diff --git a/.just/machine.just b/.just/machine.just index cbdf345..098e101 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -1,11 +1,11 @@ -@_default: list - -[doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ - -[no-exit-message] -[doc('Update the target machine')] -@update machine: - just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file +@_default: list + +[doc('List machines')] +@list: + ls -1 ../systems/x86_64-linux/ + +[doc('Update the target machine')] +[no-exit-message] +@update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} diff --git a/.just/vars.just b/.just/vars.just index d8bd181..0d381ef 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,36 +1,36 @@ -set unstable - -base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" -sops := "sops" -yq := "yq" - -@_default: - just --list - -[doc('list all vars of the target machine')] -list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml - -@set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - - echo "Done" - -@get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - -@remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - +set unstable + +base_path := invocation_directory() / "systems/x86_64-linux" +# sops := "nix shell nixpkgs#sops --command sops" +# yq := "nix shell nixpkgs#yq --command yq" +sops := "sops" +yq := "yq" + +@_default: + just --list + +[doc('list all vars of the target machine')] +list machine: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + +@edit machine: + sops edit {{ base_path }}/{{ machine }}/secrets.yml + +@set machine key value: + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" + +@get machine key: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" + +@remove machine key: + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 3a15d20..87563d0 100644 --- a/.justfile +++ b/.justfile @@ -1,33 +1,33 @@ -@_default: - just --list --list-submodules - -[doc('Manage vars')] -mod vars '.just/vars.just' - -[doc('Manage machines')] -mod machine '.just/machine.just' - -[doc('Show information about project')] -@show: - echo "show" - -[doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" - -[doc('Introspection on flake output')] -@select key: - nix eval --json .#{{ key }} | jq . - - - -#=============================================================================================== -# Utils -#=============================================================================================== -[no-exit-message] -[no-cd] -[private] -@assert condition message: +@_default: + just --list --list-submodules + +[doc('Manage vars')] +mod vars '.just/vars.just' + +[doc('Manage machines')] +mod machine '.just/machine.just' + +[doc('Show information about project')] +@show: + echo "show" + +[doc('update the flake dependencies')] +@update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" + +[doc('Introspection on flake output')] +@select key: + nix eval --json .#{{ key }} | jq . + + + +#=============================================================================================== +# Utils +#=============================================================================================== +[no-exit-message] +[no-cd] +[private] +@assert condition message: [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file diff --git a/flake.lock b/flake.lock index 9d38839..cab88a5 100644 --- a/flake.lock +++ b/flake.lock @@ -402,7 +402,7 @@ }, "flake-utils-plus": { "inputs": { - "flake-utils": "flake-utils_4" + "flake-utils": "flake-utils_5" }, "locked": { "lastModified": 1715533576, @@ -457,7 +457,25 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_6" + "systems": "systems_5" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "inputs": { + "systems": "systems_7" }, "locked": { "lastModified": 1694529238, @@ -662,6 +680,25 @@ "type": "github" } }, + "mydia": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1764568388, + "narHash": "sha256-kl8165eI0lUz9E96sdreZ48/nApydDfJP8IksjBveAw=", + "owner": "getmydia", + "repo": "mydia", + "rev": "74f0cf9a8ca782581ec0a35acf6526fccfbb6e2a", + "type": "github" + }, + "original": { + "owner": "getmydia", + "repo": "mydia", + "type": "github" + } + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -708,8 +745,8 @@ "nix-minecraft": { "inputs": { "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_5" + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1763171892, @@ -856,6 +893,22 