diff --git a/.just/machine.just b/.just/machine.just index 420197a..8d0d37f 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -4,11 +4,9 @@ @list: ls -1 ../systems/x86_64-linux/ -[doc('Update target machine')] +[doc('Update the target machine')] [no-exit-message] @update machine: - echo "Checking vars" cd .. && just vars _check {{ machine }} - echo "" just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" nixos-rebuild switch -L --sudo --target-host {{ machine }} --build-host {{ machine }} --flake ..#{{ machine }} --log-format internal-json -v |& nom --json diff --git a/.just/vars.just b/.just/vars.just index 7f464fb..2c16d1b 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,7 +1,7 @@ set unstable := true set quiet := true -base_path := justfile_directory() + "/systems/x86_64-linux" +base_path := invocation_directory() / "systems/x86_64-linux" _default: just --list vars @@ -25,7 +25,7 @@ edit machine: [doc('Get var by {key} from {machine}')] get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g') // \"\"" + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" [doc('Remove var by {key} for {machine}')] remove machine key: 
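Review bot: `base_path := invocation_directory() / "systems/x86_64-linux"` makes every `get`/`edit`/`remove` recipe resolve the sops file relative to the caller's current directory, so the same command decrypts a different `secrets.yml` (or none) depending on where `just vars …` is typed; the deleted `script/qbittorrent/password_hash` ran `just vars get ulmo …` from inside `script/qbittorrent/`, which shows callers are not always at the repo root. Anchoring the path to the module's own location keeps secret lookups deterministic, e.g. `base_path := parent_directory(source_directory()) / "systems/x86_64-linux"` if the pinned `just` provides `source_directory()`; otherwise derive it once from `justfile_directory()` and state which directory that is under module import. A one-line comment above the assignment saying which directory the recipes expect to run from would spare the next reader the same surprise.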
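Review bot: Dropping the `// \"\"` fallback in `get` changes the missing-key result from an empty string to the literal `null`, so a caller that tests for emptiness (as the removed `generate` recipe did with `[ $(just vars get … | jq -r) ]`) now sees the four-character string `null` and treats an unset secret as set. If distinguishing "absent" from "empty" is the intent, say so in the attribute, e.g. `[doc('Get var by {key} from {machine}; prints null when the key is absent')]`; otherwise keep the fallback.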
@@ -36,20 +36,6 @@ remove machine key: echo "Done" -[doc('Remove var by {key} for {machine}')] -[script] -generate machine: - for key in $(nix eval --apply 'builtins.attrNames' --json ..#nixosConfigurations.{{ machine }}.config.sops.secrets | jq -r '.[]'); do - # Skip if there's no script - [ -f "{{ justfile_directory() }}/script/$key" ] || continue - - # Skip if we already have a value - [ $(just vars get {{ machine }} "$key" | jq -r) ] && continue - - echo "Executing script for $key" - just vars set {{ machine }} "$key" "$(cd -- "$(dirname "{{ justfile_directory() }}/script/$key")" && source "./$(basename $key)")" - done - [script] check: cd .. diff --git a/modules/nixos/services/authentication/authelia/default.nix b/modules/nixos/services/authentication/authelia/default.nix index 7aea103..9990003 100644 --- a/modules/nixos/services/authentication/authelia/default.nix +++ b/modules/nixos/services/authentication/authelia/default.nix @@ -1,36 +1,16 @@ -{ - config, - lib, - pkgs, - namespace, - ... -}: let +{ config, lib, pkgs, namespace, ... }: +let inherit (lib) mkIf mkEnableOption; user = "authelia-testing"; cfg = config.${namespace}.services.authentication.authelia; -in { +in +{ options.${namespace}.services.authentication.authelia = { enable = mkEnableOption "Authelia"; }; config = mkIf cfg.enable { - ${namespace}.services.networking.caddy = { - hosts = { - "auth.kruining.eu".extraConfig = '' - reverse_proxy http://127.0.0.1:9091 - ''; - }; - extraConfig = '' - (auth) { - forward_auth http://127.0.0.1:9091 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; - environment.systemPackages = with pkgs; [ authelia ]; 
@@ -132,8 +112,8 @@ in { authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = ["openid" "profile" "groups"]; - redirect_uris = ["https://jellyfin.kruining.eu/sso/OID/redirect/authelia"]; + scopes = [ "openid" "profile" "groups" ]; + redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ]; } { client_id = "streamarr"; @@ -147,8 +127,8 @@ in { authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"]; - redirect_uris = ["http://localhost:3000/api/auth/oauth2/callback/authelia"]; + scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; + redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; } { client_id = "forgejo"; @@ -162,10 +142,10 @@ in { authorization_policy = "one_factor"; userinfo_signed_response_alg = "none"; consent_mode = "implicit"; - scopes = ["offline_access" "openid" "email" "picture" "profile" "groups"]; - response_types = ["code"]; - grant_types = ["authorization_code"]; - redirect_uris = ["http://localhost:5002/user/oauth2/authelia/callback"]; + scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; + response_types = [ "code" ]; + grant_types = [ "authorization_code" ]; + redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; } ]; }; 
@@ -215,8 +195,48 @@ in { - jellyfin-users - admin - dev + + jacqueline: + disabled: false + displayname: Jacqueline Bevers + password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 + groups: + - jellyfin-users + + martijn: + disabled: false + displayname: Martijn Kruining + password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 + groups: + - jellyfin-users + + andrea: + disabled: false + displayname: Andrea Kruining + password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18 + groups: + - jellyfin-users ''; }; }; + + services.caddy = { + enable = true; + virtualHosts = { + "auth.kruining.eu".extraConfig = '' + reverse_proxy http://127.0.0.1:9091 + ''; + }; + extraConfig = '' + (auth) { + forward_auth http://127.0.0.1:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; }; } diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 082330e..aaf64f6 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -537,25 +537,7 @@ in }; in mkIf cfg.enable { - ${namespace}.services = { - persistance.postgresql.enable = true; - - networking.caddy = { - hosts = { - "auth.kruining.eu" = '' - reverse_proxy h2c://::1:9092 - ''; - }; - extraConfig = '' - (auth) { - forward_auth h2c://::1:9092 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; - }; + ${namespace}.services.persistance.postgresql.enable = true; environment.systemPackages = with pkgs; [ zitadel 
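Review bot: The three new `users_database` entries (`jacqueline`, `martijn`, `andrea`) carry a byte-identical `$argon2id$…` string including the salt, which means they share one password, and because the users file is an inline Nix string the hashes end up in the world-readable Nix store and in git history. Rendering the users file through `sops.templates` (as the matrix and servarr modules in this diff already do for their secrets) and giving each account its own hash would keep them out of both. Separately, `services.caddy = { enable = true; … }` sets no `package`, whereas the removed `modules/nixos/services/networking/caddy/default.nix` built Caddy with `pkgs.caddy.withPlugins { plugins = ["github.com/corazawaf/coraza-caddy/v2@v2.1.0"]; … }`; if that WAF plugin was relied on it is silently gone, and the same applies to the `caddy` blocks added in the zitadel, matrix, forgejo, jellyfin, nextcloud and vaultwarden modules. A comment on the `caddy` attribute stating that the plain nixpkgs Caddy is intentional would settle it.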
@@ -696,6 +678,23 @@ in } ]; }; + + caddy = { + enable = true; + virtualHosts = { + "auth.kruining.eu".extraConfig = '' + reverse_proxy h2c://::1:9092 + ''; + }; + extraConfig = '' + (auth) { + forward_auth h2c://::1:9092 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; + }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index f20e1ac..8bb79fe 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
@@ -25,75 +25,6 @@ in { ${namespace}.services = { persistance.postgresql.enable = true; # virtualisation.podman.enable = true; - - networking.caddy = { - # globalConfig = '' - # layer4 { - # 127.0.0.1:4004 - # route { - # proxy { - # upstream synapse:4004 - # } - # } - # } - # 127.0.0.1:4005 - # route { - # proxy { - # upstream synapse:4005 - # } - # } - # } - # } - # ''; - hosts = let - server = { - "m.server" = "${fqn}:443"; - }; - client = { - "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.${domain}"; - "org.matrix.msc3575.proxy".url = "https://${domain}"; - "org.matrix.msc4143.rtc_foci" = [ - { - type = "livekit"; - livekit_service_url = "https://${domain}/livekit/jwt"; - } - ]; - }; - in { - "${domain}, darkch.at" = '' - # Route for lk-jwt-service - handle /livekit/jwt* { - uri strip_prefix /livekit/jwt - reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} { - header_up Host {host} - header_up X-Forwarded-Server {host} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - } - } - - handle_path /livekit/sfu* { - reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} { - header_up Host {host} - header_up X-Forwarded-Server {host} - header_up X-Real-IP {remote_host} - header_up X-Forwarded-For {remote_host} - } - } - - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `${toJSON server}` - respond /.well-known/matrix/client `${toJSON client}` - ''; - - "${fqn}" = '' - reverse_proxy /_matrix/* http://::1:${toString port} - reverse_proxy /_synapse/client/* http://::1:${toString port} - ''; - }; - }; }; services = { 
@@ -266,6 +197,75 @@ in { ]; }; + caddy = { + enable = true; + # globalConfig = '' + # layer4 { + # 127.0.0.1:4004 + # route { + # proxy { + # upstream synapse:4004 + # } + # } + # } + # 127.0.0.1:4005 + # route { + # proxy { + # upstream synapse:4005 + # } + # } + # } + # } + # ''; + virtualHosts = let + server = { + "m.server" = "${fqn}:443"; + }; + client = { + "m.homeserver".base_url = "https://${fqn}"; + "m.identity_server".base_url = "https://auth.${domain}"; + "org.matrix.msc3575.proxy".url = "https://${domain}"; + "org.matrix.msc4143.rtc_foci" = [ + { + type = "livekit"; + livekit_service_url = "https://${domain}/livekit/jwt"; + } + ]; + }; + in { + "${domain}, darkch.at".extraConfig = '' + # Route for lk-jwt-service + handle /livekit/jwt* { + uri strip_prefix /livekit/jwt + reverse_proxy http://[::1]:${toString config.services.lk-jwt-service.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + + handle_path /livekit/sfu* { + reverse_proxy http://[::1]:${toString config.services.livekit.settings.port} { + header_up Host {host} + header_up X-Forwarded-Server {host} + header_up X-Real-IP {remote_host} + header_up X-Forwarded-For {remote_host} + } + } + + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `${toJSON server}` + respond /.well-known/matrix/client `${toJSON client}` + ''; + "${fqn}".extraConfig = '' + reverse_proxy /_matrix/* http://::1:${toString port} + reverse_proxy /_synapse/client/* http://::1:${toString port} + ''; + }; + }; + livekit = { enable = true; openFirewall = true; 
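Review bot: The `${fqn}` virtual host proxies to `http://::1:${toString port}` while the `${domain}` host a few lines above brackets the same loopback address as `http://[::1]:…`; `::1:8008` is itself a valid IPv6 literal, so an unbracketed address followed by a port is ambiguous and should be confirmed to load in Caddy rather than assumed. The same unbracketed `h2c://::1:9092` appears in the zitadel module's new `caddy` block. Writing both `reverse_proxy` lines as `http://[::1]:${toString port}` makes the hunk self-consistent.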
@@ -370,17 +370,9 @@ in { sops = { secrets = { - "synapse/oidc_id" = { - restartUnits = ["synapse-matrix.service"]; - }; - "synapse/oidc_secret" = { - restartUnits = ["synapse-matrix.service"]; - }; - "coturn/secret" = { - owner = config.systemd.services.coturn.serviceConfig.User; - group = config.systemd.services.coturn.serviceConfig.Group; - restartUnits = ["coturn.service"]; - }; + "synapse/oidc_id" = {}; + "synapse/oidc_secret" = {}; + "coturn/secret" = {}; }; templates = { diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index f190b0c..dfae9f0 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -28,20 +28,6 @@ in { ${namespace}.services = { persistance.postgresql.enable = true; virtualisation.podman.enable = true; - - networking.caddy = { - hosts = { - "${domain}" = '' - # import auth - - # stupid dumb way to prevent the login page and go to zitadel instead - # be aware that this does not disable local login at all! - # rewrite /user/login /user/oauth2/Zitadel - - reverse_proxy http://127.0.0.1:${toString cfg.port} - ''; - }; - }; }; environment.systemPackages = with pkgs; [forgejo]; @@ -182,6 +168,21 @@ in { }; }; }; + + caddy = { + enable = true; + virtualHosts = { + "${domain}".extraConfig = '' + # import auth + + # stupid dumb way to prevent the login page and go to zitadel instead + # be aware that this does not disable local login at all! + # rewrite /user/login /user/oauth2/Zitadel + + reverse_proxy http://127.0.0.1:${toString cfg.port} + ''; + }; + }; }; users = { diff --git a/modules/nixos/services/media/jellyfin/default.nix b/modules/nixos/services/media/jellyfin/default.nix index de19896..d4323f3 100644 --- a/modules/nixos/services/media/jellyfin/default.nix +++ b/modules/nixos/services/media/jellyfin/default.nix 
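Review bot: Reducing `"coturn/secret"` to `{}` drops the `owner`/`group` that pointed at `config.systemd.services.coturn.serviceConfig.User`/`Group`, so the decrypted file falls back to sops-nix's default ownership (root, mode 0400) and a coturn process running as its own user can no longer read it, unless the secret is now consumed only through the `templates` block that follows, which lies outside this hunk. The three `restartUnits` lists are also gone, so a rotated `synapse/oidc_*` or `coturn/secret` will not restart `synapse-matrix.service`/`coturn.service` until someone does it by hand. If the direct file references were removed on purpose, keep at least `restartUnits` and add `# consumed via sops.templates only` above the three entries so the owner fields are not restored blindly later.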
@@ -17,14 +17,6 @@ in { }; config = mkIf cfg.enable { - ${namespace}.services.networking.caddy = { - hosts = { - "jellyfin.kruining.eu" = '' - reverse_proxy http://[::1]:8096 - ''; - }; - }; - environment.systemPackages = with pkgs; [ jellyfin jellyfin-web @@ -42,6 +34,15 @@ in { user = "media"; group = "media"; }; + + caddy = { + enable = true; + virtualHosts = { + "jellyfin.kruining.eu".extraConfig = '' + reverse_proxy http://[::1]:8096 + ''; + }; + }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud/default.nix index 06904c6..14d6863 100644 --- a/modules/nixos/services/media/nextcloud/default.nix +++ b/modules/nixos/services/media/nextcloud/default.nix @@ -1,15 +1,11 @@ -{ - config, - lib, - pkgs, - namespace, - ... -}: let +{ config, lib, pkgs, namespace, ... }: +let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media.nextcloud; -in { +in +{ options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; @@ -25,14 +21,6 @@ in { }; config = mkIf cfg.enable { - ${namespace}.services.networking.caddy = { - hosts."cloud.kruining.eu" = '' - php_fastcgi unix//run/phpfpm/nextcloud.sock { - env front_controller_active true - } - ''; - }; - users = { users.${cfg.user} = { isSystemUser = true; @@ -87,5 +75,14 @@ in { # startServices = true; # }; + + services.caddy = { + enable = true; + virtualHosts."cloud.kruining.eu".extraConfig = '' + php_fastcgi unix//run/phpfpm/nextcloud.sock { + env front_controller_active true + } + ''; + }; }; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index f868313..bc911f7 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix 
@@ -86,7 +86,7 @@ in { Prefecences.WebUI = { Username = "admin"; - Password_PBKDF2 = config.sops.secrets."qbittorrent/password_hash".path; + Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)"; }; }; @@ -94,35 +94,12 @@ in { group = "media"; }; + # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; - - allowConfigWrite = false; - configFile = lib.mkForce null; - - secretFiles = [ - config.sops.templates."sabnzbd/config.ini".path - ]; - - settings = { - misc = { - port = 2009; - - download_dir = "/var/media/downloads/incomplete"; - complete_dir = "/var/media/downloads/done"; - }; - - servers = { - "news.sunnyusenet.com" = { - name = "news.sunnyusenet.com"; - displayname = "news.sunnyusenet.com"; - host = "news.sunnyusenet.com"; - port = 563; - timeout = 60; - }; - }; - }; + configFile = "/var/media/sabnzbd/config.ini"; + # configFile = config.sops.templates."sabnzbd/config.ini".path; user = "sabnzbd"; group = "media"; @@ -230,6 +207,7 @@ in { host = "localhost"; username = "admin"; password = lib.tfRef "var.qbittorrent_api_key"; + # password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw"; url_base = "/"; port = 2008; }; 
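Review bot: `Password_PBKDF2 = "@ByteArray(…)"` embeds the qbittorrent admin password hash as a literal in the module, so it is committed to git and rendered into the world-readable Nix store, even though the same value is being added to `systems/x86_64-linux/ulmo/secrets.yml` as `qbittorrent/password_hash` (and removed from `sops.secrets` in the `-502` hunk). The previous form was wrong too, since `config.sops.secrets."qbittorrent/password_hash".path` writes the path string into the config, but the fix is a `sops.templates` entry using `${config.sops.placeholder."qbittorrent/password_hash"}`, as the `sabnzbd/config.ini` template in this file already does, not the literal. The commented-out `# password = "poChieN5…"` added in the `-230` hunk should likewise be deleted rather than left behind, because a credential-shaped string in a comment is still searchable in history.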
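Review bot: `configFile = "/var/media/sabnzbd/config.ini"` replaces the sops template with a mutable file on the media volume, and with `allowConfigWrite = false` removed SABnzbd may rewrite it, so the `api_key`/`username`/`password` placeholders rendered by `sops.templates."sabnzbd/config.ini"` no longer reach the service unless something copies the template there first. Nothing in this diff performs that copy, so either restore `configFile = config.sops.templates."sabnzbd/config.ini".path;` (left commented out directly below) or document the manual step in the comment, e.g. `# config lives on /var/media; seed it from sops.templates."sabnzbd/config.ini" by hand`. The typo `harcoded` in `# port is harcoded in nixpkgs module` is worth fixing in the same comment.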
@@ -272,126 +250,47 @@ in { priority = 1; name = "Nyaa"; - implementation = "Cardigann"; - config_contract = "CardigannSettings"; + implementation = "nyaa"; + config_contract = "nyaa_settings"; protocol = "torrent"; fields = [ { - name = "definitionFile"; - text_value = "nyaasi"; - } - { - name = "baseSettings.limitsUnit"; - number_value = 0; - } - { - name = "torrentBaseSettings.preferMagnetUrl"; - bool_value = false; - } - { - name = "prefer_magnet_links"; - bool_value = true; - } - { - name = "sonarr_compatibility"; - bool_value = false; - } - { - name = "strip_s01"; - bool_value = false; - } - { - name = "radarr_compatibility"; - bool_value = false; - } - { - name = "filter-id"; - number_value = 0; - } - { - name = "cat-id"; - number_value = 0; - } - { - name = "sort"; - number_value = 0; - } - { - name = "type"; - number_value = 1; + name = "targetType"; + value = ""; } ]; }; - # "_1337x" = { - # enable = true; + "nzbgeek" = { + enable = true; - # app_profile_id = 1; - # priority = 1; + app_profile_id = 2; + priority = 1; - # name = "1337x"; - # implementation = "Cardigann"; - # config_contract = "CardigannSettings"; - # protocol = "torrent"; - # tags = [1]; + name = "NZBgeek"; + implementation = "nzbgeek"; + config_contract = "nzbgeek_settings"; + protocol = "torrent"; - # fields = [ - # { - # name = "definitionFile"; - # text_value = "1337x"; - # } - # { - # name = "baseSettings.limitsUnit"; - # number_value = 0; - # } - # { - # name = "torrentBaseSettings.preferMagnetUrl"; - # bool_value = false; - # } - # { - # name = "disablesort"; - # bool_value = false; - # } - # { - # name = "sort"; - # number_value = 2; - # } - # { - # name = "type"; - # number_value = 1; - # } - # ]; - # }; + fields = [ + ]; + }; # "nzbgeek" = { # enable = true; - # app_profile_id = 2; - # priority = 1; - + # app_profile_id = 1; # name = "NZBgeek"; - # implementation = "Newznab"; - # config_contract = "NewznabSettings"; - # protocol = "usenet"; + # implementation = "nzbgeek"; + # 
config_contract = "nzbgeek_settings"; + # protocol = "torrent"; # fields = [ - # { - # name = "baseUrl"; - # text_value = "https://api.nzbgeek.info"; - # } - # { - # name = "apiPath"; - # text_value = "/api"; - # } - # { - # name = "apiKey"; - # text_value = "__TODO_API_KEY_SECRET__"; - # } - # { - # name = "baseSettings.limitsUnit"; - # number_value = 5; - # } + # # { + # # name = ""; + # # value = ""; + # # } # ]; # }; }; @@ -502,12 +401,7 @@ in { { secrets = { "qbittorrent/password" = {}; - "qbittorrent/password_hash" = { - owner = "qbittorrent"; - group = "media"; - }; "sabnzbd/apikey" = {}; - "sabnzbd/nzbkey" = {}; "sabnzbd/sunnyweb/username" = {}; "sabnzbd/sunnyweb/password" = {}; }; @@ -534,14 +428,36 @@ in { group = "media"; mode = "0660"; content = '' + __version__ = 19 + __encoding__ = utf-8 [misc] + download_dir = /var/media/downloads/incomplete + complete_dir = /var/media/downloads/done api_key = ${config.sops.placeholder."sabnzbd/apikey"} - nzb_key = ${config.sops.placeholder."sabnzbd/nzbkey"} + log_dir = logs [servers] [[news.sunnyusenet.com]] + name = news.sunnyusenet.com + displayname = news.sunnyusenet.com + host = news.sunnyusenet.com + port = 563 + timeout = 60 username = ${config.sops.placeholder."sabnzbd/sunnyweb/username"} password = ${config.sops.placeholder."sabnzbd/sunnyweb/password"} + connections = 8 + ssl = 1 + ssl_verify = 3 + ssl_ciphers = "" + enable = 1 + required = 0 + optional = 0 + retention = 0 + expire_date = "" + quota = "" + usage_at_start = 0 + priority = 1 + notes = "" ''; }; }; diff --git a/modules/nixos/services/networking/caddy/default.nix b/modules/nixos/services/networking/caddy/default.nix deleted file mode 100644 index f17c737..0000000 --- a/modules/nixos/services/networking/caddy/default.nix +++ /dev/null 
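Review bot: The new `nzbgeek` indexer is declared with `protocol = "torrent"` and `fields = [ ]`, while the commented-out version it replaces described the same indexer as `implementation = "Newznab"; config_contract = "NewznabSettings"; protocol = "usenet";` with `baseUrl`/`apiPath`/`apiKey` fields; NZBgeek is a Usenet indexer that requires an API key, so an empty field list cannot authenticate. The strings `implementation = "nyaa"; config_contract = "nyaa_settings";` and `implementation = "nzbgeek"; config_contract = "nzbgeek_settings";` look like placeholders rather than the provider's implementation names (the removed entries used `Cardigann`/`CardigannSettings` with `definitionFile = "nyaasi"`), and `targetType` does not appear in the removed Cardigann field list; confirm them against the Prowlarr provider schema before this is applied. When the API key is added, source it from a sops-backed variable via `lib.tfRef` as the qbittorrent password in this file already is, rather than as a literal. This hunk starts on the previous physical line.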
@@ -1,40 +0,0 @@ -{ - config, - pkgs, - lib, - namespace, - ... -}: let - inherit (builtins) length; - inherit (lib) mkIf mkEnableOption mkOption types attrNames mapAttrs; - - cfg = config.${namespace}.services.networking.caddy; - hasHosts = (cfg.hosts |> attrNames |> length) > 0; -in { - options.${namespace}.services.networking.caddy = { - enable = mkEnableOption "enable caddy" // {default = true;}; - - hosts = mkOption { - type = types.attrsOf types.str; - }; - - extraConfig = mkOption { - type = types.str; - }; - }; - - config = mkIf hasHosts { - services.caddy = { - enable = cfg.enable; - - package = pkgs.caddy.withPlugins { - plugins = ["github.com/corazawaf/coraza-caddy/v2@v2.1.0"]; - hash = "sha256-AdL/LFKXbWmCsJ/xZWZmYBnw57c7sS6s1miR3sSx1Ow="; - }; - - virtualHosts = - cfg.hosts - |> mapAttrs (host: extraConfig: {inherit extraConfig;}); - }; - }; -} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 7dce380..07f7058 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -91,22 +91,6 @@ in { }; config = mkIf cfg.enable { - ${namespace}.services.networking.caddy.hosts = { - "vault.kruining.eu" = '' - encode zstd gzip - - handle_path /admin { - respond 401 { - close - } - } - - reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { - header_up X-Real-IP {remote_host} - } - ''; - }; - systemd.tmpfiles.rules = [ "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; @@ -166,6 +150,25 @@ in { } ]; }; + + caddy = { + enable = true; + virtualHosts = { + "vault.kruining.eu".extraConfig = '' + encode zstd gzip + + handle_path /admin { + respond 401 { + close + } + } + + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { + header_up X-Real-IP {remote_host} + } + ''; + }; + }; }; sops = { 
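Review bot: In the vaultwarden `caddy` block, `handle_path /admin { respond 401 { close } }` uses an exact path matcher, so only `/admin` itself is blocked while the admin panel's sub-paths (`/admin/…`) still reach `reverse_proxy`; if the intent is to keep the admin interface off the public host, the matcher needs a wildcard, `handle /admin* { respond 401 { close } }` (`handle_path` only adds prefix stripping, which is irrelevant when the handler responds directly). This is carried over from the removed `${namespace}.services.networking.caddy.hosts` block, so the gap is not new, but it is worth closing while the config is being moved.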
diff --git a/packages/studio/default.nix b/packages/studio/default.nix index 1e6b457..84610a3 100644 --- a/packages/studio/default.nix +++ b/packages/studio/default.nix 
@@ -1,109 +1,105 @@ -{ - pkgs, - inputs, -}: let +{ pkgs, inputs }: let inherit (builtins) fetchurl; - inherit (pkgs) makeDesktopItem copyDesktopItems wineWow64Packages; + inherit (pkgs) makeDesktopItem copyDesktopItems wineWowPackages; inherit (inputs.erosanix.lib.x86_64-linux) mkWindowsAppNoCC makeDesktopIcon copyDesktopIcons; - wine = wineWow64Packages.base; -in - mkWindowsAppNoCC rec { - inherit wine; + wine = wineWowPackages.base; +in mkWindowsAppNoCC rec { + inherit wine; - pname = "studio"; - version = "2.25.4"; + pname = "studio"; + version = "2.25.4"; - src = fetchurl { - url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe"; - sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v"; - }; + src = fetchurl { + url = "https://studio.download.bricklink.info/Studio2.0+EarlyAccess/Archive/2.25.12_1/Studio+2.0+EarlyAccess.exe"; + sha256 = "sha256:1xl3zvzkzr64zphk7rnpfx3whhbaykzw06m3nd5dc12r2p4sdh3v"; + }; - enableMonoBootPrompt = false; - dontUnpack = true; + enableMonoBootPrompt = false; + dontUnpack = true; - wineArch = "win64"; - enableInstallNotification = true; + wineArch = "win64"; + enableInstallNotification = true; - fileMap = { - "$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io"; - "$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink"; - }; + fileMap = { + "$HOME/.config/${pname}/Stud.io" = "drive_c/users/$USER/AppData/Local/Stud.io"; + "$HOME/.config/${pname}/Bricklink" = "drive_c/users/$USER/AppData/LocalLow/Bricklink"; + }; - fileMapDuringAppInstall = false; + fileMapDuringAppInstall = false; - persistRegistry = false; - persistRuntimeLayer = true; - inputHashMethod = "version"; + persistRegistry = false; + persistRuntimeLayer = true; + inputHashMethod = "version"; - # Can be used to precisely select the Direct3D implementation. 
- # - # | enableVulkan | rendererOverride | Direct3D implementation | - # |--------------|------------------|-------------------------| - # | false | null | OpenGL | - # | true | null | Vulkan (DXVK) | - # | * | dxvk-vulkan | Vulkan (DXVK) | - # | * | wine-opengl | OpenGL | - # | * | wine-vulkan | Vulkan (VKD3D) | - enableVulkan = false; - rendererOverride = null; + # Can be used to precisely select the Direct3D implementation. + # + # | enableVulkan | rendererOverride | Direct3D implementation | + # |--------------|------------------|-------------------------| + # | false | null | OpenGL | + # | true | null | Vulkan (DXVK) | + # | * | dxvk-vulkan | Vulkan (DXVK) | + # | * | wine-opengl | OpenGL | + # | * | wine-vulkan | Vulkan (VKD3D) | + enableVulkan = false; + rendererOverride = null; - enableHUD = false; + enableHUD = false; - enabledWineSymlinks = {}; - graphicsDriver = "auto"; - inhibitIdle = false; + enabledWineSymlinks = { }; + graphicsDriver = "auto"; + inhibitIdle = false; - nativeBuildInputs = [copyDesktopIcons copyDesktopItems]; + nativeBuildInputs = [ copyDesktopIcons copyDesktopItems ]; - winAppInstall = '' - wine64 ${src} + winAppInstall = '' + wine64 ${src} - wineserver -W - wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f - ''; + wineserver -W + wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f + ''; - winAppPreRun = '' - wineserver -W - wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f - ''; + winAppPreRun = '' + wineserver -W + wine64 reg add 'HKEY_CURRENT_USER\Software\Wine\X11 Driver' /t REG_SZ /v UseTakeFocus /d N /f + ''; - winAppRun = '' - wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS" - ''; + winAppRun = '' + wine64 "$WINEPREFIX/drive_c/Program Files/Studio 2.0/Studio.exe" "$ARGS" + ''; - winAppPostRun = ""; - installPhase = '' - runHook preInstall + winAppPostRun = ""; + installPhase 
= '' + runHook preInstall - ln -s $out/bin/.launcher $out/bin/${pname} + ln -s $out/bin/.launcher $out/bin/${pname} - runHook postInstall - ''; + runHook postInstall + ''; - desktopItems = [ - (makeDesktopItem { - mimeTypes = []; + desktopItems = [ + (makeDesktopItem { + mimeTypes = []; - name = pname; - exec = pname; - icon = pname; - desktopName = "Bricklink studio"; - genericName = "Lego creation app"; - categories = []; - }) - ]; - - desktopIcon = makeDesktopIcon { name = pname; - src = ./studio.png; - }; + exec = pname; + icon = pname; + desktopName = "Bricklink studio"; + genericName = "Lego creation app"; + categories = []; + }) + ]; - meta = { - description = "App for creating lego builds"; - homepage = "https://www.bricklink.com/v3/studio/main.page"; - license = ""; - maintainers = []; - platforms = ["x86_64-linux"]; - }; - } + desktopIcon = makeDesktopIcon { + name = pname; + src = ./studio.png; + }; + + meta = { + description = "App for creating lego builds"; + homepage = "https://www.bricklink.com/v3/studio/main.page"; + license = ""; + maintainers = []; + platforms = [ "x86_64-linux" ]; + }; +} diff --git a/script/qbittorrent/hash.py b/script/qbittorrent/hash.py deleted file mode 100644 index a92343f..0000000 --- a/script/qbittorrent/hash.py +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/bash - -import base64 -import hashlib -import sys -import uuid - -password = sys.argv[1] -salt = uuid.uuid4() -salt_bytes = salt.bytes - -password = str.encode(password) -hashed_password = hashlib.pbkdf2_hmac("sha512", password, salt_bytes, 100000, dklen=64) -b64_salt = base64.b64encode(salt_bytes).decode("utf-8") -b64_password = base64.b64encode(hashed_password).decode("utf-8") -password_string = "@ByteArray({salt}:{password})".format( - salt=b64_salt, password=b64_password -) -print(password_string) diff --git a/script/qbittorrent/password b/script/qbittorrent/password deleted file mode 100644 index 85fc69f..0000000 --- a/script/qbittorrent/password +++ /dev/null 
@@ -1,3 +0,0 @@ -#!/bin/bash - -pwgen -s 128 1 diff --git a/script/qbittorrent/password_hash b/script/qbittorrent/password_hash deleted file mode 100644 index 86ba315..0000000 --- a/script/qbittorrent/password_hash +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -python ./hash.py "$(just vars get ulmo qbittorrent/password | jq -r)" diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 43a5760..7440933 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -27,6 +27,17 @@ }; }; + # Expose amarht cloud stuff like this until I have a proper solution + services.caddy.virtualHosts = { + "auth.amarth.cloud".extraConfig = '' + reverse_proxy http://192.168.1.223:9092 + ''; + + "amarth.cloud".extraConfig = '' + reverse_proxy http://192.168.1.223:8080 + ''; + }; + # virtualisation = { # containers.enable = true; # podman = { @@ -193,16 +204,6 @@ development.forgejo.enable = true; networking.ssh.enable = true; - networking.caddy.hosts = { - # Expose amarht cloud stuff like this until I have a proper solution - "auth.amarth.cloud" = '' - reverse_proxy http://192.168.1.223:9092 - ''; - - "amarth.cloud" = '' - reverse_proxy http://192.168.1.223:8080 - ''; - }; media.enable = true; media.glance.enable = true; diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 005042c..729bed1 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -23,6 +23,9 @@ mydia: oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str] secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] +qbittorrent: + password_hash: ENC[AES256_GCM,data:yCfCslj01wtfwzzPOGlwA6wLLf+EUuEweYa3ZxvDtd/VGMxuV38quV+ob1Of+W0UH3+U4Qmgh4BK3I3IJZuKOvNdkZ0i81YBwW6cgvZUmnxwh8wokpNzxCKbYk5nF7y7SaGEdzQLvV7ad3fNMJsQ+s2zCsKWbm+j8Bwgq0E=,iv:IIktPS9pYXaYPzH0r4wrkp31CpunKnr70Ainu6hOeWY=,tag:bYCfhDfIwiQZ1tKAvITewQ==,type:str] + password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] oidc_secret: ENC[AES256_GCM,data:b7qILK9ZHW2khtM1Hl/KdjCv3Wq6eOo2Ym/cbjcMB8/3Hn2UelpP4K4lFyiV3bn1/GF6Jl5Z7A0EwMybOx0InA==,iv:3HL/7BiyObwT8DmFxzNPI9CdmCH/4j/4oc9x7qBE1k0=,tag:dBhcq1zLKy6N+jp/v42R4A==,type:str] 
@@ -32,14 +35,10 @@ sabnzbd: password: ENC[AES256_GCM,data:flw8AahqO1Mx,iv:Qhu8iVWMzzqy18y8dj3aHoBnSZatm74/tYvZ456l2sA=,tag:sCYBdw7kD0zJZFFr5EyPIQ==,type:str] username: ENC[AES256_GCM,data:IboJ8WDWuVNgvrk7c3V8I5S6Xg==,iv:BRohMuQFQz2S+HFasIaok6npT3C5v/SlhAhbLQXfB0s=,tag:M3/u0WBQ3AufHqe4DCtsrA==,type:str] apikey: ENC[AES256_GCM,data:j5sPXKbBhMdNHOuoTfZ+c8nGu5JameOgK2z428iLdP01Hi6MvHVaN8Zs8YxMoSBtOjdtIEC8MS+3m1S1rU/P4pCRfZpK5ua1DBHq4l0xROUqokFWjDcAmJJv3pYXl0cQxQcGKQ==,iv:v5hu3gmO1Zn1FfXkHLPGN9f7JOcQjzoQahdqJwfM+xY=,tag:uI1LFcTgcyRgAaTJ1kzKow==,type:str] - nzbkey: ENC[AES256_GCM,data:tGFnZ24XNI7U8pVYq45ENSVTeVkkcWfT5/NewqSJ3sm7Bexxml/PFTMBIl+97mWzNMMFklBurX/115P06NHCj1mxEvIjIc1bF4yuYhZFdSTlqRVWaESE/Ei7gke758FCt37N43wADgaKj4i5jizDHJMIbaw8ncP3qBSCy1F4BAU=,iv:RA+3oYGhVLBG+ikHMwBG3t2iN15lGsncdmlkfF6vJhY=,tag:6FNM18KCSzzpIXYDpQfHSg==,type:str] whisparr: apikey: ENC[AES256_GCM,data:kIGCsd4mszm90PoQMzlSEBKw9Ow0GvP1qdLtwXYKkAb6b65l89v8lMWJ2X1MyD2gJX+P+Bv1F/2BSjUFXErq/UYnp4dAjwKi/ezGCbhjMutDM1FvwFWEHRnR3gjd9uXPWJ8Xhg==,iv:98aPQlcZHJovpnzACDs6RtKblLnHg6wyi+Er5DAowj8=,tag:Tl8jz/pWYWAtBCfoztKdyw==,type:str] coturn: secret: ENC[AES256_GCM,data:5RmLZ7vQIAvIzvax8oNJkImQ6vXR+MZ2eqxaBJCBlccnFC1rP16/6UtausXVf0eWysw+fpMW5yEmUtAdyxQoPiBCK8lziAZBdkekQnAvFouBaWy8WIZt6XRa71P4xDCDGudpMiGwGGNt+R9yylez+azaLrLyJM3481RPohDMoOM=,iv:2P83lgxGtHwYr+ApAdHopVfRWagxWlC+nt53API/SiQ=,tag:Qv+A03BE1QvEqJMtORiQVA==,type:str] -qbittorrent: - password: ENC[AES256_GCM,data:LIDxh0Ni0JgQGWFix/Ihw7IlUPgzMhrMlWNP5LKkAnEM6EoqA9kFwiPeizB0CZ20+vSqRiL9fikBf8qGLA17L7AKh8I4OTFDlpKpMRtRlMq9S5UBEyOqtOMcvkCSf6/qGoORd1KJSlaitZk47SYRuccOpy/2vAvbMRdLm0SYEqc=,iv:tQdN1N9kXoq7OZbR2eYyy50FltsMAAUI4Lr7U4/SpJE=,tag:3ZOLvjHXD7i7WFy1/Ggqtg==,type:str] - password_hash: 
ENC[AES256_GCM,data:urufJbSErLqPdU6jLLZk+27fe4k+cKLXcGRGSqroUDdGMzDnhSF+ZWuPxwDlJQR3ws2GnuiEASncwNO/SALKXFDk2V2gsKJ4hsjyiIbsqCwSEFB/XMY0nY/x0xrcIfMVE0HdrNYeQ3zT01Z5jQpSd7wo2M63LaULL/Av498=,iv:tnUVhOgrImKa6iii2hJZn5LKrySM5v47B2zDZMgmUow=,tag:g3xa/4Z+t1Q9Wnd4XzefLg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -60,7 +59,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-05T10:38:19Z" - mac: ENC[AES256_GCM,data:gS6YTRTl6UdOC7Afrj1LrkgA7MWRLF0HNWytfzhkvThLW+JJrHPEhvWiYrsPW1Bm6o2JkKqVP5HfzcuGNIHJySkEQ4HV02BbibtMNiUKqk+voATsWOpo6957bwRJaTbvDvxmzIQ38TSUoj/pt8Z8WTl0hSPAlqNlWYffXX0y8K4=,iv:53R2bKYKiHJi9DTecg7hiuGNb3Kj9rA2U/oPJ+AFO5I=,tag:5uqvmEJCaCS/yNqyt/FPZg==,type:str] + lastmodified: "2026-02-25T07:35:41Z" + mac: ENC[AES256_GCM,data:UKAWLSj/OpyCGj1U9rhCX2rQr5E2CXodU+Z5RZddTdFis1+1opw7GLr+2s4OTRbREdZsNP3JSoXycgCssf4na88p/PTZh/VUa9ymbRr9eTacJq6ZkqRC5J8WyDK6gI+Qv4gv5CxdxZd92vUa4uXlwrZ4VsYepvrrkatCe9YTA9w=,iv:dkm+hkdyzJsIXp4uB36wYa/uzl8VA7LwhmvQT3hQlog=,tag:zHxeEze6RVfTCcduVkwuoQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0
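Review bot: `lastmodified` moves backwards from `2026-03-05T10:38:19Z` to `2026-02-25T07:35:41Z`, which indicates this hunk restores an older encrypted file rather than re-encrypting an edited one, so the `qbittorrent.password`/`password_hash` ciphertexts added in the `@@ -23,6 +23,9 @@` hunk are the older values. Since the literal `Password_PBKDF2` now in `modules/nixos/services/media/servarr/default.nix` has to correspond to the password stored under `qbittorrent.password`, confirm the two were derived together before merging; sops cannot check that for you.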