WIP: trying to get smtp configured for zitadel

.just/machine.just

@@ -0,0 +1,9 @@
+@_default: list
+
+[doc('List machines')]
+@list:
+  ls -1 ../systems/x86_64-linux/
+
+[doc('Update the target machine')]
+update machine:
+  nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}

.just/vars.just

@@ -0,0 +1,28 @@
+base_path := invocation_directory() / "systems/x86_64-linux"
+sops := "nix shell nixpkgs#sops --command sops"
+
+@_default:
+  just --list
+
+[doc('list all vars of the target machine')]
+list machine:
+  {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml
+  
+@edit machine:
+  {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
+  
+@set machine key value:
+  {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
+
+  git add {{ base_path }}/{{ machine }}/secrets.yml
+  git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
+
+  echo "Done"
+  
+@remove machine key:
+  {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
+
+  git add {{ base_path }}/{{ machine }}/secrets.yml
+  git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
+
+  echo "Done"

.justfile

@@ -1,7 +1,18 @@
+@_default:
+  just --list --list-submodules
 
-try-again:
-    nix flake update amarth-customer-portal
-    nix flake check --all-systems --show-trace
+[doc('Manage vars')]
+mod vars '.just/vars.just'
 
-update machine:
-    nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
+[doc('Manage machines')]
+mod machine '.just/machine.just'
+
+[doc('Show information about project')]
+@show:
+  echo "show"
+
+[doc('update the flake dependencies')]
+@update:
+  nix flake update
+  git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null
+  echo "Done"

.sops.yaml

@@ -0,0 +1,11 @@
+keys:
+  - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
+  - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+
+creation_rules:
+  # All Machine secrets
+  - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$
+    key_groups:
+      - age:
+          - *ulmo_1
+          - *ulmo_2

.sops.yml

@@ -1,8 +0,0 @@
-keys:
-  - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-
-creation_rules:
-  - path_regex: secrets/secrets.yml$
-    key_groups:
-      - age:
-          - *primary

_secrets/secrets.yaml

@@ -1,30 +0,0 @@
-#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
-example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
-#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
-#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
-example:
-    my_subdir:
-        my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
-            ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
-            YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
-            dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
-            Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-09T11:37:49Z"
-    mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.4
-
-zitadel:
-  masterKey: thisWillBeAnEncryptedValueInTheFuture

modules/home/themes/default.nix

@@ -31,7 +31,9 @@ in {
       base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml";
       image = ./${cfg.theme}.jpg;
       polarity = cfg.polarity;
+
 #      targets.qt.platform = mkDefault "kde";
+      targets.zen-browser.profileNames = [ "Chris" ];
 
       fonts = {
         serif = {

modules/nixos/services/authentication/zitadel/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, system, inputs, ... }:
 let
-  inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair;
+  inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length;
   inherit (lib.${namespace}.strings) toSnakeCase;
 
   cfg = config.${namespace}.services.authentication.zitadel;
@@ -129,21 +129,19 @@ in
     withName = name: attrs: attrs // { inherit name; };
     withRef = type: name: attrs: attrs // (mapRef type name);
 
+    select = keys: callback: set:
+      if (length keys) == 0 then 
+        mapAttrs' callback set
+      else let key = head keys; in
+        concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set;
+
+    config' = config;
+
     # this is a nix package, the generated json file to be exact
     terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
       inherit system;
 
-      modules = 
-      let
-        inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length;
-
-        select = keys: callback: set:
-          if (length keys) == 0 then 
-            mapAttrs' callback set
-          else let key = head keys; in
-            concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set;
-      in
-      [
+      modules = [
         ({ config, lib, ... }: {
           config = {
             terraform.required_providers.zitadel = {
@@ -181,6 +179,15 @@ in
                   |> withRef "project" project 
                   |> toResource name
               );
+
+              zitadel_smtp_config.default = {
+                sender_address = "chris@kruining.eu";
+                sender_name = "no-reply (Zitadel)";
+                tls = true;
+                host = "black-mail.nl";
+                user = "chris@kruining.eu";
+                password = "\${file(\"${config'.sops.templates."kaas".path}\")}";
+              };
             };
           };
         })
@@ -214,7 +221,6 @@ in
         ${lib.getExe pkgs.opentofu} init
 
