diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 684cfad..4aac00e 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -7,9 +7,10 @@ on: - main jobs: - kaas: - runs-on: nix + hello: + name: Print hello world + runs-on: default steps: - name: Echo run: | - nix --version \ No newline at end of file + echo "Hello, world!" \ No newline at end of file diff --git a/.gitignore b/.gitignore index 3cb44c3..87a3018 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,2 @@ -# ---> Nix -# Ignore build outputs from performing a nix-build or `nix build` command result -result-* - -# Ignore automatically generated direnv output -.direnv - +*.qcow2 diff --git a/flake.lock b/flake.lock index 51907f8..27521bd 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1756593129, - "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=", + "lastModified": 1755108317, + "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd", + "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e", "type": "github" }, "original": { @@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1756622179, - "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=", + "lastModified": 1755153894, + "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=", "owner": "nix-community", "repo": "fenix", - "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79", + "rev": "f6874c6e512bc69d881d979a45379b988b80a338", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1756643456, - "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=", + "lastModified": 1755083788, + "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e", + "rev": "523078b104590da5850a61dfe291650a6b49809c", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1756381920, - "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=", + "lastModified": 1755072091, + "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7", + "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa", "type": "github" }, "original": { @@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1756413980, - "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=", + "lastModified": 1754593854, + "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a", + "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed", "type": "github" }, "original": { @@ -452,32 +452,11 @@ ] }, "locked": { - "lastModified": 1756650373, - "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=", + "lastModified": 1755121891, + "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=", "owner": "nix-community", "repo": "home-manager", - "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { - "inputs": { - "nixpkgs": [ - "zen-browser", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756842514, - "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", + "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426", "type": "github" }, "original": { @@ -494,11 +473,11 @@ ] }, "locked": { - "lastModified": 1756638688, - "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=", + "lastModified": 1755151620, + "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "e7b8679cba79f4167199f018b05c82169249f654", + "rev": "16e12d22754d97064867006acae6e16da7a142a6", "type": "github" }, "original": { @@ -528,11 +507,11 @@ }, "mnw": { "locked": { - "lastModified": 1756580127, - "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=", + "lastModified": 1748710831, + "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=", "owner": "Gerg-L", "repo": "mnw", - "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252", + "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d", "type": "github" }, "original": { @@ -570,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1756518625, - "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=", + "lastModified": 1755137329, + "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19", + "rev": "d9330bc35048238597880e89fb173799de9db5e9", "type": "github" }, "original": { @@ -642,11 +621,11 @@ ] }, "locked": { - "lastModified": 1755261305, - "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=", + "lastModified": 1755171343, + "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "203a7b463f307c60026136dd1191d9001c43457f", + "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e", "type": "github" }, "original": { @@ -704,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1756578978, - "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=", + "lastModified": 1755061300, + "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23", + "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5", "type": "github" }, "original": { @@ -736,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1756653691, - "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=", + "lastModified": 1755178357, + "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b", + "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4", "type": "github" }, "original": { @@ -768,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1756542300, - "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", + "lastModified": 1755027561, + "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", + "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", "type": "github" }, "original": { @@ -784,11 +763,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1756536218, - "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=", + "lastModified": 1755049066, + "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1", + "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a", "type": "github" }, "original": { @@ -864,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1756646417, - "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=", + "lastModified": 1755115677, + "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=", "owner": "notashelf", "repo": "nvf", - "rev": "939fb8cfc630190cd5607526f81693525e3d593b", + "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe", "type": "github" }, "original": { @@ -887,11 +866,11 @@ ] }, "locked": { - "lastModified": 1756632588, - "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", + "lastModified": 1754501628, + "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", + "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133", "type": "github" }, "original": { @@ -926,11 +905,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1756597274, - "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=", + "lastModified": 1755004716, + "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30", + "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194", "type": "github" }, "original": { @@ -999,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1755997543, - "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=", + "lastModified": 1755027820, + "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=", "owner": "nix-community", "repo": "stylix", - "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8", + "rev": "c592717e9f713bbae5f718c784013d541346363d", "type": "github" }, "original": { @@ -1185,19 +1164,18 @@ }, "zen-browser": { "inputs": { - "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1756876659, - "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=", - "owner": "0xc000022070", + "lastModified": 1727721329, + "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", + "owner": "MarceColl", "repo": "zen-browser-flake", - "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529", + "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", "type": "github" }, "original": { - "owner": "0xc000022070", + "owner": "MarceColl", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index 60e9853..d696f4b 100644 --- a/flake.nix +++ b/flake.nix @@ -41,7 +41,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser.url = "github:0xc000022070/zen-browser-flake"; + zen-browser.url = "github:MarceColl/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -63,11 +63,11 @@ url = "github:Jovian-Experiments/Jovian-NixOS"; inputs.nixpkgs.follows = "nixpkgs"; }; - + grub2-themes = { url = "github:vinceliuice/grub2-themes"; }; - + nixos-wsl = { url = "github:nix-community/nixos-wsl"; inputs = { @@ -93,15 +93,8 @@ channels-config = { allowUnfree = true; permittedInsecurePackages = [ - # Due to *arr stack "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" - - # I think this is because of zen - "qtwebengine-5.15.19" - - # For Nheko, the matrix client - "olm-3.2.16" ]; }; @@ -113,7 +106,7 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - plasma-manager.homeModules.plasma-manager + plasma-manager.homeManagerModules.plasma-manager ]; }; } diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index abeb606..cd6fa1a 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -35,7 +35,6 @@ bitwarden.enable = true; discord.enable = true; ladybird.enable = true; - nheko.enable = true; obs.enable = true; onlyoffice.enable = true; signal.enable = true; diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix deleted file mode 100644 index b04b375..0000000 --- a/modules/home/application/nheko/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, namespace, osConfig ? {}, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.nheko; -in -{ - options.${namespace}.application.nheko = { - enable = mkEnableOption "enable nheko (matrix client)"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ nheko ]; - }; -} diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index 4995216..ad4cb92 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -5,15 +5,13 @@ let cfg = config.${namespace}.application.zen; in { - imports = [ - inputs.zen-browser.homeModules.default - ]; - options.${namespace}.application.zen = { enable = mkEnableOption "enable zen"; }; config = mkIf cfg.enable { + home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ]; + home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; @@ -22,42 +20,20 @@ in policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; - - AppAutoUpdate = false; DisableAppUpdate = true; - ManualAppUpdateOnly = true; - DisableFeedbackCommands = true; DisableFirefoxStudies = true; DisablePocket = true; DisableTelemetry = true; - - DontCheckDefaultBrowser = false; + # DontCheckDefaultBrowser = false; NoDefaultBookmarks = true; - OfferToSaveLogins = false; + # OfferToSaveLogins = false; EnableTrackingProtection = { Value = true; Locked = true; Cryptomining = true; Fingerprinting = true; }; - - HttpAllowlist = [ - "http://ulmo" - ]; - }; - - policies.ExtensionSettings = let - mkExtension = id: { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi"; - installation_mode = "force_installed"; - }; - in - { - ublock_origin = 4531307; - ghostry = 4562168; - bitwarden = 4562769; - sponsorblock = 4541835; }; }; }; diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix index 5f3be03..93bae2e 100644 --- a/modules/home/home-manager/default.nix +++ b/modules/home/home-manager/default.nix @@ -4,9 +4,7 @@ let in { systemd.user.startServices = "sd-switch"; - programs.home-manager = { - enable = true; - }; + programs.home-manager.enable = true; home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); -} +} \ No newline at end of file diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix deleted file mode 100644 index 1a5a964..0000000 --- a/modules/nixos/home-manager/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - config = { - home-manager.backupFileExtension = "back"; - }; -} diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 3104ecd..7d1f069 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes pipe-operators"; + extraOptions = "experimental-features = nix-command flakes"; settings = { - experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; + experimental-features = [ "nix-command" "flakes" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 2f65f6f..a95d849 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkForce; cfg = config.${namespace}.services.authentication.zitadel; @@ -13,8 +13,6 @@ in }; config = mkIf cfg.enable { - ${namespace}.services.persistance.postgresql.enable = true; - environment.systemPackages = with pkgs; [ zitadel ]; @@ -112,6 +110,13 @@ in ensureDBOwnership = true; } ]; + authentication = mkForce '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; }; caddy = { diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix deleted file mode 100644 index aa4d5c1..0000000 --- a/modules/nixos/services/communication/conduit/default.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.communication.conduit; - domain = "matrix.kruining.eu"; -in -{ - options.${namespace}.services.communication.conduit = { - enable = mkEnableOption "conduit (Matrix server)"; - }; - - config = mkIf cfg.enable { - # ${namespace}.services = { - # persistance.postgresql.enable = true; - # virtualisation.podman.enable = true; - # }; - - services = { - matrix-conduit = { - enable = true; - - settings.global = { - address = "::1"; - port = 4001; - - database_backend = "rocksdb"; - - server_name = "chris-matrix"; - }; - }; - - # postgresql = { - # enable = true; - # ensureDatabases = [ "conduit" ]; - # ensureUsers = [ - # { - # name = "conduit"; - # ensureDBOwnership = true; - # } - # ]; - # }; - - caddy = { - enable = true; - virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z - - # reverse_proxy http://127.0.0.1:5002 - ''; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 46e0995..bdabbd6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,10 +11,7 @@ in }; config = mkIf cfg.enable { - ${namespace}.services = { - persistance.postgresql.enable = true; - virtualisation.podman.enable = true; - }; + ${namespace}.services.virtualisation.podman.enable = true; environment.systemPackages = with pkgs; [ forgejo ]; @@ -94,7 +91,6 @@ in actions = { ENABLED = true; - # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; }; other = { @@ -140,12 +136,10 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://nixos/nix:latest" - "ubuntu:docker://ubuntu:24-bookworm" - "nix:docker://git.amarth.cloud/amarth/runners/default:latest" + "default:docker://node:22-bullseye" ]; settings = { - log.level = "info"; + }; }; }; @@ -158,7 +152,7 @@ in # stupid dumb way to prevent the login page and go to zitadel instead # be aware that this does not disable local login at all! - # rewrite /user/login /user/oauth2/Zitadel + rewrite /user/login /user/oauth2/Zitadel reverse_proxy http://127.0.0.1:5002 ''; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index bc41fb4..f76e4ae 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -66,73 +66,38 @@ in # Services #========================================================================= services = let - arrService = { + serviceConf = { enable = true; openFirewall = true; - - settings = { - auth.AuthenticationMethod = "External"; - - # postgres = { - # PostgresHost = "localhost"; - # PostgresPort = "5432"; - # PostgresUser = "media"; - # }; - }; - }; - - withPort = port: service: service // { settings.server.Port = builtins.toString port; }; - - withUserAndGroup = service: service // { user = cfg.user; group = cfg.group; }; in { - radarr = - arrService - |> withPort 2001 - |> withUserAndGroup; - - sonarr = - arrService - |> withPort 2002 - |> withUserAndGroup; - - lidarr = - arrService - |> withPort 2003 - |> withUserAndGroup; - - prowlarr = - arrService - |> withPort 2004; - - bazarr = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - listenPort = 2005; - }; - - # port is harcoded in nixpkgs module - jellyfin = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - }; + jellyfin = serviceConf; + radarr = serviceConf; + sonarr = serviceConf; + bazarr = serviceConf; + lidarr = serviceConf; flaresolverr = { enable = true; openFirewall = true; - port = 2007; + }; + + jellyseerr = { + enable = true; + openFirewall = true; + }; + + prowlarr = { + enable = true; + openFirewall = true; }; qbittorrent = { enable = true; openFirewall = true; - webuiPort = 