chore: re-harden matrix server

They dirty the output too much when nix fails

.envrc

@@ -0,0 +1,2 @@
+# shellcheck shell=bash
+use flake

.just/machine.just

@@ -4,6 +4,7 @@
 @list:
   ls -1 ../systems/x86_64-linux/
 
+[no-exit-message]
 [doc('Update the target machine')]
 @update machine:
   just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')"

.just/vars.just

@@ -16,7 +16,7 @@ list machine:
   {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
 
   git add {{ base_path }}/{{ machine }}/secrets.yml
-  git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
+  git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
 
   echo "Done"
   
@@ -27,6 +27,6 @@ list machine:
   {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
 
   git add {{ base_path }}/{{ machine }}/secrets.yml
-  git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
+  git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
 
   echo "Done"

flake.lock

@@ -68,6 +68,81 @@
         "type": "github"
       }
     },
+    "clan-core": {
+      "inputs": {
+        "data-mesher": "data-mesher",
+        "disko": "disko",
+        "flake-parts": "flake-parts",
+        "nix-darwin": "nix-darwin",
+        "nix-select": "nix-select",
+        "nixos-facter-modules": "nixos-facter-modules",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "sops-nix": "sops-nix",
+        "systems": "systems",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1762254206,
+        "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=",
+        "rev": "43a7652624e76d60a93325c711d01620801d4382",
+        "type": "tarball",
+        "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"
+      }
+    },
+    "data-mesher": {
+      "inputs": {
+        "flake-parts": [
+          "clan-core",
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "clan-core",
+          "nixpkgs"
+        ],
+        "treefmt-nix": [
+          "clan-core",
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760612273,
+        "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=",
+        "rev": "0099739c78be750b215cbdefafc9ba1533609393",
+        "type": "tarball",
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "clan-core",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1761899396,
+        "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "erosanix": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -224,6 +299,27 @@
       }
     },
     "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "clan-core",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762040540,
+        "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "0010412d62a25d959151790968765a70c436598b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": [
           "nvf",
@@ -244,7 +340,7 @@
         "type": "github"
       }
     },
-    "flake-parts_2": {
+    "flake-parts_3": {
       "inputs": {
         "nixpkgs-lib": [
           "stylix",
@@ -265,7 +361,7 @@
         "type": "github"
       }
     },
-    "flake-parts_3": {
+    "flake-parts_4": {
       "inputs": {
         "nixpkgs-lib": [
           "terranix",
@@ -288,7 +384,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -325,7 +421,7 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -343,7 +439,7 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -361,7 +457,7 @@
     },
     "flake-utils_4": {
       "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_6"
       },
       "locked": {
         "lastModified": 1694529238,
@@ -564,6 +660,27 @@
         "type": "github"
       }
     },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "clan-core",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762186368,
+        "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=",
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "rev": "69921864a70b58787abf5ba189095566c3f0ffd3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "nix-github-actions": {
       "inputs": {
         "nixpkgs": [
@@ -606,6 +723,19 @@
         "type": "github"
       }
     },
+    "nix-select": {
+      "locked": {
+        "lastModified": 1755887746,
+        "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=",
+        "rev": "92c2574c5e113281591be01e89bb9ddb31d19156",
+        "type": "tarball",
+        "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz"
+      }
+    },
     "nixlib": {
       "locked": {
         "lastModified": 1736643958,
@@ -636,6 +766,21 @@
         "type": "github"
       }
     },
+    "nixos-facter-modules": {
+      "locked": {
+        "lastModified": 1761137276,
+        "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=",
+        "owner": "nix-community",
+        "repo": "nixos-facter-modules",
+        "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-facter-modules",
+        "type": "github"
+      }
+    },
     "nixos-generators": {
       "inputs": {
         "nixlib": "nixlib",
@@ -865,10 +1010,10 @@
     "nvf": {
       "inputs": {
         "flake-compat": "flake-compat_4",
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
         "mnw": "mnw",
         "nixpkgs": "nixpkgs_7",
-        "systems": "systems_4"
+        "systems": "systems_5"
       },
       "locked": {
         "lastModified": 1760153667,
@@ -909,6 +1054,7 @@
     },
     "root": {
       "inputs": {
+        "clan-core": "clan-core",
         "erosanix": "erosanix",
         "fenix": "fenix",
         "firefox": "firefox",
@@ -925,7 +1071,7 @@
         "nvf": "nvf",
         "plasma-manager": "plasma-manager",
         "snowfall-lib": "snowfall-lib",
-        "sops-nix": "sops-nix",
+        "sops-nix": "sops-nix_2",
         "stylix": "stylix",
         "terranix": "terranix",
         "zen-browser": "zen-browser"
@@ -992,6 +1138,27 @@
       }
     },
     "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "clan-core",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760998189,
+        "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "sops-nix_2": {
       "inputs": {
         "nixpkgs": "nixpkgs_8"
       },
@@ -1016,11 +1183,11 @@
         "base16-helix": "base16-helix",
         "base16-vim": "base16-vim",
         "firefox-gnome-theme": "firefox-gnome-theme",
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts_3",
         "gnome-shell": "gnome-shell",
         "nixpkgs": "nixpkgs_9",
         "nur": "nur",
-        "systems": "systems_6",
+        "systems": "systems_7",
         "tinted-foot": "tinted-foot",
         "tinted-kitty": "tinted-kitty",
         "tinted-schemes": "tinted-schemes",
@@ -1146,13 +1313,28 @@
         "type": "github"
       }
     },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "terranix": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_4",
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_7"
+        "systems": "systems_8"
       },
       "locked": {
         "lastModified": 1757278723,
@@ -1249,6 +1431,27 @@
         "type": "github"
       }
     },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "clan-core",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1761311587,
+        "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
     "zen-browser": {
       "inputs": {
         "home-manager": "home-manager_2",

