diff --git a/.just/vars.just b/.just/vars.just index d8bd181..b4d6be2 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,23 +1,19 @@ -set unstable - base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" -sops := "sops" -yq := "yq" +sops := "nix shell nixpkgs#sops --command sops" +yq := "nix shell nixpkgs#yq --command yq" @_default: just --list [doc('list all vars of the target machine')] list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml @edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml + {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null @@ -25,10 +21,10 @@ list machine: echo "Done" @get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" + {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml | {{ yq }} ".$(echo "{{ key }}" | sed -E 's/\//./g')" @remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null diff --git a/flake.lock b/flake.lock index 9d38839..5ed2f72 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1763547157, - "narHash": "sha256-lJcMap2uT+x1R8WUUKKQ6ndynysJ/JOkrMThMGz6DP0=", - "rev": "2cb2134a6ee32d427097077c4fb4c416b52ae988", + "lastModified": 1762254206, + "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", + "rev": "43a7652624e76d60a93325c711d01620801d4382", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/2cb2134a6ee32d427097077c4fb4c416b52ae988.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" }, "original": { "type": "tarball", @@ -111,11 +111,11 @@ ] }, "locked": { - "lastModified": 1762942435, - "narHash": "sha256-zIWGs5FIytTtJN+dhDb8Yx+q4TQI/yczuL539yVcyPE=", - "rev": "0ee328404b12c65e8106bde9e9fab8abf4ecada4", + "lastModified": 1760612273, + "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", + "rev": "0099739c78be750b215cbdefafc9ba1533609393", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0ee328404b12c65e8106bde9e9fab8abf4ecada4.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" }, "original": { "type": "tarball", @@ -130,11 +130,11 @@ ] }, "locked": { - "lastModified": 1762276996, - "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", + "lastModified": 1761899396, + "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", "owner": "nix-community", "repo": "disko", - "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", + "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", "type": "github" }, "original": { @@ -149,11 +149,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1762360792, - "narHash": "sha256-YR7vqk+XEvFUQ/miuBAD3+p+97QUN86ya9Aw0K5feJE=", + "lastModified": 1759842236, + "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "9075dff5685d3e7269284e53ca496da0beb24596", + "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", "type": "github" }, "original": { @@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1763534658, - "narHash": "sha256-i/51/Zi/1pM9hZxxSuA3nVPpyqlGoWwJwajyA/loOpo=", + "lastModified": 1760510549, + "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", "owner": "nix-community", "repo": "fenix", - "rev": "69e40ddf45698d0115a62a7a15d8412f35dd4c09", + "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1763504432, - "narHash": "sha256-kpmPI67TdoTxiK7LsmgmkKW3iHoyvZJwZeiJhpwPfmw=", + "lastModified": 1760548798, + "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "49d5d8d42a7650e5353f8467c813839290cb7c9f", + "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "flake-compat_2": { "locked": { - "lastModified": 1761640442, - "narHash": "sha256-AtrEP6Jmdvrqiv4x2xa5mrtaIp3OEe8uBYCDZDS+hu8=", + "lastModified": 1746162366, + "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=", "owner": "nix-community", "repo": "flake-compat", - "rev": "4a56054d8ffc173222d09dad23adf4ba946c8884", + "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b", "type": "github" }, "original": { @@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1762980239, - "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", + "lastModified": 1762040540, + "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", + "rev": "0010412d62a25d959151790968765a70c436598b", "type": "github" }, "original": { @@ -327,11 +327,11 @@ ] }, "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", + "lastModified": 1759362264, + "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", + "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "type": "github" }, "original": { @@ -510,20 +510,18 @@ "gnome-shell": { "flake": false, "locked": { - "host": "gitlab.gnome.org", - "lastModified": 1762869044, - "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=", + "lastModified": 1748186689, + "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad", - "type": "gitlab" + "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", + "type": "github" }, "original": { - "host": "gitlab.gnome.org", "owner": "GNOME", - "ref": "gnome-49", + "ref": "48.2", "repo": "gnome-shell", - "type": "gitlab" + "type": "github" } }, "grub2-themes": { @@ -553,11 +551,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1763486183, - "narHash": "sha256-10EvBTF9ELezWg+KoKZJ3bxrPzT1Xz95ifurC6HixLY=", + "lastModified": 1760546650, + "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "fb27f4bee812e4b4df9df9f78bd5280f0aa2193c", + "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", "type": "github" }, "original": { @@ -573,11 +571,11 @@ ] }, "locked": { - "lastModified": 1763416652, - "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=", + "lastModified": 1760500983, + "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", "owner": "nix-community", "repo": "home-manager", - "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312", + "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", "type": "github" }, "original": { @@ -594,11 +592,11 @@ ] }, "locked": { - "lastModified": 1762964643, - "narHash": "sha256-RYHN8O/Aja59XDji6WSJZPkJpYVUfpSkyH+PEupBJqM=", + "lastModified": 1752603129, + "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", "owner": "nix-community", "repo": "home-manager", - "rev": "827f2a23373a774a8805f84ca5344654c31f354b", + "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", "type": "github" }, "original": { @@ -615,11 +613,11 @@ ] }, "locked": { - "lastModified": 1763453666, - "narHash": "sha256-Hu8lDUlbMFvcYX30LBXX7Gq5FbU35bERH0pSX5qHf/Q=", + "lastModified": 1760534924, + "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "b843b551415c7aecc97c8b3ab3fff26fd0cd8bbf", + "rev": "100b4e000032b865563a9754e5bca189bc544764", "type": "github" }, "original": { @@ -670,11 +668,11 @@ ] }, "locked": { - "lastModified": 1763136804, - "narHash": "sha256-6p2ljK42s0S8zS0UU59EsEqupz0GVCaBYRylpUadeBM=", + "lastModified": 1762186368, + "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "973db96394513fd90270ea5a1211a82a4a0ba47f", + "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", "type": "github" }, "original": { @@ -712,11 +710,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1763171892, - "narHash": "sha256-6cg9zSiqKA89yJzVtYhBaBptqq6bX4pr4g7WLAHOD4Y=", + "lastModified": 1760493654, + "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "316858c27d278b20e776cd4dd8f787812f587ba2", + "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", "type": "github" }, "original": { @@ -727,11 +725,11 @@ }, "nix-select": { "locked": { - "lastModified": 1763303120, - "narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=", - "rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9", + "lastModified": 1755887746, + "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", + "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" }, "original": { "type": "tarball", @@ -770,11 +768,11 @@ }, "nixos-facter-modules": { "locked": { - "lastModified": 1762264948, - "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=", + "lastModified": 1761137276, + "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", "owner": "nix-community", "repo": "nixos-facter-modules", - "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96", + "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", "type": "github" }, "original": { @@ -812,11 +810,11 @@ ] }, "locked": { - "lastModified": 1763537456, - "narHash": "sha256-/WRqcqeE9C+mxxWgI7jy5blMrvg2lHFSlTFjC8pRWos=", + "lastModified": 1760536587, + "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "cd9eb5225fc91eb67629966844d2ff371824abb1", + "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", "type": "github" }, "original": { @@ -827,11 +825,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761828793, - "narHash": "sha256-xjdPwMD4wVuDD85U+3KST62VzFkJueI6oBwIzpzUHLY=", + "lastModified": 1759360550, + "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "843859a08e114403f44aaf5b996b44c38094aa46", + "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", "type": "github" }, "original": { @@ -858,11 +856,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1763469780, - "narHash": "sha256-IW67Db/wBNQwJ5e0fF9Yk4SmdivMcecrUVDs7QJoC/s=", + "lastModified": 1760479263, + "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a70b03ca5dc9d46294740f165abdef9f9bea5632", + "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", "type": "github" }, "original": { @@ -890,11 +888,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1763547551, - "narHash": "sha256-YOdXVAqEGmrPUgs71r8ziuu9qqpn3jJEiIxsIls+VQA=", + "lastModified": 1760548845, + "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "06aa4d5f488875b6af46e10b45b8000ed0906860", + "rev": "631597d659c37aa267eed8334271d5205244195e", "type": "github" }, "original": { @@ -922,11 +920,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1763421233, - "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", + "lastModified": 1760284886, + "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", + "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", "type": "github" }, "original": { @@ -938,11 +936,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1761880412, - "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", + "lastModified": 1759386674, + "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", + "rev": "625ad6366178f03acd79f9e3822606dd7985b657", "type": "github" }, "original": { @@ -954,11 +952,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1763191728, - "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=", + "lastModified": 1760164275, + "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c", + "rev": "362791944032cb532aabbeed7887a441496d5e6e", "type": "github" }, "original": { @@ -970,11 +968,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1762977756, - "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", + "lastModified": 1758690382, + "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", + "rev": "e643668fd71b949c53f8626614b21ff71a07379d", "type": "github" }, "original": { @@ -1018,11 +1016,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1762622004, - "narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=", + "lastModified": 1760153667, + "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", "owner": "notashelf", "repo": "nvf", - "rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909", + "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", "type": "github" }, "original": { @@ -1041,11 +1039,11 @@ ] }, "locked": { - "lastModified": 1762784320, - "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=", + "lastModified": 1759321049, + "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321", + "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", "type": "github" }, "original": { @@ -1082,11 +1080,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1762860488, - "narHash": "sha256-rMfWMCOo/pPefM2We0iMBLi2kLBAnYoB9thi4qS7uk4=", + "lastModified": 1760457219, + "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "2efc80078029894eec0699f62ec8d5c1a56af763", + "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", "type": "github" }, "original": { @@ -1104,11 +1102,11 @@ ] }, "locked": { - "lastModified": 1759977258, - "narHash": "sha256-hOxEFSEBoqDmJb7BGX1CzT1gvUPK6r+Qs+n3IxBgfTs=", + "lastModified": 1760495781, + "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1d0c6173f57d07db7957b50e799240d4f2d7520f", + "rev": "11e0852a2aa3a65955db5824262d76933750e299", "type": "github" }, "original": { @@ -1147,11 +1145,11 @@ ] }, "locked": { - "lastModified": 1763264763, - "narHash": "sha256-N0BEoJIlJ+M6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY=", + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "882e56c8293e44d57d882b800a82f8b2ee7a858f", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", "type": "github" }, "original": { @@ -1165,11 +1163,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1763509310, - "narHash": "sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI=", + "lastModified": 1760393368, + "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e", + "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", "type": "github" }, "original": { @@ -1197,11 +1195,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1763497248, - "narHash": "sha256-OGP6MYc+lVkLVQOTS6ORszDcCnZm7kDOGpFBdDoLd0k=", + "lastModified": 1760472212, + "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", "owner": "nix-community", "repo": "stylix", - "rev": "f19ac46f6aa26188b2020ed40066a5b832be9c53", + "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", "type": "github" }, "original": { @@ -1339,11 +1337,11 @@ "systems": "systems_8" }, "locked": { - "lastModified": 1762472226, - "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=", + "lastModified": 1757278723, + "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", "owner": "terranix", "repo": "terranix", - "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc", + "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", "type": "github" }, "original": { @@ -1441,11 +1439,11 @@ ] }, "locked": { - "lastModified": 1762938485, - "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", + "lastModified": 1761311587, + "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", + "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", "type": "github" }, "original": { @@ -1462,11 +1460,11 @@ ] }, "locked": { - "lastModified": 1763521945, - "narHash": "sha256-Zcrafbe4niRJMbzaVOwg7+iedJhwBFttre2DpyCC6qA=", + "lastModified": 1760466542, + "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "24d7381b9231c23daceec5d372cc28e877f7785d", + "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", "type": "github" }, "original": { diff --git a/lib/options/default.nix b/lib/options/default.nix deleted file mode 100644 index 72e8621..0000000 --- a/lib/options/default.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ lib, ...