2008; + webuiPort = 5000; serverConfig = { LegalNotice.Accepted = true; @@ -142,7 +107,6 @@ in group = cfg.group; }; - # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; @@ -152,49 +116,46 @@ in group = cfg.group; }; - # postgresql = { - # enable = true; - # ensureDatabases = [ - # "radarr-main" "radarr-log" - # "sonarr-main" "sonarr-log" - # "lidarr-main" "lidarr-log" - # "prowlarr-main" "prowlarr-log" - # ]; - # identMap = '' - # media media radarr-main - # media media radarr-log - # media media sonarr-main - # media media sonarr-log - # media media lidarr-main - # media media lidarr-log - # media media prowlarr-main - # media media prowlarr-log - # ''; - # ensureUsers = [ - # { name = "radarr-main"; ensureDBOwnership = true; } - # { name = "radarr-log"; ensureDBOwnership = true; } - - # { name = "sonarr-main"; ensureDBOwnership = true; } - # { name = "sonarr-log"; ensureDBOwnership = true; } - - # { name = "lidarr-main"; ensureDBOwnership = true; } - # { name = "lidarr-log"; ensureDBOwnership = true; } - - # { name = "prowlarr-main"; ensureDBOwnership = true; } - # { name = "prowlarr-log"; ensureDBOwnership = true; } - # ]; - # }; - caddy = { enable = true; virtualHosts = { + "media.kruining.eu".extraConfig = '' + import auth + + reverse_proxy http://127.0.0.1:9494 + ''; "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://[::1]:8096 + reverse_proxy http://127.0.0.1:8096 ''; }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; + + ${namespace}.services.virtualisation.podman.enable = true; + + virtualisation = { + oci-containers = { + backend = "podman"; + + containers = { + # flaresolverr = { + # image = "flaresolverr/flaresolverr"; + # autoStart = true; + # ports = [ "127.0.0.1:8191:8191" ]; + # }; + + reiverr = { + image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; + autoStart = true; + ports = [ "127.0.0.1:9494:9494" ]; + volumes = [ "${cfg.path}/reiverr/config:/config" ]; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 6969 ]; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix deleted file mode 100644 index 8fd0ac6..0000000 --- a/modules/nixos/services/media/homer/default.nix +++ /dev/null @@ -1,161 +0,0 @@ -{ config, lib, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.media.homer; -in -{ - options.${namespace}.services.media.homer = { - enable = mkEnableOption "Enable homer"; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 2000 ]; - - services = { - homer = { - enable = true; - - virtualHost = { - caddy.enable = true; - domain = "http://:2000"; - }; - - settings = { - title = "Ulmo dashboard"; - - columns = 4; - connectivityCheck = true; - - links = []; - - services = [ - { - name = "Services"; - items = [ - { - name = "Zitadel"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; - tag = "app"; - url = "https://auth.amarth.cloud"; - target = "_blank"; - } - - { - name = "Forgejo"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; - tag = "app"; - type = "Gitea"; - url = "https://git.amarth.cloud"; - target = "_blank"; - } - - { - name = "Vaultwarden"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; - type = "Vaultwarden"; - tag = "app"; - url = "https://vault.kruining.eu"; - target = "_blank"; - } - ]; - } - - { - name = "Observability"; - items = [ - { - name = "Grafana"; - type = "Grafana"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; - target = "_blank"; - } - - { - name = "Prometheus"; - type = "Prometheus"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; - target = "_blank"; - } - ]; - } - - { - name = "Media"; - items = [ - { - name = "Jellyfin (Movies)"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; - tag = "app"; - type = "Emby"; - url = "http://${config.networking.hostName}:8096"; - apikey = "e3ceed943eeb409ba8342738db7cc1f5"; - libraryType = "movies"; - target = "_blank"; - } - - { - name = "Radarr"; - type = "Radarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Sonarr"; - type = "Sonarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Lidarr"; - type = "Lidarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Prowlarr"; - type = "Prowlarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "qBittorrent"; - type = "qBittorrent"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; - target = "_blank"; - } - - { - name = "SABnzbd"; - type = "SABnzbd"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:8080"; - target = "_blank"; - } - ]; - } - ]; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/persistance/convex/default.nix b/modules/nixos/services/persistance/convex/default.nix new file mode 100644 index 0000000..3e01c59 --- /dev/null +++ b/modules/nixos/services/persistance/convex/default.nix @@ -0,0 +1,21 @@ +{ config, pkgs, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.persistance.convex; +in +{ + imports = [ ./source.nix ]; + + options.${namespace}.services.persistance.convex = { + enable = mkEnableOption "enable Convex"; + }; + + config = mkIf cfg.enable { + services.convex = { + enable = true; + package = pkgs.