flake.nix

@@ -83,6 +83,11 @@
       url = "github:terranix/terranix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    clan-core = {
+      url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = inputs: inputs.snowfall-lib.mkFlake {
@@ -119,6 +124,10 @@
       flux.overlays.default
     ];
 
+    systems.modules = with inputs; [
+      clan-core.nixosModules.default
+    ];
+
     homes.modules = with inputs; [
       stylix.homeModules.stylix
       plasma-manager.homeModules.plasma-manager

modules/nixos/services/authentication/zitadel/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, system, inputs, ... }:
 let
-  inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length;
+  inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
   inherit (lib.${namespace}.strings) toSnakeCase;
 
   cfg = config.${namespace}.services.authentication.zitadel;
@@ -395,14 +395,20 @@ in
               );
 
               # Global user roles
-              zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: 
+              zitadel_instance_member = 
-                { roles = value.instanceRoles; } 
+                cfg.organization 
+                |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0))
+                |> select [ "user" ] (org: name: { instanceRoles, ... }: 
+                  { roles = instanceRoles; } 
                   |> withRef "user" "${org}_${name}"
                   |> toResource "${org}_${name}"
                 );
 
               # Organazation specific roles
-              zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: 
+              zitadel_org_member = 
+                cfg.organization
+                |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0))
+                |> select [ "user" ] (org: name: { roles, ... }: 
                   { inherit roles; }
                   |> withRef "org" org
                   |> withRef "user" "${org}_${name}"
@@ -421,14 +427,16 @@ in
               );
 
               # Organazation's action assignments
-              zitadel_trigger_actions = cfg.organization
+              zitadel_trigger_actions = 
+                cfg.organization
                 |> concatMapAttrs (org: { triggers, ... }:
                   triggers
                   |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in
                     {
                       inherit flowType triggerType; 
 