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1762977756, + "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1763469780, @@ -905,6 +958,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1764242076, + "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1748929857, "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", @@ -920,7 +989,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1763421233, "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", @@ -936,7 +1005,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1761880412, "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", @@ -952,7 +1021,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1763191728, "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=", @@ -968,22 +1037,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1762977756, - "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "inputs": { "flake-parts": [ @@ -1014,8 +1067,8 @@ "flake-compat": "flake-compat_4", "flake-parts": "flake-parts_2", "mnw": "mnw", - "nixpkgs": "nixpkgs_7", - "systems": "systems_5" + "nixpkgs": "nixpkgs_8", + "systems": "systems_6" }, "locked": { "lastModified": 1762622004, @@ -1065,11 +1118,12 @@ "himmelblau": "himmelblau", "home-manager": "home-manager", "jovian": "jovian", + "mydia": "mydia", "nix-minecraft": "nix-minecraft", "nixos-boot": "nixos-boot", "nixos-generators": "nixos-generators", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", @@ -1162,7 +1216,7 @@ }, "sops-nix_2": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1763509310, @@ -1187,9 +1241,9 @@ "firefox-gnome-theme": "firefox-gnome-theme", "flake-parts": "flake-parts_3", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "nur": "nur", - "systems": "systems_7", + "systems": "systems_8", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -1330,13 +1384,28 @@ "type": "github" } }, + "systems_9": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_8" + "systems": "systems_9" }, "locked": { "lastModified": 1762472226, diff --git a/flake.nix b/flake.nix index d7a7508..5668380 100644 --- a/flake.nix +++ b/flake.nix @@ -88,49 +88,54 @@ url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; + + mydia = { + url = "github:getmydia/mydia"; + }; }; - outputs = inputs: inputs.snowfall-lib.mkFlake { - inherit inputs; - src = ./.; + outputs = inputs: + inputs.snowfall-lib.mkFlake { + inherit inputs; + src = ./.; - snowfall = { - namespace = "sneeuwvlok"; + snowfall = { + namespace = "sneeuwvlok"; - meta = { - name = "sneeuwvlok"; - title = "Sneeuwvlok"; + meta = { + name = "sneeuwvlok"; + title = "Sneeuwvlok"; + }; }; - }; - channels-config = { - allowUnfree = true; - permittedInsecurePackages = [ - # Due to *arr stack - "dotnet-sdk-6.0.428" - "aspnetcore-runtime-6.0.36" + channels-config = { + allowUnfree = true; + permittedInsecurePackages = [ + # Due to *arr stack + "dotnet-sdk-6.0.428" + "aspnetcore-runtime-6.0.36" - # I think this is because of zen - "qtwebengine-5.15.19" + # I think this is because of zen + "qtwebengine-5.15.19" - # For Nheko, the matrix client - "olm-3.2.16" + # For Nheko, the matrix client + "olm-3.2.16" + ]; + }; + + overlays = with inputs; [ + fenix.overlays.default + nix-minecraft.overlay + flux.overlays.default + ]; + + systems.modules = with inputs; [ + clan-core.nixosModules.default + ]; + + homes.modules = with inputs; [ + stylix.homeModules.stylix + plasma-manager.homeModules.plasma-manager ]; }; - - overlays = with inputs; [ - fenix.overlays.default - nix-minecraft.overlay - flux.overlays.default - ]; - - systems.modules = with inputs; [ - clan-core.nixosModules.default - ]; - - homes.modules = with inputs; [ - stylix.homeModules.stylix - plasma-manager.homeModules.plasma-manager - ]; - }; } diff --git a/modules/home/application/steam/default.nix b/modules/home/application/steam/default.nix index 4e62c41..ec47942 100644 --- a/modules/home/application/steam/default.nix +++ b/modules/home/application/steam/default.nix @@ -1,55 +1,55 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.steam; -in -{ - options.