diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 684cfad..2c61087 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -12,4 +12,4 @@ jobs: steps: - name: Echo run: | - nix --version \ No newline at end of file + nix --version diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..780e15a --- /dev/null +++ b/.gitattributes @@ -0,0 +1,4 @@ +* text=auto +core.autocrlf=false +core.eol=lf +core.filemode=false diff --git a/.just/machine.just b/.just/machine.just index cbdf345..3e3ba14 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -1,11 +1,14 @@ -@_default: list +set unstable := true +set quiet := true + +_default: list [doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ +list: + ls -1 ../systems/x86_64-linux/ -[no-exit-message] [doc('Update the target machine')] -@update machine: - just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file +[no-exit-message] +update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} diff --git a/.just/vars.just b/.just/vars.just index d8bd181..230f00c 100644 --- a/.just/vars.just +++ b/.just/vars.just 
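Review bot: Lines 2–4 of the new `.gitattributes` (`core.autocrlf=false`, `core.eol=lf`, `core.filemode=false`) are git config keys, not attributes; gitattributes reads each of them as a path pattern with no attributes attached, so they match nothing and silently do nothing, and only `* text=auto` takes effect. The line-ending intent can be expressed as an attribute, `* text=auto eol=lf`. `core.filemode` has no attribute form and belongs in git config (a documented `git config` step or a checked-in config snippet), so either move those three lines there or drop them.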
@@ -1,36 +1,33 @@ -set unstable +set unstable := true +set quiet := true base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" -sops := "sops" -yq := "yq" -@_default: - just --list +_default: + just --list [doc('list all vars of the target machine')] list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml - + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + +edit machine: + sops edit {{ base_path }}/{{ machine }}/secrets.yml + @set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - echo "Done" - -@get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - -@remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + echo "Done" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null +get machine key: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq 
".$(echo "{{ key }}" | sed -E 's/\//./g')" - echo "Done" \ No newline at end of file +remove machine key: + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" diff --git a/.justfile b/.justfile index 3a15d20..1937f04 100644 --- a/.justfile +++ b/.justfile 
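Review bot: The `set` recipe is the only one that keeps the `@` prefix now that `set quiet := true` is in force; every other recipe in this hunk dropped it, so either drop it here too or add a comment saying why it differs (whether `@` is redundant or inverts quieting under `set quiet` should be confirmed against just's docs, since an echoed line here would print the plaintext secret). Separately, `echo '{{ value }}'` splices the secret into a single-quoted shell word, so any value containing `'` breaks the command; with `set positional-arguments` the value can be referenced as `"$3"` and reaches the shell as an argument rather than as recipe text (the same applies to `{{ key }}` in `get` and `remove`). The value still appears in the argv of `sops set` for the duration of the call, which deserves a one-line comment above the recipe so users know not to pass secrets this way on shared hosts.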
@@ -1,33 +1,40 @@ -@_default: - just --list --list-submodules +_default: + just --list --list-submodules + +set unstable +set quiet -[doc('Manage vars')] mod vars '.just/vars.just' - -[doc('Manage machines')] mod machine '.just/machine.just' [doc('Show information about project')] -@show: - echo "show" +show: + echo "show" [doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" +update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" + +[doc('Rebase branch on main')] +rebase: + git stash -q \ + && git fetch \ + && git rebase origin/main \ + && git stash pop -q + + echo "Done" [doc('Introspection on flake output')] -@select key: - nix eval --json .#{{ key }} | jq . - - +select key: + nix eval --json .#{{ key }} | jq . #=============================================================================================== # Utils -#=============================================================================================== -[no-exit-message] +# =============================================================================================== [no-cd] +[no-exit-message] [private] -@assert condition message: - [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file +assert condition message: + [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } diff --git a/flake.lock b/flake.lock index 9d38839..07a2120 100644 --- a/flake.lock +++ b/flake.lock 
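Review bot: The new `rebase` recipe pops the wrong stash when the working tree is clean: `git stash -q` exits 0 without creating an entry in that case, the `&&` chain continues, and `git stash pop -q` then applies whatever older stash entry happens to exist. If the rebase stops on a conflict, the stash is also left unapplied with no hint to the user. Git already handles both cases, so the body can be `git fetch && git rebase --autostash origin/main`. Minor style point: `set unstable` and `set quiet` sit after the `_default` recipe and use the bare form, whereas `.just/machine.just` and `.just/vars.just` in this same commit put `set unstable := true` and `set quiet := true` at the top of the file.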
@@ -38,11 +38,11 @@
 "base16-helix": {
 "flake": false,
 "locked": {
- "lastModified": 1752979451,
- "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=",
+ "lastModified": 1760703920,
+ "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
 "owner": "tinted-theming",
 "repo": "base16-helix",
- "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac",
+ "rev": "d646af9b7d14bff08824538164af99d0c521b185",
 "type": "github"
 },
 "original": {
@@ -84,11 +84,19 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1763547157,
- "narHash": "sha256-lJcMap2uT+x1R8WUUKKQ6ndynysJ/JOkrMThMGz6DP0=",
- "rev": "2cb2134a6ee32d427097077c4fb4c416b52ae988",
+<<<<<<< HEAD
+ "lastModified": 1765033957,
+ "narHash": "sha256-yL5IjUOne+h6AodxxqoqwPgRy2HXle6+W4Aa2GVJruk=",
+ "rev": "9985ce76af367e7c9e3022c5b893418059a17491",
 "type": "tarball",
- "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/2cb2134a6ee32d427097077c4fb4c416b52ae988.tar.gz"
+ "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/9985ce76af367e7c9e3022c5b893418059a17491.tar.gz"
+=======
+ "lastModified": 1764220269,
+ "narHash": "sha256-rSSmhTCjfZLZog3qO6Q5C58pINmDv8EheGUhcojxd6c=",
+ "rev": "c70c04d09477ceee5820a8da4d9c0d1b50eb6cc6",
+ "type": "tarball",
+ "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/c70c04d09477ceee5820a8da4d9c0d1b50eb6cc6.tar.gz"
+>>>>>>> 122a796 (chore: update dependencies)
 },
 "original": {
 "type": "tarball",
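Review bot: The second hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 122a796 (chore: update dependencies)`) into the `clan-core` lock entry, which makes `flake.lock` invalid JSON, so every `nix` command on this flake will fail to parse the lock. The same markers appear in the `disko`, `erosanix`, `fenix`, `flake-firefox-nightly` and `himmelblau` entries later in this file. Each conflict needs one side chosen, or the lock regenerated with `nix flake update`, so that every `locked` block carries a single `rev`/`narHash` pair; `nix flake metadata` is a cheap check to run before merging.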
@@ -130,11 +138,19 @@ ] }, "locked": { - "lastModified": 1762276996, - "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", +<<<<<<< HEAD + "lastModified": 1764627417, + "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=", "owner": "nix-community", "repo": "disko", - "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", + "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3", +======= + "lastModified": 1764110879, + "narHash": "sha256-xanUzIb0tf3kJ+PoOFmXEXV1jM3PjkDT/TQ5DYeNYRc=", + "owner": "nix-community", + "repo": "disko", + "rev": "aecba248f9a7d68c5d1ed15de2d1c8a4c994a3c5", +>>>>>>> 122a796 (chore: update dependencies) "type": "github" }, "original": { @@ -149,11 +165,19 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1762360792, - "narHash": "sha256-YR7vqk+XEvFUQ/miuBAD3+p+97QUN86ya9Aw0K5feJE=", +<<<<<<< HEAD + "lastModified": 1764775116, + "narHash": "sha256-S4fY3fytcqXBuOSbQjEVke2eqK9/e/6Jy3jp0JGM2X4=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "9075dff5685d3e7269284e53ca496da0beb24596", + "rev": "172661ccc78b1529a294eee5e99ca1616c934f37", +======= + "lastModified": 1763851335, + "narHash": "sha256-mmDc9dREBGGZW1iCB3AbMLBzsXrf48hJ+EzJ6g7Tdbk=", + "owner": "emmanuelrosa", + "repo": "erosanix", + "rev": "17407369c38ac2ade3be648666d30f6469908bdb", +>>>>>>> 122a796 (chore: update dependencies) "type": "github" }, "original": { 
@@ -170,11 +194,19 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1763534658, - "narHash": "sha256-i/51/Zi/1pM9hZxxSuA3nVPpyqlGoWwJwajyA/loOpo=", +<<<<<<< HEAD + "lastModified": 1764915802, + "narHash": "sha256-eHTucU43sRCpvvTt5eey9htcWipS7ZN3B7ts6MiXLxo=", "owner": "nix-community", "repo": "fenix", - "rev": "69e40ddf45698d0115a62a7a15d8412f35dd4c09", + "rev": "a83a78fd3587d9f3388f0b459ad9c2bbd6d1b6d8", +======= + "lastModified": 1764226020, + "narHash": "sha256-FzUCFwXNjLnnZmVqYj/FjlBhUpat59SExflEaIGT62s=", + "owner": "nix-community", + "repo": "fenix", + "rev": "2d8176c02f7be6d13578d24d5fd5049f1b46a4c5", +>>>>>>> 122a796 (chore: update dependencies) "type": "github" }, "original": { @@ -190,11 +222,19 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1763504432, - "narHash": "sha256-kpmPI67TdoTxiK7LsmgmkKW3iHoyvZJwZeiJhpwPfmw=", +<<<<<<< HEAD + "lastModified": 1765024561, + "narHash": "sha256-xtfg5gNfyiyBTfWwbKgatV1sPeJjEnUczHCaSWi+crY=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "49d5d8d42a7650e5353f8467c813839290cb7c9f", + "rev": "e6f559729459a7890f01b258c33c1025800f5dbb", +======= + "lastModified": 1764242161, + "narHash": "sha256-Yxeu6Zm85RwER/0z0fv3mX2xaBy38PZKgdAAE57huRU=", + "owner": "nix-community", + "repo": "flake-firefox-nightly", + "rev": "ca10e2ff1ec58b1a3722ccb3c052c57c5e070780", +>>>>>>> 122a796 (chore: update dependencies) "type": "github" }, "original": { @@ -206,11 +246,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1758112371, - "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", + "lastModified": 1764724327, + "narHash": "sha256-OkFLrD3pFR952TrjQi1+Vdj604KLcMnkpa7lkW7XskI=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", + "rev": "66b7c635763d8e6eb86bd766de5a1e1fbfcc1047", "type": "github" }, "original": { 
@@ -306,11 +346,11 @@ ] }, "locked": { - "lastModified": 1762980239, - "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", + "lastModified": 1763759067, + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", "type": "github" }, "original": { @@ -320,6 +360,27 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "mydia", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1763759067, + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -340,7 +401,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -348,11 +409,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1763759067, + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", "type": "github" }, "original": { @@ -361,7 +422,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "terranix", 
@@ -511,11 +572,11 @@ "flake": false, "locked": { "host": "gitlab.gnome.org", - "lastModified": 1762869044, - "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=", + "lastModified": 1764524476, + "narHash": "sha256-bTmNn3Q4tMQ0J/P0O5BfTQwqEnCiQIzOGef9/aqAZvk=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad", + "rev": "c0e1ad9f0f703fd0519033b8f46c3267aab51a22", "type": "gitlab" }, "original": { @@ -553,11 +614,19 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1763486183, - "narHash": "sha256-10EvBTF9ELezWg+KoKZJ3bxrPzT1Xz95ifurC6HixLY=", +<<<<<<< HEAD + "lastModified": 1764617621, + "narHash": "sha256-Eq0TvWs6xhKZs5HXH1hlrNasrHD7AOEdeLkTis//X7w=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "fb27f4bee812e4b4df9df9f78bd5280f0aa2193c", + "rev": "c19494250d8c15e7c75e9301bdc271579a6dc77a", +======= + "lastModified": 1764184347, + "narHash": "sha256-xhzCn/rnBDTybHtuFV2IhCgjLMsCVpbzpEL0w//4Na8=", + "owner": "himmelblau-idm", + "repo": "himmelblau", + "rev": "9f0f6e27b6a9acdb12c4807cc1402132b21009f3", +>>>>>>> 122a796 (chore: update dependencies) "type": "github" }, "original": { @@ -573,11 +642,11 @@ ] }, "locked": { - "lastModified": 1763416652, - "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=", + "lastModified": 1764194569, + "narHash": "sha256-iUM9ktarEzThkayyZrzQ7oycPshAY2XRQqVKz0xX/L0=", "owner": "nix-community", "repo": "home-manager", - "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312", + "rev": "9651819d75f6c7ffaf8a9227490ac704f29659f0", "type": "github" }, "original": { 
@@ -615,11 +684,11 @@ ] }, "locked": { - "lastModified": 1763453666, - "narHash": "sha256-Hu8lDUlbMFvcYX30LBXX7Gq5FbU35bERH0pSX5qHf/Q=", + "lastModified": 1764236397, + "narHash": "sha256-s/6WrJJryLI6BgphsY8l0s0UmGUg3mgkSFuvvsbN0FM=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "b843b551415c7aecc97c8b3ab3fff26fd0cd8bbf", + "rev": "50026908d1501193afdcccdf7359d1a485074eda", "type": "github" }, "original": { @@ -634,11 +703,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1754828166, - "narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=", + "lastModified": 1764506612, + "narHash": "sha256-47a2OvGsq1AfffWQqKAGlB9GjmoVa1yXVyfZP3f3kog=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f01c8d121a3100230612be96e4ac668e15eafb77", + "rev": "f7208cc4a3200a2573fc566066ef4d3c041bc924", "type": "github" }, "original": { @@ -662,6 +731,25 @@ "type": "github" } }, + "mydia": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1764866402, + "narHash": "sha256-0NOWsPks+/vV5ZM9ti71hUPMLy3FzbEIlFI6vxARvuY=", + "owner": "chris-kruining", + "repo": "mydia", + "rev": "458fc9a21c6987d994bc7932efb6c49df25ba806", + "type": "github" + }, + "original": { + "owner": "chris-kruining", + "repo": "mydia", + "type": "github" + } + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -670,11 +758,11 @@ ] }, "locked": { - "lastModified": 1763136804, - "narHash": "sha256-6p2ljK42s0S8zS0UU59EsEqupz0GVCaBYRylpUadeBM=", + "lastModified": 1764161084, + "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "973db96394513fd90270ea5a1211a82a4a0ba47f", + "rev": "e95de00a471d07435e0527ff4db092c84998698e", "type": "github" }, "original": { 
@@ -709,14 +797,14 @@ "inputs": { "flake-compat": "flake-compat_3", "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1763171892, - "narHash": "sha256-6cg9zSiqKA89yJzVtYhBaBptqq6bX4pr4g7WLAHOD4Y=", + "lastModified": 1764208886, + "narHash": "sha256-voOx8RsK3miw3EHw05nwuOS4ltzeH8tKJnVr+mxtTPQ=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "316858c27d278b20e776cd4dd8f787812f587ba2", + "rev": "7da8a2d675f9cc56b3f6d654b4cccdca5016ac8e", "type": "github" }, "original": { @@ -770,11 +858,11 @@ }, "nixos-facter-modules": { "locked": { - "lastModified": 1762264948, - "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=", + "lastModified": 1764252389, + "narHash": "sha256-3bbuneTKZBkYXlm0bE36kUjiDsasoIC1GWBw/UEJ9T4=", "owner": "nix-community", "repo": "nixos-facter-modules", - "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96", + "rev": "5ea68886d95218646d11d3551a476d458df00778", "type": "github" }, "original": { @@ -791,11 +879,11 @@ ] }, "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", + "lastModified": 1764234087, + "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", + "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", "type": "github" }, "original": { @@ -812,11 +900,11 @@ ] }, "locked": { - "lastModified": 1763537456, - "narHash": "sha256-/WRqcqeE9C+mxxWgI7jy5blMrvg2lHFSlTFjC8pRWos=", + "lastModified": 1764072830, + "narHash": "sha256-ezkjlUCohD9o9c47Ey0/I4CamSS0QEORTqGvyGqMud0=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "cd9eb5225fc91eb67629966844d2ff371824abb1", + "rev": "c7832dd786175e20f2697179e0e03efadffe4201", "type": "github" }, "original": { 
@@ -827,11 +915,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761828793, - "narHash": "sha256-xjdPwMD4wVuDD85U+3KST62VzFkJueI6oBwIzpzUHLY=", + "lastModified": 1764255304, + "narHash": "sha256-oQPux8afXmkbb88ceRtz1lgSGqL9auOgdYnBSqpVgSA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "843859a08e114403f44aaf5b996b44c38094aa46", + "rev": "6e86c955fc372d12face4a9c0d932a6e0f7bff4d", "type": "github" }, "original": { @@ -843,11 +931,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1764465291, + "narHash": "sha256-jJ/E4B9Hp7U2ZmT3E0tD1LtAfATw/xjVf8sueNyeYmc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "e9537535ae8f4a2f78dbef0aaa0cbb6af4abd047", "type": "github" }, "original": { @@ -856,13 +944,29 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1764517877, + "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { - "lastModified": 1763469780, - "narHash": "sha256-IW67Db/wBNQwJ5e0fF9Yk4SmdivMcecrUVDs7QJoC/s=", + "lastModified": 1764201071, + "narHash": "sha256-ACX5IcJTSoZYBPVtgFAOHvo/FZ70n9AmaAhoeIF+O9Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a70b03ca5dc9d46294740f165abdef9f9bea5632", + "rev": "8c40e16ba896a3657226780454734265b0534f6a", "type": "github" }, "original": { 
@@ -890,11 +994,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1763547551, - "narHash": "sha256-YOdXVAqEGmrPUgs71r8ziuu9qqpn3jJEiIxsIls+VQA=", + "lastModified": 1764243589, + "narHash": "sha256-JoCEZJaU1Ex0MFG3A2DwTtu+jOCLigyXUAmlZLROBdg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "06aa4d5f488875b6af46e10b45b8000ed0906860", + "rev": "57dcc6d4a389a7b6d1fb4cf20c9435f12b11f98d", "type": "github" }, "original": { @@ -905,6 +1009,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1764242076, + "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1748929857, "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", @@ -920,13 +1040,13 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { - "lastModified": 1763421233, - "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", + "lastModified": 1763966396, + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", "type": "github" }, "original": { @@ -936,7 +1056,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1761880412, "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", 
@@ -952,13 +1072,13 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { - "lastModified": 1763191728, - "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=", + "lastModified": 1763618868, + "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c", + "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942", "type": "github" }, "original": { @@ -968,22 +1088,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1762977756, - "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "inputs": { "flake-parts": [ @@ -996,11 +1100,11 @@ ] }, "locked": { - "lastModified": 1758998580, - "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", + "lastModified": 1764773531, + "narHash": "sha256-mCBl7MD1WZ7yCG6bR9MmpPO2VydpNkWFgnslJRIT1YU=", "owner": "nix-community", "repo": "NUR", - "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", + "rev": "1d9616689e98beded059ad0384b9951e967a17fa", "type": "github" }, "original": { @@ -1012,17 +1116,17 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "mnw": "mnw", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "systems": "systems_5" }, "locked": { - "lastModified": 1762622004, - "narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=", + "lastModified": 1764904740, + "narHash": "sha256-TzqXUQlESmS5XGJ3tR1/xdoU0vySyp6YUUpmGF5F0kY=", "owner": "notashelf", "repo": "nvf", - "rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909", + "rev": "249cabe0c5392c384c82fa9d28d3f49fbeb04266", "type": "github" }, "original": { 
@@ -1041,11 +1145,11 @@ ] }, "locked": { - "lastModified": 1762784320, - "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=", + "lastModified": 1763909441, + "narHash": "sha256-56LwV51TX/FhgX+5LCG6akQ5KrOWuKgcJa+eUsRMxsc=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321", + "rev": "b24ed4b272256dfc1cc2291f89a9821d5f9e14b4", "type": "github" }, "original": { @@ -1065,11 +1169,12 @@ "himmelblau": "himmelblau", "home-manager": "home-manager", "jovian": "jovian", + "mydia": "mydia", "nix-minecraft": "nix-minecraft", "nixos-boot": "nixos-boot", "nixos-generators": "nixos-generators", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", @@ -1082,11 +1187,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1762860488, - "narHash": "sha256-rMfWMCOo/pPefM2We0iMBLi2kLBAnYoB9thi4qS7uk4=", + "lastModified": 1764175386, + "narHash": "sha256-LfgFqvPz3C80VjaffSjy8lLyRWfbThhB7gE7IWXHjYU=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "2efc80078029894eec0699f62ec8d5c1a56af763", + "rev": "71ddf07c1c75046df3bb496cf824de5c053d99ad", "type": "github" }, "original": { @@ -1147,11 +1252,11 @@ ] }, "locked": { - "lastModified": 1763264763, - "narHash": "sha256-N0BEoJIlJ+M6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY=", + "lastModified": 1764021963, + "narHash": "sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "882e56c8293e44d57d882b800a82f8b2ee7a858f", + "rev": "c482a1c1bbe030be6688ed7dc84f7213f304f1ec", "type": "github" }, "original": { 
@@ -1162,14 +1267,14 @@ }, "sops-nix_2": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1763509310, - "narHash": "sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI=", + "lastModified": 1764021963, + "narHash": "sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e", + "rev": "c482a1c1bbe030be6688ed7dc84f7213f304f1ec", "type": "github" }, "original": { @@ -1185,9 +1290,9 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "nur": "nur", "systems": "systems_7", "tinted-foot": "tinted-foot", @@ -1197,11 +1302,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1763497248, - "narHash": "sha256-OGP6MYc+lVkLVQOTS6ORszDcCnZm7kDOGpFBdDoLd0k=", + "lastModified": 1764191810, + "narHash": "sha256-rofXPD/9TGpHveo1MTlUfpnF0MCG1/uHUB9f0rosdqc=", "owner": "nix-community", "repo": "stylix", - "rev": "f19ac46f6aa26188b2020ed40066a5b832be9c53", + "rev": "70c444a10d0c9ef71a25580dfa79af9cd43f3a5e", "type": "github" }, "original": { @@ -1332,7 +1437,7 @@ }, "terranix": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "nixpkgs": [ "nixpkgs" ], @@ -1388,11 +1493,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1757716333, - "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", + "lastModified": 1763914658, + "narHash": "sha256-Hju0WtMf3iForxtOwXqGp3Ynipo0EYx1AqMKLPp9BJw=", "owner": "tinted-theming", "repo": "schemes", - "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", + "rev": "0f6be815d258e435c9b137befe5ef4ff24bea32c", "type": "github" }, "original": { 
@@ -1404,11 +1509,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1757811970, - "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", + "lastModified": 1764465359, + "narHash": "sha256-lbSVPqLEk2SqMrnpvWuKYGCaAlfWFMA6MVmcOFJjdjE=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", + "rev": "edf89a780e239263cc691a987721f786ddc4f6aa", "type": "github" }, "original": { @@ -1420,11 +1525,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1757811247, - "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", + "lastModified": 1764464512, + "narHash": "sha256-rCD/pAhkMdCx6blsFwxIyvBJbPZZ1oL2sVFrH07lmqg=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", + "rev": "907dbba5fb8cf69ebfd90b00813418a412d0a29a", "type": "github" }, "original": { @@ -1462,11 +1567,11 @@ ] }, "locked": { - "lastModified": 1763521945, - "narHash": "sha256-Zcrafbe4niRJMbzaVOwg7+iedJhwBFttre2DpyCC6qA=", + "lastModified": 1764217570, + "narHash": "sha256-vgqUC6lI/gW70uekA0bpNFU6yR0tcZRfLIZcxGfN76g=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "24d7381b9231c23daceec5d372cc28e877f7785d", + "rev": "3dc281d86044322f9182b20abbc21db8824c130a", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index d7a7508..7ccab59 100644 --- a/flake.nix +++ b/flake.nix 
@@ -88,49 +88,55 @@ url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; + + mydia = { + url = "github:chris-kruining/mydia"; + # url = "github:getmydia/mydia"; + }; }; - outputs = inputs: inputs.snowfall-lib.mkFlake { - inherit inputs; - src = ./.; + outputs = inputs: + inputs.snowfall-lib.mkFlake { + inherit inputs; + src = ./.; - snowfall = { - namespace = "sneeuwvlok"; + snowfall = { + namespace = "sneeuwvlok"; - meta = { - name = "sneeuwvlok"; - title = "Sneeuwvlok"; + meta = { + name = "sneeuwvlok"; + title = "Sneeuwvlok"; + }; }; - }; - channels-config = { - allowUnfree = true; - permittedInsecurePackages = [ - # Due to *arr stack - "dotnet-sdk-6.0.428" - "aspnetcore-runtime-6.0.36" + channels-config = { + allowUnfree = true; + permittedInsecurePackages = [ + # Due to *arr stack + "dotnet-sdk-6.0.428" + "aspnetcore-runtime-6.0.36" - # I think this is because of zen - "qtwebengine-5.15.19" + # I think this is because of zen + "qtwebengine-5.15.19" - # For Nheko, the matrix client - "olm-3.2.16" + # For Nheko, the matrix client + "olm-3.2.16" + ]; + }; + + overlays = with inputs; [ + fenix.overlays.default + nix-minecraft.overlay + flux.overlays.default + ]; + + systems.modules = with inputs; [ + clan-core.nixosModules.default + ]; + + homes.modules = with inputs; [ + stylix.homeModules.stylix + plasma-manager.homeModules.plasma-manager ]; }; - - overlays = with inputs; [ - fenix.overlays.default - nix-minecraft.overlay - flux.overlays.default - ]; - - systems.modules = with inputs; [ - clan-core.nixosModules.default - ]; - - homes.modules = with inputs; [ - stylix.homeModules.stylix - plasma-manager.homeModules.plasma-manager - ]; - }; } diff --git a/homes/x86_64-linux/chris@mandos/default.nix b/homes/x86_64-linux/chris@mandos/default.nix index 6989314..ba87e73 100644 --- a/homes/x86_64-linux/chris@mandos/default.nix +++ b/homes/x86_64-linux/chris@mandos/default.nix 
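Review bot: The new `mydia` input has no `inputs.nixpkgs.follows = "nixpkgs";`, unlike the neighbouring `clan-core` input, so it brings its own nixpkgs pin (the lock in this commit gains a separate `nixpkgs_5` referenced only by `mydia`), which is a second copy of the package set to build and a second channel to track for security updates. Adding the `follows` line keeps a single audited nixpkgs. The commented `# url = "github:getmydia/mydia";` would be more useful with a word on why the personal fork is used and when to switch back.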
@@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index 9abe613..0aced9b 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { diff --git a/homes/x86_64-linux/chris@orome/default.nix b/homes/x86_64-linux/chris@orome/default.nix index dece506..7a1dc43 100644 --- a/homes/x86_64-linux/chris@orome/default.nix +++ b/homes/x86_64-linux/chris@orome/default.nix @@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { diff --git a/homes/x86_64-linux/chris@tulkas/default.nix b/homes/x86_64-linux/chris@tulkas/default.nix index 6989314..ba87e73 100644 --- a/homes/x86_64-linux/chris@tulkas/default.nix +++ b/homes/x86_64-linux/chris@tulkas/default.nix @@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { 
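Review bot: The same `settings.user = { name = …; email = …; }` block is repeated verbatim in the four per-host home files (`chris@mandos`, `chris@manwe`, `chris@orome`, `chris@tulkas`). Since this commit already moves git configuration under `programs.git.settings` in the shared module `modules/home/shell/toolset/git`, the identity could be set there once, leaving the per-host files to override only when a host actually differs.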
diff --git a/modules/home/application/onlyoffice/default.nix b/modules/home/application/onlyoffice/default.nix index 8153b68..0479539 100644 --- a/modules/home/application/onlyoffice/default.nix +++ b/modules/home/application/onlyoffice/default.nix @@ -1,16 +1,20 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let +{ + inputs, + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.application.onlyoffice; -in -{ +in { options.${namespace}.application.onlyoffice = { enable = mkEnableOption "enable onlyoffice"; }; config = mkIf cfg.enable { - home.packages = with pkgs; [ onlyoffice-bin ]; - # fonts.packages = with pkgs; [ corefonts ]; + home.packages = with pkgs; [onlyoffice-desktopeditors]; }; } diff --git a/modules/home/application/steam/default.nix b/modules/home/application/steam/default.nix index 4e62c41..8c87b40 100644 --- a/modules/home/application/steam/default.nix +++ b/modules/home/application/steam/default.nix @@ -10,7 +10,7 @@ in }; config = mkIf cfg.enable { - home.packages = with pkgs; [ protonup ]; + home.packages = with pkgs; [ protonup-ng ]; home.sessionVariables = { STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; diff --git a/modules/home/application/teamspeak/default.nix b/modules/home/application/teamspeak/default.nix index e15bd96..d234e9a 100644 --- a/modules/home/application/teamspeak/default.nix +++ b/modules/home/application/teamspeak/default.nix @@ -10,6 +10,6 @@ in }; config = mkIf cfg.enable { - home.packages = with pkgs; [ teamspeak_client ]; + home.packages = with pkgs; [ teamspeak3 teamspeak6-client ]; }; } diff --git a/modules/home/shell/toolset/git/default.nix b/modules/home/shell/toolset/git/default.nix index 299b2a6..dd138c8 100644 --- a/modules/home/shell/toolset/git/default.nix +++ b/modules/home/shell/toolset/git/default.nix 
@@ -1,10 +1,14 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkEnableOption mkIf; cfg = config.${namespace}.shell.toolset.git; -in -{ +in { options.${namespace}.shell.toolset.git = { enable = mkEnableOption "version-control system"; }; @@ -12,7 +16,7 @@ in config = mkIf cfg.enable { home.sessionVariables.GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)"; - home.packages = with pkgs; [ lazygit lazyjj jujutsu ]; + home.packages = with pkgs; [lazygit lazyjj jujutsu]; programs = { zsh.initContent = '' @@ -29,14 +33,6 @@ in git = { enable = true; package = pkgs.gitFull; - difftastic = { - enable = true; - options = { - background = "dark"; - color = "always"; - display = "inline"; - }; - }; ignores = [ # General: @@ -69,7 +65,7 @@ in "*.elc" ]; - extraConfig = { + settings = { init.defaultBranch = "main"; core = { editor = "nvim"; @@ -106,6 +102,16 @@ in }; }; }; + + difftastic = { + enable = true; + git.enable = true; + options = { + background = "dark"; + color = "always"; + display = "inline"; + }; + }; }; }; } diff --git a/modules/nixos/application/steam/default.nix b/modules/nixos/application/steam/default.nix index 6170e8a..735aa80 100644 --- a/modules/nixos/application/steam/default.nix +++ b/modules/nixos/application/steam/default.nix @@ -1,10 +1,15 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let +{ + inputs, + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.application.steam; -in -{ +in { options.${namespace}.application.steam = { enable = mkEnableOption "enable steam"; }; @@ -13,7 +18,7 @@ in programs = { steam = { enable = true; - package = pkgs.steam-small.override { + package = pkgs.steam.override { extraEnv = { DXVK_HUD = "compiler"; MANGOHUD = true; diff --git a/modules/nixos/services/authentication/himmelblau/default.nix b/modules/nixos/services/authentication/himmelblau/default.nix index 1228759..d39d4cf 100644 
--- a/modules/nixos/services/authentication/himmelblau/default.nix +++ b/modules/nixos/services/authentication/himmelblau/default.nix @@ -1,10 +1,15 @@ -{ inputs, lib, config, namespace, ... }: let +{ + inputs, + lib, + config, + namespace, + ... +}: let inherit (lib) mkEnableOption mkIf; cfg = config.${namespace}.services.authentication.himmelblau; -in -{ - imports = [ inputs.himmelblau.nixosModules.himmelblau ]; +in { + imports = [inputs.himmelblau.nixosModules.himmelblau]; options.${namespace}.services.authentication.himmelblau = { enable = mkEnableOption "enable azure entra ID authentication"; @@ -14,7 +19,7 @@ in services.himmelblau = { enable = true; settings = { - domains = []; + domain = ""; pam_allow_groups = []; local_groups = []; }; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 9a02f01..c0d9dc5 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -13,7 +13,7 @@ in organization = mkOption { type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let org = name; in @@ -23,11 +23,11 @@ in default = false; example = "true"; description = '' - True sets the org as default org for the instance. Only one org can be default org. + True sets the '${org}' org as default org for the instance. Only one org can be default org. Nothing happens if you set it to false until you set another org as default org. ''; }; - + project = mkOption { default = {}; type = types.attrsOf (types.submodule { @@ -46,7 +46,7 @@ in default = null; example = "enforceProjectResourceOwnerPolicy"; description = '' - Defines from where the private labeling should be triggered, + Defines from where the private labeling should be triggered, supported values: - unspecified 
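Review bot: `domain = ""` enables himmelblau with an empty tenant domain while `pam_allow_groups = []` stays empty next to it, so unless the host configuration overrides both, the service is switched on without a usable tenant binding. Consider making the domain a module option with no default (`domain = lib.mkOption { type = lib.types.str; };`) and passing it through, so evaluation fails loudly instead of shipping an empty value; whether the upstream module rejects an empty string I cannot tell from here. The himmelblau `config` block continues outside the hunk.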
@@ -54,7 +54,7 @@ in - allowLoginUserResourceOwnerPolicy ''; }; - + projectRoleAssertion = mkOption { type = types.bool; default = false; @@ -63,7 +63,7 @@ in Describes if roles of user should be added in token. ''; }; - + projectRoleCheck = mkOption { type = types.bool; default = false; @@ -72,11 +72,11 @@ in ZITADEL checks if the user has at least one on this project. ''; }; - + role = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let roleName = name; in @@ -101,12 +101,12 @@ in }; })); }; - + assign = mkOption { default = {}; type = types.attrsOf (types.listOf types.str); }; - + application = mkOption { default = {}; type = types.attrsOf (types.submodule { @@ -141,8 +141,8 @@ in ''; }; - exportMap = - let + exportMap = + let strOpt = mkOption { type = types.nullOr types.str; default = null; }; in mkOption { @@ -164,11 +164,11 @@ in }; }); }; - + user = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let username = name; in @@ -226,7 +226,7 @@ in }; })); }; - + action = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { @@ -263,7 +263,7 @@ in }; })); }; - + triggers = mkOption { default = []; type = types.listOf (types.submodule { 
@@ -321,28 +321,20 @@ in accessTokenType = mapEnum "OIDC_TOKEN_TYPE" value; }."${type}" or value); - toResource = name: value: nameValuePair + toResource = name: value: nameValuePair (toSnakeCase name) (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); withRef = type: name: attrs: attrs // (mapRef type name); select = keys: callback: set: - if (length keys) == 0 then + if (length keys) == 0 then mapAttrs' callback set else let key = head keys; in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set ; append = attrList: set: set // (listToAttrs attrList); - forEach = src: key: set: - let - _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; - in - { - forEach = "{ for item in ${src} : \"${_key}\" => item }"; - } - // set; config' = config; @@ -352,7 +344,21 @@ in modules = [ ({ config, lib, ... }: { - config = { + config = + let + forEach = src: key: set: + let + _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; + in + { + forEach = lib.tfRef ''{ + for item in ${src} : + "''${item.org}_''${item.name}" => item + }''; + } + // set; + in + { terraform.required_providers.zitadel = { source = "zitadel/zitadel"; version = "2.2.0"; 
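Review bot: The relocated `forEach` computes `_key` from its `key` parameter but never uses it: the emitted expression hardcodes `"''${item.org}_''${item.name}" => item`, so the `[ "org" "name" ]` list the caller passes is dead and any other key list silently yields the same key. Either drop the parameter or interpolate it, e.g. `"${_key}" => item`, since `_key` already expands to the `${item.<k>}` references joined by `_`. The enclosing terranix module continues outside the hunk.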
@@ -376,18 +382,18 @@ in } ] ]) "; - orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); + orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); }; resource = { # Organizations - zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: + zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: { inherit name isDefault; } |> toResource name ); # Projects per organization - zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: + zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: { inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; } @@ -396,7 +402,7 @@ in ); # Each OIDC app per project - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: { inherit name redirectUris grantTypes responseTypes; 
@@ -404,41 +410,41 @@ in idTokenRoleAssertion = true; accessTokenType = "JWT"; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" |> toResource "${org}_${project}_${name}" ); # Each project role - zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: + zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: { inherit (value) displayName group; roleKey = name; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" |> toResource "${org}_${project}_${name}" ); # Each project role assignment zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: { roleKeys = roles; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> withRef "user" "${org}_${user}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" |> toResource "${org}_${project}_${user}" ); # Users - zitadel_human_user = - cfg.organization - |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + zitadel_human_user = + cfg.organization + |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: { inherit email userName firstName lastName; isEmailVerified = true; - } + } |> withRef "org" org |> toResource "${org}_${name}" ) - |> append + |> append [ (forEach "local.extra_users" [ "org" "name" ] { orgId = lib.tfRef "local.orgs[each.value.org]"; @@ -446,7 +452,7 @@ in email = lib.tfRef "each.value.email"; firstName = lib.tfRef "each.value.firstName"; lastName = lib.tfRef "each.value.lastName"; - + isEmailVerified = true; } |> toResource "extraUsers") 
@@ -454,20 +460,20 @@ in ; # Global user roles - zitadel_instance_member = - cfg.organization + zitadel_instance_member = + cfg.organization |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0)) - |> select [ "user" ] (org: name: { instanceRoles, ... }: - { roles = instanceRoles; } + |> select [ "user" ] (org: name: { instanceRoles, ... }: + { roles = instanceRoles; } |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" ); # Organazation specific roles - zitadel_org_member = + zitadel_org_member = cfg.organization |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0)) - |> select [ "user" ] (org: name: { roles, ... }: + |> select [ "user" ] (org: name: { roles, ... }: { inherit roles; } |> withRef "org" org |> withRef "user" "${org}_${name}" @@ -475,9 +481,9 @@ in ); # Organazation's actions - zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: - { - inherit allowedToFail name; + zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: + { + inherit allowedToFail name; timeout = "${toString timeout}s"; script = "const ${name} = ${script}"; } @@ -486,20 +492,20 @@ in ); # Organazation's action assignments - zitadel_trigger_actions = + zitadel_trigger_actions = cfg.organization |> concatMapAttrs (org: { triggers, ... }: triggers |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in { - inherit flowType triggerType; + inherit flowType triggerType; - actionIds = - actions + actionIds = + actions |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); - } - |> withRef "org" org - |> toResource "${org}_${name}" + } + |> withRef "org" org + |> toResource "${org}_${name}" )) |> listToAttrs ); 
@@ -516,7 +522,7 @@ in }; # Client credentials per app - local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: nameValuePair "${org}_${project}_${name}" { content = '' ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} @@ -530,7 +536,7 @@ in }) ]; }; - in + in mkIf cfg.enable { ${namespace}.services.persistance.postgresql.enable = true; @@ -548,10 +554,12 @@ in wantedBy = [ "multi-user.target" ]; wants = [ "zitadel.service" ]; - - script = '' - #!/usr/bin/env bash + script = + let + tofu = lib.getExe pkgs.opentofu; + in + '' if [ "$(systemctl is-active zitadel)" != "active" ]; then echo "Zitadel is not running" exit 1 @@ -564,11 +572,11 @@ in cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init + ${tofu} init # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan - ${lib.getExe pkgs.opentofu} apply -auto-approve + ${tofu} plan -refresh=false -out=tfplan + ${tofu} apply -auto-approve tfplan ''; serviceConfig = { @@ -628,7 +636,7 @@ in Org = { Name = "kruining"; - + Human = { UserName = "chris"; FirstName = "Chris"; @@ -639,7 +647,7 @@ in }; Password = "KaasIsAwesome1!"; }; - + Machine = { Machine = { Username = "terraform-service-user"; @@ -648,7 +656,7 @@ in MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; }; # Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; }; }; - + # LoginClient.Machine = { # Username = "terraform-service-user"; # Name = "Terraform"; @@ -689,7 +697,7 @@ in ''; }; }; - + networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets 
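Review bot: The new `tofu plan -refresh=false -out=tfplan` / `tofu apply -auto-approve tfplan` pair leaves `tfplan` behind in the unit's working directory; a saved plan file carries planned resource attributes in cleartext, including ones marked sensitive such as the application credentials this configuration exports, so remove it after apply (`rm -f tfplan` as the last script line) or write it under a private temporary directory. `-refresh=false` also means drift between the Zitadel instance and the state file is not detected before apply; if that is an intentional speed-up it deserves a comment, otherwise the flag should go. The whitespace-only hunks further down touch the FirstInstance block where `Password = "KaasIsAwesome1!"` is still a literal; since the rendered config lands in the world-readable Nix store, moving it to a sops secret is worth a follow-up. The unit's `serviceConfig` and working directory are outside this hunk.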
diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index ce92df4..6405932 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -1,5 +1,10 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (builtins) toString toJSON; inherit (lib) mkIf mkEnableOption; @@ -10,8 +15,7 @@ let port = 4001; database = "synapse"; -in -{ +in { options.${namespace}.services.communication.matrix = { enable = mkEnableOption "Matrix server (Synapse)"; }; @@ -22,13 +26,13 @@ in # virtualisation.podman.enable = true; }; - networking.firewall.allowedTCPPorts = [ 4001 ]; + networking.firewall.allowedTCPPorts = [4001]; services = { matrix-synapse = { enable = true; - extras = [ "oidc" ]; + extras = ["oidc"]; extraConfigFiles = [ config.sops.templates."synapse-oidc.yaml".path @@ -52,7 +56,7 @@ in backchannel_logout_enabled = true; sso = { - client_whitelist = [ "http://[::1]:9092" ]; + client_whitelist = ["http://[::1]:9092"]; update_profile_information = true; }; @@ -75,7 +79,7 @@ in resources = [ { - names = [ "client" "federation" "openid" "metrics" "media" "health" ]; + names = ["client" "federation" "openid" "metrics" "media" "health"]; compress = true; } ]; @@ -132,7 +136,7 @@ in postgresql = { enable = true; - ensureDatabases = [ database ]; + ensureDatabases = [database]; ensureUsers = [ { name = database; @@ -192,7 +196,7 @@ in localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name }}" ''; - restartUnits = [ "matrix-synapse.service" ]; + restartUnits = ["matrix-synapse.service"]; }; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 52f026f..114726e 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -1,12 +1,16 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption; cfg = config.${namespace}.services.development.forgejo; domain = "git.amarth.cloud"; -in -{ +in { options.${namespace}.services.development.forgejo = { enable = mkEnableOption "Forgejo"; @@ -26,7 +30,7 @@ in virtualisation.podman.enable = true; }; - environment.systemPackages = with pkgs; [ forgejo ]; + environment.systemPackages = with pkgs; [forgejo]; services = { forgejo = { @@ -141,7 +145,7 @@ in }; }; - openssh.settings.AllowUsers = [ "forgejo" ]; + openssh.settings.AllowUsers = ["forgejo"]; gitea-actions-runner = { package = pkgs.forgejo-runner; @@ -180,18 +184,26 @@ in }; }; + users = { + users."gitea-runner" = { + isSystemUser = true; + group = "gitea-runner"; + }; + groups."gitea-runner" = {}; + }; + sops.secrets = { "forgejo/action_runner_token" = { owner = "gitea-runner"; group = "gitea-runner"; - restartUnits = [ "gitea-runner-default.service" ]; + restartUnits = ["gitea-runner-default.service"]; }; "forgejo/email" = { owner = "forgejo"; group = "forgejo"; key = "email/chris_kruining_eu"; - restartUnits = [ "forgejo.service" ]; + restartUnits = ["forgejo.service"]; }; }; }; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 1950bf0..d257aea 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -1,13 +1,15 @@ -{ pkgs, lib, namespace, config, inputs, system, ... }: -let +{ + pkgs, + lib, + namespace, + config, + ... +}: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media; - - arr = ["radarr" ]; -in -{ +in { options.${namespace}.services.media = { enable = mkEnableOption "Enable media services"; 
@@ -54,56 +56,19 @@ in }; systemd.tmpfiles.rules = [ - "d '${cfg.path}/series' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/movies' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/music' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/qbittorrent' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/sabnzbd' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/reiverr/config' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/downloads/incomplete' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/downloads/done' 0700 ${cfg.user} ${cfg.group} - -" - "d /var/lib/radarrApplyTerraform 0755 ${cfg.user} ${cfg.group} -" + # "d '${cfg.path}/series' 0770 ${cfg.user} ${cfg.group} - -" + # "d '${cfg.path}/movies' 0770 ${cfg.user} ${cfg.group} - -" + # "d '${cfg.path}/music' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/qbittorrent' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/sabnzbd' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/downloads/incomplete' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/downloads/done' 0770 ${cfg.user} ${cfg.group} - -" ]; #========================================================================= # Services #========================================================================= - services = let - arr-services = - arr - |> lib.imap (i: service: { - name = service; - value = { - enable = true; - openFirewall = true; - - environmentFiles = [ - config.sops.templates."${service}/config.env".path - ]; - - settings = { - auth.authenticationMethod = "External"; - - server = { - bindaddress = "0.0.0.0"; - port = 2000 + i; - }; - - postgres = { - host = "localhost"; - port = "5432"; - user = service; - maindb = service; - logdb = service; - }; - }; - } - // (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {}); - }) - |> lib.listToAttrs - ; - in - arr-services // { + services = { bazarr = { enable = true; openFirewall = true; 
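Review bot: The tmpfiles rules widen `qbittorrent`, `sabnzbd` and both `downloads` directories from `0700` to `0770`, so every member of `${cfg.group}` now has write access to the download trees. If the intent is to let the new mydia service share them with the download clients, say so in a comment (`# 0770: shared between the download clients and mydia via ${cfg.group}`) and review who is in that group. The `qbittorrent` and `sabnzbd` services that used these directories are removed from this module in the next hunk, so whether anything still populates them presumably depends on the servarr module, which is outside this diff.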
@@ -112,6 +77,12 @@ in listenPort = 2005; }; + flaresolverr = { + enable = true; + openFirewall = true; + port = 2007; + }; + # port is harcoded in nixpkgs module jellyfin = { enable = true; @@ -120,46 +91,8 @@ in group = cfg.group; }; - flaresolverr = { + postgresql = { enable = true; - openFirewall = true; - port = 2007; - }; - - qbittorrent = { - enable = true; - openFirewall = true; - webuiPort = 2008; - - serverConfig = { - LegalNotice.Accepted = true; - }; - - user = cfg.user; - group = cfg.group; - }; - - # port is harcoded in nixpkgs module - sabnzbd = { - enable = true; - openFirewall = true; - configFile = "${cfg.path}/sabnzbd/config.ini"; - - user = cfg.user; - group = cfg.group; - }; - - postgresql = - let - databases = arr |> lib.concatMap (s: [ s "${s}-log" ]); - in - { - enable = true; - ensureDatabases = arr; - ensureUsers = arr |> lib.map (service: { - name = service; - ensureDBOwnership = true; - }); }; caddy = { 
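Review bot: `postgresql = { enable = true; }` drops `ensureDatabases` and `ensureUsers`, yet the new mydia module connects to `postgres://mydia@localhost:5432/mydia` and nothing visible in this commit creates that database or role; unless another module provisions it, the first mydia start will fail to connect. Consider `ensureDatabases = ["mydia"];` with a matching `ensureUsers` entry (`ensureDBOwnership = true`) next to the enable line. The `services` attrset continues outside this hunk.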
@@ -172,136 +105,26 @@ in }; }; - systemd.services.radarrApplyTerraform = - let - # this is a nix package, the generated json file to be exact - terraformConfiguration = inputs.terranix.lib.terranixConfiguration { - inherit system; - - modules = [ - ({ config, lib, ... }: { - config = { - variable = { - api_key = { - type = "string"; - description = "Radarr api key"; - }; - }; - - terraform.required_providers.radarr = { - source = "devopsarr/radarr"; - version = "2.2.0"; - }; - - provider.radarr = { - url = "http://127.0.0.1:2001"; - api_key = lib.tfRef "var.api_key"; - }; - - resource = { - radarr_root_folder.local = { - path = "/var/media/movies"; - }; - }; - }; - }) - ]; - }; - in - { - description = "Radarr terraform apply"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "radarr.service" ]; - - script = '' - #!/usr/bin/env bash - - if [ "$(systemctl is-active radarr)" != "active" ]; then - echo "Radarr is not running" - exit 1 - fi - - # Sleep for a bit to give radarr the chance to start up - sleep 5s - - # Print the path to the source for easier debugging - echo "config location: ${terraformConfiguration}" - - # Copy infra code into workspace - cp -f ${terraformConfiguration} config.tf.json - - # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init - - # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan -var-file='${config.sops.templates."radarr/config.tfvars".path}' - ${lib.getExe pkgs.opentofu} apply -auto-approve -var-file='${config.sops.templates."radarr/config.tfvars".path}' - ''; - - serviceConfig = { - Type = "oneshot"; - User = cfg.user; - Group = cfg.group; - - WorkingDirectory = "/var/lib/radarrApplyTerraform"; - - EnvironmentFile = [ - config.sops.templates."radarr/config.env".path - ]; - }; - }; - systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; sops = { - secrets = - arr - |> lib.map (service: { - name = "${service}/apikey"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = [ 
"${service}.service" ]; - }; - }) - |> lib.listToAttrs - ; + secrets = { + # "qbittorrent/password" = {}; + "qbittorrent/password_hash" = {}; + }; - templates = - let - apikeys = - arr - |> lib.map (service: { - name = "${service}/config.env"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = [ "${service}.service" ]; - content = '' - ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - - tfvars = - arr - |> lib.map(service: { - name = "${service}/config.tfvars"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = [ "${service}ApplyTerraform.service" ]; - content = '' - api_key = "${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - in - apikeys // tfvars - ; + templates = { + "qbittorrent/password.conf" = { + owner = cfg.user; + group = cfg.group; + restartUnits = ["qbittorrent.service"]; + path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf"; + content = '' + [Preferences] + WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}" + ''; + }; + }; }; }; } diff --git a/modules/nixos/services/media/glance/default.nix b/modules/nixos/services/media/glance/default.nix new file mode 100644 index 0000000..333035d --- /dev/null +++ b/modules/nixos/services/media/glance/default.nix 
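Review bot: The `qbittorrent/password.conf` template is written to `${profileDir}/qBittorrent/config/password.conf`, but qBittorrent reads `qBittorrent.conf` from that directory and nothing in the hunk merges the extra file into it, so the `WebUI\Password_PBKDF2` line is presumably never applied. If the NixOS module's `serverConfig` generates the config, the hash needs to end up in that file instead, otherwise a comment should explain what consumes `password.conf`. Note that `config.services.qbittorrent.profileDir` is referenced here although `services.qbittorrent` is removed from this module in the same file; that relies on the service being enabled elsewhere, which I cannot verify from this diff.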
@@ -0,0 +1,183 @@ +{ + config, + lib, + namespace, + ... +}: let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.glance; +in { + options.${namespace}.services.media.glance = { + enable = mkEnableOption "Enable Glance"; + }; + + config = mkIf cfg.enable { + services.glance = { + enable = true; + openFirewall = true; + + environmentFile = config.sops.templates."glance/secrets.env".path; + + settings = { + server = { + host = "0.0.0.0"; + port = 2000; + }; + + theme = { + # Teal city predefined theme (https://github.com/glanceapp/glance/blob/main/docs/themes.md#teal-city) + background-color = "225 14 15"; + primary-color = "157 47 65"; + contrast-multiplier = 1.1; + }; + + pages = [ + { + name = "Home"; + columns = [ + { + size = "small"; + widgets = [ + { + type = "calendar"; + first-day-of-the-week = "monday"; + } + ]; + } + + { + size = "full"; + widgets = [ + { + type = "monitor"; + cache = "1m"; + title = "Services"; + sites = [ + { + title = "Zitadel"; + url = "https://auth.kruining.eu"; + icon = "sh:zitadel"; + } + { + title = "Forgejo"; + url = "https://git.amarth.cloud/chris"; + icon = "sh:forgejo"; + } + { + title = "Vaultwarden"; + url = "https://vault.kruining.eu"; + icon = "sh:vaultwarden"; + } + ]; + } + { + type = "monitor"; + cache = "1m"; + title = "Observability"; + sites = [ + { + title = "Grafana"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + icon = "sh:grafana"; + } + { + title = "Prometheus"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; + icon = "sh:prometheus"; + } + ]; + } + { + type = "monitor"; + cache = "1m"; + title = "Media"; + sites = [ + { + title = "Jellyfin"; + url = "http://${config.networking.hostName}:8096"; + icon = "sh:jellyfin"; + } + { + title = "Radarr"; + url = "http://${config.networking.hostName}:2001"; + icon = "sh:radarr"; + } + { + title = "Sonarr"; + url = 
"http://${config.networking.hostName}:2002"; + icon = "sh:sonarr"; + } + { + title = "Lidarr"; + url = "http://${config.networking.hostName}:2003"; + icon = "sh:lidarr"; + } + { + title = "Prowlarr"; + url = "http://${config.networking.hostName}:2004"; + icon = "sh:prowlarr"; + } + { + title = "qBittorrent"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + icon = "sh:qbittorrent"; + } + { + title = "SABnzbd"; + url = "http://${config.networking.hostName}:8080"; + icon = "sh:sabnzbd"; + } + ]; + } + { + type = "videos"; + channels = [ + "UCXuqSBlHAE6Xw-yeJA0Tunw" # Linus Tech Tips + "UCR-DXc1voovS8nhAvccRZhg" # Jeff Geerling + "UCsBjURrPoezykLs9EqgamOA" # Fireship + "UCBJycsmduvYEL83R_U4JriQ" # Marques Brownlee + "UCHnyfMqiRRG1u-2MsSQLbXA" # Veritasium + ]; + } + ]; + } + + { + size = "small"; + widgets = [ + { + type = "weather"; + location = "Amsterdam, The Netherlands"; + units = "metric"; + hour-format = "24h"; + } + + { + type = "server-stats"; + servers = [ + { + type = "local"; + name = "Ulmo"; + } + ]; + } + ]; + } + ]; + } + ]; + }; + }; + + sops.templates."glance/secrets.env" = { + # owner = config.services.glance.user; + # group = config.services.glance.group; + content = '' + RADARR_KEY="${config.sops.placeholder."radarr/apikey"}" + SONARR_KEY="${config.sops.placeholder."sonarr/apikey"}" + LIDARR_KEY="${config.sops.placeholder."lidarr/apikey"}" + ''; + }; + }; +} diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix deleted file mode 100644 index 79633ab..0000000 --- a/modules/nixos/services/media/homer/default.nix +++ /dev/null 
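Review bot: `sops.templates."glance/secrets.env"` hands `RADARR_KEY`, `SONARR_KEY` and `LIDARR_KEY` to the Glance process, but no widget in `settings` references them, so three API keys are exposed to a dashboard that does not use them; drop the template (or the unused lines) until a widget needs them. The placeholders also require `radarr/apikey` and friends to be declared somewhere, and this commit removes that declaration from the media module, so evaluation depends on the servarr module declaring them, which is outside this diff. With `host = "0.0.0.0"` and `openFirewall = true` the dashboard is reachable from the network with no `auth` block in `settings`; either bind to loopback behind the existing Caddy or configure Glance's authentication. Finally, the removed homer config carried a literal Jellyfin `apikey`; deleting the file does not scrub it from history, so that key should be rotated.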
@@ -1,161 +0,0 @@ -{ config, lib, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.media.homer; -in -{ - options.${namespace}.services.media.homer = { - enable = mkEnableOption "Enable homer"; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 2000 ]; - - services = { - homer = { - enable = true; - - virtualHost = { - caddy.enable = true; - domain = "http://:2000"; - }; - - settings = { - title = "Ulmo dashboard"; - - columns = 4; - connectivityCheck = true; - - links = []; - - services = [ - { - name = "Services"; - items = [ - { - name = "Zitadel"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; - tag = "app"; - url = "https://auth.kruining.eu"; - target = "_blank"; - } - - { - name = "Forgejo"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; - tag = "app"; - type = "Gitea"; - url = "https://git.amarth.cloud"; - target = "_blank"; - } - - { - name = "Vaultwarden"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; - type = "Vaultwarden"; - tag = "app"; - url = "https://vault.kruining.eu"; - target = "_blank"; - } - ]; - } - - { - name = "Observability"; - items = [ - { - name = "Grafana"; - type = "Grafana"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; - target = "_blank"; - } - - { - name = "Prometheus"; - type = "Prometheus"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; - target = "_blank"; - } - ]; - } - - { - name = "Media"; - items = [ - { - name = "Jellyfin (Movies)"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; - tag = "app"; - type = "Emby"; - url = 
"http://${config.networking.hostName}:8096"; - apikey = "e3ceed943eeb409ba8342738db7cc1f5"; - libraryType = "movies"; - target = "_blank"; - } - - { - name = "Radarr"; - type = "Radarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2001"; - target = "_blank"; - } - - { - name = "Sonarr"; - type = "Sonarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2002"; - target = "_blank"; - } - - { - name = "Lidarr"; - type = "Lidarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2003"; - target = "_blank"; - } - - { - name = "Prowlarr"; - type = "Prowlarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2004"; - target = "_blank"; - } - - { - name = "qBittorrent"; - type = "qBittorrent"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; - target = "_blank"; - } - - { - name = "SABnzbd"; - type = "SABnzbd"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:8080"; - target = "_blank"; - } - ]; - } - ]; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix new file mode 100644 index 0000000..2bee38a --- /dev/null +++ b/modules/nixos/services/media/mydia/default.nix 
@@ -0,0 +1,86 @@
+{
+ config,
+ lib,
+ namespace,
+ inputs,
+ system,
+ ...
+}: let
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.services.media.mydia;
+in {
+ imports = [
+ inputs.mydia.nixosModules.default
+ ];
+
+ options.${namespace}.services.media.mydia = {
+ enable = mkEnableOption "Enable Mydia";
+ };
+
+ config = mkIf cfg.enable {
+ services.mydia = {
+ enable = true;
+
+ port = 2010;
+ listenAddress = "0.0.0.0";
+ openFirewall = true;
+
+ mediaLibraries = [
+ "/var/mydia/movies"
+ "/var/mydia/series"
+ ];
+
+ database = {
+ # type = "sqlite";
+ # uri = "file:///var/lib/mydia/mydia.db";
+ type = "postgres";
+ uri = "postgres://mydia@localhost:5432/mydia?sslmode=disable";
+ passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
+ };
+
+ secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path;
+ guardianSecretKeyFile = config.sops.secrets."mydia/guardian_secret".path;
+
+ oidc = {
+ enable = true;
+ issuer = "https://auth.kruining.eu";
+ clientIdFile = config.sops.secrets."mydia/oidc_id".path;
+ clientSecretFile = config.sops.secrets."mydia/oidc_secret".path;
+ scopes = ["openid" "profile" "email"];
+ };
+
+ downloadClients = {
+ qbittorrent = {
+ type = "qbittorrent";
+ host = "localhost";
+ port = 2008;
+ username = "admin";
+ passwordFile = config.sops.secrets."mydia/qbittorrent_password".path;
+ useSsl = false;
+ };
+ };
+ };
+
+ sops.secrets = let
+ base =
+ ["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"]
+ |> lib.map (name:
+ lib.nameValuePair "mydia/${name}" {
+ owner = config.services.mydia.user;
+ group = config.services.mydia.group;
+ restartUnits = ["mydia.service"];
+ })
+ |> lib.listToAttrs;
+ in
+ base
+ // {
+ "mydia/qbittorrent_password" = {
+ owner = config.services.mydia.user;
+ group = config.services.mydia.group;
+ restartUnits = ["mydia.service"];
+ key = "qbittorrent/password";
+ };
+ };
+ };
+}
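Review bot: `database.passwordFile` points at the `mydia/qbittorrent_password` secret, whose `key` is `qbittorrent/password`, so the Postgres role password for `mydia` becomes the same value as the qBittorrent admin password used under `downloadClients`; unless that reuse is deliberate, the database should get its own secret, e.g. `passwordFile = config.sops.secrets."mydia/db_password".path;` with `"db_password"` added to the `base` list under `sops.secrets`. The service binds `listenAddress = "0.0.0.0"` with `openFirewall = true` while the database URI carries `sslmode=disable`; that is acceptable for a loopback Postgres, but a comment above `database` stating that the connection is local-only would make the intent explicit. A short comment above the `"mydia/qbittorrent_password"` entry explaining why the shared qBittorrent password is mirrored into the mydia namespace would also help the next reader.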
diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index 097a36b..373e09b 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -1,14 +1,20 @@ -{ pkgs, config, lib, namespace, inputs, system, ... }: -let +{ + pkgs, + config, + lib, + namespace, + inputs, + system, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types; cfg = config.${namespace}.services.media.servarr; -in -{ +in { options.${namespace}.services.media = { servarr = mkOption { - type = types.attrsOf (types.submodule ({ name, ... }: { + type = types.attrsOf (types.submodule ({name, ...}: { options = { enable = mkEnableOption "Enable ${name}"; debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} "; 
@@ -28,61 +34,106 @@ in }; config = { - services = + services = cfg - |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable { - "${service}" = { - enable = true; - openFirewall = true; + |> lib.mapAttrsToList (service: { + enable, + port, + ... + }: (mkIf enable { + "${service}" = + { + enable = true; + openFirewall = true; - environmentFiles = [ - config.sops.templates."${service}/config.env".path - ]; + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; - settings = { - auth.authenticationMethod = "External"; + settings = { + auth.authenticationMethod = "External"; - server = { - bindaddress = "0.0.0.0"; - port = port; + server = { + bindaddress = "0.0.0.0"; + port = port; + }; + + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; }; - - postgres = { - host = "localhost"; - port = "5432"; - user = service; - maindb = service; - logdb = service; - }; - }; - }; - })) - |> lib.mergeAttrsList - |> (set: set // { - postgres = { - ensureDatabases = cfg |> lib.attrNames; - ensureUsers = cfg |> lib.attrNames |> lib.map (service: { - name = service; - ensureDBOwnership = true; + } + // (lib.optionalAttrs (service != "prowlarr") { + user = service; + group = "media"; }); - }; - }) - ; + })) + |> lib.mkMerge + |> (set: + set + // { + qbittorrent = { + enable = true; + openFirewall = true; + webuiPort = 2008; - systemd = + serverConfig = { + LegalNotice.Accepted = true; + + Prefecences.WebUI = { + Username = "admin"; + }; + }; + + user = "qbittorrent"; + group = "media"; + }; + + # port is harcoded in nixpkgs module + sabnzbd = { + enable = true; + openFirewall = true; + configFile = "${cfg.path}/sabnzbd/config.ini"; + + user = "sabnzbd"; + group = "media"; + }; + + postgresql = { + ensureDatabases = cfg |> lib.attrNames; + ensureUsers = + cfg + |> lib.attrNames + |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + }); + + systemd.services = 
cfg - |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { - tmpfiles.rules = [ - "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -" - ]; - - services."${service}ApplyTerraform" = - let + |> lib.mapAttrsToList (service: { + enable, + debug, + port, + rootFolders, + ... + }: (mkIf enable { + "${service}ApplyTerraform" = let terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; modules = [ - ({ config, lib, ... }: { + ({ + config, + lib, + ... + }: { config = { variable = { api_key = { @@ -93,7 +144,17 @@ in terraform.required_providers.${service} = { source = "devopsarr/${service}"; - version = "2.2.0"; + version = + { + radarr = "2.3.3"; + sonarr = "3.4.0"; + prowlarr = "3.1.0"; + lidarr = "1.13.0"; + readarr = "2.1.0"; + whisparr = "1.2.0"; + }.${ + service + }; }; provider.${service} = { @@ -102,26 +163,32 @@ in }; resource = { - "${service}_root_folder" = + "${service}_root_folder" = mkIf (lib.elem service ["radarr" "sonarr" "whisparr"]) ( rootFolders - |> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; }) + |> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;}) |> lib.listToAttrs - ; + ); }; }; }) ]; }; - in - { + in { description = "${service} terraform apply"; - wantedBy = [ "multi-user.target" ]; - wants = [ "${service}.service" ]; - - script = '' - #!/usr/bin/env bash + wantedBy = ["multi-user.target"]; + wants = ["${service}.service"]; + preStart = '' + install -d -m 0770 -o ${service} -g media /var/lib/${service}ApplyTerraform + ${ + rootFolders + |> lib.map (folder: "install -d -m 0770 -o media -g media ${folder}") + |> lib.join "\n" + } + ''; + + script = '' # Sleep for a bit to give the service a chance to start up sleep 5s 
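Review bot: `Prefecences.WebUI` in the new `qbittorrent.serverConfig` is misspelt; if the module writes `serverConfig` through to qBittorrent's config as-is, the misspelt section is silently ignored and `Username = "admin"` never applies, so it should read `Preferences.WebUI = { Username = "admin"; };`. The hunk sets a WebUI username but no password, while the secrets file in this same diff gains a `qbittorrent/password_hash`; presumably that hash is meant to be wired in here, and a comment saying where the WebUI password is expected to come from would avoid the question. The comment `# port is harcoded in nixpkgs module` has a typo (`hardcoded`). The `config = {` block that this `services` assignment belongs to continues past the hunk.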
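Review bot: The new `preStart` runs `install -d -m 0770 -o ${service} -g media /var/lib/${service}ApplyTerraform` and creates each root folder owned by `media`, but the unit runs as `User = service` (see `serviceConfig` in the following hunk) and, as far as I can tell, NixOS `preStart` executes under that same user, so creating directories under `/var/lib` and chowning them to `media` will most likely fail with EPERM unless the parents already exist and are writable by the service user. The `systemd.tmpfiles.rules` entry this commit removes did that work as root; restoring it, or declaring `serviceConfig.StateDirectory = "${service}ApplyTerraform";` and keeping the `rootFolders` in `systemd.tmpfiles.rules`, keeps the unit unprivileged. The folder paths are also interpolated unquoted into the shell line; `lib.escapeShellArg folder` guards against paths containing spaces or shell metacharacters. The service definition continues beyond this hunk's last line.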
@@ -137,18 +204,22 @@ in cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init + ${lib.getExe pkgs.opentofu} init -upgrade # Run the infrastructure code ${lib.getExe pkgs.opentofu} \ - ${if debug then "plan" else "apply -auto-approve"} \ + ${ + if debug + then "plan" + else "apply -auto-approve" + } \ -var-file='${config.sops.templates."${service}/config.tfvars".path}' ''; serviceConfig = { Type = "oneshot"; User = service; - Group = service; + Group = "media"; WorkingDirectory = "/var/lib/${service}ApplyTerraform"; @@ -158,31 +229,34 @@ in }; }; })) - |> lib.mergeAttrsList - ; + |> lib.mkMerge; - users.users = + users = cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { - "${service}".extraGroups = [ "media" ]; + |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { + users.${service} = { + isSystemUser = true; + group = lib.mkDefault service; + extraGroups = ["media"]; + }; + groups.${service} = {}; })) - |> lib.mergeAttrsList - ; + |> lib.mkMerge; - sops = + sops = cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { + |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { secrets."${service}/apikey" = { owner = service; - group = service; - restartUnits = [ "${service}.service" ]; + group = "media"; + restartUnits = ["${service}.service"]; }; templates = { "${service}/config.env" = { owner = service; - group = service; - restartUnits = [ "${service}.service" ]; + group = "media"; + restartUnits = ["${service}.service"]; content = '' ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" ''; 
@@ -190,25 +264,14 @@ in "${service}/config.tfvars" = { owner = service; - group = service; - restartUnits = [ "${service}.service" ]; + group = "media"; + restartUnits = ["${service}.service"]; content = '' api_key = "${config.sops.placeholder."${service}/apikey"}" ''; }; }; })) - |> lib.mergeAttrsList - ; + |> lib.mkMerge; }; - - - # cfg - # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { - - # # sops = { - # # }; - # })) - # |> lib.mergeAttrsList - # ; } diff --git a/modules/nixos/services/persistance/convex/default.nix b/modules/nixos/services/persistance/convex/default.nix new file mode 100644 index 0000000..3e01c59 --- /dev/null +++ b/modules/nixos/services/persistance/convex/default.nix @@ -0,0 +1,21 @@ +{ config, pkgs, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.persistance.convex; +in +{ + imports = [ ./source.nix ]; + + options.${namespace}.services.persistance.convex = { + enable = mkEnableOption "enable Convex"; + }; + + config = mkIf cfg.enable { + services.convex = { + enable = true; + package = pkgs.${namespace}.convex; + secret = "ThisIsMyAwesomeSecret"; + }; + }; +} diff --git a/modules/nixos/services/persistance/convex/source.nix b/modules/nixos/services/persistance/convex/source.nix new file mode 100644 index 0000000..c56e3ab --- /dev/null +++ b/modules/nixos/services/persistance/convex/source.nix 
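Review bot: `secret = "ThisIsMyAwesomeSecret";` commits the Convex instance secret to the repository and, because it is part of the evaluated configuration, places it in the world-readable Nix store on the target host; it should come from sops like the other modules in this diff, e.g. `secretFile = config.sops.secrets."convex/secret".path;` consumed by the service module instead of an inline string. The `services.convex.secret` option as defined in the accompanying `source.nix` only accepts a plain string, so that module needs a file-based option before this can change. A one-line comment noting that `package = pkgs.${namespace}.convex` refers to the in-tree package under `packages/convex` would help the reader.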
@@ -0,0 +1,149 @@
+{ config, pkgs, lib, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types;
+
+ cfg = config.services.convex;
+
+ default_user = "convex";
+ default_group = "convex";
+in
+{
+ options.services.convex = {
+ enable = mkEnableOption "enable Convex (backend only for now)";
+
+ package = mkPackageOption pkgs "convex" {};
+
+ name = lib.mkOption {
+ type = types.str;
+ default = "convex";
+ description = ''
+ Name for the instance.
+ '';
+ };
+
+ secret = lib.mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Secret for the instance.
+ '';
+ };
+
+ apiPort = mkOption {
+ type = types.port;
+ default = 3210;
+ description = ''
+ The TCP port to use for the API.
+ '';
+ };
+
+ actionsPort = mkOption {
+ type = types.port;
+ default = 3211;
+ description = ''
+ The TCP port to use for the HTTP actions.
+ '';
+ };
+
+ dashboardPort = mkOption {
+ type = types.port;
+ default = 6791;
+ description = ''
+ The TCP port to use for the Dashboard.
+ '';
+ };
+
+ openFirewall = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open ports in the firewall for the server.
+ '';
+ };
+
+ user = lib.mkOption {
+ type = types.str;
+ default = default_user;
+ description = ''
+ As which user to run the service.
+ '';
+ };
+
+ group = lib.mkOption {
+ type = types.str;
+ default = default_group;
+ description = ''
+ As which group to run the service.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.secret != "";
+ message = ''
+ No secret provided for convex
+ '';
+ }
+ ];
+
+ users = {
+ users.${cfg.user} = {
+ description = "System user for convex service";
+ isSystemUser = true;
+ group = cfg.group;
+ };
+
+ groups.${cfg.group} = {};
+ };
+
+ networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ];
+
+ environment.systemPackages = [ cfg.package ];
+
+ systemd.services.convex = {
+ description = "Convex Backend server";
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}";
+ Type = "notify";
+
+ User = cfg.user;
+ Group = cfg.group;
+
+ RuntimeDirectory = "convex";
+ RuntimeDirectoryMode = "0775";
+ StateDirectory = "convex";
+ StateDirectoryMode = "0775";
+ Umask = "0077";
+
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix
index abab566..07f7058 100644
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
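Review bot: `ExecStart` interpolates `cfg.secret` into the command line, so the instance secret ends up in the Nix store, in the unit file, in `systemctl show` output and in the process argv; a `secretFile` option delivered through `LoadCredential` (and read from `$CREDENTIALS_DIRECTORY` by a small wrapper in `script`, if the binary offers no environment or file form for the secret) keeps it out of the store and the unit file. Two further defects sit in the same hunk: `optional cfg.openFirewall [ ... ]` yields a list containing a list, which `allowedTCPPorts` rejects — it should be `optionals cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ]` — and `"${cfg.package}/bin --instance-name ..."` names the `bin` directory rather than an executable, so `${lib.getExe cfg.package}` (or the explicit binary path) is needed. `RuntimeDirectoryMode`/`StateDirectoryMode = "0775"` combined with `Umask = "0077"` is inconsistent; either tighten them to `"0750"` or add a comment naming the other group that is meant to share those directories.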
@@ -1,25 +1,31 @@ -{ pkgs, config, lib, namespace, ... }: -let +{ + pkgs, + config, + lib, + namespace, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; - databaseProviderSqlite = types.submodule ({ ... }: { + databaseProviderSqlite = types.submodule ({...}: { options = { type = mkOption { - type = types.enum [ "sqlite" ]; + type = types.enum ["sqlite"]; }; file = mkOption { - type = types.str; - description = ''''; + type = types.path; + description = '' + Path to sqlite database file. + ''; }; }; }); - databaseProviderPostgresql = types.submodule ({ ... }: - let + databaseProviderPostgresql = types.submodule ({...}: let urlOptions = lib.${namespace}.options.mkUrlOptions { host = { description = '' 
@@ -40,36 +46,36 @@ let example = "postgres"; }; }; - in - { - options = { - type = mkOption { - type = types.enum [ "postgresql" ]; - }; + in { + options = + { + type = mkOption { + type = types.enum ["postgresql"]; + }; - sslMode = mkOption { - type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; - default = "verify-full"; - example = "verify-ca"; - description = '' - How to verify the server's ssl + sslMode = mkOption { + type = types.enum ["verify-ca" "verify-full" "require" "prefer" "allow" "disabled"]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl - | mode | eavesdropping protection | MITM protection | Statement | - |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| - | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | - | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | - | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | - | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | - | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | - | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. 
| - - [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) - ''; - }; - } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } + // (urlOptions |> getAttrs ["protocol" "host" "port"]); }); -in -{ +in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; @@ -136,7 +142,7 @@ in postgresql = { enable = true; - ensureDatabases = [ "vaultwarden" ]; + ensureDatabases = ["vaultwarden"]; ensureUsers = [ { name = "vaultwarden"; 
@@ -171,7 +177,7 @@ in owner = config.users.users.vaultwarden.name; group = config.users.users.vaultwarden.name; key = "email/chris_kruining_eu"; - restartUnits = [ "vaultwarden.service" ]; + restartUnits = ["vaultwarden.service"]; }; }; @@ -183,34 +189,31 @@ in owner = config.users.users.vaultwarden.name; group = config.users.groups.vaultwarden.name; }; - temp-db-output.content = - let - config = - cfg.database - |> ({ type, ... }@db: - if type == "sqlite" then - { inherit (db) type file; } - else if type == "postgresql" then - { - inherit (db) type; - url = lib.${namespace}.strings.toUrl { - inherit (db) protocol host port; - path = "vaultwarden"; - query = { - sslmode = db.sslMode; - }; + temp-db-output.content = let + config = + cfg.database + |> ( + {type, ...} @ db: + if type == "sqlite" + then {inherit (db) type file;} + else if type == "postgresql" + then { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; }; - } - else - {} - ) - |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") - ; - in - '' - # GENERATED VALUES - ${config} - ''; + }; + } + else {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}"); + in '' + # GENERATED VALUES + ${config} + ''; }; }; }; diff --git a/modules/nixos/shells/default.nix b/modules/nixos/shells/default.nix index 6b5c058..ea8f50d 100644 --- a/modules/nixos/shells/default.nix +++ b/modules/nixos/shells/default.nix @@ -1,2 +1,2 @@ -{ ... }: -{} \ No newline at end of file +{...}: { +} diff --git a/packages/convex/default.nix b/packages/convex/default.nix new file mode 100644 index 0000000..9dab056 --- /dev/null +++ b/packages/convex/default.nix 
@@ -0,0 +1,59 @@
+{
+ lib,
+ stdenv,
+ rustPlatform,
+ fetchFromGitHub,
+
+ # dependencies
+ openssl,
+ pkg-config,
+ cmake,
+ llvmPackages,
+ postgresql,
+ sqlite,
+
+ #options
+ dbBackend ? "postgresql",
+
+ ...
+}:
+rustPlatform.buildRustPackage rec {
+ pname = "convex";
+ version = "2025-08-20-c9b561e";
+
+ src = fetchFromGitHub {
+ owner = "get-convex";
+ repo = "convex-backend";
+ rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555";
+ hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0=";
+ };
+
+ cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho=";
+
+ cargoBuildFlags = [
+ "-p" "local_backend"
+ "--bin" "convex-local-backend"
+ ];
+
+ env = {
+ LIBCLANG_PATH = "${llvmPackages.libclang}/lib";
+ };
+
+ strictDeps = true;
+
+ # Build-time dependencies
+ nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ];
+
+ # Run-time dependencies
+ buildInputs =
+ [ openssl ]
+ ++ lib.optional (dbBackend == "sqlite") sqlite
+ ++ lib.optional (dbBackend == "postgresql") postgresql;
+
+ buildFeatures = "";
+
+ meta = with lib; {
+ license = licenses.fsl11Asl20;
+ mainProgram = "convex";
+ };
+}
\ No newline at end of file
diff --git a/shells/default/default.nix b/shells/default/default.nix
index 1749c48..5bd5b5f 100644
--- a/shells/default/default.nix
+++ b/shells/default/default.nix
@@ -1,5 +1,10 @@
-{ mkShell, inputs, pkgs, ... }:
-
+ {
+ mkShell,
+ inputs,
+ pkgs,
+ stdenv,
+ ...
+}:
 mkShell {
 packages = with pkgs; [
 bash
@@ -7,6 +12,10 @@ mkShell {
 just
 yq
 pwgen
- inputs.clan-core.packages.x86_64-linux.clan-cli
+ alejandra
+ nil
+ nixd
+ openssl
+ inputs.clan-core.packages.${stdenv.hostPlatform.system}.clan-cli
 ];
-}
\ No newline at end of file
+}
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index 0310818..e8602b5 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@@ -1,5 +1,4 @@
-{ ... }:
-{
+{...}: {
 imports = [
 ./disks.nix
 ./hardware.nix
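Review bot: `meta.mainProgram = "convex"` does not match the binary selected by `cargoBuildFlags` (`--bin convex-local-backend`), so `lib.getExe` on this package would presumably resolve to a path that does not exist in the output; set `mainProgram = "convex-local-backend";` or add a `postInstall` symlink named `convex`. `buildFeatures = "";` is a string where `buildRustPackage` expects a list of feature names; use `buildFeatures = [ ];` or drop the attribute so no empty `--features` argument is passed. The `#options` comment also lacks the space after `#` that the file's other comments use.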
@@ -8,7 +7,10 @@ networking = { interfaces.enp2s0 = { ipv6.addresses = [ - { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } + { + address = "2a0d:6e00:1dc9:0::dead:beef"; + prefixLength = 64; + } ]; useDHCP = true; @@ -39,7 +41,7 @@ sneeuwvlok = { services = { backup.borg.enable = true; - + authentication.zitadel = { enable = true; @@ -51,8 +53,8 @@ firstName = "Chris"; lastName = "Kruining"; - roles = [ "ORG_OWNER" ]; - instanceRoles = [ "IAM_OWNER" ]; + roles = ["ORG_OWNER"]; + instanceRoles = ["IAM_OWNER"]; }; kaas = { @@ -78,27 +80,27 @@ }; assign = { - chris = [ "jellyfin" "jellyfin_admin" ]; - kaas = [ "jellyfin" ]; + chris = ["jellyfin" "jellyfin_admin"]; + kaas = ["jellyfin"]; }; application = { jellyfin = { - redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://jellyfin.kruining.eu/sso/OID/redirect/zitadel"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; forgejo = { - redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://git.amarth.cloud/user/oauth2/zitadel/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; vaultwarden = { - redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://vault.kruining.eu/identity/connect/oidc-signin"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; exportMap = { client_id = "SSO_CLIENT_ID"; client_secret = "SSO_CLIENT_SECRET"; 
@@ -106,9 +108,15 @@ }; matrix = { - redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://matrix.kruining.eu/_synapse/client/oidc/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; + }; + + mydia = { + redirectUris = ["http://localhost:2010/auth/oidc/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; }; }; @@ -121,9 +129,9 @@ if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) { return; } - + const roles = ctx.v1.user.grants.grants.flatMap(({ roles, projectId }) => roles.map(role => projectId + ':' + role)); - + api.v1.claims.setClaim('nix:zitadel:custom', JSON.stringify({ roles })); }; ''; @@ -131,8 +139,16 @@ }; triggers = [ - { flowType = "customiseToken"; triggerType = "preUserinfoCreation"; actions = [ "flattenRoles" ]; } - { flowType = "customiseToken"; triggerType = "preAccessTokenCreation"; actions = [ "flattenRoles" ]; } + { + flowType = "customiseToken"; + triggerType = "preUserinfoCreation"; + actions = ["flattenRoles"]; + } + { + flowType = "customiseToken"; + triggerType = "preAccessTokenCreation"; + actions = ["flattenRoles"]; + } ]; }; }; @@ -145,12 +161,17 @@ networking.ssh.enable = true; media.enable = true; - media.homer.enable = true; + media.glance.enable = true; + media.mydia.enable = true; media.nfs.enable = true; media.servarr = { - # radarr = { - # port = 2001; - # }; + radarr = { + enable = true; + port = 2001; + rootFolders = [ + "/var/media/movies" + ]; + }; sonarr = { enable = true; @@ -185,12 +206,14 @@ # uptime-kuma.enable = true; }; + persistance.convex.enable = true; + security.vaultwarden = { enable = true; database = { # type = "sqlite"; # file = "/var/lib/vaultwarden/state.db"; - + type = "postgresql"; host = "localhost"; port = 5432; 
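Review bot: The new `mydia` Zitadel application registers `http://localhost:2010/auth/oidc/callback` as its only redirect URI, a plain-HTTP loopback address, while the mydia module in this same diff binds `0.0.0.0` and opens the firewall; a browser reaching the dashboard from another host will be redirected to its own `localhost` after login, and the authorization code travels in cleartext. Every other application in this block uses an `https://` hostname; presumably mydia should do the same once it sits behind the reverse proxy, otherwise a comment such as `# TODO: switch to the public https URL once mydia is proxied` should record that this is intentionally local-only for now. The `application` attribute set continues beyond this hunk.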
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml
index 7a26401..086d86d 100644
--- a/systems/x86_64-linux/ulmo/secrets.yml
+++ b/systems/x86_64-linux/ulmo/secrets.yml
@@ -19,6 +19,14 @@ lidarr:
 apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str]
 prowlarr:
 apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str]
+mydia:
+ oidc_id: ENC[AES256_GCM,data:LfYWh9EC0aio3w1Xsj/jtU6z,iv:+dX9KkNtfQMYSX4yr83KyXalWMD/aWby7fC8aL4ZT3I=,tag:CvdbMoMTuC9FohTMIE5pmg==,type:str]
+ oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str]
+ secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str]
+ guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str]
+qbittorrent:
+ password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str]
+ password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str]
 sops:
 age:
 - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
@@ -39,7 +47,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-19T09:51:26Z"
- mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str]
+ lastmodified: "2025-12-04T11:24:52Z"
+ mac: ENC[AES256_GCM,data:jIgkl1lcVDSlKqJs9fjaHUAZsGL+22T86/qqKyDziHl0+VU763Ezwm8P+la+55jIIT2zLhFcUjhn2BabBi90OeEPztAC4rGpZj6+ZZ0GDCj/JhjPAAo3LgAKOCG0Xgf8MZWr/rXd6bLhW7Qj36PMJnap26rjEiUZeSvpWS2dz8g=,iv:CDx8fBI9Dl1uwrbMD1fa7/h3C7haK3xZxJI59mtL1LA=,tag:2UDRFJoevGEBKZA/9eUiOw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0