chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

kaas

Browse source
This commit is contained in:
Chris Kruining 2025-12-01 14:14:32 +01:00 committed by chris
parent e6829d99ce
commit afbf168c35
16 changed files with 541 additions and 467 deletions
Download patch file Download diff file Expand all files Collapse all files

110
modules/home/application/steam/default.nix
View file

@ -1,55 +1,55 @@
{ inputs, config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.application.steam;
in
{
options.${namespace}.application.steam = {
enable = mkEnableOption "enable steam";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ protonup-ng ];
home.sessionVariables = {
STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d";
};
programs = {
# steam = {
# enable = true;
# package = pkgs.steam-small.override {
# extraEnv = {
# DXVK_HUD = "compiler";
# MANGOHUD = true;
# };
# };
# gamescopeSession = {
# enable = true;
# args = ["--immediate-flips"];
# };
# };
# https://github.com/FeralInteractive/gamemode
# gamemode = {
# enable = true;
# enableRenice = true;
# settings = {};
# };
# gamescope = {
# enable = true;
# capSysNice = true;
# env = {
# DXVK_HDR = "1";
# ENABLE_GAMESCOPE_WSI = "1";
# WINE_FULLSCREEN_FSR = "1";
# WLR_RENDERER = "vulkan";
# };
# args = ["--hdr-enabled"];
# };
};
};
}
{ inputs, config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.application.steam;
in
{
options.${namespace}.application.steam = {
enable = mkEnableOption "enable steam";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ protonup-ng ];
home.sessionVariables = {
STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d";
};
programs = {
# steam = {
# enable = true;
# package = pkgs.steam-small.override {
# extraEnv = {
# DXVK_HUD = "compiler";
# MANGOHUD = true;
# };
# };
# gamescopeSession = {
# enable = true;
# args = ["--immediate-flips"];
# };
# };
# https://github.com/FeralInteractive/gamemode
# gamemode = {
# enable = true;
# enableRenice = true;
# settings = {};
# };
# gamescope = {
# enable = true;
# capSysNice = true;
# env = {
# DXVK_HDR = "1";
# ENABLE_GAMESCOPE_WSI = "1";
# WINE_FULLSCREEN_FSR = "1";
# WLR_RENDERER = "vulkan";
# };
# args = ["--hdr-enabled"];
# };
};
};
}

30
modules/home/application/teamspeak/default.nix
View file

@ -1,15 +1,15 @@
{ inputs, config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.application.teamspeak;
in
{
options.${namespace}.application.teamspeak = {
enable = mkEnableOption "enable teamspeak";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ teamspeak3 teamspeak6-client ];
};
}
{ inputs, config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.application.teamspeak;
in
{
options.${namespace}.application.teamspeak = {
enable = mkEnableOption "enable teamspeak";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ teamspeak3 teamspeak6-client ];
};
}

