diff --git a/.just/machine.just b/.just/machine.just new file mode 100644 index 0000000..65d1a7b --- /dev/null +++ b/.just/machine.just @@ -0,0 +1,9 @@ +@_default: list + +[doc('List machines')] +@list: + ls -1 ../systems/x86_64-linux/ + +[doc('Update the target machine')] +update machine: + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file diff --git a/.just/vars.just b/.just/vars.just new file mode 100644 index 0000000..46bb5fd --- /dev/null +++ b/.just/vars.just @@ -0,0 +1,28 @@ +base_path := invocation_directory() / "systems/x86_64-linux" +sops := "nix shell nixpkgs#sops --command sops" + +@_default: + just --list + +[doc('list all vars of the target machine')] +list machine: + {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml + +@edit machine: + {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml + +@set machine key value: + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" + +@remove machine key: + {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 67ac3a4..1c9fc03 100644 --- a/.justfile +++ b/.justfile @@ -1,7 +1,18 @@ +@_default: + just --list --list-submodules -try-again: - nix flake update amarth-customer-portal - nix flake check --all-systems --show-trace +[doc('Manage vars')] +mod vars '.just/vars.just' -update machine: - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file +[doc('Manage machines')] +mod machine '.just/machine.just' + +[doc('Show information about project')] +@show: + echo "show" + +[doc('update the flake dependencies')] +@update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..9e7956c --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,11 @@ +keys: + - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq + - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + +creation_rules: + # All Machine secrets + - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$ + key_groups: + - age: + - *ulmo_1 + - *ulmo_2 \ No newline at end of file diff --git a/.sops.yml b/.sops.yml deleted file mode 100644 index 96e09c3..0000000 --- a/.sops.yml +++ /dev/null @@ -1,8 +0,0 @@ -keys: - - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - -creation_rules: - - path_regex: secrets/secrets.yml$ - key_groups: - - age: - - *primary diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml deleted file mode 100644 index 78b1a8c..0000000 --- a/_secrets/secrets.yaml +++ /dev/null @@ -1,30 +0,0 @@ -#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment] -example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str] -#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment] -#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment] -example: - my_subdir: - my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR - ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz - YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB - dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR - Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-09T11:37:49Z" - mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.4 - -zitadel: - masterKey: thisWillBeAnEncryptedValueInTheFuture diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index ede7c53..3fa74b9 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,7 +31,9 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; + # targets.qt.platform = mkDefault "kde"; + targets.zen-browser.profileNames = [ "Chris" ]; fonts = { serif = { diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 66f5fc0..59abcf3 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair; + inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -129,21 +129,19 @@ in withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); + select = keys: callback: set: + if (length keys) == 0 then + mapAttrs' callback set + else let key = head keys; in + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + + config' = config; + # this is a nix package, the generated json file to be exact terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; - modules = - let - inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length; - - select = keys: callback: set: - if (length keys) == 0 then - mapAttrs' callback set - else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; - in - [ + modules = [ ({ config, lib, ... }: { config = { terraform.required_providers.zitadel = { @@ -181,6 +179,15 @@ in |> withRef "project" project |> toResource name ); + + zitadel_smtp_config.default = { + sender_address = "chris@kruining.eu"; + sender_name = "no-reply (Zitadel)"; + tls = true; + host = "black-mail.nl"; + user = "chris@kruining.eu"; + password = "\${file(\"${config'.sops.templates."kaas".path}\")}"; + }; }; }; }) @@ -214,7 +221,6 @@ in ${lib.getExe pkgs.opentofu} init # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan ${lib.getExe pkgs.opentofu} apply -auto-approve ''; @@ -250,31 +256,30 @@ in SecretHasher.Hasher.Algorithm = "argon2id"; }; - # DefaultInstance = { - # # PasswordComplexityPolicy = { - # # MinLength = 0; - # # HasLowercase = false; - # # HasUppercase = false; - # # HasNumber = false; - # # HasSymbol = false; - # # }; - # LoginPolicy = { - # AllowRegister = false; - # ForceMFA = true; - # }; - # LockoutPolicy = { - # MaxPasswordAttempts = 5; - # MaxOTPAttempts = 10; - # }; - # # SMTPConfiguration = { - # # SMTP = { - # # Host = "black-mail.nl:587"; - # # User = "chris@kruining.eu"; - # # Password = "__TODO_USE_SOPS__"; - # # }; - # # FromName = "Amarth Zitadel"; - # # }; - # }; + DefaultInstance = { + # PasswordComplexityPolicy = { + # MinLength = 0; + # HasLowercase = false; + # HasUppercase = false; + # HasNumber = false; + # HasSymbol = false; + # }; + # LoginPolicy = { + # AllowRegister = false; + # ForceMFA = true; + # }; + # LockoutPolicy = { + # MaxPasswordAttempts = 5; + # MaxOTPAttempts = 10; + # }; + SMTPConfiguration = { + SMTP = { + Host = "black-mail.nl:587"; + User = "chris@kruining.eu"; + }; + FromName = "Amarth Zitadel"; + }; + }; Database.postgres = { Host = "localhost"; @@ -330,6 +335,9 @@ in }; }; }; + extraStepsPaths = [ + config.sops.templates."secrets.yaml".path + ]; }; postgresql = { @@ -364,10 +372,37 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets - sops.secrets."zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; + sops = { + secrets = { + "zitadel/masterKey" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 + }; + + "email/chris_kruining_eu" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; + }; + }; + + templates."secrets.yaml" = { + owner = "zitadel"; + group = "zitadel"; + content = '' + DefaultInstance: + SMTPConfiguration: + SMTP: + Password: ${config.sops.placeholder."email/chris_kruining_eu"} + ''; + }; + + templates."kaas" = { + owner = "zitadel"; + group = "zitadel"; + content = config.sops.placeholder."email/chris_kruining_eu"; + }; }; }; } diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index 68ab4ca..bee7b3c 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, namespace, inputs, ... }: +{ pkgs, config, namespace, inputs, system, ... }: let cfg = config.${namespace}.system.security.sops; in @@ -13,10 +13,14 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; + defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml"; - age.keyFile = "/home/"; + age = { + # keyFile = "~/.config/sops/age/keys.txt"; + # sshKeyPaths = [ "~/.ssh/id_ed25519" ]; + # generateKey = true; + }; }; }; } \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml new file mode 100644 index 0000000..6add209 --- /dev/null +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -0,0 +1,30 @@ +email: + info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] + chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] + info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] +zitadel: + masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] +sops: + age: + - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx + ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q + cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv + RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK + 6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV + eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS + NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG + TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb + Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-23T14:25:59Z" + mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0