diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml new file mode 100644 index 0000000..684cfad --- /dev/null +++ b/.forgejo/workflows/action.yml @@ -0,0 +1,15 @@ +name: Test action + +on: + workflow_dispatch: + push: + branches: + - main + +jobs: + kaas: + runs-on: nix + steps: + - name: Echo + run: | + nix --version \ No newline at end of file diff --git a/.gitignore b/.gitignore index 87a3018..3cb44c3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,8 @@ +# ---> Nix +# Ignore build outputs from performing a nix-build or `nix build` command result -*.qcow2 +result-* + +# Ignore automatically generated direnv output +.direnv + diff --git a/.sops.yml b/.sops.yml index 2d6e291..96e09c3 100644 --- a/.sops.yml +++ b/.sops.yml @@ -1,57 +1,8 @@ keys: - - home: - - &chris age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - - system: - - &aule age - - &mandos age - - &manwe age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - - &melkor age - - &orome age - - &tulkas age - - &varda age - - &yavanna age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy creation_rules: - #=================================================================== - # HOSTS - #=================================================================== - - path_regex: systems/x86_64-linux/aule/secrets.yaml$ - age: *aule - - - path_regex: systems/x86_64-linux/mandos/secrets.yaml$ - age: *mandos - - - path_regex: systems/x86_64-linux/manwe/secrets.yaml$ + - path_regex: secrets/secrets.yml$ key_groups: - - age: - - *manwe - - *yavanna - - - path_regex: systems/x86_64-linux/melkor/secrets.yaml$ - age: *melkor - - - path_regex: systems/x86_64-linux/orome/secrets.yaml$ - age: *orome - - - path_regex: systems/x86_64-linux/tulkas/secrets.yaml$ - age: *tulkas - - - path_regex: systems/x86_64-linux/varda/secrets.yaml$ - age: *varda - - - path_regex: systems/x86_64-linux/yavanna/secrets.yaml$ - age: *yavanna - - #=================================================================== - # USERS - #=================================================================== - - path_regex: homes/x86_64-linux/chris@\w+/secrets.yaml$ - age: *chris - - - - - - - - + - age: + - *primary diff --git a/README.md b/README.md index db11887..2eb75c9 100644 --- a/README.md +++ b/README.md @@ -18,5 +18,4 @@ nix build .#install-isoConfigurations.minimal - [dafitt/dotfiles](https://github.com/dafitt/dotfiles/) - [khaneliman/khanelinix](https://github.com/khaneliman/khanelinix) -- [alex007sirois/nix-config](https://github.com/alex007sirois/nix-config) (justfile) - [hmajid2301/nixicle](https://gitlab.com/hmajid2301/nixicle) (the GOAT, he did what I am aiming for!) \ No newline at end of file diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml new file mode 100644 index 0000000..78b1a8c --- /dev/null +++ b/_secrets/secrets.yaml @@ -0,0 +1,30 @@ +#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment] +example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str] +#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment] +#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment] +example: + my_subdir: + my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR + ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz + YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB + dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR + Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-09T11:37:49Z" + mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 + +zitadel: + masterKey: thisWillBeAnEncryptedValueInTheFuture diff --git a/flake.lock b/flake.lock index ef769ed..51907f8 100644 --- a/flake.lock +++ b/flake.lock @@ -67,37 +67,17 @@ "type": "github" } }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", - "owner": "nix-community", - "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, "erosanix": { "inputs": { "flake-compat": "flake-compat", "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1753879613, - "narHash": "sha256-oYhCJSAIZiu3maM2q6JBzh0+MYd4KTaq5eNFIstUurE=", + "lastModified": 1756593129, + "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "0ad38bd182cd737f0f4b878ea04cb3676ecd4000", + "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd", "type": "github" }, "original": { @@ -114,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1754290399, - "narHash": "sha256-KwYm1/FeLqP9uE4Sbw+j2nI2/ErNbc9Mn+LPcrEOpX0=", + "lastModified": 1756622179, + "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=", "owner": "nix-community", "repo": "fenix", - "rev": "f53ddf7518d85d59b58df6e9955b25b0ac25f569", + "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79", "type": "github" }, "original": { @@ -134,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1754311269, - "narHash": "sha256-y84Q8qS5acSxl3QsLLGs4DboPhM/AYUMiTsJJZwmQxY=", + "lastModified": 1756643456, + "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "5a6856f353975206aec02373c18e8cea3fa6bb75", + "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e", "type": "github" }, "original": { @@ -250,11 +230,11 @@ ] }, "locked": { - "lastModified": 1753121425, - "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", "type": "github" }, "original": { @@ -431,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1753279958, - "narHash": "sha256-EJ1udnwKYgWeAJzncAccbLPtbSWiuIANryXTGI9nY6w=", + "lastModified": 1756381920, + "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "6c26f99622cb1c705b3fe2dbe1eb88521096b25a", + "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7", "type": "github" }, "original": { @@ -452,11 +432,11 @@ ] }, "locked": { - "lastModified": 1754075821, - "narHash": "sha256-ihlkNqYsNgJPCDOE2LPpUl/ww3LBKfsxeWs2sivhb10=", + "lastModified": 1756413980, + "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "f77821437959ecd67f2fb2b1266e5a644a46d149", + "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a", "type": "github" }, "original": { @@ -472,11 +452,32 @@ ] }, "locked": { - "lastModified": 1754263839, - "narHash": "sha256-ck7lILfCNuunsLvExPI4Pw9OOCJksxXwozum24W8b+8=", + "lastModified": 1756650373, + "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=", "owner": "nix-community", "repo": "home-manager", - "rev": "1d7abbd5454db97e0af51416f4960b3fb64a4773", + "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "zen-browser", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1756842514, + "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", "type": "github" }, "original": { @@ -493,11 +494,11 @@ ] }, "locked": { - "lastModified": 1754110197, - "narHash": "sha256-N7GWK2084EsNdwzwg6FCIgMrSau1WwzxGSNdPHx5Tak=", + "lastModified": 1756638688, + "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "04ce5c103eb621220d69102bc0ee27c3abd89204", + "rev": "e7b8679cba79f4167199f018b05c82169249f654", "type": "github" }, "original": { @@ -512,11 +513,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1754223384, - "narHash": "sha256-pewBF80b4slivTMSeONyOPceyzUUlBLpVOxlGf0hFEY=", + "lastModified": 1754828166, + "narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "2d6fee65844e851060a6817984248bcf8358c6b0", + "rev": "f01c8d121a3100230612be96e4ac668e15eafb77", "type": "github" }, "original": { @@ -527,11 +528,11 @@ }, "mnw": { "locked": { - "lastModified": 1748710831, - "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=", + "lastModified": 1756580127, + "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=", "owner": "Gerg-L", "repo": "mnw", - "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d", + "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252", "type": "github" }, "original": { @@ -569,11 +570,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1754274768, - "narHash": "sha256-bI+Z15bpec7VEnxkrqOG+JX0bFa9CnVeg/uiaf8iiS0=", + "lastModified": 1756518625, + "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "b54894d44fbe4d29c081ade695ffdb07bb21b322", + "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19", "type": "github" }, "original": { @@ -641,11 +642,11 @@ ] }, "locked": { - "lastModified": 1754260137, - "narHash": "sha256-IViMH6Fwj8nwO1nuYCqOTpjm9OK9rQ0w8nmoOwPlo98=", + "lastModified": 1755261305, + "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "57ba096649fa4e12dc564e8e3c529255baf89b35", + "rev": "203a7b463f307c60026136dd1191d9001c43457f", "type": "github" }, "original": { @@ -656,11 +657,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751186460, - "narHash": "sha256-tSnI50oYaXOi/SFUmJC+gZ2xE9pAhTnV0D2/3JoKL7g=", + "lastModified": 1754002724, + "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dd5540905b1a13176efa13fa2f8dac776bcb275a", + "rev": "8271ed4b2e366339dd622f329151e45745ade121", "type": "github" }, "original": { @@ -672,11 +673,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754184128, - "narHash": "sha256-AjhoyBL4eSyXf01Bmc6DiuaMrJRNdWopmdnMY0Pa/M0=", + "lastModified": 1754788789, + "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "02e72200e6d56494f4a7c0da8118760736e41b60", + "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", "type": "github" }, "original": { @@ -703,11 +704,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1754284898, - "narHash": "sha256-wzM6HN0xxyooekXfl7p5P4Bn0LieOKOfsLg4DqY7XLk=", + "lastModified": 1756578978, + "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=", "owner": "nixos", "repo": "nixpkgs", - "rev": "114484ca7213ac06fa7907e58dd8ef9d801d39f0", + "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23", "type": "github" }, "original": { @@ -735,11 +736,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1754315431, - "narHash": "sha256-fnVgd+mIJeR/fsaJB11KcTFjoJzLZNglLjVRtAzwcUI=", + "lastModified": 1756653691, + "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "66023e4de2495a69792a2b72bd131358b824d2e3", + "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b", "type": "github" }, "original": { @@ -767,11 +768,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1754214453, - "narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=", + "lastModified": 1756542300, + "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376", + "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", "type": "github" }, "original": { @@ -783,11 +784,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1753432016, - "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", + "lastModified": 1756536218, + "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", + "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1", "type": "github" }, "original": { @@ -863,11 +864,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1754137146, - "narHash": "sha256-V2AE32tLNvtYVBuc8ZRbkGjAZGsJchFbNVd6v5JXvg8=", + "lastModified": 1756646417, + "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=", "owner": "notashelf", "repo": "nvf", - "rev": "16d396f039ffefabf93b7b3261e2a17e2f84439b", + "rev": "939fb8cfc630190cd5607526f81693525e3d593b", "type": "github" }, "original": { @@ -886,11 +887,11 @@ ] }, "locked": { - "lastModified": 1754241118, - "narHash": "sha256-nsBBqbAFB7lUYIh6S6l7fQ/ALDhCckp7+rqbY2767uE=", + "lastModified": 1756632588, + "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "968109159b4bbe4386ac281272ddcebeef09ebfc", + "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", "type": "github" }, "original": { @@ -901,7 +902,6 @@ }, "root": { "inputs": { - "disko": "disko", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", @@ -926,11 +926,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1754218780, - "narHash": "sha256-M+bLCsYRYA7iudlZkeOf+Azm/1TUvihIq51OKia6KJ8=", + "lastModified": 1756597274, + "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8d75311400a108d7ffe17dc9c38182c566952e6e", + "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30", "type": "github" }, "original": { @@ -967,11 +967,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", "type": "github" }, "original": { @@ -999,11 +999,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1754264048, - "narHash": "sha256-Yg1W0sFhBpnglfhWGlFmxzSmte1F157luHAADp5Hguk=", + "lastModified": 1755997543, + "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=", "owner": "nix-community", "repo": "stylix", - "rev": "1b5e1c5642cf96e07daf14ae4c5ddd23d7ed5623", + "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8", "type": "github" }, "original": { @@ -1185,18 +1185,19 @@ }, "zen-browser": { "inputs": { + "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1727721329, - "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", - "owner": "MarceColl", + "lastModified": 1756876659, + "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=", + "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", + "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529", "type": "github" }, "original": { - "owner": "MarceColl", + "owner": "0xc000022070", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index