${namespace}.application.steam = { - enable = mkEnableOption "enable steam"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ protonup ]; - - home.sessionVariables = { - STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; - }; - - programs = { - # steam = { - # enable = true; - # package = pkgs.steam-small.override { - # extraEnv = { - # DXVK_HUD = "compiler"; - # MANGOHUD = true; - # }; - # }; - - # gamescopeSession = { - # enable = true; - # args = ["--immediate-flips"]; - # }; - # }; - - # https://github.com/FeralInteractive/gamemode - # gamemode = { - # enable = true; - # enableRenice = true; - # settings = {}; - # }; - - # gamescope = { - # enable = true; - # capSysNice = true; - # env = { - # DXVK_HDR = "1"; - # ENABLE_GAMESCOPE_WSI = "1"; - # WINE_FULLSCREEN_FSR = "1"; - # WLR_RENDERER = "vulkan"; - # }; - # args = ["--hdr-enabled"]; - # }; - }; - }; -} +{ inputs, config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.steam; +in +{ + options.${namespace}.application.steam = { + enable = mkEnableOption "enable steam"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ protonup-ng ]; + + home.sessionVariables = { + STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; + }; + + programs = { + # steam = { + # enable = true; + # package = pkgs.steam-small.override { + # extraEnv = { + # DXVK_HUD = "compiler"; + # MANGOHUD = true; + # }; + # }; + + # gamescopeSession = { + # enable = true; + # args = ["--immediate-flips"]; + # }; + # }; + + # https://github.com/FeralInteractive/gamemode + # gamemode = { + # enable = true; + # enableRenice = true; + # settings = {}; + # }; + + # gamescope = { + # enable = true; + # capSysNice = true; + # env = { + # DXVK_HDR = "1"; + # ENABLE_GAMESCOPE_WSI = "1"; + # WINE_FULLSCREEN_FSR = "1"; + # WLR_RENDERER = "vulkan"; + # }; + # args = ["--hdr-enabled"]; + # }; + }; + }; +} diff --git a/modules/home/application/teamspeak/default.nix b/modules/home/application/teamspeak/default.nix index e15bd96..aab3c5d 100644 --- a/modules/home/application/teamspeak/default.nix +++ b/modules/home/application/teamspeak/default.nix @@ -1,15 +1,15 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.teamspeak; -in -{ - options.${namespace}.application.teamspeak = { - enable = mkEnableOption "enable teamspeak"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ teamspeak_client ]; - }; -} +{ inputs, config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.teamspeak; +in +{ + options.${namespace}.application.teamspeak = { + enable = mkEnableOption "enable teamspeak"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ teamspeak3 teamspeak6-client ]; + }; +} diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 9a02f01..1b400bb 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -13,7 +13,7 @@ in organization = mkOption { type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let org = name; in @@ -23,11 +23,11 @@ in default = false; example = "true"; description = '' - True sets the org as default org for the instance. Only one org can be default org. + True sets the '${org}' org as default org for the instance. Only one org can be default org. Nothing happens if you set it to false until you set another org as default org. ''; }; - + project = mkOption { default = {}; type = types.attrsOf (types.submodule { @@ -46,7 +46,7 @@ in default = null; example = "enforceProjectResourceOwnerPolicy"; description = '' - Defines from where the private labeling should be triggered, + Defines from where the private labeling should be triggered, supported values: - unspecified @@ -54,7 +54,7 @@ in - allowLoginUserResourceOwnerPolicy ''; }; - + projectRoleAssertion = mkOption { type = types.bool; default = false; @@ -63,7 +63,7 @@ in Describes if roles of user should be added in token. ''; }; - + projectRoleCheck = mkOption { type = types.bool; default = false; @@ -72,11 +72,11 @@ in ZITADEL checks if the user has at least one on this project. ''; }; - + role = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let roleName = name; in @@ -101,12 +101,12 @@ in }; })); }; - + assign = mkOption { default = {}; type = types.attrsOf (types.listOf types.str); }; - + application = mkOption { default = {}; type = types.attrsOf (types.submodule { @@ -141,8 +141,8 @@ in ''; }; - exportMap = - let + exportMap = + let strOpt = mkOption { type = types.nullOr types.str; default = null; }; in mkOption { @@ -164,11 +164,11 @@ in }; }); }; - + user = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let username = name; in @@ -226,7 +226,7 @@ in }; })); }; - + action = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { @@ -263,7 +263,7 @@ in }; })); }; - + triggers = mkOption { default = []; type = types.listOf (types.submodule { @@ -321,28 +321,20 @@ in accessTokenType = mapEnum "OIDC_TOKEN_TYPE" value; }."