124
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -13,7 +13,7 @@ in
organization = mkOption {
type = types.attrsOf (types.submodule ({ name, ... }: {
options =
options =
let
org = name;
in
@ -23,11 +23,11 @@ in
default = false;
example = "true";
description = ''
True sets the org as default org for the instance. Only one org can be default org.
True sets the '${org}' org as default org for the instance. Only one org can be default org.
Nothing happens if you set it to false until you set another org as default org.
'';
};
project = mkOption {
default = {};
type = types.attrsOf (types.submodule {
@ -46,7 +46,7 @@ in
default = null;
example = "enforceProjectResourceOwnerPolicy";
description = ''
Defines from where the private labeling should be triggered,
Defines from where the private labeling should be triggered,
supported values:
- unspecified
@ -54,7 +54,7 @@ in
- allowLoginUserResourceOwnerPolicy
'';
};
projectRoleAssertion = mkOption {
type = types.bool;
default = false;
@ -63,7 +63,7 @@ in
Describes if roles of user should be added in token.
'';
};
projectRoleCheck = mkOption {
type = types.bool;
default = false;
@ -72,11 +72,11 @@ in
ZITADEL checks if the user has at least one on this project.
'';
};
role = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, ... }: {
options =
options =
let
roleName = name;
in
@ -101,12 +101,12 @@ in
};
}));
};
assign = mkOption {
default = {};
type = types.attrsOf (types.listOf types.str);
};
application = mkOption {
default = {};
type = types.attrsOf (types.submodule {
@ -141,8 +141,8 @@ in
'';
};
exportMap =
let
exportMap =
let
strOpt = mkOption { type = types.nullOr types.str; default = null; };
in
mkOption {
@ -164,11 +164,11 @@ in
};
});
};
user = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, ... }: {
options =
options =
let
username = name;
in
@ -226,7 +226,7 @@ in
};
}));
};
action = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ name, ... }: {
@ -263,7 +263,7 @@ in
};
}));
};
triggers = mkOption {
default = [];
type = types.listOf (types.submodule {
@ -321,26 +321,26 @@ in
accessTokenType = mapEnum "OIDC_TOKEN_TYPE" value;
}."${type}" or value);
toResource = name: value: nameValuePair
toResource = name: value: nameValuePair
(toSnakeCase name)
(lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value);
withRef = type: name: attrs: attrs // (mapRef type name);
select = keys: callback: set:
if (length keys) == 0 then
if (length keys) == 0 then
mapAttrs' callback set
else let key = head keys; in
concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set
;
append = attrList: set: set // (listToAttrs attrList);
forEach = src: key: set:
forEach = src: key: set:
let
_key = concatMapStringsSep "_" (k: "\${item.${k}}") key;
in
{
forEach = "{ for item in ${src} : \"${_key}\" => item }";
{
forEach = "{ for item in ${src} : \"${_key}\" => item }";
}
// set;
@ -376,18 +376,18 @@ in
}
] ])
";
orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id");
orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id");
};
resource = {
# Organizations
zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }:
zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }:
{ inherit name isDefault; }
|> toResource name
);
# Projects per organization
zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }:
zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }:
{
inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck;
}
@ -396,7 +396,7 @@ in
);
# Each OIDC app per project
zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}:
zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}:
{
inherit name redirectUris grantTypes responseTypes;
@ -404,41 +404,41 @@ in
idTokenRoleAssertion = true;
accessTokenType = "JWT";
}
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}"
);
# Each project role
zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value:
zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value:
{ inherit (value) displayName group; roleKey = name; }
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}"
);
# Each project role assignment
zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles:
{ roleKeys = roles; }
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> withRef "user" "${org}_${user}"
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> withRef "user" "${org}_${user}"
|> toResource "${org}_${project}_${user}"
);
# Users
zitadel_human_user =
cfg.organization
|> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
zitadel_human_user =
cfg.organization
|> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
{
inherit email userName firstName lastName;
isEmailVerified = true;
}
}
|> withRef "org" org
|> toResource "${org}_${name}"
)
|> append
|> append
[
(forEach "local.extra_users" [ "org" "name" ] {
orgId = lib.tfRef "local.orgs[each.value.org]";
@ -446,7 +446,7 @@ in
email = lib.tfRef "each.value.email";
firstName = lib.tfRef "each.value.firstName";
lastName = lib.tfRef "each.value.lastName";
isEmailVerified = true;
}
|> toResource "extraUsers")
@ -454,20 +454,20 @@ in
;
# Global user roles
zitadel_instance_member =
cfg.organization
zitadel_instance_member =
cfg.organization
|> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0))
|> select [ "user" ] (org: name: { instanceRoles, ... }:
{ roles = instanceRoles; }
|> select [ "user" ] (org: name: { instanceRoles, ... }:
{ roles = instanceRoles; }
|> withRef "user" "${org}_${name}"
|> toResource "${org}_${name}"
);
# Organazation specific roles
zitadel_org_member =
zitadel_org_member =
cfg.organization
|> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0))
|> select [ "user" ] (org: name: { roles, ... }:
|> select [ "user" ] (org: name: { roles, ... }:
{ inherit roles; }
|> withRef "org" org
|> withRef "user" "${org}_${name}"
@ -475,9 +475,9 @@ in
);
# Organazation's actions
zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}:
{
inherit allowedToFail name;
zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}:
{
inherit allowedToFail name;
timeout = "${toString timeout}s";
script = "const ${name} = ${script}";
}
@ -486,20 +486,20 @@ in
);
# Organazation's action assignments
zitadel_trigger_actions =
zitadel_trigger_actions =
cfg.organization
|> concatMapAttrs (org: { triggers, ... }:
triggers
|> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in
{
inherit flowType triggerType;
inherit flowType triggerType;
actionIds =
actions
actionIds =
actions
|> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id"));
}
|> withRef "org" org
|> toResource "${org}_${name}"
}
|> withRef "org" org
|> toResource "${org}_${name}"
))
|> listToAttrs
);
@ -516,7 +516,7 @@ in
};
# Client credentials per app
local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }:
local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }:
nameValuePair "${org}_${project}_${name}" {
content = ''
${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"}
@ -530,7 +530,7 @@ in
})
];
};
in
in
mkIf cfg.enable {
${namespace}.services.persistance.postgresql.enable = true;
@ -548,7 +548,7 @@ in
wantedBy = [ "multi-user.target" ];
wants = [ "zitadel.service" ];
script = ''
#!/usr/bin/env bash
@ -628,7 +628,7 @@ in
Org = {
Name = "kruining";
Human = {
UserName = "chris";
FirstName = "Chris";
@ -639,7 +639,7 @@ in
};
Password = "KaasIsAwesome1!";
};
Machine = {
Machine = {
Username = "terraform-service-user";
@ -648,7 +648,7 @@ in
MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; };
# Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; };
};
# LoginClient.Machine = {
# Username = "terraform-service-user";
# Name = "Terraform";
@ -689,7 +689,7 @@ in
'';
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Secrets