fa4895c..60e9853 100644 --- a/flake.nix +++ b/flake.nix @@ -9,11 +9,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - disko = { - url = "github:nix-community/disko"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; @@ -29,14 +24,14 @@ url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - - nixos-wsl = { - url = "github:nix-community/nixos-wsl"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-compat.follows = ""; - }; - }; + + # neovim + nvf.url = "github:notashelf/nvf"; + + # plymouth theme + nixos-boot.url = "github:Melkor333/nixos-boot"; + + firefox.url = "github:nix-community/flake-firefox-nightly"; stylix.url = "github:nix-community/stylix"; @@ -46,13 +41,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - # neovim - nvf.url = "github:notashelf/nvf"; - - # plymouth theme - nixos-boot.url = "github:Melkor333/nixos-boot"; - - zen-browser.url = "github:MarceColl/zen-browser-flake"; + zen-browser.url = "github:0xc000022070/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -74,10 +63,18 @@ url = "github:Jovian-Experiments/Jovian-NixOS"; inputs.nixpkgs.follows = "nixpkgs"; }; - + grub2-themes = { url = "github:vinceliuice/grub2-themes"; }; + + nixos-wsl = { + url = "github:nix-community/nixos-wsl"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-compat.follows = ""; + }; + }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { @@ -96,8 +93,15 @@ channels-config = { allowUnfree = true; permittedInsecurePackages = [ + # Due to *arr stack "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" + + # I think this is because of zen + "qtwebengine-5.15.19" + + # For Nheko, the matrix client + "olm-3.2.16" ]; }; @@ -106,10 +110,10 @@ nix-minecraft.overlay flux.overlays.default ]; - + homes.modules = with inputs; [ stylix.homeModules.stylix - plasma-manager.homeManagerModules.plasma-manager + plasma-manager.homeModules.plasma-manager ]; }; } diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index cd6fa1a..abeb606 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -35,6 +35,7 @@ bitwarden.enable = true; discord.enable = true; ladybird.enable = true; + nheko.enable = true; obs.enable = true; onlyoffice.enable = true; signal.enable = true; diff --git a/homes/x86_64-linux/chris@manwe/secrets.yaml b/homes/x86_64-linux/chris@manwe/secrets.yaml deleted file mode 100644 index 0af2506..0000000 --- a/homes/x86_64-linux/chris@manwe/secrets.yaml +++ /dev/null @@ -1,21 +0,0 @@ -user_level_secrets: ENC[AES256_GCM,data:TNT+via+r4bpgROz,iv:cVO6/r4Aovr5uJFhU87mE5XwRJ518y4OJdHo4m92ahM=,tag:jYInD+euh7k1zSnMRppI5Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYVRQTEVSMWM3WXY3eTdW - ZkUwSnNidlJwWGVETURpNUJRRUllYXo4WjNvCmxmN21qVzNFV3N4UVR6WEV1am1W - eW1KTk9HVDluek1BUnBmSGI3Y2ZqaDQKLS0tIHlMYldYMTVORVNWbEgrWlBSanRM - bUZiMHlOU3pxYUhQSTREb0l4TmFlOEkKiasV2H481aJzAvEAvyeWqGYDOW+WKRFX - yyocZDo0o1lHz/gNXoC0/ujU+O3rSXdsy6Qdz6Rm+xeFUfe4KoD4bg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-11T13:21:38Z" - mac: ENC[AES256_GCM,data:kfMcZuYuQqxxfqtyfH7DltSkq8YNz+vroB+ZQKTIpCNC/W6vJP1o23/xLRzdnEgnnH5GfgZQFAK8Am00/bUD2BgEPyXxXNf1lG70ocFbRM9htii92BFfHgfi25zlEqCO7yrudm1HEJyYrFbZnT63H6u1OgWSC38CzEZTBsCE0kU=,iv:feWGBau48s2GSvZjnKPfP2z46SBuHbh//4zzcLv+MTY=,tag:D86akwawLxobhEu2AvBFKg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.4 diff --git a/justfile b/justfile deleted file mode 100644 index 70450dd..0000000 --- a/justfile +++ /dev/null @@ -1,24 +0,0 @@ -[private] -default: - @just -l - -[doc('Update flake dependencies')] -update: - nix flake update - -[doc('install nixos on a system (uses nix-anywhere) -> profile: Which profile to use -> host: How to reach the target system in the standard format of `user@host` -')] -install profile host: - nix run nixpkgs#nixos-anywhere -- \ - --flake .#{{profile}} \ - --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \ - {{host}} - -[doc('builds the configuration for the host')] -build host: - nh os build . -H {{host}} - -edit-secrets target: - sops --config "{{justfile_directory()}}/.sops.yml" edit "{{justfile_directory()}}/{{ if target =~ ".+@.+" { "homes" } else { "systems" } }}/x86_64-linux/{{target}}/secrets.yaml" \ No newline at end of file diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix new file mode 100644 index 0000000..b04b375 --- /dev/null +++ b/modules/home/application/nheko/default.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, namespace, osConfig ? {}, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.nheko; +in +{ + options.${namespace}.application.nheko = { + enable = mkEnableOption "enable nheko (matrix client)"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ nheko ]; + }; +} diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index ad4cb92..4995216 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -5,13 +5,15 @@ let cfg = config.${namespace}.application.zen; in { + imports = [ + inputs.zen-browser.homeModules.default + ]; + options.${namespace}.application.zen = { enable = mkEnableOption "enable zen"; }; config = mkIf cfg.enable { - home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ]; - home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; @@ -20,20 +22,42 @@ in policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; + + AppAutoUpdate = false; DisableAppUpdate = true; + ManualAppUpdateOnly = true; + DisableFeedbackCommands = true; DisableFirefoxStudies = true; DisablePocket = true; DisableTelemetry = true; - # DontCheckDefaultBrowser = false; + + DontCheckDefaultBrowser = false; NoDefaultBookmarks = true; - # OfferToSaveLogins = false; + OfferToSaveLogins = false; EnableTrackingProtection = { Value = true; Locked = true; Cryptomining = true; Fingerprinting = true; }; + + HttpAllowlist = [ + "http://ulmo" + ]; + }; + + policies.ExtensionSettings = let + mkExtension = id: { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi"; + installation_mode = "force_installed"; + }; + in + { + ublock_origin = 4531307; + ghostry = 4562168; + bitwarden = 4562769; + sponsorblock = 4541835; }; }; }; diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix index 93bae2e..5f3be03 100644 --- a/modules/home/home-manager/default.nix +++ b/modules/home/home-manager/default.nix @@ -4,7 +4,9 @@ let in { systemd.user.startServices = "sd-switch"; - programs.home-manager.enable = true; + programs.home-manager = { + enable = true; + }; home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); -} \ No newline at end of file +} diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix new file mode 100644 index 0000000..1a5a964 --- /dev/null +++ b/modules/nixos/home-manager/default.