${type}" or value); - toResource = name: value: nameValuePair + toResource = name: value: nameValuePair (toSnakeCase name) (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); withRef = type: name: attrs: attrs // (mapRef type name); select = keys: callback: set: - if (length keys) == 0 then + if (length keys) == 0 then mapAttrs' callback set else let key = head keys; in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set ; append = attrList: set: set // (listToAttrs attrList); - forEach = src: key: set: - let - _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; - in - { - forEach = "{ for item in ${src} : \"${_key}\" => item }"; - } - // set; config' = config; @@ -352,7 +344,21 @@ in modules = [ ({ config, lib, ... }: { - config = { + config = + let + forEach = src: key: set: + let + _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; + in + { + forEach = lib.tfRef ''{ + for item in ${src} : + "''${item.org}_''${item.name}" => item + }''; + } + // set; + in + { terraform.required_providers.zitadel = { source = "zitadel/zitadel"; version = "2.2.0"; @@ -376,18 +382,18 @@ in } ] ]) "; - orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); + orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); }; resource = { # Organizations - zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: + zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: { inherit name isDefault; } |> toResource name ); # Projects per organization - zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: + zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: { inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; } @@ -396,7 +402,7 @@ in ); # Each OIDC app per project - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: { inherit name redirectUris grantTypes responseTypes; @@ -404,41 +410,41 @@ in idTokenRoleAssertion = true; accessTokenType = "JWT"; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" |> toResource "${org}_${project}_${name}" ); # Each project role - zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: + zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: { inherit (value) displayName group; roleKey = name; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" |> toResource "${org}_${project}_${name}" ); # Each project role assignment zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: { roleKeys = roles; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> withRef "user" "${org}_${user}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" |> toResource "${org}_${project}_${user}" ); # Users - zitadel_human_user = - cfg.organization - |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + zitadel_human_user = + cfg.organization + |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: { inherit email userName firstName lastName; isEmailVerified = true; - } + } |> withRef "org" org |> toResource "${org}_${name}" ) - |> append + |> append [ (forEach "local.extra_users" [ "org" "name" ] { orgId = lib.tfRef "local.orgs[each.value.org]"; @@ -446,7 +452,7 @@ in email = lib.tfRef "each.value.email"; firstName = lib.tfRef "each.value.firstName"; lastName = lib.tfRef "each.value.lastName"; - + isEmailVerified = true; } |> toResource "extraUsers") @@ -454,20 +460,20 @@ in ; # Global user roles - zitadel_instance_member = - cfg.organization + zitadel_instance_member = + cfg.organization |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0)) - |> select [ "user" ] (org: name: { instanceRoles, ... }: - { roles = instanceRoles; } + |> select [ "user" ] (org: name: { instanceRoles, ... }: + { roles = instanceRoles; } |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" ); # Organazation specific roles - zitadel_org_member = + zitadel_org_member = cfg.organization |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0)) - |> select [ "user" ] (org: name: { roles, ... }: + |> select [ "user" ] (org: name: { roles, ... }: { inherit roles; } |> withRef "org" org |> withRef "user" "${org}_${name}" @@ -475,9 +481,9 @@ in ); # Organazation's actions - zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: - { - inherit allowedToFail name; + zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: + { + inherit allowedToFail name; timeout = "${toString timeout}s"; script = "const ${name} = ${script}"; } @@ -486,20 +492,20 @@ in ); # Organazation's action assignments - zitadel_trigger_actions = + zitadel_trigger_actions = cfg.organization |> concatMapAttrs (org: { triggers, ... }: triggers |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in { - inherit flowType