24
modules/nixos/services/communication/matrix/default.nix
View file

@ -1,5 +1,10 @@
{ config, lib, pkgs, namespace, ... }:
let
{
config,
lib,
pkgs,
namespace,
...
}: let
inherit (builtins) toString toJSON;
inherit (lib) mkIf mkEnableOption;
@ -10,8 +15,7 @@ let
port = 4001;
database = "synapse";
in
{
in {
options.${namespace}.services.communication.matrix = {
enable = mkEnableOption "Matrix server (Synapse)";
};
@ -22,13 +26,13 @@ in
# virtualisation.podman.enable = true;
};
networking.firewall.allowedTCPPorts = [ 4001 ];
networking.firewall.allowedTCPPorts = [4001];
services = {
matrix-synapse = {
enable = true;
extras = [ "oidc" ];
extras = ["oidc"];
extraConfigFiles = [
config.sops.templates."synapse-oidc.yaml".path
@ -52,7 +56,7 @@ in
backchannel_logout_enabled = true;
sso = {
client_whitelist = [ "http://[::1]:9092" ];
client_whitelist = ["http://[::1]:9092"];
update_profile_information = true;
};
@ -75,7 +79,7 @@ in
resources = [
{
names = [ "client" "federation" "openid" "metrics" "media" "health" ];
names = ["client" "federation" "openid" "metrics" "media" "health"];
compress = true;
}
];
@ -132,7 +136,7 @@ in
postgresql = {
enable = true;
ensureDatabases = [ database ];
ensureDatabases = [database];
ensureUsers = [
{
name = database;
@ -192,7 +196,7 @@ in
localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name }}"
'';
restartUnits = [ "matrix-synapse.service" ];
restartUnits = ["matrix-synapse.service"];
};
};
};

20
modules/nixos/services/development/forgejo/default.nix
View file

@ -1,12 +1,16 @@
{ config, lib, pkgs, namespace, ... }:
let
{
config,
lib,
pkgs,
namespace,
...
}: let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption mkOption;
cfg = config.${namespace}.services.development.forgejo;
domain = "git.amarth.cloud";
in
{
in {
options.${namespace}.services.development.forgejo = {
enable = mkEnableOption "Forgejo";
@ -26,7 +30,7 @@ in
virtualisation.podman.enable = true;
};
environment.systemPackages = with pkgs; [ forgejo ];
environment.systemPackages = with pkgs; [forgejo];
services = {
forgejo = {
@ -141,7 +145,7 @@ in
};
};
openssh.settings.AllowUsers = [ "forgejo" ];
openssh.settings.AllowUsers = ["forgejo"];
gitea-actions-runner = {
package = pkgs.forgejo-runner;
@ -184,14 +188,14 @@ in
"forgejo/action_runner_token" = {
owner = "gitea-runner";
group = "gitea-runner";
restartUnits = [ "gitea-runner-default.service" ];
restartUnits = ["gitea-runner-default.service"];
};
"forgejo/email" = {
owner = "forgejo";
group = "forgejo";
key = "email/chris_kruining_eu";
restartUnits = [ "forgejo.service" ];
restartUnits = ["forgejo.service"];
};
};
};

51
modules/nixos/services/media/mydia/default.nix Normal file
View file

@ -0,0 +1,51 @@
{
config,
lib,
namespace,
inputs,
system,
...
}: let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.media.mydia;
in {
imports = [
inputs.mydia.nixosModules.default
];
options.${namespace}.services.media.mydia = {
enable = mkEnableOption "Enable Mydia";
};
config = mkIf cfg.enable {
services.mydia = {
enable = true;
package = inputs.mydia.packages.${system}.default;
port = 2010;
openFirewall = true;
secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path;
guardianSecretKeyFile = config.sops.secrets."mydia/guardian_secret".path;
oidc = {
enable = true;
issuer = "https://auth.kruining.eu";
clientIdFile = config.sops.secrets."mydia/oidc_id".path;
clientSecretFile = config.sops.secrets."mydia/oidc_secret".path;
scopes = ["openid" "profile" "email"];
};
};
sops.secrets =
["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"]
|> lib.map (name:
lib.nameValuePair "mydia/${name}" {
owner = config.services.mydia.user;
group = config.services.mydia.group;
restartUnits = ["mydia.service"];
})
|> lib.listToAttrs;
};
}