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + config = { + home-manager.backupFileExtension = "back"; + }; +} diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia/default.nix similarity index 90% rename from modules/nixos/services/authentication/authelia.nix rename to modules/nixos/services/authentication/authelia/default.nix index e706439..9990003 100644 --- a/modules/nixos/services/authentication/authelia.nix +++ b/modules/nixos/services/authentication/authelia/default.nix @@ -130,6 +130,23 @@ in scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; } + { + client_id = "forgejo"; + client_name = "forgejo"; + # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F + client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg"; + public = false; + require_pkce = true; + pkce_challenge_method = "S256"; + token_endpoint_auth_method = "client_secret_post"; + authorization_policy = "one_factor"; + userinfo_signed_response_alg = "none"; + consent_mode = "implicit"; + scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; + response_types = [ "code" ]; + grant_types = [ "authorization_code" ]; + redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; + } ]; }; }; diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix deleted file mode 100644 index c157af7..0000000 --- a/modules/nixos/services/authentication/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: {} diff --git a/modules/nixos/services/authentication/himmelblau.nix b/modules/nixos/services/authentication/himmelblau/default.nix similarity index 100% rename from modules/nixos/services/authentication/himmelblau.nix rename to modules/nixos/services/authentication/himmelblau/default.nix diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel.nix deleted file mode 100644 index 6142857..0000000 --- a/modules/nixos/services/authentication/zitadel.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.authentication.zitadel; - - db_name = "zitadel"; - db_user = "zitadel"; -in -{ - options.${namespace}.services.authentication.zitadel = { - enable = mkEnableOption "Zitadel"; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - zitadel - ]; - - services = { - zitadel = { - enable = true; - openFirewall = true; - masterKeyFile = config.sops.secrets."zitadel/masterKey".path; - tlsMode = "external"; - settings = { - Port = 9092; - Database = { - Host = "/run/postgresql"; - # Zitadel will report error if port is not set - Port = 5432; - Database = db_name; - User.Username = db_user; - }; - }; - steps = { - TestInstance = { - InstanceName = "Zitadel test"; - Org = { - Name = "Kruining.eu"; - Human = { - UserName = "admin"; - Password = "kaas"; - }; - }; - }; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - }; - - caddy = { - enable = true; - virtualHosts = { - "auth-z.kruining.eu".extraConfig = '' - reverse_proxy h2c://127.0.0.1:9092 - ''; - }; - # extraConfig = '' - # (auth) { - # forward_auth h2c://127.0.0.1:9092 { - # uri /api/authz/forward-auth - # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - # } - # } - # ''; - }; - }; - - # Secrets - sops.secrets."zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; - }; - }; -} diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix new file mode 100644 index 0000000..2f65f6f --- /dev/null +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -0,0 +1,142 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.authentication.zitadel; + + db_name = "zitadel"; + db_user = "zitadel"; +in +{ + options.${namespace}.services.authentication.zitadel = { + enable = mkEnableOption "Zitadel"; + }; + + config = mkIf cfg.enable { + ${namespace}.services.persistance.postgresql.enable = true; + + environment.systemPackages = with pkgs; [ + zitadel + ]; + + services = { + zitadel = { + enable = true; + openFirewall = true; + # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + masterKeyFile = "/var/lib/zitadel/master_key"; + tlsMode = "external"; + settings = { + Port = 9092; + + ExternalDomain = "auth.amarth.cloud"; + ExternalPort = 443; + ExternalSecure = true; + + Metrics.Type = "otel"; + Tracing.Type = "otel"; + Telemetry.Enabled = true; + + SystemDefaults = { + PasswordHasher.Hasher.Algorithm = "argon2id"; + SecretHasher.Hasher.Algorithm = "argon2id"; + }; + + DefaultInstance = { + PasswordComplexityPolicy = { + MinLength = 20; + HasLowercase = false; + HasUppercase = false; + HasNumber = false; + HasSymbol = false; + }; + LoginPolicy = { + AllowRegister = false; + ForceMFA = true; + }; + LockoutPolicy = { + MaxPasswordAttempts = 5; + MaxOTPAttempts = 10; + }; + SMTPConfiguration = { + SMTP = { + Host = "black-mail.nl:587"; + User = "info@amarth.cloud"; + Password = "__TODO_USE_SOPS__"; + }; + FromName = "Amarth Zitadel"; + }; + }; + + Database.postgres = { + Host = "localhost"; + # Zitadel will report error if port is not set + Port = 5432; + Database = db_name; + User = { + Username = db_user; + SSL.Mode = "disable"; + }; + Admin = { + Username = "postgres"; + SSL.Mode = "disable"; + }; + }; + }; + steps = { + FirstInstance = { + InstanceName = "auth.amarth.cloud"; + Org = { + Name = "Amarth"; + Human = { + UserName = "chris"; + FirstName = "Chris"; + LastName = "Kruining"; + Email = { + Address = "chris@kruining.eu"; + Verified = true; + }; + Password = "KaasIsAwesome1!"; + }; + }; + }; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ db_name ]; + ensureUsers = [ + { + name = db_user; + ensureDBOwnership = true; + } + ]; + }; + + caddy = { + enable = true; + virtualHosts = { + "auth.amarth.cloud".extraConfig = '' + reverse_proxy h2c://127.0.0.1:9092 + ''; + }; + extraConfig = '' + (auth-z) { + forward_auth h2c://127.0.0.1:9092 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; + }; + }; + + # Secrets + sops.secrets."zitadel/masterKey" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; + }; + }; +} diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix new file mode 100644 index 0000000..aa4d5c1 --- /dev/null +++ b/modules/nixos/services/communication/conduit/default.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.communication.conduit; + domain = "matrix.kruining.eu"; +in +{ + options.