}: -let - inherit (builtins) isString typeOf; - inherit (lib) mkOption types throwIfNot concatStringsSep splitStringBy toLower map; -in -{ - options = { - mkUrlOptions = - defaults: - { - host = mkOption { - type = types.str; - example = "host.tld"; - description = '' - Hostname - ''; - } // (defaults.host or {}); - - port = mkOption { - type = types.port; - default = 1234; - example = "1234"; - description = '' - Port - ''; - } // (defaults.port or {}); - - protocol = mkOption { - type = types.str; - default = "https"; - example = "https"; - description = '' - Which protocol to use when creating a url string - ''; - } // (defaults.protocol or {}); - }; - }; -} \ No newline at end of file diff --git a/lib/strings/default.nix b/lib/strings/default.nix index 0c15699..52b05e3 100644 --- a/lib/strings/default.nix +++ b/lib/strings/default.nix @@ -1,15 +1,10 @@ { lib, ...}: let - inherit (builtins) isString typeOf match toString head; - inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map concatMapAttrsStringSep; + inherit (builtins) isString typeOf; + inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; in { strings = { - #======================================================================================== - # Converts a string to snake case - # - # simply replaces any uppercase letter to its lowercase variant preceeded by an underscore - #======================================================================================== toSnakeCase = str: throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( @@ -18,22 +13,5 @@ in |> map (p: toLower p) |> concatStringsSep "_" ); - - #======================================================================================== - # Converts a set of url parts to a string - #======================================================================================== - toUrl = - { protocol ? null, host, port ? null, path ? null, query ? null, hash ? null }: - let - trim_slashes = str: str |> match "^\/*(.+?)\/*$" |> head; - encode_to_str = set: concatMapAttrsStringSep "&" (n: v: "${n}=${v}") set; - - _protocol = if protocol != null then "${protocol}://" else ""; - _port = if port != null then ":${toString port}" else ""; - _path = if path != null then "/${path |> trim_slashes}" else ""; - _query = if query != null then "?${query |> encode_to_str}" else ""; - _hash = if hash != null then "#${hash |> encode_to_str}" else ""; - in - "${_protocol}${host}${_port}${_path}${_query}${_hash}"; }; } \ No newline at end of file diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index 3fb8f15..3fa74b9 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -52,7 +52,7 @@ in { }; emoji = { - package = pkgs.noto-fonts-color-emoji; + package = pkgs.noto-fonts-emoji; name = "Noto Color Emoji"; }; }; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 9a02f01..402d59d 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs concatMapStringsSep filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -140,24 +140,6 @@ in . ''; }; - - exportMap = - let - strOpt = mkOption { type = types.nullOr types.str; default = null; }; - in - mkOption { - type = types.submodule { options = { client_id = strOpt; client_secret = strOpt; }; }; - default = {}; - example = literalExpression '' - { - client_id = "SSO_CLIENT_ID"; - client_secret = "SSO_CLIENT_SECRET"; - } - ''; - description = '' - Remap the outputted variables to another key. - ''; - }; }; }); }; @@ -334,16 +316,6 @@ in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set ; - append = attrList: set: set // (listToAttrs attrList); - forEach = src: key: set: - let - _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; - in - { - forEach = "{ for item in ${src} : \"${_key}\" => item }"; - } - // set; - config' = config; # this is a nix package, the generated json file to be exact @@ -364,21 +336,6 @@ in jwt_profile_file = "/var/lib/zitadel/machine-key.json"; }; - locals = { - extra_users = lib.tfRef " - flatten([ for org, users in jsondecode(file(\"${config'.sops.secrets."zitadel/users".path}\")): [ - for name, details in users: { - org = org - name = name - email = details.email - firstName = details.firstName - lastName = details.lastName - } - ] ]) - "; - orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); - }; - resource = { # Organizations zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: @@ -427,31 +384,15 @@ in ); # Users - zitadel_human_user = - cfg.organization - |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: - { - inherit email userName firstName lastName; + zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + { + inherit email userName firstName lastName; - isEmailVerified = true; - } - |> withRef "org" org - |> toResource "${org}_${name}" - ) - |> append - [ - (forEach "local.extra_users" [ "org" "name" ] { - orgId = lib.tfRef "local.orgs[each.value.org]"; - userName = lib.tfRef "each.value.name"; - email = lib.tfRef "each.value.email"; - firstName = lib.tfRef "each.value.firstName"; - lastName = lib.tfRef "each.value.lastName"; - - isEmailVerified = true; - } - |> toResource "extraUsers") - ] - ; + isEmailVerified = true; + } + |> withRef "org" org + |> toResource "${org}_${name}" + ); # Global user roles zitadel_instance_member = @@ -516,11 +457,11 @@ in }; # Client credentials per app - local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: nameValuePair "${org}_${project}_${name}" { content = '' - ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} - ${if exportMap.client_secret != null then exportMap.client_secret else "CLIENT_SECRET"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} + CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} + CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} ''; filename = "/var/lib/zitadel/clients/${org}_${project}_${name}"; } @@ -707,18 +648,6 @@ in key = "email/chris_kruining_eu"; restartUnits = [ "zitadel.service" ]; }; - - "zitadel/users" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadelApplyTerraform.service" ]; - }; - }; - - templates = { - "users.yml" = { - - }; }; }; }; diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix index 9cbbea0..e200505 100644 --- a/modules/nixos/services/backup/borg/default.nix +++ b/modules/nixos/services/backup/borg/default.nix @@ -10,22 +10,13 @@ in }; config = mkIf cfg.enable { - programs.ssh.extraConfig = '' - Host beheer.hazelhof.nl - Port 222 - User chris - AddressFamily inet - IdentityFile /home/chris/.ssh/id_ed25519 - ''; - services = { borgbackup.jobs = { media = { paths = "/var/media/test"; encryption.mode = "none"; - # environment.BORG_SSH = "ssh -4 -i /home/chris/.ssh/id_ed25519"; - environment.BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; - repo = "ssh://beheer.hazelhof.nl//media"; + environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; + repo = "ssh://chris@beheer.hazelhof.nl:222/media"; compression = "auto,zstd"; startAt = "daily"; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 52f026f..dbcef87 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -144,7 +144,7 @@ in openssh.settings.AllowUsers = [ "forgejo" ]; gitea-actions-runner = { - package = pkgs.forgejo-runner; + package = pkgs.forgejo-actions-runner; instances.default = { enable = true; name = "default"; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 1950bf0..9d915da 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -1,11 +1,9 @@ -{ pkgs, lib, namespace, config, inputs, system, ... }: +{ pkgs, lib, namespace, config, ... }: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media; - - arr = ["radarr" ]; in { options.${namespace}.services.media = { @@ -62,48 +60,47 @@ in "d '${cfg.path}/reiverr/config' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/incomplete' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/done' 0700 ${cfg.user} ${cfg.group} - -" - "d /var/lib/radarrApplyTerraform 0755 ${cfg.user} ${cfg.group} -" ]; #========================================================================= # Services #========================================================================= services = let - arr-services = - arr - |> lib.imap (i: service: { - name = service; - value = { - enable = true; - openFirewall = true; + arrService = { + enable = true; + openFirewall = true; - environmentFiles = [ - config.sops.templates."${service}/config.env".path - ]; + settings = { + auth.AuthenticationMethod = "External"; + }; + }; - settings = { - auth.authenticationMethod = "External"; + withPort = port: service: service // { settings.server.Port = builtins.toString port; }; - server = { - bindaddress = "0.0.0.0"; - port = 2000 + i; - }; + withUserAndGroup = service: service // { + user = cfg.user; + group = cfg.group; + }; + in { + radarr = + arrService + |> withPort 2001 + |> withUserAndGroup; + + sonarr = + arrService + |> withPort 2002 + |> withUserAndGroup; + + lidarr = + arrService + |> withPort 2003 + |> withUserAndGroup; + + prowlarr = + arrService + |> withPort 2004; - postgres = { - host = "localhost"; - port = "5432"; - user = service; - maindb = service; - logdb = service; - }; - }; - } - // (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {}); - }) - |> lib.listToAttrs - ; - in - arr-services // { bazarr = { enable = true; openFirewall = true; @@ -149,19 +146,6 @@ in group = cfg.group; }; - postgresql = - let - databases = arr |> lib.concatMap (s: [ s "${s}-log" ]); - in - { - enable = true; - ensureDatabases = arr; - ensureUsers = arr |> lib.map (service: { - name = service; - ensureDBOwnership = true; - }); - }; - caddy = { enable = true; virtualHosts = { @@ -172,136 +156,6 @@ in }; }; - systemd.services.radarrApplyTerraform = - let - # this is a nix package, the generated json file to be exact - terraformConfiguration = inputs.terranix.lib.terranixConfiguration { - inherit system; - - modules = [ - ({ config, lib, ... }: { - config = { - variable = { - api_key = { - type = "string"; - description = "Radarr api key"; - }; - }; - - terraform.required_providers.radarr = { - source = "devopsarr/radarr"; - version = "2.2.0"; - }; - - provider.radarr = { - url = "http://127.0.0.1:2001"; - api_key = lib.tfRef "var.api_key"; - }; - - resource = { - radarr_root_folder.local = { - path = "/var/media/movies"; - }; - }; - }; - }) - ]; - }; - in - { - description = "Radarr terraform apply"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "radarr.service" ]; - - script = '' - #!