privatevoid-net · hercules-ci · May 9, 2026 · May 8, 2026 · Apr 17, 2026 · May 6, 2026
diff --git a/cluster/services/acme-client/client.nix b/cluster/services/acme-client/client.nix
@@ -40,11 +40,11 @@ in
       (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
       "--dns-timeout" "30"
     ];
-    credentialsFile = pkgs.writeText "acme-exec-config" ''
+    environmentFile = pkgs.writeText "acme-exec-config" ''
       EXEC_PATH=${execScript}
-      EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
       EXEC_SEQUENCE_INTERVAL=0
     '';
+    credentialFiles.EXEC_ENV_FILE = config.age.secrets.acmeDnsApiKey.path;
   };
 
   systemd.services = lib.mapAttrs' (name: value: {

diff --git a/cluster/services/forge/server.nix b/cluster/services/forge/server.nix
@@ -13,10 +13,6 @@ let
   backendLink = config.links.forgejoBackend;
 
   exe = lib.getExe config.services.forgejo.package;
-
-  go-away = pkgs.go-away.override {
-    buildGoModule = pkgs.buildGo125Module;
-  };
 in
 
 {
@@ -309,12 +305,12 @@ in
     serviceConfig = {
       DynamicUser = true;
       ExecStart = lib.escapeShellArgs [
-        "${go-away}/bin/go-away"
+        "${pkgs.go-away}/bin/go-away"
         "--challenge-template" "forgejo"
         "--bind" protectionLink.tuple
         "--backend" "${host}=${backendLink.url}"
         "--client-ip-header" "X-Forwarded-For"
-        "--policy-snippets" "${go-away}/lib/go-away/snippets"
+        "--policy-snippets" "${pkgs.go-away}/lib/go-away/snippets"
         "--policy" policy
       ];
     };

diff --git a/cluster/services/mail/imap.nix b/cluster/services/mail/imap.nix
@@ -43,48 +43,51 @@ in {
 
   services.dovecot2 = {
     enable = true;
-    enableLmtp = true;
-    enableImap = true;
     enablePAM = false;
     mailUser = "vmail";
     mailGroup = "vmail";
-    sslServerCert = "${certDir}/fullchain.pem";
-    sslServerKey = "${certDir}/key.pem";
     mailPlugins.perProtocol.lmtp.enable = [ "sieve" ];
 
+    settings = {
+      protocols = {
+        imap = true;
+        lmtp = true;
+      };
+      ssl_cert = "${certDir}/fullchain.pem";
+      ssl_key = "${certDir}/key.pem";
+      auth_username_format = "%n";
+      namespace = {
+        inbox = true;
+        separator = "/";
+      };
+      userdb = {
+        driver = "static";
+        args = [
+          "allow_all_users=yes"
+          "uid=${config.services.dovecot2.mailUser}"
+          "gid=${config.services.dovecot2.mailGroup}"
+          "home=/var/mail/virtual/%d/%n"
+        ];
+      };
+
+      passdb = {
+        driver = "ldap";
+        args = ldapConfig;
+      };
+      "service auth" = {
+        "unix_listener auth" = {
+          mode = "0660";
+          inherit (postfixCfg) user group;
+        };
+      };
+    };
+
     sieve = {
       extensions = [
         "fileinto"
       ];
       scripts.before = ./sieve/spam.sieve;
     };
-
-    extraConfig = with config.services.dovecot2; ''
-      auth_username_format = %n
-
-      namespace {
-        inbox = yes
-        separator = /
-      }
-      userdb {
-        driver = static
-        args = allow_all_users=yes uid=${mailUser} gid=${mailUser} home=/var/mail/virtual/%d/%n
-      }
-      passdb {
-        driver = ldap
-        args = ${ldapConfig}
-      }
-
-      service auth {
-        unix_listener auth {
-          mode = 0660
-          user = ${postfixCfg.user}
-          group = ${postfixCfg.group}
-        }
-      }
-
-      auth_mechanisms = plain login
-    '';
   };
 
   systemd.services.dovecot.serviceConfig.ExecStartPre = [ "${writeLdapConfig}/bin/write-ldap-config" ];

diff --git a/cluster/services/storage/garage-options.nix b/cluster/services/storage/garage-options.nix
@@ -141,7 +141,7 @@ in
           fi
 
           ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: layout: let
-              unit = lib.optionalString (lib.versionAtLeast cfg.package.version "0.9") "GB";
+              unit = lib.optionalString (lib.versionAtLeast cfg.package.version "0.9") "GiB";
           in ''
             garage layout assign -z '${layout.zone}' -c '${toString layout.capacity}${unit}' "$(getNodeId '${name}')"
           '') cfg.layout.initial)}
@@ -201,7 +201,7 @@ in
         key = {
           destroyAfterDays = 0;
           create = key: ''
-            if [[ "$(garage key info ${lib.escapeShellArg key} 2>&1 >/dev/null)" == *" 0 matching keys"* ]]; then
+            if [[ "$(garage key info ${lib.escapeShellArg key} 2>&1 >/dev/null)" == *"Access key not found"* ]]; then
               # don't print secret key
               garage ${if lib.versionAtLeast cfg.package.version "0.9" then "key create" else "key new --name"} ${lib.escapeShellArg key} >/dev/null
               echo Key ${lib.escapeShellArg key} was created.