${namespace}.convex; + secret = "ThisIsMyAwesomeSecret"; + }; + }; +} diff --git a/modules/nixos/services/persistance/convex/source.nix b/modules/nixos/services/persistance/convex/source.nix new file mode 100644 index 0000000..c56e3ab --- /dev/null +++ b/modules/nixos/services/persistance/convex/source.nix @@ -0,0 +1,149 @@ +{ config, pkgs, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types; + + cfg = config.services.convex; + + default_user = "convex"; + default_group = "convex"; +in +{ + options.services.convex = { + enable = mkEnableOption "enable Convex (backend only for now)"; + + package = mkPackageOption pkgs "convex" {}; + + name = lib.mkOption { + type = types.str; + default = "convex"; + description = '' + Name for the instance. + ''; + }; + + secret = lib.mkOption { + type = types.str; + default = ""; + description = '' + Secret for the instance. + ''; + }; + + apiPort = mkOption { + type = types.port; + default = 3210; + description = '' + The TCP port to use for the API. + ''; + }; + + actionsPort = mkOption { + type = types.port; + default = 3211; + description = '' + The TCP port to use for the HTTP actions. + ''; + }; + + dashboardPort = mkOption { + type = types.port; + default = 6791; + description = '' + The TCP port to use for the Dashboard. + ''; + }; + + openFirewall = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for the server. + ''; + }; + + user = lib.mkOption { + type = types.str; + default = default_user; + description = '' + As which user to run the service. + ''; + }; + + group = lib.mkOption { + type = types.str; + default = default_group; + description = '' + As which group to run the service. + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.secret != ""; + message = '' + No secret provided for convex + ''; + } + ]; + + users = { + users.${cfg.user} = { + description = "System user for convex service"; + isSystemUser = true; + group = cfg.group; + }; + + groups.${cfg.group} = {}; + }; + + networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ]; + + environment.systemPackages = [ cfg.package ]; + + systemd.services.convex = { + description = "Convex Backend server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}"; + Type = "notify"; + + User = cfg.user; + Group = cfg.group; + + RuntimeDirectory = "convex"; + RuntimeDirectoryMode = "0775"; + StateDirectory = "convex"; + StateDirectoryMode = "0775"; + Umask = "0077"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + LockPersonality = true; + }; + }; + }; +} diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix deleted file mode 100644 index dbd6604..0000000 --- a/modules/nixos/services/persistance/postgesql/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.persistance.postgresql; -in -{ - options.${namespace}.services.persistance.postgresql = { - enable = mkEnableOption "Postgresql"; - }; - - config = mkIf cfg.enable { - services = { - postgresql = { - enable = true; - authentication = '' - # Generated file, do not edit! - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - }; - }; -} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index db8e162..0bb05f7 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -76,12 +76,6 @@ in "vault.kruining.eu".extraConfig = '' encode zstd gzip - handle_path /admin { - respond 401 { - close - } - } - reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { header_up X-Real-IP {remote_host} } diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix index 0faf8ce..9b9dc89 100644 --- a/modules/nixos/services/virtualisation/podman/default.nix +++ b/modules/nixos/services/virtualisation/podman/default.nix @@ -12,7 +12,6 @@ in config = mkIf cfg.enable { virtualisation = { containers.enable = true; - oci-containers.backend = "podman"; podman = { enable = true; diff --git a/packages/convex/default.nix b/packages/convex/default.nix new file mode 100644 index 0000000..9dab056 --- /dev/null +++ b/packages/convex/default.nix @@ -0,0 +1,59 @@ +{ + lib, + stdenv, + rustPlatform, + fetchFromGitHub, + + # dependencies + openssl, + pkg-config, + cmake, + llvmPackages, + postgresql, + sqlite, + + #options + dbBackend ? "postgresql", + + ... +}: +rustPlatform.buildRustPackage rec { + pname = "convex"; + version = "2025-08-20-c9b561e"; + + src = fetchFromGitHub { + owner = "get-convex"; + repo = "convex-backend"; + rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555"; + hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0="; + }; + + cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho="; + + cargoBuildFlags = [ + "-p" "local_backend" + "--bin" "convex-local-backend" + ]; + + env = { + LIBCLANG_PATH = "${llvmPackages.libclang}/lib"; + }; + + strictDeps = true; + + # Build-time dependencies + nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ]; + + # Run-time dependencies + buildInputs = + [ openssl ] + ++ lib.optional (dbBackend == "sqlite") sqlite + ++ lib.optional (dbBackend == "postgresql") postgresql; + + buildFeatures = ""; + + meta = with lib; { + license = licenses.fsl11Asl20; + mainProgram = "convex"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 3b35750..13b0f33 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -10,14 +10,11 @@ authentication.authelia.enable = true; authentication.zitadel.enable = true; - communication.conduit.enable = true; - development.forgejo.enable = true; networking.ssh.enable = true; media.enable = true; - media.homer.enable = true; media.nfs.enable = true; observability = { @@ -27,6 +24,8 @@ promtail.enable = true; }; + persistance.convex.enable = true; + security.vaultwarden.enable = true; };