triggerType; + inherit flowType triggerType; - actionIds = - actions + actionIds = + actions |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); - } - |> withRef "org" org - |> toResource "${org}_${name}" + } + |> withRef "org" org + |> toResource "${org}_${name}" )) |> listToAttrs ); @@ -516,7 +522,7 @@ in }; # Client credentials per app - local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: nameValuePair "${org}_${project}_${name}" { content = '' ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} @@ -530,7 +536,7 @@ in }) ]; }; - in + in mkIf cfg.enable { ${namespace}.services.persistance.postgresql.enable = true; @@ -548,8 +554,12 @@ in wantedBy = [ "multi-user.target" ]; wants = [ "zitadel.service" ]; - - script = '' + + script = + let + tofu = lib.getExe pkgs.opentofu; + in + '' #!/usr/bin/env bash if [ "$(systemctl is-active zitadel)" != "active" ]; then @@ -564,11 +574,11 @@ in cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init + ${tofu} init # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan - ${lib.getExe pkgs.opentofu} apply -auto-approve + ${tofu} plan -refresh=false -out=tfplan + ${tofu} apply -auto-approve tfplan ''; serviceConfig = { @@ -628,7 +638,7 @@ in Org = { Name = "kruining"; - + Human = { UserName = "chris"; FirstName = "Chris"; @@ -639,7 +649,7 @@ in }; Password = "KaasIsAwesome1!"; }; - + Machine = { Machine = { Username = "terraform-service-user"; @@ -648,7 +658,7 @@ in MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; }; # Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; }; }; - + # LoginClient.Machine = { # Username = "terraform-service-user"; # Name = "Terraform"; @@ -689,7 +699,7 @@ in ''; }; }; - + networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index ce92df4..6405932 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -1,5 +1,10 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (builtins) toString toJSON; inherit (lib) mkIf mkEnableOption; @@ -10,8 +15,7 @@ let port = 4001; database = "synapse"; -in -{ +in { options.${namespace}.services.communication.matrix = { enable = mkEnableOption "Matrix server (Synapse)"; }; @@ -22,13 +26,13 @@ in # virtualisation.podman.enable = true; }; - networking.firewall.allowedTCPPorts = [ 4001 ]; + networking.firewall.allowedTCPPorts = [4001]; services = { matrix-synapse = { enable = true; - extras = [ "oidc" ]; + extras = ["oidc"]; extraConfigFiles = [ config.sops.templates."synapse-oidc.yaml".path @@ -52,7 +56,7 @@ in backchannel_logout_enabled = true; sso = { - client_whitelist = [ "http://[::1]:9092" ]; + client_whitelist = ["http://[::1]:9092"]; update_profile_information = true; }; @@ -75,7 +79,7 @@ in resources = [ { - names = [ "client" "federation" "openid" "metrics" "media" "health" ]; + names = ["client" "federation" "openid" "metrics" "media" "health"]; compress = true; } ]; @@ -132,7 +136,7 @@ in postgresql = { enable = true; - ensureDatabases = [ database ]; + ensureDatabases = [database]; ensureUsers = [ { name = database; @@ -192,7 +196,7 @@ in localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name }}" ''; - restartUnits = [ "matrix-synapse.service" ]; + restartUnits = ["matrix-synapse.service"]; }; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 52f026f..c7aff89 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -1,12 +1,16 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption; cfg = config.${namespace}.services.development.forgejo; domain = "git.amarth.cloud"; -in -{ +in { options.${namespace}.services.development.forgejo = { enable = mkEnableOption "Forgejo"; @@ -26,7 +30,7 @@ in virtualisation.podman.enable = true; }; - environment.systemPackages = with pkgs; [ forgejo ]; + environment.systemPackages = with pkgs; [forgejo]; services = { forgejo = { @@ -141,7 +145,7 @@ in }; }; - openssh.settings.AllowUsers = [ "forgejo" ]; + openssh.settings.AllowUsers = ["forgejo"]; gitea-actions-runner = { package = pkgs.forgejo-runner; @@ -184,14 +188,14 @@ in "forgejo/action_runner_token" = { owner = "gitea-runner"; group = "gitea-runner"; - restartUnits = [ "gitea-runner-default.service" ]; + restartUnits = ["gitea-runner-default.service"]; }; "forgejo/email" = { owner = "forgejo"; group = "forgejo"; key = "email/chris_kruining_eu"; - restartUnits = [ "forgejo.service" ]; + restartUnits = ["forgejo.service"]; }; }; }; diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix new file mode 100644 index 0000000..aa44856 --- /dev/null +++ b/modules/nixos/services/media/mydia/default.nix @@ -0,0 +1,52 @@ +{ + config, + lib, + namespace, + inputs, + system, + ... +}: let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.mydia; +in { + imports = [ + inputs.mydia.nixosModules.default + ]; + + options.