${namespace}.services.communication.conduit = { + enable = mkEnableOption "conduit (Matrix server)"; + }; + + config = mkIf cfg.enable { + # ${namespace}.services = { + # persistance.postgresql.enable = true; + # virtualisation.podman.enable = true; + # }; + + services = { + matrix-conduit = { + enable = true; + + settings.global = { + address = "::1"; + port = 4001; + + database_backend = "rocksdb"; + + server_name = "chris-matrix"; + }; + }; + + # postgresql = { + # enable = true; + # ensureDatabases = [ "conduit" ]; + # ensureUsers = [ + # { + # name = "conduit"; + # ensureDBOwnership = true; + # } + # ]; + # }; + + caddy = { + enable = true; + virtualHosts = { + ${domain}.extraConfig = '' + # import auth-z + + # reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix new file mode 100644 index 0000000..46e0995 --- /dev/null +++ b/modules/nixos/services/development/forgejo/default.nix @@ -0,0 +1,169 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.development.forgejo; + domain = "git.amarth.cloud"; +in +{ + options.${namespace}.services.development.forgejo = { + enable = mkEnableOption "Forgejo"; + }; + + config = mkIf cfg.enable { + ${namespace}.services = { + persistance.postgresql.enable = true; + virtualisation.podman.enable = true; + }; + + environment.systemPackages = with pkgs; [ forgejo ]; + + services = { + forgejo = { + enable = true; + useWizard = false; + database.type = "postgres"; + + settings = { + DEFAULT = { + APP_NAME = "Tamin Amarth"; + APP_SLOGAN = "Where code is forged"; + }; + + server = { + DOMAIN = domain; + ROOT_URL = "https://${domain}/"; + HTTP_PORT = 5002; + LANDING_PAGE = "explore"; + }; + + cors = { + ENABLED = true; + ALLOW_DOMAIN = "https://*.amarth.cloud"; + }; + + security = { + INSTALL_LOCK = true; + PASSWORD_HASH_ALGO = "argon2"; + DISABLE_WEBHOOKS = true; + }; + + ui = { + EXPLORE_PAGING_NUM = 50; + ISSUE_PAGING_NUM = 50; + MEMBERS_PAGING_NUM = 50; + }; + + "ui.meta" = { + AUTHOR = "Where code is forged!"; + DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future"; + }; + + admin = { + USER_DISABLED_FEATURES = "manage_gpg_keys"; + EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys"; + }; + + service = { + # Auth + ENABLE_BASIC_AUTHENTICATION = false; + DISABLE_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + + # Privacy + DEFAULT_KEEP_EMAIL_PRIVATE = true; + DEFAULT_USER_VISIBILITY = "private"; + DEFAULT_ORG_VISIBILITY = "private"; + + # Common sense + VALID_SITE_URL_SCHEMES = "https"; + }; + + openid = { + ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "https://auth.amarth.cloud"; + }; + + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + ACCOUNT_LINKING = "auto"; + }; + + actions = { + ENABLED = true; + # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; + }; + + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + + api = { + ENABLE_SWAGGER = false; + }; + + mirror = { + ENABLED = false; + }; + + session = { + PROVIDER = "db"; + COOKIE_SECURE = true; + }; + + mailer = { + ENABLED = true; + PROTOCOL = "smtp+starttls"; + SMTP_ADDR = "black-mail.nl"; + SMTP_PORT = 587; + FROM = "info@amarth.cloud"; + USER = "info@amarth.cloud"; + PASSWD = "__TODO_USE_SOPS__"; + }; + }; + }; + + openssh.settings.AllowUsers = [ "forgejo" ]; + + gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "default"; + url = "https://git.amarth.cloud"; + # Obtaining the path to the runner token file may differ + # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + # tokenFile = config.age.secrets.forgejo-runner-token.path; + token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; + labels = [ + "default:docker://nixos/nix:latest" + "ubuntu:docker://ubuntu:24-bookworm" + "nix:docker://git.amarth.cloud/amarth/runners/default:latest" + ]; + settings = { + log.level = "info"; + }; + }; + }; + + caddy = { + enable = true; + virtualHosts = { + ${domain}.extraConfig = '' + # import auth-z + + # stupid dumb way to prevent the login page and go to zitadel instead + # be aware that this does not disable local login at all! + # rewrite /user/login /user/oauth2/Zitadel + + reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 7d76794..bc41fb4 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -66,33 +66,73 @@ in # Services #========================================================================= services = let - serviceConf = { + arrService = { + enable = true; + openFirewall = true; + + settings = { + auth.AuthenticationMethod = "External"; + + # postgres = { + # PostgresHost = "localhost"; + # PostgresPort = "5432"; + # PostgresUser = "media"; + # }; + }; + }; + + withPort = port: service: service // { settings.server.Port = builtins.toString port; }; + + withUserAndGroup = service: service // { + user = cfg.user; + group = cfg.group; + }; + in { + radarr = + arrService + |> withPort 2001 + |> withUserAndGroup; + + sonarr = + arrService + |> withPort 2002 + |> withUserAndGroup; + + lidarr = + arrService + |> withPort 2003 + |> withUserAndGroup; + + prowlarr = + arrService + |> withPort 2004; + + bazarr = { + enable = true; + openFirewall = true; + user = cfg.user; + group = cfg.group; + listenPort = 2005; + }; + + # port is harcoded in nixpkgs module + jellyfin = { enable = true; openFirewall = true; user = cfg.user; group = cfg.group; }; - in { - jellyfin = serviceConf; - radarr = serviceConf; - sonarr = serviceConf; - bazarr = serviceConf; - lidarr = serviceConf; - jellyseerr = { - enable = true; - openFirewall = true; - }; - - prowlarr = { + flaresolverr = { enable = true; openFirewall = true; + port = 2007; }; qbittorrent = { enable = true; openFirewall = true; - webuiPort = 5000; + webuiPort = 2008; serverConfig = { LegalNotice.Accepted = true; @@ -102,6 +142,7 @@ in group = cfg.group; }; + # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; @@ -111,46 +152,49 @@ in group = cfg.group; }; + # postgresql = { + # enable = true; + # ensureDatabases = [ + # "radarr-main" "radarr-log" + # "sonarr-main" "sonarr-log" + # "lidarr-main" "lidarr-log" + # "prowlarr-main" "prowlarr-log" + # ]; + # identMap = '' + # media media radarr-main + # media media radarr-log + # media media sonarr-main + # media media sonarr-log + # media media lidarr-main + # media media lidarr-log + # media media prowlarr-main + # media media prowlarr-log + # ''; + # ensureUsers = [ + # { name = "radarr-main"; ensureDBOwnership = true; } + # { name = "radarr-log"; ensureDBOwnership = true; } + + # { name = "sonarr-main"; ensureDBOwnership = true; } + # { name = "sonarr-log"; ensureDBOwnership = true; } + + # { name = "lidarr-main"; ensureDBOwnership = true; } + # { name = "lidarr-log"; ensureDBOwnership = true; } + + # { name = "prowlarr-main"; ensureDBOwnership = true; } + # { name = "prowlarr-log"; ensureDBOwnership = true; } + # ]; + # }; + caddy = { enable = true; virtualHosts = { - "media.kruining.eu".extraConfig = '' - import auth - - reverse_proxy http://127.0.0.1:9494 - ''; "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://127.0.0.1:8096 + reverse_proxy http://[::1]:8096 ''; }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; - - ${namespace}.services.virtualisation.podman.enable = true; - - virtualisation = { - oci-containers = { - backend = "podman"; - - containers = { - flaresolverr = { - image = "flaresolverr/flaresolverr"; - autoStart = true; - ports = [ "127.0.0.1:8191:8191" ]; - }; - - reiverr = { - image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; - autoStart = true; - ports = [ "127.0.0.1:9494:9494" ]; - volumes = [ "${cfg.path}/reiverr/config:/config" ]; - }; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 6969 ]; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix new file mode 100644 index 0000000..8fd0ac6 --- /dev/null +++ b/modules/nixos/services/media/homer/default.nix @@ -0,0 +1,161 @@ +{ config, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.homer; +in +{ + options.${namespace}.services.media.homer = { + enable = mkEnableOption "Enable homer"; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 2000 ]; + + services = { + homer = { + enable = true; + + virtualHost = { + caddy.enable = true; + domain = "http://:2000"; + }; + + settings = { + title = "Ulmo dashboard"; + + columns = 4; + connectivityCheck = true; + + links = []; + + services = [ + { + name = "Services"; + items = [ + { + name = "Zitadel"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; + tag = "app"; + url = "https://auth.amarth.cloud"; + target = "_blank"; + } + + { + name = "Forgejo"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; + tag = "app"; + type = "Gitea"; + url = "https://git.amarth.cloud"; + target = "_blank"; + } + + { + name = "Vaultwarden"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; + type = "Vaultwarden"; + tag = "app"; + url = "https://vault.kruining.eu"; + target = "_blank"; + } + ]; + } + + { + name = "Observability"; + items = [ + { + name = "Grafana"; + type = "Grafana"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + target = "_blank"; + } + + { + name = "Prometheus"; + type = "Prometheus"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; + target = "_blank"; + } + ]; + } + + { + name = "Media"; + items = [ + { + name = "Jellyfin (Movies)"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; + tag = "app"; + type = "Emby"; + url = "http://${config.networking.hostName}:8096"; + apikey = "e3ceed943eeb409ba8342738db7cc1f5"; + libraryType = "movies"; + target = "_blank"; + } + + { + name = "Radarr"; + type = "Radarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + target = "_blank"; + } + + { + name = "Sonarr"; + type = "Sonarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + target = "_blank"; + } + + { + name = "Lidarr"; + type = "Lidarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + target = "_blank"; + } + + { + name = "Prowlarr"; + type = "Prowlarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; + target = "_blank"; + } + + { + name = "qBittorrent"; + type = "qBittorrent"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + target = "_blank"; + } + + { + name = "SABnzbd"; + type = "SABnzbd"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:8080"; + target = "_blank"; + } + ]; + } + ]; + }; + }; + }; + }; +} diff --git a/modules/nixos/services/media/nextcloud.nix b/modules/nixos/services/media/nextcloud/default.nix similarity index 96% rename from modules/nixos/services/media/nextcloud.nix rename to modules/nixos/services/media/nextcloud/default.nix index 658a5b4..14d6863 100644 --- a/modules/nixos/services/media/nextcloud.nix +++ b/modules/nixos/services/media/nextcloud/default.nix @@ -6,7 +6,7 @@ let cfg = config.${namespace}.services.media.nextcloud; in { - options.modules.services.nextcloud = { + options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; user = mkOption { @@ -40,7 +40,7 @@ in services.nextcloud = { enable = true; - webserver = "caddy"; + # webserver = "caddy"; package = pkgs.nextcloud31; hostName = "localhost"; diff --git a/modules/nixos/services/media/nfs.nix b/modules/nixos/services/media/nfs/default.nix similarity index 79% rename from modules/nixos/services/media/nfs.nix rename to modules/nixos/services/media/nfs/default.nix index 7674e69..54b58e7 100644 --- a/modules/nixos/services/media/nfs.nix +++ b/modules/nixos/services/media/nfs/default.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.media.nfs; + cfg = config.${namespace}.services.media.nfs; in { - options.${namespace}.media.nfs = { + options.${namespace}.services.media.nfs = { enable = mkEnableOption "Enable NFS"; }; diff --git a/modules/nixos/services/observability/grafana/dashboards/default.json b/modules/nixos/services/observability/grafana/dashboards/default.json new file mode 100644 index 0000000..f8ea8dc --- /dev/null +++ b/modules/nixos/services/observability/grafana/dashboards/default.json @@ -0,0 +1,7 @@ +{ + "title": "Default Dash", + "description": "The default dashboard", + "timezone": "browser", + "editable": false, + "panels": [] +} diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix new file mode 100644 index 0000000..c399729 --- /dev/null +++ b/modules/nixos/services/observability/grafana/default.nix @@ -0,0 +1,130 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.grafana; + + db_user = "grafana"; + db_name = "grafana"; +in +{ + options.