From 39253ca0803ba43f0ced8035a218da70c71093e2 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 31 Aug 2025 17:30:45 +0200
Subject: [PATCH 001/174] update deps
---
 flake.lock | 108 ++++++++++++++++++++++++++---------------------------
 1 file changed, 54 insertions(+), 54 deletions(-)
diff --git a/flake.lock b/flake.lock
index 27521bd..d422094 100644
--- a/flake.lock
+++ b/flake.lock
@@ -73,11 +73,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1755108317,
- "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=",
+ "lastModified": 1756593129,
+ "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=",
 "owner": "emmanuelrosa",
 "repo": "erosanix",
- "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e",
+ "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd",
 "type": "github"
 },
 "original": {
@@ -94,11 +94,11 @@
 "rust-analyzer-src": "rust-analyzer-src"
 },
 "locked": {
- "lastModified": 1755153894,
- "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=",
+ "lastModified": 1756622179,
+ "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=",
 "owner": "nix-community",
 "repo": "fenix",
- "rev": "f6874c6e512bc69d881d979a45379b988b80a338",
+ "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79",
 "type": "github"
 },
 "original": {
@@ -114,11 +114,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1755083788,
- "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=",
+ "lastModified": 1756643456,
+ "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=",
 "owner": "nix-community",
 "repo": "flake-firefox-nightly",
- "rev": "523078b104590da5850a61dfe291650a6b49809c",
+ "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e",
 "type": "github"
 },
 "original": {
@@ -411,11 +411,11 @@
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
- "lastModified": 1755072091,
- "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=",
+ "lastModified": 1756381920,
+ "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=",
 "owner": "vinceliuice",
 "repo": "grub2-themes",
- "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa",
+ "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7",
 "type": "github"
 },
 "original": {
@@ -432,11 +432,11 @@
 ]
 },
 "locked": {
- "lastModified": 1754593854,
- "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=",
+ "lastModified": 1756413980,
+ "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=",
 "owner": "himmelblau-idm",
 "repo": "himmelblau",
- "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed",
+ "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a",
 "type": "github"
 },
 "original": {
@@ -452,11 +452,11 @@
 ]
 },
 "locked": {
- "lastModified": 1755121891,
- "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=",
+ "lastModified": 1756650373,
+ "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426",
+ "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8",
 "type": "github"
 },
 "original": {
@@ -473,11 +473,11 @@
 ]
 },
 "locked": {
- "lastModified": 1755151620,
- "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=",
+ "lastModified": 1756638688,
+ "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=",
 "owner": "Jovian-Experiments",
 "repo": "Jovian-NixOS",
- "rev": "16e12d22754d97064867006acae6e16da7a142a6",
+ "rev": "e7b8679cba79f4167199f018b05c82169249f654",
 "type": "github"
 },
 "original": {
@@ -507,11 +507,11 @@
 },
 "mnw": {
 "locked": {
- "lastModified": 1748710831,
- "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
+ "lastModified": 1756580127,
+ "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=",
 "owner": "Gerg-L",
 "repo": "mnw",
- "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
+ "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252",
 "type": "github"
 },
 "original": {
@@ -549,11 +549,11 @@
 "nixpkgs": "nixpkgs_5"
 },
 "locked": {
- "lastModified": 1755137329,
- "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=",
+ "lastModified": 1756518625,
+ "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=",
 "owner": "Infinidoge",
 "repo": "nix-minecraft",
- "rev": "d9330bc35048238597880e89fb173799de9db5e9",
+ "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19",
 "type": "github"
 },
 "original": {
@@ -621,11 +621,11 @@
 ]
 },
 "locked": {
- "lastModified": 1755171343,
- "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=",
+ "lastModified": 1755261305,
+ "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=",
 "owner": "nix-community",
 "repo": "nixos-wsl",
- "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e",
+ "rev": "203a7b463f307c60026136dd1191d9001c43457f",
 "type": "github"
 },
 "original": {
@@ -683,11 +683,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1755061300,
- "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=",
+ "lastModified": 1756578978,
+ "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5",
+ "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23",
 "type": "github"
 },
 "original": {
@@ -715,11 +715,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1755178357,
- "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=",
+ "lastModified": 1756653691,
+ "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4",
+ "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b",
 "type": "github"
 },
 "original": {
@@ -747,11 +747,11 @@
 },
 "nixpkgs_6": {
 "locked": {
- "lastModified": 1755027561,
- "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=",
+ "lastModified": 1756542300,
+ "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3",
+ "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
 "type": "github"
 },
 "original": {
@@ -763,11 +763,11 @@
 },
 "nixpkgs_7": {
 "locked": {
- "lastModified": 1755049066,
- "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=",
+ "lastModified": 1756536218,
+ "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a",
+ "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1",
 "type": "github"
 },
 "original": {
@@ -843,11 +843,11 @@
 "systems": "systems_4"
 },
 "locked": {
- "lastModified": 1755115677,
- "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=",
+ "lastModified": 1756646417,
+ "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=",
 "owner": "notashelf",
 "repo": "nvf",
- "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe",
+ "rev": "939fb8cfc630190cd5607526f81693525e3d593b",
 "type": "github"
 },
 "original": {
@@ -866,11 +866,11 @@
 ]
 },
 "locked": {
- "lastModified": 1754501628,
- "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=",
+ "lastModified": 1756632588,
+ "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=",
 "owner": "nix-community",
 "repo": "plasma-manager",
- "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133",
+ "rev": "d47428e5390d6a5a8f764808a4db15929347cd77",
 "type": "github"
 },
 "original": {
@@ -905,11 +905,11 @@
 "rust-analyzer-src": {
 "flake": false,
 "locked": {
- "lastModified": 1755004716,
- "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=",
+ "lastModified": 1756597274,
+ "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=",
 "owner": "rust-lang",
 "repo": "rust-analyzer",
- "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194",
+ "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30",
 "type": "github"
 },
 "original": {
@@ -978,11 +978,11 @@
 "tinted-zed": "tinted-zed"
 },
 "locked": {
- "lastModified": 1755027820,
- "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=",
+ "lastModified": 1755997543,
+ "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=",
 "owner": "nix-community",
 "repo": "stylix",
- "rev": "c592717e9f713bbae5f718c784013d541346363d",
+ "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8",
 "type": "github"
 },
 "original": {
From 5ddcaf35f638be39ecf9ecf96b3304d98e65036d Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 3 Sep 2025 10:32:38 +0200
Subject: [PATCH 002/174] fix zen
---
 flake.lock | 32 ++++++++++++++++++++----
 flake.nix | 6 +++--
 modules/home/application/zen/default.nix | 28 ++++++++++++++++++---
 3 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/flake.lock b/flake.lock
index d422094..51907f8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -465,6 +465,27 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "zen-browser", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1756842514, + "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "jovian": { "inputs": { "nix-github-actions": "nix-github-actions", @@ -1164,18 +1185,19 @@ }, "zen-browser": { "inputs": { + "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1727721329, - "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", - "owner": "MarceColl", + "lastModified": 1756876659, + "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=", + "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", + "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529", "type": "github" }, "original": { - "owner": "MarceColl", + "owner": "0xc000022070", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index d696f4b..0712e81 100644 --- a/flake.nix +++ b/flake.nix @@ -41,7 +41,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser.url = "github:MarceColl/zen-browser-flake"; + zen-browser.url = "github:0xc000022070/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -95,6 +95,7 @@ permittedInsecurePackages = [ "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" + "qtwebengine-5.15.19" ]; }; @@ -106,7 +107,8 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - plasma-manager.homeManagerModules.plasma-manager + zen-browser.homeModules.default + plasma-manager.homeModules.plasma-manager ]; }; } diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index ad4cb92..86fc3b6 100644 
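Review bot: The new `"qtwebengine-5.15.19"` entry in `permittedInsecurePackages` (flake.nix hunk `@@ -95,6 +95,7 @@`) re-enables a package that nixpkgs marks insecure for every consumer of `channels-config`, without recording which input pulls it in. As far as I know the 5.15 series is flagged because it no longer receives upstream security fixes, so the allowance deserves a comment naming the dependent and the exit condition, e.g. `# needed by <dependent — confirm with nix why-depends>; drop once it moves off qtwebengine 5`. The `zen-browser.url` change in hunk `@@ -41,7 +41,7 @@` moves the input to a different GitHub owner; the lock pins `rev` and `narHash` so the build stays reproducible, but the reason for switching source would be worth a one-line comment next to the input.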
--- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -10,8 +10,6 @@ in }; config = mkIf cfg.enable { - home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ]; - home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; @@ -20,20 +18,42 @@ in policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; + + AppAutoUpdate = false; DisableAppUpdate = true; + ManualAppUpdateOnly = true; + DisableFeedbackCommands = true; DisableFirefoxStudies = true; DisablePocket = true; DisableTelemetry = true; - # DontCheckDefaultBrowser = false; + + DontCheckDefaultBrowser = false; NoDefaultBookmarks = true; - # OfferToSaveLogins = false; + OfferToSaveLogins = false; EnableTrackingProtection = { Value = true; Locked = true; Cryptomining = true; Fingerprinting = true; }; + + HttpAllowlist = [ + "http://ulmo" + ]; + }; + + policies.ExtensionSettings = let + mkExtension = id: { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi"; + installation_mode = "force_installed"; + }; + in + { + ublock_origin = 4531307; + ghostry = 4562168; + bitwarden = 4562769; + sponsorblock = 4541835; }; }; }; From a29b75753016bbe5132d8d00192337c954261348 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 15:12:30 +0200 Subject: [PATCH 003/174] restructure media services --- modules/nixos/services/media/default.nix | 137 +++++++++++++++-------- 1 file changed, 88 insertions(+), 49 deletions(-) diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index f76e4ae..bc41fb4 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix 
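Review bot: The `policies.ExtensionSettings` keys (`ublock_origin`, `ghostry`, `bitwarden`, `sponsorblock`) are treated here as labels, but Firefox reads each key of `ExtensionSettings` as the add-on ID the entry applies to (for example `uBlock0@raymondhill.net`), and as far as I recall an install whose ID does not match the policy key is rejected; I would check the resulting policies.json on a fresh profile to confirm these `force_installed` entries actually stick. `install_url` pointing at `latest.xpi` also means the extensions track AMO rather than the otherwise pinned flake; if that is intended, a comment such as `# extensions follow AMO latest, not the flake lock` makes the exception explicit. `HttpAllowlist = [ "http://ulmo" ]` exempts that host from HTTPS-only mode, which is reasonable for a LAN host but should say so in a comment. The enclosing `config = mkIf cfg.enable { … }` starts before the hunk.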
@@ -66,38 +66,73 @@ in # Services #========================================================================= services = let - serviceConf = { + arrService = { + enable = true; + openFirewall = true; + + settings = { + auth.AuthenticationMethod = "External"; + + # postgres = { + # PostgresHost = "localhost"; + # PostgresPort = "5432"; + # PostgresUser = "media"; + # }; + }; + }; + + withPort = port: service: service // { settings.server.Port = builtins.toString port; }; + + withUserAndGroup = service: service // { + user = cfg.user; + group = cfg.group; + }; + in { + radarr = + arrService + |> withPort 2001 + |> withUserAndGroup; + + sonarr = + arrService + |> withPort 2002 + |> withUserAndGroup; + + lidarr = + arrService + |> withPort 2003 + |> withUserAndGroup; + + prowlarr = + arrService + |> withPort 2004; + + bazarr = { + enable = true; + openFirewall = true; + user = cfg.user; + group = cfg.group; + listenPort = 2005; + }; + + # port is harcoded in nixpkgs module + jellyfin = { enable = true; openFirewall = true; user = cfg.user; group = cfg.group; }; - in { - jellyfin = serviceConf; - radarr = serviceConf; - sonarr = serviceConf; - bazarr = serviceConf; - lidarr = serviceConf; flaresolverr = { enable = true; openFirewall = true; - }; - - jellyseerr = { - enable = true; - openFirewall = true; - }; - - prowlarr = { - enable = true; - openFirewall = true; + port = 2007; }; qbittorrent = { enable = true; openFirewall = true; - webuiPort = 5000; + webuiPort = 2008; serverConfig = { LegalNotice.Accepted = true; @@ -107,6 +142,7 @@ in group = cfg.group; }; + # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; 
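Review bot: `withPort` merges with `//`, a shallow attribute-set update, so `service // { settings.server.Port = … }` replaces the whole `settings` set inherited from `arrService` and silently drops `settings.auth.AuthenticationMethod = "External"` for radarr, sonarr, lidarr and prowlarr; `lib.recursiveUpdate service { settings.server.Port = builtins.toString port; }` keeps the nested set. Whether that drop is wanted is the second question: `"External"` turns off the built-in login of the *arr services on the assumption that a reverse proxy authenticates, yet each of them also sets `openFirewall = true` and nothing in this module puts an authenticating proxy in front of ports 2001–2004, so either keep the built-in auth or keep those ports closed and expose only the Caddy host. The `|>` operator used here needs the `pipe-operator` experimental feature, which `modules/nixos/nix/default.nix` only enables in commit 010 of this series, so evaluating this commit on its own presumably fails. The `services = let … in { … }` set continues past the end of the hunk.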
@@ -116,46 +152,49 @@ in group = cfg.group; }; + # postgresql = { + # enable = true; + # ensureDatabases = [ + # "radarr-main" "radarr-log" + # "sonarr-main" "sonarr-log" + # "lidarr-main" "lidarr-log" + # "prowlarr-main" "prowlarr-log" + # ]; + # identMap = '' + # media media radarr-main + # media media radarr-log + # media media sonarr-main + # media media sonarr-log + # media media lidarr-main + # media media lidarr-log + # media media prowlarr-main + # media media prowlarr-log + # ''; + # ensureUsers = [ + # { name = "radarr-main"; ensureDBOwnership = true; } + # { name = "radarr-log"; ensureDBOwnership = true; } + + # { name = "sonarr-main"; ensureDBOwnership = true; } + # { name = "sonarr-log"; ensureDBOwnership = true; } + + # { name = "lidarr-main"; ensureDBOwnership = true; } + # { name = "lidarr-log"; ensureDBOwnership = true; } + + # { name = "prowlarr-main"; ensureDBOwnership = true; } + # { name = "prowlarr-log"; ensureDBOwnership = true; } + # ]; + # }; + caddy = { enable = true; virtualHosts = { - "media.kruining.eu".extraConfig = '' - import auth - - reverse_proxy http://127.0.0.1:9494 - ''; "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://127.0.0.1:8096 + reverse_proxy http://[::1]:8096 ''; }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; - - ${namespace}.services.virtualisation.podman.enable = true; - - virtualisation = { - oci-containers = { - backend = "podman"; - - containers = { - # flaresolverr = { - # image = "flaresolverr/flaresolverr"; - # autoStart = true; - # ports = [ "127.0.0.1:8191:8191" ]; - # }; - - reiverr = { - image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; - autoStart = true; - ports = [ "127.0.0.1:9494:9494" ]; - volumes = [ "${cfg.path}/reiverr/config:/config" ]; - }; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 6969 ]; }; } From 77588062829c85f58e9cff7d383adc1fcd7b4b0b Mon Sep 17 00:00:00 2001 
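Review bot: Removing `networking.firewall.allowedTCPPorts = [ 80 443 6969 ]` at the end of the hunk also closes 80 and 443, which the Caddy `jellyfin.kruining.eu` virtual host in the same hunk serves; unless those ports are opened elsewhere in the configuration, the vhost becomes unreachable from other hosts after this change. If they are opened elsewhere, a comment at the `caddy` block saying where would save the next reader the search. The commented-out `postgresql` block (about 35 lines) is dead configuration; if it is a planned migration, a single `# TODO: postgres backend for the *arr services` line is enough and the draft can live on a branch. The enclosing `config = mkIf cfg.enable { … }` starts before the hunk.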
From: Chris Kruining Date: Wed, 3 Sep 2025 15:12:41 +0200 Subject: [PATCH 004/174] add homer dashboard --- .../nixos/services/media/homer/default.nix | 73 +++++++++++++++++++ systems/x86_64-linux/ulmo/default.nix | 1 + 2 files changed, 74 insertions(+) create mode 100644 modules/nixos/services/media/homer/default.nix diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix new file mode 100644 index 0000000..263af83 --- /dev/null +++ b/modules/nixos/services/media/homer/default.nix @@ -0,0 +1,73 @@ +{ config, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.homer; +in +{ + options.${namespace}.services.media.homer = { + enable = mkEnableOption "Enable homer"; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 2000 ]; + + services = { + homer = { + enable = true; + + virtualHost = { + caddy.enable = true; + domain = "http://:2000"; + }; + + settings = { + title = "Ulmo dashboard"; + + columns = 4; + connectivityCheck = true; + + links = [ + { + name = "Git"; + icon = "fab fa-forgejo"; + url = "https://git.amarth.cloud"; + + } + ]; + + services = [ + { + name = "Services"; + items = [ + { + name = "Zitadel"; + tag = "authentication"; + keywords = "auth"; + url = "https://auth.amarth.cloud"; + } + ]; + } + + { + name = "Media"; + items = [ + { + name = "Radarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + } + + { + name = "Sonarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + } + ]; + } + ]; + }; + }; + }; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 9876768..4108dc9 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
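Review bot: The Radarr and Sonarr items read `config.services.radarr.settings.server.port` (lowercase), while the media module changed in commit 003 sets `settings.server.Port`; Nix attribute names are case-sensitive, so only one of the two spellings is the option the nixpkgs module declares and the other is an unrelated attribute, which means either these URLs show the module default instead of 2001/2002 or the module assignment never reached the service. Both files should use the spelling of the declared `settings.server` option. `domain = "http://:2000"` together with `allowedTCPPorts = [ 2000 ]` serves the dashboard on every interface over plain HTTP, and Homer hands its generated config — every URL listed here — to any browser that loads it, so a comment stating that the dashboard is intentionally LAN-open would document the decision. The `services.homer.settings` set continues to the end of the file.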
@@ -15,6 +15,7 @@ networking.ssh.enable = true; media.enable = true; + media.homer.enable = true; media.nfs.enable = true; observability = { From 6379b5e2de250d8203750727ecb9fe7934bca62b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 16:45:20 +0200 Subject: [PATCH 005/174] improve zen config --- flake.nix | 4 +++- modules/home/application/zen/default.nix | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 0712e81..07479a7 100644 --- a/flake.nix +++ b/flake.nix @@ -93,8 +93,11 @@ channels-config = { allowUnfree = true; permittedInsecurePackages = [ + # Due to *arr stack "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" + + # I think this is because of zen "qtwebengine-5.15.19" ]; }; @@ -107,7 +110,6 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - zen-browser.homeModules.default plasma-manager.homeModules.plasma-manager ]; }; diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index 86fc3b6..4995216 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -5,6 +5,10 @@ let cfg = config.${namespace}.application.zen; in { + imports = [ + inputs.zen-browser.homeModules.default + ]; + options.${namespace}.application.zen = { enable = mkEnableOption "enable zen"; }; From 44e7a6fa0fd33ad37905a882149c9a39cdebf370 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 16:45:32 +0200 Subject: [PATCH 006/174] harden vaultwarden --- modules/nixos/services/security/vaultwarden/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 0bb05f7..db8e162 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix 
@@ -76,6 +76,12 @@ in "vault.kruining.eu".extraConfig = '' encode zstd gzip + handle_path /admin { + respond 401 { + close + } + } + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { header_up X-Real-IP {remote_host} } From 7c75cab11b86e33fd72f934bfffaa5bed864faa7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:24:27 +0200 Subject: [PATCH 007/174] improve podman config --- modules/nixos/services/virtualisation/podman/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix index 9b9dc89..0faf8ce 100644 --- a/modules/nixos/services/virtualisation/podman/default.nix +++ b/modules/nixos/services/virtualisation/podman/default.nix @@ -12,6 +12,7 @@ in config = mkIf cfg.enable { virtualisation = { containers.enable = true; + oci-containers.backend = "podman"; podman = { enable = true; From 6d7867b45c24ed8b41ae1061f318af673bb393e6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:24:43 +0200 Subject: [PATCH 008/174] update fogejo runner image --- modules/nixos/services/development/forgejo/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index bdabbd6..4b98b9c 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -136,10 +136,10 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://node:22-bullseye" + "default:docker://node:24-bookworm" ]; settings = { - + log.level = "info"; }; }; }; From a91afd3b0a90db865ced5116fab0ece99e1acd1f Mon Sep 17 00:00:00 2001 
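Review bot: Caddy's path matcher is exact unless it ends in `*`, so `handle_path /admin { … }` only answers the literal `/admin` request and lets `/admin/`, `/admin/users` and the rest of the admin panel through to the `reverse_proxy` below; `handle /admin* { respond 401 { close } }` covers the whole prefix, and plain `handle` is enough because no path is forwarded. Ordering is fine as is, since `handle` runs before `reverse_proxy` in Caddy's directive order. If `ADMIN_TOKEN` is left unset in `config.services.vaultwarden.config` the panel is already disabled server-side; a comment saying which of the two is the intended control would help the next reader. The `vault.kruining.eu` virtual host continues outside the hunk.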
From: Chris Kruining Date: Wed, 3 Sep 2025 17:44:01 +0200 Subject: [PATCH 009/174] expand homer --- .../nixos/services/media/homer/default.nix | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 263af83..c683e8b 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -52,6 +52,12 @@ in { name = "Media"; items = [ + { + name = "Jellyfin"; + tag = "app"; + url = "http://${config.networking.hostName}:8096"; + } + { name = "Radarr"; tag = "app"; @@ -63,6 +69,25 @@ in tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; } + + { + name = "Lidarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + } + + { + name = "qBitTorrent"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + } + + { + name = "SabNZB"; + tag = "app"; + url = "http://${config.networking.hostName}:8080"; + } + ]; } ]; From b8b8e015c5e601654fbd9075cf95ea429d8c5efd Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:44:19 +0200 Subject: [PATCH 010/174] add pipe-operator nix feature --- modules/nixos/nix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 7d1f069..14060bf 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix 
@@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes"; + extraOptions = "experimental-features = nix-command flakes pipe-operator"; settings = { - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operator" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; From fa81dbdcf6fdd19b634c25791de96125c67eb92c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:47:38 +0200 Subject: [PATCH 011/174] even more homer --- .../nixos/services/media/homer/default.nix | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index c683e8b..dd5e13b 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -42,10 +42,32 @@ in items = [ { name = "Zitadel"; - tag = "authentication"; - keywords = "auth"; + tag = "app"; url = "https://auth.amarth.cloud"; } + + { + name = "Forgejo"; + tag = "app"; + url = "https://git.amarth.cloud"; + } + + { + name = "Vaultwarden"; + tag = "app"; + url = "https://vault.kruining.eu"; + } + ]; + } + + { + name = "Observability"; + items = [ + { + name = "Grafana"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + } ]; } From 41a4fde9f21fd5b606f7a13628a60f462e7aeeec Mon Sep 17 00:00:00 2001 
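Review bot: `experimental-features` is now declared twice — as a raw string in `extraOptions` and as a list in `settings.experimental-features` — and both are rendered into nix.conf, so the key appears twice and any future change has to be made in two places. Keep only the structured form, `experimental-features = [ "nix-command" "flakes" "pipe-operator" ];`, and drop the `extraOptions` line unless there is a reason for the duplicate worth a comment. The `nix = { … }` set continues outside the hunk.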
From: Chris Kruining Date: Thu, 4 Sep 2025 10:08:59 +0200 Subject: [PATCH 012/174] first attempt to push an image --- .forgejo/workflows/runner-image.yml | 34 +++++++++++++++++++ .../development/forgejo/Dockerfile.default | 5 +++ .../services/development/forgejo/default.nix | 4 ++- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 .forgejo/workflows/runner-image.yml create mode 100644 modules/nixos/services/development/forgejo/Dockerfile.default diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml new file mode 100644 index 0000000..ed38be2 --- /dev/null +++ b/.forgejo/workflows/runner-image.yml @@ -0,0 +1,34 @@ +name: Test action + +on: + workflow_dispatch: + push: + branches: + - main + +env: + registry: git.amarth.cloud + owner: chris + image: default + tag: latest + +jobs: + hello: + name: Print hello world + runs-on: default + steps: + - name: Pull dependencies + run: >- + git clone https://${{ registry }}/${{ owner }}/sneeuwvlok.git + && cd sneeuwvlok + + - name: Log into registry + run: docker login ${{ registry }} + + - name: Build image + run: >- + docker build + -t ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + + - name: Push image + run: docker push ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default new file mode 100644 index 0000000..799cd67 --- /dev/null +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -0,0 +1,5 @@ +FROM nixos/nix:latest + +RUN nix-env -iA nixpkgs.nodejs_24 + +CMD ["/bin/bash"] \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 4b98b9c..d7f170e 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
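Review bot: The `Build image` step passes `./modules/nixos/services/development/forgejo/Dockerfile.default` as the positional argument of `docker build`, which is the build context directory, not the Dockerfile, so the build fails before it starts; and because `cd sneeuwvlok` in the previous step does not carry over, the path also lacks the clone's `sneeuwvlok/` prefix. Something like `docker build -f sneeuwvlok/modules/nixos/services/development/forgejo/Dockerfile.default -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} sneeuwvlok/modules/nixos/services/development/forgejo` addresses both. `docker login ${{ env.registry }}` has no credentials and will prompt on a non-interactive runner; pass a registry token from the repository's secrets, e.g. `run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.registry }} -u ${{ env.owner }} --password-stdin` (secret name is a placeholder) — the same line survives in the commit-014 and commit-015 hunks at the end of this series. In the accompanying Dockerfile, `FROM nixos/nix:latest` floats and would be better pinned by tag and digest (`nixos/nix:<tag>@sha256:<digest — fill in>`), and I am not sure `/bin/bash` exists in that image for the `CMD`; verify with a local run.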
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -91,6 +91,7 @@ in actions = { ENABLED = true; + # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; }; other = { @@ -136,7 +137,8 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://node:24-bookworm" + "default:docker://nixos/nix:latest" + "ubuntu:docker://ubuntu:24-bookworm" ]; settings = { log.level = "info"; From 9ed5cbded0902b9e7e4ca5d81ad7e82058b8d70e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:09:08 +0200 Subject: [PATCH 013/174] update homer --- .../nixos/services/media/homer/default.nix | 65 +++++++++++++++---- 1 file changed, 53 insertions(+), 12 deletions(-) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index dd5e13b..8fd0ac6 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -27,14 +27,7 @@ in columns = 4; connectivityCheck = true; - links = [ - { - name = "Git"; - icon = "fab fa-forgejo"; - url = "https://git.amarth.cloud"; - - } - ]; + links = []; services = [ { @@ -42,20 +35,28 @@ in items = [ { name = "Zitadel"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; tag = "app"; url = "https://auth.amarth.cloud"; + target = "_blank"; } { name = "Forgejo"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; tag = "app"; + type = "Gitea"; url = "https://git.amarth.cloud"; + target = "_blank"; } { name = "Vaultwarden"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; + type = "Vaultwarden"; tag = "app"; url = "https://vault.kruining.eu"; + target = "_blank"; } ]; } 
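Review bot: `"ubuntu:docker://ubuntu:24-bookworm"` names a tag that does not exist on the `ubuntu` image — `bookworm` is a Debian release codename and Ubuntu tags look like `24.04` or `noble` — so jobs using the `ubuntu` label fail at image pull; `"ubuntu:docker://ubuntu:24.04"` is presumably what was meant. Both labels pull floating tags (`latest`, and `24.04` if corrected); for a CI runner image, pinning by digest (`nixos/nix:<tag>@sha256:<digest — fill in>`) keeps the job environment reproducible. The context line just above the labels still carries the runner registration `token` in plain text with `tokenFile = config.age.secrets…` commented out; a value committed like this is in git history and in the world-readable Nix store, so it should be rotated and moved back behind `tokenFile`. The `runner` instance definition starts before the hunk.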
@@ -65,8 +66,20 @@ in items = [ { name = "Grafana"; + type = "Grafana"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + target = "_blank"; + } + + { + name = "Prometheus"; + type = "Prometheus"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; + target = "_blank"; } ]; } 
@@ -75,41 +88,69 @@ in name = "Media"; items = [ { - name = "Jellyfin"; + name = "Jellyfin (Movies)"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; tag = "app"; + type = "Emby"; url = "http://${config.networking.hostName}:8096"; + apikey = "e3ceed943eeb409ba8342738db7cc1f5"; + libraryType = "movies"; + target = "_blank"; } { name = "Radarr"; + type = "Radarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + target = "_blank"; } { name = "Sonarr"; + type = "Sonarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + target = "_blank"; } { name = "Lidarr"; + type = "Lidarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + target = "_blank"; } { - name = "qBitTorrent"; + name = "Prowlarr"; + type = "Prowlarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; + target = "_blank"; + } + + { + name = "qBittorrent"; + type = "qBittorrent"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + target = "_blank"; } { - name = "SabNZB"; + name = "SABnzbd"; + type = "SABnzbd"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; tag = "app"; url = "http://${config.networking.hostName}:8080"; + target = "_blank"; } - ]; } ]; From 0b23548559a3dfb84ec54187421e7a77029b8728 Mon Sep 17 00:00:00 2001 
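Review bot: The Jellyfin entry adds `apikey = "…"` to a NixOS module, which puts the key in git history, in the world-readable Nix store, and in Homer's generated `config.yml`, which the browser fetches — every dashboard visitor can read it. If the Emby/Jellyfin widget is wanted, keep the dashboard behind authentication and source the key from a secret outside the repo; either way the committed key should be rotated. The logo path `sabnzdb-light.svg` looks transposed relative to the service name `SABnzbd` (`sabnzbd-light.svg`), so that icon probably fails to load — worth checking against the selfhst icon set. The `items` list starts outside the hunk.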
From: Chris Kruining Date: Thu, 4 Sep 2025 10:11:59 +0200 Subject: [PATCH 014/174] whoopsie --- .forgejo/workflows/runner-image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index ed38be2..e41a197 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -19,16 +19,16 @@ jobs: steps: - name: Pull dependencies run: >- - git clone https://${{ registry }}/${{ owner }}/sneeuwvlok.git + git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git && cd sneeuwvlok - name: Log into registry - run: docker login ${{ registry }} + run: docker login ${{ env.registry }} - name: Build image run: >- docker build - -t ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image - run: docker push ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} \ No newline at end of file + run: docker push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 2b887f188c1a3fdecd429c79016c06fea64e0dcf Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:14:06 +0200 Subject: [PATCH 015/174] aaaaaiiii --- .forgejo/workflows/runner-image.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e41a197..879ec36 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -22,6 +22,12 @@ jobs: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git && cd sneeuwvlok + - name: Install docker + run: nix-env -iA nixos.podman + + - name: __DEBUG__ + run: which podman + - name: Log into registry run: docker login ${{ env.registry }} 
From 95f6b2b8d3d7c19ebbe8b264f5ea2e69ebfce743 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:14:44 +0200 Subject: [PATCH 016/174] nixpkgs instead???? --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 879ec36..a0a26ac 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: && cd sneeuwvlok - name: Install docker - run: nix-env -iA nixos.podman + run: nix-env -iA nixpkgs.podman - name: __DEBUG__ run: which podman From 863956c38b33a38c1fb9940cb4e58ae1b7576f8e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:17:08 +0200 Subject: [PATCH 017/174] oooooh, closer --- .forgejo/workflows/runner-image.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a0a26ac..33889dd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -28,13 +28,16 @@ jobs: - name: __DEBUG__ run: which podman + - name: __DEBUG__ + run: podman --version + - name: Log into registry - run: docker login ${{ env.registry }} + run: podman login ${{ env.registry }} - name: Build image run: >- - docker build + podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image - run: docker push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From e048ada01ff0dcd0bdd3a4041b819098089c1fbc Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 10:38:46 +0200 Subject: [PATCH 018/174] whoops --- modules/nixos/nix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 14060bf..3104ecd 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes pipe-operator"; + extraOptions = "experimental-features = nix-command flakes pipe-operators"; settings = { - experimental-features = [ "nix-command" "flakes" "pipe-operator" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; From 0d6fb5aab6b0ea7021ad9468ae06fa2d5746dc46 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:39:31 +0200 Subject: [PATCH 019/174] update default runner dockerfile --- modules/nixos/services/development/forgejo/Dockerfile.default | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index 799cd67..b252554 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,5 +1,6 @@ FROM nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 +RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf CMD ["/bin/bash"] \ No newline at end of file From fa0a4917a212227c95d63f38e29ec2be391150b5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:04:13 +0200 Subject: [PATCH 020/174] cool shizzle --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 33889dd..2603866 100644 
--- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -7,7 +7,7 @@ on: - main env: - registry: git.amarth.cloud + registry: ${{ forge.server_url }} owner: chris image: default tag: latest @@ -32,7 +32,7 @@ jobs: run: podman --version - name: Log into registry - run: podman login ${{ env.registry }} + run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- From 4762d4189e471f496cdeffbbb08533b7cd66d27b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:06:57 +0200 Subject: [PATCH 021/174] right. obviously... --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 2603866..3cc9a79 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -7,7 +7,7 @@ on: - main env: - registry: ${{ forge.server_url }} + registry: git.amarth.cloud owner: chris image: default tag: latest From da1a4d42eddc50d5c7b2a2599e8e251dde913cf9 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:07:58 +0200 Subject: [PATCH 022/174] woooot, more success!!! --- .forgejo/workflows/runner-image.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 3cc9a79..7a7e41d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -26,10 +26,7 @@ jobs: run: nix-env -iA nixpkgs.podman - name: __DEBUG__ - run: which podman - - - name: __DEBUG__ - run: podman --version + run: ls -al - name: Log into registry run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} From fdf1bc34e834fc9ee2808a51b8b0076537f44ab5 Mon Sep 17 00:00:00 2001 
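Review bot: The registry login passes the token as a command-line argument, `--password "${{ forge.token }}"`, so it is visible in the process list of every process on the runner for the duration of the call and is more likely to end up in shell traces or step logs. `podman login` accepts `--password-stdin`; expose the token through the step's `env:` (for example `REGISTRY_TOKEN: ${{ forge.token }}`) and run `printf '%s' "$REGISTRY_TOKEN" | podman login --username "${{ forge.actor }}" --password-stdin ${{ env.registry }}`. The same line is carried forward unchanged by the later hunks in this series (patches 022 through 040).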
From: Chris Kruining Date: Thu, 4 Sep 2025 11:11:06 +0200 Subject: [PATCH 023/174] . --- .forgejo/workflows/runner-image.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 7a7e41d..89427fd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -18,9 +18,10 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: >- + run: | git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - && cd sneeuwvlok + cd sneeuwvlok + ls -al - name: Install docker run: nix-env -iA nixpkgs.podman From 4a26a4ad11dd3f2fc367743eaa41739237a7b846 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:13:15 +0200 Subject: [PATCH 024/174] . --- .forgejo/workflows/runner-image.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 89427fd..a70dd09 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -18,24 +18,18 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: | - git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - cd sneeuwvlok - ls -al + run: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - name: Install docker run: nix-env -iA nixpkgs.podman - - name: __DEBUG__ - run: ls -al - - name: Log into registry run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} sneeuwvlok/modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 8b07f55593f09c526bbbd58b0ff9756b2d491228 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:14:41 +0200 Subject: [PATCH 025/174] . --- .forgejo/workflows/runner-image.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a70dd09..526550f 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -18,7 +18,10 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git + run: | + ls -al + git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + ls -al - name: Install docker run: nix-env -iA nixpkgs.podman 
@@ -29,7 +32,7 @@ jobs: - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} sneeuwvlok/modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From b3a9ea605761f5cd53fea1afd3468d92c1ec8e2f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:19:43 +0200 Subject: [PATCH 026/174] . --- .forgejo/workflows/runner-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 526550f..b09ac1d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -21,6 +21,7 @@ jobs: run: | ls -al git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + echo "$PWD" ls -al - name: Install docker From f9328cd72eeaf57fc229693c6d535c3eee04919f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:22:59 +0200 Subject: [PATCH 027/174] I am an idiot, as proven once more... --- .forgejo/workflows/runner-image.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index b09ac1d..c07ca95 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -19,21 +19,23 @@ jobs: steps: - name: Pull dependencies run: | - ls -al git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . - echo "$PWD" - ls -al - name: Install docker - run: nix-env -iA nixpkgs.podman + run: | + nix-env -iA nixpkgs.podman - name: Log into registry - run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} + run: | + podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} + -f Dockerfile.default + modules/nixos/services/development/forgejo - name: Push image - run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + run: | + podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 4d4f4e67e032139115d43ef07f6e71be2572242e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:23:50 +0200 Subject: [PATCH 028/174] add registry? --- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index b252554..ce4bbac 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,4 +1,4 @@ -FROM nixos/nix:latest +FROM docker.io/nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf From a42446985c2eafa3b8ef92f5a1344d20652535e4 Mon Sep 17 00:00:00 2001 
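Review bot: `FROM docker.io/nixos/nix:latest` fixes the registry but still pulls a mutable tag, so two builds of this runner image can differ and a tag move upstream changes what every CI job runs without any diff here. Pin the base, e.g. `FROM docker.io/nixos/nix:<version>@sha256:<digest>` (placeholder; take the digest from the registry when pinning), and bump it deliberately. The `nixos/nix:latest` runner label in the forgejo module has the same property.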
From: Chris Kruining Date: Thu, 4 Sep 2025 12:02:40 +0200 Subject: [PATCH 029/174] another attempt --- .forgejo/workflows/runner-image.yml | 3 +++ modules/nixos/services/development/forgejo/Dockerfile.default | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index c07ca95..285c5ac 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,6 +24,7 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman + echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json - name: Log into registry run: | @@ -35,6 +36,8 @@ jobs: -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo + env: + DOCKER_BUILDKIT: 1 - name: Push image run: | diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index ce4bbac..d26212c 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,6 +1,8 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman + RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf +RUN echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json CMD ["/bin/bash"] \ No newline at end of file From 68f662038399e6c74d38029411ef4dfc3990cfd7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:03:26 +0200 Subject: [PATCH 030/174] right --- .forgejo/workflows/runner-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 285c5ac..f0b89ee 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
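Review bot: The added `policy.json` with `insecureAcceptAnything` as the only `default` rule turns off signature verification for every image podman pulls on this runner, not just for the in-house registry the commit is trying to reach. If that is the intended trade-off for a throwaway build container, say so in a comment above the `echo` (`# disables image signature policy for this CI container only`); otherwise scope it with a `transports` entry for the trusted registry and keep `default` at `{"type":"reject"}`. The key is also misspelled `defult` here; it is corrected in patch 032.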
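Review bot: The `DOCKER_BUILDKIT: 1` environment added to the build step targets the Docker CLI; `podman build` (buildah under the hood) does not read it as far as I can tell, so the line has no effect and suggests a feature that is not in play. Drop it, or add a comment stating why it is set.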
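Review bot: `RUN echo '…' >> /etc/containers/policy.json` appends to a file in a directory this base image does not appear to ship (the workflow needed `mkdir -p /etc/containers` for the same path two commits later), so this build step will most likely fail; and if the file ever does exist, `>>` turns it into two concatenated JSON documents. Use `RUN mkdir -p /etc/containers && echo '…' > /etc/containers/policy.json`. This line also bakes `insecureAcceptAnything` into the runner image itself, which every job on that runner then inherits — worth a comment if that is intended.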
@@ -24,6 +24,7 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman + mkdir -p /etc/containers echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json - name: Log into registry From 9ea18b18d554d102c95480fbc334a35697e3985c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:04:28 +0200 Subject: [PATCH 031/174] . --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f0b89ee..361f842 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,8 +24,8 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman - mkdir -p /etc/containers - echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json + mkdir -p ~/.config/containers + echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - name: Log into registry run: | From efd98d4b44e44316c64773dd65ea15070ae85a34 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:05:12 +0200 Subject: [PATCH 032/174] gotta love the typos... --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 361f842..f37b598 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -25,7 +25,7 @@ jobs: run: | nix-env -iA nixpkgs.podman mkdir -p ~/.config/containers - echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - name: Log into registry run: | 
diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d26212c..d9ff5f8 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -3,6 +3,6 @@ FROM docker.io/nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf -RUN echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json +RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json CMD ["/bin/bash"] \ No newline at end of file From 55d5ea483940d8e81c8dda9185e3cd6915a50597 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:08:38 +0200 Subject: [PATCH 033/174] is it a missing dep???? --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f37b598..5ce46d8 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: - name: Install docker run: | - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.libfuse mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d9ff5f8..15a65a4 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default 
@@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.libfuse RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From 833f4ce5e692d60be619b3d745ab8983b8d9da9c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:09:44 +0200 Subject: [PATCH 034/174] just fuse, got it --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 5ce46d8..8893fd5 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: - name: Install docker run: | - nix-env -iA nixpkgs.podman nixpkgs.libfuse + nix-env -iA nixpkgs.podman nixpkgs.fuse mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index 15a65a4..d632617 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.libfuse +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.fuse RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From 25ae5ea1accd0f79c19e561bac3ac981c006f694 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 13:09:31 +0200 Subject: [PATCH 035/174] next round --- .forgejo/workflows/runner-image.yml | 18 ++++++++++++++++-- .../development/forgejo/Dockerfile.default | 2 +- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 8893fd5..1490afa 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -21,11 +21,24 @@ jobs: run: | git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . - - name: Install docker + - name: Prepare podman run: | - nix-env -iA nixpkgs.podman nixpkgs.fuse + # configure container policy to accept insecure registry + nix-env -iA nixpkgs.podman + + # configure container policy to accept insecure registry mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + + # ensure all required directories exist with proper permissions + mkdir -p /tmp/podman /var/tmp ~/.local/share/containers + chmod 755 /tmp/podman /var/tmp || true + + # set multiple environment variables for skopeo temporary directories + export TMPDIR=/tmp/podman + export TMP=/tmp/podman + export TEMP=/tmp/podman + export XDG_RUNTIME_DIR=/tmp/podman - name: Log into registry run: | @@ -34,6 +47,7 @@ jobs: - name: Build image run: >- podman build + --privileged -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d632617..d9ff5f8 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default 
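Review bot: The `export TMPDIR=…`/`TMP`/`TEMP`/`XDG_RUNTIME_DIR` lines at the end of the `Prepare podman` step only affect that step's shell; each `run:` starts a fresh process, so the `Build image` step never sees them. If the runner honours `$GITHUB_ENV` (Forgejo's runner aims for GitHub Actions compatibility), write them there instead, e.g. `echo "TMPDIR=/tmp/podman" >> "$GITHUB_ENV"`, or set them in the build step's `env:` block. The first comment, `# configure container policy to accept insecure registry`, is duplicated above `nix-env -iA nixpkgs.podman` where it does not apply — `# install podman into the job container` fits that line.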
@@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.fuse +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From b2cb74657ef0f1addb520f6bda09997b138a92b6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:11:35 +0200 Subject: [PATCH 036/174] ahhh shit, here we go again --- .forgejo/workflows/runner-image.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1490afa..e24ef25 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -46,8 +46,7 @@ jobs: - name: Build image run: >- - podman build - --privileged + sudo podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo From c7f3ed7cd667ea96ca7b78e5d99a8378d7e75ca0 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:21:05 +0200 Subject: [PATCH 037/174] . --- .forgejo/workflows/runner-image.yml | 4 +- .../nixos/services/development/forgejo/temp | 80 +++++++++++++++++++ 2 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 modules/nixos/services/development/forgejo/temp diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e24ef25..4b94a2f 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -40,13 +40,15 @@ jobs: export TEMP=/tmp/podman export XDG_RUNTIME_DIR=/tmp/podman + modprobe fuse + - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- - sudo podman build + podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo diff --git a/modules/nixos/services/development/forgejo/temp b/modules/nixos/services/development/forgejo/temp new file mode 100644 index 0000000..33a7313 --- /dev/null +++ b/modules/nixos/services/development/forgejo/temp 
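Review bot: `modprobe fuse` at the end of the preparation step needs `CAP_SYS_MODULE` and the host's module tree, which a job container normally does not have, so it most likely fails or is a no-op rather than fixing the `fuse: device not found` error checked in alongside this change. Loading the `fuse` module belongs on the runner host, and the job container then needs `/dev/fuse` passed through (or the storage driver pointed at a non-FUSE overlay); neither is expressible from inside the workflow. `modprobe` is also not installed by the `nix-env` line at this point, which the next two commits then try to address.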
@@ -0,0 +1,80 @@ +Error: mounting new container: + mounting build container "a1c1da9d2422b5d6571a79559039f60ba8771e4a05b9b2f8cae814a8f64bb8e3": + creating overlay mount to /var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/merged, + mount_data=" + lowerdir=/var/lib/containers/storage/overlay/l/XSOABRIRTTFZPQI37OU77T3XP6 + :/var/lib/containers/storage/overlay/l/F3M2D6K25OPTUC4ID73P2NIJ3A + :/var/lib/containers/storage/overlay/l/Q53OUMURARX52AYNVQGFGNVUMQ + :/var/lib/containers/storage/overlay/l/NHNXRY3S7TPPYSGNG6BFA7756K + :/var/lib/containers/storage/overlay/l/XWANZP5SNP5QFXQ7RPR2SN3GND + :/var/lib/containers/storage/overlay/l/QUS3NWAGIVW5KOT7EBHCH2THSP + :/var/lib/containers/storage/overlay/l/P24JFYKBFJWRZF4QCI65JNYDSH + :/var/lib/containers/storage/overlay/l/5U53LA6AULMQOF5JAVLNDQMETC + :/var/lib/containers/storage/overlay/l/SWCKHLKQYKOUWBHWGJ5VPBJ7RH + :/var/lib/containers/storage/overlay/l/KLPPEZB6CRL3I6R6LBCJWMKWPC + :/var/lib/containers/storage/overlay/l/RAI54LOZXCFNWNF54D5YLSZJZO + :/var/lib/containers/storage/overlay/l/NLXXIPBMH7EAMNSOZBGBYXWGV5 + :/var/lib/containers/storage/overlay/l/HP5E2J4HRMO6XYJANMEB4KT7F5 + :/var/lib/containers/storage/overlay/l/JZ3QIR7Y7HTWYCCZRNFZCMQSHH + :/var/lib/containers/storage/overlay/l/IYGILU3HMTXZLIKNELEPBOZXWS + :/var/lib/containers/storage/overlay/l/K52NCFVUIEMQALGI4CTKSORFQ6 + :/var/lib/containers/storage/overlay/l/DM5R63KXPSUHMGXMXGHV2Z7L6O + :/var/lib/containers/storage/overlay/l/3BJ5A4CHITM36J3WL7DUJN7HI5 + :/var/lib/containers/storage/overlay/l/3KY56KPCGUTAOCABRQOPB5E7KI + :/var/lib/containers/storage/overlay/l/4ISDZ7Y23WWZAZ6TISWAVXAKTA + :/var/lib/containers/storage/overlay/l/7WFY6347EYETD2DSHOWWGORMY7 + :/var/lib/containers/storage/overlay/l/RBDQUQQAQ4M3DNDP7JQDSTFPDC + :/var/lib/containers/storage/overlay/l/CZPS35AEHSSOCX2SETGG5RWAWK + :/var/lib/containers/storage/overlay/l/VTV4IYIPIMV7HUVW3YUCEZGVIF + 
:/var/lib/containers/storage/overlay/l/LOGNN4O7UYRJDINC3EU6MCK2JQ + :/var/lib/containers/storage/overlay/l/XCTPWOKP4A3NITB5YJEGDOYP53 + :/var/lib/containers/storage/overlay/l/57WPQF43V53AQIH5AJAFS2ZJLN + :/var/lib/containers/storage/overlay/l/BURD55A3XF6AHWWN5NFYVKHLFR + :/var/lib/containers/storage/overlay/l/SJBWDEB4R6KHHUWYVWHVFXZUML + :/var/lib/containers/storage/overlay/l/EFH5DWZ6VD7XHRBJI3MSGCSL5C + :/var/lib/containers/storage/overlay/l/LNJD656RHN73JQIOG5QP72XH6D + :/var/lib/containers/storage/overlay/l/BYKGR5QA32CNM3PNW7OJZGL7PI + :/var/lib/containers/storage/overlay/l/KEBZ34OPOPZSF56MMUIYJC62VQ + :/var/lib/containers/storage/overlay/l/AXUJ2DTXCFUNLLHVBNZT7HOOHV + :/var/lib/containers/storage/overlay/l/W2GQPDXQWNE4PJ2FK242CNBP3G + :/var/lib/containers/storage/overlay/l/HSHTMFX2BNZ6MN3YKZNP5GACK3 + :/var/lib/containers/storage/overlay/l/5EV6E33HXQTMDYA55D2KVDQN6O + :/var/lib/containers/storage/overlay/l/5YXUGLZ3U5V2GABHAGMOQQLZYD + :/var/lib/containers/storage/overlay/l/WNM6BFUABXRYMF3QXGOWIMSFGS + :/var/lib/containers/storage/overlay/l/EM6L4BR3WMU427KN3WHNXLPXLK + :/var/lib/containers/storage/overlay/l/WKG62FRJYJHG4PIYLUWPOIGIFR + :/var/lib/containers/storage/overlay/l/EIT5DRSEKJFGSXHNDISGIBHEET + :/var/lib/containers/storage/overlay/l/PW2HEYGQKHNXSSQFCTQ3RTW3RU + :/var/lib/containers/storage/overlay/l/LYCJF4GBFFSP5MCC6TGBDGWXLY + :/var/lib/containers/storage/overlay/l/3YXKKFLTDRPWC6Y3VW3A5HCHPC + :/var/lib/containers/storage/overlay/l/RJTCZEVFZ4GZ4WT36ZHWVQPHBE + :/var/lib/containers/storage/overlay/l/AT3GLGCW22SPL4FDEMUHM7SEC3 + :/var/lib/containers/storage/overlay/l/VPT2VRWXG6F5UOROWNVZJUYIXS + :/var/lib/containers/storage/overlay/l/IHIXWAURUCUAYZEWBQU6N37UL5 + :/var/lib/containers/storage/overlay/l/IGMNOUI3RRH3KFAOSHZUJJAYA6 + :/var/lib/containers/storage/overlay/l/KQTWTENKAQ7WIMPQO5HY4SQKSL + :/var/lib/containers/storage/overlay/l/7GQIS3UWTUQESKJI6NQ5A63FMB + :/var/lib/containers/storage/overlay/l/MXGQVTYACLV4M7PRZRGGXNOLCY + 
:/var/lib/containers/storage/overlay/l/6T6MXUMJ74EIDYDFZJU6642WDR + :/var/lib/containers/storage/overlay/l/QG53GGUJAUZLLCRGHLDVNBIG5M + :/var/lib/containers/storage/overlay/l/CWKPW6SM2HIEROK4XOFGURSEYZ + :/var/lib/containers/storage/overlay/l/EFAHS5T2ZS5ZVCY4WGZ4WW45WC + :/var/lib/containers/storage/overlay/l/CRT42BUU43KSCBUDTOB55WVML2 + :/var/lib/containers/storage/overlay/l/KA53IG4NUWMJM5GBFUKDSUP7WM + :/var/lib/containers/storage/overlay/l/DELTO3DZAGCCUKFOKYU5POUVO5 + :/var/lib/containers/storage/overlay/l/KM7KLUMSMCIUGMOUZHCCJVNY3S + :/var/lib/containers/storage/overlay/l/IAXMV7ZFALQU4XFQFLLXXUKBX7 + :/var/lib/containers/storage/overlay/l/6VVTPVXHDYPHOT42CWJXOL6SMB + :/var/lib/containers/storage/overlay/l/OHO5IA7AJ2EOGAFUPT3MPJMZSY + :/var/lib/containers/storage/overlay/l/Q3ZXKGFN6Q2APXQKRXMNE6YR4M + :/var/lib/containers/storage/overlay/l/FSGYM4J5NR6AY3LUWZ2WTBQG3N + :/var/lib/containers/storage/overlay/l/M44HLHAQGLWFYVTS4J55CDEDLY + :/var/lib/containers/storage/overlay/l/36CIGRUHNNFDCBWSEN3KXUQAZR + :/var/lib/containers/storage/overlay/l/5QE5JTSJB23BDSXCGYPXTTJUSS + :/var/lib/containers/storage/overlay/l/DREIPLSBGAK4XBL57M3NJAT5XA, + upperdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/diff, + workdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/work, + volatile": using mount program /nix/store/mr0jx11v1z2sfjlndisw7v3jrk57x7l3-fuse-overlayfs-1.14/bin/fuse-overlayfs: unknown argument ignored: lazytime + +fuse: device not found, try 'modprobe fuse' first +fuse-overlayfs: cannot mount: No such file or directory \ No newline at end of file From 7d7c3aa53ada12f5155337aa0339b2a3ccc60c3b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:22:43 +0200 Subject: [PATCH 038/174] . --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
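Review bot: `modules/nixos/services/development/forgejo/temp` is a pasted podman error log (overlay layer ids, a build container id, a Nix store path), not configuration, and it looks committed by accident alongside the workflow change. Remove it from the tree; the useful part is the last two lines, `fuse: device not found, try 'modprobe fuse' first`, which belongs in the commit message or an issue rather than in the module directory.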
diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 4b94a2f..8979d94 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.u-root-cmds # configure container policy to accept insecure registry mkdir -p ~/.config/containers From 33f9a7fbd8c741a331ddb122039e9d61c88c5482 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:24:37 +0200 Subject: [PATCH 039/174] fix package conflict? --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 8979d94..61200dd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.u-root-cmds + nix-env -iA nixpkgs.podman nixpkgs.kmod # configure container policy to accept insecure registry mkdir -p ~/.config/containers From b8e43fedba72b129d8d94b535a13abea7f63f0cc Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:47:02 +0200 Subject: [PATCH 040/174] lets try another avenue... --- .forgejo/workflows/runner-image.yml | 32 +++++++------------ .../development/forgejo/Dockerfile.default | 8 ----- .../development/forgejo/runners/default.nix | 11 +++++++ 3 files changed, 23 insertions(+), 28 deletions(-) delete mode 100644 modules/nixos/services/development/forgejo/Dockerfile.default create mode 100644 modules/nixos/services/development/forgejo/runners/default.nix diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 61200dd..47737cc 100644 --- a/.forgejo/workflows/runner-image.yml 
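Review bot: The comment directly above the changed `nix-env -iA nixpkgs.podman nixpkgs.u-root-cmds` line reads `# configure container policy to accept insecure registry`, which duplicates the comment on the `mkdir -p ~/.config/containers` line below and does not describe the install step. Replace it with `# install the tools this job needs on the runner`, and keep the policy comment only on the policy lines. The same misplaced comment survives in the next hunk (`nixpkgs.kmod`) and in the later hunks that touch this step.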
+++ b/.forgejo/workflows/runner-image.yml @@ -24,36 +24,28 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.kmod + nix-env -iA nixpkgs.podman # configure container policy to accept insecure registry mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - # ensure all required directories exist with proper permissions - mkdir -p /tmp/podman /var/tmp ~/.local/share/containers - chmod 755 /tmp/podman /var/tmp || true - - # set multiple environment variables for skopeo temporary directories - export TMPDIR=/tmp/podman - export TMP=/tmp/podman - export TEMP=/tmp/podman - export XDG_RUNTIME_DIR=/tmp/podman - - modprobe fuse - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image - run: >- - podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} - -f Dockerfile.default - modules/nixos/services/development/forgejo - env: - DOCKER_BUILDKIT: 1 + run: nix-build modules/nixos/services/development/forgejo/runners/default.nix + # run: >- + # podman build + # -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} + # -f Dockerfile.default + # modules/nixos/services/development/forgejo + + - name: __DEBUG__ + run: | + ls -al result + podman load < result - name: Push image run: | diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default deleted file mode 100644 index d9ff5f8..0000000 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ /dev/null 
@@ -1,8 +0,0 @@ -FROM docker.io/nixos/nix:latest - -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman - -RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf -RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json - -CMD ["/bin/bash"] \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix new file mode 100644 index 0000000..af44418 --- /dev/null +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -0,0 +1,11 @@ +{ + pkgs ? import {}, + pkgs_linux ? import { system = "x86_64-linux"; }, +}: + +pkgs.dockerTools.buildImage { + name = "default"; + config = { + Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; + }; +} \ No newline at end of file From d917f93a9f1242b0beb308e3de6724b13b74bae5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:55:13 +0200 Subject: [PATCH 041/174] finally some more success????? --- .forgejo/workflows/runner-image.yml | 4 ++-- .../nixos/services/development/forgejo/runners/default.nix | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 47737cc..2a4311a 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -45,8 +45,8 @@ jobs: - name: __DEBUG__ run: | ls -al result - podman load < result - name: Push image run: | - podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + podman load < result + podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index af44418..8b9355e 100644 
--- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -5,6 +5,8 @@ pkgs.dockerTools.buildImage { name = "default"; + tag = "latest"; + config = { Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; }; From 9c048aca0577b00324270433a1f5a777e0d27d48 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:56:16 +0200 Subject: [PATCH 042/174] hmmmm --- .forgejo/workflows/runner-image.yml | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 2a4311a..507e2a1 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,23 +30,11 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - name: Log into registry - run: | - podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - - name: Build image run: nix-build modules/nixos/services/development/forgejo/runners/default.nix - # run: >- - # podman build - # -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} - # -f Dockerfile.default - # modules/nixos/services/development/forgejo - - - name: __DEBUG__ - run: | - ls -al result - name: Push image run: | + podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} podman load < result podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From e4843997ea7fe2aa07bcb8b70609eeb8e3ad4ff7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:58:51 +0200 Subject: [PATCH 043/174] add credentials, but then why do I need to log in???? --- .forgejo/workflows/runner-image.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) 
diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 507e2a1..a72601d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,11 +30,18 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - name: Build image - run: nix-build modules/nixos/services/development/forgejo/runners/default.nix - - - name: Push image + - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} + + - name: Create image + run: | + nix-build modules/nixos/services/development/forgejo/runners/default.nix podman load < result - podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + + - name: Push image + run: >- + podman push + --creds="${{ forge.actor }}:${{ forge.token }}" + localhost/default:latest + ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 716342d556fb524b0998aa11aeebf9cc86ae8725 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:02:34 +0200 Subject: [PATCH 044/174] . --- .forgejo/workflows/runner-image.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a72601d..1694cd8 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -39,6 +39,11 @@ jobs: nix-build modules/nixos/services/development/forgejo/runners/default.nix podman load < result + - name: __DEBUG__ + run: | + cat ${XDG_RUNTIME_DIR}/containers/auth.json + cat ~/.docker/config.json + - name: Push image run: >- podman push From b158df262e8e53f99585e210ef43c2a9b1315260 Mon Sep 17 00:00:00 2001 
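Review bot: Both the `podman login --username … --password "${{ forge.token }}"` line in the new Log into registry step and the `--creds="${{ forge.actor }}:${{ forge.token }}"` argument added to `podman push` put the registry token into a command-line argument, where it is readable from the process list on the runner and shows up in the job log if the shell is traced. `podman login` accepts the secret on stdin, so the login line can be `echo "${{ forge.token }}" | podman login --username "${{ forge.actor }}" --password-stdin ${{ env.registry }}`; once login has written the auth file, the `--creds` on `podman push` is redundant and can be dropped, which also answers the question in the commit subject.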
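Review bot: The new `__DEBUG__` step `cat`s `${XDG_RUNTIME_DIR}/containers/auth.json` and `~/.docker/config.json`, which after the login step contain the base64-encoded registry credential, so the token is written into the job log for anyone who can read the run. If the point is to find out which auth file podman consults, print only existence and permissions, `ls -l ${XDG_RUNTIME_DIR}/containers/auth.json ~/.docker/config.json || true`, and remove the step before the workflow is merged.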
From: Chris Kruining Date: Thu, 4 Sep 2025 14:07:06 +0200 Subject: [PATCH 045/174] ugh --- .forgejo/workflows/runner-image.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1694cd8..3aaa967 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,6 +30,18 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + # Create authentication file for podman + mkdir -p ~/.docker + cat > ~/.docker/config.json <- From 09a5df6253e3dd5556800388e34f64b9ae234ba3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:53:50 +0200 Subject: [PATCH 046/174] fix? --- .forgejo/workflows/runner-image.yml | 1 + .../development/forgejo/runners/default.nix | 28 +++++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 3aaa967..724b8f1 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -59,6 +59,7 @@ jobs: - name: Push image run: >- podman push + --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json& --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 8b9355e..1308408 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
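Review bot: The added `--auth-file=${XDG_RUNTIME_DIR}/containers/auth.json&` in the Push image step has a stray `&`; the step is a `>-` folded scalar, so it becomes a single shell line and the `&` backgrounds `podman push --auth-file=…` and runs the remaining arguments as a second command. The option is also spelled `--authfile` in podman, so the line should read `--authfile=${XDG_RUNTIME_DIR}/containers/auth.json`. The enclosing step starts before the hunk.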
@@ -3,11 +3,35 @@ pkgs_linux ? import { system = "x86_64-linux"; }, }: -pkgs.dockerTools.buildImage { +with pkgs; +dockerTools.buildImage { name = "default"; tag = "latest"; + contents = [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + + runAsRoot = '' + #!${stdenv.shell} + ${dockerTools.shadowSetup} + groupadd -r runner + useradd -r -g runner -d /data -M runner + mkdir /data + chown runner:runner /data + ''; + config = { - Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; + # User = "root"; + Cmd = [ "${lib.getExe bashInteractive}" ]; + WorkingDir = "/data"; + Volumes = { + "/data" = {}; + }; }; } \ No newline at end of file From 101bf129093e46ff49651c5fa96b7f716c16ebd4 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:55:37 +0200 Subject: [PATCH 047/174] fix warning --- .../development/forgejo/runners/default.nix | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 1308408..4dcdbc6 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -8,14 +8,18 @@ dockerTools.buildImage { name = "default"; tag = "latest"; - contents = [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; + copyToRoot = buildEnv { + name = "image-root"; + pathsToLink = [ "/bin" ]; + paths = [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + }; runAsRoot = '' #!${stdenv.shell} From 40cd9d3745c9f1c101ec21543d4a22735cacfba1 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:56:44 +0200 Subject: [PATCH 048/174] is it podman that needs the kvm? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
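Review bot: `runAsRoot` creates the `runner` account and `/data`, but `User` is left commented out (`# User = "root";`), so the image still starts as root and the new account is never used; if an unprivileged runner is the intent, set `User = "runner";` in `config`. Be aware that `runAsRoot` in `dockerTools.buildImage` executes inside a build VM and therefore only works on hosts with KVM; the same directory and ownership setup can be done without a VM via `extraCommands`, which is worth a comment on the attribute either way. The `with pkgs;` at file scope also makes it unclear which of the listed packages come from `pkgs` versus `pkgs_linux`, which matters for an image built on a non-Linux host.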
diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 4dcdbc6..f2faae5 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -17,7 +17,7 @@ dockerTools.buildImage { bash nix nodejs - podman + # podman ]; }; From 22333b143bb4b70de6d5994287e455e29e564887 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:58:31 +0200 Subject: [PATCH 049/174] hmmmmm --- .../services/development/forgejo/runners/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index f2faae5..5046b4d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -13,10 +13,10 @@ dockerTools.buildImage { pathsToLink = [ "/bin" ]; paths = [ coreutils - u-root-cmds + # u-root-cmds bash - nix - nodejs + # nix + # nodejs # podman ]; }; @@ -31,7 +31,7 @@ dockerTools.buildImage { ''; config = { - # User = "root"; + User = "runner"; Cmd = [ "${lib.getExe bashInteractive}" ]; WorkingDir = "/data"; Volumes = { From e0002d7254399adc5a47872c7137f4247069d571 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:00:37 +0200 Subject: [PATCH 050/174] shadowSetup than??? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 5046b4d..dd71c4e 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -23,7 +23,7 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} - ${dockerTools.shadowSetup} + # ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From 2653f3fc93108a67dc9802f4fcc39321be79327c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:05:40 +0200 Subject: [PATCH 051/174] sooooo lost right now.... --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 724b8f1..31bb238 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.kvmtool # configure container policy to accept insecure registry mkdir -p ~/.config/containers From e0c37a10a59f4527d576f78222863560412f8d1e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:08:48 +0200 Subject: [PATCH 052/174] another attempt --- .../services/development/forgejo/runners/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index dd71c4e..2db69fc 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -4,9 +4,16 @@ }: with pkgs; +let + debian = dockerTools.pullImage { + imageName = "debian"; + sha256 = "1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + }; +in dockerTools.buildImage { name = "default"; tag = "latest"; + # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; 
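Review bot: In the `dockerTools.pullImage` call, `sha256` is given the registry manifest digest, but that attribute is the fixed-output hash of the fetched image tarball, not the image digest, so the fetch will fail with a hash mismatch. Pin the image with `imageDigest = "sha256:<manifest digest>";` and supply the tarball hash separately through `sha256`/`hash`. Pinning by digest rather than by tag is the right supply-chain choice here, since a bare `debian` reference would otherwise resolve to whatever `latest` points at when the build runs. The `buildImage` body continues past the hunk.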
@@ -23,7 +30,6 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} - # ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From 61505943f95d21b76f091bd175c090091c81236f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:09:34 +0200 Subject: [PATCH 053/174] add base image --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 2db69fc..74660aa 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -13,7 +13,7 @@ in dockerTools.buildImage { name = "default"; tag = "latest"; - # fromImage = debian; + fromImage = debian; copyToRoot = buildEnv { name = "image-root"; From 66e400e7c0d3753af0dc5fd205c5d72699c4b036 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:11:32 +0200 Subject: [PATCH 054/174] uuuuuugh --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 74660aa..718e168 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -7,7 +7,7 @@ with pkgs; let debian = dockerTools.pullImage { imageName = "debian"; - sha256 = "1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; }; in dockerTools.buildImage { From 898cb6c5129fff1c0bf896c6d31abd19560a6294 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:17:49 +0200 Subject: [PATCH 055/174] local builds again --- modules/nixos/services/development/forgejo/runners/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 718e168..f959621 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -8,6 +8,8 @@ let debian = dockerTools.pullImage { imageName = "debian"; imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + # hash = lib.fakeSha256; + sha256 = "sha256-GDxa0yegZDaagKfl3tS6prhQI0ECXduWrdPgr8uLClU="; }; in dockerTools.buildImage { @@ -30,6 +32,7 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} + ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From a39cb0cf532863c9915b07e5d7851b48e78ca790 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:19:14 +0200 Subject: [PATCH 056/174] ? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index f959621..5862f12 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -15,7 +15,7 @@ in dockerTools.buildImage { name = "default"; tag = "latest"; - fromImage = debian; + # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; From 3d02de9c6c7035b745939fd2e3ff5ab271defbe5 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:20:38 +0200 Subject: [PATCH 057/174] I really don't get it anymore... --- .../development/forgejo/runners/default.nix | 35 +++++++------------ 1 file changed, 13 insertions(+), 22 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 5862f12..2f0332d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -3,41 +3,32 @@ pkgs_linux ? import { system = "x86_64-linux"; }, }: -with pkgs; -let - debian = dockerTools.pullImage { - imageName = "debian"; - imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; - # hash = lib.fakeSha256; - sha256 = "sha256-GDxa0yegZDaagKfl3tS6prhQI0ECXduWrdPgr8uLClU="; - }; -in +with pkgs; dockerTools.buildImage { name = "default"; tag = "latest"; - # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; paths = [ coreutils - # u-root-cmds + u-root-cmds bash - # nix - # nodejs - # podman + nix + nodejs + podman ]; }; - runAsRoot = '' - #!${stdenv.shell} - ${dockerTools.shadowSetup} - groupadd -r runner - useradd -r -g runner -d /data -M runner - mkdir /data - chown runner:runner /data - ''; + # runAsRoot = '' + # #!${stdenv.shell} + # ${dockerTools.shadowSetup} + # groupadd -r runner + # useradd -r -g runner -d /data -M runner + # mkdir /data + # chown runner:runner /data + # ''; config = { User = "runner"; From 3aaad47c2bdb1a32b708657b04e429783149f075 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:23:23 +0200 Subject: [PATCH 058/174] whoops --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 31bb238..b472489 100644 --- a/.forgejo/workflows/runner-image.yml 
+++ b/.forgejo/workflows/runner-image.yml @@ -59,7 +59,7 @@ jobs: - name: Push image run: >- podman push - --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json& + --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From a114f0a7f8b435d4f922ca98abefb8de42745088 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:26:18 +0200 Subject: [PATCH 059/174] . --- .forgejo/workflows/runner-image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index b472489..1d56b4e 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,11 +55,12 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json + podman run localhost/default:latest 'nix --version' - name: Push image run: >- podman push - --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json + --authfile=${XDG_RUNTIME_DIR}/containers/auth.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 237d208e930abaa5b419d8270ca78cc4bc056ad6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:28:59 +0200 Subject: [PATCH 060/174] siiiiigh --- .../development/forgejo/runners/default.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 2f0332d..eb0759b 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
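Review bot: `podman run localhost/default:latest 'nix --version'` passes the quoted string as one argument, so the container is asked to execute a program literally named `nix --version`; it should be `podman run localhost/default:latest nix --version`. The same `__DEBUG__` step still `cat`s both credential files above the new line, which writes the registry token into the job log; limit that to `ls -l` before merging. The step starts before the hunk.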
@@ -21,14 +21,13 @@ dockerTools.buildImage { ]; }; - # runAsRoot = '' - # #!${stdenv.shell} - # ${dockerTools.shadowSetup} - # groupadd -r runner - # useradd -r -g runner -d /data -M runner - # mkdir /data - # chown runner:runner /data - # ''; + runAsRoot = '' + #!${lib.getExe bashInteractive} + groupadd -r runner + useradd -r -g runner -d /data -M runner + mkdir /data + chown runner:runner /data + ''; config = { User = "runner"; From 1cbfb6b5c0c89e381e799825579745bbe45fe8f8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:34:40 +0200 Subject: [PATCH 061/174] . --- .../nixos/services/development/forgejo/runners/default.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index eb0759b..e656e2d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -22,11 +22,7 @@ dockerTools.buildImage { }; runAsRoot = '' - #!${lib.getExe bashInteractive} - groupadd -r runner - useradd -r -g runner -d /data -M runner - mkdir /data - chown runner:runner /data + echo "je moeder!"; ''; config = { From 7070382596163aa7062a412e0c39f169da74339b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:43:18 +0200 Subject: [PATCH 062/174] runAsRoot requires kvm... --- .../services/development/forgejo/runners/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index e656e2d..c4c9a92 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -21,16 +21,8 @@ dockerTools.buildImage { ]; }; - runAsRoot = '' - echo "je moeder!"; - ''; - config = { User = "runner"; Cmd = [ "${lib.getExe bashInteractive}" ]; - WorkingDir = "/data"; - Volumes = { - "/data" = {}; - }; }; } \ No newline at end of file From a0e2d8db7100f41812a4c61e27b559556628ed93 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:46:25 +0200 Subject: [PATCH 063/174] . --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1d56b4e..1b742b0 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,7 +55,7 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - podman run localhost/default:latest 'nix --version' + # podman run localhost/default:latest 'nix --version' - name: Push image run: >- diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index c4c9a92..a7bc883 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -11,7 +11,7 @@ dockerTools.buildImage { copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; - paths = [ + paths = with pkgs_linux [ coreutils u-root-cmds bash From 8b9e1a14a8ad45f518e3b19941b188ec8b20bd79 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:47:10 +0200 Subject: [PATCH 064/174] ,... --- .forgejo/workflows/runner-image.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1b742b0..f30be6e 100644 --- a/.forgejo/workflows/runner-image.yml 
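Review bot: `paths = with pkgs_linux [` is missing the `;` that terminates a Nix `with` expression, so the file no longer parses; it should read `paths = with pkgs_linux; [`. The list continues past the hunk.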
+++ b/.forgejo/workflows/runner-image.yml @@ -55,7 +55,6 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - # podman run localhost/default:latest 'nix --version' - name: Push image run: >- From 522041cbaed64b9cc9699e7feb82c2eceea81e6f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:47:37 +0200 Subject: [PATCH 065/174] waaaaaaggh --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index a7bc883..608cc69 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -11,7 +11,7 @@ dockerTools.buildImage { copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; - paths = with pkgs_linux [ + paths = with pkgs_linux; [ coreutils u-root-cmds bash From cd53e4c008478a58d09121e73b9ed2df8f8e9244 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:50:38 +0200 Subject: [PATCH 066/174] sdfasdfg --- .forgejo/workflows/runner-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f30be6e..9a1c7a9 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -53,7 +53,10 @@ jobs: - name: __DEBUG__ run: | + echo "${XDG_RUNTIME_DIR}/containers/auth.json" [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json + + echo "~/.docker/config.json" [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - name: Push image From f31317304e076e43425fdb7978a2c42c86120262 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:53:35 +0200 Subject: [PATCH 067/174] riiight, should've seen that one coming.... --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 9a1c7a9..d8b7ebb 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,14 +55,14 @@ jobs: run: | echo "${XDG_RUNTIME_DIR}/containers/auth.json" [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json - + echo "~/.docker/config.json" [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - name: Push image run: >- podman push - --authfile=${XDG_RUNTIME_DIR}/containers/auth.json + --authfile=~/.docker/config.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 7ac547bd815a460017ba87bf4aecfa43a8ab87a3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:55:38 +0200 Subject: [PATCH 068/174] parameterize git clone --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index d8b7ebb..e2bc6fb 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -17,9 +17,9 @@ jobs: name: Print hello world runs-on: default steps: - - name: Pull dependencies + - name: Checkout run: | - git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + git clone ${{ forge.server_url }}/${{ forge.repository }}.git . - name: Prepare podman run: | From d3e7de5f5a7f76050bc630015bf625b3569be4d2 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:57:29 +0200 Subject: [PATCH 069/174] asdf --- .forgejo/workflows/runner-image.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e2bc6fb..ac05b21 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,18 +30,6 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - # Create authentication file for podman - mkdir -p ~/.docker - cat > ~/.docker/config.json <- podman push - --authfile=~/.docker/config.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 98c9424db58bf94b9f0ee60a22ed5ba19575d0e5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 17:30:46 +0200 Subject: [PATCH 070/174] aaha, there is the code I forgot to commit... --- .../authentication/zitadel/default.nix | 11 +++----- .../services/development/forgejo/default.nix | 3 ++- .../persistance/postgesql/default.nix | 26 +++++++++++++++++++ 3 files changed, 31 insertions(+), 9 deletions(-) create mode 100644 modules/nixos/services/persistance/postgesql/default.nix diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index a95d849..2f65f6f 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption mkForce; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -13,6 +13,8 @@ in
   };
 
   config = mkIf cfg.enable {
+    ${namespace}.services.persistance.postgresql.enable = true;
+
     environment.systemPackages = with pkgs; [
       zitadel
     ];
@@ -110,13 +112,6 @@ in
             ensureDBOwnership = true;
           }
         ];
-        authentication = mkForce ''
-          # Generated file, do not edit!
-          # TYPE DATABASE USER ADDRESS METHOD
-          local all all trust
-          host all all 127.0.0.1/32 trust
-          host all all ::1/128 trust
-        '';
       };
 
       caddy = {
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index d7f170e..5c7d7aa 100644
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -12,6 +12,7 @@ in
   config = mkIf cfg.enable {
     ${namespace}.services.virtualisation.podman.enable = true;
+    ${namespace}.services.persistance.postgresql.enable = true;
 
     environment.systemPackages = with pkgs; [
       forgejo
     ];
@@ -154,7 +155,7 @@ in
 
           # stupid dumb way to prevent the login page and go to zitadel instead
           # be aware that this does not disable local login at all!
-          rewrite /user/login /user/oauth2/Zitadel
+          # rewrite /user/login /user/oauth2/Zitadel
 
           reverse_proxy http://127.0.0.1:5002
         '';
diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix
new file mode 100644
index 0000000..ce198a8
--- /dev/null
+++ b/modules/nixos/services/persistance/postgesql/default.nix
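Review bot: Commenting out `rewrite /user/login /user/oauth2/Zitadel` removes the only thing that steered users to Zitadel, and the comment above it already admits the rewrite never disabled password login, so after this change Forgejo's local sign-in form is simply reachable at `/user/login` with no SSO redirect at all. If Zitadel-only sign-in is the goal, enforce it in Forgejo's own `settings` rather than in the Caddy vhost — I believe `service.ENABLE_PASSWORD_SIGNIN_FORM = false` alongside `service.DISABLE_REGISTRATION = true` is the supported way; confirm against the Forgejo version deployed. The dead `# rewrite` line should either go or carry a one-line reason, e.g. `# rewrite dropped: <reason>` — the commit message does not say why it was removed.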
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.peristance.postgresql;
+in
+{
+  options.${namespace}.services.peristance.postgresql = {
+    enable = mkEnableOption "Postgresql";
+  };
+
+  config = mkIf cfg.enable {
+    services = {
+      postgresql = {
+        enable = true;
+        authentication = ''
+          # Generated file, do not edit!
+          # TYPE DATABASE USER ADDRESS METHOD
+          local all all trust
+          host all all 127.0.0.1/32 trust
+          host all all ::1/128 trust
+        '';
+      };
+    };
+  };
+}
From 2ca6339fe60844664cfbe738158f4daf2846b4a8 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 7 Sep 2025 18:11:36 +0200
Subject: [PATCH 071/174] fix typo

---
 modules/nixos/services/persistance/postgesql/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix
index ce198a8..dbd6604 100644
--- a/modules/nixos/services/persistance/postgesql/default.nix
+++ b/modules/nixos/services/persistance/postgesql/default.nix
@@ -2,10 +2,10 @@
 let
   inherit (lib) mkIf mkEnableOption;
 
-  cfg = config.${namespace}.services.peristance.postgresql;
+  cfg = config.${namespace}.services.persistance.postgresql;
 in
 {
-  options.${namespace}.services.peristance.postgresql = {
+  options.${namespace}.services.persistance.postgresql = {
     enable = mkEnableOption "Postgresql";
   };
 
From 0689c338ac44bebdac34dbbcfb5c99bb4fcd4321 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 7 Sep 2025 18:12:08 +0200
Subject: [PATCH 072/174] solve compilation errors

---
 modules/nixos/services/development/forgejo/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index 5c7d7aa..f143b12 100644
--- a/modules/nixos/services/development/forgejo/default.nix
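Review bot: The `authentication` block in the new module grants `trust` to `local all all`, `127.0.0.1/32` and `::1/128`, which lets any local process connect as any role — including the `postgres` superuser — with no credential at all, and because the module is now shared it covers the Forgejo database and every future one on the host, not just Zitadel's as the `mkForce` block it replaces did. As I recall, NixOS appends its own default rules (peer auth on the socket, password auth on loopback) after user-supplied lines, so these `trust` lines still win; the least-privilege fix is to keep the defaults and add only the rows the password-less TCP client actually needs, e.g. `host zitadel zitadel 127.0.0.1/32 trust` and `host zitadel zitadel ::1/128 trust`, dropping the blanket `local all all trust` entirely. A comment above the block should say which service needs each row so the next person does not widen it again. The option path in this hunk is spelled `peristance` twice (fixed in the next commit), while the directory is still `postgesql`.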
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -11,8 +11,10 @@ in
   };
   config = mkIf cfg.enable {
-    ${namespace}.services.virtualisation.podman.enable = true;
-    ${namespace}.services.persistance.postgresql.enable = true;
+    ${namespace}.services = {
+      persistance.postgresql.enable = true;
+      virtualisation.podman.enable = true;
+    };
 
     environment.systemPackages = with pkgs; [
       forgejo
     ];
From 288e354edf03cfa0f4ba4b89f154748893d7e85c Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 7 Sep 2025 20:06:56 +0200
Subject: [PATCH 073/174] add nheko

---
 flake.nix                                  |  7 +++++--
 homes/x86_64-linux/chris@manwe/default.nix |  1 +
 modules/home/application/nheko/default.nix | 15 +++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 modules/home/application/nheko/default.nix

diff --git a/flake.nix b/flake.nix
index 07479a7..60e9853 100644
--- a/flake.nix
+++ b/flake.nix
@@ -63,11 +63,11 @@
         url = "github:Jovian-Experiments/Jovian-NixOS";
         inputs.nixpkgs.follows = "nixpkgs";
       };
-      
+
       grub2-themes = {
         url = "github:vinceliuice/grub2-themes";
       };
-      
+
       nixos-wsl = {
         url = "github:nix-community/nixos-wsl";
         inputs = {
@@ -99,6 +99,9 @@
 
           # I think this is because of zen
           "qtwebengine-5.15.19"
+
+          # For Nheko, the matrix client
+          "olm-3.2.16"
         ];
       };
 
diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix
index cd6fa1a..abeb606 100644
--- a/homes/x86_64-linux/chris@manwe/default.nix
+++ b/homes/x86_64-linux/chris@manwe/default.nix
@@ -35,6 +35,7 @@
       bitwarden.enable = true;
       discord.enable = true;
       ladybird.enable = true;
+      nheko.enable = true;
       obs.enable = true;
       onlyoffice.enable = true;
       signal.enable = true;
diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix
new file mode 100644
index 0000000..b04b375
--- /dev/null
+++ b/modules/home/application/nheko/default.nix
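Review bot: The new `"olm-3.2.16"` entry in `permittedInsecurePackages` silences a flag nixpkgs attaches to libolm because upstream declared it end-of-life and unmaintained, with published side-channel findings that will not be fixed; the exemption is also global, so it applies to anything in the closure that links libolm, not only nheko. The comment `# For Nheko, the matrix client` should record that trade-off and when it can be dropped, e.g. `# nheko still links the EOL libolm; remove this exemption when switching to a client that does not depend on it`. Worth checking whether a Matrix client without that dependency is acceptable instead of carrying the exemption.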
@@ -0,0 +1,15 @@ +{ config, lib, pkgs, namespace, osConfig ? {}, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.nheko; +in +{ + options.${namespace}.application.nheko = { + enable = mkEnableOption "enable nheko (matrix client)"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ nheko ]; + }; +} From 7f6f1166a4a6a7d18cf67776c9527b039fddd800 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:34:37 +0200 Subject: [PATCH 074/174] add backup extension for home manager --- modules/home/home-manager/default.nix | 6 ++++-- modules/nixos/home-manager/default.nix | 6 ++++++ 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 modules/nixos/home-manager/default.nix diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix index 93bae2e..5f3be03 100644 --- a/modules/home/home-manager/default.nix +++ b/modules/home/home-manager/default.nix @@ -4,7 +4,9 @@ let in { systemd.user.startServices = "sd-switch"; - programs.home-manager.enable = true; + programs.home-manager = { + enable = true; + }; home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); -} \ No newline at end of file +} diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix new file mode 100644 index 0000000..1a5a964 --- /dev/null +++ b/modules/nixos/home-manager/default.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + config = { + home-manager.backupFileExtension = "back"; + }; +} From ce7b147d0496f3ce80211197449df0cd62595756 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:47:45 +0200 Subject: [PATCH 075/174] move runner --- .../services/development/forgejo/runners => runners}/default.nix | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {modules/nixos/services/development/forgejo/runners => runners}/default.nix (100%) 
diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/runners/default.nix similarity index 100% rename from modules/nixos/services/development/forgejo/runners/default.nix rename to runners/default.nix From fe5cce0946fa4b2f65f9cfcbe5e7b0065b53d2a0 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 22:26:09 +0200 Subject: [PATCH 076/174] initial conduit setup --- .../communication/conduit/default.nix | 56 +++++++++++++++++++ systems/x86_64-linux/ulmo/default.nix | 2 + 2 files changed, 58 insertions(+) create mode 100644 modules/nixos/services/communication/conduit/default.nix diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix new file mode 100644 index 0000000..aa4d5c1 --- /dev/null +++ b/modules/nixos/services/communication/conduit/default.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.communication.conduit; + domain = "matrix.kruining.eu"; +in +{ + options.${namespace}.services.communication.conduit = { + enable = mkEnableOption "conduit (Matrix server)"; + }; + + config = mkIf cfg.enable { + # ${namespace}.services = { + # persistance.postgresql.enable = true; + # virtualisation.podman.enable = true; + # }; + + services = { + matrix-conduit = { + enable = true; + + settings.global = { + address = "::1"; + port = 4001; + + database_backend = "rocksdb"; + + server_name = "chris-matrix"; + }; + }; + + # postgresql = { + # enable = true; + # ensureDatabases = [ "conduit" ]; + # ensureUsers = [ + # { + # name = "conduit"; + # ensureDBOwnership = true; + # } + # ]; + # }; + + caddy = { + enable = true; + virtualHosts = { + ${domain}.extraConfig = '' + # import auth-z + + # reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4108dc9..3b35750 100644 
--- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -10,6 +10,8 @@ authentication.authelia.enable = true; authentication.zitadel.enable = true; + communication.conduit.enable = true; + development.forgejo.enable = true; networking.ssh.enable = true; From ec827c4187adc39d10525b904e2ecc6e9a7af962 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 07:53:05 +0200 Subject: [PATCH 077/174] update pipeline --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index ac05b21..19ba8ae 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -36,7 +36,7 @@ jobs: - name: Create image run: | - nix-build modules/nixos/services/development/forgejo/runners/default.nix + nix-build runners/default.nix podman load < result - name: Push image From 1d6f488ebd68f5f315e4c2077857b3b4cc8047ea Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:14:15 +0200 Subject: [PATCH 078/174] . --- runners/default.nix | 54 ++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/runners/default.nix b/runners/default.nix index 608cc69..9493d52 100644 --- a/runners/default.nix +++ b/runners/default.nix 
@@ -1,28 +1,28 @@ -{ - pkgs ? import {}, - pkgs_linux ? import { system = "x86_64-linux"; }, -}: - -with pkgs; -dockerTools.buildImage { - name = "default"; - tag = "latest"; - - copyToRoot = buildEnv { - name = "image-root"; - pathsToLink = [ "/bin" ]; - paths = with pkgs_linux; [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; - }; - - config = { - User = "runner"; - Cmd = [ "${lib.getExe bashInteractive}" ]; - }; +{ + pkgs ? import {}, + pkgs_linux ? import { system = "x86_64-linux"; }, +}: + +with pkgs; +dockerTools.buildImage { + name = "default"; + tag = "latest"; + + copyToRoot = buildEnv { + name = "image-root"; + pathsToLink = [ "/bin" ]; + paths = with pkgs_linux; [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + }; + + config = { + User = "runner"; + Cmd = [ "${lib.getExe bashInteractive}" ]; + }; } \ No newline at end of file From 2a79a4eb63bd5e7010d88df2d9a803f287fc6967 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:18:02 +0200 Subject: [PATCH 079/174] next iteration for forgejo runners --- .forgejo/workflows/runner-image.yml | 47 ----------- .gitignore | 8 +- .../services/development/forgejo/default.nix | 1 + .../nixos/services/development/forgejo/temp | 80 ------------------- runners/default.nix | 28 ------- 5 files changed, 8 insertions(+), 156 deletions(-) delete mode 100644 .forgejo/workflows/runner-image.yml delete mode 100644 modules/nixos/services/development/forgejo/temp delete mode 100644 runners/default.nix diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml deleted file mode 100644 index 19ba8ae..0000000 --- a/.forgejo/workflows/runner-image.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -name: Test action - -on: - workflow_dispatch: - push: - branches: - - main - -env: - registry: git.amarth.cloud - owner: chris - image: default - tag: latest - -jobs: - hello: - name: Print hello world - runs-on: default - steps: - - name: Checkout - run: | - git clone ${{ forge.server_url }}/${{ forge.repository }}.git . - - - name: Prepare podman - run: | - # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.kvmtool - - # configure container policy to accept insecure registry - mkdir -p ~/.config/containers - echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - - name: Log into registry - run: | - podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - - - name: Create image - run: | - nix-build runners/default.nix - podman load < result - - - name: Push image - run: >- - podman push - --creds="${{ forge.actor }}:${{ forge.token }}" - localhost/default:latest - ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/.gitignore b/.gitignore index 87a3018..3cb44c3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,8 @@ +# ---> Nix +# Ignore build outputs from performing a nix-build or `nix build` command result -*.qcow2 +result-* + +# Ignore automatically generated direnv output +.direnv + diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index f143b12..46e0995 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -142,6 +142,7 @@ in labels = [ "default:docker://nixos/nix:latest" "ubuntu:docker://ubuntu:24-bookworm" + "nix:docker://git.amarth.cloud/amarth/runners/default:latest" ]; settings = { log.level = "info"; 
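Review bot: The new runner label `"nix:docker://git.amarth.cloud/amarth/runners/default:latest"` in `forgejo/default.nix` selects the job image by a mutable tag, so every job silently runs whatever was last pushed to that registry path, and the same commit deletes both `runner-image.yml` and `runners/default.nix`, leaving nothing in the repository that reproduces the image. Pin the label by digest (`…/runners/default@sha256:<IMAGE_DIGEST>`, placeholder) or at least by an immutable version tag, and add a comment on the label saying where the image is now built and published from. The `labels` list's enclosing `settings` block continues outside this hunk.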
diff --git a/modules/nixos/services/development/forgejo/temp b/modules/nixos/services/development/forgejo/temp deleted file mode 100644 index 33a7313..0000000 --- a/modules/nixos/services/development/forgejo/temp +++ /dev/null 
@@ -1,80 +0,0 @@ -Error: mounting new container: - mounting build container "a1c1da9d2422b5d6571a79559039f60ba8771e4a05b9b2f8cae814a8f64bb8e3": - creating overlay mount to /var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/merged, - mount_data=" - lowerdir=/var/lib/containers/storage/overlay/l/XSOABRIRTTFZPQI37OU77T3XP6 - :/var/lib/containers/storage/overlay/l/F3M2D6K25OPTUC4ID73P2NIJ3A - :/var/lib/containers/storage/overlay/l/Q53OUMURARX52AYNVQGFGNVUMQ - :/var/lib/containers/storage/overlay/l/NHNXRY3S7TPPYSGNG6BFA7756K - :/var/lib/containers/storage/overlay/l/XWANZP5SNP5QFXQ7RPR2SN3GND - :/var/lib/containers/storage/overlay/l/QUS3NWAGIVW5KOT7EBHCH2THSP - :/var/lib/containers/storage/overlay/l/P24JFYKBFJWRZF4QCI65JNYDSH - :/var/lib/containers/storage/overlay/l/5U53LA6AULMQOF5JAVLNDQMETC - :/var/lib/containers/storage/overlay/l/SWCKHLKQYKOUWBHWGJ5VPBJ7RH - :/var/lib/containers/storage/overlay/l/KLPPEZB6CRL3I6R6LBCJWMKWPC - :/var/lib/containers/storage/overlay/l/RAI54LOZXCFNWNF54D5YLSZJZO - :/var/lib/containers/storage/overlay/l/NLXXIPBMH7EAMNSOZBGBYXWGV5 - :/var/lib/containers/storage/overlay/l/HP5E2J4HRMO6XYJANMEB4KT7F5 - :/var/lib/containers/storage/overlay/l/JZ3QIR7Y7HTWYCCZRNFZCMQSHH - :/var/lib/containers/storage/overlay/l/IYGILU3HMTXZLIKNELEPBOZXWS - :/var/lib/containers/storage/overlay/l/K52NCFVUIEMQALGI4CTKSORFQ6 - :/var/lib/containers/storage/overlay/l/DM5R63KXPSUHMGXMXGHV2Z7L6O - :/var/lib/containers/storage/overlay/l/3BJ5A4CHITM36J3WL7DUJN7HI5 - :/var/lib/containers/storage/overlay/l/3KY56KPCGUTAOCABRQOPB5E7KI - :/var/lib/containers/storage/overlay/l/4ISDZ7Y23WWZAZ6TISWAVXAKTA - :/var/lib/containers/storage/overlay/l/7WFY6347EYETD2DSHOWWGORMY7 - :/var/lib/containers/storage/overlay/l/RBDQUQQAQ4M3DNDP7JQDSTFPDC - :/var/lib/containers/storage/overlay/l/CZPS35AEHSSOCX2SETGG5RWAWK - :/var/lib/containers/storage/overlay/l/VTV4IYIPIMV7HUVW3YUCEZGVIF - 
:/var/lib/containers/storage/overlay/l/LOGNN4O7UYRJDINC3EU6MCK2JQ - :/var/lib/containers/storage/overlay/l/XCTPWOKP4A3NITB5YJEGDOYP53 - :/var/lib/containers/storage/overlay/l/57WPQF43V53AQIH5AJAFS2ZJLN - :/var/lib/containers/storage/overlay/l/BURD55A3XF6AHWWN5NFYVKHLFR - :/var/lib/containers/storage/overlay/l/SJBWDEB4R6KHHUWYVWHVFXZUML - :/var/lib/containers/storage/overlay/l/EFH5DWZ6VD7XHRBJI3MSGCSL5C - :/var/lib/containers/storage/overlay/l/LNJD656RHN73JQIOG5QP72XH6D - :/var/lib/containers/storage/overlay/l/BYKGR5QA32CNM3PNW7OJZGL7PI - :/var/lib/containers/storage/overlay/l/KEBZ34OPOPZSF56MMUIYJC62VQ - :/var/lib/containers/storage/overlay/l/AXUJ2DTXCFUNLLHVBNZT7HOOHV - :/var/lib/containers/storage/overlay/l/W2GQPDXQWNE4PJ2FK242CNBP3G - :/var/lib/containers/storage/overlay/l/HSHTMFX2BNZ6MN3YKZNP5GACK3 - :/var/lib/containers/storage/overlay/l/5EV6E33HXQTMDYA55D2KVDQN6O - :/var/lib/containers/storage/overlay/l/5YXUGLZ3U5V2GABHAGMOQQLZYD - :/var/lib/containers/storage/overlay/l/WNM6BFUABXRYMF3QXGOWIMSFGS - :/var/lib/containers/storage/overlay/l/EM6L4BR3WMU427KN3WHNXLPXLK - :/var/lib/containers/storage/overlay/l/WKG62FRJYJHG4PIYLUWPOIGIFR - :/var/lib/containers/storage/overlay/l/EIT5DRSEKJFGSXHNDISGIBHEET - :/var/lib/containers/storage/overlay/l/PW2HEYGQKHNXSSQFCTQ3RTW3RU - :/var/lib/containers/storage/overlay/l/LYCJF4GBFFSP5MCC6TGBDGWXLY - :/var/lib/containers/storage/overlay/l/3YXKKFLTDRPWC6Y3VW3A5HCHPC - :/var/lib/containers/storage/overlay/l/RJTCZEVFZ4GZ4WT36ZHWVQPHBE - :/var/lib/containers/storage/overlay/l/AT3GLGCW22SPL4FDEMUHM7SEC3 - :/var/lib/containers/storage/overlay/l/VPT2VRWXG6F5UOROWNVZJUYIXS - :/var/lib/containers/storage/overlay/l/IHIXWAURUCUAYZEWBQU6N37UL5 - :/var/lib/containers/storage/overlay/l/IGMNOUI3RRH3KFAOSHZUJJAYA6 - :/var/lib/containers/storage/overlay/l/KQTWTENKAQ7WIMPQO5HY4SQKSL - :/var/lib/containers/storage/overlay/l/7GQIS3UWTUQESKJI6NQ5A63FMB - :/var/lib/containers/storage/overlay/l/MXGQVTYACLV4M7PRZRGGXNOLCY - 
:/var/lib/containers/storage/overlay/l/6T6MXUMJ74EIDYDFZJU6642WDR - :/var/lib/containers/storage/overlay/l/QG53GGUJAUZLLCRGHLDVNBIG5M - :/var/lib/containers/storage/overlay/l/CWKPW6SM2HIEROK4XOFGURSEYZ - :/var/lib/containers/storage/overlay/l/EFAHS5T2ZS5ZVCY4WGZ4WW45WC - :/var/lib/containers/storage/overlay/l/CRT42BUU43KSCBUDTOB55WVML2 - :/var/lib/containers/storage/overlay/l/KA53IG4NUWMJM5GBFUKDSUP7WM - :/var/lib/containers/storage/overlay/l/DELTO3DZAGCCUKFOKYU5POUVO5 - :/var/lib/containers/storage/overlay/l/KM7KLUMSMCIUGMOUZHCCJVNY3S - :/var/lib/containers/storage/overlay/l/IAXMV7ZFALQU4XFQFLLXXUKBX7 - :/var/lib/containers/storage/overlay/l/6VVTPVXHDYPHOT42CWJXOL6SMB - :/var/lib/containers/storage/overlay/l/OHO5IA7AJ2EOGAFUPT3MPJMZSY - :/var/lib/containers/storage/overlay/l/Q3ZXKGFN6Q2APXQKRXMNE6YR4M - :/var/lib/containers/storage/overlay/l/FSGYM4J5NR6AY3LUWZ2WTBQG3N - :/var/lib/containers/storage/overlay/l/M44HLHAQGLWFYVTS4J55CDEDLY - :/var/lib/containers/storage/overlay/l/36CIGRUHNNFDCBWSEN3KXUQAZR - :/var/lib/containers/storage/overlay/l/5QE5JTSJB23BDSXCGYPXTTJUSS - :/var/lib/containers/storage/overlay/l/DREIPLSBGAK4XBL57M3NJAT5XA, - upperdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/diff, - workdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/work, - volatile": using mount program /nix/store/mr0jx11v1z2sfjlndisw7v3jrk57x7l3-fuse-overlayfs-1.14/bin/fuse-overlayfs: unknown argument ignored: lazytime - -fuse: device not found, try 'modprobe fuse' first -fuse-overlayfs: cannot mount: No such file or directory \ No newline at end of file diff --git a/runners/default.nix b/runners/default.nix deleted file mode 100644 index 9493d52..0000000 --- a/runners/default.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - pkgs ? import {}, - pkgs_linux ? import { system = "x86_64-linux"; }, -}: - -with pkgs; -dockerTools.buildImage { - name = "default"; - tag = "latest"; - - copyToRoot = buildEnv { - name = "image-root"; - pathsToLink = [ "/bin" ]; - paths = with pkgs_linux; [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; - }; - - config = { - User = "runner"; - Cmd = [ "${lib.getExe bashInteractive}" ]; - }; -} \ No newline at end of file From 9ebe4fd4e706c30babeb32df1abb6e2ad0d071fe Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:24:36 +0200 Subject: [PATCH 080/174] alright, time to try it --- .forgejo/workflows/action.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 4aac00e..684cfad 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -7,10 +7,9 @@ on: - main jobs: - hello: - name: Print hello world - runs-on: default + kaas: + runs-on: nix steps: - name: Echo run: | - echo "Hello, world!" \ No newline at end of file + nix --version \ No newline at end of file From cc2f7bbea403b06f52ec1bd261a8bd5eb8fca687 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Sep 2025 10:53:10 +0200 Subject: [PATCH 081/174] replace nheko with fractal --- homes/x86_64-linux/chris@manwe/default.nix | 2 +- modules/home/application/matrix/default.nix | 15 +++++++++++++++ modules/home/application/nheko/default.nix | 15 --------------- 3 files changed, 16 insertions(+), 16 deletions(-) create mode 100644 modules/home/application/matrix/default.nix delete mode 100644 modules/home/application/nheko/default.nix diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index abeb606..9abe613 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix 
@@ -35,7 +35,7 @@
       bitwarden.enable = true;
       discord.enable = true;
       ladybird.enable = true;
-      nheko.enable = true;
+      matrix.enable = true;
       obs.enable = true;
       onlyoffice.enable = true;
       signal.enable = true;
diff --git a/modules/home/application/matrix/default.nix b/modules/home/application/matrix/default.nix
new file mode 100644
index 0000000..1a33a0c
--- /dev/null
+++ b/modules/home/application/matrix/default.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, namespace, osConfig ? {}, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.application.matrix;
+in
+{
+  options.${namespace}.application.matrix = {
+    enable = mkEnableOption "enable Matrix client (Fractal)";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [ fractal ];
+  };
+}
diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix
deleted file mode 100644
index b04b375..0000000
--- a/modules/home/application/nheko/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, pkgs, namespace, osConfig ? {}, ... }:
-let
-  inherit (lib) mkIf mkEnableOption;
-
-  cfg = config.${namespace}.application.nheko;
-in
-{
-  options.${namespace}.application.nheko = {
-    enable = mkEnableOption "enable nheko (matrix client)";
-  };
-
-  config = mkIf cfg.enable {
-    home.packages = with pkgs; [ nheko ];
-  };
-}
From d4eff470499f55c490c7dda2775dda5b53f338ff Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Thu, 11 Sep 2025 10:53:17 +0200
Subject: [PATCH 082/174] finally have a working matrix set up

---
 .../communication/conduit/default.nix | 36 +++++++++++++++----
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix
index aa4d5c1..13a2cbc 100644
--- a/modules/nixos/services/communication/conduit/default.nix
+++ b/modules/nixos/services/communication/conduit/default.nix
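Review bot: With the nheko module deleted, the `"olm-3.2.16"` entry added to `permittedInsecurePackages` for it in commit 073 no longer has a consumer in this tree as far as I can tell (Fractal is built on the Rust SDK rather than libolm), yet this commit leaves the exemption in place, so the end-of-life library stays allowed for whatever links it next. Remove that entry together with this change, or at least note in the new `matrix` module why it must stay, e.g. `# NOTE: olm exemption in flake.nix can be dropped once nothing else links libolm`.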
@@ -16,17 +16,25 @@ in
     #   virtualisation.podman.enable = true;
     # };
 
+    networking.firewall.allowedTCPPorts = [ 4001 8448 ];
+
     services = {
       matrix-conduit = {
         enable = true;
 
         settings.global = {
-          address = "::1";
+          address = "::";
           port = 4001;
 
-          database_backend = "rocksdb";
+          server_name = "matrix.kruining.eu";
 
-          server_name = "chris-matrix";
+          database_backend = "rocksdb";
+          # database_path = "/var/lib/matrix-conduit/";
+
+          allow_check_for_updates = false;
+          allow_registration = false;
+
+          enable_lightning_bolt = false;
         };
       };
 
@@ -43,11 +51,25 @@ in
 
       caddy = {
         enable = true;
-        virtualHosts = {
-          ${domain}.extraConfig = ''
-            # import auth-z
+        virtualHosts = let
+          inherit (builtins) toJSON;
 
-            # reverse_proxy http://127.0.0.1:5002
+          server = {
+            "m.server" = "${domain}:443";
+          };
+          client = {
+            "m.homeserver".base_url = "https://${domain}";
+            "m.identity_server".base_url = "https://auth.amarth.cloud";
+          };
+        in {
+          "${domain}".extraConfig = ''
+            header /.well-known/matrix/* Content-Type application/json
+            header /.well-known/matrix/* Access-Control-Allow-Origin *
+            respond /.well-known/matrix/server `${toJSON server}`
+            respond /.well-known/matrix/client `${toJSON client}`
+
+            reverse_proxy /_matrix/* http://::1:4001
+            # reverse_proxy /_synapse/client/* http://::1:4001
           '';
         };
       };
From 7d2a5dc4c8e9e0b14b3a0a5ac8f2d9c6b7e1f0a3 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Thu, 11 Sep 2025 16:43:54 +0200
Subject: [PATCH 083/174] switch to synapse away from conduit

---
 .../authentication/zitadel/default.nix |  11 +-
 .../communication/conduit/default.nix  | 135 +++++++++++++++---
 2 files changed, 120 insertions(+), 26 deletions(-)

diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index 2f65f6f..7edccc1 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
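Review bot: `networking.firewall.allowedTCPPorts = [ 4001 8448 ];` together with the switch from `address = "::1"` to `address = "::"` exposes Conduit's plaintext listener on every interface, while the Caddy block in the next hunk already proxies `/_matrix/*` over TLS and the `.well-known/matrix/server` answer points federation at `${domain}:443`, so neither 4001 nor 8448 needs to be reachable from outside. Keep the `::1` bind this hunk replaces and drop the `allowedTCPPorts` line; the rename commit later in this series narrows it to `[ 4001 ]` but leaves the same exposure, and the Synapse listener added two commits later (`bind_addresses = ["::"]` with `tls = false` and `x_forwarded = true`) has the same problem, since anyone who reaches the port directly can supply their own `X-Forwarded-For`. A comment on the conduit block saying it is reached only through Caddy would make the intended topology explicit.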
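Review bot: `reverse_proxy /_matrix/* http://::1:4001` writes the IPv6 loopback literal without brackets, which leaves Caddy's upstream parser an ambiguous host:port split; `http://[::1]:4001` is the unambiguous form (and the spelling the bridge config in the next commit uses for the same address), and the commented `_synapse` line below it should be corrected the same way before it is uncommented. The two `respond /.well-known/matrix/*` lines are what delegate `kruining.eu` federation and client discovery to this host, which deserves a one-line comment above them, e.g. `# serve Matrix delegation (server + client well-known) statically`.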
@@ -4,8 +4,7 @@ let
 
   cfg = config.${namespace}.services.authentication.zitadel;
 
-  db_name = "zitadel";
-  db_user = "zitadel";
+  database = "zitadel";
 in
 {
   options.${namespace}.services.authentication.zitadel = {
@@ -72,9 +71,9 @@ in
               Host = "localhost";
               # Zitadel will report error if port is not set
               Port = 5432;
-              Database = db_name;
+              Database = database;
               User = {
-                Username = db_user;
+                Username = database;
                 SSL.Mode = "disable";
               };
               Admin = {
@@ -105,10 +104,10 @@ in
 
       postgresql = {
         enable = true;
-        ensureDatabases = [ db_name ];
+        ensureDatabases = [ database ];
         ensureUsers = [
           {
-            name = db_user;
+            name = database;
             ensureDBOwnership = true;
           }
         ];
diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix
index 13a2cbc..3e909ff 100644
--- a/modules/nixos/services/communication/conduit/default.nix
+++ b/modules/nixos/services/communication/conduit/default.nix
@@ -1,9 +1,15 @@
 { config, lib, pkgs, namespace, ... }:
 let
+  inherit (builtins) toString toJSON;
   inherit (lib) mkIf mkEnableOption;
 
   cfg = config.${namespace}.services.communication.conduit;
-  domain = "matrix.kruining.eu";
+
+  domain = "kruining.eu";
+  fqn = "matrix.${domain}";
+  port = 4001;
+
+  database = "synapse";
 in
 {
   options.${namespace}.services.communication.conduit = {
@@ -20,13 +26,13 @@ in
 
     services = {
       matrix-conduit = {
-        enable = true;
+        enable = false;
 
         settings.global = {
           address = "::";
-          port = 4001;
+          port = port;
 
-          server_name = "matrix.kruining.eu";
+          server_name = domain;
 
           database_backend = "rocksdb";
           # database_path = "/var/lib/matrix-conduit/";
@@ -38,27 +44,115 @@ in }; }; - # postgresql = { - # enable = true; - # ensureDatabases = [ "conduit" ]; - # ensureUsers = [ - # { - # name = "conduit"; - # ensureDBOwnership = true; - # } - # ]; - # }; + matrix-synapse = { + enable = true; + + extras = [ "oidc" ]; + plugins = with config.services.matrix-synapse.package.plugins; []; + + settings = { + server_name = domain; + public_baseurl = "https://${fqn}"; + + enable_registration = false; + registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; + + url_preview_enabled = true; + precence.enabled = true; + + database = { + # this is postgresql (also the default, but I prefer to be explicit) + name = "psycopg2"; + args = { + database = database; + user = database; + }; + }; + + listeners = [ + { + bind_addresses = ["::"]; + port = port; + type = "http"; + tls = false; + x_forwarded = true; + + resources = [ + { + names = [ "client" "federation" ]; + compress = true; + } + ]; + } + ]; + }; + }; + + mautrix-signal = { + enable = true; + registerToSynapse = true; + + settings = { + appservice = { + provisioning.enabled = false; + port = 40011; + }; + + homeserver = { + address = "http://[::1]:${toString port}"; + domain = domain; + }; + + bridge = { + permissions = { + "@chris:${domain}" = "admin"; + }; + }; + }; + }; + + mautrix-whatsapp = { + enable = true; + registerToSynapse = true; + + settings = { + appservice = { + provisioning.enabled = false; + port = 40012; + }; + + homeserver = { + address = "http://[::1]:${toString port}"; + domain = domain; + }; + + bridge = { + permissions = { + "@chris:${domain}" = "admin"; + }; + }; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ database ]; + ensureUsers = [ + { + name = database; + ensureDBOwnership = true; + } + ]; + }; caddy = { enable = true; virtualHosts = let - inherit (builtins) toJSON; - server = { - "m.server" = "${domain}:443"; + "m.server" = "${fqn}:443"; }; client = { - "m.homeserver".base_url = 
"https://${domain}";
+          "m.homeserver".base_url = "https://${fqn}";
           "m.identity_server".base_url = "https://auth.amarth.cloud";
         };
         in {
@@ -67,9 +161,10 @@ in
             header /.well-known/matrix/* Access-Control-Allow-Origin *
             respond /.well-known/matrix/server `${toJSON server}`
             respond /.well-known/matrix/client `${toJSON client}`
-            
+          '';
+          "${fqn}".extraConfig = ''
             reverse_proxy /_matrix/* http://::1:4001
-            # reverse_proxy /_synapse/client/* http://::1:4001
+            reverse_proxy /_synapse/client/* http://::1:4001
           '';
         };
       };
From 953c238a47cf95ee874eaefca9f710a8c899fd87 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Thu, 11 Sep 2025 22:03:10 +0200
Subject: [PATCH 084/174] fix nix config

---
 modules/nixos/nix/default.nix | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix
index 3104ecd..bf96f59 100644
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@@ -1,15 +1,11 @@
 { pkgs, lib, namespace, config, ... }:
 let
-  inherit (lib) mkIf mkEnableOption;
-
   cfg = config.${namespace}.nix;
 in
 {
-  options.${namespace}.nix = {
-    enable = mkEnableOption "Enable nix command";
-  };
+  options.${namespace}.nix = {};
 
-  config = mkIf cfg.enable {
+  config = {
     programs.git.enable = true;
 
     nix = {
From 992ddba373757578ccc8c06350ebf285a8accad3 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Thu, 11 Sep 2025 22:09:47 +0200
Subject: [PATCH 085/174] rename matrix module

---
 .../{conduit => matrix}/default.nix   | 37 +++++--------------
 systems/x86_64-linux/ulmo/default.nix |  2 +-
 2 files changed, 10 insertions(+), 29 deletions(-)
 rename modules/nixos/services/communication/{conduit => matrix}/default.nix (81%)

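Review bot: `registration_shared_secret = "…"` inside `matrix-synapse.settings` commits a live secret to git and, since the NixOS module renders `settings` into a Nix store file as far as I know, makes it world-readable on the host; anyone holding that value can create accounts through Synapse's shared-secret registration endpoint regardless of `enable_registration = false`, and with 4001 open in the firewall and `bind_addresses = ["::"]` that endpoint is reachable directly rather than only through the Caddy path filter. Move the value out of the repository and use `registration_shared_secret_path = "<PATH_TO_SECRET_FILE>"` (placeholder) populated by your secrets tooling, then rotate the committed value. Two smaller issues in the same hunk: `precence.enabled = true;` is misspelled, so Synapse's `presence` setting is never set, and the listener's `bind_addresses` should be `["::1"]` with `tls = false`/`x_forwarded = true`, because Caddy proxies to `http://::1:4001` and only a loopback bind keeps `X-Forwarded-For` trustworthy. This hunk starts on the previous line.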
diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/matrix/default.nix
similarity index 81%
rename from modules/nixos/services/communication/conduit/default.nix
rename to modules/nixos/services/communication/matrix/default.nix
index 3e909ff..b339b82 100644
--- a/modules/nixos/services/communication/conduit/default.nix
+++ b/modules/nixos/services/communication/matrix/default.nix
@@ -3,7 +3,7 @@ let
   inherit (builtins) toString toJSON;
   inherit (lib) mkIf mkEnableOption;
 
-  cfg = config.${namespace}.services.communication.conduit;
+  cfg = config.${namespace}.services.communication.matrix;
 
   domain = "kruining.eu";
   fqn = "matrix.${domain}";
@@ -12,38 +12,19 @@ let
   database = "synapse";
 in
 {
-  options.${namespace}.services.communication.conduit = {
-    enable = mkEnableOption "conduit (Matrix server)";
+  options.${namespace}.services.communication.matrix = {
+    enable = mkEnableOption "Matrix server (Synapse)";
   };
 
   config = mkIf cfg.enable {
-    # ${namespace}.services = {
-    #   persistance.postgresql.enable = true;
-    #   virtualisation.podman.enable = true;
-    # };
+    ${namespace}.services = {
+      persistance.postgresql.enable = true;
+      # virtualisation.podman.enable = true;
+    };
 
-    networking.firewall.allowedTCPPorts = [ 4001 8448 ];
+    networking.firewall.allowedTCPPorts = [ 4001 ];
 
     services = {
-      matrix-conduit = {
-        enable = false;
-
-        settings.global = {
-          address = "::";
-          port = port;
-
-          server_name = domain;
-
-          database_backend = "rocksdb";
-          # database_path = "/var/lib/matrix-conduit/";
-
-          allow_check_for_updates = false;
-          allow_registration = false;
-
-          enable_lightning_bolt = false;
-        };
-      };
-
       matrix-synapse = {
         enable = true;
 
@@ -56,7 +37,7 @@ in
 
           enable_registration = false;
           registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz";
-          
+
           url_preview_enabled = true;
           precence.enabled = true;
 
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index 3b35750..4d1c4ab 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@@ -10,7 +10,7 @@
 authentication.authelia.enable = true;
 authentication.zitadel.enable = true;

- communication.conduit.enable = true;
+ communication.matrix.enable = true;

 development.forgejo.enable = true;

From 3816942600ebc21d01fb790f2d18bec17559c656 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 14 Sep 2025 22:00:53 +0200
Subject: [PATCH 086/174] finally have the matrix bridges working!

---
 modules/nixos/services/communication/matrix/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix
index b339b82..6a75f43 100644
--- a/modules/nixos/services/communication/matrix/default.nix
+++ b/modules/nixos/services/communication/matrix/default.nix
@@ -29,7 +29,7 @@ in
 enable = true;

 extras = [ "oidc" ];
- plugins = with config.services.matrix-synapse.package.plugins; [];
+ # plugins = with config.services.matrix-synapse.package.plugins; [];

 settings = {
 server_name = domain;
@@ -76,7 +76,7 @@ in
 settings = {
 appservice = {
 provisioning.enabled = false;
- port = 40011;
+ # port = 40011;
 };

 homeserver = {
@@ -99,7 +99,7 @@ in
 settings = {
 appservice = {
 provisioning.enabled = false;
- port = 40012;
+ # port = 40012;
 };

 homeserver = {
From d35165ebc0ab1927aca8675e88ef4ee28ce3149c Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 14 Sep 2025 22:01:09 +0200
Subject: [PATCH 087/174] add sso support for matrix server

---
 .../services/communication/matrix/default.nix | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix
index 6a75f43..a93d7c8 100644
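Review bot: Commenting out `plugins = with config.services.matrix-synapse.package.plugins; [];` and the two `port = 4001x;` lines leaves dead code whose intent cannot be recovered from the diff; the same pattern is repeated in the two `appservice` hunks at @@ -76 and @@ -99 of this file. If pinning the appservice ports was what kept the bridges from registering (the commit title suggests so, but the failure is not visible here), delete the lines and record the reason once, e.g. `# appservice.port is left to the module default; pinning it broke bridge registration with Synapse`. The enclosing `settings` sets start before and end after each of these hunks.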
--- a/modules/nixos/services/communication/matrix/default.nix
+++ b/modules/nixos/services/communication/matrix/default.nix
@@ -41,6 +41,28 @@ in
 url_preview_enabled = true;
 precence.enabled = true;

+ sso = {
+ client_whitelist = [ "http://[::1]:9092" ];
+ update_profile_information = true;
+ };
+
+ oidc_providers = [
+ {
+ discover = true;
+
+ idp_id = "zitadel";
+ idp_name = "Zitadel";
+ issuer = "https://auth.amarth.cloud";
+ client_id = "337858153251143939";
+ client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH";
+ scopes = [ "openid" "profile" ];
+ # user_mapping_provider.config = {
+ # localpart_template = "{{ user.prefered_username }}";
+ # display_name_template = "{{ user.name }}";
+ # };
+ }
+ ];
+
 database = {
 # this is postgresql (also the default, but I prefer to be explicit)
 name = "psycopg2";
From 1a4746819b166eb57ad0a24a03f1260abba4cf1a Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 14 Sep 2025 22:03:21 +0200
Subject: [PATCH 088/174] - fix matrix clients - fix zen - uuuugh, stupid home-manager...

---
 flake.lock | 20 +++----------------
 flake.nix | 5 ++++-
 modules/home/application/matrix/default.nix | 6 +++++-
 modules/home/application/zen/default.nix | 2 ++
 modules/home/desktop/plasma/default.nix | 2 +-
 modules/nixos/home-manager/default.nix | 2 +-
 6 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/flake.lock b/flake.lock
index 51907f8..e10acab 100644
--- a/flake.lock
+++ b/flake.lock
@@ -686,22 +686,6 @@
 "type": "github"
 }
 },
- "nixpkgs_10": {
- "locked": {
- "lastModified": 1727348695,
- "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1756578978,
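Review bot: The new `client_secret = "…"` (like the `registration_shared_secret` visible as context a few lines up) is a string literal inside `settings`, so it is committed to git and, as far as the NixOS module renders `settings` into the generated homeserver.yaml, also lands in the world-readable Nix store. Synapse accepts `client_secret_path` and `registration_shared_secret_path` for file-backed values, and the module's `extraConfigFiles` exists for the same purpose; pointing either at a file provisioned outside the store (sops-nix is already an input of this flake) keeps the values out of both places, and the literal pasted here should be treated as disclosed and rotated at the IdP. Separately, the commented-out mapping uses `user.prefered_username`, while the standard OIDC claim is `preferred_username`, so the template would yield an empty localpart if it is ever re-enabled. The `settings` set continues past the end of the hunk.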
@@ -1186,7 +1170,9 @@
 "zen-browser": {
 "inputs": {
 "home-manager": "home-manager_2",
- "nixpkgs": "nixpkgs_10"
+ "nixpkgs": [
+ "nixpkgs"
+ ]
 },
 "locked": {
 "lastModified": 1756876659,
diff --git a/flake.nix b/flake.nix
index 60e9853..c659d4f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,7 +41,10 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };

- zen-browser.url = "github:0xc000022070/zen-browser-flake";
+ zen-browser = {
+ url = "github:0xc000022070/zen-browser-flake";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };

 nix-minecraft.url = "github:Infinidoge/nix-minecraft";

diff --git a/modules/home/application/matrix/default.nix b/modules/home/application/matrix/default.nix
index 1a33a0c..867a94f 100644
--- a/modules/home/application/matrix/default.nix
+++ b/modules/home/application/matrix/default.nix
@@ -10,6 +10,10 @@ in
 };

 config = mkIf cfg.enable {
- home.packages = with pkgs; [ fractal ];
+ home.packages = with pkgs; [ fractal element-desktop ];
+
+ programs.element-desktop = {
+ enable = true;
+ };
 };
 }
diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix
index 4995216..b7cec03 100644
--- a/modules/home/application/zen/default.nix
+++ b/modules/home/application/zen/default.nix
@@ -19,6 +19,8 @@ in
 };

 programs.zen-browser = {
+ enable = true;
+
 policies = {
 AutofillAddressEnabled = true;
 AutofillCreditCardEnabled = false;
diff --git a/modules/home/desktop/plasma/default.nix b/modules/home/desktop/plasma/default.nix
index 13476fb..0b679a0 100644
--- a/modules/home/desktop/plasma/default.nix
+++ b/modules/home/desktop/plasma/default.nix
@@ -64,7 +64,7 @@ in
 };

 kwalletrc = {
- Wallet.Enabled = false;
+ Wallet.Enabled = true;
 };

 plasmarc = {
diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix
index 1a5a964..d147d46 100644
--- a/modules/nixos/home-manager/default.nix
+++ b/modules/nixos/home-manager/default.nix
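Review bot: In the `modules/home/application/matrix/default.nix` hunk, `element-desktop` is added to `home.packages` and `programs.element-desktop.enable = true;` is set in the same change; assuming the option exists in the pinned home-manager, the program module installs its own package, so the list entry is redundant and will silently diverge if `programs.element-desktop.package` is ever overridden. Keep one of the two, e.g. `home.packages = with pkgs; [ fractal ];` alongside the `programs.element-desktop` block. The `config` attribute set this hunk edits starts before the hunk.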
@@ -1,6 +1,6 @@
 { ... }:
 {
 config = {
- home-manager.backupFileExtension = "back";
+ home-manager.backupFileExtension = "homeManagerBackup";
 };
 }
From 6ed8bd861b5074084a67d3bf150cdf732476bf31 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 14 Sep 2025 22:03:45 +0200
Subject: [PATCH 089/174] start borg backups

---
 .../nixos/services/backup/borg/default.nix | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 modules/nixos/services/backup/borg/default.nix

diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix
new file mode 100644
index 0000000..fbe5235
--- /dev/null
+++ b/modules/nixos/services/backup/borg/default.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.services.backup.borg;
+in
+{
+ options.${namespace}.services.backup.borg = {
+ enable = mkEnableOption "Borg Backup";
+ };
+
+ config = mkIf cfg.enable {
+ services = {
+ borgbackup.jobs = {
+ media = {
+ paths = "/var/media/test";
+ encryption.mode = "none";
+ environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4";
+ repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media";
+ compression = "auto,zstd";
+ startAt = "daily";
+ };
+ };
+ };
+ };
+}
From 188988f930e35dc9daac6e373a737fe867207706 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Sun, 14 Sep 2025 22:13:19 +0200
Subject: [PATCH 090/174] disable password auth for matrix

---
 modules/nixos/services/communication/matrix/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix
index a93d7c8..d0c6e45 100644
--- a/modules/nixos/services/communication/matrix/default.nix
+++ b/modules/nixos/services/communication/matrix/default.nix
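Review bot: `encryption.mode = "none";` in the new borg module ships the archive to a repository on another host (`ssh://chris@beheer.hazelhof.nl:222/...`) in the clear, so whoever administers that host can read every backup; `repokey-blake2` plus an `encryption.passCommand` that reads a file kept outside the Nix store (sops-nix is already an input of this flake) costs nothing to add while the job still only covers a test path. `environment.BORG_SSH` also points the job, which the NixOS module runs as root unless `user` is set, at a personal key under `/home/chris/.ssh`; a dedicated key whose `authorized_keys` entry on the remote is restricted with `command="borg serve --restrict-to-path …"` bounds what a compromised backup host or leaked key can do, and root's `known_hosts` must hold that host's key for the first run to succeed. `paths = "/var/media/test"` reads like a placeholder and should be replaced before this is enabled on a host. The file is complete within the hunk.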
@@ -35,12 +35,15 @@ in
 server_name = domain;
 public_baseurl = "https://${fqn}";

- enable_registration = false;
 registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz";

 url_preview_enabled = true;
 precence.enabled = true;

+ # Since we'll be using OIDC for auth disable all local options
+ enable_registration = false;
+ password_config.enabled = false;
+
 sso = {
 client_whitelist = [ "http://[::1]:9092" ];
 update_profile_information = true;
From e55ec9c32380fe872ed977aa065e6d69e3c6d74b Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 17 Sep 2025 23:02:17 +0200
Subject: [PATCH 091/174] Update flake.lock

---
 flake.lock | 210 +++++++++++++++++++++++++++++------------------------
 1 file changed, 116 insertions(+), 94 deletions(-)

diff --git a/flake.lock b/flake.lock
index e10acab..528d3cd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
 "fromYaml": "fromYaml"
 },
 "locked": {
- "lastModified": 1746562888,
- "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=",
+ "lastModified": 1755819240,
+ "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=",
 "owner": "SenchoPens",
 "repo": "base16.nix",
- "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89",
+ "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6",
 "type": "github"
 },
 "original": {
@@ -73,11 +73,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1756593129,
- "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=",
+ "lastModified": 1757697130,
+ "narHash": "sha256-xEL7Ou/TQ1gYz4EXTwWOuMbySDNak9aTZHggjgWIh3E=",
 "owner": "emmanuelrosa",
 "repo": "erosanix",
- "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd",
+ "rev": "e15b6c60f9d93ef0dcfdd7d333b234fbe225288d",
 "type": "github"
 },
 "original": {
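Review bot: The new comment claims all local auth options are disabled, but `registration_shared_secret` a few lines above still permits shared-secret registration through the admin API regardless of `enable_registration = false;`, so the comment promises more than the config delivers. Either remove the shared secret now that accounts come from the IdP, or narrow the comment to what is true: `# OIDC is the only login path; registration_shared_secret stays only for register_new_matrix_user on the first admin account`. While here, the context line `precence.enabled = true;` appears to misspell Synapse's `presence` key and is most likely ignored rather than rejected. The `settings` set continues past the end of the hunk.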
@@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1756622179, - "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=", + "lastModified": 1758091097, + "narHash": "sha256-p2FIwAaUCoKY9mZSPAMQYQ7CwwhfvGC4VIfLapAdfOE=", "owner": "nix-community", "repo": "fenix", - "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79", + "rev": "b60fe116b9495df516f57837bb04a4f89f3aa7ed", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1756643456, - "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=", + "lastModified": 1758026061, + "narHash": "sha256-C9k9zXbQrXCA4mgaEwpV8YyOWz/hLEc+Yu0GGWf3SVs=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e", + "rev": "3ec1499fdac54c0d3e14d6a69470cfe267b364a9", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1748383148, - "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", + "lastModified": 1756083905, + "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", + "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808", "type": "github" }, "original": { @@ -230,11 +230,11 @@ ] }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1756770412, + "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "4524271976b625a4a605beefd893f270620fd751", "type": "github" }, "original": { 
@@ -251,11 +251,11 @@ ] }, "locked": { - "lastModified": 1751413152, - "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", + "lastModified": 1756770412, + "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", + "rev": "4524271976b625a4a605beefd893f270620fd751", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1756381920, - "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=", + "lastModified": 1757136219, + "narHash": "sha256-tKU+vq34KHu/A2wD7WdgP5A4/RCmSD8hB0TyQAUlixA=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7", + "rev": "80dd04ddf3ba7b284a7b1a5df2b1e95ee2aad606", "type": "github" }, "original": { @@ -429,14 +429,15 @@ "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" - ] + ], + "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1756413980, - "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=", + "lastModified": 1758132240, + "narHash": "sha256-Pie3Hfqc9MMUmzSj17ikYsF+DWbJt0TWcmROaQkyliw=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a", + "rev": "aee341588eb2cd23ba0ca2c8c4e36a74c81e9676", "type": "github" }, "original": { @@ -452,11 +453,11 @@ ] }, "locked": { - "lastModified": 1756650373, - "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=", + "lastModified": 1758119172, + "narHash": "sha256-LnVuGLf0PJHqqIHroxEzwXS57mjAdHSrXi0iODKbbiU=", "owner": "nix-community", "repo": "home-manager", - "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8", + "rev": "9f408dc51c8e8216a94379e6356bdadbe8b4fef9", "type": "github" }, "original": { 
@@ -473,11 +474,11 @@ ] }, "locked": { - "lastModified": 1756842514, - "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", + "lastModified": 1752603129, + "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", "owner": "nix-community", "repo": "home-manager", - "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", + "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", "type": "github" }, "original": { @@ -494,11 +495,11 @@ ] }, "locked": { - "lastModified": 1756638688, - "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=", + "lastModified": 1757230583, + "narHash": "sha256-4uqu7sFPOaVTCogsxaGMgbzZ2vK40GVGMfUmrvK3/LY=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "e7b8679cba79f4167199f018b05c82169249f654", + "rev": "fc3960e6c32c9d4f95fff2ef84444284d24d3bea", "type": "github" }, "original": { @@ -528,11 +529,11 @@ }, "mnw": { "locked": { - "lastModified": 1756580127, - "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=", + "lastModified": 1756659871, + "narHash": "sha256-v6Rh4aQ6RKjM2N02kK9Usn0Ix7+OY66vNpeklc1MnGE=", "owner": "Gerg-L", "repo": "mnw", - "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252", + "rev": "ed6cc3e48557ba18266e598a5ebb6602499ada16", "type": "github" }, "original": { @@ -570,11 +571,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1756518625, - "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=", + "lastModified": 1758073856, + "narHash": "sha256-2KU4Sb2WynjwKQ/+MkKjc6mpCiGfuRRQozR267cK8WI=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19", + "rev": "e8c58a920fb430a70498b3c517fd91c768423c4b", "type": "github" }, "original": { 
@@ -642,11 +643,11 @@ ] }, "locked": { - "lastModified": 1755261305, - "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=", + "lastModified": 1758123407, + "narHash": "sha256-4qwMlR0Q4Zr2rjUFauYIldfjzffYt3G5tZ1uPFPPYGU=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "203a7b463f307c60026136dd1191d9001c43457f", + "rev": "ba2b3b6c0bc42442559a3b090f032bc8d501f5e3", "type": "github" }, "original": { @@ -657,11 +658,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754002724, - "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=", + "lastModified": 1756686622, + "narHash": "sha256-7RIjltx7tQAr/pDmcb/zNNgRtUDlXh+EppSEqD4IIa8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8271ed4b2e366339dd622f329151e45745ade121", + "rev": "23da0aa9ec413ed894af3fdc6313e6b8ff623833", "type": "github" }, "original": { @@ -688,11 +689,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1756578978, - "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=", + "lastModified": 1758012326, + "narHash": "sha256-5xX26DjtxxFAw4IyZATzUs2UYghdmcpyZ93whojp828=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23", + "rev": "1bc4de0728f2eb1602fc5cce4122f2e999bc9d35", "type": "github" }, "original": { @@ -720,11 +721,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1756653691, - "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=", + "lastModified": 1758141327, + "narHash": "sha256-s21soW4Y0C+unFk4zfQc33npYfW9dV5GOE6zjofn2vc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b", + "rev": "f6bf53c73226d0809b9f1e5bcf9a58ba00234738", "type": "github" }, "original": { 
@@ -752,11 +753,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1756542300, - "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", + "lastModified": 1757745802, + "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", + "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", "type": "github" }, "original": { @@ -768,11 +769,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1756536218, - "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=", + "lastModified": 1756696532, + "narHash": "sha256-6FWagzm0b7I/IGigOv9pr6LL7NQ86mextfE8g8Q6HBg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1", + "rev": "58dcbf1ec551914c3756c267b8b9c8c86baa1b2f", "type": "github" }, "original": { @@ -784,11 +785,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "lastModified": 1757746433, + "narHash": "sha256-fEvTiU4s9lWgW7mYEU/1QUPirgkn+odUBTaindgiziY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "rev": "6d7ec06d6868ac6d94c371458fc2391ded9ff13d", "type": "github" }, "original": { @@ -800,11 +801,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", + "lastModified": 1756819007, + "narHash": "sha256-12V64nKG/O/guxSYnr5/nq1EfqwJCdD2+cIGmhz3nrE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", + "rev": "aaff8c16d7fc04991cac6245bee1baa31f72b1e1", "type": "github" }, "original": { 
@@ -826,11 +827,11 @@ ] }, "locked": { - "lastModified": 1751906969, - "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", + "lastModified": 1756961635, + "narHash": "sha256-hETvQcILTg5kChjYNns1fD5ELdsYB/VVgVmBtqKQj9A=", "owner": "nix-community", "repo": "NUR", - "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", + "rev": "6ca27b2654ac55e3f6e0ca434c1b4589ae22b370", "type": "github" }, "original": { @@ -848,11 +849,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1756646417, - "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=", + "lastModified": 1757955071, + "narHash": "sha256-owSpkt551cIqDDk5iHesdEus9REFeOIY3rY4C5ZPm/Y=", "owner": "notashelf", "repo": "nvf", - "rev": "939fb8cfc630190cd5607526f81693525e3d593b", + "rev": "1bd9fc116420db4c1156819d61df5d5312e1bbea", "type": "github" }, "original": { @@ -910,11 +911,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1756597274, - "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=", + "lastModified": 1757362324, + "narHash": "sha256-/PAhxheUq4WBrW5i/JHzcCqK5fGWwLKdH6/Lu1tyS18=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30", + "rev": "9edc9cbe5d8e832b5864e09854fa94861697d2fd", "type": "github" }, "original": { @@ -924,6 +925,27 @@ "type": "github" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "himmelblau", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1758076341, + "narHash": "sha256-ZKi6pyRDw2/3xU7qxd+2+lneQXUOe92TiF+10DflolM=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "562fb6f14678eb9b8a36829140f6a4d0737776d2", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "snowfall-lib": { "inputs": { "flake-compat": "flake-compat_5", 
@@ -951,11 +973,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1754988908, - "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", + "lastModified": 1758007585, + "narHash": "sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", + "rev": "f77d4cfa075c3de66fc9976b80e0c4fc69e2c139", "type": "github" }, "original": { @@ -983,11 +1005,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1755997543, - "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=", + "lastModified": 1757956156, + "narHash": "sha256-f0W7qbsCqpi6swQ5w8H+0YrAbNwsHgCFDkNRMTJjqrE=", "owner": "nix-community", "repo": "stylix", - "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8", + "rev": "0ce0103b498bb22f899ed8862d8d7f9503ed9cdb", "type": "github" }, "original": { @@ -1122,11 +1144,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1750770351, - "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=", + "lastModified": 1754779259, + "narHash": "sha256-8KG2lXGaXLUE0F/JVwLQe7kOVm21IDfNEo0gfga5P4M=", "owner": "tinted-theming", "repo": "schemes", - "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a", + "rev": "097d751b9e3c8b97ce158e7d141e5a292545b502", "type": "github" }, "original": { @@ -1138,11 +1160,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1751159871, - "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=", + "lastModified": 1754788770, + "narHash": "sha256-LAu5nBr7pM/jD9jwFc6/kyFY4h7Us4bZz7dvVvehuwo=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c", + "rev": "fb2175accef8935f6955503ec9dd3c973eec385c", "type": "github" }, "original": { 
@@ -1154,11 +1176,11 @@
 "tinted-zed": {
 "flake": false,
 "locked": {
- "lastModified": 1751158968,
- "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=",
+ "lastModified": 1755613540,
+ "narHash": "sha256-zBFrrTxHLDMDX/OYxkCwGGbAhPXLi8FrnLhYLsSOKeY=",
 "owner": "tinted-theming",
 "repo": "base16-zed",
- "rev": "86a470d94204f7652b906ab0d378e4231a5b3384",
+ "rev": "937bada16cd3200bdbd3a2f5776fc3b686d5cba0",
 "type": "github"
 },
 "original": {
@@ -1175,11 +1197,11 @@
 ]
 },
 "locked": {
- "lastModified": 1756876659,
- "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=",
+ "lastModified": 1758140427,
+ "narHash": "sha256-c23dzaQm2s57MN1kB3P5wORzIy0Ux0HMizBCQSPU8Fg=",
 "owner": "0xc000022070",
 "repo": "zen-browser-flake",
- "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529",
+ "rev": "a22c92d3424bacc159e7fbd1fb679e52396f0022",
 "type": "github"
 },
 "original": {
From 0fd9b0264f0b6d8745741cf7cd08185c29d5aaa5 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 8 Oct 2025 07:45:27 +0200
Subject: [PATCH 092/174] add static ip's

---
 systems/x86_64-linux/ulmo/default.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index 4d1c4ab..0f3ac1c 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@@ -5,6 +5,16 @@
 ./hardware.nix
 ];

+ networking.interfaces.enp2s0 = {
+ ipv6.addresses = [
+ { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; }
+ ];
+
+ ipv4.addresses = [
+ { address = "192.168.1.3"; prefixLength = 16; }
+ ];
+ };
+
 sneeuwvlok = {
 services = {
 authentication.authelia.enable = true;
From 8c6fe96e598a115c42e37d7d694cd977e13472a8 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 8 Oct 2025 20:17:20 +0200
Subject: [PATCH 093/174] kaas

---
 justfile | 4 ++++
 modules/home/themes/default.nix | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 justfile
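Review bot: `prefixLength = 16` on `192.168.1.3` makes all of 192.168.0.0/16 on-link for `enp2s0`; if the LAN is really 192.168.1.0/24, as a .1.x address usually implies, this should read `{ address = "192.168.1.3"; prefixLength = 24; }`, otherwise traffic for any other 192.168.x.0/24 network is resolved locally instead of being routed. The hunk also adds static addresses without a `networking.defaultGateway`/`defaultGateway6` or `nameservers` in view, so unless DHCP remains enabled on the interface the host will have addresses but no route out; a short comment stating which it is would save the next reader a guess. The enclosing module attribute set starts before and ends after the hunk.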
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..ab466bb
--- /dev/null
+++ b/justfile
@@ -0,0 +1,4 @@
+
+try-again:
+ nix flake update amarth-customer-portal
+ nix flake check --all-systems --show-trace
\ No newline at end of file
diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix
index 276e850..f69e2bb 100644
--- a/modules/home/themes/default.nix
+++ b/modules/home/themes/default.nix
@@ -31,7 +31,7 @@ in {
 base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml";
 image = ./${cfg.theme}.jpg;
 polarity = cfg.polarity;
- targets.qt.platform = mkDefault "kde6";
+ targets.qt.platform = mkDefault "kde";

 fonts = {
 serif = {
From 96dc1d47e6525a403d6112bdd40a9327186086ed Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 8 Oct 2025 20:21:38 +0200
Subject: [PATCH 094/174] update deps

---
 flake.lock | 174 ++++++++++++++++++++++++++--------------------------
 1 file changed, 87 insertions(+), 87 deletions(-)

diff --git a/flake.lock b/flake.lock
index 528d3cd..97e955b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -73,11 +73,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1757697130,
- "narHash": "sha256-xEL7Ou/TQ1gYz4EXTwWOuMbySDNak9aTZHggjgWIh3E=",
+ "lastModified": 1759842236,
+ "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=",
 "owner": "emmanuelrosa",
 "repo": "erosanix",
- "rev": "e15b6c60f9d93ef0dcfdd7d333b234fbe225288d",
+ "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a",
 "type": "github"
 },
 "original": {
@@ -94,11 +94,11 @@
 "rust-analyzer-src": "rust-analyzer-src"
 },
 "locked": {
- "lastModified": 1758091097,
- "narHash": "sha256-p2FIwAaUCoKY9mZSPAMQYQ7CwwhfvGC4VIfLapAdfOE=",
+ "lastModified": 1759732757,
+ "narHash": "sha256-RUR2yXYbKSoDvI/JdH0AvojFjhCfxBXOA/BtGUpaoR0=",
 "owner": "nix-community",
 "repo": "fenix",
- "rev": "b60fe116b9495df516f57837bb04a4f89f3aa7ed",
+ "rev": "1d3600dda5c27ddbc9c424bb4edae744bdb9b14d",
 "type": "github"
 },
 "original": {
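Review bot: The new `justfile` ends without a trailing newline (`\ No newline at end of file`) and opens with an empty line ahead of its only recipe, both of which will show up as noise in every future diff of the file. Add the final newline, drop the leading blank, and give the recipe a one-line purpose comment since its name does not say what it retries, e.g. `# re-lock amarth-customer-portal and run the full flake check`. The file is complete within the hunk.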
@@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1758026061, - "narHash": "sha256-C9k9zXbQrXCA4mgaEwpV8YyOWz/hLEc+Yu0GGWf3SVs=", + "lastModified": 1759927047, + "narHash": "sha256-B+uj2hquUMs+TND/8Q18oPBMZuROZXSOmebw6KxczhU=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "3ec1499fdac54c0d3e14d6a69470cfe267b364a9", + "rev": "b609976b0eee8b774b97a75cb4e85b4625b6669a", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1756083905, - "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=", + "lastModified": 1758112371, + "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808", + "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", "type": "github" }, "original": { @@ -230,11 +230,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1759362264, + "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "type": "github" }, "original": { @@ -433,11 +433,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1758132240, - "narHash": "sha256-Pie3Hfqc9MMUmzSj17ikYsF+DWbJt0TWcmROaQkyliw=", + "lastModified": 1759784366, + "narHash": "sha256-q+V22+67JYhsplUaimsDDX+oPaYke5f0UGewDiB9Vgc=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "aee341588eb2cd23ba0ca2c8c4e36a74c81e9676", + "rev": "e7d38a60b679a556201a29b94a60d996369f996d", "type": "github" }, "original": { 
@@ -453,11 +453,11 @@ ] }, "locked": { - "lastModified": 1758119172, - "narHash": "sha256-LnVuGLf0PJHqqIHroxEzwXS57mjAdHSrXi0iODKbbiU=", + "lastModified": 1759853171, + "narHash": "sha256-uqbhyXtqMbYIiMqVqUhNdSuh9AEEkiasoK3mIPIVRhk=", "owner": "nix-community", "repo": "home-manager", - "rev": "9f408dc51c8e8216a94379e6356bdadbe8b4fef9", + "rev": "1a09eb84fa9e33748432a5253102d01251f72d6d", "type": "github" }, "original": { @@ -495,11 +495,11 @@ ] }, "locked": { - "lastModified": 1757230583, - "narHash": "sha256-4uqu7sFPOaVTCogsxaGMgbzZ2vK40GVGMfUmrvK3/LY=", + "lastModified": 1759815224, + "narHash": "sha256-HbdOyjqHm38j6o5mV24i0bn+r5ykS+VJBnWJuZ0fE+A=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "fc3960e6c32c9d4f95fff2ef84444284d24d3bea", + "rev": "ee974f496a080c61b3164992c850f43741edcc52", "type": "github" }, "original": { @@ -529,11 +529,11 @@ }, "mnw": { "locked": { - "lastModified": 1756659871, - "narHash": "sha256-v6Rh4aQ6RKjM2N02kK9Usn0Ix7+OY66vNpeklc1MnGE=", + "lastModified": 1758834834, + "narHash": "sha256-Y7IvY4F8vajZyp3WGf+KaiIVwondEkMFkt92Cr9NZmg=", "owner": "Gerg-L", "repo": "mnw", - "rev": "ed6cc3e48557ba18266e598a5ebb6602499ada16", + "rev": "cfbc7d1cc832e318d0863a5fc91d940a96034001", "type": "github" }, "original": { @@ -571,11 +571,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1758073856, - "narHash": "sha256-2KU4Sb2WynjwKQ/+MkKjc6mpCiGfuRRQozR267cK8WI=", + "lastModified": 1758765258, + "narHash": "sha256-orU21BYUJn/7zMhIYbY7T5EDqZ8NtRMSH/f8Qtu047Q=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "e8c58a920fb430a70498b3c517fd91c768423c4b", + "rev": "5a6c66b90ab4519b7578b54300abc308008c544e", "type": "github" }, "original": { 
@@ -643,11 +643,11 @@ ] }, "locked": { - "lastModified": 1758123407, - "narHash": "sha256-4qwMlR0Q4Zr2rjUFauYIldfjzffYt3G5tZ1uPFPPYGU=", + "lastModified": 1759833546, + "narHash": "sha256-rOfkgIiiZNPUbf61OqEym60wXEODeDG8XH+gV/SUoUc=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "ba2b3b6c0bc42442559a3b090f032bc8d501f5e3", + "rev": "7c0c0f4c3a51761434f18209fa9499b8579ff730", "type": "github" }, "original": { @@ -658,11 +658,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1756686622, - "narHash": "sha256-7RIjltx7tQAr/pDmcb/zNNgRtUDlXh+EppSEqD4IIa8=", + "lastModified": 1759360550, + "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "23da0aa9ec413ed894af3fdc6313e6b8ff623833", + "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", "type": "github" }, "original": { @@ -689,11 +689,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1758012326, - "narHash": "sha256-5xX26DjtxxFAw4IyZATzUs2UYghdmcpyZ93whojp828=", + "lastModified": 1759860509, + "narHash": "sha256-c7eJvqAlWLhwNc9raHkQ7mvoFbHLUO/cLMrww1ds4Zg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1bc4de0728f2eb1602fc5cce4122f2e999bc9d35", + "rev": "b574dcadf3fb578dee8d104b565bd745a5a9edc0", "type": "github" }, "original": { @@ -721,11 +721,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1758141327, - "narHash": "sha256-s21soW4Y0C+unFk4zfQc33npYfW9dV5GOE6zjofn2vc=", + "lastModified": 1759946387, + "narHash": "sha256-osFkgEOTMn7OkodiJWsW2gBoG6SUYEeTjnJ0w3xhTUE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f6bf53c73226d0809b9f1e5bcf9a58ba00234738", + "rev": "5515ead7186c905b21b9858706b4d8e965df507f", "type": "github" }, "original": { 
@@ -753,11 +753,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1757745802, - "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", + "lastModified": 1759831965, + "narHash": "sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH+47XEBo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", + "rev": "c9b6fb798541223bbb396d287d16f43520250518", "type": "github" }, "original": { @@ -769,11 +769,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1756696532, - "narHash": "sha256-6FWagzm0b7I/IGigOv9pr6LL7NQ86mextfE8g8Q6HBg=", + "lastModified": 1759386674, + "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "58dcbf1ec551914c3756c267b8b9c8c86baa1b2f", + "rev": "625ad6366178f03acd79f9e3822606dd7985b657", "type": "github" }, "original": { @@ -785,11 +785,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1757746433, - "narHash": "sha256-fEvTiU4s9lWgW7mYEU/1QUPirgkn+odUBTaindgiziY=", + "lastModified": 1759570798, + "narHash": "sha256-kbkzsUKYzKhuvMOuxt/aTwWU2mnrwoY964yN3Y4dE98=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6d7ec06d6868ac6d94c371458fc2391ded9ff13d", + "rev": "0d4f673a88f8405ae14484e6a1ea870e0ba4ca26", "type": "github" }, "original": { @@ -801,11 +801,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1756819007, - "narHash": "sha256-12V64nKG/O/guxSYnr5/nq1EfqwJCdD2+cIGmhz3nrE=", + "lastModified": 1758690382, + "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "aaff8c16d7fc04991cac6245bee1baa31f72b1e1", + "rev": "e643668fd71b949c53f8626614b21ff71a07379d", "type": "github" }, "original": { 
@@ -827,11 +827,11 @@ ] }, "locked": { - "lastModified": 1756961635, - "narHash": "sha256-hETvQcILTg5kChjYNns1fD5ELdsYB/VVgVmBtqKQj9A=", + "lastModified": 1758998580, + "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", "owner": "nix-community", "repo": "NUR", - "rev": "6ca27b2654ac55e3f6e0ca434c1b4589ae22b370", + "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", "type": "github" }, "original": { @@ -849,11 +849,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1757955071, - "narHash": "sha256-owSpkt551cIqDDk5iHesdEus9REFeOIY3rY4C5ZPm/Y=", + "lastModified": 1759942631, + "narHash": "sha256-guXaJ4ktb5DW2RrtRhThX6PyH5A2wW+XTJ4Qu1AEXhA=", "owner": "notashelf", "repo": "nvf", - "rev": "1bd9fc116420db4c1156819d61df5d5312e1bbea", + "rev": "314962bcb4d4da82c53ab343da1b09cffaa68c61", "type": "github" }, "original": { @@ -872,11 +872,11 @@ ] }, "locked": { - "lastModified": 1756632588, - "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", + "lastModified": 1759321049, + "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", + "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", "type": "github" }, "original": { @@ -911,11 +911,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1757362324, - "narHash": "sha256-/PAhxheUq4WBrW5i/JHzcCqK5fGWwLKdH6/Lu1tyS18=", + "lastModified": 1759691178, + "narHash": "sha256-O11yp/in47Ef1jLsEgNACXuziuRSSV4RAuxIWTdKI9w=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "9edc9cbe5d8e832b5864e09854fa94861697d2fd", + "rev": "f0b496cbc774f589de0d46bb9c291ff7ff0329da", "type": "github" }, "original": { 
@@ -933,11 +933,11 @@ ] }, "locked": { - "lastModified": 1758076341, - "narHash": "sha256-ZKi6pyRDw2/3xU7qxd+2+lneQXUOe92TiF+10DflolM=", + "lastModified": 1759890791, + "narHash": "sha256-KN1xkrQ4x6u8plgg43ZiYbQmESxeCKKOzALKjqbn4LM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "562fb6f14678eb9b8a36829140f6a4d0737776d2", + "rev": "74fcbc183aa6685f86008606bb7824bf2f40adbd", "type": "github" }, "original": { @@ -973,11 +973,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1758007585, - "narHash": "sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c=", + "lastModified": 1759635238, + "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f77d4cfa075c3de66fc9976b80e0c4fc69e2c139", + "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133", "type": "github" }, "original": { @@ -1005,11 +1005,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1757956156, - "narHash": "sha256-f0W7qbsCqpi6swQ5w8H+0YrAbNwsHgCFDkNRMTJjqrE=", + "lastModified": 1759690047, + "narHash": "sha256-Vlpa0d1xOgPO9waHwxJNi6LcD2PYqB3EjwLRtSxXlHc=", "owner": "nix-community", "repo": "stylix", - "rev": "0ce0103b498bb22f899ed8862d8d7f9503ed9cdb", + "rev": "09022804b2bcd217f3a41a644d26b23d30375d12", "type": "github" }, "original": { @@ -1144,11 +1144,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1754779259, - "narHash": "sha256-8KG2lXGaXLUE0F/JVwLQe7kOVm21IDfNEo0gfga5P4M=", + "lastModified": 1757716333, + "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", "owner": "tinted-theming", "repo": "schemes", - "rev": "097d751b9e3c8b97ce158e7d141e5a292545b502", + "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", "type": "github" }, "original": { 
@@ -1160,11 +1160,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1754788770, - "narHash": "sha256-LAu5nBr7pM/jD9jwFc6/kyFY4h7Us4bZz7dvVvehuwo=", + "lastModified": 1757811970, + "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "fb2175accef8935f6955503ec9dd3c973eec385c", + "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", "type": "github" }, "original": { @@ -1176,11 +1176,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1755613540, - "narHash": "sha256-zBFrrTxHLDMDX/OYxkCwGGbAhPXLi8FrnLhYLsSOKeY=", + "lastModified": 1757811247, + "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "937bada16cd3200bdbd3a2f5776fc3b686d5cba0", + "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", "type": "github" }, "original": { @@ -1197,11 +1197,11 @@ ] }, "locked": { - "lastModified": 1758140427, - "narHash": "sha256-c23dzaQm2s57MN1kB3P5wORzIy0Ux0HMizBCQSPU8Fg=", + "lastModified": 1759900726, + "narHash": "sha256-DXgznNT8CA50WUIlQkI5BsEqNcbPDFF+26PPRYeB3sA=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "a22c92d3424bacc159e7fbd1fb679e52396f0022", + "rev": "8ce7d926dbec820ab5686d599bc6a1bd19ed1273", "type": "github" }, "original": { From ce2002884e751465fa5a13160a49823a6a8f0dea Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 8 Oct 2025 20:25:39 +0200 Subject: [PATCH 095/174] fix updated option --- modules/nixos/hardware/gpu/amd/default.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/nixos/hardware/gpu/amd/default.nix b/modules/nixos/hardware/gpu/amd/default.nix index 68db574..cdc9d1e 100644 --- a/modules/nixos/hardware/gpu/amd/default.nix +++ b/modules/nixos/hardware/gpu/amd/default.nix @@ -17,11 +17,6 @@ in }; amdgpu = { - amdvlk = { - enable = true; - support32Bit.enable = true; - }; - initrd.enable = true; }; }; 
From 22383b005a224fecadc1b8f6432a2f9d74f87064 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 8 Oct 2025 20:35:16 +0200 Subject: [PATCH 096/174] renamed options --- modules/home/shell/toolset/git/default.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/home/shell/toolset/git/default.nix b/modules/home/shell/toolset/git/default.nix index 3edfb60..299b2a6 100644 --- a/modules/home/shell/toolset/git/default.nix +++ b/modules/home/shell/toolset/git/default.nix @@ -31,9 +31,11 @@ in package = pkgs.gitFull; difftastic = { enable = true; - background = "dark"; - color = "always"; - display = "inline"; + options = { + background = "dark"; + color = "always"; + display = "inline"; + }; }; ignores = [ From d7dc0c1428bd8c2751bde7a0abea937a437c258f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 14 Oct 2025 18:33:28 +0200 Subject: [PATCH 097/174] update deps --- flake.lock | 109 +++++++++++++++++++++++++++-------------------------- 1 file changed, 55 insertions(+), 54 deletions(-) diff --git a/flake.lock b/flake.lock index 97e955b..0f6b5fd 100644 --- a/flake.lock +++ b/flake.lock @@ -21,16 +21,17 @@ "base16-fish": { "flake": false, "locked": { - "lastModified": 1622559957, - "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", + "lastModified": 1754405784, + "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=", "owner": "tomyun", "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", + "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", "type": "github" }, "original": { "owner": "tomyun", "repo": "base16-fish", + "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", "type": "github" } }, 
@@ -94,11 +95,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1759732757, - "narHash": "sha256-RUR2yXYbKSoDvI/JdH0AvojFjhCfxBXOA/BtGUpaoR0=", + "lastModified": 1760424233, + "narHash": "sha256-8jLfVik1ccwmacVW5BlprmsuK534rT5HjdPhkSaew44=", "owner": "nix-community", "repo": "fenix", - "rev": "1d3600dda5c27ddbc9c424bb4edae744bdb9b14d", + "rev": "48a763cdc0b2d07199a021de99c2ca50af76e49f", "type": "github" }, "original": { @@ -114,11 +115,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1759927047, - "narHash": "sha256-B+uj2hquUMs+TND/8Q18oPBMZuROZXSOmebw6KxczhU=", + "lastModified": 1760448784, + "narHash": "sha256-C3Q8dUspgTLyCgo+WbmuPjOqRyToj/RyOKgoYdVaWCk=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "b609976b0eee8b774b97a75cb4e85b4625b6669a", + "rev": "7fc4743ff124f7eef21cfbaf92ced47e997a19ca", "type": "github" }, "original": { @@ -433,11 +434,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1759784366, - "narHash": "sha256-q+V22+67JYhsplUaimsDDX+oPaYke5f0UGewDiB9Vgc=", + "lastModified": 1760385966, + "narHash": "sha256-Wy6uaCERp2Hvh+lFkdg9Z1z5j8/asZ5zbhI1q2eYv98=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "e7d38a60b679a556201a29b94a60d996369f996d", + "rev": "4361431c4c69af34f75aa74cdb18625c4dbc3f7e", "type": "github" }, "original": { @@ -453,11 +454,11 @@ ] }, "locked": { - "lastModified": 1759853171, - "narHash": "sha256-uqbhyXtqMbYIiMqVqUhNdSuh9AEEkiasoK3mIPIVRhk=", + "lastModified": 1760312644, + "narHash": "sha256-U9SkK45314urw9P7MmjhEgiQwwD/BTj+T3HTuz1JU1Q=", "owner": "nix-community", "repo": "home-manager", - "rev": "1a09eb84fa9e33748432a5253102d01251f72d6d", + "rev": "e121f3773fa596ecaba5b22e518936a632d72a90", "type": "github" }, "original": { 
@@ -495,11 +496,11 @@ ] }, "locked": { - "lastModified": 1759815224, - "narHash": "sha256-HbdOyjqHm38j6o5mV24i0bn+r5ykS+VJBnWJuZ0fE+A=", + "lastModified": 1760266702, + "narHash": "sha256-TP19RpzIyo1JeYAhKii13seYwmhkv7IOD+dCnQOrcgQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "ee974f496a080c61b3164992c850f43741edcc52", + "rev": "3d7e970d4cac5d3ee3fe7cafa17cc9868fa21fed", "type": "github" }, "original": { @@ -571,11 +572,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1758765258, - "narHash": "sha256-orU21BYUJn/7zMhIYbY7T5EDqZ8NtRMSH/f8Qtu047Q=", + "lastModified": 1760406860, + "narHash": "sha256-f8BSmC/juCHkptH7MCI/6rAbgFjnvuNpZFaM79Cz7gI=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "5a6c66b90ab4519b7578b54300abc308008c544e", + "rev": "d7faac42b9378fb328c075d0009bf5360c3b70a3", "type": "github" }, "original": { @@ -643,11 +644,11 @@ ] }, "locked": { - "lastModified": 1759833546, - "narHash": "sha256-rOfkgIiiZNPUbf61OqEym60wXEODeDG8XH+gV/SUoUc=", + "lastModified": 1760454217, + "narHash": "sha256-qG4cQaYRKrAMj4OjISYYoWqJc+xcoJnLx2jsws7EdGg=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "7c0c0f4c3a51761434f18209fa9499b8579ff730", + "rev": "a8209ae46721f2a70214d0a70388a812ec7740da", "type": "github" }, "original": { @@ -689,11 +690,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1759860509, - "narHash": "sha256-c7eJvqAlWLhwNc9raHkQ7mvoFbHLUO/cLMrww1ds4Zg=", + "lastModified": 1760435515, + "narHash": "sha256-E9D5sWHmPCmWsrCB3Jogvr/7ODiVaKynDrOpG4ba2tI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b574dcadf3fb578dee8d104b565bd745a5a9edc0", + "rev": "db25466bd95abdbe3012be2900a5562fcfb95d51", "type": "github" }, "original": { 
@@ -721,11 +722,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1759946387, - "narHash": "sha256-osFkgEOTMn7OkodiJWsW2gBoG6SUYEeTjnJ0w3xhTUE=", + "lastModified": 1760459309, + "narHash": "sha256-jEf6CyFUeKxnivJegy4z1AfJplv+PR3+2SpLfAiV0sc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5515ead7186c905b21b9858706b4d8e965df507f", + "rev": "e657b896620d59da27648042cbe13a29e688ef8a", "type": "github" }, "original": { @@ -753,11 +754,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1759831965, - "narHash": "sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH+47XEBo=", + "lastModified": 1760284886, + "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c9b6fb798541223bbb396d287d16f43520250518", + "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", "type": "github" }, "original": { @@ -785,11 +786,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1759570798, - "narHash": "sha256-kbkzsUKYzKhuvMOuxt/aTwWU2mnrwoY964yN3Y4dE98=", + "lastModified": 1760164275, + "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0d4f673a88f8405ae14484e6a1ea870e0ba4ca26", + "rev": "362791944032cb532aabbeed7887a441496d5e6e", "type": "github" }, "original": { @@ -849,11 +850,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1759942631, - "narHash": "sha256-guXaJ4ktb5DW2RrtRhThX6PyH5A2wW+XTJ4Qu1AEXhA=", + "lastModified": 1760153667, + "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", "owner": "notashelf", "repo": "nvf", - "rev": "314962bcb4d4da82c53ab343da1b09cffaa68c61", + "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", "type": "github" }, "original": { 
@@ -911,11 +912,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1759691178, - "narHash": "sha256-O11yp/in47Ef1jLsEgNACXuziuRSSV4RAuxIWTdKI9w=", + "lastModified": 1760260966, + "narHash": "sha256-pOVvZz/aa+laeaUKyE6PtBevdo4rywMwjhWdSZE/O1c=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "f0b496cbc774f589de0d46bb9c291ff7ff0329da", + "rev": "c5181dbbe33af6f21b9d83e02fdb6fda298a3b65", "type": "github" }, "original": { @@ -933,11 +934,11 @@ ] }, "locked": { - "lastModified": 1759890791, - "narHash": "sha256-KN1xkrQ4x6u8plgg43ZiYbQmESxeCKKOzALKjqbn4LM=", + "lastModified": 1760409263, + "narHash": "sha256-GvcdHmY3nZnU6GnUkEG1a7pDZPgFcuN+zGv3OgvfPH0=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "74fcbc183aa6685f86008606bb7824bf2f40adbd", + "rev": "5694018463c2134e2369996b38deed41b1b9afc1", "type": "github" }, "original": { @@ -973,11 +974,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1759635238, - "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=", + "lastModified": 1760393368, + "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", "owner": "Mic92", "repo": "sops-nix", - "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133", + "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", "type": "github" }, "original": { @@ -1005,11 +1006,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1759690047, - "narHash": "sha256-Vlpa0d1xOgPO9waHwxJNi6LcD2PYqB3EjwLRtSxXlHc=", + "lastModified": 1760350849, + "narHash": "sha256-JqcM5Pkm5q1c9D5zpINJsN1yCB4Vq1cL12ZuFyo32T4=", "owner": "nix-community", "repo": "stylix", - "rev": "09022804b2bcd217f3a41a644d26b23d30375d12", + "rev": "7b4957d716f4fb615bf0e37d3b23c112579b1408", "type": "github" }, "original": { 
@@ -1197,11 +1198,11 @@ ] }, "locked": { - "lastModified": 1759900726, - "narHash": "sha256-DXgznNT8CA50WUIlQkI5BsEqNcbPDFF+26PPRYeB3sA=", + "lastModified": 1760426393, + "narHash": "sha256-wKiqhDgXwicdVNSJGwJPeTxnNPhzKcy9RqptzFcdFe4=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "8ce7d926dbec820ab5686d599bc6a1bd19ed1273", + "rev": "0618a22e6fb6f13181807f0e14087192d459b2a0", "type": "github" }, "original": { From ac0a2d523e7965d0cced677a16cec5ea7c15c8d3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 15 Oct 2025 21:18:12 +0200 Subject: [PATCH 098/174] . --- justfile => .justfile | 0 flake.lock | 78 ++++++++++----------- modules/home/shell/default.nix | 1 + modules/home/shell/toolset/just/default.nix | 15 ++++ modules/home/themes/default.nix | 2 +- modules/nixos/desktop/plasma/default.nix | 13 +++- systems/x86_64-linux/manwe/default.nix | 2 + systems/x86_64-linux/manwe/disks.nix | 10 +-- 8 files changed, 75 insertions(+), 46 deletions(-) rename justfile => .justfile (100%) create mode 100644 modules/home/shell/toolset/just/default.nix diff --git a/justfile b/.justfile similarity index 100% rename from justfile rename to .justfile diff --git a/flake.lock b/flake.lock index 0f6b5fd..2bc7385 100644 --- a/flake.lock +++ b/flake.lock @@ -95,11 +95,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1760424233, - "narHash": "sha256-8jLfVik1ccwmacVW5BlprmsuK534rT5HjdPhkSaew44=", + "lastModified": 1760510549, + "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", "owner": "nix-community", "repo": "fenix", - "rev": "48a763cdc0b2d07199a021de99c2ca50af76e49f", + "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", "type": "github" }, "original": { 
@@ -115,11 +115,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1760448784, - "narHash": "sha256-C3Q8dUspgTLyCgo+WbmuPjOqRyToj/RyOKgoYdVaWCk=", + "lastModified": 1760548798, + "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "7fc4743ff124f7eef21cfbaf92ced47e997a19ca", + "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", "type": "github" }, "original": { @@ -434,11 +434,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1760385966, - "narHash": "sha256-Wy6uaCERp2Hvh+lFkdg9Z1z5j8/asZ5zbhI1q2eYv98=", + "lastModified": 1760546650, + "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "4361431c4c69af34f75aa74cdb18625c4dbc3f7e", + "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", "type": "github" }, "original": { @@ -454,11 +454,11 @@ ] }, "locked": { - "lastModified": 1760312644, - "narHash": "sha256-U9SkK45314urw9P7MmjhEgiQwwD/BTj+T3HTuz1JU1Q=", + "lastModified": 1760500983, + "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", "owner": "nix-community", "repo": "home-manager", - "rev": "e121f3773fa596ecaba5b22e518936a632d72a90", + "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", "type": "github" }, "original": { @@ -496,11 +496,11 @@ ] }, "locked": { - "lastModified": 1760266702, - "narHash": "sha256-TP19RpzIyo1JeYAhKii13seYwmhkv7IOD+dCnQOrcgQ=", + "lastModified": 1760534924, + "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "3d7e970d4cac5d3ee3fe7cafa17cc9868fa21fed", + "rev": "100b4e000032b865563a9754e5bca189bc544764", "type": "github" }, "original": { 
@@ -572,11 +572,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1760406860, - "narHash": "sha256-f8BSmC/juCHkptH7MCI/6rAbgFjnvuNpZFaM79Cz7gI=", + "lastModified": 1760493654, + "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "d7faac42b9378fb328c075d0009bf5360c3b70a3", + "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", "type": "github" }, "original": { @@ -644,11 +644,11 @@ ] }, "locked": { - "lastModified": 1760454217, - "narHash": "sha256-qG4cQaYRKrAMj4OjISYYoWqJc+xcoJnLx2jsws7EdGg=", + "lastModified": 1760536587, + "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "a8209ae46721f2a70214d0a70388a812ec7740da", + "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", "type": "github" }, "original": { @@ -690,11 +690,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1760435515, - "narHash": "sha256-E9D5sWHmPCmWsrCB3Jogvr/7ODiVaKynDrOpG4ba2tI=", + "lastModified": 1760479263, + "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "db25466bd95abdbe3012be2900a5562fcfb95d51", + "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", "type": "github" }, "original": { @@ -722,11 +722,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760459309, - "narHash": "sha256-jEf6CyFUeKxnivJegy4z1AfJplv+PR3+2SpLfAiV0sc=", + "lastModified": 1760548845, + "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e657b896620d59da27648042cbe13a29e688ef8a", + "rev": "631597d659c37aa267eed8334271d5205244195e", "type": "github" }, "original": { 
@@ -912,11 +912,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1760260966, - "narHash": "sha256-pOVvZz/aa+laeaUKyE6PtBevdo4rywMwjhWdSZE/O1c=", + "lastModified": 1760457219, + "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "c5181dbbe33af6f21b9d83e02fdb6fda298a3b65", + "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", "type": "github" }, "original": { @@ -934,11 +934,11 @@ ] }, "locked": { - "lastModified": 1760409263, - "narHash": "sha256-GvcdHmY3nZnU6GnUkEG1a7pDZPgFcuN+zGv3OgvfPH0=", + "lastModified": 1760495781, + "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "5694018463c2134e2369996b38deed41b1b9afc1", + "rev": "11e0852a2aa3a65955db5824262d76933750e299", "type": "github" }, "original": { @@ -1006,11 +1006,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760350849, - "narHash": "sha256-JqcM5Pkm5q1c9D5zpINJsN1yCB4Vq1cL12ZuFyo32T4=", + "lastModified": 1760472212, + "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", "owner": "nix-community", "repo": "stylix", - "rev": "7b4957d716f4fb615bf0e37d3b23c112579b1408", + "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", "type": "github" }, "original": { @@ -1198,11 +1198,11 @@ ] }, "locked": { - "lastModified": 1760426393, - "narHash": "sha256-wKiqhDgXwicdVNSJGwJPeTxnNPhzKcy9RqptzFcdFe4=", + "lastModified": 1760466542, + "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "0618a22e6fb6f13181807f0e14087192d459b2a0", + "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", "type": "github" }, "original": { diff --git a/modules/home/shell/default.nix b/modules/home/shell/default.nix index d1df4cb..9968e54 100644 --- a/modules/home/shell/default.nix +++ b/modules/home/shell/default.nix 
@@ -17,6 +17,7 @@ in eza.enable = true; fzf.enable = true; git.enable = true; + just.enable = true; starship.enable = true; tmux.enable = true; yazi.enable = true; diff --git a/modules/home/shell/toolset/just/default.nix b/modules/home/shell/toolset/just/default.nix new file mode 100644 index 0000000..e956b2a --- /dev/null +++ b/modules/home/shell/toolset/just/default.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkEnableOption mkIf; + + cfg = config.${namespace}.shell.toolset.just; +in +{ + options.${namespace}.shell.toolset.just = { + enable = mkEnableOption "version-control system"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ just gum ]; + }; +} diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index f69e2bb..ede7c53 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,7 +31,7 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; - targets.qt.platform = mkDefault "kde"; +# targets.qt.platform = mkDefault "kde"; fonts = { serif = { diff --git a/modules/nixos/desktop/plasma/default.nix b/modules/nixos/desktop/plasma/default.nix index 11c0cd9..d1e2a28 100644 --- a/modules/nixos/desktop/plasma/default.nix +++ b/modules/nixos/desktop/plasma/default.nix @@ -12,7 +12,18 @@ in }; config = mkIf cfg.enable { - environment.plasma6.excludePackages = with pkgs.kdePackages; [ konsole kate ghostwriter oxygen ]; + environment.plasma6.excludePackages = with pkgs.kdePackages; [ + elisa + kmahjongg + kmines + konversation + kpat + ksudoku + konsole + kate + ghostwriter + oxygen + ]; environment.sessionVariables.NIXOS_OZONE_WL = "1"; services = { diff --git a/systems/x86_64-linux/manwe/default.nix b/systems/x86_64-linux/manwe/default.nix index 76d4e6d..c2d9978 100644 --- a/systems/x86_64-linux/manwe/default.nix +++ b/systems/x86_64-linux/manwe/default.nix 
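Review bot: The option description in the new just module is a copy-paste leftover: `enable = mkEnableOption "version-control system";` describes git, not the `just` command runner, so the generated option docs will read "Whether to enable version-control system.". Change it to something like `enable = mkEnableOption "the just command runner";`. The hunk also installs `gum` alongside `just` with no explanation; if it is there for interactive prompts in the recipes, a one-line comment such as `# gum: interactive prompts used by .justfile recipes — confirm` would save the next reader a guess.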
@@ -5,6 +5,8 @@ ./hardware.nix ]; + system.activationScripts.remove-gtkrc.text = "rm -f /home/chris/.gtkrc-2.0"; + sneeuwvlok = { hardware.has = { gpu.amd = true; diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index d68db6a..f33ec71 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix @@ -8,7 +8,7 @@ in swapDevices = []; boot.supportedFilesystems = [ "nfs" ]; - + fileSystems = { "/" = { device = "/dev/disk/by-label/nixos"; @@ -26,9 +26,9 @@ in fsType = "nfs"; }; - "/home/chris/mandos" = { - device = "mandos:/"; - fsType = "nfs"; - }; + # "/home/chris/mandos" = { + # device = "mandos:/"; + # fsType = "nfs"; + # }; }; } From 09a004ad9aec34c31b3f206ecdfe670691cdc633 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 9 Oct 2025 10:45:32 +0200 Subject: [PATCH 099/174] fix some ulmo config --- systems/x86_64-linux/ulmo/default.nix | 24 +++++++++++++++++------- systems/x86_64-linux/ulmo/disks.nix | 4 +--- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0f3ac1c..a601960 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -5,14 +5,24 @@ ./hardware.nix ]; - networking.interfaces.enp2s0 = { - ipv6.addresses = [ - { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } - ]; + networking = { + interfaces.enp2s0 = { + ipv6.addresses = [ + { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } + ]; - ipv4.addresses = [ - { address = "192.168.1.3"; prefixLength = 16; } - ]; + useDHCP = true; + }; + + defaultGateway = { + address = "192.168.1.1"; + interface = "enp2s0"; + }; + + defaultGateway6 = { + address = "fe80::1"; + interface = "enp2s0"; + }; }; sneeuwvlok = { diff --git a/systems/x86_64-linux/ulmo/disks.nix b/systems/x86_64-linux/ulmo/disks.nix index a4033f7..0b272f4 100644 --- a/systems/x86_64-linux/ulmo/disks.nix 
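Review bot: `system.activationScripts.remove-gtkrc.text = "rm -f /home/chris/.gtkrc-2.0";` runs as root on every activation against a file inside a user's home directory, with no comment saying why it exists or when it can go. If the file is there because a stylix/home-manager GTK target writes it (this same commit disables `targets.qt.platform`), the conflict belongs on the home-manager side — a `home.activation` entry running as the user, or disabling the GTK target — not a system-level script that silently deletes user files on every rebuild. At minimum record the intent and the exit condition: `# workaround: stale ~/.gtkrc-2.0 conflicts with home-manager's gtk target (presumed) — remove once confirmed fixed`.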
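Review bot: The ulmo hunk drops the static `192.168.1.3` address in favour of `useDHCP = true` on enp2s0 while keeping a static IPv6 address and a static `defaultGateway` on the same interface, so this host — which serves the identity provider and Matrix — now depends on the DHCP server handing out a stable lease for its A record and any LAN peers to keep working. Either keep the static `ipv4.addresses`, or document the reservation in place: `# IPv4 via DHCP; router reserves 192.168.1.3 for this MAC — keep in sync with DNS`. Also check `ip route` after the rebuild: the static `defaultGateway` and the DHCP-supplied default route will both be installed, which can leave a duplicate or conflicting default route.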
+++ b/systems/x86_64-linux/ulmo/disks.nix @@ -5,9 +5,7 @@ in { # TODO :: Implement disko at some point - swapDevices = [ - { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; } - ]; + swapDevices = []; boot.supportedFilesystems = [ "nfs" ]; From 6111ec165b69580cd0e6deffb8ec95a25eef722d Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 16 Oct 2025 14:53:29 +0200 Subject: [PATCH 100/174] move zitadel back to kruining.eu --- modules/nixos/services/authentication/zitadel/default.nix | 8 ++++---- modules/nixos/services/communication/matrix/default.nix | 4 ++-- modules/nixos/services/media/homer/default.nix | 2 +- modules/nixos/services/observability/grafana/default.nix | 6 +++--- modules/nixos/services/security/vaultwarden/default.nix | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 7edccc1..3b2a4a3 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -28,7 +28,7 @@ in settings = { Port = 9092; - ExternalDomain = "auth.amarth.cloud"; + ExternalDomain = "auth.kruining.eu"; ExternalPort = 443; ExternalSecure = true; @@ -60,7 +60,7 @@ in SMTPConfiguration = { SMTP = { Host = "black-mail.nl:587"; - User = "info@amarth.cloud"; + User = "chris@kruining.eu"; Password = "__TODO_USE_SOPS__"; }; FromName = "Amarth Zitadel"; @@ -84,7 +84,7 @@ in }; steps = { FirstInstance = { - InstanceName = "auth.amarth.cloud"; + InstanceName = "auth.kruining.eu"; Org = { Name = "Amarth"; Human = { @@ -116,7 +116,7 @@ in caddy = { enable = true; virtualHosts = { - "auth.amarth.cloud".extraConfig = '' + "auth.kruining.eu".extraConfig = '' reverse_proxy h2c://127.0.0.1:9092 ''; }; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index d0c6e45..38dfe0c 100644 
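Review bot: The SMTP block still carries `Password = "__TODO_USE_SOPS__";` directly under the `User` the hunk changes to `chris@kruining.eu`, so outbound mail from Zitadel either does not authenticate or, once someone fills the placeholder in, the credential lands in git and in a world-readable /nix/store file (everything in `services.zitadel.settings` is rendered there). The module already routes the master key through `sops.secrets."zitadel/masterKey"`; do the same for the SMTP password via a secret-only settings file — the NixOS zitadel module accepts extra settings YAML paths (`extraSettingsPaths`, if I recall the option name correctly) that can point at a sops-managed file containing just `SMTPConfiguration.SMTP.Password`. Also note `steps.FirstInstance.InstanceName` only applies on first initialisation, so changing it to `auth.kruining.eu` will not rename an instance that already exists.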
--- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -55,7 +55,7 @@ in idp_id = "zitadel"; idp_name = "Zitadel"; - issuer = "https://auth.amarth.cloud"; + issuer = "https://auth.kruining.eu"; client_id = "337858153251143939"; client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; scopes = [ "openid" "profile" ]; @@ -159,7 +159,7 @@ in }; client = { "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.amarth.cloud"; + "m.identity_server".base_url = "https://auth.kruining.eu"; }; in { "${domain}".extraConfig = '' diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 8fd0ac6..41535cd 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -37,7 +37,7 @@ in name = "Zitadel"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; tag = "app"; - url = "https://auth.amarth.cloud"; + url = "https://auth.kruining.eu"; target = "_blank"; } diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index c399729..6503493 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix 
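Review bot: Two lines below the changed `issuer`, `client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH";` keeps the OIDC client secret as a literal in the Synapse settings, so it is committed to git history and rendered world-readable into /nix/store. That value should be treated as compromised and rotated in Zitadel, and the config should reference a file instead — Synapse's OIDC provider block accepts `client_secret_path` (recent versions; confirm against the pinned Synapse) which can point at a sops-nix secret owned by the matrix-synapse user. The enclosing `oidc_providers` entry starts before this hunk.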
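Review bot: `"m.identity_server".base_url = "https://auth.kruining.eu";` in the `.well-known/matrix/client` document points clients at the Zitadel OIDC issuer, but as far as I know Zitadel does not implement the Matrix Identity Service API (`/_matrix/identity/v2/...`), so 3PID lookups and invites-by-email from clients will fail against it. Unless a real identity server (e.g. Sydent, or `https://vector.im`) is intended, drop the key and let clients fall back to none, with a comment such as `# no identity server: Zitadel is the OIDC login provider, not a Matrix identity server`. The `client` attrset is defined inside a `let` that starts outside the hunk.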
@@ -42,9 +42,9 @@ in login_attribute_path = "username"; name_attribute_path = "full_name"; role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; - auth_url = "https://auth.amarth.cloud/oauth/v2/authorize"; - token_url = "https://auth.amarth.cloud/oauth/v2/token"; - api_url = "https://auth.amarth.cloud/oidc/v1/userinfo"; + auth_url = "https://auth.kruining.eu/oauth/v2/authorize"; + token_url = "https://auth.kruining.eu/oauth/v2/token"; + api_url = "https://auth.kruining.eu/oidc/v1/userinfo"; allow_sign_up = true; auto_login = true; use_pkce = true; diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index db8e162..de50be7 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -39,7 +39,7 @@ in SSO_ROLES_ENABLED = true; SSO_ORGANIZATIONS_ENABLED = true; SSO_ORGANIZATIONS_REVOCATION = true; - SSO_AUTHORITY = "https://auth.amarth.cloud/"; + SSO_AUTHORITY = "https://auth.kruining.eu/"; SSO_SCOPES = "email profile offline_access"; SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; SSO_CLIENT_ID = "335178854421299459"; @@ -52,9 +52,9 @@ in SMTP_HOST = "black-mail.nl"; SMTP_PORT = 587; SMTP_SECURITY = "starttls"; - SMTP_USERNAME = "info@amarth.cloud"; + SMTP_USERNAME = "chris@kruining.eu"; SMTP_PASSWORD = ""; - SMTP_FROM = "info@amarth.cloud"; + SMTP_FROM = "chris@kruining.eu"; SMTP_FROM_NAME = "Chris' Vaultwarden"; }; }; From f62fa502db83408678f7ced236db4f745bd13416 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 20 Oct 2025 10:28:23 +0200 Subject: [PATCH 101/174] fix zitadel --- .justfile | 5 ++++- modules/nixos/services/authentication/zitadel/default.nix | 2 +- systems/x86_64-linux/ulmo/default.nix | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) 
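Review bot: `SMTP_PASSWORD = "";` stays hard-coded and empty next to the `SMTP_USERNAME`/`SMTP_FROM` the hunk switches to a personal mailbox, so STARTTLS auth to black-mail.nl either fails or the real password will be pasted into `services.vaultwarden.config` and end up in the Nix store. The NixOS vaultwarden module provides `services.vaultwarden.environmentFile` for this: put `SMTP_PASSWORD=...` (and the SSO client secret, if it is set in the part of the block outside this hunk) in a sops-managed env file and delete the key from `config`. One thing to verify: `SSO_AUTHORITY` ends with a slash while the Synapse and Grafana configs use the issuer without one — vaultwarden derives the discovery URL from it and OIDC libraries commonly compare it literally against the `issuer` claim, so check it matches Zitadel's discovery document.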
diff --git a/.justfile b/.justfile index ab466bb..67ac3a4 100644 --- a/.justfile +++ b/.justfile @@ -1,4 +1,7 @@ try-again: nix flake update amarth-customer-portal - nix flake check --all-systems --show-trace \ No newline at end of file + nix flake check --all-systems --show-trace + +update machine: + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 3b2a4a3..2693ed5 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -121,7 +121,7 @@ in ''; }; extraConfig = '' - (auth-z) { + (auth) { forward_auth h2c://127.0.0.1:9092 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index a601960..f93d7d1 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -27,7 +27,7 @@ sneeuwvlok = { services = { - authentication.authelia.enable = true; + # authentication.authelia.enable = true; authentication.zitadel.enable = true; communication.matrix.enable = true; From 81e1574023c457f20a7cb40524355164988f1b0c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 21 Oct 2025 09:01:22 +0200 Subject: [PATCH 102/174] some fixes --- .../nixos/services/authentication/zitadel/default.nix | 6 ++++-- modules/nixos/services/observability/loki/default.nix | 2 +- .../nixos/services/observability/promtail/default.nix | 8 +++++--- systems/x86_64-linux/ulmo/default.nix | 11 +++++++++++ 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 2693ed5..e0e4a59 100644 
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -117,12 +117,12 @@ in enable = true; virtualHosts = { "auth.kruining.eu".extraConfig = '' - reverse_proxy h2c://127.0.0.1:9092 + reverse_proxy h2c://::1:9092 ''; }; extraConfig = '' (auth) { - forward_auth h2c://127.0.0.1:9092 { + forward_auth h2c://::1:9092 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name } @@ -130,6 +130,8 @@ in ''; }; }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets sops.secrets."zitadel/masterKey" = { diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix index 8f6e0e3..d4774ac 100644 --- a/modules/nixos/services/observability/loki/default.nix +++ b/modules/nixos/services/observability/loki/default.nix @@ -23,7 +23,7 @@ in common = { ring = { instance_addr = "127.0.0.1"; - kvstore.store = "inmmemory"; + kvstore.store = "inmemory"; }; replication_factor = 1; path_prefix = "/tmp/loki"; diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix index 1f32adc..25aabbd 100644 --- a/modules/nixos/services/observability/promtail/default.nix +++ b/modules/nixos/services/observability/promtail/default.nix @@ -29,9 +29,11 @@ in filename = "filename"; }; - clients = { - url = "http://127.0.0.1:3100/loki/api/v1/push"; - }; + clients = [ + { + url = "http://::1:9003/loki/api/v1/push"; + } + ]; scrape_configs = [ { diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index f93d7d1..0794585 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
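Review bot: `reverse_proxy h2c://::1:9092` and `forward_auth h2c://::1:9092` use an unbracketed IPv6 literal; Caddy requires `[::1]:9092` for an IPv6 host, otherwise the address is split on the wrong colon and the upstream dial fails. Change both to `h2c://[::1]:9092`, and make sure Zitadel actually listens on the IPv6 loopback (only `Port = 9092` is visible in this file; if it binds 127.0.0.1 the bracketed form will still refuse). Separately, the `(auth)` snippet forwards to `/api/authz/forward-auth` and copies `Remote-User Remote-Groups Remote-Email Remote-Name`, which is Authelia's forward-auth contract; as far as I know Zitadel exposes no such endpoint, so every site that `import auth`s will receive a non-2xx from Zitadel and be denied (fail-closed, at least) rather than authenticated. With authelia disabled in this commit, either keep Authelia for forward-auth or replace the snippet with an OIDC-capable proxy in front of the protected sites.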
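Review bot: With the `inmemory` typo fixed Loki will start, which makes `path_prefix = "/tmp/loki";` on the line below the real problem: the ring and storage state is kept under /tmp, and the NixOS loki unit is hardened with a private /tmp as far as I recall, so it is wiped on every service restart and on reboot. Point it at persistent state instead, e.g. `path_prefix = "/var/lib/loki";`, matching the module's data directory (confirm the option/default the pinned module provides). The `common` block and the rest of the Loki configuration start and end outside this hunk.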
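Review bot: `url = "http://::1:9003/loki/api/v1/push"` is not a valid URL — an IPv6 literal in the authority must be bracketed, `http://[::1]:9003/loki/api/v1/push`, otherwise Go's URL parser rejects the port and promtail never pushes. The port also changes from 3100 to 9003 and the loopback from IPv4 to IPv6 in the same commit, while the Loki hunk above still pins `instance_addr = "127.0.0.1"`; Loki's `server.http_listen_port`/address are outside this hunk, so confirm it is 9003 and reachable on `::1`, or simply use `http://127.0.0.1:9003/loki/api/v1/push`. Turning `clients` into a list is correct (promtail expects a list of clients).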
@@ -25,6 +25,17 @@ }; }; + # Expose amarht cloud stuff like this until I have a proper solution + services.caddy.virtualHosts = { + "auth.amarth.cloud".extraConfig = '' + reverse_proxy http://192.168.1.223:9092 + ''; + + "amarth.cloud".extraConfig = '' + reverse_proxy http://192.168.1.223:8080 + ''; + }; + sneeuwvlok = { services = { # authentication.authelia.enable = true; From 1873bb717054809bafbab3a48975b540081e75e1 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 22 Oct 2025 23:26:47 +0200 Subject: [PATCH 103/174] initial implementation of terranix for zitadel. SUPER HAPPY, SUPER COOL!!! --- flake.lock | 59 ++++ flake.nix | 5 + lib/strings/default.nix | 17 + .../authentication/zitadel/default.nix | 290 ++++++++++++++++-- systems/x86_64-linux/ulmo/default.nix | 28 +- 5 files changed, 368 insertions(+), 31 deletions(-) create mode 100644 lib/strings/default.nix diff --git a/flake.lock b/flake.lock index 2bc7385..935fbaf 100644 --- a/flake.lock +++ b/flake.lock @@ -265,6 +265,27 @@ "type": "github" } }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "terranix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -906,6 +927,7 @@ "snowfall-lib": "snowfall-lib", "sops-nix": "sops-nix", "stylix": "stylix", + "terranix": "terranix", "zen-browser": "zen-browser" } }, 
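Review bot: `auth.amarth.cloud` is proxied with `reverse_proxy http://192.168.1.223:9092`, so the identity provider's traffic (logins, tokens) crosses the LAN in cleartext after TLS termination on this host; if that hop is not on a trusted segment, terminate TLS on the backend or tunnel it. The comment also has a typo: `# Expose amarht cloud stuff like this until I have a proper solution` should read `amarth`. Zitadel behind a reverse proxy usually needs its external domain and scheme configured to match the public host, which is not visible here, so confirm the backend accepts requests for `auth.amarth.cloud`.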
@@ -1109,6 +1131,43 @@ "type": "github" } }, + "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "terranix": { + "inputs": { + "flake-parts": "flake-parts_3", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems_7" + }, + "locked": { + "lastModified": 1757278723, + "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", + "owner": "terranix", + "repo": "terranix", + "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", + "type": "github" + }, + "original": { + "owner": "terranix", + "repo": "terranix", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index c659d4f..8ea1571 100644 --- a/flake.nix +++ b/flake.nix @@ -78,6 +78,11 @@ flake-compat.follows = ""; }; }; + + terranix = { + url = "github:terranix/terranix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { diff --git a/lib/strings/default.nix b/lib/strings/default.nix new file mode 100644 index 0000000..52b05e3 --- /dev/null +++ b/lib/strings/default.nix @@ -0,0 +1,17 @@ +{ lib, ...}: +let + inherit (builtins) isString typeOf; + inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; +in +{ + strings = { + toSnakeCase = + str: + throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( + str + |> splitStringBy (prev: curr: builtins.match "[a-z]" prev != null && builtins.match "[A-Z]" curr != null) true + |> map (p: toLower p) + |> concatStringsSep "_" + ); + }; +} \ No newline at end of file diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index e0e4a59..66f5fc0 100644 
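Review bot: `toSnakeCase` in the new `lib/strings/default.nix` has no comment describing its rule — it splits only where a lowercase letter is directly followed by an uppercase one, so `redirectUris` becomes `redirect_uris` but `OIDCApp` becomes `oidcapp` — and since it is later used to derive Terraform resource names that must stay stable, that contract deserves a header comment along the lines of `# camelCase -> snake_case; splits only at a lower→upper boundary, so acronyms stay together. Changing this renames the generated Terraform resources.`. The body relies on the `|>` pipe operator, which as far as I know is still an experimental Nix feature (`pipe-operators`), so either note that requirement in the file or use `lib.pipe`. The file is also committed without a trailing newline.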
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,7 @@ -{ config, lib, pkgs, namespace, ... }: +{ config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair; + inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -9,15 +10,223 @@ in { options.${namespace}.services.authentication.zitadel = { enable = mkEnableOption "Zitadel"; + + organization = mkOption { + type = types.attrsOf (types.submodule { + options = { + isDefault = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + True sets the org as default org for the instance. Only one org can be default org. + Nothing happens if you set it to false until you set another org as default org. + ''; + }; + + project = mkOption { + default = {}; + type = types.attrsOf (types.submodule { + options = { + hasProjectCheck = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + ZITADEL checks if the org of the user has permission to this project. + ''; + }; + + privateLabelingSetting = mkOption { + type = types.nullOr (types.enum [ "unspecified" "enforceProjectResourceOwnerPolicy" "allowLoginUserResourceOwnerPolicy" ]); + default = null; + example = "enforceProjectResourceOwnerPolicy"; + description = '' + Defines from where the private labeling should be triggered, + + supported values: + - unspecified + - enforceProjectResourceOwnerPolicy + - allowLoginUserResourceOwnerPolicy + ''; + }; + + projectRoleAssertion = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + Describes if roles of user should be added in token. + ''; + }; + + projectRoleCheck = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + ZITADEL checks if the user has at least one on this project. + ''; + }; + + application = mkOption { + default = {}; + type = types.attrsOf (types.submodule { + options = { + redirectUris = mkOption { + type = types.nonEmptyListOf types.str; + example = '' + [ "https://example.com/redirect/url" ] + ''; + description = '' + . 
+ ''; + }; + + grantTypes = mkOption { + type = types.nonEmptyListOf (types.enum [ "authorizationCode" "implicit" "refreshToken" "deviceCode" "tokenExchange" ]); + example = '' + [ "authorizationCode" ] + ''; + description = '' + . + ''; + }; + + responseTypes = mkOption { + type = types.nonEmptyListOf (types.enum [ "code" "idToken" "idTokenToken" ]); + example = '' + [ "code" ] + ''; + description = '' + . + ''; + }; + }; + }); + }; + }; + }); + }; + }; + }); + }; }; - config = mkIf cfg.enable { + config = let + mapRef = type: name: { "${type}Id" = "\${ resource.zitadel_${type}.${toSnakeCase name}.id }"; }; + mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; + + mapValue = type: value: ({ + grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value; + responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value; + }."${type}" or value); + + toResource = name: value: nameValuePair + (toSnakeCase name) + (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); + + withName = name: attrs: attrs // { inherit name; }; + withRef = type: name: attrs: attrs // (mapRef type name); + + # this is a nix package, the generated json file to be exact + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { + inherit system; + + modules = + let + inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length; + + select = keys: callback: set: + if (length keys) == 0 then + mapAttrs' callback set + else let key = head keys; in + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + in + [ + ({ config, lib, ... 
}: { + config = { + terraform.required_providers.zitadel = { + source = "zitadel/zitadel"; + version = "2.2.0"; + }; + + provider.zitadel = { + domain = "auth.kruining.eu"; + insecure = "false"; + jwt_profile_file = "/var/lib/zitadel/machine-key.json"; + }; + + resource = { + zitadel_org = cfg.organization |> select [] (name: value: + value + |> getAttrs [ "isDefault" ] + |> withName name + |> toResource name + ); + + zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: + value + |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] + |> withName name + |> withRef "org" org + |> toResource name + ); + + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: + value + |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] + |> withName name + |> withRef "org" org + |> withRef "project" project + |> toResource name + ); + }; + }; + }) + ]; + }; + in + mkIf cfg.enable { ${namespace}.services.persistance.postgresql.enable = true; environment.systemPackages = with pkgs; [ zitadel ]; + systemd.tmpfiles.rules = [ + "d /tmp/zitadelApplyTerraform 0755 zitadel zitadel -" + ]; + + systemd.services.zitadelApplyTerraform = { + description = "Zitadel terraform apply"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "zitadel.service" ]; + + script = '' + #!/usr/bin/env bash + + # Copy infra code into workspace + cp -f ${terraformConfiguration} config.tf.json + + # Initialize OpenTofu + ${lib.getExe pkgs.opentofu} init + + # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan + ${lib.getExe pkgs.opentofu} apply -auto-approve + ''; + + serviceConfig = { + Type = "oneshot"; + User = "zitadel"; + Group = "zitadel"; + + WorkingDirectory = "/tmp/zitadelApplyTerraform"; + }; + }; + services = { zitadel = { enable = true; 
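Review bot: `zitadelApplyTerraform` keeps its OpenTofu working directory, and therefore its state file, in `/tmp/zitadelApplyTerraform` (the tmpfiles rule plus `WorkingDirectory`), so the state is lost on reboot and the next `apply -auto-approve` will try to recreate every org, project and OIDC application instead of reconciling them; the state presumably also holds the generated OIDC client credentials, in a directory created `0755`. A persistent, service-owned location fixes both: drop the tmpfiles rule and use `StateDirectory = "zitadel/terraform";` with `WorkingDirectory = "/var/lib/zitadel/terraform";`. The unit also declares `wants = [ "zitadel.service" ]` without `after = [ "zitadel.service" ];`, so the apply can start before Zitadel is listening and before `/var/lib/zitadel/machine-key.json` exists. Separately, the `description = ''.''` placeholders on `redirectUris`, `grantTypes` and `responseTypes` should say what the option maps to, e.g. "Allowed OIDC redirect URIs for this application", and the `example = "true"` strings on bool options should be the literal `true`. The `config = let … in mkIf cfg.enable` body continues past the end of this hunk.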
@@ -41,31 +250,31 @@ in SecretHasher.Hasher.Algorithm = "argon2id"; }; - DefaultInstance = { - PasswordComplexityPolicy = { - MinLength = 20; - HasLowercase = false; - HasUppercase = false; - HasNumber = false; - HasSymbol = false; - }; - LoginPolicy = { - AllowRegister = false; - ForceMFA = true; - }; - LockoutPolicy = { - MaxPasswordAttempts = 5; - MaxOTPAttempts = 10; - }; - SMTPConfiguration = { - SMTP = { - Host = "black-mail.nl:587"; - User = "chris@kruining.eu"; - Password = "__TODO_USE_SOPS__"; - }; - FromName = "Amarth Zitadel"; - }; - }; + # DefaultInstance = { + # # PasswordComplexityPolicy = { + # # MinLength = 0; + # # HasLowercase = false; + # # HasUppercase = false; + # # HasNumber = false; + # # HasSymbol = false; + # # }; + # LoginPolicy = { + # AllowRegister = false; + # ForceMFA = true; + # }; + # LockoutPolicy = { + # MaxPasswordAttempts = 5; + # MaxOTPAttempts = 10; + # }; + # # SMTPConfiguration = { + # # SMTP = { + # # Host = "black-mail.nl:587"; + # # User = "chris@kruining.eu"; + # # Password = "__TODO_USE_SOPS__"; + # # }; + # # FromName = "Amarth Zitadel"; + # # }; + # }; Database.postgres = { Host = "localhost"; @@ -84,9 +293,16 @@ in }; steps = { FirstInstance = { - InstanceName = "auth.kruining.eu"; + # Not sure, this option seems to be mostly irrelevant + InstanceName = "eu"; + + MachineKeyPath = "/var/lib/zitadel/machine-key.json"; + # PatPath = "/var/lib/zitadel/machine-key.pat"; + # LoginClientPatPath = "/var/lib/zitadel/machine-key.json"; + Org = { - Name = "Amarth"; + Name = "kruining"; + Human = { UserName = "chris"; FirstName = "Chris"; @@ -97,6 +313,20 @@ in }; Password = "KaasIsAwesome1!"; }; + + Machine = { + Machine = { + Username = "terraform-service-user"; + Name = "Terraform"; + }; + MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; }; + # Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; }; + }; + + # LoginClient.Machine = { + # Username = "terraform-service-user"; + # Name = "Terraform"; + # }; }; }; }; 
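Review bot: Commenting out `DefaultInstance` also disables `LoginPolicy.ForceMFA = true` and the `LockoutPolicy` limits (`MaxPasswordAttempts = 5`, `MaxOTPAttempts = 10`), so a fresh instance falls back to Zitadel's built-in defaults with no MFA enforcement or lockout, and nothing in the new terranix configuration in this patch re-creates those policies. If only the password-complexity and SMTP parts are being parked, keep `DefaultInstance` with just `LoginPolicy` and `LockoutPolicy` active instead of the whole block; otherwise a comment saying where the policies will be managed from would help. The `services.zitadel.settings` set this sits in continues outside the hunk.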
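Review bot: The new `MachineKey` hard-codes `ExpirationDate = "2026-01-01T00:00:00Z"`, after which the key written to `/var/lib/zitadel/machine-key.json` stops authenticating and the terraform apply service fails at every boot; nothing rotates it, so either document the rotation step next to it or add a comment like `# Rotate before this date: the terraform apply service authenticates with this key`. `Type = 1;` is a magic number and deserves a comment naming the key type it selects (the JSON machine-key type, if I read the Zitadel enum right). The `Password = "KaasIsAwesome1!"` context line next to it is pre-existing, but it is a literal admin credential that ends up in the world-readable Nix store; moving it to the sops secrets this series introduces is worth a follow-up. The `FirstInstance` block continues outside the hunk.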
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0794585..4845e73 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -39,7 +39,33 @@ sneeuwvlok = { services = { # authentication.authelia.enable = true; - authentication.zitadel.enable = true; + authentication.zitadel = { + enable = true; + + organization = { + thisIsMyAwesomeOrg = {}; + + nix = { + project = { + ulmo = { + application = { + jellyfin = { + redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + }; + + forgejo = { + redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + }; + }; + }; + }; + }; + }; + }; communication.matrix.enable = true; From b11a33de6e3986e30ee3ad1d0519100dc57225d2 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:43:51 +0000 Subject: [PATCH 104/174] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 29 +++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 systems/x86_64-linux/ulmo/secrets.yml diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml new file mode 100644 index 0000000..a4847e5 --- /dev/null +++ b/systems/x86_64-linux/ulmo/secrets.yml 
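Review bot: `thisIsMyAwesomeOrg = {};` reads like a placeholder, but with the new module it becomes a real `zitadel_org` resource named `this_is_my_awesome_org` on the next apply. Drop it or give it its intended name before this configuration is applied. The `sneeuwvlok.services` set continues outside the hunk.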
@@ -0,0 +1,29 @@
+email:
+ chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str]
+ info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str]
+zitadel:
+ masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str]
+sops:
+ age:
+ - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx
+ ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q
+ cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv
+ RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK
+ 6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV
+ eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS
+ NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG
+ TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
+ Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-10-23T12:43:51Z"
+ mac: ENC[AES256_GCM,data:3pYyKM07BQ3xB866YsKhqIyuuk0x1fNW5i5DmZ7C9wPV7sM/4Xh1kItA71pf8Jh4Us7ztNt/td1KgH1Aux2RTgi8rSooKlqjoMOQP75q0BjHqyCPJdLCmXe95C7YvwCFYBadbcsJsOJKRpOldwxHz8mwpsDs9hLwiFQFeBc7orY=,iv:VjrNJw3JFeSavSjrQ/x45LJ1Xqq7TnGu68aFl0bkIjw=,tag:oqyr2XxwY6gNniDnDBYPlQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
From a8dbf792e32b5b557c23e8aed3a26cf8ffb7d93b Mon Sep 17 00:00:00 2001
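Review bot: The new secrets file stores the key as `zitadel.masterkey` (lowercase k), while the module hunk earlier in this series declares `sops.secrets."zitadel/masterKey"`; unless the module is changed elsewhere, sops-nix will not find `zitadel/masterKey` in this file and the configuration will fail to build or activate. Rename the YAML key to `masterKey` or the module reference to `zitadel/masterkey` so the two agree.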
From: chris Date: Thu, 23 Oct 2025 12:44:08 +0000 Subject: [PATCH 105/174] ops(secrets): removed secret "je_moeder/0/awesome/2" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index a4847e5..4eb461f 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,6 +3,9 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +je_moeder: + - awesome: + - ENC[AES256_GCM,data:3htXBQ==,iv:f8LZSfHxkQ+RJlaFgq4lUjjtNisjwJZJtFqm1l/HC0o=,tag:BK0gx2gxrNPdfqOn/01KWg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +26,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:43:51Z" - mac: ENC[AES256_GCM,data:3pYyKM07BQ3xB866YsKhqIyuuk0x1fNW5i5DmZ7C9wPV7sM/4Xh1kItA71pf8Jh4Us7ztNt/td1KgH1Aux2RTgi8rSooKlqjoMOQP75q0BjHqyCPJdLCmXe95C7YvwCFYBadbcsJsOJKRpOldwxHz8mwpsDs9hLwiFQFeBc7orY=,iv:VjrNJw3JFeSavSjrQ/x45LJ1Xqq7TnGu68aFl0bkIjw=,tag:oqyr2XxwY6gNniDnDBYPlQ==,type:str] + lastmodified: "2025-10-23T12:44:07Z" + mac: ENC[AES256_GCM,data:ns/UoRJG/czGOy4cztz/ynuvf29z+K0Tx7ck6/G5hFyZ+r2fqLoK/Kqn/qjjB69knA8EbarIcrGiFRmXeRXydK3VRFhVNAbl15baIBMXTiUxG+rzEEPr/9upobRTIZNgOiNJDnsBm5A//MTLro2KIMepW/pJ1QfTjOnbSg0vH7E=,iv:r7Y6mkujSWxYf6N/edJRjKb/hkIf/q11P0b3+jpdeLU=,tag:RUshke1gKAnfB0UHrYSrkQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From e17b144c9f361901b304a5a41ae1e7c690173254 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:45:25 +0000 Subject: [PATCH 106/174] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4eb461f..2fdce33 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,9 +3,6 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] -je_moeder: - - awesome: - - ENC[AES256_GCM,data:3htXBQ==,iv:f8LZSfHxkQ+RJlaFgq4lUjjtNisjwJZJtFqm1l/HC0o=,tag:BK0gx2gxrNPdfqOn/01KWg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -26,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:44:07Z" - mac: ENC[AES256_GCM,data:ns/UoRJG/czGOy4cztz/ynuvf29z+K0Tx7ck6/G5hFyZ+r2fqLoK/Kqn/qjjB69knA8EbarIcrGiFRmXeRXydK3VRFhVNAbl15baIBMXTiUxG+rzEEPr/9upobRTIZNgOiNJDnsBm5A//MTLro2KIMepW/pJ1QfTjOnbSg0vH7E=,iv:r7Y6mkujSWxYf6N/edJRjKb/hkIf/q11P0b3+jpdeLU=,tag:RUshke1gKAnfB0UHrYSrkQ==,type:str] + lastmodified: "2025-10-23T12:45:24Z" + mac: ENC[AES256_GCM,data:hfTa17ELKJQIATXrDupWHv83mOaKAx6s0kpTfiLpBW6BjG0Ae5/oRF8b3oeP6Yp263PFT0uINFz5MjBsoPk9lCJu6zJDdWLliRrjM73Ob/y/EXG07rzEup5kFHblSWsRNteF9Xhd7C+OgOebxWzgr/AoE6FldhTLOyiKfNuaR6U=,iv:gElzOo9HZlcjfBJQbUeJc7v3hwJavn0cE7rbtFkLFTg=,tag:TVGLZSHIM/kZZ6CKXS77JA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 40da937ee0a8737bc4f39e135eedff4cd884f09b Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:45:28 +0000 Subject: [PATCH 107/174] ops(secrets): set secret "je_moeder/0/awesome/2" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 2fdce33..293e901 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,6 +3,9 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +je_moeder: + - awesome: + - ENC[AES256_GCM,data:VftBLg==,iv:Rtfi+AlMB7bhsTS8d1IT8l358F2QQP+952Mxzpk5JMA=,tag:rDyanvogMKPbLRyyGHAUVw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -23,7 +26,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:45:24Z" - mac: ENC[AES256_GCM,data:hfTa17ELKJQIATXrDupWHv83mOaKAx6s0kpTfiLpBW6BjG0Ae5/oRF8b3oeP6Yp263PFT0uINFz5MjBsoPk9lCJu6zJDdWLliRrjM73Ob/y/EXG07rzEup5kFHblSWsRNteF9Xhd7C+OgOebxWzgr/AoE6FldhTLOyiKfNuaR6U=,iv:gElzOo9HZlcjfBJQbUeJc7v3hwJavn0cE7rbtFkLFTg=,tag:TVGLZSHIM/kZZ6CKXS77JA==,type:str] + lastmodified: "2025-10-23T12:45:27Z" + mac: ENC[AES256_GCM,data:QtQAU1vxUvlK/XrN5bxwMY+KC7yOMKqGkHIB6y3KE/eiRKZAGXNNyG81Z4aGhhFwQj3lmIeU2/Qw3ZeLJz8evRDeJ7JNZH/ZDFNyeUyRqGMldtqKHKAQDJDC5OVAFxf/6owgiYbr4og2J7PFqfoiG0ODM9+bPN4V7axmtd5KFkg=,iv:nFdTrIe+eEhG1H4VeAshuvI3ELpxe54CVP2LSdPj1fE=,tag:JvGKgiDvepytiKVuwxN8cQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From e9fef516ecbc90f56d33e7ff2e18313a642f2292 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 14:47:53 +0200 Subject: [PATCH 108/174] feat(sops): finally somewhat properly set up with sops --- .just/machine.just | 9 +++++++++ .just/vars.just | 28 ++++++++++++++++++++++++++++ .justfile | 15 ++++++++++----- .sops.yaml | 11 +++++++++++ .sops.yml | 8 -------- _secrets/secrets.yaml | 30 ------------------------------ 6 files changed, 58 insertions(+), 43 deletions(-) create mode 100644 .just/machine.just create mode 100644 .just/vars.just create mode 100644 .sops.yaml delete mode 100644 .sops.yml delete mode 100644 _secrets/secrets.yaml diff --git a/.just/machine.just b/.just/machine.just new file mode 100644 index 0000000..65d1a7b --- /dev/null +++ b/.just/machine.just @@ -0,0 +1,9 @@ +@_default: list + +[doc('List machines')] +@list: + ls -1 ../systems/x86_64-linux/ + +[doc('Update the target machine')] +update machine: + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file 
diff --git a/.just/vars.just b/.just/vars.just new file mode 100644 index 0000000..78b7cb5 --- /dev/null +++ b/.just/vars.just @@ -0,0 +1,28 @@ +base_path := invocation_directory() / "systems/x86_64-linux" +sops := "nix shell nixpkgs#sops --command sops" + +@_default: + just --list + +[doc('list all vars of the target machine')] +list machine: + {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml + +@edit machine: + {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml + +@set machine key value: + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + + echo "Done" + +@remove machine key: + {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + + echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 67ac3a4..4e8a323 100644 --- a/.justfile +++ b/.justfile @@ -1,7 +1,12 @@ +@_default: + just --list --list-submodules -try-again: - nix flake update amarth-customer-portal - nix flake check --all-systems --show-trace +[doc('Manage vars')] +mod vars '.just/vars.just' -update machine: - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file +[doc('Manage machines')] +mod machine '.just/machine.just' + +[doc('Show information about project')] +@show: + echo "show" \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..9e7956c --- /dev/null +++ b/.sops.yaml 
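Review bot: In `@set machine key value:` the secret value arrives as a command-line argument and is spliced into the `sops set` command as `\"{{ value }}\"`, so it lands in the caller's shell history and is visible in the process list while the command runs, and a value containing a double quote or `$` breaks the quoting. Reading the value from stdin inside a shebang recipe and passing it through a properly quoted shell variable keeps secrets off argv; the `{{ key }}` expansion inside the `sed` expression and the commit message has the same quoting exposure. A short header comment, e.g. `# Secrets are keyed as "path/to/key"; slashes become nested YAML keys and numeric segments become list indices`, would explain the `sed` rewrite to the next reader.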
@@ -0,0 +1,11 @@
+keys:
+ - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
+ - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+
+creation_rules:
+ # All Machine secrets
+ - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$
+ key_groups:
+ - age:
+ - *ulmo_1
+ - *ulmo_2
\ No newline at end of file
diff --git a/.sops.yml b/.sops.yml
deleted file mode 100644
index 96e09c3..0000000
--- a/.sops.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-keys:
- - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-
-creation_rules:
- - path_regex: secrets/secrets.yml$
- key_groups:
- - age:
- - *primary
diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml
deleted file mode 100644
index 78b1a8c..0000000
--- a/_secrets/secrets.yaml
+++ /dev/null
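Review bot: The single creation rule `systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$` encrypts every machine's secrets file to the same two keys, both labelled `ulmo_*`, so any host added later under `systems/` would have its secrets readable by ulmo's keys and vice versa. Scope the rule per machine, e.g. `- path_regex: systems/[^/]+/ulmo/[^/]+\.(yml|yaml)$`, and add one rule and key group per host as they appear, which also turns `# All Machine secrets` into an accurate `# ulmo secrets`. The file is also written without a trailing newline.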
@@ -1,30 +0,0 @@ -#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment] -example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str] -#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment] -#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment] -example: - my_subdir: - my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR - ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz - YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB - dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR - Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-09T11:37:49Z" - mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.4 - -zitadel: - masterKey: thisWillBeAnEncryptedValueInTheFuture From e3ae7220d3b468561a122e5f9a983ddc19c97a9b Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 23 Oct 2025 14:49:47 +0200 Subject: [PATCH 109/174] fix(stylix): add zen-browser profile --- modules/home/themes/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index ede7c53..3fa74b9 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,7 +31,9 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; + # targets.qt.platform = mkDefault "kde"; + targets.zen-browser.profileNames = [ "Chris" ]; fonts = { serif = { From 352c05765222b1cefdfddf5b8ac6f6b96c48c10a Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 14:50:42 +0200 Subject: [PATCH 110/174] refactor: tidy up zitadel service module --- .../authentication/zitadel/default.nix | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 66f5fc0..75b1bf2 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair; + inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; 
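Review bot: The widened `inherit (lib) …` line now pulls in `getAttr`, `hasAttr` and `typeOf`, which do not appear to be used by the visible `select`/`toResource` code (only `getAttrs`, `head`, `drop`, `length`, `mapAttrs'` and `concatMapAttrs` are), so they look like leftovers from the old inner `let`. Trim the inherit to the names actually referenced and consider splitting it over two lines, as it has become quite long. The `let` block continues outside the hunk.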
@@ -129,21 +129,17 @@ in withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); + select = keys: callback: set: + if (length keys) == 0 then + mapAttrs' callback set + else let key = head keys; in + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + # this is a nix package, the generated json file to be exact terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; - modules = - let - inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length; - - select = keys: callback: set: - if (length keys) == 0 then - mapAttrs' callback set - else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; - in - [ + modules = [ ({ config, lib, ... }: { config = { terraform.required_providers.zitadel = { @@ -214,7 +210,6 @@ in ${lib.getExe pkgs.opentofu} init # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan ${lib.getExe pkgs.opentofu} apply -auto-approve ''; From dd9e79b8890a420b2c8c527a7055eabafb22d630 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:53:40 +0000 Subject: [PATCH 111/174] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 293e901..1bd3967 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,9 +3,6 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] -je_moeder: - - awesome: - - ENC[AES256_GCM,data:VftBLg==,iv:Rtfi+AlMB7bhsTS8d1IT8l358F2QQP+952Mxzpk5JMA=,tag:rDyanvogMKPbLRyyGHAUVw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -26,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:45:27Z" - mac: ENC[AES256_GCM,data:QtQAU1vxUvlK/XrN5bxwMY+KC7yOMKqGkHIB6y3KE/eiRKZAGXNNyG81Z4aGhhFwQj3lmIeU2/Qw3ZeLJz8evRDeJ7JNZH/ZDFNyeUyRqGMldtqKHKAQDJDC5OVAFxf/6owgiYbr4og2J7PFqfoiG0ODM9+bPN4V7axmtd5KFkg=,iv:nFdTrIe+eEhG1H4VeAshuvI3ELpxe54CVP2LSdPj1fE=,tag:JvGKgiDvepytiKVuwxN8cQ==,type:str] + lastmodified: "2025-10-23T12:53:39Z" + mac: ENC[AES256_GCM,data:d4caeqSPWSaRNHcGKrxTCarX3OWJVf7uDx4pd5ldjdvHxUZu8xThDLpq850/jzCoX3T6bCes52o4TSSBYQCX+blPLdWetqJ/GulOvlsmudQJArZIcg4ZY96nVSv+sIJnP/1YEw0g6QxYxLa7IeEs6ZxNlBIaF/bff7AEHbtRNGs=,iv:DN/vvD2smUt+SFEfm08IpW+H7QtCChXYYKVLwE7SXPU=,tag:Uua+KE5+V6OT1O0aNrm6+g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From fe628075d984b5fa68db5e40d468b4f20f8bb855 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 13:58:11 +0000 Subject: [PATCH 112/174] ops(secrets): removed secret "zitadel/masterkey" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1bd3967..6f7ded0 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml 
+++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,8 +1,7 @@ email: chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] -zitadel: - masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +zitadel: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +22,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:53:39Z" - mac: ENC[AES256_GCM,data:d4caeqSPWSaRNHcGKrxTCarX3OWJVf7uDx4pd5ldjdvHxUZu8xThDLpq850/jzCoX3T6bCes52o4TSSBYQCX+blPLdWetqJ/GulOvlsmudQJArZIcg4ZY96nVSv+sIJnP/1YEw0g6QxYxLa7IeEs6ZxNlBIaF/bff7AEHbtRNGs=,iv:DN/vvD2smUt+SFEfm08IpW+H7QtCChXYYKVLwE7SXPU=,tag:Uua+KE5+V6OT1O0aNrm6+g==,type:str] + lastmodified: "2025-10-23T13:58:10Z" + mac: ENC[AES256_GCM,data:ZiK2BIND4a7cCh0HaYzqU4oicnrG9o83D9q63GiCNU6RSj8JKDeVdZ6zu+Nj0rzFgk7k42pv5LGaDf9F/G4vYwlvYYDah2aZOFVMFuE1lvUgZNKkWwIRd+Oe4Fo1yghhCkQOv6Ctcym9/2ALTKbgF8+ZkaxIkwV2o8w/VWnr4HM=,iv:SxA5sdPXo4ALAFTiD/6jYRICsXyjcBake5QPP7mmqn8=,tag:wEI2pVcNz9Ypyi3vt+cg+g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 5f0f986c598c994d3ea3a41b0686ee89e0dd03b9 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 14:23:22 +0000 Subject: [PATCH 113/174] ops(secrets): set secret "email/chris_kruining_eu" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 6f7ded0..1eeb402 100644 
--- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,7 +1,9 @@ email: chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] -zitadel: {} + chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] +zitadel: + masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -22,7 +24,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T13:58:10Z" - mac: ENC[AES256_GCM,data:ZiK2BIND4a7cCh0HaYzqU4oicnrG9o83D9q63GiCNU6RSj8JKDeVdZ6zu+Nj0rzFgk7k42pv5LGaDf9F/G4vYwlvYYDah2aZOFVMFuE1lvUgZNKkWwIRd+Oe4Fo1yghhCkQOv6Ctcym9/2ALTKbgF8+ZkaxIkwV2o8w/VWnr4HM=,iv:SxA5sdPXo4ALAFTiD/6jYRICsXyjcBake5QPP7mmqn8=,tag:wEI2pVcNz9Ypyi3vt+cg+g==,type:str] + lastmodified: "2025-10-23T14:23:21Z" + mac: ENC[AES256_GCM,data:BVxgNIS+o5TW3XdTFJPd5BwsYPB5/iLPRLC72KV4zLALxO+ZzgZni1ADlDKpNf0W1pB67brguQvT0Jk/3jl/mSGAUS0AC+d2fBAl4m1I8KgRkhFTlzKJBaHn39iNJBkgM0ILNqdxNjFF6r472Ib3p/UNe1EPJgCQzqq5WVSumoo=,iv:aEBuJcjVaEYdCOAW3AiwVoskhH/+P3uSwZScssLi3OQ=,tag:kzJg99OjRsLaL7/hKHzs9Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 34fd079fb7ed77f71a89b314786f5ccb8bf23860 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 23 Oct 2025 14:23:40 +0000 Subject: [PATCH 114/174] ops(secrets): removed secret "email/chris@kruining.eu" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1eeb402..1fb64b9 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,5 +1,4 @@ email: - chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] zitadel: @@ -24,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:23:21Z" - mac: ENC[AES256_GCM,data:BVxgNIS+o5TW3XdTFJPd5BwsYPB5/iLPRLC72KV4zLALxO+ZzgZni1ADlDKpNf0W1pB67brguQvT0Jk/3jl/mSGAUS0AC+d2fBAl4m1I8KgRkhFTlzKJBaHn39iNJBkgM0ILNqdxNjFF6r472Ib3p/UNe1EPJgCQzqq5WVSumoo=,iv:aEBuJcjVaEYdCOAW3AiwVoskhH/+P3uSwZScssLi3OQ=,tag:kzJg99OjRsLaL7/hKHzs9Q==,type:str] + lastmodified: "2025-10-23T14:23:39Z" + mac: ENC[AES256_GCM,data:FoQYZwmra35BdYu/5RO4P9KdfKDZ1DPYN1q0fUFJ95eowK+rCXHAO9Bftjk1rEYTWO1bdKS7lYCLPgAh0sQHhovQoMXC5wlCkKpgMoi47Ji/qCbXXmDiayMpMxosKcrCMEV4wPvcLEVXgS5MlPUOT4xhm7tCa+h9d7WBZmU2ho8=,iv:P0s+TcMlnxToPl6roU8ZE9l8x4vOsfu/4BzrbcPSIec=,tag:ZO5yFyoCA/8RBdLQIOhsgw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 47df6b544a46c35e2e88ef9320be0eae55ccd4f0 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 23 Oct 2025 14:26:00 +0000 Subject: [PATCH 115/174] ops(secrets): set secret "email/info_amarth_cloud" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1fb64b9..6add209 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,6 +1,7 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] + info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] sops: 
@@ -23,7 +24,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:23:39Z" - mac: ENC[AES256_GCM,data:FoQYZwmra35BdYu/5RO4P9KdfKDZ1DPYN1q0fUFJ95eowK+rCXHAO9Bftjk1rEYTWO1bdKS7lYCLPgAh0sQHhovQoMXC5wlCkKpgMoi47Ji/qCbXXmDiayMpMxosKcrCMEV4wPvcLEVXgS5MlPUOT4xhm7tCa+h9d7WBZmU2ho8=,iv:P0s+TcMlnxToPl6roU8ZE9l8x4vOsfu/4BzrbcPSIec=,tag:ZO5yFyoCA/8RBdLQIOhsgw==,type:str] + lastmodified: "2025-10-23T14:25:59Z" + mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4f0d0f7f0e0454b305e08415ce64f601a46fa6c5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 16:31:19 +0200 Subject: [PATCH 116/174] fix: various fixes to just commands --- .just/vars.just | 6 +++--- .justfile | 8 +++++++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.just/vars.just b/.just/vars.just index 78b7cb5..46bb5fd 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -12,10 +12,10 @@ list machine: {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\" + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" @@ -23,6 +23,6 @@ list machine: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 4e8a323..1c9fc03 100644 --- a/.justfile +++ b/.justfile @@ -9,4 +9,10 @@ mod machine '.just/machine.just' [doc('Show information about project')] @show: - echo "show" \ No newline at end of file + echo "show" + +[doc('update the flake dependencies')] +@update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" \ No newline at end of file From f390d4195562e69aa43fc326ca6efb33167cc6ad Mon Sep 17 00:00:00 2001 
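Review bot: In the `set` recipe `{{ value }}` is expanded by just into the command text before the shell runs it, so a value containing a single quote escapes the new `'"{{ value }}"'` quoting, and the secret is additionally passed as a command-line argument where shell history and process listings can capture it; the same expansion applies to `{{ key }}` inside the `printf` argument. Supplying the value through an environment variable or stdin instead of a recipe parameter would keep it off the command line and out of the quoting problem. The `@set machine key value:` signature line is the hunk's first context line, so the recipe is fully visible.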
From: Chris Kruining Date: Thu, 23 Oct 2025 16:31:56 +0200 Subject: [PATCH 117/174] WIP: trying to get smtp configured for zitadel --- .../authentication/zitadel/default.nix | 98 +++++++++++++------ .../nixos/system/security/sops/default.nix | 10 +- 2 files changed, 76 insertions(+), 32 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 75b1bf2..59abcf3 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -135,6 +135,8 @@ in else let key = head keys; in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + config' = config; + # this is a nix package, the generated json file to be exact terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; @@ -177,6 +179,15 @@ in |> withRef "project" project |> toResource name ); + + zitadel_smtp_config.default = { + sender_address = "chris@kruining.eu"; + sender_name = "no-reply (Zitadel)"; + tls = true; + host = "black-mail.nl"; + user = "chris@kruining.eu"; + password = "\${file(\"${config'.sops.templates."kaas".path}\")}"; + }; }; }; }) 
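Review bot: `password = "\${file(\"${config'.sops.templates."kaas".path}\")}"` has Terraform read the SMTP password into the `zitadel_smtp_config` resource, so the value is written in plaintext to the Terraform state of the apply workspace (presumably `/tmp/zitadelApplyTerraform`, which this module's tmpfiles rule creates as 0755) in addition to the sops-managed file. If state cannot be kept out of that directory it needs the same owner/mode discipline as the sops secret, and `"kaas"` should be replaced by a descriptive template name. `config' = config;` also deserves a comment, e.g. `# outer NixOS config; the terranix module below rebinds config to its own`, because the inner `({ config, lib, ... }: { ... })` shadows it. The enclosing resource set starts and ends outside the hunk.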
@@ -245,31 +256,30 @@ in SecretHasher.Hasher.Algorithm = "argon2id"; }; - # DefaultInstance = { - # # PasswordComplexityPolicy = { - # # MinLength = 0; - # # HasLowercase = false; - # # HasUppercase = false; - # # HasNumber = false; - # # HasSymbol = false; - # # }; - # LoginPolicy = { - # AllowRegister = false; - # ForceMFA = true; - # }; - # LockoutPolicy = { - # MaxPasswordAttempts = 5; - # MaxOTPAttempts = 10; - # }; - # # SMTPConfiguration = { - # # SMTP = { - # # Host = "black-mail.nl:587"; - # # User = "chris@kruining.eu"; - # # Password = "__TODO_USE_SOPS__"; - # # }; - # # FromName = "Amarth Zitadel"; - # # }; - # }; + DefaultInstance = { + # PasswordComplexityPolicy = { + # MinLength = 0; + # HasLowercase = false; + # HasUppercase = false; + # HasNumber = false; + # HasSymbol = false; + # }; + # LoginPolicy = { + # AllowRegister = false; + # ForceMFA = true; + # }; + # LockoutPolicy = { + # MaxPasswordAttempts = 5; + # MaxOTPAttempts = 10; + # }; + SMTPConfiguration = { + SMTP = { + Host = "black-mail.nl:587"; + User = "chris@kruining.eu"; + }; + FromName = "Amarth Zitadel"; + }; + }; Database.postgres = { Host = "localhost"; @@ -325,6 +335,9 @@ in }; }; }; + extraStepsPaths = [ + config.sops.templates."secrets.yaml".path + ]; }; postgresql = { 
@@ -359,10 +372,37 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets - sops.secrets."zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; + sops = { + secrets = { + "zitadel/masterKey" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 + }; + + "email/chris_kruining_eu" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; + }; + }; + + templates."secrets.yaml" = { + owner = "zitadel"; + group = "zitadel"; + content = '' + DefaultInstance: + SMTPConfiguration: + SMTP: + Password: ${config.sops.placeholder."email/chris_kruining_eu"} + ''; + }; + + templates."kaas" = { + owner = "zitadel"; + group = "zitadel"; + content = config.sops.placeholder."email/chris_kruining_eu"; + }; }; }; } diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index 68ab4ca..bee7b3c 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, namespace, inputs, ... }: +{ pkgs, config, namespace, inputs, system, ... }: let cfg = config.${namespace}.system.security.sops; in @@ -13,10 +13,14 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; + defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml"; - age.keyFile = "/home/"; + age = { + # keyFile = "~/.config/sops/age/keys.txt"; + # sshKeyPaths = [ "~/.ssh/id_ed25519" ]; + # generateKey = true; + }; }; }; } \ No newline at end of file From 334c0b54cc4d13dd5f8b3902cecc28e9e37a67fd Mon Sep 17 00:00:00 2001 
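Review bot: The trailing comment after `restartUnits` on the `zitadel/masterKey` entry looks like a plaintext password or key pasted next to the sops-encrypted secret; it must be removed, and since it is now in git history the underlying value should be rotated rather than merely deleted. `templates."kaas"` renders the `email/chris_kruining_eu` secret a second time under a throwaway name solely so Terraform can `file()` it, duplicating what `templates."secrets.yaml"` already exposes. In `sops/default.nix` the `age` block is left entirely commented out, so decryption now relies on sops-nix's default key lookup (the host SSH keys, I believe); a comment stating that intent, e.g. `# no explicit key: rely on sops-nix's default of the host's ssh host keys`, would make the reliance deliberate.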
From: chris Date: Mon, 27 Oct 2025 07:41:12 +0000 Subject: [PATCH 118/174] ops(secrets): removed secret "email/info@amarth.cloud" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 6add209..3fa58fa 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,5 +1,4 @@ email: - info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: @@ -24,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:25:59Z" - mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] + lastmodified: "2025-10-27T07:41:09Z" + mac: ENC[AES256_GCM,data:jc/hbXqdsLHkOldzmk68Uj9FnToLgfbF4YDzLv5SqPEBt1lihkOjeBD8tGq1w0LIJnWZTHv4yC1IEsJkB3r1a5E9OtukdNpdpDKfo5mf9+tACJ/d27RyYrLfmo/HUfAuk2WEbhQ3pqP8z+JhZ2R32+tfUi0hrmBlgtSJ7w53vpM=,iv:C/5HpoyVO9lDJBmBTROVGux74c0ZIP6N93urzk+kZ2E=,tag:LwTWbBToKkKEPyzBKvtr3A==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From e92f2cf82c7a4bb662cdcc15cc85d38c8b8af3d9 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 27 Oct 2025 11:34:11 +0100 Subject: [PATCH 119/174] add some commands to read secret values --- .just/vars.just | 4 ++++ .justfile | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.just/vars.just b/.just/vars.just index 46bb5fd..167144a 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,5 +1,6 @@ base_path := invocation_directory() / "systems/x86_64-linux" sops := "nix shell nixpkgs#sops --command sops" +yq := "nix shell nixpkgs#yq --command yq" @_default: just --list @@ -19,6 +20,9 @@ list machine: echo "Done" +@get machine key: + {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml | {{ yq }} ".$(echo "{{ key }}" | sed -E 's/\//./g')" + @remove machine key: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" diff --git a/.justfile b/.justfile index 1c9fc03..2788376 100644 --- a/.justfile +++ b/.justfile @@ -15,4 +15,8 @@ mod machine '.just/machine.just' @update: nix flake update git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" \ No newline at end of file + echo "Done" + +[doc('Introspection on flake output')] +@select key: + nix eval --json .#{{ key }} | jq . \ No newline at end of file From 6c9667831a54f5097ef276a8317d3fb5f3ebe43a Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 27 Oct 2025 13:11:42 +0000 Subject: [PATCH 120/174] ops(secrets): set secret "zitadel/masterKey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 3fa58fa..f9e4a82 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
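Review bot: The new `get` recipe decrypts the whole `secrets.yml` into a pipe and lets `yq` pick one key, so every secret in the file passes through a second process for a single lookup. sops can extract one value itself with the same bracket path the `set` and `remove` recipes already build: `{{ sops }} decrypt --extract "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" {{ base_path }}/{{ machine }}/secrets.yml`, which also drops the `yq` dependency. In `.justfile`, the `select` recipe pipes into a bare `jq` while `sops` and `yq` are provided through `nix shell` variables; the same pattern would keep the recipes self-contained.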
@@ -2,7 +2,7 @@ email: chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: - masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] + masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-27T07:41:09Z" - mac: ENC[AES256_GCM,data:jc/hbXqdsLHkOldzmk68Uj9FnToLgfbF4YDzLv5SqPEBt1lihkOjeBD8tGq1w0LIJnWZTHv4yC1IEsJkB3r1a5E9OtukdNpdpDKfo5mf9+tACJ/d27RyYrLfmo/HUfAuk2WEbhQ3pqP8z+JhZ2R32+tfUi0hrmBlgtSJ7w53vpM=,iv:C/5HpoyVO9lDJBmBTROVGux74c0ZIP6N93urzk+kZ2E=,tag:LwTWbBToKkKEPyzBKvtr3A==,type:str] + lastmodified: "2025-10-27T13:11:41Z" + mac: ENC[AES256_GCM,data:0LS7xQlkfIZRVwAZPE33KmPA19CpnXj/t4hpDrVW+BbESpnBku2oxPB/Cvp0dY5MGnDFgU4Htp0JoppHCgKvkaSBhvjxjW2DT1Nkk5PBmAtuzZLW4qc25ZVlqiKgzj1LE3XPTbqUJyp+X3U23BnU1ViTGgHuBcdEV7TFNHjmnwk=,iv:HpVIDAU1FbrUKXW8klWq0Kn9ZtKcgwR1jKXLkGtDd5A=,tag:50P0UZtj77npD92zxCaZHw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 84cc5ff5c4586136e091c3c087b787c9326fd869 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 27 Oct 2025 17:07:51 +0100 Subject: [PATCH 121/174] feat(zitadel): expand terranix resources WOOP WOOP, it all works! now the next, big, huge, giant, hurdle to overcome is the chicken and egg problem of needing zitadel to generate values that I need inside the nix config of synapse, forgejo, and jellyfin --- .just/machine.just | 2 +- .../authentication/zitadel/default.nix | 184 +++++++++++++----- systems/x86_64-linux/ulmo/default.nix | 19 +- 3 files changed, 149 insertions(+), 56 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index 65d1a7b..6dabbc0 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -6,4 +6,4 @@ [doc('Update the target machine')] update machine: - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 59abcf3..eaa3c60 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -12,8 +12,12 @@ in enable = mkEnableOption "Zitadel"; organization = mkOption { - type = types.attrsOf (types.submodule { - options = { + type = types.attrsOf (types.submodule ({ name, ... }: { + options = + let + org = name; + in + { isDefault = mkOption { type = types.bool; default = false; 
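Review bot: `--flake ..#{{ machine }}` in `.just/machine.just` bakes in the assumption that the recipe runs with `.just/` as its working directory, so the flake reference silently points one level too high if the module is invoked from elsewhere or just's module working-directory rules differ. `vars.just` already anchors paths with `invocation_directory()`, so `--flake {{ invocation_directory() }}#{{ machine }}` would follow the existing convention and make the intent explicit. I have not verified just's current module cwd behaviour; treat the exact function choice as something to confirm.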
@@ -108,13 +112,82 @@ in }; }); }; + + user = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = + let + username = name; + in + { + email = mkOption { + type = types.str; + example = "someone@some.domain"; + description = '' + Username. + ''; + }; + + userName = mkOption { + type = types.nullOr types.str; + default = cfg.organization.${org}.user.${username}.email; + example = "someone@some.domain"; + description = '' + Username. Default value is the user's email, you can overwrite that by setting this option + ''; + }; + + firstName = mkOption { + type = types.str; + example = "John"; + description = '' + First name of the user. + ''; + }; + + lastName = mkOption { + type = types.str; + example = "Doe"; + description = '' + Last name of the user. + ''; + }; + + roles = mkOption { + type = types.listOf types.str; + default = []; + example = "[ \"ORG_OWNER\" ]"; + description = '' + List of roles granted to organisation. + ''; + }; + + instanceRoles = mkOption { + type = types.listOf types.str; + default = []; + example = "[ \"IAM_OWNER\" ]"; + description = '' + List of roles granted to instance. + ''; + }; + }; + })); + }; }; - }); + })); }; }; config = let - mapRef = type: name: { "${type}Id" = "\${ resource.zitadel_${type}.${toSnakeCase name}.id }"; }; + _refTypeMap = { + org = { type = "org"; }; + project = { type = "project"; }; + user = { type = "user"; tfType = "human_user"; }; + }; + + mapRef' = { type, tfType ? type }: name: { "${type}Id" = "\${ resource.zitadel_${tfType}.${toSnakeCase name}.id }"; }; + mapRef = type: name: mapRef' (_refTypeMap.${type}) name; mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; mapValue = type: value: ({ @@ -128,6 +201,7 @@ in withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); + withDefaults = defaults: attrs: defaults // attrs; select = keys: callback: set: if (length keys) == 0 then 
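Review bot: The `email` option's description reads `Username.`, evidently copied from `userName`; it should read `Email address of the user.`. The `roles` and `instanceRoles` examples are strings (`example = "[ \"ORG_OWNER\" ]";`) although the type is `types.listOf types.str`; an option example should be a value of the option's type, `example = [ "ORG_OWNER" ];`, so generated docs render a list. The `userName` default reaches back through `cfg.organization.${org}.user.${username}.email`, which works because `org` is bound in the enclosing submodule's `let`, but a one-line comment there (`# org comes from the enclosing organization submodule`) would spare the next reader the lookup.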
@@ -156,6 +230,7 @@ in }; resource = { + # Organizations zitadel_org = cfg.organization |> select [] (name: value: value |> getAttrs [ "isDefault" ] @@ -163,6 +238,7 @@ in |> toResource name ); + # Projects per organization zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: value |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] @@ -171,6 +247,7 @@ in |> toResource name ); + # Each OIDC app per project zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: value |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] 
@@ -180,14 +257,52 @@ in |> toResource name ); + # Users + zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: value: + value + |> getAttrs [ "email" "userName" "firstName" "lastName" ] + |> withRef "org" org + |> withDefaults { isEmailVerified = true; } + |> toResource name + ); + + # Global user roles + zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: + { roles = value.instanceRoles; } + |> withRef "user" name + |> toResource name + ); + + # Organazation specific roles + zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: value: + value + |> getAttrs [ "roles" ] + |> withRef "org" org + |> withRef "user" name + |> toResource name + ); + + # SMTP config zitadel_smtp_config.default = { sender_address = "chris@kruining.eu"; sender_name = "no-reply (Zitadel)"; tls = true; - host = "black-mail.nl"; + host = "black-mail.nl:587"; user = "chris@kruining.eu"; - password = "\${file(\"${config'.sops.templates."kaas".path}\")}"; + password = lib.tfRef "file(\"${config'.sops.secrets."email/chris_kruining_eu".path}\")"; + set_active = true; }; + + # Client credentials per app + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: + nameValuePair name { + content = '' + CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_id"} + CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_secret"} + ''; + filename = "/var/lib/zitadel/clients/${name}"; + } + ); }; }; }) @@ -203,6 +318,7 @@ in systemd.tmpfiles.rules = [ "d /tmp/zitadelApplyTerraform 0755 zitadel zitadel -" + "d /var/lib/zitadel/clients 0755 zitadel zitadel -" ]; systemd.services.zitadelApplyTerraform = { @@ -214,6 +330,11 @@ in script = '' #!/usr/bin/env bash + if [ "$(systemctl is-active zitadel)" != "active" ]; then + echo "Zitadel is not running" + exit 1 + fi + # Copy infra code into workspace cp -f ${terraformConfiguration} config.tf.json 
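Review bot: `local_sensitive_file` writes each app's `CLIENT_SECRET` to `/var/lib/zitadel/clients/${name}` and, like `zitadel_smtp_config.password`, the value is also recorded in Terraform state in the apply workspace; the tmpfiles rule in the `@@ -203,6 +318,7 @@` hunk creates that directory as 0755, so the client names are listable by any local user and the file mode depends on the provider's default (0700, if I recall). I would set `file_permission` explicitly on the resource and create the directory as `0750 zitadel zitadel`. `withDefaults { isEmailVerified = true; }` marks every declared user as verified with no way to opt out; exposing it as an option on the `user` submodule would be better than a hard-coded default. `zitadel_instance_member` and `zitadel_org_member` are also emitted for every user even when `instanceRoles` or `roles` is empty, which I suspect the provider rejects — filtering those out in the `select` callback would avoid an apply-time surprise.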
@@ -237,8 +358,7 @@ in zitadel = { enable = true; openFirewall = true; - # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; - masterKeyFile = "/var/lib/zitadel/master_key"; + masterKeyFile = config.sops.secrets."zitadel/masterKey".path; tlsMode = "external"; settings = { Port = 9092; @@ -256,31 +376,6 @@ in SecretHasher.Hasher.Algorithm = "argon2id"; }; - DefaultInstance = { - # PasswordComplexityPolicy = { - # MinLength = 0; - # HasLowercase = false; - # HasUppercase = false; - # HasNumber = false; - # HasSymbol = false; - # }; - # LoginPolicy = { - # AllowRegister = false; - # ForceMFA = true; - # }; - # LockoutPolicy = { - # MaxPasswordAttempts = 5; - # MaxOTPAttempts = 10; - # }; - SMTPConfiguration = { - SMTP = { - Host = "black-mail.nl:587"; - User = "chris@kruining.eu"; - }; - FromName = "Amarth Zitadel"; - }; - }; - Database.postgres = { Host = "localhost"; # Zitadel will report error if port is not set @@ -335,9 +430,9 @@ in }; }; }; - extraStepsPaths = [ - config.sops.templates."secrets.yaml".path - ]; + # extraStepsPaths = [ + # config.sops.templates."secrets.yaml".path + # ]; }; postgresql = { @@ -386,23 +481,6 @@ in restartUnits = [ "zitadel.service" ]; }; }; - - templates."secrets.yaml" = { - owner = "zitadel"; - group = "zitadel"; - content = '' - DefaultInstance: - SMTPConfiguration: - SMTP: - Password: ${config.sops.placeholder."email/chris_kruining_eu"} - ''; - }; - - templates."kaas" = { - owner = "zitadel"; - group = "zitadel"; - content = config.sops.placeholder."email/chris_kruining_eu"; - }; }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4845e73..e776927 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
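Review bot: The commented-out `extraStepsPaths` block still references `config.sops.templates."secrets.yaml".path`, but the `@@ -386,23 +481,6 @@` hunk of this same commit deletes that template, so the block cannot be uncommented as written; delete it rather than keep dead configuration. Switching `masterKeyFile` to `config.sops.secrets."zitadel/masterKey".path` closes the `/var/lib/zitadel/master_key` workaround, though nothing in this change removes the old key file from the host (inferred; its cleanup is not visible here), which is worth a follow-up.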
@@ -43,9 +43,18 @@ enable = true; organization = { - thisIsMyAwesomeOrg = {}; - nix = { + user = { + chris = { + email = "chris@kruining.eu"; + firstName = "Chris"; + lastName = "Kruining"; + + roles = [ "ORG_OWNER" ]; + instanceRoles = [ "IAM_OWNER" ]; + }; + }; + project = { ulmo = { application = { @@ -60,6 +69,12 @@ grantTypes = [ "authorizationCode" ]; responseTypes = [ "code" ]; }; + + matrix = { + redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + }; }; }; }; From 5157a57f32bc736e151903438a284bad4a16b31a Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 27 Oct 2025 21:11:08 +0100 Subject: [PATCH 122/174] feat(zed): add just language server plugin --- modules/home/editor/zed/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/editor/zed/default.nix b/modules/home/editor/zed/default.nix index b35acba..f0fe7fa 100644 --- a/modules/home/editor/zed/default.nix +++ b/modules/home/editor/zed/default.nix @@ -15,7 +15,7 @@ in { programs.zed-editor = { enable = true; - extensions = [ "nix" "toml" "html" ]; + extensions = [ "nix" "toml" "html" "just-ls" ]; userSettings = { assistant.enabled = false; From 7b9e07ee4b338c5ffbe29ff26a934163d42ca42d Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:07:04 +0000 Subject: [PATCH 123/174] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index f9e4a82..7ff94ef 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,6 +3,8 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] +forgejo: + action_runner_token: ENC[AES256_GCM,data:9rnVy+qIpfdXPxLV2yh09VrVWUzwoy5XwShctSqPeQM=,iv:0Bydo8Bs9TQ2LSjU/zDfGYk/aCq2OH0U8I+linkQcA4=,tag:Sw4cx48EmpvsjF0cZxcAvg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-27T13:11:41Z" - mac: ENC[AES256_GCM,data:0LS7xQlkfIZRVwAZPE33KmPA19CpnXj/t4hpDrVW+BbESpnBku2oxPB/Cvp0dY5MGnDFgU4Htp0JoppHCgKvkaSBhvjxjW2DT1Nkk5PBmAtuzZLW4qc25ZVlqiKgzj1LE3XPTbqUJyp+X3U23BnU1ViTGgHuBcdEV7TFNHjmnwk=,iv:HpVIDAU1FbrUKXW8klWq0Kn9ZtKcgwR1jKXLkGtDd5A=,tag:50P0UZtj77npD92zxCaZHw==,type:str] + lastmodified: "2025-10-30T14:07:03Z" + mac: ENC[AES256_GCM,data:81HSgWBj+piT5LvvFHcJVTSoyKNFHteo0yLRPp/lJ4st25JyachSIC0s6ApJiFSzoMH12C2LumcjrVafpvLQXITxhkEAkt0fm9uK1isrWNGpQcLnLAlcbrPZuf5TB8FWjAyHoisafHYzO9XhNYHT9vhxGKGIXf6pOJG8LGebqNM=,iv:y8ty2BAvQvMOpCw2HSC82OEaOv59VERdM09JBCwqlHk=,tag:0ZjSUKT5KJgNjJr07hVabg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 7edfdf92e096d5695b80aa276f25d4c171ffa765 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:07:56 +0000 Subject: [PATCH 124/174] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 7ff94ef..4f2f8ae 100644 
--- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:9rnVy+qIpfdXPxLV2yh09VrVWUzwoy5XwShctSqPeQM=,iv:0Bydo8Bs9TQ2LSjU/zDfGYk/aCq2OH0U8I+linkQcA4=,tag:Sw4cx48EmpvsjF0cZxcAvg==,type:str] + action_runner_token: ENC[AES256_GCM,data:ve7im4kIWyfFSVVXq5TNIdhT95TcJ2o8iNy829juImQCVHt9wU8=,iv:5uOm5W6srD+dCu2ElnEzuI7BlsDa0PfqaMoyJrnIqqU=,tag:fFpWwgs6UPjvVlx6AXmrCw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:07:03Z" - mac: ENC[AES256_GCM,data:81HSgWBj+piT5LvvFHcJVTSoyKNFHteo0yLRPp/lJ4st25JyachSIC0s6ApJiFSzoMH12C2LumcjrVafpvLQXITxhkEAkt0fm9uK1isrWNGpQcLnLAlcbrPZuf5TB8FWjAyHoisafHYzO9XhNYHT9vhxGKGIXf6pOJG8LGebqNM=,iv:y8ty2BAvQvMOpCw2HSC82OEaOv59VERdM09JBCwqlHk=,tag:0ZjSUKT5KJgNjJr07hVabg==,type:str] + lastmodified: "2025-10-30T14:07:55Z" + mac: ENC[AES256_GCM,data:YX60ajX1LFjVkmMTYAVRj28N6IMMwHrFerq7EJ8DHMaQ75pCRrH1EbX0YTIRnSA7aYo0gGpPiHTbMKkMA6Dq6XOVxXFtqYaFC9jwVjVoXg58zdd2Yvtf7m9yrFX9ohEScQPLHwwZfWJFSqdOY0iSHotW0/duMm65zzC5MgcYoeE=,iv:61m1hBVZ+ASIykvVqC7XaPpOSWuEbTBo9NRpo6MQbeg=,tag:SNyqhMQ/BwWo49kCHwBoBQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From eac33f7cef4192decb15dff7530cb3b7ca559ce9 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:12:56 +0000 Subject: [PATCH 125/174] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4f2f8ae..dd7b2a7 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:ve7im4kIWyfFSVVXq5TNIdhT95TcJ2o8iNy829juImQCVHt9wU8=,iv:5uOm5W6srD+dCu2ElnEzuI7BlsDa0PfqaMoyJrnIqqU=,tag:fFpWwgs6UPjvVlx6AXmrCw==,type:str] + action_runner_token: ENC[AES256_GCM,data:V6V6Lt2XhV9NiSEKjS57vf5IgGUHLvmmG+uUcdNT4tvgezVhPOK/h5F4hxmCKg==,iv:UlHIFDsKeg4hFyXKyhYE3h/77xXeW+/kBJigDU5dP90=,tag:ES0z0bHv1uomsyYWyjsLfw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:07:55Z" - mac: ENC[AES256_GCM,data:YX60ajX1LFjVkmMTYAVRj28N6IMMwHrFerq7EJ8DHMaQ75pCRrH1EbX0YTIRnSA7aYo0gGpPiHTbMKkMA6Dq6XOVxXFtqYaFC9jwVjVoXg58zdd2Yvtf7m9yrFX9ohEScQPLHwwZfWJFSqdOY0iSHotW0/duMm65zzC5MgcYoeE=,iv:61m1hBVZ+ASIykvVqC7XaPpOSWuEbTBo9NRpo6MQbeg=,tag:SNyqhMQ/BwWo49kCHwBoBQ==,type:str] + lastmodified: "2025-10-30T14:12:56Z" + mac: ENC[AES256_GCM,data:G+aGa5bbZsHjsIEOF7/bHPddasbaVTK+WUj25byqyoKSfTqeru25fZoBHP/6dnVkTmHHuktHTcRtSubBhz+kKjBSovKk3fUL14W4og7+ULcWtmgcuF2usAMywi2/N0vkpp/IuU/qj62R1fGqpHLxxjDZJGjX+a5mkl+DV2yJmCE=,iv:X5o0hrBOE3hbNH2OxPHGpKXAUOUhRVZ5NEsdE2SxLbM=,tag:/qTqy/d6N2CoeegkDo2Yfg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From b11ca6bd05615d8bd808c56d18ae5c9519c71422 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 30 Oct 2025 14:24:06 +0000 Subject: [PATCH 126/174] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index dd7b2a7..adace84 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:V6V6Lt2XhV9NiSEKjS57vf5IgGUHLvmmG+uUcdNT4tvgezVhPOK/h5F4hxmCKg==,iv:UlHIFDsKeg4hFyXKyhYE3h/77xXeW+/kBJigDU5dP90=,tag:ES0z0bHv1uomsyYWyjsLfw==,type:str] + action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:12:56Z" - mac: ENC[AES256_GCM,data:G+aGa5bbZsHjsIEOF7/bHPddasbaVTK+WUj25byqyoKSfTqeru25fZoBHP/6dnVkTmHHuktHTcRtSubBhz+kKjBSovKk3fUL14W4og7+ULcWtmgcuF2usAMywi2/N0vkpp/IuU/qj62R1fGqpHLxxjDZJGjX+a5mkl+DV2yJmCE=,iv:X5o0hrBOE3hbNH2OxPHGpKXAUOUhRVZ5NEsdE2SxLbM=,tag:/qTqy/d6N2CoeegkDo2Yfg==,type:str] + lastmodified: "2025-10-30T14:24:06Z" + mac: ENC[AES256_GCM,data:nZA2oHESh/NCHhAG5u7xAMRdd6J7Pvocc9jg5gFSAcSxrrjaAX4xK/MX5LEG3YTbIHD+/b7CxpalJ6IEJi2X5cr4p0trQmes8Eu6+VXs14bOk7Mfa1Yu5jfzwOwlZcmP/0k+rB8RzuOUlzgILL1OKqyJ/Xi5tItDAaKl9jGzczM=,iv:/Z9hU+o3SNBZU+jL3+fk7nzB69ownTHhT2Iq3VnyYU4=,tag:EapUHp+jMosjiGcR2FGVyQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 138bb67ffb1530330105056e2db70e44fa425564 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 30 Oct 2025 21:26:18 +0100 Subject: [PATCH 127/174] feat(just): add assert utility function/recipe --- .just/machine.just | 3 ++- .justfile | 13 ++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index 6dabbc0..1ce791f 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -5,5 +5,6 @@ ls -1 ../systems/x86_64-linux/ [doc('Update the target machine')] -update machine: +@update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file diff --git a/.justfile b/.justfile index 2788376..3a15d20 100644 --- a/.justfile +++ b/.justfile 
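Review bot: `{{ machine }}` is interpolated unquoted into shell text in both new lines — inside the `-d "..."` condition string, which `assert` in the `.justfile` hunk below splices verbatim into `[ {{ condition }} ]`, and into the `$(ls ...)` message that is evaluated even when the test passes — so a machine name containing shell metacharacters is executed rather than compared. Testing the directory directly with just's quoting helper avoids the double interpolation: `[ -d ../systems/x86_64-linux/{{ quote(machine) }} ] || { echo >&2 "Machine" {{ quote(machine) }} "does not exist"; exit 1; }`, and the same `{{ quote(machine) }}` belongs on the `nixos-rebuild ... --target-host` line, which takes the name unquoted as well. In `assert` itself, `echo -e` is a bash extension (dash prints the `-e`), so `printf` is the portable spelling if the recipe shell is ever not bash. Keep `assert` for conditions that do not embed recipe parameters.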
@@ -19,4 +19,15 @@ mod machine '.just/machine.just' [doc('Introspection on flake output')] @select key: - nix eval --json .#{{ key }} | jq . \ No newline at end of file + nix eval --json .#{{ key }} | jq . + + + +#=============================================================================================== +# Utils +#=============================================================================================== +[no-exit-message] +[no-cd] +[private] +@assert condition message: + [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file From 15103b16baaa0333ef585050a0b4f78f8ab99c3e Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 20:57:39 +0000 Subject: [PATCH 128/174] ops(secrets): set secret "synapse/oidc_id" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index adace84..bc92d4e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -5,6 +5,8 @@ zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] +synapse: + oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -25,7 +27,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:24:06Z" - mac: ENC[AES256_GCM,data:nZA2oHESh/NCHhAG5u7xAMRdd6J7Pvocc9jg5gFSAcSxrrjaAX4xK/MX5LEG3YTbIHD+/b7CxpalJ6IEJi2X5cr4p0trQmes8Eu6+VXs14bOk7Mfa1Yu5jfzwOwlZcmP/0k+rB8RzuOUlzgILL1OKqyJ/Xi5tItDAaKl9jGzczM=,iv:/Z9hU+o3SNBZU+jL3+fk7nzB69ownTHhT2Iq3VnyYU4=,tag:EapUHp+jMosjiGcR2FGVyQ==,type:str] + lastmodified: "2025-10-30T20:57:37Z" + mac: ENC[AES256_GCM,data:Al8mN4HtSaTjlSBjYEgdcuR0YmqRNNhvW1tGRzQvQgXpC1tkM4HWpVuYQdpHXqtyz2DYMFRhTX4VqVJFvgh/MD1wN+6KGj05uJOlcr4yGr7DBlO2xX2aF0q+4w/mNnBbyFF7QwRMFWH3YBW3PDq+eDAQ5aqquucT+1HeDxcwWFI=,iv:PhNv0Pa/Wuxn4plzExeLBHHYGtE54IKj7AuuPJ3VPlU=,tag:fQz/DUp54isRUjSmnUnuZA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 01f9340cfb83907ab64de6807431b3452d092aca Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 20:58:02 +0000 Subject: [PATCH 129/174] ops(secrets): set secret "synapse/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index bc92d4e..250b1af 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -7,6 +7,7 @@ forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] + oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -27,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T20:57:37Z" - mac: ENC[AES256_GCM,data:Al8mN4HtSaTjlSBjYEgdcuR0YmqRNNhvW1tGRzQvQgXpC1tkM4HWpVuYQdpHXqtyz2DYMFRhTX4VqVJFvgh/MD1wN+6KGj05uJOlcr4yGr7DBlO2xX2aF0q+4w/mNnBbyFF7QwRMFWH3YBW3PDq+eDAQ5aqquucT+1HeDxcwWFI=,iv:PhNv0Pa/Wuxn4plzExeLBHHYGtE54IKj7AuuPJ3VPlU=,tag:fQz/DUp54isRUjSmnUnuZA==,type:str] + lastmodified: "2025-10-30T20:58:01Z" + mac: ENC[AES256_GCM,data:7vQ5wV58UNUH5bOgyUxaifAbU3GTqZi2gH+rpAR+d/31rx8yeKVNMj0aWA5ianpUvVt2kbaap6Aj+Sxl3M8wI9jtg2o/3FmR+xEHEWgQ/jw1q9zvKIAUV6SeM1Hg639iV3xcC8F8U+Xy50H85f4B3XQWGJMnUamqH9LYrUjv8nY=,iv:vOGvilRSrPZW3uir1nwlxzhg+hXE5yw6r8vCr5Cxmt0=,tag:X9OYdCPuDz3o5kYLUKHmXg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From f33f05a5b64e1e7a16245f69d50ab4d60c4b1254 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 15:18:53 +0100 Subject: [PATCH 130/174] feat(zitadel): implement and use even more of the zitadel API --- .../authentication/zitadel/default.nix | 236 +++++++++++++++--- .../services/communication/matrix/default.nix | 55 ++-- systems/x86_64-linux/ulmo/default.nix | 38 +++ 3 files changed, 271 insertions(+), 58 deletions(-) 
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index eaa3c60..917bde4 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -73,6 +73,40 @@ in ''; }; + role = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = + let + roleName = name; + in + { + displayName = mkOption { + type = types.str; + default = toSentenceCase name; + example = "RoleName"; + description = '' + Name used for project role. + ''; + }; + + group = mkOption { + type = types.nullOr types.str; + default = null; + example = "some_group"; + description = '' + Group used for project role. + ''; + }; + }; + })); + }; + + assign = mkOption { + default = {}; + type = types.attrsOf (types.listOf types.str); + }; + application = mkOption { default = {}; type = types.attrsOf (types.submodule { 
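Review bot: `role` and `assign` are the only options added here without a `description`, and `assign` is the non-obvious one: its attribute names are user keys and its values are role keys, neither validated against `user` or `role` in this module. Add `description = "Project roles; the attribute name becomes the ZITADEL roleKey."` on `role` and `description = "Role keys to grant per user, keyed by the user's attribute name under the organization's user set; each key must exist in role."` on `assign`, so the `${org}_${project}_${user}` grant resources built later are traceable to their source. An eval-time `assertions` entry checking that every assigned role and user exists would turn the resulting OpenTofu apply error into a readable Nix error. The enclosing `project` submodule begins above this hunk and continues past it.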
@@ -174,6 +208,74 @@ in }; })); }; + + action = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + script = mkOption { + type = types.str; + example = '' + (ctx, api) => { + api.v1.claims.setClaim('some_claim', 'some_value'); + }; + ''; + description = '' + The script to run. This must be a function that receives 2 parameters, and returns void. During the creation of the action's script this module simly does `const {{name}} = {{script}}`. + ''; + }; + + timeout = mkOption { + type = (types.ints.between 0 20); + default = 10; + example = "10"; + description = '' + After which time the action will be terminated if not finished. + ''; + }; + + allowedToFail = mkOption { + type = types.bool; + default = true; + example = "true"; + description = '' + Allowed to fail. + ''; + }; + }; + })); + }; + + triggers = mkOption { + default = []; + type = types.listOf (types.submodule { + options = { + flowType = mkOption { + type = types.enum [ "authentication" "customiseToken" "internalAuthentication" "samlResponse" ]; + example = "customiseToken"; + description = '' + Type of the flow to which the action triggers belong. + ''; + }; + + triggerType = mkOption { + type = types.enum [ "postAuthentication" "preCreation" "postCreation" "preUserinfoCreation" "preAccessTokenCreation" "preSamlResponse" ]; + example = "postAuthentication"; + description = '' + Trigger type on when the actions get triggered. + ''; + }; + + actions = mkOption { + type = types.nonEmptyListOf types.str; + example = ''[ "action_name" ]''; + description = '' + Names of actions to trigger + ''; + }; + }; + }); + }; }; })); }; 
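Review bot: `allowedToFail` defaults to `true`, which for an action attached to a `customiseToken` trigger means a throwing script still issues a token, just without the custom claims and with no failure visible to the user; anything that authorises on those claims then sees no roles. Either default it to `false` or state the consequence: `description = "Whether the flow continues when the script throws. For customiseToken triggers a failed action silently issues a token without the custom claims."`. Smaller points: `example = "10"` is a string on an `ints.between` option (`example = 10;`), the `script` description reads `simly` for `simply`, and `triggers.actions` names are only resolved when OpenTofu runs, so a typo there fails at apply time rather than at eval. The enclosing submodule opens above this hunk.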
@@ -191,23 +293,28 @@ in mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; mapValue = type: value: ({ + appType = mapEnum "OIDC_APP_TYPE" value; grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value; responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value; + authMethodType = mapEnum "OIDC_AUTH_METHOD_TYPE" value; + + flowType = mapEnum "FLOW_TYPE" value; + triggerType = mapEnum "TRIGGER_TYPE" value; + accessTokenType = mapEnum "OIDC_TOKEN_TYPE" value; }."${type}" or value); toResource = name: value: nameValuePair (toSnakeCase name) (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); - withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); - withDefaults = defaults: attrs: defaults // attrs; select = keys: callback: set: if (length keys) == 0 then mapAttrs' callback set else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set + ; config' = config; 
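Review bot: `mapValue` now selects the enum prefix purely by attribute name, so any resource attribute named `appType`, `flowType`, `triggerType` or `accessTokenType` is prefixed regardless of which resource it belongs to, and a value that already carries the prefix would be prefixed twice. That holds today because the names are unique across the resources built below, but it deserves a line above the set: `# keyed by attribute name: every resource attribute with one of these names is treated as an enum with the given prefix`. Style: the `;` that terminates `select` was moved onto its own line while every other binding keeps it inline; keep it on the `concatMapAttrs` line. The `let` this belongs to opens above the hunk.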
@@ -231,57 +338,105 @@ in resource = { # Organizations - zitadel_org = cfg.organization |> select [] (name: value: - value - |> getAttrs [ "isDefault" ] - |> withName name + zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: + { inherit name isDefault; } |> toResource name ); # Projects per organization - zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: - value - |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] - |> withName name - |> withRef "org" org - |> toResource name + zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: + { + inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; + } + |> withRef "org" org + |> toResource "${org}_${name}" ); # Each OIDC app per project - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - value - |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] - |> withName name + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: + { + inherit name redirectUris grantTypes responseTypes; + + accessTokenRoleAssertion = true; + idTokenRoleAssertion = true; + accessTokenType = "JWT"; + } |> withRef "org" org - |> withRef "project" project - |> toResource name + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" + ); + + # Each project role + zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: + { inherit (value) displayName group; roleKey = name; } + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" + ); + + # Each project role assignment + zitadel_user_grant = cfg.organization |> select [ 
"project" "assign" ] (org: project: user: roles: + { roleKeys = roles; } + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" + |> toResource "${org}_${project}_${user}" ); # Users - zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: value: - value - |> getAttrs [ "email" "userName" "firstName" "lastName" ] + zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + { + inherit email userName firstName lastName; + + isEmailVerified = true; + } |> withRef "org" org - |> withDefaults { isEmailVerified = true; } - |> toResource name + |> toResource "${org}_${name}" ); # Global user roles zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: { roles = value.instanceRoles; } - |> withRef "user" name - |> toResource name + |> withRef "user" "${org}_${name}" + |> toResource "${org}_${name}" ); # Organazation specific roles - zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: value: - value - |> getAttrs [ "roles" ] + zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: + { inherit roles; } |> withRef "org" org - |> withRef "user" name - |> toResource name + |> withRef "user" "${org}_${name}" + |> toResource "${org}_${name}" ); + # Organazation's actions + zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: + { + inherit allowedToFail name; + timeout = "${toString timeout}s"; + script = "const ${name} = ${script}"; + } + |> withRef "org" org + |> toResource "${org}_${name}" + ); + + # Organazation's action assignments + zitadel_trigger_actions = cfg.organization + |> concatMapAttrs (org: { triggers, ... }: + triggers + |> imap0 (i: { flowType, triggerType, actions, ... 
}: (let name = "trigger_${toString i}"; in + { + inherit flowType triggerType; + + actionIds = actions + |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + |> listToAttrs + ); + # SMTP config zitadel_smtp_config.default = { sender_address = "chris@kruining.eu"; @@ -289,18 +444,18 @@ in tls = true; host = "black-mail.nl:587"; user = "chris@kruining.eu"; - password = lib.tfRef "file(\"${config'.sops.secrets."email/chris_kruining_eu".path}\")"; + password = lib.tfRef "file(\"${config'.sops.secrets."zitadel/email".path}\")"; set_active = true; }; # Client credentials per app local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - nameValuePair name { + nameValuePair "${org}_${project}_${name}" { content = '' - CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_id"} - CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_secret"} + CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} + CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} ''; - filename = "/var/lib/zitadel/clients/${name}"; + filename = "/var/lib/zitadel/clients/${org}_${project}_${name}"; } ); }; @@ -335,6 +490,9 @@ in exit 1 fi + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + # Copy infra code into workspace cp -f ${terraformConfiguration} config.tf.json @@ -342,6 +500,7 @@ in ${lib.getExe pkgs.opentofu} init # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan ${lib.getExe pkgs.opentofu} apply -auto-approve ''; 
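Review bot: `accessTokenRoleAssertion = true`, `idTokenRoleAssertion = true` and `accessTokenType = "JWT"` are now hard-wired into every `zitadel_application_oidc` rather than set per application, which silently changes the token model for existing clients: a JWT access token carries the role claims, and a resource server that validates it locally instead of introspecting it will accept it until expiry even after the grant is removed in ZITADEL. Expose the three as `application` options with these values as defaults so a client that only needs an opaque token can opt out. Separately, `zitadel_trigger_actions` references `zitadel_action.${org}_${toSnakeCase action}.id`, whereas the action resources are named through `toResource "${org}_${name}"`, i.e. `toSnakeCase` over the whole `org_name`; the two only coincide while `org` is already snake_case, so build the reference with the same call, `zitadel_action.${toSnakeCase "${org}_${action}"}.id`. The `resource` set this lives in opens before the hunk.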
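Review bot: Both the `file(...)` reference for `password` and the `local_sensitive_file` contents end up in OpenTofu state in clear: `file()` is read during plan/apply and `sensitive` only affects CLI output, so the SMTP password and every client secret sit in the state file alongside the `/var/lib/zitadel/clients/...` files. The state location is not visible here; if it is the local workspace the apply script `cp`s the config into, confirm its owner and mode match the sops secrets it mirrors and record that in the script, e.g. `# state contains the SMTP password and all client secrets in clear; workspace must not be readable by other users`. Pinning `file_permission = "0600"` on `local_sensitive_file` also makes the intended mode explicit instead of relying on the provider default (0700, as far as I know).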
@@ -475,9 +634,10 @@ in restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 }; - "email/chris_kruining_eu" = { + "zitadel/email" = { owner = "zitadel"; group = "zitadel"; + key = "email/chris_kruining_eu"; restartUnits = [ "zitadel.service" ]; }; }; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 38dfe0c..2d9ecd5 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -29,43 +29,33 @@ in enable = true; extras = [ "oidc" ]; - # plugins = with config.services.matrix-synapse.package.plugins; []; + + extraConfigFiles = [ + config.sops.templates."synapse-oidc.yaml".path + ]; settings = { server_name = domain; public_baseurl = "https://${fqn}"; + enable_metrics = true; + registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; url_preview_enabled = true; precence.enabled = true; # Since we'll be using OIDC for auth disable all local options - enable_registration = false; + enable_registration = true; + enable_registration_without_verification = true; password_config.enabled = false; + backchannel_logout_enabled = true; sso = { client_whitelist = [ "http://[::1]:9092" ]; update_profile_information = true; }; - oidc_providers = [ - { - discover = true; - - idp_id = "zitadel"; - idp_name = "Zitadel"; - issuer = "https://auth.kruining.eu"; - client_id = "337858153251143939"; - client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; - scopes = [ "openid" "profile" ]; - # user_mapping_provider.config = { - # localpart_template = "{{ user.prefered_username }}"; - # display_name_template = "{{ user.name }}"; - # }; - } - ]; - database = { # this is postgresql (also the default, but I prefer to be explicit) name = "psycopg2"; 
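Review bot: Renaming the secret to `"zitadel/email"` with `key = "email/chris_kruining_eu"` is fine, but the context line immediately above the hunk's first change (`restartUnits = [ "zitadel.service" ];` followed by a trailing `#...` comment) carries what looks like a pasted credential rather than a note. It predates this commit, yet this hunk is the one touching that block: drop the comment, and if the string was ever a live password treat it as exposed and rotate it, since it is already in git history. The `sops.secrets` set continues outside the hunk.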
@@ -85,7 +75,7 @@ in resources = [ { - names = [ "client" "federation" ]; + names = [ "client" "federation" "openid" "metrics" "media" "health" ]; compress = true; } ]; @@ -175,5 +165,30 @@ in }; }; }; + + sops = { + secrets = { + "synapse/oidc_id" = {}; + "synapse/oidc_secret" = {}; + }; + + templates = { + "synapse-oidc.yaml" = { + owner = "matrix-synapse"; + content = '' + oidc_providers: + - discover: true + idp_id: zitadel + idp_name: Zitadel + issuer: "https://auth.kruining.eu" + scopes: + - openid + - profile + client_id: '${config.sops.placeholder."synapse/oidc_id"}' + client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' + ''; + }; + }; + }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index e776927..0c8a67b 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -57,6 +57,23 @@ project = { ulmo = { + projectRoleCheck = true; + projectRoleAssertion = true; + hasProjectCheck = true; + + role = { + jellyfin = { + group = "jellyfin"; + }; + jellyfin_admin = { + group = "jellyfin"; + }; + }; + + assign = { + chris = [ "jellyfin" "jellyfin_admin" ]; + }; + application = { jellyfin = { redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; @@ -78,6 +95,27 @@ }; }; }; + + action = { + flattenRoles = { + script = '' + (ctx, api) => { + if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) { + return; + } + + const roles = ctx.v1.user.grants.grants.flatMap(({ roles, projectId }) => roles.map(role => projectId + ':' + role)); + + api.v1.claims.setClaim('nix:zitadel:custom', JSON.stringify({ roles })); + }; + ''; + }; + }; + + triggers = [ + { flowType = "customiseToken"; triggerType = "preUserinfoCreation"; actions = [ "flattenRoles" ]; } + { flowType = "customiseToken"; triggerType = "preAccessTokenCreation"; actions = [ "flattenRoles" ]; } + ]; }; }; }; From 9b819a2a58397bee38aa1d25d1fedf093d18dab6 Mon Sep 17 00:00:00 2001 
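Review bot: `registration_shared_secret` is now a literal in the module, so it lands in the world-readable Nix store of every host that builds this configuration and in git history; Synapse supports `registration_shared_secret_path`, so store it as a sops secret next to the two OIDC ones and reference its `.path` (named along the lines of the existing `"synapse/oidc_*"` entries). In the same hunk `enable_registration` flips to `true` and `enable_registration_without_verification = true` is added directly under the comment saying local options are disabled because auth is OIDC; if Zitadel is meant to be the only sign-up path, check whether OIDC provisioning actually needs these (as far as I know it does not) and otherwise correct the comment, because as written the homeserver accepts self-registration with no verification step. `enable_metrics = true` is harmless by itself but pairs with the listener change in the next hunk. The `settings` set continues past this hunk.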
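Review bot: Adding `"metrics"` (and `"health"`) to this listener's `names` serves Synapse's Prometheus endpoint on the same listener as `client` and `federation`; if that listener is the one Caddy fronts for the public hostname — its `bind_addresses` are outside the hunk, so this is inferred — `/_synapse/metrics` becomes reachable unauthenticated from the internet. Synapse's own pattern is a separate `type = "metrics"` listener bound to loopback and scraped locally, e.g. `{ port = 9000; type = "metrics"; bind_addresses = [ "127.0.0.1" ]; }` (port chosen as an example), with the public listener limited to `client`, `federation`, `openid` and `media`. The listener definition starts before this hunk.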
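Review bot: `api.v1.claims.setClaim('nix:zitadel:custom', JSON.stringify({ roles }))` nests a JSON document inside a JSON claim, so every consumer must parse the string before it can read `roles`; if `setClaim` accepts non-string values — the ZITADEL examples pass arrays, as far as I know — set the structure directly with `api.v1.claims.setClaim('nix:zitadel:custom', { roles })`. The guard `ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0` with an early `return` means a user without grants gets no claim at all rather than an empty `roles`, so consumers have to treat absent and empty alike; setting `{ roles: [] }` before returning gives one shape, and `===` reads as intended. Because the module defaults `allowedToFail` to `true`, a runtime error in this script issues a token with no claim and no alert, which deserves a comment on the `action` block. The enclosing organization set continues past this hunk.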
From: Chris Kruining
Date: Mon, 3 Nov 2025 15:19:41 +0100
Subject: [PATCH 131/174] feat(forgejo): update config to use secrets
---
 .../services/development/forgejo/default.nix | 51 +++++++++++++++----
 1 file changed, 40 insertions(+), 11 deletions(-)
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index 46e0995..39e8215 100644
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -1,6 +1,7 @@ { config, lib, pkgs, namespace, ... }: let
- inherit (lib) mkIf mkEnableOption;
+ inherit (builtins) toString;
+ inherit (lib) mkIf mkEnableOption mkOption;
 cfg = config.${namespace}.services.development.forgejo; domain = "git.amarth.cloud";
@@ -8,6 +9,15 @@ in { options.${namespace}.services.development.forgejo = { enable = mkEnableOption "Forgejo";
+
+ port = mkOption {
+ type = lib.types.port;
+ default = 5002;
+ example = "1234";
+ description = ''
+ Which port to bind forgejo to
+ '';
+ };
 }; config = mkIf cfg.enable {
@@ -33,7 +43,7 @@ in server = { DOMAIN = domain; ROOT_URL = "https://${domain}/";
- HTTP_PORT = 5002;
+ HTTP_PORT = cfg.port;
 LANDING_PAGE = "explore"; };
@@ -83,7 +93,7 @@ in openid = { ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNUP = true;
- WHITELISTED_URIS = "https://auth.amarth.cloud";
+ WHITELISTED_URIS = "https://auth.kruining.eu";
 }; oauth2_client = {
@@ -102,6 +112,10 @@ in SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; };
+ metrics = {
+ ENABLED = true;
+ };
+
 api = { ENABLE_SWAGGER = false; };
@@ -120,9 +134,9 @@ in PROTOCOL = "smtp+starttls"; SMTP_ADDR = "black-mail.nl"; SMTP_PORT = 587;
- FROM = "info@amarth.cloud";
- USER = "info@amarth.cloud";
- PASSWD = "__TODO_USE_SOPS__";
+ FROM = "chris@kruining.eu";
+ USER = "chris@kruining.eu";
+ PASSWD_URI = "file:${config.sops.secrets."forgejo/email".path}";
 }; }; }; 
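Review bot: `metrics.ENABLED = true` without a `TOKEN` makes Forgejo's `/metrics` endpoint answer unauthenticated, and the Caddy vhost in the next hunk proxies the whole site, so it is reachable from the internet. Set `TOKEN` from a sops secret (Forgejo then demands a bearer token on the endpoint) or exclude the path in the vhost, and note the intent in the section: `# scraped by Prometheus; bearer token required, see sops secret`. Style: `example = "1234"` on a `types.port` option should be an integer, `example = 1234;`, and the new `PASSWD_URI = "file:..."` line would benefit from `# Forgejo reads the password from the sops-provided file at startup`, since the `file:` scheme is easy to mistake for a literal.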
@@ -137,8 +151,8 @@ in url = "https://git.amarth.cloud"; # Obtaining the path to the runner token file may differ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
- # tokenFile = config.age.secrets.forgejo-runner-token.path;
- token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
+ tokenFile = config.sops.secrets."forgejo/action_runner_token".path;
+ # token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
 labels = [ "default:docker://nixos/nix:latest" "ubuntu:docker://ubuntu:24-bookworm"
@@ -153,17 +167,32 @@ in caddy = { enable = true; virtualHosts = {
- ${domain}.extraConfig = ''
- # import auth-z
+ "${domain}".extraConfig = ''
+ # import auth # stupid dumb way to prevent the login page and go to zitadel instead # be aware that this does not disable local login at all! # rewrite /user/login /user/oauth2/Zitadel
- reverse_proxy http://127.0.0.1:5002
+ reverse_proxy http://127.0.0.1:${toString cfg.port}
 ''; }; }; };
+
+ sops.secrets = {
+ "forgejo/action_runner_token" = {
+ owner = "gitea-runner";
+ group = "gitea-runner";
+ restartUnits = [ "gitea-runner-default.service" ];
+ };
+
+ "forgejo/email" = {
+ owner = "forgejo";
+ group = "forgejo";
+ key = "email/chris_kruining_eu";
+ restartUnits = [ "forgejo.service" ];
+ };
+ };
 }; }
From 13697bfc51a80ae4aa5fd055a87eaba1da797feb Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 3 Nov 2025 15:22:55 +0000
Subject: [PATCH 132/174] ops(secrets): set secret "synapse/oidc_id" for machine "ulmo"
---
 systems/x86_64-linux/ulmo/secrets.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml
index 250b1af..b241d67 100644
--- a/systems/x86_64-linux/ulmo/secrets.yml
+++ b/systems/x86_64-linux/ulmo/secrets.yml 
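Review bot: The superseded runner token survives as a comment (`# token = "..."`), so the plaintext credential stays in the file and, regardless, in git history; delete the line and treat that token as exposed — revoking it in Forgejo is what makes the leaked value worthless. The comment two lines above says `tokenFile` is a systemd `EnvironmentFile` that must contain `TOKEN=<value>`, while the sops entry is a plain string; confirm the encrypted value carries the `TOKEN=` prefix — the four back-to-back rewrites of `forgejo/action_runner_token` earlier on this page look like that was discovered by trial. A comment on the new line, `# sops value must be the literal line TOKEN=<token> (EnvironmentFile format)`, spares the next person the same round trip. The runner instance block continues outside the hunk.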
@@ -6,7 +6,7 @@ zitadel: forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: - oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] + oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str] sops: age: @@ -28,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T20:58:01Z" - mac: ENC[AES256_GCM,data:7vQ5wV58UNUH5bOgyUxaifAbU3GTqZi2gH+rpAR+d/31rx8yeKVNMj0aWA5ianpUvVt2kbaap6Aj+Sxl3M8wI9jtg2o/3FmR+xEHEWgQ/jw1q9zvKIAUV6SeM1Hg639iV3xcC8F8U+Xy50H85f4B3XQWGJMnUamqH9LYrUjv8nY=,iv:vOGvilRSrPZW3uir1nwlxzhg+hXE5yw6r8vCr5Cxmt0=,tag:X9OYdCPuDz3o5kYLUKHmXg==,type:str] + lastmodified: "2025-11-03T15:22:54Z" + mac: ENC[AES256_GCM,data:VCZ394QncfeahWhVb08LUUIyGP0XdRkuH+uXij1SF3r9yiNZPS97oDCacoqZ7qZZ0/0jvcPBWp0HuYqLobIT0ACuhndN7nKHo5xZqlVa/nXqclvXU4iXWoqfhFs8vO5eAX+8gOhtTzJxfJF8CXzG4k2NG/wAgoyPWlJP8McnXkk=,iv:/Bkid1GN9o43eEyLokY3TeXOgG05GHKkcVu7D+dXX2g=,tag:4b3U+vTSexPuQHuqNVHACA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 7125d8d375f542cb5acd0ec4b6d4ff8c06c3f558 Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 3 Nov 2025 15:23:12 +0000 Subject: [PATCH 133/174] ops(secrets): set secret "synapse/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b241d67..0222f74 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -7,7 +7,7 @@ forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] - oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str] + oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -28,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-03T15:22:54Z" - mac: ENC[AES256_GCM,data:VCZ394QncfeahWhVb08LUUIyGP0XdRkuH+uXij1SF3r9yiNZPS97oDCacoqZ7qZZ0/0jvcPBWp0HuYqLobIT0ACuhndN7nKHo5xZqlVa/nXqclvXU4iXWoqfhFs8vO5eAX+8gOhtTzJxfJF8CXzG4k2NG/wAgoyPWlJP8McnXkk=,iv:/Bkid1GN9o43eEyLokY3TeXOgG05GHKkcVu7D+dXX2g=,tag:4b3U+vTSexPuQHuqNVHACA==,type:str] + lastmodified: "2025-11-03T15:23:12Z" + mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 7100d1c59c1b73dca6d6e0f67ef205c79fe0fb2c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 16:33:08 +0100 Subject: [PATCH 134/174] restart synapse when secrets change --- modules/nixos/services/communication/matrix/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 2d9ecd5..f84c002 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -187,6 +187,7 @@ in client_id: '${config.sops.placeholder."synapse/oidc_id"}' client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' ''; + restartUnits = [ "matrix-synapse.service" ]; }; }; }; From 8104ba7e932d028a0a3beba6047cc4fecf8bb451 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 16:36:19 +0100 Subject: [PATCH 135/174] feat(zitadel): change the default value of the username to the key instead of the email. This should ensure that binding to the apps goes more smoothly --- modules/nixos/services/authentication/zitadel/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 917bde4..7540e2f 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -165,10 +165,10 @@ in userName = mkOption { type = types.nullOr types.str; - default = cfg.organization.${org}.user.${username}.email; - example = "someone@some.domain"; + default = username; + example = "some_user_name"; description = '' - Username. Default value is the user's email, you can overwrite that by setting this option + Username. Default value is the key of the config object you created, you can overwrite that by setting this option ''; }; 
From 5668e1048da9153d17336616c8bcc93fe4ad1911 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 16:47:09 +0100 Subject: [PATCH 136/174] chore: create temporary extra user in zitadel --- systems/x86_64-linux/ulmo/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0c8a67b..7657eac 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -53,6 +53,12 @@ roles = [ "ORG_OWNER" ]; instanceRoles = [ "IAM_OWNER" ]; }; + + kaas = { + email = "chris+kaas@kruining.eu"; + firstName = "Kaas"; + lastName = "Kruining"; + }; }; project = { @@ -72,6 +78,7 @@ assign = { chris = [ "jellyfin" "jellyfin_admin" ]; + kaas = [ "jellyfin" ]; }; application = { From 2402ec0761117dc0e1b3727368fd6834136a5367 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 09:46:19 +0100 Subject: [PATCH 137/174] fix(synapse): add user mapping to fix login via sso --- modules/nixos/services/communication/matrix/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index f84c002..c9dd26a 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -186,6 +186,11 @@ in - profile client_id: '${config.sops.placeholder."synapse/oidc_id"}' client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' + backchannel_logout_enabled: true + user_mapping_provider: + config: + localpart_template: "{{ user.preferred_username }}" + display_name_template: "{{ user.name }}" ''; restartUnits = [ "matrix-synapse.service" ]; }; From c98b3eefe1f5e65202da31f587a8d2fcb616bdfb Mon Sep 17 00:00:00 2001 
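Review bot: `localpart_template: "{{ user.preferred_username }}"` derives the permanent Matrix ID from a claim the IdP may let change; if a login name is renamed in Zitadel, the next SSO login presumably maps to a different localpart and Synapse registers a new account instead of signing into the existing one. If login names are meant to be immutable in Zitadel that is acceptable, but it deserves a comment on the line, e.g. `# localpart comes from the Zitadel login name: renaming a user there yields a new Matrix account`. The `user_mapping_provider` block is nested inside an OIDC provider entry whose start lies outside this hunk.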
From: Chris Kruining Date: Tue, 4 Nov 2025 13:30:34 +0100 Subject: [PATCH 138/174] feat: set up clan cli --- .envrc | 2 + flake.lock | 229 ++++++++++++++++++++++++++++++++++--- flake.nix | 9 ++ shells/default/default.nix | 10 ++ 4 files changed, 237 insertions(+), 13 deletions(-) create mode 100644 .envrc create mode 100644 shells/default/default.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..0f94eed --- /dev/null +++ b/.envrc @@ -0,0 +1,2 @@ +# shellcheck shell=bash +use flake diff --git a/flake.lock b/flake.lock index 935fbaf..5ed2f72 100644 --- a/flake.lock +++ b/flake.lock 
@@ -68,6 +68,81 @@ "type": "github" } }, + "clan-core": { + "inputs": { + "data-mesher": "data-mesher", + "disko": "disko", + "flake-parts": "flake-parts", + "nix-darwin": "nix-darwin", + "nix-select": "nix-select", + "nixos-facter-modules": "nixos-facter-modules", + "nixpkgs": [ + "nixpkgs" + ], + "sops-nix": "sops-nix", + "systems": "systems", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1762254206, + "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", + "rev": "43a7652624e76d60a93325c711d01620801d4382", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz" + } + }, + "data-mesher": { + "inputs": { + "flake-parts": [ + "clan-core", + "flake-parts" + ], + "nixpkgs": [ + "clan-core", + "nixpkgs" + ], + "treefmt-nix": [ + "clan-core", + "treefmt-nix" + ] + }, + "locked": { + "lastModified": 1760612273, + "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", + "rev": "0099739c78be750b215cbdefafc9ba1533609393", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761899396, + "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", + "owner": "nix-community", + "repo": "disko", + "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "erosanix": { "inputs": { "flake-compat": "flake-compat", 
@@ -224,6 +299,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762040540, + "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "0010412d62a25d959151790968765a70c436598b", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -244,7 +340,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -265,7 +361,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "terranix", @@ -288,7 +384,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -325,7 +421,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -343,7 +439,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -361,7 +457,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1694529238, @@ -564,6 +660,27 @@ "type": "github" } }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762186368, + "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", + "owner": "nix-darwin", + "repo": "nix-darwin", + "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", + "type": "github" + }, + "original": { + "owner": "nix-darwin", + "repo": "nix-darwin", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ 
@@ -606,6 +723,19 @@ "type": "github" } }, + "nix-select": { + "locked": { + "lastModified": 1755887746, + "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", + "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz" + } + }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -636,6 +766,21 @@ "type": "github" } }, + "nixos-facter-modules": { + "locked": { + "lastModified": 1761137276, + "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", + "owner": "nix-community", + "repo": "nixos-facter-modules", + "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-facter-modules", + "type": "github" + } + }, "nixos-generators": { "inputs": { "nixlib": "nixlib", @@ -865,10 +1010,10 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "mnw": "mnw", "nixpkgs": "nixpkgs_7", - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1760153667, @@ -909,6 +1054,7 @@ }, "root": { "inputs": { + "clan-core": "clan-core", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", @@ -925,7 +1071,7 @@ "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", - "sops-nix": "sops-nix", + "sops-nix": "sops-nix_2", "stylix": "stylix", "terranix": "terranix", "zen-browser": "zen-browser" 
@@ -992,6 +1138,27 @@ } }, "sops-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "sops-nix_2": { "inputs": { "nixpkgs": "nixpkgs_8" }, @@ -1016,11 +1183,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_6", + "systems": "systems_7", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -1146,13 +1313,28 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1757278723, 
@@ -1249,6 +1431,27 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761311587, + "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "zen-browser": { "inputs": { "home-manager": "home-manager_2", diff --git a/flake.nix b/flake.nix index 8ea1571..d7a7508 100644 --- a/flake.nix +++ b/flake.nix @@ -83,6 +83,11 @@ url = "github:terranix/terranix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + clan-core = { + url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { @@ -119,6 +124,10 @@ flux.overlays.default ]; + systems.modules = with inputs; [ + clan-core.nixosModules.default + ]; + homes.modules = with inputs; [ stylix.homeModules.stylix plasma-manager.homeModules.plasma-manager diff --git a/shells/default/default.nix b/shells/default/default.nix new file mode 100644 index 0000000..0361f88 --- /dev/null +++ b/shells/default/default.nix @@ -0,0 +1,10 @@ +{ mkShell, inputs, pkgs, ... }: + +mkShell { + packages = with pkgs; [ + bash + sops + just + inputs.clan-core.packages.x86_64-linux.clan-cli + ]; +} \ No newline at end of file From fab1df76c783a87587d961718e8411ec68413f72 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 13:31:15 +0100 Subject: [PATCH 139/174] chore: update commit message in just recipes --- .just/vars.just | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.just/vars.just b/.just/vars.just index 167144a..b4d6be2 100644 --- a/.just/vars.just +++ b/.just/vars.just 
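Review bot: The new `clan-core` input only sets `inputs.nixpkgs.follows`, and the lock in this same commit shows clan-core pulling its own `sops-nix` (Mic92/sops-nix at `5a7d18b`) while the root input is renamed to `sops-nix_2`, so two copies of sops-nix are now pinned. If `clan-core.nixosModules.default`, which the second flake.nix hunk imports into every system, brings in its own sops-nix module, it would be evaluated alongside the root copy; adding `inputs.sops-nix.follows = "sops-nix";` next to the nixpkgs follow keeps a single pinned copy and one less dependency to track for updates.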
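Review bot: `inputs.clan-core.packages.x86_64-linux.clan-cli` hard-codes the system in a dev shell that is otherwise platform-independent, so `nix develop` on any other platform fails to evaluate; `inputs.clan-core.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli` follows the host instead. The new file is also missing its trailing newline (`\ No newline at end of file`).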
@@ -16,7 +16,7 @@ list machine: {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" @@ -27,6 +27,6 @@ list machine: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" \ No newline at end of file From e7cedfb6393a0f824713737782c531dc174c1902 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 15:08:54 +0100 Subject: [PATCH 140/174] fix(Zitadel): filter out empty roles --- .../authentication/zitadel/default.nix | 78 ++++++++++--------- 1 file changed, 43 insertions(+), 35 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 7540e2f..402d59d 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
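Review bot: The new commit-message lines in both hunks still carry `{{ machine}}` while every other interpolation on these lines is spaced `{{ machine }}`; it works, but `'chore(secrets): set secret "{{ key }}" for machine "{{ machine }}"'` keeps the style consistent. Unrelated to this change but visible on the context line above the first hunk's edit, the value is spliced into the `sops set` argument as `'"{{ value }}"'` with no escaping, so a secret containing a double quote or backslash would produce invalid JSON or a malformed command; encoding the value with a JSON tool before interpolating would be safer.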
@@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -340,7 +340,7 @@ in # Organizations zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: { inherit name isDefault; } - |> toResource name + |> toResource name ); # Projects per organization @@ -348,8 +348,8 @@ in { inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Each OIDC app per project 
@@ -361,26 +361,26 @@ in idTokenRoleAssertion = true; accessTokenType = "JWT"; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> toResource "${org}_${project}_${name}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" ); # Each project role zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: { inherit (value) displayName group; roleKey = name; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> toResource "${org}_${project}_${name}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" ); # Each project role assignment zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: { roleKeys = roles; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> withRef "user" "${org}_${user}" - |> toResource "${org}_${project}_${user}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" + |> toResource "${org}_${project}_${user}" ); # Users 
@@ -390,24 +390,30 @@ in isEmailVerified = true; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Global user roles - zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: - { roles = value.instanceRoles; } + zitadel_instance_member = + cfg.organization + |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0)) + |> select [ "user" ] (org: name: { instanceRoles, ... }: + { roles = instanceRoles; } |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" - ); + ); # Organazation specific roles - zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: - { inherit roles; } + zitadel_org_member = + cfg.organization + |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0)) + |> select [ "user" ] (org: name: { roles, ... }: + { inherit roles; } |> withRef "org" org |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" - ); + ); # Organazation's actions zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: 
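Review bot: Both new `filterAttrsRecursive` predicates leave their first parameter unused (`n: v: …`), and more importantly `filterAttrsRecursive` walks the whole `cfg.organization` tree, so the predicate drops any nested attrset carrying an empty `roles` or `instanceRoles` list at any depth, not only user entries. That is presumably harmless today, but it is easy to misread; a comment such as `# drop users that declare an empty role list; the provider rejects empty memberships` would help, or apply the filter inside the `select [ "user" ]` callback so only user entries are touched. The `Organazation` typos in the context comments could be fixed in the same pass.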
@@ -416,25 +422,27 @@ in timeout = "${toString timeout}s"; script = "const ${name} = ${script}"; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Organazation's action assignments - zitadel_trigger_actions = cfg.organization + zitadel_trigger_actions = + cfg.organization |> concatMapAttrs (org: { triggers, ... }: triggers - |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in - { - inherit flowType triggerType; + |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in + { + inherit flowType triggerType; - actionIds = actions - |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); - } - |> withRef "org" org - |> toResource "${org}_${name}" - )) - |> listToAttrs + actionIds = + actions + |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + |> listToAttrs ); # SMTP config From 2e81d16f24fcb70422021321c7290a1890127cc3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 15:09:41 +0100 Subject: [PATCH 141/174] chore: suppress error messages They dirty the output too much when nix fails --- .just/machine.just | 1 + 1 file changed, 1 insertion(+) diff --git a/.just/machine.just b/.just/machine.just index 1ce791f..cbdf345 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -4,6 +4,7 @@ @list: ls -1 ../systems/x86_64-linux/ +[no-exit-message] [doc('Update the target machine')] @update machine: just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" From 5f92a379966dd24ec2872f59c128597df3ab0b78 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Tue, 4 Nov 2025 15:10:02 +0100 Subject: [PATCH 142/174] feat(Forgejo): enable mirroring --- modules/nixos/services/development/forgejo/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 39e8215..dbcef87 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -121,7 +121,7 @@ in }; mirror = { - ENABLED = false; + ENABLED = true; }; session = { From c64e98e0c0902e1841e170bdc8581196ad0cd0ac Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 5 Nov 2025 09:32:18 +0100 Subject: [PATCH 143/174] chore: clean up code --- .../nixos/services/backup/borg/default.nix | 2 +- modules/nixos/services/media/default.nix | 39 ------------------- systems/x86_64-linux/ulmo/default.nix | 3 +- 3 files changed, 3 insertions(+), 41 deletions(-) diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix index fbe5235..e200505 100644 --- a/modules/nixos/services/backup/borg/default.nix +++ b/modules/nixos/services/backup/borg/default.nix @@ -16,7 +16,7 @@ in paths = "/var/media/test"; encryption.mode = "none"; environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media"; + repo = "ssh://chris@beheer.hazelhof.nl:222/media"; compression = "auto,zstd"; startAt = "daily"; }; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index bc41fb4..9d915da 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -72,12 +72,6 @@ in settings = { auth.AuthenticationMethod = "External"; - - # postgres = { - # PostgresHost = "localhost"; - # PostgresPort = "5432"; - # PostgresUser = "media"; - # }; }; }; 
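Review bot: Enabling `mirror.ENABLED` lets repository owners create pull mirrors, which makes this Forgejo instance fetch from user-supplied URLs; the allow/deny controls for those sources live in Forgejo's `[migrations]` section (`ALLOW_LOCALNETWORKS`, `ALLOWED_DOMAINS`, `BLOCKED_DOMAINS`) and are not part of this hunk, so confirm they are set elsewhere in the file. A short comment on the line recording that decision, e.g. `# pull mirrors may fetch arbitrary URLs; source restrictions are in [migrations]`, would document it. The `settings` attrset this sits in starts and ends outside the hunk.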
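Review bot: The repository moves to `ssh://chris@beheer.hazelhof.nl:222/media` while the context lines keep `encryption.mode = "none"` and a `BORG_SSH` pointing at a personal key under `/home/chris`; if the job's init behaviour is left at its default, the first run presumably creates a fresh, unencrypted repository at the new path and leaves the old one behind. If unencrypted at rest on the remote host is intended, say so on the line, e.g. `# remote repo is deliberately unencrypted: target host is under our control`; otherwise this is the moment to switch to an encrypted mode before the first archive is written.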
@@ -152,39 +146,6 @@ in group = cfg.group; }; - # postgresql = { - # enable = true; - # ensureDatabases = [ - # "radarr-main" "radarr-log" - # "sonarr-main" "sonarr-log" - # "lidarr-main" "lidarr-log" - # "prowlarr-main" "prowlarr-log" - # ]; - # identMap = '' - # media media radarr-main - # media media radarr-log - # media media sonarr-main - # media media sonarr-log - # media media lidarr-main - # media media lidarr-log - # media media prowlarr-main - # media media prowlarr-log - # ''; - # ensureUsers = [ - # { name = "radarr-main"; ensureDBOwnership = true; } - # { name = "radarr-log"; ensureDBOwnership = true; } - - # { name = "sonarr-main"; ensureDBOwnership = true; } - # { name = "sonarr-log"; ensureDBOwnership = true; } - - # { name = "lidarr-main"; ensureDBOwnership = true; } - # { name = "lidarr-log"; ensureDBOwnership = true; } - - # { name = "prowlarr-main"; ensureDBOwnership = true; } - # { name = "prowlarr-log"; ensureDBOwnership = true; } - # ]; - # }; - caddy = { enable = true; virtualHosts = { diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7657eac..027dad6 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -38,7 +38,8 @@ sneeuwvlok = { services = { - # authentication.authelia.enable = true; + backup.borg.enable = true; + authentication.zitadel = { enable = true; From e3238aa60cfa9440249fcdb2ab1b0d4485251fe2 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 5 Nov 2025 09:34:08 +0100 Subject: [PATCH 144/174] chore: re-harden matrix server --- modules/nixos/services/communication/matrix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index c9dd26a..ce92df4 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
@@ -46,8 +46,8 @@ in precence.enabled = true; # Since we'll be using OIDC for auth disable all local options - enable_registration = true; - enable_registration_without_verification = true; + enable_registration = false; + enable_registration_without_verification = false; password_config.enabled = false; backchannel_logout_enabled = true; From 5ff60d46c75c9a9633fe598f5a854a4af5f4c16f Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:09:40 +0000 Subject: [PATCH 145/174] chore(secrets): set secret "test.users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0222f74..c9133c2 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
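Review bot: `precence.enabled = true;` on the context line at the top of this hunk looks like a typo for `presence.enabled`; as far as I know Synapse ignores keys it does not recognise, so the setting is silently not applied and presence stays at its default. Since this commit's purpose is to re-harden this block, it is worth fixing in the same pass: `presence.enabled = true;`. The `settings` attrset continues outside the hunk.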
@@ -8,6 +8,15 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] +test.users: + je_moeder: + email: ENC[AES256_GCM,data:oBY+8lUZby+MU2RPNdCx9A==,iv:MAxRGLLrhgsvPAuJua3sR+wmfELo7DLXxICye+BuoCg=,tag:qpEu2ga8rFOU6YoZNizOqQ==,type:str] + firstName: ENC[AES256_GCM,data:RlU=,iv:OK91Ql1em+05YkM6OtGQjfe0P3OexS460EBDm7sJOAo=,tag:Dlg/BZbQFTaSLl4l9/GGrw==,type:str] + lastName: ENC[AES256_GCM,data:1FMBOVqD,iv:Hyl5pQYp2Pr1HHDpwKzVZ5DzaG7Lnm9GG4BDL66im+E=,tag:KwOCbIaTYo8J3iGnFBYuBQ==,type:str] + je_vader: + email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] + firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] + lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -28,7 +37,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-03T15:23:12Z" - mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str] + lastmodified: "2025-11-12T13:09:38Z" + mac: ENC[AES256_GCM,data:2+QMYauDL/A9yk7wQ+37yxr2FBZ0EAaYlVtCsZ0gb4CZjolapL8EdHWvD7OuqwA57xpOOyXazUjpw0yOxuqwpvSoBAOwMf/qDTLaAfRAHNoAqcUeuCO1SdX2Yhgy/XMXPAP32LpjOsejQIIcYSmq4xQ8W0bVjUGtSdWRpFOfJJw=,iv:IVI7u2iqLPbthXCa8k7jAX/SK8bPfzSK5CrsYoU4BBA=,tag:6u2BDG+7SZPE3WFVZtIhgg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 61deef854f9ab8c00fe154c8e924382b51be0865 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:11:05 +0000 Subject: [PATCH 146/174] chore(secrets): set secret "test/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index c9133c2..5715896 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -17,6 +17,16 @@ test.users: email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] +test: + users: + je_moeder: + email: ENC[AES256_GCM,data:fqwAh0RW2BbOMblczBl85A==,iv:HGrrFtdVpzv3jxnXcTTB46YzYnG4pd+Rrv0qS7gVg3o=,tag:4vZfHzEffvatg8kF5ASrAQ==,type:str] + firstName: ENC[AES256_GCM,data:hPo=,iv:49TQZVxzOq7cx9FL6mI+c9yzjMQKHgee3BeI0M2uBSY=,tag:hilJ5tkNIVi8UqJ2K2lGPA==,type:str] + lastName: ENC[AES256_GCM,data:m6F+qILM,iv:nzt6ALx5rPzcO7OXJl9r8+BNJ6gy3bwpI5EzjfVCpy4=,tag:giSOQfl6LZvr8Ii/RIJfZg==,type:str] + je_vader: + email: ENC[AES256_GCM,data:UIAQTCfDDtZSGB+R1W2M,iv:5jN7z5ExMHLxdNxJZgGiDCNlKIwYfF/q9r2GlYVONAs=,tag:4JZIk2CMhHt3uERXHCW7JA==,type:str] + firstName: ENC[AES256_GCM,data:yRs=,iv:ktZnOiXLV13xa6Y8jnyCETKwONTmAPtc3jeFoq6TLwA=,tag:LCTRmB3MfgHIAYLh5mlPTg==,type:str] + lastName: ENC[AES256_GCM,data:7F0ebJ0=,iv:iKkexa0DVk40IdMHP9ZtGVHQ+JuwdaUr37ql9ImhMUo=,tag:7VfUTtbdQTyIrgWqhydxog==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -37,7 +47,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:09:38Z" - mac: ENC[AES256_GCM,data:2+QMYauDL/A9yk7wQ+37yxr2FBZ0EAaYlVtCsZ0gb4CZjolapL8EdHWvD7OuqwA57xpOOyXazUjpw0yOxuqwpvSoBAOwMf/qDTLaAfRAHNoAqcUeuCO1SdX2Yhgy/XMXPAP32LpjOsejQIIcYSmq4xQ8W0bVjUGtSdWRpFOfJJw=,iv:IVI7u2iqLPbthXCa8k7jAX/SK8bPfzSK5CrsYoU4BBA=,tag:6u2BDG+7SZPE3WFVZtIhgg==,type:str] + lastmodified: "2025-11-12T13:11:04Z" + mac: ENC[AES256_GCM,data:Wjp8M3j/nhtb6rBTwodkZ3F7oZjLs/iHzBoQha+rI7yFLpOHs1CLju68FDEueD7viP6hO3gvdGOBydsk+DZXD6PoGzFYaY3Q2dSH5Rohh7hOtKbJ65Zf9b8Rsg2zj05moqeB8HU8NwTCOcwlIYiZs/Afs50NQlxD6vdt35ppCCE=,iv:od/nSPOluh7RdM9Rxq6ktXozNEQM5KWa/ROAc2OrN/0=,tag:+oYWtfHHSMXxzeXGDcYQUw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6fd6b74a745d7b3f0ad752705c02a984b13ce6ce Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:11:36 +0000 Subject: [PATCH 147/174] chore(secrets): removed secret "test.users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 5715896..883e406 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -8,15 +8,6 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test.users: - je_moeder: - email: ENC[AES256_GCM,data:oBY+8lUZby+MU2RPNdCx9A==,iv:MAxRGLLrhgsvPAuJua3sR+wmfELo7DLXxICye+BuoCg=,tag:qpEu2ga8rFOU6YoZNizOqQ==,type:str] - firstName: ENC[AES256_GCM,data:RlU=,iv:OK91Ql1em+05YkM6OtGQjfe0P3OexS460EBDm7sJOAo=,tag:Dlg/BZbQFTaSLl4l9/GGrw==,type:str] - lastName: ENC[AES256_GCM,data:1FMBOVqD,iv:Hyl5pQYp2Pr1HHDpwKzVZ5DzaG7Lnm9GG4BDL66im+E=,tag:KwOCbIaTYo8J3iGnFBYuBQ==,type:str] - je_vader: - email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] - firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] - lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] test: users: je_moeder: 
@@ -47,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:11:04Z" - mac: ENC[AES256_GCM,data:Wjp8M3j/nhtb6rBTwodkZ3F7oZjLs/iHzBoQha+rI7yFLpOHs1CLju68FDEueD7viP6hO3gvdGOBydsk+DZXD6PoGzFYaY3Q2dSH5Rohh7hOtKbJ65Zf9b8Rsg2zj05moqeB8HU8NwTCOcwlIYiZs/Afs50NQlxD6vdt35ppCCE=,iv:od/nSPOluh7RdM9Rxq6ktXozNEQM5KWa/ROAc2OrN/0=,tag:+oYWtfHHSMXxzeXGDcYQUw==,type:str] + lastmodified: "2025-11-12T13:11:35Z" + mac: ENC[AES256_GCM,data:L1I7DPNxfUclb75KrArcgLF74jzH0LsNYYxqRUqBtJuhBA/4X/VOhfj6qkE2FsRass7ReRhmzWjXq+MygCcBcwo3ixk5vnqm33+NfjISpdHl8aAyJQXcfIlTofyWMXDemxfxSMpqrOmGejOser3xL5NIxPQ9OpEE853wQh4PYgE=,iv:ocUZbPytKP6cNe2UrVD7B/VKElwEoxcMKxntT+ec8QE=,tag:5I8H8O7CNQlAJzLOABpqBQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From c6f1e93f7ebe7965bc75b6bfb65c0425360f8dc3 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:15 +0000 Subject: [PATCH 148/174] chore(secrets): removed secret "test/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 883e406..fc959c4 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -8,16 +8,7 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test: - users: - je_moeder: - email: ENC[AES256_GCM,data:fqwAh0RW2BbOMblczBl85A==,iv:HGrrFtdVpzv3jxnXcTTB46YzYnG4pd+Rrv0qS7gVg3o=,tag:4vZfHzEffvatg8kF5ASrAQ==,type:str] - firstName: ENC[AES256_GCM,data:hPo=,iv:49TQZVxzOq7cx9FL6mI+c9yzjMQKHgee3BeI0M2uBSY=,tag:hilJ5tkNIVi8UqJ2K2lGPA==,type:str] - lastName: ENC[AES256_GCM,data:m6F+qILM,iv:nzt6ALx5rPzcO7OXJl9r8+BNJ6gy3bwpI5EzjfVCpy4=,tag:giSOQfl6LZvr8Ii/RIJfZg==,type:str] - je_vader: - email: ENC[AES256_GCM,data:UIAQTCfDDtZSGB+R1W2M,iv:5jN7z5ExMHLxdNxJZgGiDCNlKIwYfF/q9r2GlYVONAs=,tag:4JZIk2CMhHt3uERXHCW7JA==,type:str] - firstName: ENC[AES256_GCM,data:yRs=,iv:ktZnOiXLV13xa6Y8jnyCETKwONTmAPtc3jeFoq6TLwA=,tag:LCTRmB3MfgHIAYLh5mlPTg==,type:str] - lastName: ENC[AES256_GCM,data:7F0ebJ0=,iv:iKkexa0DVk40IdMHP9ZtGVHQ+JuwdaUr37ql9ImhMUo=,tag:7VfUTtbdQTyIrgWqhydxog==,type:str] +test: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -38,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:11:35Z" - mac: ENC[AES256_GCM,data:L1I7DPNxfUclb75KrArcgLF74jzH0LsNYYxqRUqBtJuhBA/4X/VOhfj6qkE2FsRass7ReRhmzWjXq+MygCcBcwo3ixk5vnqm33+NfjISpdHl8aAyJQXcfIlTofyWMXDemxfxSMpqrOmGejOser3xL5NIxPQ9OpEE853wQh4PYgE=,iv:ocUZbPytKP6cNe2UrVD7B/VKElwEoxcMKxntT+ec8QE=,tag:5I8H8O7CNQlAJzLOABpqBQ==,type:str] + lastmodified: "2025-11-12T13:12:14Z" + mac: ENC[AES256_GCM,data:DMRV+I9fJ+WzNyrU/vz5ZYkEchDhfQ1tx6eG5key+FMudorZj2hi8rnVhDeEn4PMqoJacpPYL+8JuBjJR/J13yK1UvtBiobbASzcB821ZTd8qDykAQmrFeXdJIaK1mtSI/nWMhb5CHz8UBPJ+buUnz2XFP4r7MPLGuOddQrkivI=,iv:sUE7on2vNUJWCpdnNOhYfvAPUYRSOnnGAEkHYJzSOIA=,tag:xi9dbQn982Ja/Km+l/XOhw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d02f5fc4ee2a9b61e9886026e68de7418b899fca Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:27 +0000 Subject: [PATCH 149/174] chore(secrets): set secret "users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index fc959c4..b9b8adb 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -9,6 +9,15 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] test: {} +users: + je_moeder: + email: ENC[AES256_GCM,data:cufs2y9YJkdmMah+DKAokw==,iv:jtmcvA/CIIbTuXnCoI2qnz+gjPyCXsarIEGioPo+fo0=,tag:Nb9nBA+8ulfVaxj6axvcdA==,type:str] + firstName: ENC[AES256_GCM,data:ZsI=,iv:7kUjaEaZfJk11YpyTjd898iUmOKJuKP8U8E2yMVy3i0=,tag:0IGJ1NmAiKrSy8s0xUwPdA==,type:str] + lastName: ENC[AES256_GCM,data:sCBUiXxq,iv:ulK4iEGmzryR0X9K4mYS9Byx1lvQiw+6jKa4rFJaXBI=,tag:Gp8Qb3Aoha+jdPmRTGUS6w==,type:str] + je_vader: + email: ENC[AES256_GCM,data:rN68Hmi1FUPKKpwUhiKq,iv:1vN2ng0VpgjZYPd+UnjbAOEowTCPZzcp/adeWSzFJf4=,tag:qaPblcuIX7r2O8DD2vo/Vg==,type:str] + firstName: ENC[AES256_GCM,data:P3U=,iv:/Hwr3uYxlSAZhoTstPiKviYNWWQiQkmnK0LLnJbzaGc=,tag:0PMGs0eAnWKwr5CxnZGP3g==,type:str] + lastName: ENC[AES256_GCM,data:b1lV0eA=,iv:yHJkXwmobOKENCJ/C/ywhZw0jbRC9QPOMuERbxOYuSk=,tag:l64ky+AoVMleZHLv3HSQGQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -29,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:14Z" - mac: ENC[AES256_GCM,data:DMRV+I9fJ+WzNyrU/vz5ZYkEchDhfQ1tx6eG5key+FMudorZj2hi8rnVhDeEn4PMqoJacpPYL+8JuBjJR/J13yK1UvtBiobbASzcB821ZTd8qDykAQmrFeXdJIaK1mtSI/nWMhb5CHz8UBPJ+buUnz2XFP4r7MPLGuOddQrkivI=,iv:sUE7on2vNUJWCpdnNOhYfvAPUYRSOnnGAEkHYJzSOIA=,tag:xi9dbQn982Ja/Km+l/XOhw==,type:str] + lastmodified: "2025-11-12T13:12:26Z" + mac: ENC[AES256_GCM,data:NwqAfh//TKzJaMYMU2awH8Z5IYfQZ/vZVedRSjy6KF9TSvxd8WeJiGoF1i4i7dGiGtEfvIEVmskDSDRq4sHNrBffg1Hc3j5cprmpayMYz5zCr1H+gbFNyqigzsyVRw12PEY5JhX/3yBcr+aqPvE/9D9Ti3hmh1RVuS9YqdnccaQ=,iv:PhZ/XRDjpWLeD0S+uhIDSn+jitMeghnIyWHx3eOIRjU=,tag:RG+Y1r8O7ck7Jbjb0OuBtA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 95f115f04c8ea52d06520a8526a088666bdd240d Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:57 +0000 Subject: [PATCH 150/174] chore(secrets): removed secret "users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b9b8adb..a66b270 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -9,15 +9,6 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] test: {} -users: - je_moeder: - email: ENC[AES256_GCM,data:cufs2y9YJkdmMah+DKAokw==,iv:jtmcvA/CIIbTuXnCoI2qnz+gjPyCXsarIEGioPo+fo0=,tag:Nb9nBA+8ulfVaxj6axvcdA==,type:str] - firstName: ENC[AES256_GCM,data:ZsI=,iv:7kUjaEaZfJk11YpyTjd898iUmOKJuKP8U8E2yMVy3i0=,tag:0IGJ1NmAiKrSy8s0xUwPdA==,type:str] - lastName: ENC[AES256_GCM,data:sCBUiXxq,iv:ulK4iEGmzryR0X9K4mYS9Byx1lvQiw+6jKa4rFJaXBI=,tag:Gp8Qb3Aoha+jdPmRTGUS6w==,type:str] - je_vader: - email: ENC[AES256_GCM,data:rN68Hmi1FUPKKpwUhiKq,iv:1vN2ng0VpgjZYPd+UnjbAOEowTCPZzcp/adeWSzFJf4=,tag:qaPblcuIX7r2O8DD2vo/Vg==,type:str] - firstName: ENC[AES256_GCM,data:P3U=,iv:/Hwr3uYxlSAZhoTstPiKviYNWWQiQkmnK0LLnJbzaGc=,tag:0PMGs0eAnWKwr5CxnZGP3g==,type:str] - lastName: ENC[AES256_GCM,data:b1lV0eA=,iv:yHJkXwmobOKENCJ/C/ywhZw0jbRC9QPOMuERbxOYuSk=,tag:l64ky+AoVMleZHLv3HSQGQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -38,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:26Z" - mac: ENC[AES256_GCM,data:NwqAfh//TKzJaMYMU2awH8Z5IYfQZ/vZVedRSjy6KF9TSvxd8WeJiGoF1i4i7dGiGtEfvIEVmskDSDRq4sHNrBffg1Hc3j5cprmpayMYz5zCr1H+gbFNyqigzsyVRw12PEY5JhX/3yBcr+aqPvE/9D9Ti3hmh1RVuS9YqdnccaQ=,iv:PhZ/XRDjpWLeD0S+uhIDSn+jitMeghnIyWHx3eOIRjU=,tag:RG+Y1r8O7ck7Jbjb0OuBtA==,type:str] + lastmodified: "2025-11-12T13:12:56Z" + mac: ENC[AES256_GCM,data:yIDCoYdcBAvwuU/JLxGEiRo5NJQRtC25RzUFHpq6FY6fEg3IsnfL9iJcSZIkKA6MVx1bB7xvRyOxh6AFePznJlOzht/Mr5quP2zX+ARsEvjSgxsz21bbdBTAsz5lorac1zFJp1/eg1ny9YYg2+1yfhXDjH557mCPgqa2MptWI1c=,iv:wrY1OHZSEtHSj7ehWRg5hRq5GBpsY35yYEifjvMXuRg=,tag:TI+viHQqQKMCHLJN1HGvyg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d61e9e19ca57cc9c525bf97b3a8e68bbd7050eec Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:13:06 +0000 Subject: [PATCH 151/174] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index a66b270..60fcd7c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,6 +3,15 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] + users: + je_moeder: + email: ENC[AES256_GCM,data:K8pZBUCIDUlGmjjF9S+OCg==,iv:o0Sruyj1JVOg9LcaOVV8WFV9F2F8E5yB+RlunUJt0ak=,tag:JJ1+rYl2i0O5Jw5Yq7PLEw==,type:str] + firstName: ENC[AES256_GCM,data:e5o=,iv:oE7fdhPArt3yCOgVFS+2POn9kYV5xd35CRaQiqVqRLE=,tag:T/rZoZvx+ehuMQXD9mLI/g==,type:str] + lastName: ENC[AES256_GCM,data:HSBa6CbV,iv:5vjdeJNjnvAu2fez4YLKc6FC3KEgn4FSA8oOaCpO2Mo=,tag:bCuE+JelyHk0Kh7Svq3t0A==,type:str] + je_vader: + email: ENC[AES256_GCM,data:Q1ecbn8liNRvuRZa8EOU,iv:+dd6E2BV4+coGtS84myqgW+eTB9i8rnjPhYTMGeK/gs=,tag:owE2iHUFboUvC0nFpMdG4w==,type:str] + firstName: ENC[AES256_GCM,data:KRE=,iv:tHDfQ8pMnO4J1Yu1SgPNQjMtVr26tVTtivyTxGGF1Kc=,tag:N3djEu5AAi8hHAbNq23Czg==,type:str] + lastName: ENC[AES256_GCM,data:rjd/IRM=,iv:inrY04n3XWYhPMPiXKcdaQJr4rjV1zSuCCintc+i7DM=,tag:f72ELx2K6UypllMUFdJ3fA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -29,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:56Z" - mac: ENC[AES256_GCM,data:yIDCoYdcBAvwuU/JLxGEiRo5NJQRtC25RzUFHpq6FY6fEg3IsnfL9iJcSZIkKA6MVx1bB7xvRyOxh6AFePznJlOzht/Mr5quP2zX+ARsEvjSgxsz21bbdBTAsz5lorac1zFJp1/eg1ny9YYg2+1yfhXDjH557mCPgqa2MptWI1c=,iv:wrY1OHZSEtHSj7ehWRg5hRq5GBpsY35yYEifjvMXuRg=,tag:TI+viHQqQKMCHLJN1HGvyg==,type:str] + lastmodified: "2025-11-12T13:13:05Z" + mac: ENC[AES256_GCM,data:9cYUu7cuPLg80b+wxRwKQkHIdrc+y4C/XFO42f0hJ8o1uK+syzDFOeP7L5eaeZxAlRGpGtJAdd/LKMwOJ016GgGafF8PAQc6k43I6ZFfc/k/3FqQvvI8inRKJu7ptg6ISPfC5WfAtOIc/rg/uwB0vvfxCd/epEGuKO9Dw7TmaXY=,iv:uMamMMCmHPzNG/JfEZeGHvo30uNpcYYbmuLRv8EMePc=,tag:ioDShXxVb6VM0OaSu2KLiA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4c3adb782c2d887b7deda0f087c5e0d276acb3dc Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:31:01 +0000 Subject: [PATCH 152/174] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 60fcd7c..0844135 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,15 +3,7 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - users: - je_moeder: - email: ENC[AES256_GCM,data:K8pZBUCIDUlGmjjF9S+OCg==,iv:o0Sruyj1JVOg9LcaOVV8WFV9F2F8E5yB+RlunUJt0ak=,tag:JJ1+rYl2i0O5Jw5Yq7PLEw==,type:str] - firstName: ENC[AES256_GCM,data:e5o=,iv:oE7fdhPArt3yCOgVFS+2POn9kYV5xd35CRaQiqVqRLE=,tag:T/rZoZvx+ehuMQXD9mLI/g==,type:str] - lastName: ENC[AES256_GCM,data:HSBa6CbV,iv:5vjdeJNjnvAu2fez4YLKc6FC3KEgn4FSA8oOaCpO2Mo=,tag:bCuE+JelyHk0Kh7Svq3t0A==,type:str] - je_vader: - email: ENC[AES256_GCM,data:Q1ecbn8liNRvuRZa8EOU,iv:+dd6E2BV4+coGtS84myqgW+eTB9i8rnjPhYTMGeK/gs=,tag:owE2iHUFboUvC0nFpMdG4w==,type:str] - firstName: ENC[AES256_GCM,data:KRE=,iv:tHDfQ8pMnO4J1Yu1SgPNQjMtVr26tVTtivyTxGGF1Kc=,tag:N3djEu5AAi8hHAbNq23Czg==,type:str] - lastName: ENC[AES256_GCM,data:rjd/IRM=,iv:inrY04n3XWYhPMPiXKcdaQJr4rjV1zSuCCintc+i7DM=,tag:f72ELx2K6UypllMUFdJ3fA==,type:str] + users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
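Review bot: `users:` turns from a mapping of individually encrypted leaves into a single encrypted scalar (`type:str`), so the decrypted value is now a serialized document (presumably JSON; the hunk cannot confirm the format) that the consumer, presumably the zitadel module for this machine, must parse itself, and sops can no longer edit or validate one field at a time. The trade-off is real and worth recording: the blob form stops the user identifiers, field names and per-value lengths from appearing in plaintext (which the removed mapping exposed), but a malformed document inside the blob will only surface when the system is activated rather than at edit time. If the tooling preserves YAML comments, a one-line note above the key documenting the expected schema would help, e.g. `# users: encrypted JSON document of the form {<id>: {email, firstName, lastName}}`.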
@@ -38,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:13:05Z" - mac: ENC[AES256_GCM,data:9cYUu7cuPLg80b+wxRwKQkHIdrc+y4C/XFO42f0hJ8o1uK+syzDFOeP7L5eaeZxAlRGpGtJAdd/LKMwOJ016GgGafF8PAQc6k43I6ZFfc/k/3FqQvvI8inRKJu7ptg6ISPfC5WfAtOIc/rg/uwB0vvfxCd/epEGuKO9Dw7TmaXY=,iv:uMamMMCmHPzNG/JfEZeGHvo30uNpcYYbmuLRv8EMePc=,tag:ioDShXxVb6VM0OaSu2KLiA==,type:str] + lastmodified: "2025-11-12T13:31:00Z" + mac: ENC[AES256_GCM,data:L+Y6kxveMKadtFSZA7nWa7QEBOvtq5eZDfFfq6UzsHhLsqsMskvzj1UopMYFAjvGT9dXd0Z5rwUQcSaqEAv8DEaPkFLAODY4zMgY563dsSkqEdQfpa6lx1g4h3BlvXu446oKt14q5I4lUDB4QWH2mb+wv2rJQjVbSwYgh3g8vP8=,iv:bbKweYmFwEpzlevRig9JTj1/BvjYuKLo2B8grSuHchs=,tag:VBPskgd5Kaki0aFlVWZ64g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From cebc2ec0403699b8349f61729a360845e3333d67 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:31:42 +0000 Subject: [PATCH 153/174] chore(secrets): removed secret "test" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0844135..04fab75 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -9,7 +9,6 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -30,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:31:00Z" - mac: ENC[AES256_GCM,data:L+Y6kxveMKadtFSZA7nWa7QEBOvtq5eZDfFfq6UzsHhLsqsMskvzj1UopMYFAjvGT9dXd0Z5rwUQcSaqEAv8DEaPkFLAODY4zMgY563dsSkqEdQfpa6lx1g4h3BlvXu446oKt14q5I4lUDB4QWH2mb+wv2rJQjVbSwYgh3g8vP8=,iv:bbKweYmFwEpzlevRig9JTj1/BvjYuKLo2B8grSuHchs=,tag:VBPskgd5Kaki0aFlVWZ64g==,type:str] + lastmodified: "2025-11-12T13:31:41Z" + mac: ENC[AES256_GCM,data:86tmpvp690SF1Cfeq3xnXmIgaepieKTKlbZXy4BtWOH0uActMD08kIBYG1ycsRkr2glwXdTznEXLddcB5zWC4fFQbrIk8LOYeJ1ZoXz8ocL47IDYN+Yd4BzDUooIYaCocbSIvHj0BULZBz4pwfYm1BwZ2QT6N7ygJDGZOK8jFSc=,iv:dcXCvNhA4ARd9p9RgdL7LbCwduufjxDhFDN4Tk1HEW8=,tag:RNN5rC6luE8xOnbVsmrDWQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 983f1aa7d88d1d7c52298c61e51170490e226a33 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:36:42 +0000 Subject: [PATCH 154/174] chore(secrets): set secret "zitadel/nix/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 04fab75..24e9d30 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,6 +4,8 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] + nix: + users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -29,7 +31,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:31:41Z" - mac: ENC[AES256_GCM,data:86tmpvp690SF1Cfeq3xnXmIgaepieKTKlbZXy4BtWOH0uActMD08kIBYG1ycsRkr2glwXdTznEXLddcB5zWC4fFQbrIk8LOYeJ1ZoXz8ocL47IDYN+Yd4BzDUooIYaCocbSIvHj0BULZBz4pwfYm1BwZ2QT6N7ygJDGZOK8jFSc=,iv:dcXCvNhA4ARd9p9RgdL7LbCwduufjxDhFDN4Tk1HEW8=,tag:RNN5rC6luE8xOnbVsmrDWQ==,type:str] + lastmodified: "2025-11-12T13:36:41Z" + mac: ENC[AES256_GCM,data:ih21F3CkRcW3Rfh3swiz+1z6HhcGrbW1I+XQN/XDlV0F+b7PTt5NZyCrqPAH/X14x1oGJBwfg+Yz16HJ6+ZtZh4BEGDCudTDGJNSN+1Hq6v6FHEFnG4nHj2SPEptpx5uJ8GnnORh4qxe4lQQelAbUdPktqr1PcQMl0bEhWzTxC8=,iv:7IHRdH09/Kgt5eXJyHxfBtCOCfpFnYU+BpaS4+7qJjQ=,tag:A0sJJDvihszvolCANlmZoA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From c5ec450517973d2dd973fb516d25e09c3b55f297 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:36:56 +0000 Subject: [PATCH 155/174] chore(secrets): removed secret "zitadel/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 24e9d30..173cda3 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,7 +3,6 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] nix: users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] forgejo: 
@@ -31,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:36:41Z" - mac: ENC[AES256_GCM,data:ih21F3CkRcW3Rfh3swiz+1z6HhcGrbW1I+XQN/XDlV0F+b7PTt5NZyCrqPAH/X14x1oGJBwfg+Yz16HJ6+ZtZh4BEGDCudTDGJNSN+1Hq6v6FHEFnG4nHj2SPEptpx5uJ8GnnORh4qxe4lQQelAbUdPktqr1PcQMl0bEhWzTxC8=,iv:7IHRdH09/Kgt5eXJyHxfBtCOCfpFnYU+BpaS4+7qJjQ=,tag:A0sJJDvihszvolCANlmZoA==,type:str] + lastmodified: "2025-11-12T13:36:55Z" + mac: ENC[AES256_GCM,data:MZkBh/F6MnQUUp2bSp50ZtrnYusQ0rDWx5stIUWfuXD4hh6RW8qxFGL4/JndiOt7iZNQwdAVHgmRGSmTGza7OZoaDV+Mn0b9WPT/IbHst5MqEGdELeGqUkfBm4SPGkCNt+R+SQ6U8UEioi7EruodnkcF/TAg6wjFf1/XbN+djuc=,iv:i2JM8GPnpmbFsJkqWrZI/YQ11DK5nGXQ5brU4XbK7PQ=,tag:bzpIER1GH/b/LHTNo+apgA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9a3f154cab488c5ff7e946fd15f0cee71f5103fd Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:40:07 +0000 Subject: [PATCH 156/174] chore(secrets): removed secret "zitadel/nix/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 173cda3..c26df47 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,8 +3,7 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - nix: - users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] + nix: {} forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -30,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:36:55Z" - mac: ENC[AES256_GCM,data:MZkBh/F6MnQUUp2bSp50ZtrnYusQ0rDWx5stIUWfuXD4hh6RW8qxFGL4/JndiOt7iZNQwdAVHgmRGSmTGza7OZoaDV+Mn0b9WPT/IbHst5MqEGdELeGqUkfBm4SPGkCNt+R+SQ6U8UEioi7EruodnkcF/TAg6wjFf1/XbN+djuc=,iv:i2JM8GPnpmbFsJkqWrZI/YQ11DK5nGXQ5brU4XbK7PQ=,tag:bzpIER1GH/b/LHTNo+apgA==,type:str] + lastmodified: "2025-11-12T13:40:06Z" + mac: ENC[AES256_GCM,data:rVAUscmwGDOEr5wpxu4STvYXvgQ7aY/zqna2GhV1Mihpt1LZJLwHRjEGBx/XTSn6LdR9WQFBdb9a1x/fav1UsrPggrMEZY/gjAWfQMlBpSu0EBPMowheiH+7y/kblSwRevbP0b1A2l0b/iegTAsvAt5cMuzpk8WiUAGMDAPw/Vs=,iv:nxSFea50iNefr/UMXS3+ma+1LytAboj6P+bOBWl7/VU=,tag:upvsqn3BcsJtVc2dxgaFCQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 8203f653f968af835f37de07127e27b57c67aaa7 Mon Sep 17 00:00:00 2001 
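Review bot: The replacement line `+    nix: {}` leaves an empty mapping behind once `zitadel/nix/users` is removed, and every later patch visible here (157–160) still shows `nix: {}` under `zitadel:`, so the dead key survives the series. The same artefact appeared as `test: {}` in patch 148 and needed its own clean-up commit (153); dropping the `nix:` line in this hunk avoids repeating that. The intended end state is the `zitadel:` mapping holding `masterKey:` (and, after patch 157, `users:`) with no `nix:` entry, otherwise anything iterating over the children of `zitadel` sees an empty `nix` section.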
From: chris Date: Wed, 12 Nov 2025 13:40:15 +0000 Subject: [PATCH 157/174] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index c26df47..4a4db7e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,6 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} + users: ENC[AES256_GCM,data:HtUJ7qgQofPTHDswx/c1K20DX4GCciZmDh5nknOiKSEClHwrmxeXG88yEYjsrWB2VMqnrFwD9cRj6tn0N50ovClL9Qu/QxOhIvqJM+ZN4+rlhbwWO2qukgPt4Lpyqz7uEbmpykJ503nOVAoLRbA5Kl3M6neb66/1oVyptBWbdHEEz+LhZnjFxybwqDi364B1+hn/9Saa5PJYtMVIrAWCwcIvL1+3TsK5I6SfR+s=,iv:9zll4Wqt526wyOcCjBmu9itmNRtCzimwMItG82G9neE=,tag:3BQwKVWvF6Ur5hNGey/8YA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -29,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:06Z" - mac: ENC[AES256_GCM,data:rVAUscmwGDOEr5wpxu4STvYXvgQ7aY/zqna2GhV1Mihpt1LZJLwHRjEGBx/XTSn6LdR9WQFBdb9a1x/fav1UsrPggrMEZY/gjAWfQMlBpSu0EBPMowheiH+7y/kblSwRevbP0b1A2l0b/iegTAsvAt5cMuzpk8WiUAGMDAPw/Vs=,iv:nxSFea50iNefr/UMXS3+ma+1LytAboj6P+bOBWl7/VU=,tag:upvsqn3BcsJtVc2dxgaFCQ==,type:str] + lastmodified: "2025-11-12T13:40:15Z" + mac: ENC[AES256_GCM,data:L2efaWrCNjPXA/nRO78Lq+5vqcs2z2/jOzOz9SDBN5rN/Svt2WxqP7F076eNP9NfFgd7SkTyTekrU0szXkHSMXyAFrg+l8cYV6NLz6KTnwsVm7k7DJNa+i0iWh+GKl8VY+qFFOsDIGQlFNCgxmNmdaqwuldOUgTEBxMltIlpo44=,iv:pZYwaQWKvESvTvI00D/6gHB4On9w2jYeoME6FXrJ+Ak=,tag:s/5oYn3iaDicFDBJroaudg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9a664b243831962c006152ed765297587e570e68 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:40:34 +0000 Subject: [PATCH 158/174] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4a4db7e..919e826 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:HtUJ7qgQofPTHDswx/c1K20DX4GCciZmDh5nknOiKSEClHwrmxeXG88yEYjsrWB2VMqnrFwD9cRj6tn0N50ovClL9Qu/QxOhIvqJM+ZN4+rlhbwWO2qukgPt4Lpyqz7uEbmpykJ503nOVAoLRbA5Kl3M6neb66/1oVyptBWbdHEEz+LhZnjFxybwqDi364B1+hn/9Saa5PJYtMVIrAWCwcIvL1+3TsK5I6SfR+s=,iv:9zll4Wqt526wyOcCjBmu9itmNRtCzimwMItG82G9neE=,tag:3BQwKVWvF6Ur5hNGey/8YA==,type:str] + users: ENC[AES256_GCM,data:48Mp825G0rIl6xYOL7FrMvwLcRZcGLg1tZTN/MSPR4qwlEmOknE5fg3+ZvJKslncmylBHF8x0GkCaZAotBFcOiXz8R15B0AV4r/G7tvgJtU1ZSQH/T09IUbPZsa0Xp8tsijhqo1IzBsq5loR38wHKZINxW73UB/yuX644uLb/F4+R0UJQc5BS6iI/2sd2CVYQovdDUyugSAQa57Uo0HlkSa1JO30iXWgjgSy2YgyxC4ZreKLT7j8/Q==,iv:IvXwZlyi5pH5aPMiPCHfB3NaCjBuSGtU3JW6rCzth2Y=,tag:JnMMKV1djPLo5aTxtD1qEg==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:15Z" - mac: ENC[AES256_GCM,data:L2efaWrCNjPXA/nRO78Lq+5vqcs2z2/jOzOz9SDBN5rN/Svt2WxqP7F076eNP9NfFgd7SkTyTekrU0szXkHSMXyAFrg+l8cYV6NLz6KTnwsVm7k7DJNa+i0iWh+GKl8VY+qFFOsDIGQlFNCgxmNmdaqwuldOUgTEBxMltIlpo44=,iv:pZYwaQWKvESvTvI00D/6gHB4On9w2jYeoME6FXrJ+Ak=,tag:s/5oYn3iaDicFDBJroaudg==,type:str] + lastmodified: "2025-11-12T13:40:34Z" + mac: ENC[AES256_GCM,data:14yuefNArmFzKi1Jn5H3VEqsB5ZXtLkQ3rgVLrv/eILW2Fngyhsq4WecHZM7C900fHN05fdGtDKzR/EDSIp70/ZXDnEKTYRimBAj8HshPh71EMhBOYRzeDrY1dZlYrNbXu9j4hyhY/qe86NsZPdNwSbl8QkKwgxKO9oIaSOLQxU=,iv:Z/ta3aecrnCU9+f99a3vF2JMZyTtR1kJ/W6KIFh49z4=,tag:xU/1rmyXtti4n97lUSc6Cw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 91d8a32239d6ad0e2628d80d68fea5778a220a96 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 16:13:10 +0000 Subject: [PATCH 159/174] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 919e826..f6e918b 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:48Mp825G0rIl6xYOL7FrMvwLcRZcGLg1tZTN/MSPR4qwlEmOknE5fg3+ZvJKslncmylBHF8x0GkCaZAotBFcOiXz8R15B0AV4r/G7tvgJtU1ZSQH/T09IUbPZsa0Xp8tsijhqo1IzBsq5loR38wHKZINxW73UB/yuX644uLb/F4+R0UJQc5BS6iI/2sd2CVYQovdDUyugSAQa57Uo0HlkSa1JO30iXWgjgSy2YgyxC4ZreKLT7j8/Q==,iv:IvXwZlyi5pH5aPMiPCHfB3NaCjBuSGtU3JW6rCzth2Y=,tag:JnMMKV1djPLo5aTxtD1qEg==,type:str] + users: ENC[AES256_GCM,data:qsl1uHFMRiO26wgVF5798oSyoO/LHmC/TgHekDQB7OHVmlxvG6ehXw2xeo2RW3ehWf64zHyViO2VtUfA5+RbiuHRYPd4tg7dErmUPdvEo6peC72Sr90U9Uc/cTG7yzeTckdYbnv5vqZwNh8YDF+mB6c7MbUocd18xw3+3Hz4/dkHZyOIXHVpfvtl3vc0RLDh6vyNsb61la51FFHYnUkwNApWgnRZD1JpYGdIiDh5R71f9oxK5hHBkL7+KEZ5bVbVf4nAlNwGZA==,iv:c1AoqPzn5oUFn20dPoX2hqZfBk10fxC7xbMjPiGKb5c=,tag:7NCE1fo9g80iFENvZRv1rA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:34Z" - mac: ENC[AES256_GCM,data:14yuefNArmFzKi1Jn5H3VEqsB5ZXtLkQ3rgVLrv/eILW2Fngyhsq4WecHZM7C900fHN05fdGtDKzR/EDSIp70/ZXDnEKTYRimBAj8HshPh71EMhBOYRzeDrY1dZlYrNbXu9j4hyhY/qe86NsZPdNwSbl8QkKwgxKO9oIaSOLQxU=,iv:Z/ta3aecrnCU9+f99a3vF2JMZyTtR1kJ/W6KIFh49z4=,tag:xU/1rmyXtti4n97lUSc6Cw==,type:str] + lastmodified: "2025-11-12T16:13:10Z" + mac: ENC[AES256_GCM,data:Ly+IKYbDg16x7XtlvBLL4DL2y3wX79e+OBJzw60+PaITFkEOuhr7KfYCMD/ZMeNa6UVcDcdJc6xb1xcRvNMcnF2N7UvgCfxoMS9SHZXa38OM2f1buuwxuAeoAV7zJQyzCJg0c2fwG8goICHmMXPNKeaEgBod+RkysJtJbH1TG18=,iv:EuKYDmTSYTKS1klO2cIS61eFkz+/FIDHBQ9daGkf/+4=,tag:tKbQrciiLqe9fdHw6BXslw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4dc24de8eb6e0ea686bef8c0533e9238cd4d6913 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 16:13:37 +0000 Subject: [PATCH 160/174] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index f6e918b..ef9b039 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:qsl1uHFMRiO26wgVF5798oSyoO/LHmC/TgHekDQB7OHVmlxvG6ehXw2xeo2RW3ehWf64zHyViO2VtUfA5+RbiuHRYPd4tg7dErmUPdvEo6peC72Sr90U9Uc/cTG7yzeTckdYbnv5vqZwNh8YDF+mB6c7MbUocd18xw3+3Hz4/dkHZyOIXHVpfvtl3vc0RLDh6vyNsb61la51FFHYnUkwNApWgnRZD1JpYGdIiDh5R71f9oxK5hHBkL7+KEZ5bVbVf4nAlNwGZA==,iv:c1AoqPzn5oUFn20dPoX2hqZfBk10fxC7xbMjPiGKb5c=,tag:7NCE1fo9g80iFENvZRv1rA==,type:str] + users: ENC[AES256_GCM,data:xkjm0+PBt6gmZyfi3n3OIEe5b+d4OtN0Y3UfmdcbcJHbJZuiz+60oUjlAN0vjtsi0muufoAqtGJTIpm9nDZzzN7b7LK43TAhcuSlIm5LpbZFp1U3H4laRbTwauAT6wA0aDCfAkwTozxAuEUk1jAu+65ktJNJb7b0PR7s/I/wf7IgW2+K4Jv3LIOZIipUwfuvXuTzsxCElYRvGZXmIuXrYq1EaymksHHggemrKeMWLAae7mzz5v3aBbwxiVjQNkQkS4ApsO/5nZUat0oqXA==,iv:fptZn4NmX3iYKSEPLJAOFpt+KQ6TR1w9KaY9IF4p/Wk=,tag:UKvMOSIT5/mhfZA3usbLhQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -30,7 +30,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-12T16:13:10Z"
- mac: ENC[AES256_GCM,data:Ly+IKYbDg16x7XtlvBLL4DL2y3wX79e+OBJzw60+PaITFkEOuhr7KfYCMD/ZMeNa6UVcDcdJc6xb1xcRvNMcnF2N7UvgCfxoMS9SHZXa38OM2f1buuwxuAeoAV7zJQyzCJg0c2fwG8goICHmMXPNKeaEgBod+RkysJtJbH1TG18=,iv:EuKYDmTSYTKS1klO2cIS61eFkz+/FIDHBQ9daGkf/+4=,tag:tKbQrciiLqe9fdHw6BXslw==,type:str]
+ lastmodified: "2025-11-12T16:13:36Z"
+ mac: ENC[AES256_GCM,data:UaUK/qYthw2C2XZeUPeuHV0VZaIKo7dd7EPtaM4PQ6xdJSNNACaMtwd+1u2jGmJysWHI3yjSpz2ZnRTaDX6O99/bLo6ilYPkGTlqjIWh+rzzZjaOP1fsuHwfCRSKkei3niojgcoKku3ohcuWWP1NUe5+EMIb68jGOVogTH2TBjo=,iv:kSLgzJZaef29Uvc/oY9uNQc5CE7iVfQrhE9RMGdmPjE=,tag:1IH/89za43RYLzizoCSb3w==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From df5dfa61a92c58112fdbed96c433f6c537b70710 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 12 Nov 2025 17:20:21 +0100 Subject: [PATCH 161/174] fix(justfile): escape double quotes for inputs --- .just/vars.just | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.just/vars.just b/.just/vars.just
index b4d6be2..944d7cf 100644
--- a/.just/vars.just
+++ b/.just/vars.just
@@ -13,7 +13,7 @@ list machine:
 {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
 @set machine key value:
- {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
+ {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\"/g')\""
 git add {{ base_path }}/{{ machine }}/secrets.yml
 git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
From fa37c3eb503d22403ddd6fde652da30def5a7e12 Mon Sep 17 00:00:00 2001
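Review bot: The new escaping on the `set` recipe still interpolates `{{ value }}` inside single quotes, so a secret containing a single quote terminates the `echo` argument and the remainder is parsed by the shell, and a secret containing a backslash yields a malformed JSON string because only `"` is escaped. Use just's `quote()` to hand the value over as a safely single-quoted argument, replace `echo` with `printf '%s'` (echo may interpret a leading `-n`/`-e` or backslash escapes), and escape backslashes before quotes: `"\"$(printf '%s' {{ quote(value) }} | sed 's/\\/\\\\/g; s/"/\\"/g')\""`. Independently of this change, the secret still travels in the argv of `printf`, `sed` and `sops`, which other local users can read from the process list; passing it via stdin or an environment variable would avoid that. The `git commit -m` line in the same recipe has the same single-quote problem for `{{ key }}`, though this commit does not touch it.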
From: Chris Kruining Date: Wed, 12 Nov 2025 17:23:40 +0100 Subject: [PATCH 162/174] feat(zitadel): add extra users via secrets --- .../authentication/zitadel/default.nix | 59 ++++++++++++++++--- 1 file changed, 50 insertions(+), 9 deletions(-)
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index 402d59d..c4ceaac 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, namespace, system, inputs, ... }:
 let
- inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
+ inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames;
 inherit (lib.${namespace}.strings) toSnakeCase;
 cfg = config.${namespace}.services.authentication.zitadel;
@@ -336,6 +336,21 @@ in
 jwt_profile_file = "/var/lib/zitadel/machine-key.json";
 };
+ locals = {
+ extra_users = lib.tfRef "
+ flatten([ for org, users in jsondecode(file(\"${config'.sops.secrets."zitadel/users".path}\")): [
+ for name, details in users: {
+ org = org
+ name = name
+ email = details.email
+ firstName = details.firstName
+ lastName = details.lastName
+ }
+ ] ])
+ ";
+ orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id");
+ };
+
 resource = {
 # Organizations
 zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }:
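Review bot: `local.extra_users` decodes the sops-managed users file with `jsondecode(file(...))` at plan time, and since those records feed `zitadel_human_user` attributes they land in clear in the Terraform state and plan output, so the state must be protected like the secret itself; a comment on the `locals` block would save the next reader from discovering this, e.g. `# NOTE: the decoded users secret ends up in Terraform state and plan output (for_each values cannot be sensitive).` The expression also hard-codes the JSON shape (`org -> name -> { email, firstName, lastName }`) and a missing attribute fails the plan with an opaque error, so either document the expected schema next to the `"zitadel/users"` secret declaration or read the optional fields with `lookup(details, "firstName", null)`. `orgs` is keyed by the Nix-side organization names, so a user whose `org` in the secret does not match an entry of `cfg.organization` fails later at `local.orgs[each.value.org]` in the resource block of this same patch; that is acceptable, but worth stating in the same comment.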
@@ -384,15 +399,35 @@ in
 );
 # Users
- zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
- {
- inherit email userName firstName lastName;
+ zitadel_human_user =
+ (cfg.organization
+ |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
+ {
+ inherit email userName firstName lastName;
- isEmailVerified = true;
- }
- |> withRef "org" org
- |> toResource "${org}_${name}"
- );
+ isEmailVerified = true;
+ }
+ |> withRef "org" org
+ |> toResource "${org}_${name}"
+ ))
+
+ // {
+ "extra_users" = {
+ for_each = lib.tfRef ''{
+ for user in local.extra_users :
+ "''${user.org}_''${user.name}" => user
+ }'';
+
+ org_id = lib.tfRef "local.orgs[each.value.org]";
+ user_name = lib.tfRef "each.value.name";
+ email = lib.tfRef "each.value.email";
+ first_name = lib.tfRef "each.value.firstName";
+ last_name = lib.tfRef "each.value.lastName";
+
+ is_email_verified = true;
+ };
+ }
+ ;
 # Global user roles
 zitadel_instance_member =
@@ -648,6 +683,12 @@ in
 key = "email/chris_kruining_eu";
 restartUnits = [ "zitadel.service" ];
 };
+
+ "zitadel/users" = {
+ owner = "zitadel";
+ group = "zitadel";
+ restartUnits = [ "zitadelApplyTerraform.service" ];
+ };
 };
 };
 };
From 4e09252e75c6e53a7f6188dcf97d71a8b53ae44c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 12 Nov 2025 17:26:17 +0100 Subject: [PATCH 163/174] feat(zitadel): add remapping of exported keys --- .../authentication/zitadel/default.nix | 24 ++++++++++++++++--- systems/x86_64-linux/ulmo/default.nix | 10 ++++++++ 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index c4ceaac..bd74ca2 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
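Review bot: The `extra_users` resource sets `user_name = each.value.name` while the statically configured users take their username from a separate `userName` attribute, so a person listed both under `cfg.organization.<org>.user` and in the secret file yields two `zitadel_human_user` resources with the same username in the same organization, which presumably only fails at apply time rather than at evaluation; a short comment above `"extra_users"` saying that the secret file is for users that must not also appear in the Nix config would make the split explicit. The `for_each` keys `"<org>_<name>"` reuse the `toResource "${org}_${name}"` naming scheme, which is fine for Terraform addresses, but `zitadel_human_user.<org>_<name>` and `zitadel_human_user.extra_users["<org>_<name>"]` look alike in plan output and that is worth one line of comment too.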
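Review bot: The `"zitadel/users"` secret is declared with `owner = "zitadel"` and the sops-nix default mode of 0400, so the `file()` call in `locals` only succeeds if `zitadelApplyTerraform.service` runs as that user or as root; the unit's `User=` is not visible in this patch, so confirm it, otherwise the Terraform apply fails with a permission error on every run. A comment on the secret, e.g. `# read by zitadelApplyTerraform.service via file() in the Terraform locals; must be readable by the unit's user`, would tie the two places together.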
@@ -140,6 +140,24 @@ in
 .
 '';
 };
+
+ exportMap =
+ let
+ strOpt = mkOption { type = types.nullOr types.str; default = null; };
+ in
+ mkOption {
+ type = types.submodule { options = { client_id = strOpt; client_secret = strOpt; }; };
+ default = {};
+ example = literalExpression ''
+ {
+ client_id = "SSO_CLIENT_ID";
+ client_secret = "SSO_CLIENT_SECRET";
+ }
+ '';
+ description = ''
+ Remap the outputted variables to another key.
+ '';
+ };
 };
 });
 };
@@ -492,11 +510,11 @@ in
 };
 # Client credentials per app
- local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value:
+ local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }:
 nameValuePair "${org}_${project}_${name}" {
 content = ''
- CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"}
- CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"}
+ ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"}
+ ${if exportMap.client_secret != null then exportMap.client_secret else "CLIENT_SECRET"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"}
 '';
 filename = "/var/lib/zitadel/clients/${org}_${project}_${name}";
 }
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index 027dad6..8bb5cea 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
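Review bot: `exportMap.client_id` and `client_secret` are typed `types.nullOr types.str` but are spliced verbatim as the variable name into the generated credentials file in the `local_sensitive_file` hunk below, so a value containing `=`, whitespace or a newline silently corrupts that file (and a newline could inject a second assignment); constrain the option so bad names fail at evaluation: `strOpt = mkOption { type = types.nullOr (types.strMatching "[A-Za-z_][A-Za-z0-9_]*"); default = null; };`. The description reads awkwardly; suggest `Rename the CLIENT_ID / CLIENT_SECRET variables written to this application's generated credentials file.` As a style point, the `if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"` branch is duplicated for both keys in the second hunk and could become a small `let` helper there.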
@@ -95,6 +95,16 @@ responseTypes = [ "code" ]; }; + vaultwarden = { + redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + exportMap = { + client_id = "SSO_CLIENT_ID"; + client_secret = "SSO_CLIENT_SECRET"; + }; + }; + matrix = { redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; grantTypes = [ "authorizationCode" ]; From 272f48a9ab000b638a18612343743317370c8536 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 13 Nov 2025 07:50:45 +0000 Subject: [PATCH 164/174] chore(secrets): set secret "kaas" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index ef9b039..4864b00 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -10,6 +10,7 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] +kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
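Review bot: The new top-level `kaas` key in `secrets.yml` has no consumer anywhere in this series and its name reads like a test value for the `set` recipe changed in PATCH 161; if that is what it is, it should be removed again in a follow-up, bearing in mind that the encrypted blob and its MAC remain in history regardless. If it is a real secret, a comment-free sops file cannot say so, so the consuming module should reference it by this key so the purpose is discoverable.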
@@ -30,7 +31,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T16:13:36Z" - mac: ENC[AES256_GCM,data:UaUK/qYthw2C2XZeUPeuHV0VZaIKo7dd7EPtaM4PQ6xdJSNNACaMtwd+1u2jGmJysWHI3yjSpz2ZnRTaDX6O99/bLo6ilYPkGTlqjIWh+rzzZjaOP1fsuHwfCRSKkei3niojgcoKku3ohcuWWP1NUe5+EMIb68jGOVogTH2TBjo=,iv:kSLgzJZaef29Uvc/oY9uNQc5CE7iVfQrhE9RMGdmPjE=,tag:1IH/89za43RYLzizoCSb3w==,type:str] + lastmodified: "2025-11-13T07:50:40Z" + mac: ENC[AES256_GCM,data:tGOipGrlvIwfocpve9/4MGBtgnGuvI380VdIrSc2pCym4f20DC70/QofPo31cRtkWW3sd8nmEReU7+QQ39iZa9Jrlg+e8O8T5sbckjFvO5KWw5UBShjltrcRmhIHH0vUMkfAul5GRJEjCdpMIuOxxQGUMykeP/y8M6sDfnC73vU=,iv:MF9RP4SI4dWX6Rf6puuck5S0KrKKA8U/uQuJCwMYV30=,tag:lsr85wZVCgXr6n3QPmelaw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9116361b908fdddd8a91ac137327484e3f107ebc Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:48:56 +0000 Subject: [PATCH 165/174] chore(secrets): set secret "radarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4864b00..8bb18b7 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -11,6 +11,8 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] +radarr: + apikey: "" sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -31,7 +33,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-13T07:50:40Z" - mac: ENC[AES256_GCM,data:tGOipGrlvIwfocpve9/4MGBtgnGuvI380VdIrSc2pCym4f20DC70/QofPo31cRtkWW3sd8nmEReU7+QQ39iZa9Jrlg+e8O8T5sbckjFvO5KWw5UBShjltrcRmhIHH0vUMkfAul5GRJEjCdpMIuOxxQGUMykeP/y8M6sDfnC73vU=,iv:MF9RP4SI4dWX6Rf6puuck5S0KrKKA8U/uQuJCwMYV30=,tag:lsr85wZVCgXr6n3QPmelaw==,type:str] + lastmodified: "2025-11-19T09:48:55Z" + mac: ENC[AES256_GCM,data:fLLiX6obUBbhtg/XpwUWJmu0jpQraGAOmViQ5SOh82rndcI87fJW0Y2mYN1+VpPdknlsLbuUzFB0styWljmAg3DxRW0OGNz+pL6r4ior0phRRBpGhY9rVHO62f74GZItHgBDzojUQwu7Rhu6jFZMGHLsCgjfRl6QEfakNjT5Py8=,iv:xlZ/q5a0IOiqwjPsD/PQ04URhrX9aGSV6U3suCecqQk=,tag:u4tB8AOJ/jYfiLSbayXpeQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 80e61ec5d8b6fc4f2a370073fa5ef34497739d4c Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 09:50:35 +0000 Subject: [PATCH 166/174] chore(secrets): set secret "radarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 8bb18b7..0a9d750 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -12,7 +12,7 @@ synapse: oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] radarr: - apikey: "" + apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -33,7 +33,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:48:55Z" - mac: ENC[AES256_GCM,data:fLLiX6obUBbhtg/XpwUWJmu0jpQraGAOmViQ5SOh82rndcI87fJW0Y2mYN1+VpPdknlsLbuUzFB0styWljmAg3DxRW0OGNz+pL6r4ior0phRRBpGhY9rVHO62f74GZItHgBDzojUQwu7Rhu6jFZMGHLsCgjfRl6QEfakNjT5Py8=,iv:xlZ/q5a0IOiqwjPsD/PQ04URhrX9aGSV6U3suCecqQk=,tag:u4tB8AOJ/jYfiLSbayXpeQ==,type:str] + lastmodified: "2025-11-19T09:50:35Z" + mac: ENC[AES256_GCM,data:FgSL58+AHzqp18RyJ4I7fdIQf/vjFI0chkb8T2qXATRJyK3RKrF7JNMOel3ZFgptQvgamUD5LxGgtSO+ucFMjwJpvDmlzrRJ/BbnywuANAeW0M91myI7/Exj/p4QOeIz0RWViX6NGJO+9oF5BMBPE/9tyA+jMN03I8nGCZFGu6o=,iv:8cIUA8/5EexFxwXpJfoY6/A2ZKesHwBUueaMVZq5LbY=,tag:jUmC4qBEXJXxZQEMlDkadg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6a0195587d6a444edb333e235afa683935550197 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:50:58 +0000 Subject: [PATCH 167/174] chore(secrets): set secret "sonarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0a9d750..0a4b541 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -13,6 +13,8 @@ synapse: kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] radarr: apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] +sonarr: + apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -33,7 +35,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:50:35Z" - mac: ENC[AES256_GCM,data:FgSL58+AHzqp18RyJ4I7fdIQf/vjFI0chkb8T2qXATRJyK3RKrF7JNMOel3ZFgptQvgamUD5LxGgtSO+ucFMjwJpvDmlzrRJ/BbnywuANAeW0M91myI7/Exj/p4QOeIz0RWViX6NGJO+9oF5BMBPE/9tyA+jMN03I8nGCZFGu6o=,iv:8cIUA8/5EexFxwXpJfoY6/A2ZKesHwBUueaMVZq5LbY=,tag:jUmC4qBEXJXxZQEMlDkadg==,type:str] + lastmodified: "2025-11-19T09:50:57Z" + mac: ENC[AES256_GCM,data:j2IhWjN08v5xlEw1KBmd0Zc+NriqVDPx06t9oB20S9p2ARe+UhyHxyGah4jZWyHCoanM1sJe4kN3/FcuwI/U+1LmukSQ+YBQT53R4jlOooje06jkJka9xnoS7QiVJmFF8H0XaR1Ye8Xas8mrHgMMOTza96TtvN3YeXpfXUTF4xQ=,iv:X32tNNl2prYbufy4dzubXi5MvX8s+xtGVy2g88gjHns=,tag:yD+fzF8PIWRuxQ28MGTV4Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d0e374c8bb78aefbbdd9f8158f9ab8a82ac60629 Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 09:51:06 +0000 Subject: [PATCH 168/174] chore(secrets): set secret "lidarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0a4b541..1e8764c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -15,6 +15,8 @@ radarr: apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] sonarr: apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] +lidarr: + apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -35,7 +37,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:50:57Z" - mac: ENC[AES256_GCM,data:j2IhWjN08v5xlEw1KBmd0Zc+NriqVDPx06t9oB20S9p2ARe+UhyHxyGah4jZWyHCoanM1sJe4kN3/FcuwI/U+1LmukSQ+YBQT53R4jlOooje06jkJka9xnoS7QiVJmFF8H0XaR1Ye8Xas8mrHgMMOTza96TtvN3YeXpfXUTF4xQ=,iv:X32tNNl2prYbufy4dzubXi5MvX8s+xtGVy2g88gjHns=,tag:yD+fzF8PIWRuxQ28MGTV4Q==,type:str] + lastmodified: "2025-11-19T09:51:06Z" + mac: ENC[AES256_GCM,data:/arD30zm/wheVtSkwkQrdMe7REnwQ/XOKKWTqysIFeA5O9+e93wSWj8dpwfXfZ5q0ISOk5n3v8hsqzls8wi5BMLXPaBRyj5Alr5poFZd3vJ9z6uyDCSPlJhYRl8ussjzj0vK3Lr3hzKczfrGgPF7W6CoqBKk0AYI2fFHWfT/B5A=,iv:aq66boBgI/V/pVPuPf9mg/TqLV/VfJTElRt7My5njCc=,tag:7s/qu/6B/bX/Nqs00BNl8Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From ba246b145fc6187d82723204240db5ef5a29cd5c Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:51:27 +0000 Subject: [PATCH 169/174] chore(secrets): set secret "prowlarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1e8764c..7a26401 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -17,6 +17,8 @@ sonarr: apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] lidarr: apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] +prowlarr: + apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -37,7 +39,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:51:06Z" - mac: ENC[AES256_GCM,data:/arD30zm/wheVtSkwkQrdMe7REnwQ/XOKKWTqysIFeA5O9+e93wSWj8dpwfXfZ5q0ISOk5n3v8hsqzls8wi5BMLXPaBRyj5Alr5poFZd3vJ9z6uyDCSPlJhYRl8ussjzj0vK3Lr3hzKczfrGgPF7W6CoqBKk0AYI2fFHWfT/B5A=,iv:aq66boBgI/V/pVPuPf9mg/TqLV/VfJTElRt7My5njCc=,tag:7s/qu/6B/bX/Nqs00BNl8Q==,type:str] + lastmodified: "2025-11-19T09:51:26Z" + mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 09e4e940bcec8073d9ea9827a4450b566c2e0fd5 Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 10:27:29 +0000 Subject: [PATCH 170/174] chore: update dependencies --- flake.lock | 230 +++++++++++++++++++++++++++-------------------------- 1 file changed, 116 insertions(+), 114 deletions(-) diff --git a/flake.lock b/flake.lock index 5ed2f72..9d38839 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1762254206, - "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", - "rev": "43a7652624e76d60a93325c711d01620801d4382", + "lastModified": 1763547157, + "narHash": "sha256-lJcMap2uT+x1R8WUUKKQ6ndynysJ/JOkrMThMGz6DP0=", + "rev": "2cb2134a6ee32d427097077c4fb4c416b52ae988", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/2cb2134a6ee32d427097077c4fb4c416b52ae988.tar.gz" }, "original": { "type": "tarball", @@ -111,11 +111,11 @@ ] }, "locked": { - "lastModified": 1760612273, - "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", - "rev": "0099739c78be750b215cbdefafc9ba1533609393", + "lastModified": 1762942435, + "narHash": "sha256-zIWGs5FIytTtJN+dhDb8Yx+q4TQI/yczuL539yVcyPE=", + "rev": "0ee328404b12c65e8106bde9e9fab8abf4ecada4", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0ee328404b12c65e8106bde9e9fab8abf4ecada4.tar.gz" }, "original": { "type": "tarball", 
@@ -130,11 +130,11 @@ ] }, "locked": { - "lastModified": 1761899396, - "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", + "lastModified": 1762276996, + "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", "owner": "nix-community", "repo": "disko", - "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", + "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", "type": "github" }, "original": { @@ -149,11 +149,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1759842236, - "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", + "lastModified": 1762360792, + "narHash": "sha256-YR7vqk+XEvFUQ/miuBAD3+p+97QUN86ya9Aw0K5feJE=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", + "rev": "9075dff5685d3e7269284e53ca496da0beb24596", "type": "github" }, "original": { @@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1760510549, - "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", + "lastModified": 1763534658, + "narHash": "sha256-i/51/Zi/1pM9hZxxSuA3nVPpyqlGoWwJwajyA/loOpo=", "owner": "nix-community", "repo": "fenix", - "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", + "rev": "69e40ddf45698d0115a62a7a15d8412f35dd4c09", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1760548798, - "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", + "lastModified": 1763504432, + "narHash": "sha256-kpmPI67TdoTxiK7LsmgmkKW3iHoyvZJwZeiJhpwPfmw=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", + "rev": "49d5d8d42a7650e5353f8467c813839290cb7c9f", "type": "github" }, "original": { 
@@ -237,11 +237,11 @@ }, "flake-compat_2": { "locked": { - "lastModified": 1746162366, - "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=", + "lastModified": 1761640442, + "narHash": "sha256-AtrEP6Jmdvrqiv4x2xa5mrtaIp3OEe8uBYCDZDS+hu8=", "owner": "nix-community", "repo": "flake-compat", - "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b", + "rev": "4a56054d8ffc173222d09dad23adf4ba946c8884", "type": "github" }, "original": { @@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1762040540, - "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", + "lastModified": 1762980239, + "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "0010412d62a25d959151790968765a70c436598b", + "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", "type": "github" }, "original": { @@ -327,11 +327,11 @@ ] }, "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", + "lastModified": 1760948891, + "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", + "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", "type": "github" }, "original": { @@ -510,18 +510,20 @@ "gnome-shell": { "flake": false, "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", + "host": "gitlab.gnome.org", + "lastModified": 1762869044, + "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" + "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad", + "type": "gitlab" }, "original": { + "host": "gitlab.gnome.org", "owner": "GNOME", - "ref": "48.2", + "ref": "gnome-49", "repo": "gnome-shell", - "type": "github" + "type": "gitlab" } }, "grub2-themes": { 
@@ -551,11 +553,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1760546650, - "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", + "lastModified": 1763486183, + "narHash": "sha256-10EvBTF9ELezWg+KoKZJ3bxrPzT1Xz95ifurC6HixLY=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", + "rev": "fb27f4bee812e4b4df9df9f78bd5280f0aa2193c", "type": "github" }, "original": { @@ -571,11 +573,11 @@ ] }, "locked": { - "lastModified": 1760500983, - "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", + "lastModified": 1763416652, + "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=", "owner": "nix-community", "repo": "home-manager", - "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", + "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312", "type": "github" }, "original": { @@ -592,11 +594,11 @@ ] }, "locked": { - "lastModified": 1752603129, - "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", + "lastModified": 1762964643, + "narHash": "sha256-RYHN8O/Aja59XDji6WSJZPkJpYVUfpSkyH+PEupBJqM=", "owner": "nix-community", "repo": "home-manager", - "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", + "rev": "827f2a23373a774a8805f84ca5344654c31f354b", "type": "github" }, "original": { @@ -613,11 +615,11 @@ ] }, "locked": { - "lastModified": 1760534924, - "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", + "lastModified": 1763453666, + "narHash": "sha256-Hu8lDUlbMFvcYX30LBXX7Gq5FbU35bERH0pSX5qHf/Q=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "100b4e000032b865563a9754e5bca189bc544764", + "rev": "b843b551415c7aecc97c8b3ab3fff26fd0cd8bbf", "type": "github" }, "original": { 
@@ -668,11 +670,11 @@ ] }, "locked": { - "lastModified": 1762186368, - "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", + "lastModified": 1763136804, + "narHash": "sha256-6p2ljK42s0S8zS0UU59EsEqupz0GVCaBYRylpUadeBM=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", + "rev": "973db96394513fd90270ea5a1211a82a4a0ba47f", "type": "github" }, "original": { @@ -710,11 +712,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1760493654, - "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", + "lastModified": 1763171892, + "narHash": "sha256-6cg9zSiqKA89yJzVtYhBaBptqq6bX4pr4g7WLAHOD4Y=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", + "rev": "316858c27d278b20e776cd4dd8f787812f587ba2", "type": "github" }, "original": { @@ -725,11 +727,11 @@ }, "nix-select": { "locked": { - "lastModified": 1755887746, - "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", - "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", + "lastModified": 1763303120, + "narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=", + "rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz" }, "original": { "type": "tarball", @@ -768,11 +770,11 @@ }, "nixos-facter-modules": { "locked": { - "lastModified": 1761137276, - "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", + "lastModified": 1762264948, + "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=", "owner": "nix-community", "repo": "nixos-facter-modules", - "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", + "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96", "type": "github" }, "original": { 
@@ -810,11 +812,11 @@
 ]
 },
 "locked": {
- "lastModified": 1760536587,
- "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=",
+ "lastModified": 1763537456,
+ "narHash": "sha256-/WRqcqeE9C+mxxWgI7jy5blMrvg2lHFSlTFjC8pRWos=",
 "owner": "nix-community",
 "repo": "nixos-wsl",
- "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea",
+ "rev": "cd9eb5225fc91eb67629966844d2ff371824abb1",
 "type": "github"
 },
 "original": {
@@ -825,11 +827,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1759360550,
- "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=",
+ "lastModified": 1761828793,
+ "narHash": "sha256-xjdPwMD4wVuDD85U+3KST62VzFkJueI6oBwIzpzUHLY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036",
+ "rev": "843859a08e114403f44aaf5b996b44c38094aa46",
 "type": "github"
 },
 "original": {
@@ -856,11 +858,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1760479263,
- "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=",
+ "lastModified": 1763469780,
+ "narHash": "sha256-IW67Db/wBNQwJ5e0fF9Yk4SmdivMcecrUVDs7QJoC/s=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5",
+ "rev": "a70b03ca5dc9d46294740f165abdef9f9bea5632",
 "type": "github"
 },
 "original": {
@@ -888,11 +890,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1760548845,
- "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=",
+ "lastModified": 1763547551,
+ "narHash": "sha256-YOdXVAqEGmrPUgs71r8ziuu9qqpn3jJEiIxsIls+VQA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "631597d659c37aa267eed8334271d5205244195e",
+ "rev": "06aa4d5f488875b6af46e10b45b8000ed0906860",
 "type": "github"
 },
 "original": {
@@ -920,11 +922,11 @@
 },
 "nixpkgs_6": {
 "locked": {
- "lastModified": 1760284886,
- "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=",
+ "lastModified": 1763421233,
+ "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43",
+ "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648",
 "type": "github"
 },
 "original": {
@@ -936,11 +938,11 @@
 },
 "nixpkgs_7": {
 "locked": {
- "lastModified": 1759386674,
- "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=",
+ "lastModified": 1761880412,
+ "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "625ad6366178f03acd79f9e3822606dd7985b657",
+ "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
 "type": "github"
 },
 "original": {
@@ -952,11 +954,11 @@
 },
 "nixpkgs_8": {
 "locked": {
- "lastModified": 1760164275,
- "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=",
+ "lastModified": 1763191728,
+ "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "362791944032cb532aabbeed7887a441496d5e6e",
+ "rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c",
 "type": "github"
 },
 "original": {
@@ -968,11 +970,11 @@
 },
 "nixpkgs_9": {
 "locked": {
- "lastModified": 1758690382,
- "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
+ "lastModified": 1762977756,
+ "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e643668fd71b949c53f8626614b21ff71a07379d",
+ "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
 "type": "github"
 },
 "original": {
@@ -1016,11 +1018,11 @@
 "systems": "systems_5"
 },
 "locked": {
- "lastModified": 1760153667,
- "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=",
+ "lastModified": 1762622004,
+ "narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=",
 "owner": "notashelf",
 "repo": "nvf",
- "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d",
+ "rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909",
 "type": "github"
 },
 "original": {
@@ -1039,11 +1041,11 @@
 ]
 },
 "locked": {
- "lastModified": 1759321049,
- "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=",
+ "lastModified": 1762784320,
+ "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=",
 "owner": "nix-community",
 "repo": "plasma-manager",
- "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd",
+ "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321",
 "type": "github"
 },
 "original": {
@@ -1080,11 +1082,11 @@
 "rust-analyzer-src": {
 "flake": false,
 "locked": {
- "lastModified": 1760457219,
- "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=",
+ "lastModified": 1762860488,
+ "narHash": "sha256-rMfWMCOo/pPefM2We0iMBLi2kLBAnYoB9thi4qS7uk4=",
 "owner": "rust-lang",
 "repo": "rust-analyzer",
- "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46",
+ "rev": "2efc80078029894eec0699f62ec8d5c1a56af763",
 "type": "github"
 },
 "original": {
@@ -1102,11 +1104,11 @@
 ]
 },
 "locked": {
- "lastModified": 1760495781,
- "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=",
+ "lastModified": 1759977258,
+ "narHash": "sha256-hOxEFSEBoqDmJb7BGX1CzT1gvUPK6r+Qs+n3IxBgfTs=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "11e0852a2aa3a65955db5824262d76933750e299",
+ "rev": "1d0c6173f57d07db7957b50e799240d4f2d7520f",
 "type": "github"
 },
 "original": {
@@ -1145,11 +1147,11 @@
 ]
 },
 "locked": {
- "lastModified": 1760998189,
- "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+ "lastModified": 1763264763,
+ "narHash": "sha256-N0BEoJIlJ+M6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+ "rev": "882e56c8293e44d57d882b800a82f8b2ee7a858f",
 "type": "github"
 },
 "original": {
@@ -1163,11 +1165,11 @@
 "nixpkgs": "nixpkgs_8"
 },
 "locked": {
- "lastModified": 1760393368,
- "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=",
+ "lastModified": 1763509310,
+ "narHash": "sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437",
+ "rev": "3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e",
 "type": "github"
 },
 "original": {
@@ -1195,11 +1197,11 @@
 "tinted-zed": "tinted-zed"
 },
 "locked": {
- "lastModified": 1760472212,
- "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=",
+ "lastModified": 1763497248,
+ "narHash": "sha256-OGP6MYc+lVkLVQOTS6ORszDcCnZm7kDOGpFBdDoLd0k=",
 "owner": "nix-community",
 "repo": "stylix",
- "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db",
+ "rev": "f19ac46f6aa26188b2020ed40066a5b832be9c53",
 "type": "github"
 },
 "original": {
@@ -1337,11 +1339,11 @@
 "systems": "systems_8"
 },
 "locked": {
- "lastModified": 1757278723,
- "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=",
+ "lastModified": 1762472226,
+ "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=",
 "owner": "terranix",
 "repo": "terranix",
- "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb",
+ "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc",
 "type": "github"
 },
 "original": {
@@ -1439,11 +1441,11 @@
 ]
 },
 "locked": {
- "lastModified": 1761311587,
- "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
+ "lastModified": 1762938485,
+ "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",
 "owner": "numtide",
 "repo": "treefmt-nix",
- "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
+ "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
 "type": "github"
 },
 "original": {
@@ -1460,11 +1462,11 @@
 ]
 },
 "locked": {
- "lastModified": 1760466542,
- "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=",
+ "lastModified": 1763521945,
+ "narHash": "sha256-Zcrafbe4niRJMbzaVOwg7+iedJhwBFttre2DpyCC6qA=",
 "owner": "0xc000022070",
 "repo": "zen-browser-flake",
- "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22",
+ "rev": "24d7381b9231c23daceec5d372cc28e877f7785d",
 "type": "github"
 },
 "original": {
From 169b62e6f3dc3cf839004f3da1b781be6e7b640c Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 19 Nov 2025 11:49:09 +0100
Subject: [PATCH 171/174] chore: update config after update
---
 modules/nixos/services/development/forgejo/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index dbcef87..52f026f 100644
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -144,7 +144,7 @@ in openssh.settings.AllowUsers = [ "forgejo" ]; gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; + package = pkgs.forgejo-runner; instances.default = { enable = true; name = "default";
From 2d3da197ee8e549b46a52266af22271a817127fd Mon Sep 17 00:00:00 2001
From: Chris Kruining Date: Thu, 20 Nov 2025 00:05:34 +0100 Subject: [PATCH 172/174] lets actually commit for once... --- .just/vars.just | 18 +- lib/options/default.nix | 38 ++++ lib/strings/default.nix | 26 ++- modules/home/themes/default.nix | 2 +- .../authentication/zitadel/default.nix | 48 ++-- .../nixos/services/backup/borg/default.nix | 13 +- modules/nixos/services/media/default.nix | 210 ++++++++++++++--- .../nixos/services/media/homer/default.nix | 8 +- .../nixos/services/media/servarr/default.nix | 214 ++++++++++++++++++ .../observability/uptime-kuma/default.nix | 25 ++ .../services/security/vaultwarden/default.nix | 138 ++++++++++- shells/default/default.nix | 2 + systems/x86_64-linux/ulmo/default.nix | 43 +++- 13 files changed, 711 insertions(+), 74 deletions(-) create mode 100644 lib/options/default.nix create mode 100644 modules/nixos/services/media/servarr/default.nix create mode 100644 modules/nixos/services/observability/uptime-kuma/default.nix diff --git a/.just/vars.just b/.just/vars.just index 944d7cf..d8bd181 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -1,19 +1,23 @@ +set unstable + base_path := invocation_directory() / "systems/x86_64-linux" -sops := "nix shell nixpkgs#sops --command sops" -yq := "nix shell nixpkgs#yq --command yq" +# sops := "nix shell nixpkgs#sops --command sops" +# yq := "nix shell nixpkgs#yq --command yq" +sops := "sops" +yq := "yq" @_default: just --list [doc('list all vars of the target machine')] list machine: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml @edit machine: - {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml + sops edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\"/g')\"" + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null 
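Review bot: The recipes now invoke a bare `sops`/`yq` instead of the pinned `nix shell nixpkgs#sops --command sops` wrapper, so which binary runs depends on whatever is first on PATH when `just` is called; the `get` and `remove` recipes in the next hunk have the same dependency. If the tools are meant to come from the repository's dev shell, state that at the top of the file, e.g. `# sops and yq must be on PATH (use the dev shell); the nix-shell wrappers below are kept for ad-hoc use`, and either delete the commented-out `sops :=`/`yq :=` lines or explain why they stay. The `sops` and `yq` variables are still defined but no recipe references them any more, so they can be removed. The reason for the changed sed escape in `set` (`\\"` → `\\\"`) is not visible here; a one-line comment on that recipe would spare the next reader the same puzzle.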
@@ -21,10 +25,10 @@ list machine: echo "Done" @get machine key: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml | {{ yq }} ".$(echo "{{ key }}" | sed -E 's/\//./g')" + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" @remove machine key: - {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null diff --git a/lib/options/default.nix b/lib/options/default.nix new file mode 100644 index 0000000..72e8621 --- /dev/null +++ b/lib/options/default.nix @@ -0,0 +1,38 @@ +{ lib, ...}: +let + inherit (builtins) isString typeOf; + inherit (lib) mkOption types throwIfNot concatStringsSep splitStringBy toLower map; +in +{ + options = { + mkUrlOptions = + defaults: + { + host = mkOption { + type = types.str; + example = "host.tld"; + description = '' + Hostname + ''; + } // (defaults.host or {}); + + port = mkOption { + type = types.port; + default = 1234; + example = "1234"; + description = '' + Port + ''; + } // (defaults.port or {}); + + protocol = mkOption { + type = types.str; + default = "https"; + example = "https"; + description = '' + Which protocol to use when creating a url string + ''; + } // (defaults.protocol or {}); + }; + }; +} \ No newline at end of file diff --git a/lib/strings/default.nix b/lib/strings/default.nix index 52b05e3..0c15699 100644 --- a/lib/strings/default.nix +++ b/lib/strings/default.nix 
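Review bot: `example = "1234"` on the `port` option is a string while the option's type is `types.port`, so the example does not satisfy its own type; use `example = 1234;`. `inherit (builtins) isString typeOf;` and `throwIfNot concatStringsSep splitStringBy toLower map` from the `inherit (lib)` line are unused here (only `mkOption` and `types` are referenced) and look copied over from lib/strings; trimming them keeps the module honest about what it needs. A fixed `default = 1234` for a generic URL port is arbitrary — leaving the port without a default forces callers to set it, which is what the vaultwarden module does by overriding it anyway. The file is also missing its trailing newline.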
@@ -1,10 +1,15 @@ { lib, ...}: let - inherit (builtins) isString typeOf; - inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; + inherit (builtins) isString typeOf match toString head; + inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map concatMapAttrsStringSep; in { strings = { + #======================================================================================== + # Converts a string to snake case + # + # simply replaces any uppercase letter to its lowercase variant preceeded by an underscore + #======================================================================================== toSnakeCase = str: throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( @@ -13,5 +18,22 @@ in |> map (p: toLower p) |> concatStringsSep "_" ); + + #======================================================================================== + # Converts a set of url parts to a string + #======================================================================================== + toUrl = + { protocol ? null, host, port ? null, path ? null, query ? null, hash ? null }: + let + trim_slashes = str: str |> match "^\/*(.+?)\/*$" |> head; + encode_to_str = set: concatMapAttrsStringSep "&" (n: v: "${n}=${v}") set; + + _protocol = if protocol != null then "${protocol}://" else ""; + _port = if port != null then ":${toString port}" else ""; + _path = if path != null then "/${path |> trim_slashes}" else ""; + _query = if query != null then "?${query |> encode_to_str}" else ""; + _hash = if hash != null then "#${hash |> encode_to_str}" else ""; + in + "${_protocol}${host}${_port}${_path}${_query}${_hash}"; }; } \ No newline at end of file diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index 3fa74b9..3fb8f15 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix 
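Review bot: `toUrl` joins query and fragment pairs in `encode_to_str` without percent-encoding names or values, so a value containing `&`, `=`, `#` or a space yields a different URL than intended; either document the contract, `# query/hash values are inserted verbatim and must already be URL-encoded`, or apply `lib.escapeURL` to `n` and `v`. `trim_slashes` relies on the lazy quantifier `.+?`, but `builtins.match` uses POSIX extended regex where that construct is undefined, so I would expect it to fail or behave greedily — rewrite it without `?`. `match` returns `null` when the pattern does not match (an empty or all-slash `path`), and `head null` then aborts evaluation; guard that case rather than letting it error. A short header comment listing the accepted argument shapes (`port` int, `query`/`hash` attrsets of strings) would make the function usable without reading the body.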
@@ -52,7 +52,7 @@ in { }; emoji = { - package = pkgs.noto-fonts-emoji; + package = pkgs.noto-fonts-color-emoji; name = "Noto Color Emoji"; }; }; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index bd74ca2..9a02f01 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs concatMapStringsSep filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -334,6 +334,16 @@ in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set ; + append = attrList: set: set // (listToAttrs attrList); + forEach = src: key: set: + let + _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; + in + { + forEach = "{ for item in ${src} : \"${_key}\" => item }"; + } + // set; + config' = config; # this is a nix package, the generated json file to be exact @@ -418,7 +428,7 @@ in # Users zitadel_human_user = - (cfg.organization + cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: { inherit email userName firstName lastName; 
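Review bot: `forEach` returns the Terraform for-expression as a plain string, whereas the code it replaces in the `@@ -427,24 +437,20 @@` hunk wrapped the same expression in `lib.tfRef`; in Terraform's JSON syntax a string is a template in which only `${…}` segments are evaluated, so unless `toResource` adds that wrapper the value is emitted as a literal string and the embedded `${item.org}` references are rejected. `forEach = lib.tfRef "{ for item in ${src} : \"${_key}\" => item }";` preserves the previous behaviour. I am assuming `toResource` snake-cases `forEach`/`orgId`/`isEmailVerified` to `for_each`/`org_id`/`is_email_verified`; if it does not, that hunk silently loses the `for_each` meta-argument as well. A one-line comment on `forEach` noting that `src` must be a Terraform reference (e.g. `local.extra_users`) and `key` a list of attribute names would help.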
@@ -427,24 +437,20 @@ in } |> withRef "org" org |> toResource "${org}_${name}" - )) - - // { - "extra_users" = { - for_each = lib.tfRef ''{ - for user in local.extra_users : - "''${user.org}_''${user.name}" => user - }''; - - org_id = lib.tfRef "local.orgs[each.value.org]"; - user_name = lib.tfRef "each.value.name"; + ) + |> append + [ + (forEach "local.extra_users" [ "org" "name" ] { + orgId = lib.tfRef "local.orgs[each.value.org]"; + userName = lib.tfRef "each.value.name"; email = lib.tfRef "each.value.email"; - first_name = lib.tfRef "each.value.firstName"; - last_name = lib.tfRef "each.value.lastName"; + firstName = lib.tfRef "each.value.firstName"; + lastName = lib.tfRef "each.value.lastName"; - is_email_verified = true; - }; - } + isEmailVerified = true; + } + |> toResource "extraUsers") + ] ; # Global user roles @@ -708,6 +714,12 @@ in restartUnits = [ "zitadelApplyTerraform.service" ]; }; }; + + templates = { + "users.yml" = { + + }; + }; }; }; } diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix index e200505..9cbbea0 100644 --- a/modules/nixos/services/backup/borg/default.nix +++ b/modules/nixos/services/backup/borg/default.nix @@ -10,13 +10,22 @@ in }; config = mkIf cfg.enable { + programs.ssh.extraConfig = '' + Host beheer.hazelhof.nl + Port 222 + User chris + AddressFamily inet + IdentityFile /home/chris/.ssh/id_ed25519 + ''; + services = { borgbackup.jobs = { media = { paths = "/var/media/test"; encryption.mode = "none"; - environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/media"; + # environment.BORG_SSH = "ssh -4 -i /home/chris/.ssh/id_ed25519"; + environment.BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; + repo = "ssh://beheer.hazelhof.nl//media"; compression = "auto,zstd"; startAt = "daily"; }; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 9d915da..1950bf0 100644 
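Review bot: The new `templates."users.yml" = { };` has no `content`, `owner` or `restartUnits`, so it presumably renders an empty template file and nothing consumes it. If it is a placeholder for the user list, mark it as such, `# TODO: render extra_users into this template`, or remove it until it is used.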
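Review bot: The commented-out line names `environment.BORG_SSH`, but the variable borg reads for its remote shell command is `BORG_RSH`, which is likely why the key never took effect and the settings were moved into a system-wide ssh config. `environment.BORG_RSH = "ssh -4 -p 222 -i /home/chris/.ssh/id_ed25519";` together with `repo = "ssh://chris@beheer.hazelhof.nl//media";` keeps the identity, port and user scoped to this job; `programs.ssh.extraConfig` instead applies the `Host` stanza, including `IdentityFile /home/chris/.ssh/id_ed25519`, to every user's ssh on the machine. The job runs as borg's default user (root) with a key taken from a user's home directory; a dedicated key for the backup job would separate those identities. `encryption.mode = "none"` plus `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK` stores the archives in clear on the remote host — if that is deliberate, say so in a comment next to it.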
--- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, namespace, config, ... }: +{ pkgs, lib, namespace, config, inputs, system, ... }: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media; + + arr = ["radarr" ]; in { options.${namespace}.services.media = { 
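Review bot: `arr = ["radarr" ];` lists only radarr, and the next hunk replaces the explicit `radarr`/`sonarr`/`lidarr`/`prowlarr` definitions with a map over this list, so sonarr, lidarr and prowlarr are no longer configured at all, while the homer hunks further down still link to ports 2002–2004 and the `if service != "prowlarr"` branch expects prowlarr to be present. If the reduction is temporary, say so, e.g. `# only radarr for now; sonarr/lidarr/prowlarr return once their terraform providers are wired up`; otherwise the dashboard entries and the prowlarr special case should go too.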
@@ -60,47 +62,48 @@ in "d '${cfg.path}/reiverr/config' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/incomplete' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/done' 0700 ${cfg.user} ${cfg.group} - -" + "d /var/lib/radarrApplyTerraform 0755 ${cfg.user} ${cfg.group} -" ]; #========================================================================= # Services #========================================================================= services = let - arrService = { - enable = true; - openFirewall = true; + arr-services = + arr + |> lib.imap (i: service: { + name = service; + value = { + enable = true; + openFirewall = true; - settings = { - auth.AuthenticationMethod = "External"; - }; - }; + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; - withPort = port: service: service // { settings.server.Port = builtins.toString port; }; + settings = { + auth.authenticationMethod = "External"; - withUserAndGroup = service: service // { - user = cfg.user; - group = cfg.group; - }; - in { - radarr = - arrService - |> withPort 2001 - |> withUserAndGroup; - - sonarr = - arrService - |> withPort 2002 - |> withUserAndGroup; - - lidarr = - arrService - |> withPort 2003 - |> withUserAndGroup; - - prowlarr = - arrService - |> withPort 2004; + server = { + bindaddress = "0.0.0.0"; + port = 2000 + i; + }; + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; + }; + } + // (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {}); + }) + |> lib.listToAttrs + ; + in + arr-services // { bazarr = { enable = true; openFirewall = true; @@ -146,6 +149,19 @@ in group = cfg.group; }; + postgresql = + let + databases = arr |> lib.concatMap (s: [ s "${s}-log" ]); + in + { + enable = true; + ensureDatabases = arr; + ensureUsers = arr |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + caddy = { enable = true; virtualHosts = { 
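Review bot: With `auth.authenticationMethod = "External"` the application trusts whatever sits in front of it, and the new explicit `server.bindaddress = "0.0.0.0"` together with the existing `openFirewall = true` makes port `2000 + i` reachable directly from the network, bypassing the caddy virtual host that is meant to enforce that authentication. Bind to loopback (`bindaddress = "127.0.0.1"`) and drop `openFirewall`, so only the proxy can reach the service. `postgres.port = "5432"` is a string while `server.port` is an int; whether the module accepts both I cannot tell from here, but one convention is easier to keep. A comment on `arr-services` naming the port scheme (`# ports are 2001, 2002, … in list order`) would help, since homer hard-codes those numbers.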
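Review bot: `databases = arr |> lib.concatMap (s: [ s "${s}-log" ])` is bound but never used — `ensureDatabases = arr` ignores it — while the service settings point `logdb` at the same database as `maindb`. Either drop the binding or use it (`ensureDatabases = databases;` and `logdb = "${service}-log"` in the service settings); note that `ensureDBOwnership = true` requires the database name to equal the user name, so a separate log database would need its own ownership handling.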
@@ -156,6 +172,136 @@ in }; }; + systemd.services.radarrApplyTerraform = + let + # this is a nix package, the generated json file to be exact + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { + inherit system; + + modules = [ + ({ config, lib, ... }: { + config = { + variable = { + api_key = { + type = "string"; + description = "Radarr api key"; + }; + }; + + terraform.required_providers.radarr = { + source = "devopsarr/radarr"; + version = "2.2.0"; + }; + + provider.radarr = { + url = "http://127.0.0.1:2001"; + api_key = lib.tfRef "var.api_key"; + }; + + resource = { + radarr_root_folder.local = { + path = "/var/media/movies"; + }; + }; + }; + }) + ]; + }; + in + { + description = "Radarr terraform apply"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "radarr.service" ]; + + script = '' + #!/usr/bin/env bash + + if [ "$(systemctl is-active radarr)" != "active" ]; then + echo "Radarr is not running" + exit 1 + fi + + # Sleep for a bit to give radarr the chance to start up + sleep 5s + + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + + # Copy infra code into workspace + cp -f ${terraformConfiguration} config.tf.json + + # Initialize OpenTofu + ${lib.getExe pkgs.opentofu} init + + # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan -var-file='${config.sops.templates."radarr/config.tfvars".path}' + ${lib.getExe pkgs.opentofu} apply -auto-approve -var-file='${config.sops.templates."radarr/config.tfvars".path}' + ''; + + serviceConfig = { + Type = "oneshot"; + User = cfg.user; + Group = cfg.group; + + WorkingDirectory = "/var/lib/radarrApplyTerraform"; + + EnvironmentFile = [ + config.sops.templates."radarr/config.env".path + ]; + }; + }; + systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; + + sops = { + secrets = + arr + |> lib.map (service: { + name = "${service}/apikey"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ 
"${service}.service" ]; + }; + }) + |> lib.listToAttrs + ; + + templates = + let + apikeys = + arr + |> lib.map (service: { + name = "${service}/config.env"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ "${service}.service" ]; + content = '' + ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + + tfvars = + arr + |> lib.map(service: { + name = "${service}/config.tfvars"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ "${service}ApplyTerraform.service" ]; + content = '' + api_key = "${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + in + apikeys // tfvars + ; + }; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 41535cd..79633ab 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -103,7 +103,7 @@ in type = "Radarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2001"; target = "_blank"; } @@ -112,7 +112,7 @@ in type = "Sonarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2002"; target = "_blank"; } @@ -121,7 +121,7 @@ in type = "Lidarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2003"; target = "_blank"; } 
@@ -130,7 +130,7 @@ in type = "Prowlarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2004"; target = "_blank"; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix new file mode 100644 index 0000000..097a36b --- /dev/null +++ b/modules/nixos/services/media/servarr/default.nix 
@@ -0,0 +1,214 @@ +{ pkgs, config, lib, namespace, inputs, system, ... }: +let + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption mkOption types; + + cfg = config.${namespace}.services.media.servarr; +in +{ + options.${namespace}.services.media = { + servarr = mkOption { + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + enable = mkEnableOption "Enable ${name}"; + debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} "; + + port = mkOption { + type = types.port; + }; + + rootFolders = mkOption { + type = types.listOf types.str; + default = []; + }; + }; + })); + default = {}; + }; + }; + + config = { + services = + cfg + |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable { + "${service}" = { + enable = true; + openFirewall = true; + + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; + + settings = { + auth.authenticationMethod = "External"; + + server = { + bindaddress = "0.0.0.0"; + port = port; + }; + + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; + }; + }; + })) + |> lib.mergeAttrsList + |> (set: set // { + postgres = { + ensureDatabases = cfg |> lib.attrNames; + ensureUsers = cfg |> lib.attrNames |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + }) + ; + + systemd = + cfg + |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { + tmpfiles.rules = [ + "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -" + ]; + + services."${service}ApplyTerraform" = + let + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { + inherit system; + + modules = [ + ({ config, lib, ... 
}: { + config = { + variable = { + api_key = { + type = "string"; + description = "${service} api key"; + }; + }; + + terraform.required_providers.${service} = { + source = "devopsarr/${service}"; + version = "2.2.0"; + }; + + provider.${service} = { + url = "http://127.0.0.1:${toString port}"; + api_key = lib.tfRef "var.api_key"; + }; + + resource = { + "${service}_root_folder" = + rootFolders + |> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; }) + |> lib.listToAttrs + ; + }; + }; + }) + ]; + }; + in + { + description = "${service} terraform apply"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "${service}.service" ]; + + script = '' + #!/usr/bin/env bash + + # Sleep for a bit to give the service a chance to start up + sleep 5s + + if [ "$(systemctl is-active ${service})" != "active" ]; then + echo "${service} is not running" + exit 1 + fi + + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + + # Copy infra code into workspace + cp -f ${terraformConfiguration} config.tf.json + + # Initialize OpenTofu + ${lib.getExe pkgs.opentofu} init + + # Run the infrastructure code + ${lib.getExe pkgs.opentofu} \ + ${if debug then "plan" else "apply -auto-approve"} \ + -var-file='${config.sops.templates."${service}/config.tfvars".path}' + ''; + + serviceConfig = { + Type = "oneshot"; + User = service; + Group = service; + + WorkingDirectory = "/var/lib/${service}ApplyTerraform"; + + EnvironmentFile = [ + config.sops.templates."${service}/config.env".path + ]; + }; + }; + })) + |> lib.mergeAttrsList + ; + + users.users = + cfg + |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { + "${service}".extraGroups = [ "media" ]; + })) + |> lib.mergeAttrsList + ; + + sops = + cfg + |> lib.mapAttrsToList (service: { enable, ... 
}: (mkIf enable { + secrets."${service}/apikey" = { + owner = service; + group = service; + restartUnits = [ "${service}.service" ]; + }; + + templates = { + "${service}/config.env" = { + owner = service; + group = service; + restartUnits = [ "${service}.service" ]; + content = '' + ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" + ''; + }; + + "${service}/config.tfvars" = { + owner = service; + group = service; + restartUnits = [ "${service}.service" ]; + content = '' + api_key = "${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }; + })) + |> lib.mergeAttrsList + ; + }; + + + # cfg + # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { + + # # sops = { + # # }; + # })) + # |> lib.mergeAttrsList + # ; +} diff --git a/modules/nixos/services/observability/uptime-kuma/default.nix b/modules/nixos/services/observability/uptime-kuma/default.nix new file mode 100644 index 0000000..c23977b --- /dev/null +++ b/modules/nixos/services/observability/uptime-kuma/default.nix @@ -0,0 +1,25 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.observability.uptime-kuma; +in +{ + options.${namespace}.services.observability.uptime-kuma = { + enable = mkEnableOption "enable uptime kuma"; + }; + + config = mkIf cfg.enable { + services.uptime-kuma = { + enable = true; + + settings = { + PORT = toString 9006; + HOST = "0.0.0.0"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9006 ]; + }; +} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index de50be7..abab566 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix 
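Review bot: `services`, `systemd`, `users.users` and `sops` are each built by mapping every entry to `mkIf enable { … }` and folding with `lib.mergeAttrsList`; `mkIf` returns an attrset of the shape `{ _type = "if"; condition; content; }`, so `//`-merging several of them keeps only the last one and the module system never sees the other services. Fold with `lib.mkMerge` instead and move the extra `postgres` block into its own list element, as sketched below. That `postgres` key should also read `postgresql` — the NixOS service is `services.postgresql`, as the media module uses — and it lacks `enable = true`. The tfvars template's `restartUnits` names `${service}.service` where the media module restarts `${service}ApplyTerraform.service`, which looks like a copy-paste slip, and the commented-out block at the end of the file is dead code. The ordering, lock-file and directory-mode points raised on the media module's `radarrApplyTerraform` apply to `${service}ApplyTerraform` here as well.
```nix
    services =
      cfg
      |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable {
        # … unchanged: per-service definition …
      }))
      |> (perService: lib.mkMerge (perService ++ [ {
        postgresql = {
          ensureDatabases = cfg |> lib.attrNames;
          ensureUsers = cfg |> lib.attrNames |> lib.map (service: {
            name = service;
            ensureDBOwnership = true;
          });
        };
      } ]))
      ;
```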
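Review bot: The port `9006` is written twice (`PORT = toString 9006` and `allowedTCPPorts = [ 9006 ]`), so changing one silently leaves the other open or closed; bind both to one `let port = 9006; in` value. `pkgs` is taken from the module arguments but unused. `HOST = "0.0.0.0"` with the firewall opened exposes the Uptime Kuma UI directly on the network; if it is meant to sit behind the caddy proxy like the other services, bind to loopback and leave the firewall closed.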
@@ -1,13 +1,87 @@ { pkgs, config, lib, namespace, ... }: let inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; + + databaseProviderSqlite = types.submodule ({ ... }: { + options = { + type = mkOption { + type = types.enum [ "sqlite" ]; + }; + + file = mkOption { + type = types.str; + description = ''''; + }; + }; + }); + + databaseProviderPostgresql = types.submodule ({ ... }: + let + urlOptions = lib.${namespace}.options.mkUrlOptions { + host = { + description = '' + Hostname of the postgresql server + ''; + }; + + port = { + default = 5432; + example = "5432"; + description = '' + Port of the postgresql server + ''; + }; + + protocol = mkOption { + default = "postgres"; + example = "postgres"; + }; + }; + in + { + options = { + type = mkOption { + type = types.enum [ "postgresql" ]; + }; + + sslMode = mkOption { + type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl + + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. 
| + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); + }); in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; + + database = mkOption { + type = types.oneOf [ + (types.addCheck databaseProviderSqlite (x: x ? type && x.type == "sqlite")) + (types.addCheck databaseProviderPostgresql (x: x ? type && x.type == "postgresql")) + null + ]; + default = null; + description = ''''; + }; }; config = mkIf cfg.enable { @@ -15,6 +89,8 @@ in "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; + # systemd.services.vaultwarden.wants = [ "zitadelApplyTerraform.service" ]; + services = { vaultwarden = { enable = true; @@ -26,8 +102,6 @@ in SIGNUPS_ALLOWED = false; DOMAIN = "https://vault.kruining.eu"; - ADMIN_TOKEN = ""; - DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; WEB_VAULT_ENABLED = true; @@ -41,9 +115,6 @@ in SSO_ORGANIZATIONS_REVOCATION = true; SSO_AUTHORITY = "https://auth.kruining.eu/"; SSO_SCOPES = "email profile offline_access"; - SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; - SSO_CLIENT_ID = "335178854421299459"; - SSO_CLIENT_SECRET = ""; ROCKET_ADDRESS = "::1"; ROCKET_PORT = 8222; @@ -53,10 +124,14 @@ in SMTP_PORT = 587; SMTP_SECURITY = "starttls"; SMTP_USERNAME = "chris@kruining.eu"; - SMTP_PASSWORD = ""; SMTP_FROM = "chris@kruining.eu"; SMTP_FROM_NAME = "Chris' Vaultwarden"; }; + + environmentFile = [ + "/var/lib/zitadel/clients/nix_ulmo_vaultwarden" + config.sops.templates."vaultwarden/config.env".path + ]; }; postgresql = { 
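Review bot: The `sslMode` enum in the postgresql submodule accepts `"disabled"`, but the libpq mode is spelled `disable` — the table quoted in the option's own description lists `disable`, and `db.sslMode` is later interpolated verbatim into the `sslmode=` query parameter of the connection URL, so the value chosen in the ulmo hunk of this patch (`sslMode = "disabled"`) is likely to be rejected by the client library rather than turn TLS off. Change the enum entry to `"disable"` and the host config to match. In the `database` option, `null` is listed as an element of `types.oneOf [ … ]`, which expects types, so evaluating the option type will most likely fail; write `type = types.nullOr (types.oneOf [ … ]);` instead. Both `description = '''';` values (the sqlite `file` option and the top-level `database` option) are empty; a sentence on what `file` points to and what `database = null` selects would make the options self-explaining.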
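Review bot: `environmentFile` now pulls `/var/lib/zitadel/clients/nix_ulmo_vaultwarden`, a file nothing in this module produces; the commented-out `systemd.services.vaultwarden.wants = [ "zitadelApplyTerraform.service" ]` a few lines earlier suggests another unit generates it, and without an `after`/`wants` ordering vaultwarden can start before the file exists and lose the values it carries. Either restore that ordering or add a comment naming the unit that writes the file and the keys it is expected to provide. Since the SSO client settings were removed from `settings` in the previous hunk, this file presumably holds the client secret, so its owner and mode matter too; that is outside this hunk.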
@@ -89,5 +164,54 @@ in }; }; }; + + sops = { + secrets = { + "vaultwarden/email" = { + owner = config.users.users.vaultwarden.name; + group = config.users.users.vaultwarden.name; + key = "email/chris_kruining_eu"; + restartUnits = [ "vaultwarden.service" ]; + }; + }; + + templates = { + "vaultwarden/config.env" = { + content = '' + SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}'; + ''; + owner = config.users.users.vaultwarden.name; + group = config.users.groups.vaultwarden.name; + }; + temp-db-output.content = + let + config = + cfg.database + |> ({ type, ... }@db: + if type == "sqlite" then + { inherit (db) type file; } + else if type == "postgresql" then + { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; + }; + }; + } + else + {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") + ; + in + '' + # GENERATED VALUES + ${config} + ''; + }; + }; }; } diff --git a/shells/default/default.nix b/shells/default/default.nix index 0361f88..1749c48 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -5,6 +5,8 @@ mkShell { bash sops just + yq + pwgen inputs.clan-core.packages.x86_64-linux.clan-cli ]; } \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 8bb5cea..0310818 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
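Review bot: The `temp-db-output` template emits keys built with `toUpper n`, i.e. `TYPE=…` and `URL=…`, while Vaultwarden reads its connection string from `DATABASE_URL`, and the template's path is not listed in `environmentFile` — so after `DATABASE_URL` was dropped from `settings` in the `@@ -26,8 +102,6 @@` hunk, nothing visible in this patch delivers the postgres URL to the service. Map `url` to `DATABASE_URL` explicitly and add the template to `environmentFile`, or mark the template with a `# TODO` comment if it is the work in progress its name suggests. In the `vaultwarden/config.env` template, `SMTP_PASSWORD='…';` carries a trailing `;` outside the quotes, which an env-file parser will either append to the password or reject; drop it: `SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}'`.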
@@ -147,15 +147,56 @@ media.enable = true; media.homer.enable = true; media.nfs.enable = true; + media.servarr = { + # radarr = { + # port = 2001; + # }; + + sonarr = { + enable = true; + # debug = true; + port = 2002; + rootFolders = [ + "/var/media/series" + ]; + }; + + lidarr = { + enable = true; + debug = true; + port = 2003; + rootFolders = [ + "/var/media/music" + ]; + }; + + prowlarr = { + enable = true; + debug = true; + port = 2004; + }; + }; observability = { grafana.enable = true; prometheus.enable = true; loki.enable = true; promtail.enable = true; + # uptime-kuma.enable = true; }; - security.vaultwarden.enable = true; + security.vaultwarden = { + enable = true; + database = { + # type = "sqlite"; + # file = "/var/lib/vaultwarden/state.db"; + + type = "postgresql"; + host = "localhost"; + port = 5432; + sslMode = "disabled"; + }; + }; }; editor = { From 8da8f78ea4150561865a757d86c89d6a9defe226 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 27 Nov 2025 11:15:49 +0100 Subject: [PATCH 173/174] trying some stuff --- .../services/persistance/convex/default.nix | 21 +++ .../services/persistance/convex/source.nix | 149 ++++++++++++++++++ packages/convex/default.nix | 59 +++++++ systems/x86_64-linux/ulmo/default.nix | 2 + 4 files changed, 231 insertions(+) create mode 100644 modules/nixos/services/persistance/convex/default.nix create mode 100644 modules/nixos/services/persistance/convex/source.nix create mode 100644 packages/convex/default.nix diff --git a/modules/nixos/services/persistance/convex/default.nix b/modules/nixos/services/persistance/convex/default.nix new file mode 100644 index 0000000..3e01c59 --- /dev/null +++ b/modules/nixos/services/persistance/convex/default.nix 
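Review bot: `debug = true` is set for `lidarr` and `prowlarr` while `sonarr` has it commented out; in the servarr module at the top of this patch, `debug` switches the OpenTofu step from `apply -auto-approve` to `plan`, so if that is its meaning here the root folders for those two services are never actually applied on the host. If that is intentional while the module is being tried out, a comment next to the two `debug = true` lines, e.g. `# plan only — flip to apply once the provider config is trusted`, would save the next reader from hunting for the flag's meaning. The `sslMode = "disabled"` value in the vaultwarden block is discussed in the note on the vaultwarden module hunk.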
@@ -0,0 +1,21 @@
+{ config, pkgs, lib, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.services.persistance.convex;
+in
+{
+ imports = [ ./source.nix ];
+
+ options.${namespace}.services.persistance.convex = {
+ enable = mkEnableOption "enable Convex";
+ };
+
+ config = mkIf cfg.enable {
+ services.convex = {
+ enable = true;
+ package = pkgs.${namespace}.convex;
+ secret = "ThisIsMyAwesomeSecret";
+ };
+ };
+}
diff --git a/modules/nixos/services/persistance/convex/source.nix b/modules/nixos/services/persistance/convex/source.nix
new file mode 100644
index 0000000..c56e3ab
--- /dev/null
+++ b/modules/nixos/services/persistance/convex/source.nix
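Review bot: `secret = "ThisIsMyAwesomeSecret";` hard-codes the Convex instance secret in a committed Nix file; because the module option is a plain `types.str`, the value is rendered into the world-readable unit file in the Nix store, and it is now also part of the git history. The rest of this patch set already manages Vaultwarden and servarr credentials through `config.sops.secrets` and `config.sops.templates`, so the same mechanism fits here — keep the secret in sops and have the `services.convex` module consume a file path rather than a string. If the literal is only a placeholder for experimenting, a `# TODO: replace with a sops-managed secret before deploying` comment would stop it from being shipped as is.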
@@ -0,0 +1,149 @@
+{ config, pkgs, lib, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types;
+
+ cfg = config.services.convex;
+
+ default_user = "convex";
+ default_group = "convex";
+in
+{
+ options.services.convex = {
+ enable = mkEnableOption "enable Convex (backend only for now)";
+
+ package = mkPackageOption pkgs "convex" {};
+
+ name = lib.mkOption {
+ type = types.str;
+ default = "convex";
+ description = ''
+ Name for the instance.
+ '';
+ };
+
+ secret = lib.mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Secret for the instance.
+ '';
+ };
+
+ apiPort = mkOption {
+ type = types.port;
+ default = 3210;
+ description = ''
+ The TCP port to use for the API.
+ '';
+ };
+
+ actionsPort = mkOption {
+ type = types.port;
+ default = 3211;
+ description = ''
+ The TCP port to use for the HTTP actions.
+ '';
+ };
+
+ dashboardPort = mkOption {
+ type = types.port;
+ default = 6791;
+ description = ''
+ The TCP port to use for the Dashboard.
+ '';
+ };
+
+ openFirewall = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open ports in the firewall for the server.
+ '';
+ };
+
+ user = lib.mkOption {
+ type = types.str;
+ default = default_user;
+ description = ''
+ As which user to run the service.
+ '';
+ };
+
+ group = lib.mkOption {
+ type = types.str;
+ default = default_group;
+ description = ''
+ As which group to run the service.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.secret != "";
+ message = ''
+ No secret provided for convex
+ '';
+ }
+ ];
+
+ users = {
+ users.${cfg.user} = {
+ description = "System user for convex service";
+ isSystemUser = true;
+ group = cfg.group;
+ };
+
+ groups.${cfg.group} = {};
+ };
+
+ networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ];
+
+ environment.systemPackages = [ cfg.package ];
+
+ systemd.services.convex = {
+ description = "Convex Backend server";
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}";
+ Type = "notify";
+
+ User = cfg.user;
+ Group = cfg.group;
+
+ RuntimeDirectory = "convex";
+ RuntimeDirectoryMode = "0775";
+ StateDirectory = "convex";
+ StateDirectoryMode = "0775";
+ Umask = "0077";
+
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ };
+ };
+ };
+}
diff --git a/packages/convex/default.nix b/packages/convex/default.nix
new file mode 100644
index 0000000..9dab056
--- /dev/null
+++ b/packages/convex/default.nix
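Review bot: `ExecStart = "${cfg.package}/bin --instance-name …"` points at the package's `bin` directory rather than an executable, so exec fails at start; use `${lib.getExe cfg.package}`, which requires the package's `meta.mainProgram` to name the binary actually built (`convex-local-backend` per its `cargoBuildFlags`). Passing `--instance-secret ${cfg.secret}` on the command line writes the secret into the unit file in the Nix store and exposes it in the process list; a `secretFile` option delivered through `LoadCredential` and a small wrapper reading `$CREDENTIALS_DIRECTORY` would keep it out of both, assuming the backend can take the secret from a file or the environment — that should be confirmed before changing the option. Two smaller defects in the same `config` block: `optional cfg.openFirewall [ … ]` wraps the port list in another list, so `networking.firewall.allowedTCPPorts` receives a nested list — use `optionals`; and the systemd directive is spelled `UMask`, so `Umask = "0077"` is ignored (and `0077` contradicts the `0775` directory modes beside it, which deserves a comment either way).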
@@ -0,0 +1,59 @@ +{ + lib, + stdenv, + rustPlatform, + fetchFromGitHub, + + # dependencies + openssl, + pkg-config, + cmake, + llvmPackages, + postgresql, + sqlite, + + #options + dbBackend ? "postgresql", + + ... +}: +rustPlatform.buildRustPackage rec { + pname = "convex"; + version = "2025-08-20-c9b561e"; + + src = fetchFromGitHub { + owner = "get-convex"; + repo = "convex-backend"; + rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555"; + hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0="; + }; + + cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho="; + + cargoBuildFlags = [ + "-p" "local_backend" + "--bin" "convex-local-backend" + ]; + + env = { + LIBCLANG_PATH = "${llvmPackages.libclang}/lib"; + }; + + strictDeps = true; + + # Build-time dependencies + nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ]; + + # Run-time dependencies + buildInputs = + [ openssl ] + ++ lib.optional (dbBackend == "sqlite") sqlite + ++ lib.optional (dbBackend == "postgresql") postgresql; + + buildFeatures = ""; + + meta = with lib; { + license = licenses.fsl11Asl20; + mainProgram = "convex"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0310818..cb8f9cc 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -185,6 +185,8 @@ # uptime-kuma.enable = true; }; + persistance.convex.enable = true; + security.vaultwarden = { enable = true; database = { From ccef5caba0e9c199408b93a16bbc9cf4e7bbb56e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 27 Nov 2025 11:44:18 +0100 Subject: [PATCH 174/174] feat: improve justfiles --- .just/machine.just | 17 ++++++++++------- .just/vars.just | 47 ++++++++++++++++++++++------------------------ .justfile | 45 +++++++++++++++++++++++++------------------- 3 files changed, 58 insertions(+), 51 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index cbdf345..3e3ba14 100644 
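Review bot: `meta.mainProgram = "convex"` names a binary the derivation does not build — `cargoBuildFlags` selects `--bin convex-local-backend` — so `lib.getExe` on this package yields a path that does not exist; set `mainProgram = "convex-local-backend"` or add a `postInstall` symlink from `convex` to it. `buildFeatures = "";` works only because the empty string is a no-op; the attribute is documented as a list, so write `[ ]` or drop it. `meta` would also benefit from `description` and `platforms`, and the `dbBackend ? "postgresql"` parameter deserves a comment on why postgres is the default when the NixOS module in this same commit never passes it.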
--- a/.just/machine.just +++ b/.just/machine.just @@ -1,11 +1,14 @@ -@_default: list +set unstable := true +set quiet := true + +_default: list [doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ +list: + ls -1 ../systems/x86_64-linux/ -[no-exit-message] [doc('Update the target machine')] -@update machine: - just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file +[no-exit-message] +update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} diff --git a/.just/vars.just b/.just/vars.just index d8bd181..230f00c 100644 --- a/.just/vars.just +++ b/.just/vars.just 
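Review bot: `set unstable := true` / `set quiet := true` here and in the `vars.just` hunk use the `:= true` form, while the `.justfile` hunk in the same commit writes the bare `set unstable` / `set quiet`; both parse, but one spelling across the three files reads better. Separately, `{{ machine }}` is interpolated unquoted into both shell lines of `update`; a name containing whitespace breaks the `-d` test and the `--target-host` argument, so `--target-host '{{ machine }}' --flake '..#{{ machine }}'` gives a cleaner failure mode.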
@@ -1,36 +1,33 @@ -set unstable +set unstable := true +set quiet := true base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" -sops := "sops" -yq := "yq" -@_default: - just --list +_default: + just --list [doc('list all vars of the target machine')] list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml - + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + +edit machine: + sops edit {{ base_path }}/{{ machine }}/secrets.yml + @set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - echo "Done" - -@get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - -@remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + echo "Done" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null +get machine key: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq 
".$(echo "{{ key }}" | sed -E 's/\//./g')" - echo "Done" \ No newline at end of file +remove machine key: + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" diff --git a/.justfile b/.justfile index 3a15d20..1937f04 100644 --- a/.justfile +++ b/.justfile 
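Review bot: `@set machine key value:` keeps the `@` prefix although `set quiet := true` was just added and every other recipe in this file dropped it; make it `set machine key value:` for consistency. The `value` argument also travels through the shell: it lands in the caller's shell history, and via `echo '{{ value }}'` a value containing a single quote breaks the command — reading the secret from stdin (`read -rs`) or from a file would keep it out of argv and sidestep the quoting. `base_path := invocation_directory() / "systems/x86_64-linux"` resolves relative to wherever `just` was run, while `machine.just` uses `../systems/x86_64-linux` relative to the module, so the two modules presumably behave differently when invoked from a subdirectory; pick one convention.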
@@ -1,33 +1,40 @@ -@_default: - just --list --list-submodules +_default: + just --list --list-submodules + +set unstable +set quiet -[doc('Manage vars')] mod vars '.just/vars.just' - -[doc('Manage machines')] mod machine '.just/machine.just' [doc('Show information about project')] -@show: - echo "show" +show: + echo "show" [doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" +update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" + +[doc('Rebase branch on main')] +rebase: + git stash -q \ + && git fetch \ + && git rebase origin/main \ + && git stash pop -q + + echo "Done" [doc('Introspection on flake output')] -@select key: - nix eval --json .#{{ key }} | jq . - - +select key: + nix eval --json .#{{ key }} | jq . #=============================================================================================== # Utils -#=============================================================================================== -[no-exit-message] +# =============================================================================================== [no-cd] +[no-exit-message] [private] -@assert condition message: - [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file +assert condition message: + [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; }
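Review bot: The new `rebase` recipe chains `git stash -q && … && git stash pop -q`; when the working tree is clean, `git stash` exits 0 without creating an entry, and the final `git stash pop` then pops whatever older stash the user had, silently applying unrelated changes. `git fetch && git rebase --autostash origin/main` performs the stash/rebase/pop only when there is something to stash and needs no manual pop. A short comment on the recipe, `# stashes local changes only if present, then rebases`, would document the intended behavior.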