th-gen
+      # 	buildbot-nix.nixosModules.buildbot-master
+      # 	buildbot-nix.nixosModules.buildbot-worker
+      #   ];
+      #   extraHmModules = with inputs; [
+      #     ccrEmacs.hmModules.default
+      #     {
+      #         # TODO: remove after https://github.com/nix-community/home-manager/pull/3811
+      #       imports = let
+      #         hmModules = "${inputs.homeManagerGitWorkspace}/modules";
+      #       in [
+      #         "${hmModules}/services/git-workspace.nix"
+      #       ];
+      #     }
+      #   ];
+      #   overlays = [inputs.nil.overlays.default];
+      #   secrets = {
+      #     "thinkpad-wireguard-private-key" = {};
+      #     "cachix-personal-token".owner = "ccr";
+      #     "autistici-password".owner = "ccr";
+      #     "git-workspace-tokens".owner = "ccr";
+      #     "chatgpt-token".owner = "ccr";
+      #   };
+      # };
+      # rock5b = {
+      #   system = "aarch64-linux";
+      #   extraModules = with inputs; [
+      #     disko.nixosModules.disko
+      #     rock5b.nixosModules.default
+      #   ];
+      #   secrets = {
+      #     "rock5b-wireguard-private-key" = {};
+      #     "hercules-ci-join-token".owner = "hercules-ci-agent";
+      #     "hercules-ci-binary-caches".owner = "hercules-ci-agent";
+      #     "cachix-personal-token".owner = "ccr";
+      #     "home-planimetry".owner = "hass";
+      # 	"cloudflare-dyndns-api-token" = {};
+      #       # "nextcloud-admin-pass".owner = "nextcloud";
+      #       # "aws-credentials" = {};
+      #   };
+      #   colmena.deployment.buildOnTarget = true;
+      # };
+      # pbp = {
+      #   system = "aarch64-linux";
+      #   extraModules = with inputs; [
+      #     nixosHardware.nixosModules.pine64-pinebook-pro
+      #     disko.nixosModules.disko
+      #   ];
+      #   extraHmModules = [
+      #     inputs.ccrEmacs.hmModules.default
+      #   ];
+      #   secrets = {
+      #     "pbp-wireguard-private-key" = {};
+      #     "cachix-personal-token".owner = "ccr";
+      #     "chatgpt-token".owner = "ccr";
+      #   };
+      # };
+
       deltaflyer = {
         nixpkgs =
           let
@@ -46,6 +106,7 @@
           inputs.lix-module.nixosModules.default
         ];
         extraHmModules = [
+          # inputs.ccrEmacs.hmModules.default
           "${inputs.homeManagerGitWorkspace}/modules/services/git-workspace.nix"
         ];
         secrets = {
@@ -67,7 +128,7 @@
           inputs.disko.nixosModules.disko
           inputs.nixThePlanet.nixosModules.macos-ventura
           inputs.lix-module.nixosModules.default
-          inputs.lanzaboote.nixosModules.lanzaboote
+          # inputs.hercules-ci-agent.nixosModules.agent-service
         ];
         extraHmModules = [
           # inputs.ccrEmacs.hmModules.default
@@ -78,9 +139,13 @@
           "picard-wireguard-private-key" = { };
           "chatgpt-token".owner = "ccr";
           "cachix-personal-token".owner = "ccr";
+          "hercules-ci-join-token".owner = "hercules-ci-agent";
+          "hercules-ci-binary-caches".owner = "hercules-ci-agent";
+          "hercules-ci-secrets-json".owner = "hercules-ci-agent";
           "git-workspace-tokens".owner = "ccr";
           "autistici-password".owner = "ccr";
           "restic-hetzner-password" = { };
+          "aws-credentials".owner = "hercules-ci-agent";
           "forgejo-runners-token".owner = "nixuser";
           "forgejo-nix-access-tokens".owner = "nixuser";
         };
@@ -95,16 +160,26 @@
         extraModules = with inputs; [
           disko.nixosModules.disko
           impermanence.nixosModules.impermanence
+          # lix-module.nixosModules.default
+          # inputs.hercules-ci-agent.nixosModules.agent-service;
+          # rock5b.nixosModules.default
         ];
         secrets = {
           "sisko-wireguard-private-key" = { };
+          "hercules-ci-join-token".owner = "hercules-ci-agent";
+          "hercules-ci-binary-caches".owner = "hercules-ci-agent";
+          "hercules-ci-secrets-json".owner = "hercules-ci-agent";
           "cachix-personal-token".owner = "ccr";
           "home-planimetry".owner = "hass";
           "home-assistant-token".owner = "prometheus";
           "grafana-password".owner = "grafana";
           "cloudflare-dyndns-api-token" = { };
           "restic-hetzner-password" = { };
+          # "minio-credentials".owner = "minio";
+          # "aws-credentials".owner = "hercules-ci-agent";
           "hass-ssh-key".owner = "hass";
+          # "matrix-registration-shared-secret".owner = "matrix-synapse";
+          # "matrix-sliding-sync-secret".owner = "matrix-synapse";
           "autistici-password" = {
             # FIXME terrible, should create a third ad-hoc group
             owner = "grafana";

hosts/picard/default.nix

@@ -26,6 +26,7 @@
       "waydroid"
       "virt-manager"
       "ssh-initrd"
+      "hercules-ci"
       "printing"
       "pam"
       "wireguard-client"
@@ -128,15 +129,12 @@
 
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.systemd-boot = {
-    enable = lib.mkForce false; # needed by lanzaboote
-  };
-  boot.lanzaboote = {
     enable = true;
-    pkiBundle = "/etc/secureboot";
     configurationLimit = 20;
   };
 
-  boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_10;
+  # boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_8;
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 
   networking.hostId = "5b02e763";