${namespace}.services.media.mydia = { + enable = mkEnableOption "Enable Mydia"; + }; + + config = mkIf cfg.enable { + services.mydia = { + enable = true; + package = inputs.mydia.packages.${system}.default; + + port = 2010; + listenAddress = "0.0.0.0"; + openFirewall = true; + + secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; + guardianSecretKeyFile = config.sops.secrets."mydia/guardian_secret".path; + + oidc = { + enable = true; + issuer = "https://auth.kruining.eu"; + clientIdFile = config.sops.secrets."mydia/oidc_id".path; + clientSecretFile = config.sops.secrets."mydia/oidc_secret".path; + scopes = ["openid" "profile" "email"]; + }; + }; + + sops.secrets = + ["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"] + |> lib.map (name: + lib.nameValuePair "mydia/${name}" { + owner = config.services.mydia.user; + group = config.services.mydia.group; + restartUnits = ["mydia.service"]; + }) + |> lib.listToAttrs; + }; +} diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index 097a36b..733fe99 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -1,14 +1,20 @@ -{ pkgs, config, lib, namespace, inputs, system, ... }: -let +{ + pkgs, + config, + lib, + namespace, + inputs, + system, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types; cfg = config.${namespace}.services.media.servarr; -in -{ +in { options.${namespace}.services.media = { servarr = mkOption { - type = types.attrsOf (types.submodule ({ name, ... }: { + type = types.attrsOf (types.submodule ({name, ...}: { options = { enable = mkEnableOption "Enable ${name}"; debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} "; @@ -28,9 +34,13 @@ in }; config = { - services = + services = cfg - |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable { + |> lib.mapAttrsToList (service: { + enable, + port, + ... + }: (mkIf enable { "${service}" = { enable = true; openFirewall = true; @@ -58,31 +68,44 @@ in }; })) |> lib.mergeAttrsList - |> (set: set // { - postgres = { - ensureDatabases = cfg |> lib.attrNames; - ensureUsers = cfg |> lib.attrNames |> lib.map (service: { - name = service; - ensureDBOwnership = true; - }); - }; - }) - ; + |> (set: + set + // { + postgresql = { + ensureDatabases = cfg |> lib.attrNames; + ensureUsers = + cfg + |> lib.attrNames + |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + }); - systemd = + systemd = cfg - |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { + |> lib.mapAttrsToList (service: { + enable, + debug, + port, + rootFolders, + ... + }: (mkIf enable { tmpfiles.rules = [ "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -" ]; - services."${service}ApplyTerraform" = - let + services."${service}ApplyTerraform" = let terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; modules = [ - ({ config, lib, ... }: { + ({ + config, + lib, + ... + }: { config = { variable = { api_key = { @@ -102,23 +125,21 @@ in }; resource = { - "${service}_root_folder" = + "${service}_root_folder" = rootFolders - |> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; }) - |> lib.listToAttrs - ; + |> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;}) + |> lib.listToAttrs; }; }; }) ]; }; - in - { + in { description = "${service} terraform apply"; - wantedBy = [ "multi-user.target" ]; - wants = [ "${service}.service" ]; - + wantedBy = ["multi-user.target"]; + wants = ["${service}.service"]; + script = '' #!/usr/bin/env bash @@ -141,7 +162,11 @@ in # Run the infrastructure code ${lib.getExe pkgs.opentofu} \ - ${if debug then "plan" else "apply -auto-approve"} \ + ${ + if debug + then "plan" + else "apply -auto-approve" + } \ -var-file='${config.sops.templates."${service}/config.tfvars".path}' ''; @@ -158,31 +183,29 @@ in }; }; })) - |> lib.mergeAttrsList - ; + |> lib.mergeAttrsList; - users.users = + users.users = cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { - "${service}".extraGroups = [ "media" ]; + |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { + "${service}".extraGroups = ["media"]; })) - |> lib.mergeAttrsList - ; + |> lib.mergeAttrsList; - sops = + sops = cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { + |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { secrets."