From 7b9e07ee4b338c5ffbe29ff26a934163d42ca42d Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:07:04 +0000 Subject: [PATCH 1/9] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index f9e4a82..7ff94ef 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,6 +3,8 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] +forgejo: + action_runner_token: ENC[AES256_GCM,data:9rnVy+qIpfdXPxLV2yh09VrVWUzwoy5XwShctSqPeQM=,iv:0Bydo8Bs9TQ2LSjU/zDfGYk/aCq2OH0U8I+linkQcA4=,tag:Sw4cx48EmpvsjF0cZxcAvg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -23,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-27T13:11:41Z" - mac: ENC[AES256_GCM,data:0LS7xQlkfIZRVwAZPE33KmPA19CpnXj/t4hpDrVW+BbESpnBku2oxPB/Cvp0dY5MGnDFgU4Htp0JoppHCgKvkaSBhvjxjW2DT1Nkk5PBmAtuzZLW4qc25ZVlqiKgzj1LE3XPTbqUJyp+X3U23BnU1ViTGgHuBcdEV7TFNHjmnwk=,iv:HpVIDAU1FbrUKXW8klWq0Kn9ZtKcgwR1jKXLkGtDd5A=,tag:50P0UZtj77npD92zxCaZHw==,type:str] + lastmodified: "2025-10-30T14:07:03Z" + mac: ENC[AES256_GCM,data:81HSgWBj+piT5LvvFHcJVTSoyKNFHteo0yLRPp/lJ4st25JyachSIC0s6ApJiFSzoMH12C2LumcjrVafpvLQXITxhkEAkt0fm9uK1isrWNGpQcLnLAlcbrPZuf5TB8FWjAyHoisafHYzO9XhNYHT9vhxGKGIXf6pOJG8LGebqNM=,iv:y8ty2BAvQvMOpCw2HSC82OEaOv59VERdM09JBCwqlHk=,tag:0ZjSUKT5KJgNjJr07hVabg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 7edfdf92e096d5695b80aa276f25d4c171ffa765 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:07:56 +0000 Subject: [PATCH 2/9] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 7ff94ef..4f2f8ae 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:9rnVy+qIpfdXPxLV2yh09VrVWUzwoy5XwShctSqPeQM=,iv:0Bydo8Bs9TQ2LSjU/zDfGYk/aCq2OH0U8I+linkQcA4=,tag:Sw4cx48EmpvsjF0cZxcAvg==,type:str] + action_runner_token: ENC[AES256_GCM,data:ve7im4kIWyfFSVVXq5TNIdhT95TcJ2o8iNy829juImQCVHt9wU8=,iv:5uOm5W6srD+dCu2ElnEzuI7BlsDa0PfqaMoyJrnIqqU=,tag:fFpWwgs6UPjvVlx6AXmrCw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:07:03Z" - mac: ENC[AES256_GCM,data:81HSgWBj+piT5LvvFHcJVTSoyKNFHteo0yLRPp/lJ4st25JyachSIC0s6ApJiFSzoMH12C2LumcjrVafpvLQXITxhkEAkt0fm9uK1isrWNGpQcLnLAlcbrPZuf5TB8FWjAyHoisafHYzO9XhNYHT9vhxGKGIXf6pOJG8LGebqNM=,iv:y8ty2BAvQvMOpCw2HSC82OEaOv59VERdM09JBCwqlHk=,tag:0ZjSUKT5KJgNjJr07hVabg==,type:str] + lastmodified: "2025-10-30T14:07:55Z" + mac: ENC[AES256_GCM,data:YX60ajX1LFjVkmMTYAVRj28N6IMMwHrFerq7EJ8DHMaQ75pCRrH1EbX0YTIRnSA7aYo0gGpPiHTbMKkMA6Dq6XOVxXFtqYaFC9jwVjVoXg58zdd2Yvtf7m9yrFX9ohEScQPLHwwZfWJFSqdOY0iSHotW0/duMm65zzC5MgcYoeE=,iv:61m1hBVZ+ASIykvVqC7XaPpOSWuEbTBo9NRpo6MQbeg=,tag:SNyqhMQ/BwWo49kCHwBoBQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From eac33f7cef4192decb15dff7530cb3b7ca559ce9 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:12:56 +0000 Subject: [PATCH 3/9] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4f2f8ae..dd7b2a7 100644 
--- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:ve7im4kIWyfFSVVXq5TNIdhT95TcJ2o8iNy829juImQCVHt9wU8=,iv:5uOm5W6srD+dCu2ElnEzuI7BlsDa0PfqaMoyJrnIqqU=,tag:fFpWwgs6UPjvVlx6AXmrCw==,type:str] + action_runner_token: ENC[AES256_GCM,data:V6V6Lt2XhV9NiSEKjS57vf5IgGUHLvmmG+uUcdNT4tvgezVhPOK/h5F4hxmCKg==,iv:UlHIFDsKeg4hFyXKyhYE3h/77xXeW+/kBJigDU5dP90=,tag:ES0z0bHv1uomsyYWyjsLfw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:07:55Z" - mac: ENC[AES256_GCM,data:YX60ajX1LFjVkmMTYAVRj28N6IMMwHrFerq7EJ8DHMaQ75pCRrH1EbX0YTIRnSA7aYo0gGpPiHTbMKkMA6Dq6XOVxXFtqYaFC9jwVjVoXg58zdd2Yvtf7m9yrFX9ohEScQPLHwwZfWJFSqdOY0iSHotW0/duMm65zzC5MgcYoeE=,iv:61m1hBVZ+ASIykvVqC7XaPpOSWuEbTBo9NRpo6MQbeg=,tag:SNyqhMQ/BwWo49kCHwBoBQ==,type:str] + lastmodified: "2025-10-30T14:12:56Z" + mac: ENC[AES256_GCM,data:G+aGa5bbZsHjsIEOF7/bHPddasbaVTK+WUj25byqyoKSfTqeru25fZoBHP/6dnVkTmHHuktHTcRtSubBhz+kKjBSovKk3fUL14W4og7+ULcWtmgcuF2usAMywi2/N0vkpp/IuU/qj62R1fGqpHLxxjDZJGjX+a5mkl+DV2yJmCE=,iv:X5o0hrBOE3hbNH2OxPHGpKXAUOUhRVZ5NEsdE2SxLbM=,tag:/qTqy/d6N2CoeegkDo2Yfg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From b11ca6bd05615d8bd808c56d18ae5c9519c71422 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:24:06 +0000 Subject: [PATCH 4/9] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index dd7b2a7..adace84 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:V6V6Lt2XhV9NiSEKjS57vf5IgGUHLvmmG+uUcdNT4tvgezVhPOK/h5F4hxmCKg==,iv:UlHIFDsKeg4hFyXKyhYE3h/77xXeW+/kBJigDU5dP90=,tag:ES0z0bHv1uomsyYWyjsLfw==,type:str] + action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:12:56Z" - mac: ENC[AES256_GCM,data:G+aGa5bbZsHjsIEOF7/bHPddasbaVTK+WUj25byqyoKSfTqeru25fZoBHP/6dnVkTmHHuktHTcRtSubBhz+kKjBSovKk3fUL14W4og7+ULcWtmgcuF2usAMywi2/N0vkpp/IuU/qj62R1fGqpHLxxjDZJGjX+a5mkl+DV2yJmCE=,iv:X5o0hrBOE3hbNH2OxPHGpKXAUOUhRVZ5NEsdE2SxLbM=,tag:/qTqy/d6N2CoeegkDo2Yfg==,type:str] + lastmodified: "2025-10-30T14:24:06Z" + mac: ENC[AES256_GCM,data:nZA2oHESh/NCHhAG5u7xAMRdd6J7Pvocc9jg5gFSAcSxrrjaAX4xK/MX5LEG3YTbIHD+/b7CxpalJ6IEJi2X5cr4p0trQmes8Eu6+VXs14bOk7Mfa1Yu5jfzwOwlZcmP/0k+rB8RzuOUlzgILL1OKqyJ/Xi5tItDAaKl9jGzczM=,iv:/Z9hU+o3SNBZU+jL3+fk7nzB69ownTHhT2Iq3VnyYU4=,tag:EapUHp+jMosjiGcR2FGVyQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 138bb67ffb1530330105056e2db70e44fa425564 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 30 Oct 2025 21:26:18 +0100 Subject: [PATCH 5/9] feat(just): add assert utility function/recipe --- .just/machine.just | 3 ++- .justfile | 13 ++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index 6dabbc0..1ce791f 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -5,5 +5,6 @@ ls -1 ../systems/x86_64-linux/ [doc('Update the target machine')] -update machine: +@update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file diff --git a/.justfile b/.justfile index 2788376..3a15d20 100644 --- a/.justfile +++ b/.justfile @@ -19,4 +19,15 @@ mod machine '.just/machine.just' [doc('Introspection on flake output')] @select key: - nix eval --json .#{{ key }} | jq . \ No newline at end of file + nix eval --json .#{{ key }} | jq . + + + +#=============================================================================================== +# Utils +#=============================================================================================== +[no-exit-message] +[no-cd] +[private] +@assert condition message: + [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file From 15103b16baaa0333ef585050a0b4f78f8ab99c3e Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 20:57:39 +0000 Subject: [PATCH 6/9] ops(secrets): set secret "synapse/oidc_id" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index adace84..bc92d4e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
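Review bot: In the `assert` recipe, `{{ condition }}` and `{{ message }}` are spliced into the shell line as raw text, so a `machine` value containing a quote, `$` or `;` is re-parsed by the shell instead of failing the check cleanly, and the `update` recipe in the first hunk passes `{{ machine }}` straight into both strings. The message at least can be passed as data rather than text: `[ {{ condition }} ] || { printf '\n\033[1;41m Error \033[0m %s\n\n' {{ quote(message) }} >&2; exit 1; }`. That form also drops `echo -e`, which is not guaranteed to work under the `sh` just uses by default (on systems where `sh` is dash it prints the `-e`). Both files end without a trailing newline, which the `\ No newline at end of file` markers show; worth fixing while here.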
@@ -5,6 +5,8 @@ zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] +synapse: + oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +27,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:24:06Z" - mac: ENC[AES256_GCM,data:nZA2oHESh/NCHhAG5u7xAMRdd6J7Pvocc9jg5gFSAcSxrrjaAX4xK/MX5LEG3YTbIHD+/b7CxpalJ6IEJi2X5cr4p0trQmes8Eu6+VXs14bOk7Mfa1Yu5jfzwOwlZcmP/0k+rB8RzuOUlzgILL1OKqyJ/Xi5tItDAaKl9jGzczM=,iv:/Z9hU+o3SNBZU+jL3+fk7nzB69ownTHhT2Iq3VnyYU4=,tag:EapUHp+jMosjiGcR2FGVyQ==,type:str] + lastmodified: "2025-10-30T20:57:37Z" + mac: ENC[AES256_GCM,data:Al8mN4HtSaTjlSBjYEgdcuR0YmqRNNhvW1tGRzQvQgXpC1tkM4HWpVuYQdpHXqtyz2DYMFRhTX4VqVJFvgh/MD1wN+6KGj05uJOlcr4yGr7DBlO2xX2aF0q+4w/mNnBbyFF7QwRMFWH3YBW3PDq+eDAQ5aqquucT+1HeDxcwWFI=,iv:PhNv0Pa/Wuxn4plzExeLBHHYGtE54IKj7AuuPJ3VPlU=,tag:fQz/DUp54isRUjSmnUnuZA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 01f9340cfb83907ab64de6807431b3452d092aca Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 20:58:02 +0000 Subject: [PATCH 7/9] ops(secrets): set secret "synapse/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index bc92d4e..250b1af 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml 
+++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -7,6 +7,7 @@ forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] + oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -27,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T20:57:37Z" - mac: ENC[AES256_GCM,data:Al8mN4HtSaTjlSBjYEgdcuR0YmqRNNhvW1tGRzQvQgXpC1tkM4HWpVuYQdpHXqtyz2DYMFRhTX4VqVJFvgh/MD1wN+6KGj05uJOlcr4yGr7DBlO2xX2aF0q+4w/mNnBbyFF7QwRMFWH3YBW3PDq+eDAQ5aqquucT+1HeDxcwWFI=,iv:PhNv0Pa/Wuxn4plzExeLBHHYGtE54IKj7AuuPJ3VPlU=,tag:fQz/DUp54isRUjSmnUnuZA==,type:str] + lastmodified: "2025-10-30T20:58:01Z" + mac: ENC[AES256_GCM,data:7vQ5wV58UNUH5bOgyUxaifAbU3GTqZi2gH+rpAR+d/31rx8yeKVNMj0aWA5ianpUvVt2kbaap6Aj+Sxl3M8wI9jtg2o/3FmR+xEHEWgQ/jw1q9zvKIAUV6SeM1Hg639iV3xcC8F8U+Xy50H85f4B3XQWGJMnUamqH9LYrUjv8nY=,iv:vOGvilRSrPZW3uir1nwlxzhg+hXE5yw6r8vCr5Cxmt0=,tag:X9OYdCPuDz3o5kYLUKHmXg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From f33f05a5b64e1e7a16245f69d50ab4d60c4b1254 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 3 Nov 2025 15:18:53 +0100 Subject: [PATCH 8/9] feat(zitadel): implement and use even more of the zitadel API --- .../authentication/zitadel/default.nix | 236 +++++++++++++++--- .../services/communication/matrix/default.nix | 55 ++-- systems/x86_64-linux/ulmo/default.nix | 38 +++ 3 files changed, 271 insertions(+), 58 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index eaa3c60..917bde4 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -73,6 +73,40 @@ in ''; }; + role = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = + let + roleName = name; + in + { + displayName = mkOption { + type = types.str; + default = toSentenceCase name; + example = "RoleName"; + description = '' + Name used for project role. + ''; + }; + + group = mkOption { + type = types.nullOr types.str; + default = null; + example = "some_group"; + description = '' + Group used for project role. + ''; + }; + }; + })); + }; + + assign = mkOption { + default = {}; + type = types.attrsOf (types.listOf types.str); + }; + application = mkOption { default = {}; type = types.attrsOf (types.submodule { 
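Review bot: The new `assign` option has no `description`, and the `roleName = name` binding introduced in the `role` submodule's `let` is never used. Documenting `assign` would make its shape explicit, e.g. `description = ''Project roles to grant, keyed by the name of a user in this organization.'';`, which matches how `zitadel_user_grant` consumes it further down in this file (that consumer is in a later hunk, so verify the wording against it). The enclosing `organization` submodule starts and ends outside this hunk.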
@@ -174,6 +208,74 @@ in }; })); }; + + action = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + script = mkOption { + type = types.str; + example = '' + (ctx, api) => { + api.v1.claims.setClaim('some_claim', 'some_value'); + }; + ''; + description = '' + The script to run. This must be a function that receives 2 parameters, and returns void. During the creation of the action's script this module simly does `const {{name}} = {{script}}`. + ''; + }; + + timeout = mkOption { + type = (types.ints.between 0 20); + default = 10; + example = "10"; + description = '' + After which time the action will be terminated if not finished. + ''; + }; + + allowedToFail = mkOption { + type = types.bool; + default = true; + example = "true"; + description = '' + Allowed to fail. + ''; + }; + }; + })); + }; + + triggers = mkOption { + default = []; + type = types.listOf (types.submodule { + options = { + flowType = mkOption { + type = types.enum [ "authentication" "customiseToken" "internalAuthentication" "samlResponse" ]; + example = "customiseToken"; + description = '' + Type of the flow to which the action triggers belong. + ''; + }; + + triggerType = mkOption { + type = types.enum [ "postAuthentication" "preCreation" "postCreation" "preUserinfoCreation" "preAccessTokenCreation" "preSamlResponse" ]; + example = "postAuthentication"; + description = '' + Trigger type on when the actions get triggered. + ''; + }; + + actions = mkOption { + type = types.nonEmptyListOf types.str; + example = ''[ "action_name" ]''; + description = '' + Names of actions to trigger + ''; + }; + }; + }); + }; }; })); }; 
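Review bot: The `script` option description reads "simly"; it should say `simply`, and `example = "10"` and `example = "true"` are strings on an int and a bool option, so the rendered docs show quoted values — use `example = 10;` and `example = true;`. The `allowedToFail` default of `true` deserves a sentence in its description, since it presumably means a failing action is ignored and the token is issued without the claims the action would have set, so relying parties must treat a missing custom claim as "no roles" rather than as an error; something like `When true, a failing action is ignored and the token is issued without its changes.` The `triggers` option also lacks a `description`. The enclosing `organization` submodule starts and ends outside this hunk.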
@@ -191,23 +293,28 @@ in mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; mapValue = type: value: ({ + appType = mapEnum "OIDC_APP_TYPE" value; grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value; responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value; + authMethodType = mapEnum "OIDC_AUTH_METHOD_TYPE" value; + + flowType = mapEnum "FLOW_TYPE" value; + triggerType = mapEnum "TRIGGER_TYPE" value; + accessTokenType = mapEnum "OIDC_TOKEN_TYPE" value; }."${type}" or value); toResource = name: value: nameValuePair (toSnakeCase name) (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); - withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); - withDefaults = defaults: attrs: defaults // attrs; select = keys: callback: set: if (length keys) == 0 then mapAttrs' callback set else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set + ; config' = config; 
@@ -231,57 +338,105 @@ in resource = { # Organizations - zitadel_org = cfg.organization |> select [] (name: value: - value - |> getAttrs [ "isDefault" ] - |> withName name + zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: + { inherit name isDefault; } |> toResource name ); # Projects per organization - zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: - value - |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] - |> withName name - |> withRef "org" org - |> toResource name + zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: + { + inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; + } + |> withRef "org" org + |> toResource "${org}_${name}" ); # Each OIDC app per project - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - value - |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] - |> withName name + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: + { + inherit name redirectUris grantTypes responseTypes; + + accessTokenRoleAssertion = true; + idTokenRoleAssertion = true; + accessTokenType = "JWT"; + } |> withRef "org" org - |> withRef "project" project - |> toResource name + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" + ); + + # Each project role + zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: + { inherit (value) displayName group; roleKey = name; } + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" + ); + + # Each project role assignment + zitadel_user_grant = cfg.organization |> select [ 
"project" "assign" ] (org: project: user: roles: + { roleKeys = roles; } + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" + |> toResource "${org}_${project}_${user}" ); # Users - zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: value: - value - |> getAttrs [ "email" "userName" "firstName" "lastName" ] + zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + { + inherit email userName firstName lastName; + + isEmailVerified = true; + } |> withRef "org" org - |> withDefaults { isEmailVerified = true; } - |> toResource name + |> toResource "${org}_${name}" ); # Global user roles zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: { roles = value.instanceRoles; } - |> withRef "user" name - |> toResource name + |> withRef "user" "${org}_${name}" + |> toResource "${org}_${name}" ); # Organazation specific roles - zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: value: - value - |> getAttrs [ "roles" ] + zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: + { inherit roles; } |> withRef "org" org - |> withRef "user" name - |> toResource name + |> withRef "user" "${org}_${name}" + |> toResource "${org}_${name}" ); + # Organazation's actions + zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: + { + inherit allowedToFail name; + timeout = "${toString timeout}s"; + script = "const ${name} = ${script}"; + } + |> withRef "org" org + |> toResource "${org}_${name}" + ); + + # Organazation's action assignments + zitadel_trigger_actions = cfg.organization + |> concatMapAttrs (org: { triggers, ... }: + triggers + |> imap0 (i: { flowType, triggerType, actions, ... 
}: (let name = "trigger_${toString i}"; in + { + inherit flowType triggerType; + + actionIds = actions + |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + |> listToAttrs + ); + # SMTP config zitadel_smtp_config.default = { sender_address = "chris@kruining.eu"; @@ -289,18 +444,18 @@ in tls = true; host = "black-mail.nl:587"; user = "chris@kruining.eu"; - password = lib.tfRef "file(\"${config'.sops.secrets."email/chris_kruining_eu".path}\")"; + password = lib.tfRef "file(\"${config'.sops.secrets."zitadel/email".path}\")"; set_active = true; }; # Client credentials per app local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - nameValuePair name { + nameValuePair "${org}_${project}_${name}" { content = '' - CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_id"} - CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_secret"} + CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} + CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} ''; - filename = "/var/lib/zitadel/clients/${name}"; + filename = "/var/lib/zitadel/clients/${org}_${project}_${name}"; } ); }; @@ -335,6 +490,9 @@ in exit 1 fi + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + # Copy infra code into workspace cp -f ${terraformConfiguration} config.tf.json @@ -342,6 +500,7 @@ in ${lib.getExe pkgs.opentofu} init # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan ${lib.getExe pkgs.opentofu} apply -auto-approve ''; 
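Review bot: `zitadel_trigger_actions` names each resource `trigger_${toString i}` from the list index, so inserting or reordering an entry in `triggers` renames every resource after it and OpenTofu destroys and recreates them; since `toResource` already snake-cases the name, deriving it from the content, `name = "${flowType}_${triggerType}";`, keeps the address stable as long as a flow/trigger pair appears once. `accessTokenRoleAssertion`, `idTokenRoleAssertion`, `accessTokenType = "JWT"` and `isEmailVerified = true` are now hard-coded into every application and user with no corresponding option, while the surrounding resources are option-driven; at minimum a comment stating that these are intentional module-wide defaults would help. `script = "const ${name} = ${script}"` uses the Nix attribute name as a JavaScript identifier without checking that it is a valid one. The `resource` attrset this hunk edits closes in the next hunk.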
@@ -475,9 +634,10 @@ in restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 }; - "email/chris_kruining_eu" = { + "zitadel/email" = { owner = "zitadel"; group = "zitadel"; + key = "email/chris_kruining_eu"; restartUnits = [ "zitadel.service" ]; }; }; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 38dfe0c..2d9ecd5 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -29,43 +29,33 @@ in enable = true; extras = [ "oidc" ]; - # plugins = with config.services.matrix-synapse.package.plugins; []; + + extraConfigFiles = [ + config.sops.templates."synapse-oidc.yaml".path + ]; settings = { server_name = domain; public_baseurl = "https://${fqn}"; + enable_metrics = true; + registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; url_preview_enabled = true; precence.enabled = true; # Since we'll be using OIDC for auth disable all local options - enable_registration = false; + enable_registration = true; + enable_registration_without_verification = true; password_config.enabled = false; + backchannel_logout_enabled = true; sso = { client_whitelist = [ "http://[::1]:9092" ]; update_profile_information = true; }; - oidc_providers = [ - { - discover = true; - - idp_id = "zitadel"; - idp_name = "Zitadel"; - issuer = "https://auth.kruining.eu"; - client_id = "337858153251143939"; - client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; - scopes = [ "openid" "profile" ]; - # user_mapping_provider.config = { - # localpart_template = "{{ user.prefered_username }}"; - # display_name_template = "{{ user.name }}"; - # }; - } - ]; - database = { # this is postgresql (also the default, but I prefer to be explicit) name = "psycopg2"; 
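Review bot: The context line `restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0` carries a trailing comment that looks like a credential; if it is one it should be removed from the file and the value rotated, since it is already in history. The added `key = "email/chris_kruining_eu"` aliasing for `"zitadel/email"` is fine and matches what the forgejo patch later in this series does. The enclosing `sops.secrets` attrset starts outside this hunk.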
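Review bot: `registration_shared_secret` is a plaintext literal in the Nix module, which lands world-readable in the Nix store and in git history, in the same hunk that moves the OIDC client secret into a sops template; Synapse accepts `registration_shared_secret_path`, so the same pattern applies, e.g. `registration_shared_secret_path = config.sops.secrets."synapse/registration_shared_secret".path;` with a new secret declared next to the existing `synapse/*` ones and owned by `matrix-synapse` like the template, and the committed value should be regenerated. `enable_registration = true` together with `enable_registration_without_verification = true` opens the homeserver to unverified self-registration, while the comment two lines above still says local options are disabled because OIDC is used; either the comment or the settings should change, and as far as I know account creation via the OIDC provider does not require `enable_registration`. The enclosing `services.matrix-synapse.settings` block ends outside this hunk.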
@@ -85,7 +75,7 @@ in resources = [ { - names = [ "client" "federation" ]; + names = [ "client" "federation" "openid" "metrics" "media" "health" ]; compress = true; } ]; @@ -175,5 +165,30 @@ in }; }; }; + + sops = { + secrets = { + "synapse/oidc_id" = {}; + "synapse/oidc_secret" = {}; + }; + + templates = { + "synapse-oidc.yaml" = { + owner = "matrix-synapse"; + content = '' + oidc_providers: + - discover: true + idp_id: zitadel + idp_name: Zitadel + issuer: "https://auth.kruining.eu" + scopes: + - openid + - profile + client_id: '${config.sops.placeholder."synapse/oidc_id"}' + client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' + ''; + }; + }; + }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index e776927..0c8a67b 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -57,6 +57,23 @@ project = { ulmo = { + projectRoleCheck = true; + projectRoleAssertion = true; + hasProjectCheck = true; + + role = { + jellyfin = { + group = "jellyfin"; + }; + jellyfin_admin = { + group = "jellyfin"; + }; + }; + + assign = { + chris = [ "jellyfin" "jellyfin_admin" ]; + }; + application = { jellyfin = { redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; @@ -78,6 +95,27 @@ }; }; }; + + action = { + flattenRoles = { + script = '' + (ctx, api) => { + if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) { + return; + } + + const roles = ctx.v1.user.grants.grants.flatMap(({ roles, projectId }) => roles.map(role => projectId + ':' + role)); + + api.v1.claims.setClaim('nix:zitadel:custom', JSON.stringify({ roles })); + }; + ''; + }; + }; + + triggers = [ + { flowType = "customiseToken"; triggerType = "preUserinfoCreation"; actions = [ "flattenRoles" ]; } + { flowType = "customiseToken"; triggerType = "preAccessTokenCreation"; actions = [ "flattenRoles" ]; } + ]; }; }; }; From 9b819a2a58397bee38aa1d25d1fedf093d18dab6 Mon Sep 17 00:00:00 2001 
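Review bot: The `"metrics"` resource now sits on the listener that also serves `client` and `federation`, which exposes `/_synapse/metrics` on the same port the reverse proxy forwards, so process and request statistics become reachable by anyone who can reach the homeserver (the proxy configuration is outside this hunk, so confirm what it forwards). Synapse's recommended setup is a separate listener with `type = "metrics"` bound to localhost for the scraper; otherwise the proxy needs a rule restricting that path. `"openid"`, `"media"` and `"health"` also widen what this listener answers; a one-line comment on why each was added would help the next reader.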
From: Chris Kruining Date: Mon, 3 Nov 2025 15:19:41 +0100 Subject: [PATCH 9/9] feat(forgejo): update config to use secrets --- .../services/development/forgejo/default.nix | 51 +++++++++++++++---- 1 file changed, 40 insertions(+), 11 deletions(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 46e0995..39e8215 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption mkOption; cfg = config.${namespace}.services.development.forgejo; domain = "git.amarth.cloud"; @@ -8,6 +9,15 @@ in { options.${namespace}.services.development.forgejo = { enable = mkEnableOption "Forgejo"; + + port = mkOption { + type = lib.types.port; + default = 5002; + example = "1234"; + description = '' + Which port to bind forgejo to + ''; + }; }; config = mkIf cfg.enable { @@ -33,7 +43,7 @@ in server = { DOMAIN = domain; ROOT_URL = "https://${domain}/"; - HTTP_PORT = 5002; + HTTP_PORT = cfg.port; LANDING_PAGE = "explore"; }; @@ -83,7 +93,7 @@ in openid = { ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "https://auth.amarth.cloud"; + WHITELISTED_URIS = "https://auth.kruining.eu"; }; oauth2_client = { @@ -102,6 +112,10 @@ in SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; }; + metrics = { + ENABLED = true; + }; + api = { ENABLE_SWAGGER = false; }; @@ -120,9 +134,9 @@ in PROTOCOL = "smtp+starttls"; SMTP_ADDR = "black-mail.nl"; SMTP_PORT = 587; - FROM = "info@amarth.cloud"; - USER = "info@amarth.cloud"; - PASSWD = "__TODO_USE_SOPS__"; + FROM = "chris@kruining.eu"; + USER = "chris@kruining.eu"; + PASSWD_URI = "file:${config.sops.secrets."forgejo/email".path}"; }; }; }; 
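Review bot: `example = "1234"` is a string on an option of type `lib.types.port`, so the generated documentation shows a quoted value for a numeric option; use `example = 1234;`. The description `Which port to bind forgejo to` would also read better as `Port forgejo's HTTP server listens on.`, since the same value is reused for the reverse proxy in a later hunk.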
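Review bot: `metrics.ENABLED = true` is set without a `TOKEN`, so Forgejo answers `/metrics` unauthenticated to anyone the Caddy vhost forwards (the vhost in a later hunk of this patch proxies the whole site). Forgejo's `[metrics]` section supports a bearer `TOKEN`; if `services.forgejo.secrets` is available in the pinned nixpkgs it can be injected at runtime from a new sops secret, e.g. `services.forgejo.secrets.metrics.TOKEN = config.sops.secrets."forgejo/metrics_token".path;`, otherwise restrict the path at the proxy. The enclosing `settings` attrset starts and ends outside this hunk.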
@@ -137,8 +151,8 @@ in url = "https://git.amarth.cloud"; # Obtaining the path to the runner token file may differ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - # tokenFile = config.age.secrets.forgejo-runner-token.path; - token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; + tokenFile = config.sops.secrets."forgejo/action_runner_token".path; + # token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ "default:docker://nixos/nix:latest" "ubuntu:docker://ubuntu:24-bookworm" @@ -153,17 +167,32 @@ in caddy = { enable = true; virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z + "${domain}".extraConfig = '' + # import auth # stupid dumb way to prevent the login page and go to zitadel instead # be aware that this does not disable local login at all! # rewrite /user/login /user/oauth2/Zitadel - reverse_proxy http://127.0.0.1:5002 + reverse_proxy http://127.0.0.1:${toString cfg.port} ''; }; }; }; + + sops.secrets = { + "forgejo/action_runner_token" = { + owner = "gitea-runner"; + group = "gitea-runner"; + restartUnits = [ "gitea-runner-default.service" ]; + }; + + "forgejo/email" = { + owner = "forgejo"; + group = "forgejo"; + key = "email/chris_kruining_eu"; + restartUnits = [ "forgejo.service" ]; + }; + }; }; }
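Review bot: The context comment two lines above says the file behind `tokenFile` is read as a systemd `EnvironmentFile` and must contain `TOKEN=<value>`, but `tokenFile = config.sops.secrets."forgejo/action_runner_token".path` points at the raw decrypted secret; unless the plaintext stored in sops already carries the `TOKEN=` prefix (not checkable here), the runner will not find a `TOKEN` variable. Rendering it through a template, as the synapse OIDC config does earlier in this series, removes the dependence on how the secret was typed in: `sops.templates."forgejo-runner-token" = { owner = "gitea-runner"; content = "TOKEN=${config.sops.placeholder."forgejo/action_runner_token"}"; };` and `tokenFile = config.sops.templates."forgejo-runner-token".path;`. The old literal is kept as `# token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";`; it is in history regardless, so delete the line and make sure that registration token has been invalidated on the server. The enclosing runner instance block starts outside this hunk.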