115
modules/nixos/services/media/servarr/default.nix
View file

@ -1,14 +1,20 @@
{ pkgs, config, lib, namespace, inputs, system, ... }:
let
{
pkgs,
config,
lib,
namespace,
inputs,
system,
...
}: let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.${namespace}.services.media.servarr;
in
{
in {
options.${namespace}.services.media = {
servarr = mkOption {
type = types.attrsOf (types.submodule ({ name, ... }: {
type = types.attrsOf (types.submodule ({name, ...}: {
options = {
enable = mkEnableOption "Enable ${name}";
debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} ";
@ -28,9 +34,13 @@ in
};
config = {
services =
services =
cfg
|> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable {
|> lib.mapAttrsToList (service: {
enable,
port,
...
}: (mkIf enable {
"${service}" = {
enable = true;
openFirewall = true;
@ -58,31 +68,44 @@ in
};
}))
|> lib.mergeAttrsList
|> (set: set // {
postgresql = {
ensureDatabases = cfg |> lib.attrNames;
ensureUsers = cfg |> lib.attrNames |> lib.map (service: {
name = service;
ensureDBOwnership = true;
});
};
})
;
|> (set:
set
// {
postgresql = {
ensureDatabases = cfg |> lib.attrNames;
ensureUsers =
cfg
|> lib.attrNames
|> lib.map (service: {
name = service;
ensureDBOwnership = true;
});
};
});
systemd =
systemd =
cfg
|> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable {
|> lib.mapAttrsToList (service: {
enable,
debug,
port,
rootFolders,
...
}: (mkIf enable {
tmpfiles.rules = [
"d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -"
];
services."${service}ApplyTerraform" =
let
services."${service}ApplyTerraform" = let
terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system;
modules = [
({ config, lib, ... }: {
({
config,
lib,
...
}: {
config = {
variable = {
api_key = {
@ -102,23 +125,21 @@ in
};
resource = {
"${service}_root_folder" =
"${service}_root_folder" =
rootFolders
|> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; })
|> lib.listToAttrs
;
|> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;})
|> lib.listToAttrs;
};
};
})
];
};
in
{
in {
description = "${service} terraform apply";
wantedBy = [ "multi-user.target" ];
wants = [ "${service}.service" ];
wantedBy = ["multi-user.target"];
wants = ["${service}.service"];
script = ''
#!/usr/bin/env bash
@ -141,7 +162,11 @@ in
# Run the infrastructure code
${lib.getExe pkgs.opentofu} \
${if debug then "plan" else "apply -auto-approve"} \
${
if debug
then "plan"
else "apply -auto-approve"
} \
-var-file='${config.sops.templates."${service}/config.tfvars".path}'
'';
@ -158,31 +183,29 @@ in
};
};
}))
|> lib.mergeAttrsList
;
|> lib.mergeAttrsList;
users.users =
users.users =
cfg
|> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable {
"${service}".extraGroups = [ "media" ];
|> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable {
"${service}".extraGroups = ["media"];
}))
|> lib.mergeAttrsList
;
|> lib.mergeAttrsList;
sops =
sops =
cfg
|> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable {
|> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable {
secrets."${service}/apikey" = {
owner = service;
group = service;
restartUnits = [ "${service}.service" ];
restartUnits = ["${service}.service"];
};
templates = {
"${service}/config.env" = {
owner = service;
group = service;
restartUnits = [ "${service}.service" ];
restartUnits = ["${service}.service"];
content = ''
${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}"
'';
@ -191,18 +214,16 @@ in
"${service}/config.tfvars" = {
owner = service;
group = service;
restartUnits = [ "${service}.service" ];
restartUnits = ["${service}.service"];
content = ''
api_key = "${config.sops.placeholder."${service}/apikey"}"
'';
};
};
}))
|> lib.mergeAttrsList
;
|> lib.mergeAttrsList;
};
# cfg
# |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable {

7
modules/nixos/shells/default.nix
View file

@ -1,2 +1,5 @@
{ ... }:
{}
{...}: {
config = {
programs.bash.enableCompletion = true;
};
}