diff --git a/cluster/services/storage/simulacrum/test.nix b/cluster/services/storage/simulacrum/test.nix
@@ -50,7 +50,7 @@ in
           };
           system.ascensions.garage-layout.incantations = lib.mkForce (i: [
             (i.runGarage ''
-              garage layout assign -z eu-central -c 2000GB "$(garage node id -q | cut -d@ -f1)"
+              garage layout assign -z eu-central -c 2TiB "$(garage node id -q | cut -d@ -f1)"
               garage layout apply --version 2
             '')
           ]);
@@ -95,9 +95,9 @@ in
         node.succeed("/run/booted-system/specialisation/modifiedLayout/bin/switch-to-configuration test")
 
       for node in nodes:
-        node.wait_until_succeeds("garage layout show | grep -w 'eu-central  *2\\.0 TB'")
-        assert "1" in node.succeed("garage layout show | grep -w 'eu-central  *2\\.0 TB' | wc -l")
-        assert "2" in node.succeed("garage layout show | grep -w 'eu-central  *1000\\.0 GB' | wc -l")
+        node.wait_until_succeeds("garage layout show | grep -w 'eu-central  *2\\.0 TiB'")
+        assert "1" in node.succeed("garage layout show | grep -w 'eu-central  *2\\.0 TiB' | wc -l")
+        assert "2" in node.succeed("garage layout show | grep -w 'eu-central  *1000\\.0 GiB' | wc -l")
 
     consulConfig = json.loads(garage1.succeed("cat /etc/consul.json"))
     addr = consulConfig["addresses"]["http"]
@@ -119,9 +119,9 @@ in
         node.wait_until_fails("garage status | grep 'NO ROLE ASSIGNED'")
 
       for node in nodes:
-        node.wait_until_succeeds("garage layout show | grep -w 'eu-central  *2\\.0 TB'")
-        assert "1" in node.succeed("garage layout show | grep -w 'eu-central  *2\\.0 TB' | wc -l")
-        assert "${toString ((lib.length nodes.garage) - 1)}" in node.succeed("garage layout show | grep -w 'eu-central  *1000\\.0 GB' | wc -l")
+        node.wait_until_succeeds("garage layout show | grep -w 'eu-central  *2\\.0 TiB'")
+        assert "1" in node.succeed("garage layout show | grep -w 'eu-central  *2\\.0 TiB' | wc -l")
+        assert "${toString ((lib.length nodes.garage) - 1)}" in node.succeed("garage layout show | grep -w 'eu-central  *1000\\.0 GiB' | wc -l")
 
     with subtest("should create specified buckets and keys"):
       for node in nodes:

diff --git a/flake.lock b/flake.lock
diff --git a/packages/patched-derivations.nix b/packages/patched-derivations.nix
@@ -17,7 +17,7 @@ super: rec {
 
   forgejo = patch super.forgejo "patches/base/forgejo";
 
-  garage = super.garage_2;
+  garage = patch super.garage_2 "patches/base/garage";
 
   gotosocial = patch super.gotosocial "patches/base/gotosocial";
 

diff --git a/packages/web-apps/excalidraw/default.nix b/packages/web-apps/excalidraw/default.nix
@@ -1,16 +1,19 @@
-{ lib
-, fetchFromGitHub
-, mkYarnPackage
-, fetchYarnDeps
-, fixup_yarn_lock
-, mkNpinsSource
-, pins
+{
+  lib,
+  fetchFromGitHub,
+  fetchYarnDeps,
+  mkNpinsSource,
+  nodejs,
+  pins,
+  stdenv,
+  yarnBuildHook,
+  yarnConfigHook
 }:
 
 let
   inherit (pins) excalidraw;
 
-  app = mkYarnPackage rec {
+  app = stdenv.mkDerivation rec {
     pname = "excalidraw";
     version = "0.0.0+${builtins.substring 0 7 excalidraw.revision}";
 
@@ -22,30 +25,18 @@ let
 
     packageJSON = "${excalidraw}/package.json";
 
-    nativeBuildInputs = [ fixup_yarn_lock ];
+    nativeBuildInputs = [
+      yarnConfigHook
+      yarnBuildHook
+      nodejs
+    ];
 
     offlineCache = fetchYarnDeps {
       name = "excalidraw-yarn-cache-${builtins.hashString "sha256" (builtins.readFile "${excalidraw}/yarn.lock")}";
       yarnLock = src + "/yarn.lock";
       hash = "sha256-v2ycGVq0q/Rs3UaSh/mExmf3ehWaCQg+CeWS2qQ/674=";
     };
 
-    configurePhase = ''
-      runHook preConfigure
-
-      export HOME="$TMPDIR"
-      yarn config --offline set yarn-offline-mirror "$offlineCache"
-      fixup_yarn_lock yarn.lock
-      yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
-      patchShebangs node_modules/
-
-      runHook postConfigure
-    '';
-
-    buildPhase = ''
-      yarn --offline build:app
-    '';
-
     installPhase = ''
       distRoot=$out/share/www
       dist=$distRoot/excalidraw
@@ -54,8 +45,6 @@ let
       find $dist -type f -name "*.map" -delete
     '';
 
-    doDist = false;
-
     passthru.webroot = "${app}/share/www/excalidraw";
 
     meta = with lib; {