/usr/bin/env bash - - if [ "$(systemctl is-active radarr)" != "active" ]; then - echo "Radarr is not running" - exit 1 - fi - - # Sleep for a bit to give radarr the chance to start up - sleep 5s - - # Print the path to the source for easier debugging - echo "config location: ${terraformConfiguration}" - - # Copy infra code into workspace - cp -f ${terraformConfiguration} config.tf.json - - # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init - - # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan -var-file='${config.sops.templates."radarr/config.tfvars".path}' - ${lib.getExe pkgs.opentofu} apply -auto-approve -var-file='${config.sops.templates."radarr/config.tfvars".path}' - ''; - - serviceConfig = { - Type = "oneshot"; - User = cfg.user; - Group = cfg.group; - - WorkingDirectory = "/var/lib/radarrApplyTerraform"; - - EnvironmentFile = [ - config.sops.templates."radarr/config.env".path - ]; - }; - }; - systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; - - sops = { - secrets = - arr - |> lib.map (service: { - name = "${service}/apikey"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = [ "${service}.service" ]; - }; - }) - |> lib.listToAttrs - ; - - templates = - let - apikeys = - arr - |> lib.map (service: { - name = "${service}/config.env"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = [ "${service}.service" ]; - content = '' - ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - - tfvars = - arr - |> lib.map(service: { - name = "${service}/config.tfvars"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = [ "${service}ApplyTerraform.service" ]; - content = '' - api_key = "${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - in - apikeys // tfvars - ; - }; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 79633ab..41535cd 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -103,7 +103,7 @@ in type = "Radarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:2001"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; target = "_blank"; } @@ -112,7 +112,7 @@ in type = "Sonarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:2002"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; target = "_blank"; } @@ -121,7 +121,7 @@ in type = "Lidarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:2003"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; target = "_blank"; } @@ -130,7 +130,7 @@ in type = "Prowlarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:2004"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; target = "_blank"; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix deleted file mode 100644 index 097a36b..0000000 --- a/modules/nixos/services/media/servarr/default.nix +++ /dev/null @@ -1,214 +0,0 @@ -{ pkgs, config, lib, namespace, inputs, system, ... }: -let - inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption mkOption types; - - cfg = config.${namespace}.services.media.servarr; -in -{ - options.${namespace}.services.media = { - servarr = mkOption { - type = types.attrsOf (types.submodule ({ name, ... }: { - options = { - enable = mkEnableOption "Enable ${name}"; - debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} "; - - port = mkOption { - type = types.port; - }; - - rootFolders = mkOption { - type = types.listOf types.str; - default = []; - }; - }; - })); - default = {}; - }; - }; - - config = { - services = - cfg - |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable { - "${service}" = { - enable = true; - openFirewall = true; - - environmentFiles = [ - config.sops.templates."${service}/config.env".path - ]; - - settings = { - auth.authenticationMethod = "External"; - - server = { - bindaddress = "0.0.0.0"; - port = port; - }; - - postgres = { - host = "localhost"; - port = "5432"; - user = service; - maindb = service; - logdb = service; - }; - }; - }; - })) - |> lib.mergeAttrsList - |> (set: set // { - postgres = { - ensureDatabases = cfg |> lib.attrNames; - ensureUsers = cfg |> lib.attrNames |> lib.map (service: { - name = service; - ensureDBOwnership = true; - }); - }; - }) - ; - - systemd = - cfg - |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { - tmpfiles.rules = [ - "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -" - ]; - - services."${service}ApplyTerraform" = - let - terraformConfiguration = inputs.terranix.lib.terranixConfiguration { - inherit system; - - modules = [ - ({ config, lib, ... }: { - config = { - variable = { - api_key = { - type = "string"; - description = "${service} api key"; - }; - }; - - terraform.required_providers.