diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix
index ad4cb92..4723cc3 100644
--- a/modules/home/application/zen/default.nix
+++ b/modules/home/application/zen/default.nix
@@ -15,26 +15,5 @@ in
 home.sessionVariables = {
 MOZ_ENABLE_WAYLAND = "1";
 };
-
- programs.zen-browser = {
- policies = {
- AutofillAddressEnabled = true;
- AutofillCreditCardEnabled = false;
- DisableAppUpdate = true;
- DisableFeedbackCommands = true;
- DisableFirefoxStudies = true;
- DisablePocket = true;
- DisableTelemetry = true;
- # DontCheckDefaultBrowser = false;
- NoDefaultBookmarks = true;
- # OfferToSaveLogins = false;
- EnableTrackingProtection = {
- Value = true;
- Locked = true;
- Cryptomining = true;
- Fingerprinting = true;
- };
- };
- };
 };
 }
diff --git a/modules/home/default.nix b/modules/home/default.nix
index 6dc81b5..e3185e0 100644
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -37,12 +37,11 @@ in
 {
 config = {
 home.sessionVariables = {
- SHELL = cfg.shell;
 EDITOR = cfg.editor;
 TERMINAL = cfg.terminal;
 BROWSER = cfg.browser;
 };
- # users.defaultUserShell = pkgs.${cfg.shell};
+ # home.shell = pkgs.${cfg.shell};
 };
 }
diff --git a/modules/home/desktop/plasma/default.nix b/modules/home/desktop/plasma/default.nix
index 13476fb..8614a97 100644
--- a/modules/home/desktop/plasma/default.nix
+++ b/modules/home/desktop/plasma/default.nix
@@ -20,11 +20,6 @@ in
 panels = import ./panels.nix;
 powerdevil = import ./power.nix;
- kwin = {
- edgeBarrier = 0;
- cornerBarrier = false;
- };
-
 session = {
 general.askForConfirmationOnLogout = false;
 sessionRestore.restoreOpenApplicationsOnLogin = "onLastLogout";
diff --git a/modules/home/terminal/ghostty/default.nix b/modules/home/terminal/ghostty/default.nix
index 4681b53..00d925c 100644
--- a/modules/home/terminal/ghostty/default.nix
+++ b/modules/home/terminal/ghostty/default.nix
@@ -13,7 +13,6 @@ in
 programs.ghostty = {
 enable = true;
 settings = {
- command = config.${namespace}.defaults.shell;
 background-blur-radius = 20;
 theme = "dark:stylix,light:stylix";
 window-theme = (config.${namespace}.themes.polarity or "dark");
diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix
index 9fd9192..f38a28e 100644
--- a/modules/nixos/desktop/default.nix
+++ b/modules/nixos/desktop/default.nix
@@ -17,12 +17,18 @@ in
 example = "plasma";
 description = "Which desktop to enable";
 };
+
+ autoLogin = mkEnableOption "Enable plasma's auto login feature.";
 };
 config = mkMerge [
 ({
 services.displayManager = {
 enable = true;
+
+ autoLogin = mkIf cfg.autoLogin {
+ enable = true;
+ };
 };
 })
diff --git a/modules/nixos/hardware/bluetooth/default.nix b/modules/nixos/hardware/bluetooth/default.nix
index 98fc678..1b99eef 100644
--- a/modules/nixos/hardware/bluetooth/default.nix
+++ b/modules/nixos/hardware/bluetooth/default.nix
@@ -11,9 +11,6 @@ in
 hardware.bluetooth = {
 enable = true;
 powerOnBoot = true;
- settings = {
- General.Experimental = true; # Show battery charge of Bluetooth devices
- };
 };
 services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = {
diff --git a/modules/nixos/services/authentication/authelia/default.nix b/modules/nixos/services/authentication/authelia.nix
similarity index 90%
rename from modules/nixos/services/authentication/authelia/default.nix
rename to modules/nixos/services/authentication/authelia.nix
index 9990003..e706439 100644
--- a/modules/nixos/services/authentication/authelia/default.nix
+++ b/modules/nixos/services/authentication/authelia.nix
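Review bot: `autoLogin = mkIf cfg.autoLogin { enable = true; };` sets no `user`, and `services.displayManager.autoLogin.enable` is only meaningful together with `autoLogin.user` (as far as I recall the NixOS display-manager module asserts on that combination), so enabling the new option either fails evaluation or logs nobody in; the manwe hunk further down removes the only visible `user = "chris";`, and nothing in this diff sets the new option on any host. Either add a `user` option next to `autoLogin` and pass it through, or keep the per-host `services.displayManager.autoLogin` block. `mkEnableOption "Enable plasma's auto login feature."` also renders as "Whether to enable Enable plasma's auto login feature."; `mkEnableOption "automatic login to the display manager"` reads correctly. Since auto login skips the local authentication step entirely, it should stay opt-in per host, and the option description is the place to say so.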
@@ -130,23 +130,6 @@ in
 scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
 redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
 }
- {
- client_id = "forgejo";
- client_name = "forgejo";
- # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
- client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
- public = false;
- require_pkce = true;
- pkce_challenge_method = "S256";
- token_endpoint_auth_method = "client_secret_post";
- authorization_policy = "one_factor";
- userinfo_signed_response_alg = "none";
- consent_mode = "implicit";
- scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
- response_types = [ "code" ];
- grant_types = [ "authorization_code" ];
- redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ];
- }
 ];
 };
 };
diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix
new file mode 100644
index 0000000..c157af7
--- /dev/null
+++ b/modules/nixos/services/authentication/default.nix
@@ -0,0 +1 @@
+{ ... }: {}
diff --git a/modules/nixos/services/authentication/himmelblau/default.nix b/modules/nixos/services/authentication/himmelblau.nix
similarity index 100%
rename from modules/nixos/services/authentication/himmelblau/default.nix
rename to modules/nixos/services/authentication/himmelblau.nix
diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel.nix
new file mode 100644
index 0000000..6142857
--- /dev/null
+++ b/modules/nixos/services/authentication/zitadel.nix
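Review bot: Deleting this client block does not revoke it: the comment directly above the removed `client_secret` line looks like the plaintext value the pbkdf2 hash was derived from, and both stay in git history after this commit. Treat the forgejo client secret as exposed and rotate it on whichever side still uses it, or record that the client was only ever registered for the localhost redirect and has been retired. The same holds for the deleted zitadel/default.nix later in this diff, whose `FirstInstance` admin password and PostgreSQL `trust` rules also remain retrievable from history.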
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.services.authentication.zitadel;
+
+ db_name = "zitadel";
+ db_user = "zitadel";
+in
+{
+ options.${namespace}.services.authentication.zitadel = {
+ enable = mkEnableOption "Zitadel";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ zitadel
+ ];
+
+ services = {
+ zitadel = {
+ enable = true;
+ openFirewall = true;
+ masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
+ tlsMode = "external";
+ settings = {
+ Port = 9092;
+ Database = {
+ Host = "/run/postgresql";
+ # Zitadel will report error if port is not set
+ Port = 5432;
+ Database = db_name;
+ User.Username = db_user;
+ };
+ };
+ steps = {
+ TestInstance = {
+ InstanceName = "Zitadel test";
+ Org = {
+ Name = "Kruining.eu";
+ Human = {
+ UserName = "admin";
+ Password = "kaas";
+ };
+ };
+ };
+ };
+ };
+
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ db_name ];
+ ensureUsers = [
+ {
+ name = db_user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ caddy = {
+ enable = true;
+ virtualHosts = {
+ "auth-z.kruining.eu".extraConfig = ''
+ reverse_proxy h2c://127.0.0.1:9092
+ '';
+ };
+ # extraConfig = ''
+ # (auth) {
+ # forward_auth h2c://127.0.0.1:9092 {
+ # uri /api/authz/forward-auth
+ # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ # }
+ # }
+ # '';
+ };
+ };
+
+ # Secrets
+ sops.secrets."zitadel/masterKey" = {
+ owner = "zitadel";
+ group = "zitadel";
+ restartUnits = [ "zitadel.service" ];
+ };
+ };
+}
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
deleted file mode 100644
index aa1a0dd..0000000
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ /dev/null
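Review bot: `Password = "kaas";` under `steps.TestInstance` is a plaintext admin credential inside a Nix expression, so it lands world-readable in the Nix store and in git; keep it out of `settings`/`steps` and load it from a sops-managed file the way `masterKeyFile` already does (the NixOS zitadel module accepts extra step files via `extraStepsPaths`, if the nixpkgs revision in use has that option). `openFirewall = true;` together with `tlsMode = "external"` exposes the cleartext h2c listener on port 9092 to the network even though Caddy already proxies it on loopback; `openFirewall = false;` keeps TLS termination in Caddy as the only entry point. The new file sets no `ExternalDomain`/`ExternalSecure`, which the module it replaces did; confirm the defaults, otherwise issued URLs will not match auth-z.kruining.eu behind the proxy. `TestInstance` is also not the step name the replaced module used (`FirstInstance`), so confirm it is honoured at all, or the bootstrap admin is never created and the password line is dead weight.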
@@ -1,111 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption mkForce; - - cfg = config.${namespace}.services.authentication.zitadel; - - db_name = "zitadel"; - db_user = "zitadel"; -in -{ - options.${namespace}.services.authentication.zitadel = { - enable = mkEnableOption "Zitadel"; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - zitadel - ]; - - services = { - zitadel = { - enable = true; - openFirewall = true; - # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; - masterKeyFile = "/var/lib/zitadel/master_key"; - tlsMode = "external"; - settings = { - Port = 9092; - ExternalDomain = "auth-z.kruining.eu"; - ExternalPort = 443; - ExternalSecure = true; - - Database.postgres = { - Host = "localhost"; - # Zitadel will report error if port is not set - Port = 5432; - Database = db_name; - User = { - Username = db_user; - SSL.Mode = "disable"; - }; - Admin = { - Username = "postgres"; - SSL.Mode = "disable"; - }; - }; - }; - steps = { - FirstInstance = { - InstanceName = "auth-z.kruining.eu"; - Org = { - Name = "Default"; - Human = { - UserName = "chris"; - FirstName = "Chris"; - LastName = "Kruining"; - Email = { - Address = "chris@kruining.eu"; - Verified = true; - }; - Password = "KaasIsAwesome1!"; - }; - }; - }; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - authentication = mkForce '' - # Generated file, do not edit! 
- # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - - caddy = { - enable = true; - virtualHosts = { - "auth-z.kruining.eu".extraConfig = '' - reverse_proxy h2c://127.0.0.1:9092 - ''; - }; - extraConfig = '' - (auth-z) { - forward_auth h2c://127.0.0.1:9092 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; - }; - - # Secrets - sops.secrets."zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; - }; - }; -} diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix deleted file mode 100644 index 5342b56..0000000 --- a/modules/nixos/services/development/forgejo/default.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.development.forgejo; - domain = "git.kruining.eu"; -in -{ - options.${namespace}.services.development.forgejo = { - enable = mkEnableOption "Forgejo"; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ forgejo ]; - - services = { - forgejo = { - enable = true; - useWizard = false; - database.type = "postgres"; - - settings = { - DEFAULT = { - APP_NAME = "Chris' Forge"; - }; - - server = { - DOMAIN = domain; - ROOT_URL = "https://${domain}/"; - HTTP_PORT = 5002; - }; - - security = { - PASSWORD_HASH_ALGO = "argon2"; - }; - - service = { - REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything - DISABLE_REGISTRATION = true; - ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - SHOW_REGISTRATION_BUTTON = false; - }; - - openid = { - ENABLE_OPENID_SIGNIN = true; - ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "https://auth-z.kruining.eu"; - }; - - oauth2_client = { - ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = true; - }; - - # actions = { - # ENABLED = true; - # DEFAULT_ACTIONS_URL = "forgejo"; - # }; - - session = { - COOKIE_SECURE = true; - }; - }; - }; - - # gitea-actions-runner = { - # package = pkgs.forgejo-actions-runner; - # instances.default = { - # enable = true; - # name = "monolith"; - # url = "https://git.kruining.eu"; - # # Obtaining the path to the runner token file may differ - # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - # tokenFile = config.age.secrets.forgejo-runner-token.path; - # labels = [ - # "ubuntu-latest:docker://node:16-bullseye" - # "ubuntu-22.04:docker://node:16-bullseye" - # "ubuntu-20.04:docker://node:16-bullseye" - # "ubuntu-18.04:docker://node:16-buster" - # "native:host" - # ]; - # }; - # }; - - caddy = { - enable = true; - virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z - - # stupid dumb way to prevent the 
login page and go to zitadel instead
- # be aware that this does not disable local login at all!
- rewrite /user/login /user/oauth2/Zitadel
-
- reverse_proxy http://127.0.0.1:5002
- '';
- };
- };
- };
- };
-}
diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix
index f76e4ae..7d76794 100644
--- a/modules/nixos/services/media/default.nix
+++ b/modules/nixos/services/media/default.nix
@@ -79,11 +79,6 @@ in
 bazarr = serviceConf;
 lidarr = serviceConf;
- flaresolverr = {
- enable = true;
- openFirewall = true;
- };
-
 jellyseerr = {
 enable = true;
 openFirewall = true;
@@ -140,11 +135,11 @@ in
 backend = "podman";
 containers = {
- # flaresolverr = {
- # image = "flaresolverr/flaresolverr";
- # autoStart = true;
- # ports = [ "127.0.0.1:8191:8191" ];
- # };
+ flaresolverr = {
+ image = "flaresolverr/flaresolverr";
+ autoStart = true;
+ ports = [ "127.0.0.1:8191:8191" ];
+ };
 reiverr = {
 image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud.nix
similarity index 96%
rename from modules/nixos/services/media/nextcloud/default.nix
rename to modules/nixos/services/media/nextcloud.nix
index 14d6863..658a5b4 100644
--- a/modules/nixos/services/media/nextcloud/default.nix
+++ b/modules/nixos/services/media/nextcloud.nix
@@ -6,7 +6,7 @@ let
 cfg = config.${namespace}.services.media.nextcloud;
 in
 {
- options.${namespace}.services.media.nextcloud = {
+ options.modules.services.nextcloud = {
 enable = mkEnableOption "Nextcloud";
 user = mkOption {
@@ -40,7 +40,7 @@ in
 services.nextcloud = {
 enable = true;
- # webserver = "caddy";
+ webserver = "caddy";
 package = pkgs.nextcloud31;
 hostName = "localhost";
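Review bot: `image = "flaresolverr/flaresolverr";` in the uncommented container block carries no tag or digest, so every pull resolves to whatever `latest` is at that moment, unlike `reiverr` a few lines below, which is pinned to `v2.2.0`; pin it as `image = "flaresolverr/flaresolverr:<version>";` (or a `@sha256:` digest) so rebuilds are reproducible and an upstream image change cannot land on the host unnoticed. Binding `ports` to `127.0.0.1:8191:8191` is the right choice and is tighter than the `openFirewall = true;` the removed native service had, so that part needs no change.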
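Review bot: The option is now declared at `options.modules.services.nextcloud` while the unchanged `cfg = config.${namespace}.services.media.nextcloud;` in the same hunk still reads the old path, so `cfg.enable` refers to an option nothing declares and evaluation fails with a missing-attribute error as soon as the module is imported. Either keep `options.${namespace}.services.media.nextcloud = {` or change `cfg` to match; note that the sibling nfs.nix rename in this diff moves both sides consistently but to `media.nfs` rather than `services.media.nfs`, so the two modules also disagree with each other now. In the second hunk `webserver = "caddy";` is uncommented; I do not find a `services.nextcloud.webserver` option in the NixOS module, so confirm it exists in the nixpkgs revision in use, since an undeclared option is an evaluation error too.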
diff --git a/modules/nixos/services/media/nfs/default.nix b/modules/nixos/services/media/nfs.nix
similarity index 79%
rename from modules/nixos/services/media/nfs/default.nix
rename to modules/nixos/services/media/nfs.nix
index 54b58e7..7674e69 100644
--- a/modules/nixos/services/media/nfs/default.nix
+++ b/modules/nixos/services/media/nfs.nix
@@ -2,10 +2,10 @@
 let
 inherit (lib) mkIf mkEnableOption;
- cfg = config.${namespace}.services.media.nfs;
+ cfg = config.${namespace}.media.nfs;
 in
 {
- options.${namespace}.services.media.nfs = {
+ options.${namespace}.media.nfs = {
 enable = mkEnableOption "Enable NFS";
 };
diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix
index 68ab4ca..a75856d 100644
--- a/modules/nixos/system/security/sops/default.nix
+++ b/modules/nixos/system/security/sops/default.nix
@@ -13,7 +13,7 @@ in
 environment.systemPackages = with pkgs; [ sops ];
 sops = {
- defaultSopsFile = ../../../../../_secrets/secrets.yaml;
+ defaultSopsFile = ../../../../secrets/secrets.yaml;
 defaultSopsFormat = "yaml";
 age.keyFile = "/home/";
diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix
index b79efbc..6dedf50 100644
--- a/modules/nixos/system/security/sudo/default.nix
+++ b/modules/nixos/system/security/sudo/default.nix
@@ -14,8 +14,9 @@ in
 sudo-rs = {
 enable = true;
- execWheelOnly = true;
- extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"'';
+ extraConfig = ''
+ Defaults env_keep += "EDITOR PATH DISPLAY"
+ '';
 };
 };
 };
diff --git a/systems/x86_64-linux/manwe/default.nix b/systems/x86_64-linux/manwe/default.nix
index 76d4e6d..c333f85 100644
--- a/systems/x86_64-linux/manwe/default.nix
+++ b/systems/x86_64-linux/manwe/default.nix
@@ -28,11 +28,5 @@
 };
 };
-
- services.displayManager.autoLogin = {
- enable = true;
- user = "chris";
- };
-
 system.stateVersion = "23.11";
 }
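Review bot: In the sudo hunk `execWheelOnly = true;` disappears together with the `extraConfig` reformat, which reads like an unintended side effect of a whitespace change: without it the sudo binary is executable by every local account instead of only by `wheel`, dropping a cheap hardening layer for no stated reason. If the removal is deliberate it deserves a comment; otherwise restore `execWheelOnly = true;` next to `enable = true;`. Separately, the re-added `Defaults env_keep += "EDITOR PATH DISPLAY"` carries the caller's PATH into the elevated session, which lets an unprivileged environment influence which binaries an elevated command resolves (the risk `secure_path` exists to prevent); confirm sudo-rs still applies a secure path here, or keep only `EDITOR DISPLAY` unless a specific workflow needs PATH.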
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index f47c580..7a2540f 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@@ -7,15 +7,8 @@
 sneeuwvlok = {
 services = {
- authentication.authelia.enable = true;
- authentication.zitadel.enable = true;
- networking.ssh.enable = true;
- media.enable = true;
- media.nfs.enable = true;
-
- development.forgejo.enable = true;
 };
 editor = {