-                        actionIds = actions 
+                      actionIds = 
+                        actions 
                         |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id"));
                     } 
                     |> withRef "org" org 

modules/nixos/services/backup/borg/default.nix

@@ -16,7 +16,7 @@ in
           paths = "/var/media/test";
           encryption.mode = "none";
           environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4";
-          repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media";
+          repo = "ssh://chris@beheer.hazelhof.nl:222/media";
           compression = "auto,zstd";
           startAt = "daily";
         };

modules/nixos/services/communication/matrix/default.nix

@@ -46,8 +46,8 @@ in
           precence.enabled = true;
 
           # Since we'll be using OIDC for auth disable all local options
-          enable_registration = true;
+          enable_registration = false;
-          enable_registration_without_verification = true;
+          enable_registration_without_verification = false;
           password_config.enabled = false;
           backchannel_logout_enabled = true;
 
@@ -186,6 +186,11 @@ in
                   - profile
                 client_id: '${config.sops.placeholder."synapse/oidc_id"}'
                 client_secret: '${config.sops.placeholder."synapse/oidc_secret"}'
+                backchannel_logout_enabled: true
+                user_mapping_provider:
+                  config:
+                    localpart_template: "{{ user.preferred_username }}"
+                    display_name_template: "{{ user.name }}"
           '';
           restartUnits = [ "matrix-synapse.service" ];
         };

modules/nixos/services/development/forgejo/default.nix

@@ -121,7 +121,7 @@ in
           };
 
           mirror = {
-            ENABLED = false;
+            ENABLED = true;
           };
 
           session = {

modules/nixos/services/media/default.nix

@@ -72,12 +72,6 @@ in
 
         settings = {
           auth.AuthenticationMethod = "External";
-
-          # postgres = {
-          #   PostgresHost = "localhost";
-          #   PostgresPort = "5432";
-          #   PostgresUser = "media";
-          # };
         };
       };
 
@@ -152,39 +146,6 @@ in
         group = cfg.group;
       };
 
-      # postgresql = {
-      #   enable = true;
-      #   ensureDatabases = [
-      #     "radarr-main" "radarr-log"
-      #     "sonarr-main" "sonarr-log"
-      #     "lidarr-main" "lidarr-log"
-      #     "prowlarr-main" "prowlarr-log"
-      #   ];
-      #   identMap = ''
-      #     media media radarr-main
-      #     media media radarr-log
-      #     media media sonarr-main
-      #     media media sonarr-log
-      #     media media lidarr-main
-      #     media media lidarr-log
-      #     media media prowlarr-main
-      #     media media prowlarr-log
-      #   '';
-      #   ensureUsers = [
-      #     { name = "radarr-main"; ensureDBOwnership = true; }
-      #     { name = "radarr-log"; ensureDBOwnership = true; }
-
-      #     { name = "sonarr-main"; ensureDBOwnership = true; }
-      #     { name = "sonarr-log"; ensureDBOwnership = true; }
-          
-      #     { name = "lidarr-main"; ensureDBOwnership = true; }
-      #     { name = "lidarr-log"; ensureDBOwnership = true; }
-          
-      #     { name = "prowlarr-main"; ensureDBOwnership = true; }
-      #     { name = "prowlarr-log"; ensureDBOwnership = true; }
-      #   ];
-      # };
-
       caddy = {
         enable = true;
         virtualHosts = {

shells/default/default.nix

@@ -0,0 +1,10 @@
+{ mkShell, inputs, pkgs, ... }:
+
+mkShell {
+  packages = with pkgs; [
+    bash
+    sops
+    just
+    inputs.clan-core.packages.x86_64-linux.clan-cli
+  ];
+}

systems/x86_64-linux/ulmo/default.nix

@@ -38,7 +38,8 @@
 
   sneeuwvlok = {
     services = {
-      # authentication.authelia.enable = true;
+      backup.borg.enable = true;
+      
       authentication.zitadel = {
         enable = true;