${namespace}.services.observability.grafana = { + enable = mkEnableOption "enable Grafana"; + }; + + config = mkIf cfg.enable { + services = { + grafana = { + enable = true; + openFirewall = true; + + settings = { + server = { + http_port = 9001; + http_addr = "0.0.0.0"; + domain = "ulmo"; + }; + + auth = { + disable_login_form = false; + oauth_auto_login = true; + }; + + "auth.basic".enable = false; + "auth.generic_oauth" = { + enable = true; + name = "Zitadel"; + client_id = "334170712283611395"; + client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; + scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; + email_attribute_path = "email"; + login_attribute_path = "username"; + name_attribute_path = "full_name"; + role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; + auth_url = "https://auth.amarth.cloud/oauth/v2/authorize"; + token_url = "https://auth.amarth.cloud/oauth/v2/token"; + api_url = "https://auth.amarth.cloud/oidc/v1/userinfo"; + allow_sign_up = true; + auto_login = true; + use_pkce = true; + usr_refresh_token = true; + allow_assign_grafana_admin = true; + }; + + database = { + type = "postgres"; + host = "/var/run/postgresql:5432"; + name = db_name; + user = db_user; + ssl_mode = "disable"; + }; + + users = { + allow_sign_up = false; + allow_org_create = false; + viewers_can_edit = false; + + default_theme = "system"; + }; + + analytics = { + reporting_enabled = false; + check_for_updates = false; + check_for_plugin_updates = false; + feedback_links_enabled = false; + }; + }; + + provision = { + enable = true; + + dashboards.settings = { + apiVersion = 1; + providers = [ + { + name = "Default Dashboard"; + disableDeletion = true; + allowUiUpdates = false; + options = { + path = "/etc/grafana/dashboards"; + foldersFromFilesStructure = true; + }; + } + ]; + }; + + datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:9005"; + isDefault = true; + editable = false; + } + + { + name = "Loki"; + type = "loki"; + url = "http://localhost:9003"; + editable = false; + } + ]; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ db_name ]; + ensureUsers = [ + { + name = db_user; + ensureDBOwnership = true; + } + ]; + }; + }; + + environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; + }; +} diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix new file mode 100644 index 0000000..8f6e0e3 --- /dev/null +++ b/modules/nixos/services/observability/loki/default.nix @@ -0,0 +1,49 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.loki; +in +{ + options.${namespace}.services.observability.loki = { + enable = mkEnableOption "enable Grafana Loki"; + }; + + config = mkIf cfg.enable { + services.loki = { + enable = true; + configuration = { + auth_enabled = false; + + server = { + http_listen_port = 9003; + }; + + common = { + ring = { + instance_addr = "127.0.0.1"; + kvstore.store = "inmmemory"; + }; + replication_factor = 1; + path_prefix = "/tmp/loki"; + }; + + schema_config.configs = [ + { + from = "2025-01-01"; + store = "tsdb"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9003 ]; + }; +} diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix new file mode 100644 index 0000000..af5ee9d --- /dev/null +++ b/modules/nixos/services/observability/prometheus/default.nix @@ -0,0 +1,48 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.observability.prometheus; +in +{ + options.${namespace}.services.observability.prometheus = { + enable = mkEnableOption "enable Prometheus"; + }; + + config = mkIf cfg.enable { + services.prometheus = { + enable = true; + port = 9002; + + globalConfig.scrape_interval = "15s"; + + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:9002" ]; } + ]; + } + + { + job_name = "node"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } + ]; + + exporters = { + node = { + enable = true; + port = 9005; + enabledCollectors = [ "systemd" ]; + openFirewall = true; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9002 ]; + }; +} diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix new file mode 100644 index 0000000..1f32adc --- /dev/null +++ b/modules/nixos/services/observability/promtail/default.nix @@ -0,0 +1,56 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.promtail; +in +{ + options.${namespace}.services.observability.promtail = { + enable = mkEnableOption "enable Grafana Promtail"; + }; + + config = mkIf cfg.enable { + services.promtail = { + enable = true; + + # Ensures proper permissions + extraFlags = [ + "-config.expand-env=true" + ]; + + configuration = { + server = { + http_listen_port = 9004; + grpc_listen_port = 0; + }; + + positions = { + filename = "filename"; + }; + + clients = { + url = "http://127.0.0.1:3100/loki/api/v1/push"; + }; + + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "ulmo"; + }; + }; + relabel_configs = [ + { source_labels = [ "__journal__systemd_unit" ]; target_label = "unit"; } + ]; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9004 ]; + }; +} diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix new file mode 100644 index 0000000..dbd6604 --- /dev/null +++ b/modules/nixos/services/persistance/postgesql/default.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.persistance.postgresql; +in +{ + options.${namespace}.services.persistance.postgresql = { + enable = mkEnableOption "Postgresql"; + }; + + config = mkIf cfg.enable { + services = { + postgresql = { + enable = true; + authentication = '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; + }; + }; + }; +} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 6870606..db8e162 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,7 +1,7 @@ { pkgs, config, lib, namespace, ... }: let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.security.vaultwarden; in @@ -11,18 +11,82 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - vaultwarden - vaultwarden-postgresql + systemd.tmpfiles.rules = [ + "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; - services.vaultwarden = { - enable = true; - dbBackend = "postgresql"; + services = { + vaultwarden = { + enable = true; + dbBackend = "postgresql"; - config = { - SIGNUPS_ALLOWED = false; - DOMAIN = "https://passwords.kruining.eu"; + package = pkgs.