${service} = { - source = "devopsarr/${service}"; - version = "2.2.0"; - }; - - provider.${service} = { - url = "http://127.0.0.1:${toString port}"; - api_key = lib.tfRef "var.api_key"; - }; - - resource = { - "${service}_root_folder" = - rootFolders - |> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; }) - |> lib.listToAttrs - ; - }; - }; - }) - ]; - }; - in - { - description = "${service} terraform apply"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "${service}.service" ]; - - script = '' - #!/usr/bin/env bash - - # Sleep for a bit to give the service a chance to start up - sleep 5s - - if [ "$(systemctl is-active ${service})" != "active" ]; then - echo "${service} is not running" - exit 1 - fi - - # Print the path to the source for easier debugging - echo "config location: ${terraformConfiguration}" - - # Copy infra code into workspace - cp -f ${terraformConfiguration} config.tf.json - - # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init - - # Run the infrastructure code - ${lib.getExe pkgs.opentofu} \ - ${if debug then "plan" else "apply -auto-approve"} \ - -var-file='${config.sops.templates."${service}/config.tfvars".path}' - ''; - - serviceConfig = { - Type = "oneshot"; - User = service; - Group = service; - - WorkingDirectory = "/var/lib/${service}ApplyTerraform"; - - EnvironmentFile = [ - config.sops.templates."${service}/config.env".path - ]; - }; - }; - })) - |> lib.mergeAttrsList - ; - - users.users = - cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { - "${service}".extraGroups = [ "media" ]; - })) - |> lib.mergeAttrsList - ; - - sops = - cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { - secrets."${service}/apikey" = { - owner = service; - group = service; - restartUnits = [ "${service}.service" ]; - }; - - templates = { - "${service}/config.env" = { - owner = service; - group = service; - restartUnits = [ "${service}.service" ]; - content = '' - ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" - ''; - }; - - "${service}/config.tfvars" = { - owner = service; - group = service; - restartUnits = [ "${service}.service" ]; - content = '' - api_key = "${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }; - })) - |> lib.mergeAttrsList - ; - }; - - - # cfg - # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { - - # # sops = { - # # }; - # })) - # |> lib.mergeAttrsList - # ; -} diff --git a/modules/nixos/services/observability/uptime-kuma/default.nix b/modules/nixos/services/observability/uptime-kuma/default.nix deleted file mode 100644 index c23977b..0000000 --- a/modules/nixos/services/observability/uptime-kuma/default.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.observability.uptime-kuma; -in -{ - options.${namespace}.services.observability.uptime-kuma = { - enable = mkEnableOption "enable uptime kuma"; - }; - - config = mkIf cfg.enable { - services.uptime-kuma = { - enable = true; - - settings = { - PORT = toString 9006; - HOST = "0.0.0.0"; - }; - }; - - networking.firewall.allowedTCPPorts = [ 9006 ]; - }; -} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index abab566..de50be7 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,87 +1,13 @@ { pkgs, config, lib, namespace, ... }: let inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.security.vaultwarden; - - databaseProviderSqlite = types.submodule ({ ... }: { - options = { - type = mkOption { - type = types.enum [ "sqlite" ]; - }; - - file = mkOption { - type = types.str; - description = ''''; - }; - }; - }); - - databaseProviderPostgresql = types.submodule ({ ... }: - let - urlOptions = lib.${namespace}.options.mkUrlOptions { - host = { - description = '' - Hostname of the postgresql server - ''; - }; - - port = { - default = 5432; - example = "5432"; - description = '' - Port of the postgresql server - ''; - }; - - protocol = mkOption { - default = "postgres"; - example = "postgres"; - }; - }; - in - { - options = { - type = mkOption { - type = types.enum [ "postgresql" ]; - }; - - sslMode = mkOption { - type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; - default = "verify-full"; - example = "verify-ca"; - description = '' - How to verify the server's ssl - - | mode | eavesdropping protection | MITM protection | Statement | - |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| - | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | - | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | - | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | - | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | - | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | - | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | - - [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) - ''; - }; - } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); - }); in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; - - database = mkOption { - type = types.oneOf [ - (types.addCheck databaseProviderSqlite (x: x ? type && x.type == "sqlite")) - (types.addCheck databaseProviderPostgresql (x: x ? type && x.type == "postgresql")) - null - ]; - default = null; - description = ''''; - }; }; config = mkIf cfg.enable { @@ -89,8 +15,6 @@ in "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; - # systemd.services.vaultwarden.wants = [ "zitadelApplyTerraform.service" ]; - services = { vaultwarden = { enable = true; @@ -102,6 +26,8 @@ in SIGNUPS_ALLOWED = false; DOMAIN = "https://vault.kruining.eu"; + ADMIN_TOKEN = ""; + DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; WEB_VAULT_ENABLED = true; @@ -115,6 +41,9 @@ in SSO_ORGANIZATIONS_REVOCATION = true; SSO_AUTHORITY = "https://auth.kruining.eu/"; SSO_SCOPES = "email profile offline_access"; + SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; + SSO_CLIENT_ID = "335178854421299459"; + SSO_CLIENT_SECRET = ""; ROCKET_ADDRESS = "::1"; ROCKET_PORT = 8222; @@ -124,14 +53,10 @@ in SMTP_PORT = 587; SMTP_SECURITY = "starttls"; SMTP_USERNAME = "chris@kruining.eu"; + SMTP_PASSWORD = ""; SMTP_FROM = "chris@kruining.eu"; SMTP_FROM_NAME = "Chris' Vaultwarden"; }; - - environmentFile = [ - "/var/lib/zitadel/clients/nix_ulmo_vaultwarden" - config.sops.templates."vaultwarden/config.env".path - ]; }; postgresql = { @@ -164,54 +89,5 @@ in }; }; }; - - sops = { - secrets = { - "vaultwarden/email" = { - owner = config.users.users.vaultwarden.name; - group = config.users.users.vaultwarden.name; - key = "email/chris_kruining_eu"; - restartUnits = [ "vaultwarden.service" ]; - }; - }; - - templates = { - "vaultwarden/config.env" = { - content = '' - SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}'; - ''; - owner = config.users.users.vaultwarden.name; - group = config.users.groups.vaultwarden.name; - }; - temp-db-output.content = - let - config = - cfg.database - |> ({ type, ... }@db: - if type == "sqlite" then - { inherit (db) type file; } - else if type == "postgresql" then - { - inherit (db) type; - url = lib.${namespace}.strings.toUrl { - inherit (db) protocol host port; - path = "vaultwarden"; - query = { - sslmode = db.sslMode; - }; - }; - } - else - {} - ) - |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") - ; - in - '' - # GENERATED VALUES - ${config} - ''; - }; - }; }; } diff --git a/shells/default/default.nix b/shells/default/default.nix index 1749c48..0361f88 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -5,8 +5,6 @@ mkShell { bash sops just - yq - pwgen inputs.clan-core.packages.x86_64-linux.clan-cli ]; } \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0310818..027dad6 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -95,16 +95,6 @@ responseTypes = [ "code" ]; }; - vaultwarden = { - redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; - exportMap = { - client_id = "SSO_CLIENT_ID"; - client_secret = "SSO_CLIENT_SECRET"; - }; - }; - matrix = { redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; grantTypes = [ "authorizationCode" ]; @@ -147,56 +137,15 @@ media.enable = true; media.homer.enable = true; media.nfs.enable = true; - media.servarr = { - # radarr = { - # port = 2001; - # }; - - sonarr = { - enable = true; - # debug = true; - port = 2002; - rootFolders = [ - "/var/media/series" - ]; - }; - - lidarr = { - enable = true; - debug = true; - port = 2003; - rootFolders = [ - "/var/media/music" - ]; - }; - - prowlarr = { - enable = true; - debug = true; - port = 2004; - }; - }; observability = { grafana.enable = true; prometheus.enable = true; loki.enable = true; promtail.enable = true; - # uptime-kuma.enable = true; }; - security.vaultwarden = { - enable = true; - database = { - # type = "sqlite"; - # file = "/var/lib/vaultwarden/state.db"; - - type = "postgresql"; - host = "localhost"; - port = 5432; - sslMode = "disabled"; - }; - }; + security.vaultwarden.enable = true; }; editor = { diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 7a26401..0222f74 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,22 +3,11 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - nix: {} - users: ENC[AES256_GCM,data:xkjm0+PBt6gmZyfi3n3OIEe5b+d4OtN0Y3UfmdcbcJHbJZuiz+60oUjlAN0vjtsi0muufoAqtGJTIpm9nDZzzN7b7LK43TAhcuSlIm5LpbZFp1U3H4laRbTwauAT6wA0aDCfAkwTozxAuEUk1jAu+65ktJNJb7b0PR7s/I/wf7IgW2+K4Jv3LIOZIipUwfuvXuTzsxCElYRvGZXmIuXrYq1EaymksHHggemrKeMWLAae7mzz5v3aBbwxiVjQNkQkS4ApsO/5nZUat0oqXA==,iv:fptZn4NmX3iYKSEPLJAOFpt+KQ6TR1w9KaY9IF4p/Wk=,tag:UKvMOSIT5/mhfZA3usbLhQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] -radarr: - apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] -sonarr: - apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] -lidarr: - apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] -prowlarr: - apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -39,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:51:26Z" - mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str] + lastmodified: "2025-11-03T15:23:12Z" + mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0