diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..0f94eed
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,2 @@
+# shellcheck shell=bash
+use flake
diff --git a/.just/machine.just b/.just/machine.just
index 1ce791f..cbdf345 100644
--- a/.just/machine.just
+++ b/.just/machine.just
@@ -4,6 +4,7 @@ @list: ls -1 ../systems/x86_64-linux/
+[no-exit-message]
[doc('Update the target machine')] @update machine: just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')"
diff --git a/.just/vars.just b/.just/vars.just
index 167144a..b4d6be2 100644
--- a/.just/vars.just
+++ b/.just/vars.just
@@ -16,7 +16,7 @@ list machine: {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' git add {{ base_path }}/{{ machine }}/secrets.yml
- git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
+ git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done"
@@ -27,6 +27,6 @@ list machine: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml
- git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
+ git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done"
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
index 935fbaf..5ed2f72 100644
--- a/flake.lock
+++ b/flake.lock
@@ -68,6 +68,81 @@ "type": "github" } }, + "clan-core": { + "inputs": { + "data-mesher": "data-mesher", + "disko": "disko", + "flake-parts": "flake-parts", + "nix-darwin": "nix-darwin", + "nix-select": "nix-select", + "nixos-facter-modules": "nixos-facter-modules", + "nixpkgs": [ + "nixpkgs" + ], + "sops-nix": "sops-nix", + "systems": "systems", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1762254206, + "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", + "rev": "43a7652624e76d60a93325c711d01620801d4382", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz" + } + }, + "data-mesher": { + "inputs": { + "flake-parts": [ + "clan-core", + "flake-parts" + ], + "nixpkgs": [ + "clan-core", + "nixpkgs" + ], + "treefmt-nix": [ + "clan-core", + "treefmt-nix" + ] + }, + "locked": { + "lastModified": 1760612273, + "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", + "rev": "0099739c78be750b215cbdefafc9ba1533609393", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761899396, + "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", + "owner": "nix-community", + "repo": "disko", + "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "erosanix": { "inputs": { "flake-compat": "flake-compat", 
@@ -224,6 +299,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762040540, + "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "0010412d62a25d959151790968765a70c436598b", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -244,7 +340,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -265,7 +361,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "terranix", @@ -288,7 +384,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -325,7 +421,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -343,7 +439,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -361,7 +457,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1694529238, @@ -564,6 +660,27 @@ "type": "github" } }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762186368, + "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", + "owner": "nix-darwin", + "repo": "nix-darwin", + "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", + "type": "github" + }, + "original": { + "owner": "nix-darwin", + "repo": "nix-darwin", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ 
@@ -606,6 +723,19 @@ "type": "github" } }, + "nix-select": { + "locked": { + "lastModified": 1755887746, + "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", + "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz" + } + }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -636,6 +766,21 @@ "type": "github" } }, + "nixos-facter-modules": { + "locked": { + "lastModified": 1761137276, + "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", + "owner": "nix-community", + "repo": "nixos-facter-modules", + "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-facter-modules", + "type": "github" + } + }, "nixos-generators": { "inputs": { "nixlib": "nixlib", @@ -865,10 +1010,10 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "mnw": "mnw", "nixpkgs": "nixpkgs_7", - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1760153667, @@ -909,6 +1054,7 @@ }, "root": { "inputs": { + "clan-core": "clan-core", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", @@ -925,7 +1071,7 @@ "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", - "sops-nix": "sops-nix", + "sops-nix": "sops-nix_2", "stylix": "stylix", "terranix": "terranix", "zen-browser": "zen-browser" 
@@ -992,6 +1138,27 @@ } }, "sops-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "sops-nix_2": { "inputs": { "nixpkgs": "nixpkgs_8" }, @@ -1016,11 +1183,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_6", + "systems": "systems_7", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -1146,13 +1313,28 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1757278723, 
@@ -1249,6 +1431,27 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761311587, + "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "zen-browser": { "inputs": { "home-manager": "home-manager_2",
diff --git a/flake.nix b/flake.nix
index 8ea1571..d7a7508 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,11 @@ url = "github:terranix/terranix"; inputs.nixpkgs.follows = "nixpkgs"; };
+
+ clan-core = {
+ url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
}; outputs = inputs: inputs.snowfall-lib.mkFlake {
@@ -119,6 +124,10 @@ flux.overlays.default ];
+ systems.modules = with inputs; [
+ clan-core.nixosModules.default
+ ];
+
homes.modules = with inputs; [ stylix.homeModules.stylix plasma-manager.homeModules.plasma-manager
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index 7540e2f..402d59d 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let
- inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length;
+ inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel;
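Review bot: The new `clan-core` input tracks a moving branch, `https://git.clan.lol/clan/clan-core/archive/main.tar.gz`, so every `nix flake update` moves to whatever `main` holds at that moment, and the lock's `original` for a tarball input carries no repository identity beyond that URL. The lock hunk in this same diff pins the input to rev `43a7652624e76d60a93325c711d01620801d4382` with a narHash, which protects rebuilds but not the next update; the neighbouring inputs use `github:` references, which at least pin owner and repo. Consider pointing the URL at a tag or commit archive, or using a `git+https://…?ref=…` reference, so a bump is a deliberate choice, and read this input's lock diff on each update since the module is also imported into every system further down.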
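Review bot: `systems.modules = with inputs; [ clan-core.nixosModules.default ];` imports clan-core's NixOS module into every system the flake builds, including hosts that are not clan-managed, and nothing here shows what that module enables by default. If only some machines use it, importing it from those systems' own `default.nix` keeps the change per host; if it is meant for all hosts, a one-line comment above the list saying so, `# applied to every NixOS system`, would make the intent explicit. Also confirm that snowfall-lib applies a bare list under `systems.modules` to NixOS systems, since its documented key is `systems.modules.nixos`; a silently ignored list would mean the module never loads.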
@@ -340,7 +340,7 @@ in # Organizations zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: { inherit name isDefault; }
- |> toResource name
+ |> toResource name
); # Projects per organization
@@ -348,8 +348,8 @@ in { inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; }
- |> withRef "org" org
- |> toResource "${org}_${name}"
+ |> withRef "org" org
+ |> toResource "${org}_${name}"
); # Each OIDC app per project
@@ -361,26 +361,26 @@ in idTokenRoleAssertion = true; accessTokenType = "JWT"; }
- |> withRef "org" org
- |> withRef "project" "${org}_${project}"
- |> toResource "${org}_${project}_${name}"
+ |> withRef "org" org
+ |> withRef "project" "${org}_${project}"
+ |> toResource "${org}_${project}_${name}"
); # Each project role zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: { inherit (value) displayName group; roleKey = name; }
- |> withRef "org" org
- |> withRef "project" "${org}_${project}"
- |> toResource "${org}_${project}_${name}"
+ |> withRef "org" org
+ |> withRef "project" "${org}_${project}"
+ |> toResource "${org}_${project}_${name}"
); # Each project role assignment zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: { roleKeys = roles; }
- |> withRef "org" org
- |> withRef "project" "${org}_${project}"
- |> withRef "user" "${org}_${user}"
- |> toResource "${org}_${project}_${user}"
+ |> withRef "org" org
+ |> withRef "project" "${org}_${project}"
+ |> withRef "user" "${org}_${user}"
+ |> toResource "${org}_${project}_${user}"
); # Users
@@ -390,24 +390,30 @@ in isEmailVerified = true; }
- |> withRef "org" org
- |> toResource "${org}_${name}"
+ |> withRef "org" org
+ |> toResource "${org}_${name}"
); # Global user roles
- zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value:
- { roles = value.instanceRoles; }
+ zitadel_instance_member =
+ cfg.organization
+ |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0))
+ |> select [ "user" ] (org: name: { instanceRoles, ... }:
+ { roles = instanceRoles; }
|> withRef "user" "${org}_${name}" |> toResource "${org}_${name}"
- );
+ );
# Organazation specific roles
- zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }:
- { inherit roles; }
+ zitadel_org_member =
+ cfg.organization
+ |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0))
+ |> select [ "user" ] (org: name: { roles, ... }:
+ { inherit roles; }
|> withRef "org" org |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}"
- );
+ );
# Organazation's actions zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}:
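Review bot: The two `filterAttrsRecursive` calls remove any attribute set anywhere under `cfg.organization` whose `instanceRoles` (respectively `roles`) list is empty, not only user entries, because the predicate is applied at every level — organizations, projects, actions and triggers included — so an option with either name on another level would vanish silently. If the `select [ "user" ]` callback receives the user's attribute set, filtering there is narrower and reads as what it is; otherwise a comment above each call, `# skip users with no roles so no empty member resource is emitted`, states the intent. `n` is unused in both predicates, so `(_: v: …)` documents that too. Presumably the intended effect is that a user whose list is emptied no longer produces a resource — on an existing deployment that is a destroy, which deserves a mention in the commit message; the enclosing attribute set continues on both sides of the hunk.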
@@ -416,25 +422,27 @@ in timeout = "${toString timeout}s"; script = "const ${name} = ${script}"; }
- |> withRef "org" org
- |> toResource "${org}_${name}"
+ |> withRef "org" org
+ |> toResource "${org}_${name}"
); # Organazation's action assignments
- zitadel_trigger_actions = cfg.organization
+ zitadel_trigger_actions =
+ cfg.organization
|> concatMapAttrs (org: { triggers, ... }: triggers
- |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in
- {
- inherit flowType triggerType;
+ |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in
+ {
+ inherit flowType triggerType;
- actionIds = actions
- |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id"));
- }
- |> withRef "org" org
- |> toResource "${org}_${name}"
- ))
- |> listToAttrs
+ actionIds =
+ actions
+ |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id"));
+ }
+ |> withRef "org" org
+ |> toResource "${org}_${name}"
+ ))
+ |> listToAttrs
); # SMTP config
diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix
index fbe5235..e200505 100644
--- a/modules/nixos/services/backup/borg/default.nix
+++ b/modules/nixos/services/backup/borg/default.nix
@@ -16,7 +16,7 @@ in paths = "/var/media/test"; encryption.mode = "none"; environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4";
- repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media";
+ repo = "ssh://chris@beheer.hazelhof.nl:222/media";
compression = "auto,zstd"; startAt = "daily"; };
diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix
index f84c002..ce92df4 100644
--- a/modules/nixos/services/communication/matrix/default.nix
+++ b/modules/nixos/services/communication/matrix/default.nix
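Review bot: The new `repo` value `ssh://chris@beheer.hazelhof.nl:222/media` is an absolute remote path (`/media`), whereas the old value sat under `/home/chris/backups`; if a home-relative location was intended, borg's URL syntax for that is `ssh://chris@beheer.hazelhof.nl:222/~/media`. Moving the path also means the existing archives stay behind at the old location and, if the job keeps the NixOS module's default of initialising a missing repository, the next `daily` run starts a fresh repository rather than continuing the old one — worth confirming on the remote before the timer fires. A comment on the line recording where `/media` is served from (for example a restricted `borg serve` path) would make the absolute path less surprising to the next reader.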
@@ -46,8 +46,8 @@ in precence.enabled = true; # Since we'll be using OIDC for auth disable all local options
- enable_registration = true;
- enable_registration_without_verification = true;
+ enable_registration = false;
+ enable_registration_without_verification = false;
password_config.enabled = false; backchannel_logout_enabled = true;
@@ -186,6 +186,11 @@ in - profile client_id: '${config.sops.placeholder."synapse/oidc_id"}' client_secret: '${config.sops.placeholder."synapse/oidc_secret"}'
+ backchannel_logout_enabled: true
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name }}"
''; restartUnits = [ "matrix-synapse.service" ]; };
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index 39e8215..dbcef87 100644
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -121,7 +121,7 @@ in }; mirror = {
- ENABLED = false;
+ ENABLED = true;
}; session = {
diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix
index bc41fb4..9d915da 100644
--- a/modules/nixos/services/media/default.nix
+++ b/modules/nixos/services/media/default.nix
@@ -72,12 +72,6 @@ in settings = { auth.AuthenticationMethod = "External";
-
- # postgres = {
- # PostgresHost = "localhost";
- # PostgresPort = "5432";
- # PostgresUser = "media";
- # };
}; };
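Review bot: The two registration flags now match the comment above them, but `precence.enabled = true;` two lines up in the same block looks like a misspelling of `presence`; if Synapse ignores unknown keys, that line has no effect and presence stays at its default. Fixing the spelling is a one-word change in this hunk, `presence.enabled = true;`, and the enclosing `settings` set continues outside it.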
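Review bot: `localpart_template: "{{ user.preferred_username }}"` builds the Matrix localpart from a claim whose shape the IdP decides; if the provider returns a login name with an `@domain` suffix, as some do, `@` is not a valid localpart character and Synapse refuses the login with a mapping error, so check the actual claim value before relying on it and use a Jinja filter or another claim if needed. Because the localpart is derived from a username the user or an admin can change, the template should be documented as depending on that name staying stable; a comment in the template, `# localpart is taken from the IdP username — keep it immutable there`, would do, and whether Synapse reuses its stored subject mapping on later logins should be confirmed rather than assumed. `backchannel_logout_enabled: true` is now set both here, per provider, and as a top-level `backchannel_logout_enabled = true;` in the earlier hunk; the per-provider key is the one documented for OIDC providers, so the top-level one is either redundant or ignored and should be dropped or explained.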
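Review bot: `mirror.ENABLED = true;` lets any user allowed to create repositories make the server fetch from URLs of their choosing on a schedule, an outbound-request surface the old `false` kept closed. Forgejo bounds those targets in the `migrations` section (`ALLOWED_DOMAINS`, `BLOCKED_DOMAINS`, and `ALLOW_LOCALNETWORKS`, which is off by default), and the `mirror` section has `MIN_INTERVAL`/`DEFAULT_INTERVAL` for how often fetches run; none of that is visible here, so either confirm it is set elsewhere in this module or add it next to this switch. A short comment on why mirrors are needed, `# mirrors: <placeholder: reason>`, would also help — the enclosing `settings` set continues outside the hunk.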
@@ -152,39 +146,6 @@ in group = cfg.group; };
- # postgresql = {
- # enable = true;
- # ensureDatabases = [
- # "radarr-main" "radarr-log"
- # "sonarr-main" "sonarr-log"
- # "lidarr-main" "lidarr-log"
- # "prowlarr-main" "prowlarr-log"
- # ];
- # identMap = ''
- # media media radarr-main
- # media media radarr-log
- # media media sonarr-main
- # media media sonarr-log
- # media media lidarr-main
- # media media lidarr-log
- # media media prowlarr-main
- # media media prowlarr-log
- # '';
- # ensureUsers = [
- # { name = "radarr-main"; ensureDBOwnership = true; }
- # { name = "radarr-log"; ensureDBOwnership = true; }
- # { name = "sonarr-main"; ensureDBOwnership = true; }
- # { name = "sonarr-log"; ensureDBOwnership = true; }
- # { name = "lidarr-main"; ensureDBOwnership = true; }
- # { name = "lidarr-log"; ensureDBOwnership = true; }
- # { name = "prowlarr-main"; ensureDBOwnership = true; }
- # { name = "prowlarr-log"; ensureDBOwnership = true; }
- # ];
- # };
caddy = { enable = true; virtualHosts = {
diff --git a/shells/default/default.nix b/shells/default/default.nix
new file mode 100644
index 0000000..0361f88
--- /dev/null
+++ b/shells/default/default.nix
@@ -0,0 +1,10 @@
+{ mkShell, inputs, pkgs, ... }:
+
+mkShell {
+ packages = with pkgs; [
+ bash
+ sops
+ just
+ inputs.clan-core.packages.x86_64-linux.clan-cli
+ ];
+}
\ No newline at end of file
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index 7657eac..027dad6 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@@ -38,7 +38,8 @@ sneeuwvlok = { services = {
- # authentication.authelia.enable = true;
+ backup.borg.enable = true;
+ authentication.zitadel = { enable = true;
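Review bot: `inputs.clan-core.packages.x86_64-linux.clan-cli` hard-codes the system, so this shell fails to evaluate on any other platform the flake is used from; `inputs.clan-core.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli` picks the matching package set. Inside `with pkgs;` it is also not obvious at a glance that `inputs` is the function argument rather than a `pkgs` attribute — binding `clan-cli` in a `let` above `mkShell` and listing it by name keeps the `with` list to packages from `pkgs`. The file is also missing its trailing newline.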