${service}/apikey" = { owner = service; group = service; - restartUnits = [ "${service}.service" ]; + restartUnits = ["${service}.service"]; }; templates = { "${service}/config.env" = { owner = service; group = service; - restartUnits = [ "${service}.service" ]; + restartUnits = ["${service}.service"]; content = '' ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" ''; @@ -191,18 +214,16 @@ in "${service}/config.tfvars" = { owner = service; group = service; - restartUnits = [ "${service}.service" ]; + restartUnits = ["${service}.service"]; content = '' api_key = "${config.sops.placeholder."${service}/apikey"}" ''; }; }; })) - |> lib.mergeAttrsList - ; + |> lib.mergeAttrsList; }; - # cfg # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index abab566..07f7058 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,25 +1,31 @@ -{ pkgs, config, lib, namespace, ... }: -let +{ + pkgs, + config, + lib, + namespace, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; - databaseProviderSqlite = types.submodule ({ ... }: { + databaseProviderSqlite = types.submodule ({...}: { options = { type = mkOption { - type = types.enum [ "sqlite" ]; + type = types.enum ["sqlite"]; }; file = mkOption { - type = types.str; - description = ''''; + type = types.path; + description = '' + Path to sqlite database file. + ''; }; }; }); - databaseProviderPostgresql = types.submodule ({ ... }: - let + databaseProviderPostgresql = types.submodule ({...}: let urlOptions = lib.${namespace}.options.mkUrlOptions { host = { description = '' @@ -40,36 +46,36 @@ let example = "postgres"; }; }; - in - { - options = { - type = mkOption { - type = types.enum [ "postgresql" ]; - }; + in { + options = + { + type = mkOption { + type = types.enum ["postgresql"]; + }; - sslMode = mkOption { - type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; - default = "verify-full"; - example = "verify-ca"; - description = '' - How to verify the server's ssl + sslMode = mkOption { + type = types.enum ["verify-ca" "verify-full" "require" "prefer" "allow" "disabled"]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl - | mode | eavesdropping protection | MITM protection | Statement | - |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| - | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | - | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | - | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | - | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | - | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | - | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | - - [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) - ''; - }; - } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } + // (urlOptions |> getAttrs ["protocol" "host" "port"]); }); -in -{ +in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; @@ -136,7 +142,7 @@ in postgresql = { enable = true; - ensureDatabases = [ "vaultwarden" ]; + ensureDatabases = ["vaultwarden"]; ensureUsers = [ { name = "vaultwarden"; @@ -171,7 +177,7 @@ in owner = config.users.users.vaultwarden.name; group = config.users.users.vaultwarden.name; key = "email/chris_kruining_eu"; - restartUnits = [ "vaultwarden.service" ]; + restartUnits = ["vaultwarden.service"]; }; }; @@ -183,34 +189,31 @@ in owner = config.users.users.vaultwarden.name; group = config.users.groups.vaultwarden.name; }; - temp-db-output.content = - let - config = - cfg.database - |> ({ type, ... }@db: - if type == "sqlite" then - { inherit (db) type file; } - else if type == "postgresql" then - { - inherit (db) type; - url = lib.${namespace}.strings.toUrl { - inherit (db) protocol host port; - path = "vaultwarden"; - query = { - sslmode = db.sslMode; - }; + temp-db-output.content = let + config = + cfg.database + |> ( + {type, ...} @ db: + if type == "sqlite" + then {inherit (db) type file;} + else if type == "postgresql" + then { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; }; - } - else - {} - ) - |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") - ; - in - '' - # GENERATED VALUES - ${config} - ''; + }; + } + else {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}"); + in '' + # GENERATED VALUES + ${config} + ''; }; }; }; diff --git a/modules/nixos/shells/default.nix b/modules/nixos/shells/default.nix index 6b5c058..ea8f50d 100644 --- a/modules/nixos/shells/default.nix +++ b/modules/nixos/shells/default.nix @@ -1,2 +1,2 @@ -{ ... }: -{} \ No newline at end of file +{...