${namespace}.vaultwarden; + + config = { + SIGNUPS_ALLOWED = false; + DOMAIN = "https://vault.kruining.eu"; + + ADMIN_TOKEN = ""; + + DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; + + WEB_VAULT_ENABLED = true; + + SSO_ENABLED = true; + SSO_ONLY = true; + SSO_PKCE = true; + SSO_AUTH_ONLY_NOT_SESSION = false; + SSO_ROLES_ENABLED = true; + SSO_ORGANIZATIONS_ENABLED = true; + SSO_ORGANIZATIONS_REVOCATION = true; + SSO_AUTHORITY = "https://auth.amarth.cloud/"; + SSO_SCOPES = "email profile offline_access"; + SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; + SSO_CLIENT_ID = "335178854421299459"; + SSO_CLIENT_SECRET = ""; + + ROCKET_ADDRESS = "::1"; + ROCKET_PORT = 8222; + ROCKET_LOG = "critical"; + + SMTP_HOST = "black-mail.nl"; + SMTP_PORT = 587; + SMTP_SECURITY = "starttls"; + SMTP_USERNAME = "info@amarth.cloud"; + SMTP_PASSWORD = ""; + SMTP_FROM = "info@amarth.cloud"; + SMTP_FROM_NAME = "Chris' Vaultwarden"; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ "vaultwarden" ]; + ensureUsers = [ + { + name = "vaultwarden"; + ensureDBOwnership = true; + } + ]; + }; + + caddy = { + enable = true; + virtualHosts = { + "vault.kruining.eu".extraConfig = '' + encode zstd gzip + + handle_path /admin { + respond 401 { + close + } + } + + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { + header_up X-Real-IP {remote_host} + } + ''; + }; }; }; }; diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix index 9b9dc89..0faf8ce 100644 --- a/modules/nixos/services/virtualisation/podman/default.nix +++ b/modules/nixos/services/virtualisation/podman/default.nix @@ -12,6 +12,7 @@ in config = mkIf cfg.enable { virtualisation = { containers.enable = true; + oci-containers.backend = "podman"; podman = { enable = true; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index ebceca3..68ab4ca 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -13,10 +13,10 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - age.keyFile = "/home/.sops-key.age"; - - defaultSopsFile = ../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml; + defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; + + age.keyFile = "/home/"; }; }; } \ No newline at end of file diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix index 6dedf50..b79efbc 100644 --- a/modules/nixos/system/security/sudo/default.nix +++ b/modules/nixos/system/security/sudo/default.nix @@ -14,9 +14,8 @@ in sudo-rs = { enable = true; - extraConfig = '' - Defaults env_keep += "EDITOR PATH DISPLAY" - ''; + execWheelOnly = true; + extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"''; }; }; }; diff --git a/packages/vaultwarden/default.nix b/packages/vaultwarden/default.nix new file mode 100644 index 0000000..243288b --- /dev/null +++ b/packages/vaultwarden/default.nix @@ -0,0 +1,29 @@ +{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }: +rustPlatform.buildRustPackage rec { + pname = "vaultwarden"; + version = "1.34.3"; + + src = fetchFromGitHub { + owner = "Timshel"; + repo = "vaultwarden"; + rev = "1.34.3"; + hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0="; + }; + + cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE="; + + # used for "Server Installed" version in admin panel + env.VW_VERSION = version; + + nativeBuildInputs = [ pkg-config ]; + buildInputs = + [ openssl ] + ++ lib.optional (dbBackend == "postgresql") postgresql; + + buildFeatures = dbBackend; + + meta = with lib; { + license = licenses.agpl3Only; + mainProgram = "vaultwarden"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/manwe/README.md b/systems/x86_64-linux/manwe/README.md index 1da7ab1..3bb6746 100644 --- a/systems/x86_64-linux/manwe/README.md +++ b/systems/x86_64-linux/manwe/README.md @@ -1,3 +1,8 @@ # Description +<<<<<<< HEAD My steambox. +======= +My desktop, reasoning for the name being the following chain of thought: +**Manwe -> the king of the valar -> leader -> desktop is main machine** +>>>>>>> 72b0f6f8fad97a4ade1b54dfada26828a170febf diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index e3e449f..d68db6a 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix @@ -1,59 +1,34 @@ -{ config, lib, pkgs, modulesPath, inputs, ... }: +{ config, lib, pkgs, modulesPath, ... }: let inherit (lib.modules) mkDefault; in { - imports = [ - inputs.disko.nixosModules.disko - ]; + # TODO :: Implement disko at some point - config = { - swapDevices = []; + swapDevices = []; - boot.supportedFilesystems = [ "nfs" ]; - - disko.devices = { - disk = { - main = { - device = "/dev/nvme0"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "100M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; + boot.supportedFilesystems = [ "nfs" ]; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; }; - - fileSystems = { - "/home/chris/media" = { - device = "ulmo:/"; - fsType = "nfs"; - }; - "/home/chris/mandos" = { - device = "mandos:/"; - fsType = "nfs"; - }; + "/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + "/home/chris/media" = { + device = "ulmo:/"; + fsType = "nfs"; + }; + + "/home/chris/mandos" = { + device = "mandos:/"; + fsType = "nfs"; }; }; } diff --git a/systems/x86_64-linux/manwe/secrets.yaml b/systems/x86_64-linux/manwe/secrets.yaml deleted file mode 100644 index 6e2a986..0000000 --- a/systems/x86_64-linux/manwe/secrets.yaml +++ /dev/null @@ -1,31 +0,0 @@ -zitadel: - masterKey: ENC[AES256_GCM,data:iSeZOloWLrdP8S+ac7ubIcv9TF3Sm8Ni,iv:8v3/ratFQ5vq2rbZOUMKfPhVTA9uQY2eFQU4IR8s3VU=,tag:9y90aDQ2PfFT//X2i2YvvA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4R0UyWmx5L3hCbGhQVXI0 - NmpkMThPVlgrRHZZMnFrNTAwbzVTY1F6NEVVCjJaRHdhbHV6R1RJM2JIQzc3dkNu - a01FYlM3b1dXbmxGN2tWU3FMdXMveG8KLS0tIG1SSjNXdXZNN2ZyQ2UyZ0pIZXJJ - NmpMS2oySFE1S1RER3J1RGl4MlRQK00Ks+PcxcHmygYz+a+d0ZrzrdUpTQ50NYkA - aDFbtRtukn9e7i3bGUyD4nisSvs4YjfoQxR/pC8hs4k3f5V2jwDh2w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTN4clFoWDNwU2lpaHBn - M2pVeU5oM0JRNmp6NEJjQ3BHeWlzeSs3bTI0CnBocngvbzZQUXBsMG9Oc2J6dlBT - MjdtaFdmOHg5ZmZmSkViWGJFYThQYXcKLS0tIFRNd2JiVlFTREtDMTdzR2V0SlVo - Q0d5ZDVDM05LdFp4UnB4dFRPUm5vU0UKR/MAONEWaT6XXyPB1IrSIKqW5PZNIbuB - n7QX3DJIzlajtmq+82/wPFPTBkLvSSjV5FKL5ErMwTDndcIn+NlOhQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-11T13:11:00Z" - mac: ENC[AES256_GCM,data:P34YsR/Rvc3q4Os5n9hxonJLCXwifMRnKOCM59h5MRMT/aqjl+QlBX+oUADsqDSrhUscQb3N/UlpFeOT6qg+FmJbT/mYMH6v1xK16VD0M7VWydXpmjDu5If+O89lgDHsiEOGDgeR04jkiaY0yzT9U8l9CND5fMvF3I9o5Z1SZQk=,iv:NgUD8gB2bQa5vh0nb0Ngqp5dn0yqskHudWo8xoVjM4Q=,tag:5oTcnailDCHeMvMLz63e1w==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.4 diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7a2540f..3b35750 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -7,8 +7,27 @@ sneeuwvlok = { services = { + authentication.authelia.enable = true; + authentication.zitadel.enable = true; + + communication.conduit.enable = true; + + development.forgejo.enable = true; + networking.ssh.enable = true; + media.enable = true; + media.homer.enable = true; + media.nfs.enable = true; + + observability = { + grafana.enable = true; + prometheus.enable = true; + loki.enable = true; + promtail.enable = true; + }; + + security.vaultwarden.enable = true; }; editor = {