         # Run the infrastructure code
-        # ${lib.getExe pkgs.opentofu} plan
         ${lib.getExe pkgs.opentofu} apply -auto-approve
       '';
 
@@ -250,31 +256,30 @@ in
             SecretHasher.Hasher.Algorithm = "argon2id";
           };
 
-          # DefaultInstance = {
-          #   # PasswordComplexityPolicy = {
-          #   #   MinLength = 0;
-          #   #   HasLowercase = false;
-          #   #   HasUppercase = false;
-          #   #   HasNumber = false;
-          #   #   HasSymbol = false;
-          #   # };
-          #   LoginPolicy = {
-          #     AllowRegister = false;
-          #     ForceMFA = true;
-          #   };
-          #   LockoutPolicy = {
-          #     MaxPasswordAttempts = 5;
-          #     MaxOTPAttempts = 10;
-          #   };
-          #   # SMTPConfiguration = {
-          #   #   SMTP = {
-          #   #     Host = "black-mail.nl:587";
-          #   #     User = "chris@kruining.eu";
-          #   #     Password = "__TODO_USE_SOPS__";
-          #   #   };
-          #   #   FromName = "Amarth Zitadel";
-          #   # };
-          # };
+          DefaultInstance = {
+            # PasswordComplexityPolicy = {
+            #   MinLength = 0;
+            #   HasLowercase = false;
+            #   HasUppercase = false;
+            #   HasNumber = false;
+            #   HasSymbol = false;
+            # };
+            # LoginPolicy = {
+            #   AllowRegister = false;
+            #   ForceMFA = true;
+            # };
+            # LockoutPolicy = {
+            #   MaxPasswordAttempts = 5;
+            #   MaxOTPAttempts = 10;
+            # };
+            SMTPConfiguration = {
+              SMTP = {
+                Host = "black-mail.nl:587";
+                User = "chris@kruining.eu";
+              };
+              FromName = "Amarth Zitadel";
+            };
+          };
 
           Database.postgres = {
             Host = "localhost";
@@ -330,6 +335,9 @@ in
             };
           };
         };
+        extraStepsPaths = [
+          config.sops.templates."secrets.yaml".path
+        ];
       };
 
       postgresql = {
@@ -364,10 +372,37 @@ in
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     # Secrets
-    sops.secrets."zitadel/masterKey" = {
-      owner = "zitadel";
-      group = "zitadel";
-      restartUnits = [ "zitadel.service" ];
+    sops = {
+      secrets = {
+        "zitadel/masterKey" = {
+          owner = "zitadel";
+          group = "zitadel";
+          restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0
+        };
+
+        "email/chris_kruining_eu" = {
+          owner = "zitadel";
+          group = "zitadel";
+          restartUnits = [ "zitadel.service" ];
+        };
+      };
+
+      templates."secrets.yaml" = {
+        owner = "zitadel";
+        group = "zitadel";
+        content = ''
+          DefaultInstance:
+            SMTPConfiguration:
+              SMTP:
+                Password: ${config.sops.placeholder."email/chris_kruining_eu"}
+        '';
+      };
+
+      templates."kaas" = {
+        owner = "zitadel";
+        group = "zitadel";
+        content = config.sops.placeholder."email/chris_kruining_eu";
+      };
     };
   };
 }

modules/nixos/system/security/sops/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, namespace, inputs, ... }:
+{ pkgs, config, namespace, inputs, system, ... }:
 let
   cfg = config.${namespace}.system.security.sops;
 in
@@ -13,10 +13,14 @@ in
     environment.systemPackages = with pkgs; [ sops ];
 
     sops = {
-      defaultSopsFile = ../../../../../_secrets/secrets.yaml;
       defaultSopsFormat = "yaml";
+      defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml";
 
-      age.keyFile = "/home/";
+      age = {
+        # keyFile = "~/.config/sops/age/keys.txt";
+        # sshKeyPaths = [ "~/.ssh/id_ed25519" ];
+        # generateKey = true;
+      };
     };
   };
 }

systems/x86_64-linux/ulmo/secrets.yml

@@ -0,0 +1,30 @@
+email:
+    info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str]
+    chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str]
+    info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str]
+zitadel:
+    masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str]
+sops:
+    age:
+        - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx
+            ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q
+            cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv
+            RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK
+            6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV
+            eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS
+            NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG
+            TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
+            Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-23T14:25:59Z"
+    mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0