}: { +} diff --git a/shells/default/default.nix b/shells/default/default.nix index 1749c48..5bd5b5f 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -1,5 +1,10 @@ -{ mkShell, inputs, pkgs, ... }: - +{ + mkShell, + inputs, + pkgs, + stdenv, + ... +}: mkShell { packages = with pkgs; [ bash @@ -7,6 +12,10 @@ mkShell { just yq pwgen - inputs.clan-core.packages.x86_64-linux.clan-cli + alejandra + nil + nixd + openssl + inputs.clan-core.packages.${stdenv.hostPlatform.system}.clan-cli ]; -} \ No newline at end of file +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0310818..93171d8 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ./disks.nix ./hardware.nix @@ -8,7 +7,10 @@ networking = { interfaces.enp2s0 = { ipv6.addresses = [ - { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } + { + address = "2a0d:6e00:1dc9:0::dead:beef"; + prefixLength = 64; + } ]; useDHCP = true; @@ -39,7 +41,7 @@ sneeuwvlok = { services = { backup.borg.enable = true; - + authentication.zitadel = { enable = true; @@ -51,8 +53,8 @@ firstName = "Chris"; lastName = "Kruining"; - roles = [ "ORG_OWNER" ]; - instanceRoles = [ "IAM_OWNER" ]; + roles = ["ORG_OWNER"]; + instanceRoles = ["IAM_OWNER"]; }; kaas = { @@ -78,27 +80,27 @@ }; assign = { - chris = [ "jellyfin" "jellyfin_admin" ]; - kaas = [ "jellyfin" ]; + chris = ["jellyfin" "jellyfin_admin"]; + kaas = ["jellyfin"]; }; application = { jellyfin = { - redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://jellyfin.kruining.eu/sso/OID/redirect/zitadel"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; forgejo = { - redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://git.amarth.cloud/user/oauth2/zitadel/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; vaultwarden = { - redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://vault.kruining.eu/identity/connect/oidc-signin"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; exportMap = { client_id = "SSO_CLIENT_ID"; client_secret = "SSO_CLIENT_SECRET"; @@ -106,9 +108,15 @@ }; matrix = { - redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://matrix.kruining.eu/_synapse/client/oidc/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; + }; + + mydia = { + redirectUris = ["http://localhost:2010/auth/oidc/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; }; }; @@ -121,9 +129,9 @@ if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) { return; } - + const roles = ctx.v1.user.grants.grants.flatMap(({ roles, projectId }) => roles.map(role => projectId + ':' + role)); - + api.v1.claims.setClaim('nix:zitadel:custom', JSON.stringify({ roles })); }; ''; @@ -131,8 +139,16 @@ }; triggers = [ - { flowType = "customiseToken"; triggerType = "preUserinfoCreation"; actions = [ "flattenRoles" ]; } - { flowType = "customiseToken"; triggerType = "preAccessTokenCreation"; actions = [ "flattenRoles" ]; } + { + flowType = "customiseToken"; + triggerType = "preUserinfoCreation"; + actions = ["flattenRoles"]; + } + { + flowType = "customiseToken"; + triggerType = "preAccessTokenCreation"; + actions = ["flattenRoles"]; + } ]; }; }; @@ -146,6 +162,7 @@ media.enable = true; media.homer.enable = true; + media.mydia.enable = true; media.nfs.enable = true; media.servarr = { # radarr = { @@ -190,7 +207,7 @@ database = { # type = "sqlite"; # file = "/var/lib/vaultwarden/state.db"; - + type = "postgresql"; host = "localhost"; port = 5432; diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 7a26401..9e80086 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -19,6 +19,11 @@ lidarr: apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] prowlarr: apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] +mydia: + oidc_id: ENC[AES256_GCM,data:LfYWh9EC0aio3w1Xsj/jtU6z,iv:+dX9KkNtfQMYSX4yr83KyXalWMD/aWby7fC8aL4ZT3I=,tag:CvdbMoMTuC9FohTMIE5pmg==,type:str] + oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str] + secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] + guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -39,7 +44,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:51:26Z" - mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str] + lastmodified: "2025-12-01T14:27:13Z" + mac: ENC[AES256_GCM,data:v8t65zlWw6UuFeFQ5oBNVGjnuewPlZZG7ea8P4cEHXN+JnSAE67HivSCyjhUAFmX/UbksxnSLYdl72swTb9ASv6JaW2FVJsaF+5zmZbuM5pAjZl4MR6Y7+Vc9YqAi+axnSE1s8pRe9U1PYmcbLWaY9kRZdccavfM2bsoAIpJRTk=,iv:EevmWMh6ygEAlf9RE4qZ1KVKm6yDR5dTZeraoFHmdRg=,tag:sCdtEYc9iNjfEvyYyXH8rQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0