diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml
deleted file mode 100644
index 684cfad..0000000
--- a/.forgejo/workflows/action.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Test action
-
-on:
- workflow_dispatch:
- push:
- branches:
- - main
-
-jobs:
- kaas:
- runs-on: nix
- steps:
- - name: Echo
- run: |
- nix --version
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 3cb44c3..87a3018 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,2 @@
-# ---> Nix
-# Ignore build outputs from performing a nix-build or `nix build` command
-result-*
-
-# Ignore automatically generated direnv output
-.direnv
-
+*.qcow2
diff --git a/.sops.yml b/.sops.yml
index 96e09c3..2d6e291 100644
--- a/.sops.yml
+++ b/.sops.yml
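Review bot: The rewritten .gitignore keeps only `*.qcow2` and drops `result-*` and `.direnv`, so `nix build` output links and the direnv cache become candidates for `git add` from now on; the `.direnv` directory in particular may hold a cached copy of the dev-shell environment, including any values an `.envrc` exports. Unless dropping them is intended, keep the old entries next to the new one: `result-*`, `.direnv`, `*.qcow2`.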
@@ -1,8 +1,57 @@
 keys:
- - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+ - home:
+ - &chris age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+ - system:
+ - &aule age
+ - &mandos age
+ - &manwe age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
+ - &melkor age
+ - &orome age
+ - &tulkas age
+ - &varda age
+ - &yavanna age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
 creation_rules:
- - path_regex: secrets/secrets.yml$
+ #===================================================================
+ # HOSTS
+ #===================================================================
+ - path_regex: systems/x86_64-linux/aule/secrets.yaml$
+ age: *aule
+
+ - path_regex: systems/x86_64-linux/mandos/secrets.yaml$
+ age: *mandos
+
+ - path_regex: systems/x86_64-linux/manwe/secrets.yaml$
 key_groups:
- - age:
- - *primary
+ - age:
+ - *manwe
+ - *yavanna
+
+ - path_regex: systems/x86_64-linux/melkor/secrets.yaml$
+ age: *melkor
+
+ - path_regex: systems/x86_64-linux/orome/secrets.yaml$
+ age: *orome
+
+ - path_regex: systems/x86_64-linux/tulkas/secrets.yaml$
+ age: *tulkas
+
+ - path_regex: systems/x86_64-linux/varda/secrets.yaml$
+ age: *varda
+
+ - path_regex: systems/x86_64-linux/yavanna/secrets.yaml$
+ age: *yavanna
+
+ #===================================================================
+ # USERS
+ #===================================================================
+ - path_regex: homes/x86_64-linux/chris@\w+/secrets.yaml$
+ age: *chris
+
+
+
+
+
+
+
+
diff --git a/README.md b/README.md
index 2eb75c9..db11887 100644
--- a/README.md
+++ b/README.md
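Review bot: Six of the new `system:` recipients (`&aule`, `&mandos`, `&melkor`, `&orome`, `&tulkas`, `&varda`) are the bare placeholder `age` rather than an `age1…` public key, so sops cannot parse them and will fail on any file matching those hosts' `path_regex` rules; commenting those rules out until the real keys exist, or marking each with `# TODO: real host key`, avoids a confusing failure later. `&yavanna` carries the same public key as `&chris`, and `&manwe` is the old `&primary` key — if yavanna is meant to have its own host key this is a copy-paste slip, and as written the user key alone decrypts yavanna's secrets. In the manwe rule, a single `key_groups` entry listing both `*manwe` and `*yavanna` means either key alone can decrypt; if both were meant to be required, put them in separate groups and set `shamir_threshold: 2`. The eight trailing blank lines at the end of the file can go.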
@@ -18,4 +18,5 @@ nix build .#install-isoConfigurations.minimal
 - [dafitt/dotfiles](https://github.com/dafitt/dotfiles/)
 - [khaneliman/khanelinix](https://github.com/khaneliman/khanelinix)
+- [alex007sirois/nix-config](https://github.com/alex007sirois/nix-config) (justfile)
 - [hmajid2301/nixicle](https://gitlab.com/hmajid2301/nixicle) (the GOAT, he did what I am aiming for!)
\ No newline at end of file
diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml
deleted file mode 100644
index 78b1a8c..0000000
--- a/_secrets/secrets.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
-example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
-#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
-#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
-example:
- my_subdir:
- my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
- ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
- YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
- dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
- Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-03-09T11:37:49Z"
- mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.9.4
-
-zitadel:
- masterKey: thisWillBeAnEncryptedValueInTheFuture
diff --git a/flake.lock b/flake.lock
index 51907f8..ef769ed 100644
--- a/flake.lock
+++ b/flake.lock
@@ -67,17 +67,37 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "owner": "nix-community", + "repo": "disko", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "erosanix": { "inputs": { "flake-compat": "flake-compat", "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1756593129, - "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=", + "lastModified": 1753879613, + "narHash": "sha256-oYhCJSAIZiu3maM2q6JBzh0+MYd4KTaq5eNFIstUurE=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd", + "rev": "0ad38bd182cd737f0f4b878ea04cb3676ecd4000", "type": "github" }, "original": { @@ -94,11 +114,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1756622179, - "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=", + "lastModified": 1754290399, + "narHash": "sha256-KwYm1/FeLqP9uE4Sbw+j2nI2/ErNbc9Mn+LPcrEOpX0=", "owner": "nix-community", "repo": "fenix", - "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79", + "rev": "f53ddf7518d85d59b58df6e9955b25b0ac25f569", "type": "github" }, "original": { @@ -114,11 +134,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1756643456, - "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=", + "lastModified": 1754311269, + "narHash": "sha256-y84Q8qS5acSxl3QsLLGs4DboPhM/AYUMiTsJJZwmQxY=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e", + "rev": "5a6856f353975206aec02373c18e8cea3fa6bb75", "type": "github" }, "original": { 
@@ -230,11 +250,11 @@ ] }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { @@ -411,11 +431,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1756381920, - "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=", + "lastModified": 1753279958, + "narHash": "sha256-EJ1udnwKYgWeAJzncAccbLPtbSWiuIANryXTGI9nY6w=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7", + "rev": "6c26f99622cb1c705b3fe2dbe1eb88521096b25a", "type": "github" }, "original": { @@ -432,11 +452,11 @@ ] }, "locked": { - "lastModified": 1756413980, - "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=", + "lastModified": 1754075821, + "narHash": "sha256-ihlkNqYsNgJPCDOE2LPpUl/ww3LBKfsxeWs2sivhb10=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a", + "rev": "f77821437959ecd67f2fb2b1266e5a644a46d149", "type": "github" }, "original": { 
@@ -452,32 +472,11 @@ ] }, "locked": { - "lastModified": 1756650373, - "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=", + "lastModified": 1754263839, + "narHash": "sha256-ck7lILfCNuunsLvExPI4Pw9OOCJksxXwozum24W8b+8=", "owner": "nix-community", "repo": "home-manager", - "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { - "inputs": { - "nixpkgs": [ - "zen-browser", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756842514, - "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", + "rev": "1d7abbd5454db97e0af51416f4960b3fb64a4773", "type": "github" }, "original": { @@ -494,11 +493,11 @@ ] }, "locked": { - "lastModified": 1756638688, - "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=", + "lastModified": 1754110197, + "narHash": "sha256-N7GWK2084EsNdwzwg6FCIgMrSau1WwzxGSNdPHx5Tak=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "e7b8679cba79f4167199f018b05c82169249f654", + "rev": "04ce5c103eb621220d69102bc0ee27c3abd89204", "type": "github" }, "original": { @@ -513,11 +512,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1754828166, - "narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=", + "lastModified": 1754223384, + "narHash": "sha256-pewBF80b4slivTMSeONyOPceyzUUlBLpVOxlGf0hFEY=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f01c8d121a3100230612be96e4ac668e15eafb77", + "rev": "2d6fee65844e851060a6817984248bcf8358c6b0", "type": "github" }, "original": { 
@@ -528,11 +527,11 @@ }, "mnw": { "locked": { - "lastModified": 1756580127, - "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=", + "lastModified": 1748710831, + "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=", "owner": "Gerg-L", "repo": "mnw", - "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252", + "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d", "type": "github" }, "original": { @@ -570,11 +569,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1756518625, - "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=", + "lastModified": 1754274768, + "narHash": "sha256-bI+Z15bpec7VEnxkrqOG+JX0bFa9CnVeg/uiaf8iiS0=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19", + "rev": "b54894d44fbe4d29c081ade695ffdb07bb21b322", "type": "github" }, "original": { @@ -642,11 +641,11 @@ ] }, "locked": { - "lastModified": 1755261305, - "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=", + "lastModified": 1754260137, + "narHash": "sha256-IViMH6Fwj8nwO1nuYCqOTpjm9OK9rQ0w8nmoOwPlo98=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "203a7b463f307c60026136dd1191d9001c43457f", + "rev": "57ba096649fa4e12dc564e8e3c529255baf89b35", "type": "github" }, "original": { @@ -657,11 +656,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754002724, - "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=", + "lastModified": 1751186460, + "narHash": "sha256-tSnI50oYaXOi/SFUmJC+gZ2xE9pAhTnV0D2/3JoKL7g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8271ed4b2e366339dd622f329151e45745ade121", + "rev": "dd5540905b1a13176efa13fa2f8dac776bcb275a", "type": "github" }, "original": { 
@@ -673,11 +672,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1754184128, + "narHash": "sha256-AjhoyBL4eSyXf01Bmc6DiuaMrJRNdWopmdnMY0Pa/M0=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "02e72200e6d56494f4a7c0da8118760736e41b60", "type": "github" }, "original": { @@ -704,11 +703,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1756578978, - "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=", + "lastModified": 1754284898, + "narHash": "sha256-wzM6HN0xxyooekXfl7p5P4Bn0LieOKOfsLg4DqY7XLk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23", + "rev": "114484ca7213ac06fa7907e58dd8ef9d801d39f0", "type": "github" }, "original": { @@ -736,11 +735,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1756653691, - "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=", + "lastModified": 1754315431, + "narHash": "sha256-fnVgd+mIJeR/fsaJB11KcTFjoJzLZNglLjVRtAzwcUI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b", + "rev": "66023e4de2495a69792a2b72bd131358b824d2e3", "type": "github" }, "original": { @@ -768,11 +767,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1756542300, - "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", + "lastModified": 1754214453, + "narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", + "rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376", "type": "github" }, "original": { 
@@ -784,11 +783,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1756536218, - "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=", + "lastModified": 1753432016, + "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1", + "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", "type": "github" }, "original": { @@ -864,11 +863,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1756646417, - "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=", + "lastModified": 1754137146, + "narHash": "sha256-V2AE32tLNvtYVBuc8ZRbkGjAZGsJchFbNVd6v5JXvg8=", "owner": "notashelf", "repo": "nvf", - "rev": "939fb8cfc630190cd5607526f81693525e3d593b", + "rev": "16d396f039ffefabf93b7b3261e2a17e2f84439b", "type": "github" }, "original": { @@ -887,11 +886,11 @@ ] }, "locked": { - "lastModified": 1756632588, - "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", + "lastModified": 1754241118, + "narHash": "sha256-nsBBqbAFB7lUYIh6S6l7fQ/ALDhCckp7+rqbY2767uE=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", + "rev": "968109159b4bbe4386ac281272ddcebeef09ebfc", "type": "github" }, "original": { @@ -902,6 +901,7 @@ }, "root": { "inputs": { + "disko": "disko", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", @@ -926,11 +926,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1756597274, - "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=", + "lastModified": 1754218780, + "narHash": "sha256-M+bLCsYRYA7iudlZkeOf+Azm/1TUvihIq51OKia6KJ8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30", + "rev": "8d75311400a108d7ffe17dc9c38182c566952e6e", "type": "github" }, "original": { 
@@ -967,11 +967,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1754988908, - "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", + "lastModified": 1752544651, + "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", + "rev": "2c8def626f54708a9c38a5861866660395bb3461", "type": "github" }, "original": { @@ -999,11 +999,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1755997543, - "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=", + "lastModified": 1754264048, + "narHash": "sha256-Yg1W0sFhBpnglfhWGlFmxzSmte1F157luHAADp5Hguk=", "owner": "nix-community", "repo": "stylix", - "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8", + "rev": "1b5e1c5642cf96e07daf14ae4c5ddd23d7ed5623", "type": "github" }, "original": { @@ -1185,19 +1185,18 @@ }, "zen-browser": { "inputs": { - "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1756876659, - "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=", - "owner": "0xc000022070", + "lastModified": 1727721329, + "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", + "owner": "MarceColl", "repo": "zen-browser-flake", - "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529", + "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", "type": "github" }, "original": { - "owner": "0xc000022070", + "owner": "MarceColl", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index 60e9853..fa4895c 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -24,14 +29,14 @@
 url = "github:nix-community/nixos-generators";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-
- # neovim
- nvf.url = "github:notashelf/nvf";
-
- # plymouth theme
- nixos-boot.url = "github:Melkor333/nixos-boot";
-
- firefox.url = "github:nix-community/flake-firefox-nightly";
+
+ nixos-wsl = {
+ url = "github:nix-community/nixos-wsl";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ flake-compat.follows = "";
+ };
+ };
 stylix.url = "github:nix-community/stylix";
@@ -41,7 +46,13 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- zen-browser.url = "github:0xc000022070/zen-browser-flake";
+ # neovim
+ nvf.url = "github:notashelf/nvf";
+
+ # plymouth theme
+ nixos-boot.url = "github:Melkor333/nixos-boot";
+
+ zen-browser.url = "github:MarceColl/zen-browser-flake";
 nix-minecraft.url = "github:Infinidoge/nix-minecraft";
@@ -63,18 +74,10 @@
 url = "github:Jovian-Experiments/Jovian-NixOS";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-
+
 grub2-themes = {
 url = "github:vinceliuice/grub2-themes";
 };
-
- nixos-wsl = {
- url = "github:nix-community/nixos-wsl";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- flake-compat.follows = "";
- };
- };
 };
 outputs = inputs: inputs.snowfall-lib.mkFlake {
@@ -93,15 +96,8 @@
 channels-config = {
 allowUnfree = true;
 permittedInsecurePackages = [
- # Due to *arr stack
 "dotnet-sdk-6.0.428"
 "aspnetcore-runtime-6.0.36"
-
- # I think this is because of zen
- "qtwebengine-5.15.19"
-
- # For Nheko, the matrix client
- "olm-3.2.16"
 ];
 };
@@ -110,10 +106,10 @@
 nix-minecraft.overlay
 flux.overlays.default
 ];
-
+
 homes.modules = with inputs; [
 stylix.homeModules.stylix
- plasma-manager.homeModules.plasma-manager
+ plasma-manager.homeManagerModules.plasma-manager
 ];
 };
 }
diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix
index abeb606..cd6fa1a 100644
--- a/homes/x86_64-linux/chris@manwe/default.nix
+++ b/homes/x86_64-linux/chris@manwe/default.nix
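Review bot: `zen-browser.url` now points at `github:MarceColl/zen-browser-flake`, and the matching flake.lock entry pins that input at lastModified 1727721329 where the previous `0xc000022070` input was at 1756876659 — almost a year older — so the browser this builds will lag upstream security fixes unless that fork is actively maintained. Every other changed `lastModified` in flake.lock decreases as well (nixpkgs 1754002724 → 1751186460, for example), so this looks like a rollback of the whole input set rather than an update; if that is deliberate, a comment on the `zen-browser.url` line such as `# MarceColl fork: <reason>` and a note on why the lock moved backward would save the next reader a bisect. The `permittedInsecurePackages` hunk further down, which removes the `qtwebengine-5.15.19` and `olm-3.2.16` exceptions, is a welcome cleanup.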
@@ -35,7 +35,6 @@
 bitwarden.enable = true;
 discord.enable = true;
 ladybird.enable = true;
- nheko.enable = true;
 obs.enable = true;
 onlyoffice.enable = true;
 signal.enable = true;
diff --git a/homes/x86_64-linux/chris@manwe/secrets.yaml b/homes/x86_64-linux/chris@manwe/secrets.yaml
new file mode 100644
index 0000000..0af2506
--- /dev/null
+++ b/homes/x86_64-linux/chris@manwe/secrets.yaml
@@ -0,0 +1,21 @@
+user_level_secrets: ENC[AES256_GCM,data:TNT+via+r4bpgROz,iv:cVO6/r4Aovr5uJFhU87mE5XwRJ518y4OJdHo4m92ahM=,tag:jYInD+euh7k1zSnMRppI5Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYVRQTEVSMWM3WXY3eTdW
+ ZkUwSnNidlJwWGVETURpNUJRRUllYXo4WjNvCmxmN21qVzNFV3N4UVR6WEV1am1W
+ eW1KTk9HVDluek1BUnBmSGI3Y2ZqaDQKLS0tIHlMYldYMTVORVNWbEgrWlBSanRM
+ bUZiMHlOU3pxYUhQSTREb0l4TmFlOEkKiasV2H481aJzAvEAvyeWqGYDOW+WKRFX
+ yyocZDo0o1lHz/gNXoC0/ujU+O3rSXdsy6Qdz6Rm+xeFUfe4KoD4bg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-08-11T13:21:38Z"
+ mac: ENC[AES256_GCM,data:kfMcZuYuQqxxfqtyfH7DltSkq8YNz+vroB+ZQKTIpCNC/W6vJP1o23/xLRzdnEgnnH5GfgZQFAK8Am00/bUD2BgEPyXxXNf1lG70ocFbRM9htii92BFfHgfi25zlEqCO7yrudm1HEJyYrFbZnT63H6u1OgWSC38CzEZTBsCE0kU=,iv:feWGBau48s2GSvZjnKPfP2z46SBuHbh//4zzcLv+MTY=,tag:D86akwawLxobhEu2AvBFKg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..70450dd
--- /dev/null
+++ b/justfile
@@ -0,0 +1,24 @@
+[private]
+default:
+ @just -l
+
+[doc('Update flake dependencies')]
+update:
+ nix flake update
+
+[doc('install nixos on a system (uses nix-anywhere)
+> profile: Which profile to use
+> host: How to reach the target system in the standard format of `user@host`
+')]
+install profile host:
+ nix run nixpkgs#nixos-anywhere -- \
+ --flake .#{{profile}} \
+ --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \
+ {{host}}
+
+[doc('builds the configuration for the host')]
+build host:
+ nh os build . -H {{host}}
+
+edit-secrets target:
+ sops --config "{{justfile_directory()}}/.sops.yml" edit "{{justfile_directory()}}/{{ if target =~ ".+@.+" { "homes" } else { "systems" } }}/x86_64-linux/{{target}}/secrets.yaml"
\ No newline at end of file
diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix
deleted file mode 100644
index b04b375..0000000
--- a/modules/home/application/nheko/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, pkgs, namespace, osConfig ? {}, ... }:
-let
- inherit (lib) mkIf mkEnableOption;
-
- cfg = config.${namespace}.application.nheko;
-in
-{
- options.${namespace}.application.nheko = {
- enable = mkEnableOption "enable nheko (matrix client)";
- };
-
- config = mkIf cfg.enable {
- home.packages = with pkgs; [ nheko ];
- };
-}
diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix
index 4995216..ad4cb92 100644
--- a/modules/home/application/zen/default.nix
+++ b/modules/home/application/zen/default.nix
@@ -5,15 +5,13 @@ let
 cfg = config.${namespace}.application.zen;
 in
 {
- imports = [
- inputs.zen-browser.homeModules.default
- ];
-
 options.${namespace}.application.zen = {
 enable = mkEnableOption "enable zen";
 };
 config = mkIf cfg.enable {
+ home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ];
+
 home.sessionVariables = {
 MOZ_ENABLE_WAYLAND = "1";
 };
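Review bot: In `edit-secrets`, `target` is spliced into a double-quoted shell string, so a value containing `$`, backticks or `"` is expanded by the shell and a `../` segment walks outside the repo; since the only valid shapes are `host` or `user@host`, validate first, e.g. `{{ if target =~ '^[\w-]+@[\w-]+$' { "homes" } else if target =~ '^[\w-]+$' { "systems" } else { error("target must be host or user@host") } }}` in place of the current `if target =~ ".+@.+"` test. Two smaller points: the `install` doc string says `nix-anywhere` while the command on the next lines is `nixos-anywhere`, and `--generate-hardware-config … ./hardware-configuration.nix` writes into the repo root rather than the profile's own directory, which the `systems/x86_64-linux/<host>/` paths in `.sops.yml` suggest is where per-host files are kept.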
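Review bot: Dropping `imports = [ inputs.zen-browser.homeModules.default ]` removes the module that presumably declared the option the `policies = { … }` block in the next hunk is assigned to; if nothing else declares it, evaluation now fails, and if another module does, the policies may silently stop reaching the browser that `home.packages` now installs. Worth confirming which it is, and a line such as `# policies applied via <mechanism>` next to the new `home.packages` line would record the answer. Style: prefer `pkgs.stdenv.hostPlatform.system` over `pkgs.system` in `inputs.zen-browser.packages.${pkgs.system}.specific`. The module body continues outside this hunk.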
@@ -22,42 +20,20 @@ in
 policies = {
 AutofillAddressEnabled = true;
 AutofillCreditCardEnabled = false;
-
- AppAutoUpdate = false;
 DisableAppUpdate = true;
- ManualAppUpdateOnly = true;
-
 DisableFeedbackCommands = true;
 DisableFirefoxStudies = true;
 DisablePocket = true;
 DisableTelemetry = true;
-
- DontCheckDefaultBrowser = false;
+ # DontCheckDefaultBrowser = false;
 NoDefaultBookmarks = true;
- OfferToSaveLogins = false;
+ # OfferToSaveLogins = false;
 EnableTrackingProtection = {
 Value = true;
 Locked = true;
 Cryptomining = true;
 Fingerprinting = true;
 };
-
- HttpAllowlist = [
- "http://ulmo"
- ];
- };
-
- policies.ExtensionSettings = let
- mkExtension = id: {
- install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi";
- installation_mode = "force_installed";
- };
- in
- {
- ublock_origin = 4531307;
- ghostry = 4562168;
- bitwarden = 4562769;
- sponsorblock = 4541835;
 };
 };
 };
diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix
index 5f3be03..93bae2e 100644
--- a/modules/home/home-manager/default.nix
+++ b/modules/home/home-manager/default.nix
@@ -4,9 +4,7 @@ let
 in
 {
 systemd.user.startServices = "sd-switch";
- programs.home-manager = {
- enable = true;
- };
+ programs.home-manager.enable = true;
 home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05");
-}
+}
\ No newline at end of file
diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix
deleted file mode 100644
index 1a5a964..0000000
--- a/modules/nixos/home-manager/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- config = {
- home-manager.backupFileExtension = "back";
- };
-}
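Review bot: Commenting out `OfferToSaveLogins = false` re-enables the browser's own password-save prompt, and deleting the `policies.ExtensionSettings` block means uBlock Origin and Bitwarden are no longer force-installed — both are policy regressions that look incidental to the packaging change rather than intended. If the policy block no longer takes effect after the import removal in the previous hunk, keeping these lines costs nothing and preserves the intent for whatever mechanism replaces it; if they were dropped on purpose, a one-line comment such as `# extensions managed manually` would say so. Removing `AppAutoUpdate` and `ManualAppUpdateOnly` is harmless while `DisableAppUpdate = true` stays. The surrounding module continues outside the hunk.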
diff --git a/modules/nixos/services/authentication/authelia/default.nix b/modules/nixos/services/authentication/authelia.nix
similarity index 90%
rename from modules/nixos/services/authentication/authelia/default.nix
rename to modules/nixos/services/authentication/authelia.nix
index 9990003..e706439 100644
--- a/modules/nixos/services/authentication/authelia/default.nix
+++ b/modules/nixos/services/authentication/authelia.nix
@@ -130,23 +130,6 @@ in
 scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
 redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
 }
- {
- client_id = "forgejo";
- client_name = "forgejo";
- # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
- client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
- public = false;
- require_pkce = true;
- pkce_challenge_method = "S256";
- token_endpoint_auth_method = "client_secret_post";
- authorization_policy = "one_factor";
- userinfo_signed_response_alg = "none";
- consent_mode = "implicit";
- scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
- response_types = [ "code" ];
- grant_types = [ "authorization_code" ];
- redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ];
- }
 ];
 };
 };
diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix
new file mode 100644
index 0000000..c157af7
--- /dev/null
+++ b/modules/nixos/services/authentication/default.nix
@@ -0,0 +1 @@
+{ ... }: {}
diff --git a/modules/nixos/services/authentication/himmelblau/default.nix b/modules/nixos/services/authentication/himmelblau.nix
similarity index 100%
rename from modules/nixos/services/authentication/himmelblau/default.nix
rename to modules/nixos/services/authentication/himmelblau.nix
diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel.nix
new file mode 100644
index 0000000..6142857
--- /dev/null
+++ b/modules/nixos/services/authentication/zitadel.nix
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.services.authentication.zitadel;
+
+ db_name = "zitadel";
+ db_user = "zitadel";
+in
+{
+ options.${namespace}.services.authentication.zitadel = {
+ enable = mkEnableOption "Zitadel";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ zitadel
+ ];
+
+ services = {
+ zitadel = {
+ enable = true;
+ openFirewall = true;
+ masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
+ tlsMode = "external";
+ settings = {
+ Port = 9092;
+ Database = {
+ Host = "/run/postgresql";
+ # Zitadel will report error if port is not set
+ Port = 5432;
+ Database = db_name;
+ User.Username = db_user;
+ };
+ };
+ steps = {
+ TestInstance = {
+ InstanceName = "Zitadel test";
+ Org = {
+ Name = "Kruining.eu";
+ Human = {
+ UserName = "admin";
+ Password = "kaas";
+ };
+ };
+ };
+ };
+ };
+
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ db_name ];
+ ensureUsers = [
+ {
+ name = db_user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ caddy = {
+ enable = true;
+ virtualHosts = {
+ "auth-z.kruining.eu".extraConfig = ''
+ reverse_proxy h2c://127.0.0.1:9092
+ '';
+ };
+ # extraConfig = ''
+ # (auth) {
+ # forward_auth h2c://127.0.0.1:9092 {
+ # uri /api/authz/forward-auth
+ # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ # }
+ # }
+ # '';
+ };
+ };
+
+ # Secrets
+ sops.secrets."zitadel/masterKey" = {
+ owner = "zitadel";
+ group = "zitadel";
+ restartUnits = [ "zitadel.service" ];
+ };
+ };
+}
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
deleted file mode 100644
index 2f65f6f..0000000
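Review bot: `steps.TestInstance.Org.Human.Password = "kaas"` puts the bootstrap admin credential in cleartext into the generated steps file in the world-readable Nix store, and now into VCS; since `masterKeyFile` in the same block already comes from sops (`config.sops.secrets."zitadel/masterKey".path`), the password should take the same route — the NixOS module's `extraStepsPaths` option, if your nixpkgs has it, accepts a sops-managed YAML fragment so the `Password` line can leave `steps` entirely (note also that the key is `TestInstance`, whereas the deleted `zitadel/default.nix` used `FirstInstance`, which is the name Zitadel's own steps file uses as far as I know, so this block may be ignored altogether). `openFirewall = true` together with `tlsMode = "external"` opens port 9092, on which Zitadel serves plaintext h2c, to the network while Caddy already proxies to `127.0.0.1:9092`; `openFirewall = false` (or omitting it) is enough. The deleted module set `ExternalDomain`, `ExternalPort` and `ExternalSecure` and this file does not; behind a TLS-terminating proxy Zitadel needs them to accept requests for `auth-z.kruining.eu` and to issue https URLs and Secure cookies, so they probably need to come back. Separately, the credentials removed elsewhere in this commit — the forgejo `client_secret` and its plaintext comment in authelia.nix, the runner `token` in the deleted forgejo module, and the instance password in the deleted zitadel module — remain in git history and should be treated as disclosed and rotated.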
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ /dev/null 
@@ -1,142 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.authentication.zitadel; - - db_name = "zitadel"; - db_user = "zitadel"; -in -{ - options.${namespace}.services.authentication.zitadel = { - enable = mkEnableOption "Zitadel"; - }; - - config = mkIf cfg.enable { - ${namespace}.services.persistance.postgresql.enable = true; - - environment.systemPackages = with pkgs; [ - zitadel - ]; - - services = { - zitadel = { - enable = true; - openFirewall = true; - # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; - masterKeyFile = "/var/lib/zitadel/master_key"; - tlsMode = "external"; - settings = { - Port = 9092; - - ExternalDomain = "auth.amarth.cloud"; - ExternalPort = 443; - ExternalSecure = true; - - Metrics.Type = "otel"; - Tracing.Type = "otel"; - Telemetry.Enabled = true; - - SystemDefaults = { - PasswordHasher.Hasher.Algorithm = "argon2id"; - SecretHasher.Hasher.Algorithm = "argon2id"; - }; - - DefaultInstance = { - PasswordComplexityPolicy = { - MinLength = 20; - HasLowercase = false; - HasUppercase = false; - HasNumber = false; - HasSymbol = false; - }; - LoginPolicy = { - AllowRegister = false; - ForceMFA = true; - }; - LockoutPolicy = { - MaxPasswordAttempts = 5; - MaxOTPAttempts = 10; - }; - SMTPConfiguration = { - SMTP = { - Host = "black-mail.nl:587"; - User = "info@amarth.cloud"; - Password = "__TODO_USE_SOPS__"; - }; - FromName = "Amarth Zitadel"; - }; - }; - - Database.postgres = { - Host = "localhost"; - # Zitadel will report error if port is not set - Port = 5432; - Database = db_name; - User = { - Username = db_user; - SSL.Mode = "disable"; - }; - Admin = { - Username = "postgres"; - SSL.Mode = "disable"; - }; - }; - }; - steps = { - FirstInstance = { - InstanceName = "auth.amarth.cloud"; - Org = { - Name = "Amarth"; - Human = { - UserName = "chris"; - FirstName = "Chris"; - LastName = "Kruining"; - Email = { - Address = "chris@kruining.eu"; - Verified = 
true; - }; - Password = "KaasIsAwesome1!"; - }; - }; - }; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - }; - - caddy = { - enable = true; - virtualHosts = { - "auth.amarth.cloud".extraConfig = '' - reverse_proxy h2c://127.0.0.1:9092 - ''; - }; - extraConfig = '' - (auth-z) { - forward_auth h2c://127.0.0.1:9092 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; - }; - - # Secrets - sops.secrets."zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; - }; - }; -} diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix deleted file mode 100644 index aa4d5c1..0000000 --- a/modules/nixos/services/communication/conduit/default.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.communication.conduit; - domain = "matrix.kruining.eu"; -in -{ - options.${namespace}.services.communication.conduit = { - enable = mkEnableOption "conduit (Matrix server)"; - }; - - config = mkIf cfg.enable { - # ${namespace}.services = { - # persistance.postgresql.enable = true; - # virtualisation.podman.enable = true; - # }; - - services = { - matrix-conduit = { - enable = true; - - settings.global = { - address = "::1"; - port = 4001; - - database_backend = "rocksdb"; - - server_name = "chris-matrix"; - }; - }; - - # postgresql = { - # enable = true; - # ensureDatabases = [ "conduit" ]; - # ensureUsers = [ - # { - # name = "conduit"; - # ensureDBOwnership = true; - # } - # ]; - # }; - - caddy = { - enable = true; - virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z - - # reverse_proxy http://127.0.0.1:5002 - ''; - }; - }; - }; - }; -} 
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix deleted file mode 100644 index 46e0995..0000000 --- a/modules/nixos/services/development/forgejo/default.nix +++ /dev/null 
@@ -1,169 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.development.forgejo; - domain = "git.amarth.cloud"; -in -{ - options.${namespace}.services.development.forgejo = { - enable = mkEnableOption "Forgejo"; - }; - - config = mkIf cfg.enable { - ${namespace}.services = { - persistance.postgresql.enable = true; - virtualisation.podman.enable = true; - }; - - environment.systemPackages = with pkgs; [ forgejo ]; - - services = { - forgejo = { - enable = true; - useWizard = false; - database.type = "postgres"; - - settings = { - DEFAULT = { - APP_NAME = "Tamin Amarth"; - APP_SLOGAN = "Where code is forged"; - }; - - server = { - DOMAIN = domain; - ROOT_URL = "https://${domain}/"; - HTTP_PORT = 5002; - LANDING_PAGE = "explore"; - }; - - cors = { - ENABLED = true; - ALLOW_DOMAIN = "https://*.amarth.cloud"; - }; - - security = { - INSTALL_LOCK = true; - PASSWORD_HASH_ALGO = "argon2"; - DISABLE_WEBHOOKS = true; - }; - - ui = { - EXPLORE_PAGING_NUM = 50; - ISSUE_PAGING_NUM = 50; - MEMBERS_PAGING_NUM = 50; - }; - - "ui.meta" = { - AUTHOR = "Where code is forged!"; - DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future"; - }; - - admin = { - USER_DISABLED_FEATURES = "manage_gpg_keys"; - EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys"; - }; - - service = { - # Auth - ENABLE_BASIC_AUTHENTICATION = false; - DISABLE_REGISTRATION = false; - ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - SHOW_REGISTRATION_BUTTON = false; - - # Privacy - DEFAULT_KEEP_EMAIL_PRIVATE = true; - DEFAULT_USER_VISIBILITY = "private"; - DEFAULT_ORG_VISIBILITY = "private"; - - # Common sense - VALID_SITE_URL_SCHEMES = "https"; - }; - - openid = { - ENABLE_OPENID_SIGNIN = true; - ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "https://auth.amarth.cloud"; - }; - - oauth2_client = { - ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = true; - ACCOUNT_LINKING = "auto"; - }; - - actions = { - 
ENABLED = true; - # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; - }; - - other = { - SHOW_FOOTER_VERSION = false; - SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; - }; - - api = { - ENABLE_SWAGGER = false; - }; - - mirror = { - ENABLED = false; - }; - - session = { - PROVIDER = "db"; - COOKIE_SECURE = true; - }; - - mailer = { - ENABLED = true; - PROTOCOL = "smtp+starttls"; - SMTP_ADDR = "black-mail.nl"; - SMTP_PORT = 587; - FROM = "info@amarth.cloud"; - USER = "info@amarth.cloud"; - PASSWD = "__TODO_USE_SOPS__"; - }; - }; - }; - - openssh.settings.AllowUsers = [ "forgejo" ]; - - gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = "default"; - url = "https://git.amarth.cloud"; - # Obtaining the path to the runner token file may differ - # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - # tokenFile = config.age.secrets.forgejo-runner-token.path; - token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; - labels = [ - "default:docker://nixos/nix:latest" - "ubuntu:docker://ubuntu:24-bookworm" - "nix:docker://git.amarth.cloud/amarth/runners/default:latest" - ]; - settings = { - log.level = "info"; - }; - }; - }; - - caddy = { - enable = true; - virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z - - # stupid dumb way to prevent the login page and go to zitadel instead - # be aware that this does not disable local login at all! - # rewrite /user/login /user/oauth2/Zitadel - - reverse_proxy http://127.0.0.1:5002 - ''; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index bc41fb4..7d76794 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix 
@@ -66,73 +66,33 @@ in
 # Services
 #=========================================================================
 services = let
- arrService = {
+ serviceConf = {
 enable = true;
 openFirewall = true;
-
- settings = {
- auth.AuthenticationMethod = "External";
-
- # postgres = {
- # PostgresHost = "localhost";
- # PostgresPort = "5432";
- # PostgresUser = "media";
- # };
- };
- };
-
- withPort = port: service: service // { settings.server.Port = builtins.toString port; };
-
- withUserAndGroup = service: service // { user = cfg.user; group = cfg.group; };
 in
 {
- radarr =
- arrService
- |> withPort 2001
- |> withUserAndGroup;
+ jellyfin = serviceConf;
+ radarr = serviceConf;
+ sonarr = serviceConf;
+ bazarr = serviceConf;
+ lidarr = serviceConf;
- sonarr =
- arrService
- |> withPort 2002
- |> withUserAndGroup;
-
- lidarr =
- arrService
- |> withPort 2003
- |> withUserAndGroup;
-
- prowlarr =
- arrService
- |> withPort 2004;
-
- bazarr = {
+ jellyseerr = {
 enable = true;
 openFirewall = true;
- user = cfg.user;
- group = cfg.group;
- listenPort = 2005;
 };
- # port is harcoded in nixpkgs module
- jellyfin = {
+ prowlarr = {
 enable = true;
 openFirewall = true;
- user = cfg.user;
- group = cfg.group;
- };
-
- flaresolverr = {
- enable = true;
- openFirewall = true;
- port = 2007;
 };
 qbittorrent = {
 enable = true;
 openFirewall = true;
- webuiPort = 2008;
+ webuiPort = 5000;
 serverConfig = {
 LegalNotice.Accepted = true;
@@ -142,7 +102,6 @@ in
 group = cfg.group;
 };
- # port is harcoded in nixpkgs module
 sabnzbd = {
 enable = true;
 openFirewall = true;
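Review bot: The shared `serviceConf` at the top of the hunk drops the `user = cfg.user; group = cfg.group;` that the removed `withUserAndGroup` applied to radarr, sonarr, lidarr and bazarr (and that jellyfin set directly), while qbittorrent and sabnzbd still carry `group = cfg.group;` in the context lines. If those services exchange files under `cfg.path`, the *arr services now run as their per-service default accounts and may be unable to read or write what the downloaders produce; either add `user`/`group` back into `serviceConf` or leave a comment explaining why only the downloaders run as `cfg.user`. The removed `auth.AuthenticationMethod = "External"` also means every web UI exposed by `openFirewall = true` now depends on each application's own default authentication, which is worth confirming in a one-line comment given that the Caddy forward-auth snippet is deleted elsewhere in this commit. The enclosing `services = let … in { … }` block continues outside the hunk.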
@@ -152,49 +111,46 @@ in
 group = cfg.group;
 };
- # postgresql = {
- # enable = true;
- # ensureDatabases = [
- # "radarr-main" "radarr-log"
- # "sonarr-main" "sonarr-log"
- # "lidarr-main" "lidarr-log"
- # "prowlarr-main" "prowlarr-log"
- # ];
- # identMap = ''
- # media media radarr-main
- # media media radarr-log
- # media media sonarr-main
- # media media sonarr-log
- # media media lidarr-main
- # media media lidarr-log
- # media media prowlarr-main
- # media media prowlarr-log
- # '';
- # ensureUsers = [
- # { name = "radarr-main"; ensureDBOwnership = true; }
- # { name = "radarr-log"; ensureDBOwnership = true; }
-
- # { name = "sonarr-main"; ensureDBOwnership = true; }
- # { name = "sonarr-log"; ensureDBOwnership = true; }
-
- # { name = "lidarr-main"; ensureDBOwnership = true; }
- # { name = "lidarr-log"; ensureDBOwnership = true; }
-
- # { name = "prowlarr-main"; ensureDBOwnership = true; }
- # { name = "prowlarr-log"; ensureDBOwnership = true; }
- # ];
- # };
-
 caddy = {
 enable = true;
 virtualHosts = {
+ "media.kruining.eu".extraConfig = ''
+ import auth
+
+ reverse_proxy http://127.0.0.1:9494
+ '';
 "jellyfin.kruining.eu".extraConfig = ''
- reverse_proxy http://[::1]:8096
+ reverse_proxy http://127.0.0.1:8096
 '';
 };
 };
 };
 systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
+
+ ${namespace}.services.virtualisation.podman.enable = true;
+
+ virtualisation = {
+ oci-containers = {
+ backend = "podman";
+
+ containers = {
+ flaresolverr = {
+ image = "flaresolverr/flaresolverr";
+ autoStart = true;
+ ports = [ "127.0.0.1:8191:8191" ];
+ };
+
+ reiverr = {
+ image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
+ autoStart = true;
+ ports = [ "127.0.0.1:9494:9494" ];
+ volumes = [ "${cfg.path}/reiverr/config:/config" ];
+ };
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
 };
 }
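Review bot: `import auth` in the new `media.kruining.eu` vhost references a Caddy snippet that this module does not define, and the only snippet visible in this diff, `(auth-z)`, is removed together with the zitadel module; unless `auth` is defined in another Caddy fragment, Caddy will reject the whole configuration at load with an undefined-import error and take the jellyfin vhost down with it. The `flaresolverr/flaresolverr` image carries no tag or digest, so every pull follows a mutable `latest`; pin it the way reiverr is pinned, e.g. `image = "flaresolverr/flaresolverr:<tested-version>";`. `networking.firewall.allowedTCPPorts = [ 80 443 6969 ]` leaves 6969 unexplained; a comment such as `# 6969: <service that listens here>` would spare the next reader a search.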
diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix
deleted file mode 100644
index 8fd0ac6..0000000
--- a/modules/nixos/services/media/homer/default.nix
+++ /dev/null
@@ -1,161 +0,0 @@ -{ config, lib, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.media.homer; -in -{ - options.${namespace}.services.media.homer = { - enable = mkEnableOption "Enable homer"; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 2000 ]; - - services = { - homer = { - enable = true; - - virtualHost = { - caddy.enable = true; - domain = "http://:2000"; - }; - - settings = { - title = "Ulmo dashboard"; - - columns = 4; - connectivityCheck = true; - - links = []; - - services = [ - { - name = "Services"; - items = [ - { - name = "Zitadel"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; - tag = "app"; - url = "https://auth.amarth.cloud"; - target = "_blank"; - } - - { - name = "Forgejo"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; - tag = "app"; - type = "Gitea"; - url = "https://git.amarth.cloud"; - target = "_blank"; - } - - { - name = "Vaultwarden"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; - type = "Vaultwarden"; - tag = "app"; - url = "https://vault.kruining.eu"; - target = "_blank"; - } - ]; - } - - { - name = "Observability"; - items = [ - { - name = "Grafana"; - type = "Grafana"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; - target = "_blank"; - } - - { - name = "Prometheus"; - type = "Prometheus"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; - target = "_blank"; - } - ]; - } - - { - name = "Media"; - items = [ - { - name = "Jellyfin (Movies)"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; - tag = "app"; - type = "Emby"; - url = 
"http://${config.networking.hostName}:8096"; - apikey = "e3ceed943eeb409ba8342738db7cc1f5"; - libraryType = "movies"; - target = "_blank"; - } - - { - name = "Radarr"; - type = "Radarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Sonarr"; - type = "Sonarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Lidarr"; - type = "Lidarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Prowlarr"; - type = "Prowlarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "qBittorrent"; - type = "qBittorrent"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; - target = "_blank"; - } - - { - name = "SABnzbd"; - type = "SABnzbd"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:8080"; - target = "_blank"; - } - ]; - } - ]; - }; - }; - }; - }; -} 
diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud.nix
similarity index 96%
rename from modules/nixos/services/media/nextcloud/default.nix
rename to modules/nixos/services/media/nextcloud.nix
index 14d6863..658a5b4 100644
--- a/modules/nixos/services/media/nextcloud/default.nix
+++ b/modules/nixos/services/media/nextcloud.nix
@@ -6,7 +6,7 @@ let
 cfg = config.${namespace}.services.media.nextcloud;
 in
 {
- options.${namespace}.services.media.nextcloud = {
+ options.modules.services.nextcloud = {
 enable = mkEnableOption "Nextcloud";
 user = mkOption {
@@ -40,7 +40,7 @@ in
 services.nextcloud = {
 enable = true;
- # webserver = "caddy";
+ webserver = "caddy";
 package = pkgs.nextcloud31;
 hostName = "localhost";
diff --git a/modules/nixos/services/media/nfs/default.nix b/modules/nixos/services/media/nfs.nix
similarity index 79%
rename from modules/nixos/services/media/nfs/default.nix
rename to modules/nixos/services/media/nfs.nix
index 54b58e7..7674e69 100644
--- a/modules/nixos/services/media/nfs/default.nix
+++ b/modules/nixos/services/media/nfs.nix
@@ -2,10 +2,10 @@ let
 inherit (lib) mkIf mkEnableOption;
- cfg = config.${namespace}.services.media.nfs;
+ cfg = config.${namespace}.media.nfs;
 in
 {
- options.${namespace}.services.media.nfs = {
+ options.${namespace}.media.nfs = {
 enable = mkEnableOption "Enable NFS";
 };
diff --git a/modules/nixos/services/observability/grafana/dashboards/default.json b/modules/nixos/services/observability/grafana/dashboards/default.json
deleted file mode 100644
index f8ea8dc..0000000
--- a/modules/nixos/services/observability/grafana/dashboards/default.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "title": "Default Dash",
- "description": "The default dashboard",
- "timezone": "browser",
- "editable": false,
- "panels": []
-}
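Review bot: `options.modules.services.nextcloud = {` in the first nextcloud hunk no longer matches the context line `cfg = config.${namespace}.services.media.nextcloud;`, so the module declares its `enable` option at one path and reads it from another; evaluation of `cfg.enable` will fail with a missing-attribute error. Keep the two in step, e.g. `options.${namespace}.services.media.nextcloud = {`, or move `cfg` to the new path. The nfs hunk on this same line changes `cfg` and `options` together, which is the pattern to follow.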
diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix
deleted file mode 100644
index c399729..0000000
--- a/modules/nixos/services/observability/grafana/default.nix
+++ /dev/null
@@ -1,130 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; - - cfg = config.${namespace}.services.observability.grafana; - - db_user = "grafana"; - db_name = "grafana"; -in -{ - options.${namespace}.services.observability.grafana = { - enable = mkEnableOption "enable Grafana"; - }; - - config = mkIf cfg.enable { - services = { - grafana = { - enable = true; - openFirewall = true; - - settings = { - server = { - http_port = 9001; - http_addr = "0.0.0.0"; - domain = "ulmo"; - }; - - auth = { - disable_login_form = false; - oauth_auto_login = true; - }; - - "auth.basic".enable = false; - "auth.generic_oauth" = { - enable = true; - name = "Zitadel"; - client_id = "334170712283611395"; - client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; - scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; - email_attribute_path = "email"; - login_attribute_path = "username"; - name_attribute_path = "full_name"; - role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; - auth_url = "https://auth.amarth.cloud/oauth/v2/authorize"; - token_url = "https://auth.amarth.cloud/oauth/v2/token"; - api_url = "https://auth.amarth.cloud/oidc/v1/userinfo"; - allow_sign_up = true; - auto_login = true; - use_pkce = true; - usr_refresh_token = true; - allow_assign_grafana_admin = true; - }; - - database = { - type = "postgres"; - host = "/var/run/postgresql:5432"; - name = db_name; - user = db_user; - ssl_mode = "disable"; - }; - - users = { - allow_sign_up = false; - allow_org_create = false; - viewers_can_edit = false; - - default_theme = "system"; - }; - - analytics = { - reporting_enabled = false; - check_for_updates = false; - check_for_plugin_updates = false; - feedback_links_enabled = false; - }; - }; - - provision = { - enable = 
true; - - dashboards.settings = { - apiVersion = 1; - providers = [ - { - name = "Default Dashboard"; - disableDeletion = true; - allowUiUpdates = false; - options = { - path = "/etc/grafana/dashboards"; - foldersFromFilesStructure = true; - }; - } - ]; - }; - - datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:9005"; - isDefault = true; - editable = false; - } - - { - name = "Loki"; - type = "loki"; - url = "http://localhost:9003"; - editable = false; - } - ]; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - }; - }; - - environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; - }; -} diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix deleted file mode 100644 index 8f6e0e3..0000000 --- a/modules/nixos/services/observability/loki/default.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; - - cfg = config.${namespace}.services.observability.loki; -in -{ - options.${namespace}.services.observability.loki = { - enable = mkEnableOption "enable Grafana Loki"; - }; - - config = mkIf cfg.enable { - services.loki = { - enable = true; - configuration = { - auth_enabled = false; - - server = { - http_listen_port = 9003; - }; - - common = { - ring = { - instance_addr = "127.0.0.1"; - kvstore.store = "inmmemory"; - }; - replication_factor = 1; - path_prefix = "/tmp/loki"; - }; - - schema_config.configs = [ - { - from = "2025-01-01"; - store = "tsdb"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - }; - }; - - networking.firewall.allowedTCPPorts = [ 9003 ]; - }; -} 
diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix deleted file mode 100644 index af5ee9d..0000000 --- a/modules/nixos/services/observability/prometheus/default.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.observability.prometheus; -in -{ - options.${namespace}.services.observability.prometheus = { - enable = mkEnableOption "enable Prometheus"; - }; - - config = mkIf cfg.enable { - services.prometheus = { - enable = true; - port = 9002; - - globalConfig.scrape_interval = "15s"; - - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = [ - { targets = [ "localhost:9002" ]; } - ]; - } - - { - job_name = "node"; - static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } - ]; - } - ]; - - exporters = { - node = { - enable = true; - port = 9005; - enabledCollectors = [ "systemd" ]; - openFirewall = true; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 9002 ]; - }; -} diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix deleted file mode 100644 index 1f32adc..0000000 --- a/modules/nixos/services/observability/promtail/default.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; - - cfg = config.${namespace}.services.observability.promtail; -in -{ - options.${namespace}.services.observability.promtail = { - enable = mkEnableOption "enable Grafana Promtail"; - }; - - config = mkIf cfg.enable { - services.promtail = { - enable = true; - - # Ensures proper permissions - extraFlags = [ - "-config.expand-env=true" - ]; - - configuration = { - server = { - http_listen_port = 9004; - grpc_listen_port = 0; - }; - - positions = { - filename = "filename"; - }; - - clients = { - url = "http://127.0.0.1:3100/loki/api/v1/push"; - }; - - scrape_configs = [ - { - job_name = "journal"; - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = "ulmo"; - }; - }; - relabel_configs = [ - { source_labels = [ "__journal__systemd_unit" ]; target_label = "unit"; } - ]; - } - ]; - }; - }; - - networking.firewall.allowedTCPPorts = [ 9004 ]; - }; -} diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix deleted file mode 100644 index dbd6604..0000000 --- a/modules/nixos/services/persistance/postgesql/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.persistance.postgresql; -in -{ - options.${namespace}.services.persistance.postgresql = { - enable = mkEnableOption "Postgresql"; - }; - - config = mkIf cfg.enable { - services = { - postgresql = { - enable = true; - authentication = '' - # Generated file, do not edit! - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - }; - }; -} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index db8e162..6870606 100644 
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@@ -1,7 +1,7 @@
 { pkgs, config, lib, namespace, ... }:
 let
- inherit (builtins) toString;
- inherit (lib) mkIf mkEnableOption;
+ inherit (lib.modules) mkIf;
+ inherit (lib.options) mkEnableOption;
 cfg = config.${namespace}.services.security.vaultwarden;
 in
@@ -11,82 +11,18 @@ in
 };
 config = mkIf cfg.enable {
- systemd.tmpfiles.rules = [
- "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
+ environment.systemPackages = with pkgs; [
+ vaultwarden
+ vaultwarden-postgresql
 ];
- services = {
- vaultwarden = {
- enable = true;
- dbBackend = "postgresql";
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
- package = pkgs.${namespace}.vaultwarden;
-
- config = {
- SIGNUPS_ALLOWED = false;
- DOMAIN = "https://vault.kruining.eu";
-
- ADMIN_TOKEN = "";
-
- DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";
-
- WEB_VAULT_ENABLED = true;
-
- SSO_ENABLED = true;
- SSO_ONLY = true;
- SSO_PKCE = true;
- SSO_AUTH_ONLY_NOT_SESSION = false;
- SSO_ROLES_ENABLED = true;
- SSO_ORGANIZATIONS_ENABLED = true;
- SSO_ORGANIZATIONS_REVOCATION = true;
- SSO_AUTHORITY = "https://auth.amarth.cloud/";
- SSO_SCOPES = "email profile offline_access";
- SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
- SSO_CLIENT_ID = "335178854421299459";
- SSO_CLIENT_SECRET = "";
-
- ROCKET_ADDRESS = "::1";
- ROCKET_PORT = 8222;
- ROCKET_LOG = "critical";
-
- SMTP_HOST = "black-mail.nl";
- SMTP_PORT = 587;
- SMTP_SECURITY = "starttls";
- SMTP_USERNAME = "info@amarth.cloud";
- SMTP_PASSWORD = "";
- SMTP_FROM = "info@amarth.cloud";
- SMTP_FROM_NAME = "Chris' Vaultwarden";
- };
- };
-
- postgresql = {
- enable = true;
- ensureDatabases = [ "vaultwarden" ];
- ensureUsers = [
- {
- name = "vaultwarden";
- ensureDBOwnership = true;
- }
- ];
- };
-
- caddy = {
- enable = true;
- virtualHosts = {
- "vault.kruining.eu".extraConfig = ''
- encode zstd gzip
-
- handle_path /admin {
- respond 401 {
- close
- }
- }
-
- reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
- header_up X-Real-IP {remote_host}
- }
- '';
- };
+ config = {
+ SIGNUPS_ALLOWED = false;
+ DOMAIN = "https://passwords.kruining.eu";
 };
 };
 };
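Review bot: `dbBackend = "postgresql";` is kept, but the `DATABASE_URL` setting and the `services.postgresql` database/user provisioning are removed with nothing replacing them, so vaultwarden is built for PostgreSQL and has no database to connect to unless `DATABASE_URL` arrives through `environmentFile` somewhere outside this hunk. Either restore `DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";` under `config` together with the `ensureDatabases`/`ensureUsers` block, or leave a comment naming where the connection string now comes from. The removed Caddy vhost also carried the `handle_path /admin` → 401 guard; with the reverse proxy gone from this module, check that the admin page is either disabled (vaultwarden leaves it off while `ADMIN_TOKEN` is unset) or protected wherever `passwords.kruining.eu` is now terminated.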
diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix
index 0faf8ce..9b9dc89 100644
--- a/modules/nixos/services/virtualisation/podman/default.nix
+++ b/modules/nixos/services/virtualisation/podman/default.nix
@@ -12,7 +12,6 @@ in
 config = mkIf cfg.enable {
 virtualisation = {
 containers.enable = true;
- oci-containers.backend = "podman";
 podman = {
 enable = true;
diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix
index 68ab4ca..ebceca3 100644
--- a/modules/nixos/system/security/sops/default.nix
+++ b/modules/nixos/system/security/sops/default.nix
@@ -13,10 +13,10 @@ in
 environment.systemPackages = with pkgs; [ sops ];
 sops = {
- defaultSopsFile = ../../../../../_secrets/secrets.yaml;
- defaultSopsFormat = "yaml";
+ age.keyFile = "/home/.sops-key.age";
- age.keyFile = "/home/";
+ defaultSopsFile = ../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml;
+ defaultSopsFormat = "yaml";
 };
 };
 }
\ No newline at end of file
diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix
index b79efbc..6dedf50 100644
--- a/modules/nixos/system/security/sudo/default.nix
+++ b/modules/nixos/system/security/sudo/default.nix
@@ -14,8 +14,9 @@ in
 sudo-rs = {
 enable = true;
- execWheelOnly = true;
- extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"'';
+ extraConfig = ''
+ Defaults env_keep += "EDITOR PATH DISPLAY"
+ '';
 };
 };
 };
diff --git a/packages/vaultwarden/default.nix b/packages/vaultwarden/default.nix
deleted file mode 100644
index 243288b..0000000
--- a/packages/vaultwarden/default.nix
+++ /dev/null
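Review bot: `age.keyFile = "/home/.sops-key.age";` in the sops hunk places the host's age private key directly under `/home`, a directory that is world-traversable on a default install, so the key's confidentiality rests entirely on the file's own mode and ownership, which nothing in this hunk sets or documents. A root-owned path outside user-reachable trees with mode 0600 is the safer home for it — sops-nix's conventional `/var/lib/sops-nix/key.txt` is the obvious choice — or keep the custom path and add a comment stating the expected owner and mode next to it. The `\ No newline at end of file` marker shows the file still ends without a newline; worth fixing while it is being touched.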
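Review bot: Dropping `execWheelOnly = true;` from the sudo-rs block in the sudo hunk lets any local account execute the setuid sudo binary again, giving up a cheap reduction of the attack surface that unprivileged users can reach; if the intent was only to reflow `extraConfig`, keep `execWheelOnly = true;` alongside it. The reflowed `Defaults env_keep += "EDITOR PATH DISPLAY"` is otherwise unchanged, but preserving the caller's `PATH` means commands run as root resolve binaries from a user-controlled search path — a one-line comment that this trade-off is accepted would help the next reader.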
@@ -1,29 +0,0 @@ -{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }: -rustPlatform.buildRustPackage rec { - pname = "vaultwarden"; - version = "1.34.3"; - - src = fetchFromGitHub { - owner = "Timshel"; - repo = "vaultwarden"; - rev = "1.34.3"; - hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0="; - }; - - cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE="; - - # used for "Server Installed" version in admin panel - env.VW_VERSION = version; - - nativeBuildInputs = [ pkg-config ]; - buildInputs = - [ openssl ] - ++ lib.optional (dbBackend == "postgresql") postgresql; - - buildFeatures = dbBackend; - - meta = with lib; { - license = licenses.agpl3Only; - mainProgram = "vaultwarden"; - }; -} \ No newline at end of file diff --git a/systems/x86_64-linux/manwe/README.md b/systems/x86_64-linux/manwe/README.md index 3bb6746..1da7ab1 100644 --- a/systems/x86_64-linux/manwe/README.md +++ b/systems/x86_64-linux/manwe/README.md @@ -1,8 +1,3 @@ # Description -<<<<<<< HEAD My steambox. -======= -My desktop, reasoning for the name being the following chain of thought: -**Manwe -> the king of the valar -> leader -> desktop is main machine** ->>>>>>> 72b0f6f8fad97a4ade1b54dfada26828a170febf diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index d68db6a..e3e449f 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix 
@@ -1,34 +1,59 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, lib, pkgs, modulesPath, inputs, ... }:
 let
 inherit (lib.modules) mkDefault;
 in
 {
- # TODO :: Implement disko at some point
+ imports = [
+ inputs.disko.nixosModules.disko
+ ];
- swapDevices = [];
+ config = {
+ swapDevices = [];
- boot.supportedFilesystems = [ "nfs" ];
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
+ boot.supportedFilesystems = [ "nfs" ];
+
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/nvme0";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "100M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
 };
+
+ fileSystems = {
+ "/home/chris/media" = {
+ device = "ulmo:/";
+ fsType = "nfs";
+ };
- "/boot" = {
- device = "/dev/disk/by-label/boot";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
-
- "/home/chris/media" = {
- device = "ulmo:/";
- fsType = "nfs";
- };
-
- "/home/chris/mandos" = {
- device = "mandos:/";
- fsType = "nfs";
+ "/home/chris/mandos" = {
+ device = "mandos:/";
+ fsType = "nfs";
+ };
 };
 };
 }
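Review bot: `device = "/dev/nvme0";` names the NVMe controller's character device, not a block device, so disko cannot partition it; the namespace it has to operate on is `/dev/nvme0n1`, or more robustly its `/dev/disk/by-id/<stable-id>` link, which also survives controller renumbering on a host with more than one NVMe device. Something like `device = "/dev/disk/by-id/<stable-id>";` with the real id filled in is the usual disko form. The `mountOptions = [ "umask=0077" ]` on the ESP is a good replacement for the old `fmask`/`dmask` options and keeps the boot partition unreadable by unprivileged users.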
@@ -0,0 +1,31 @@ +zitadel: + masterKey: ENC[AES256_GCM,data:iSeZOloWLrdP8S+ac7ubIcv9TF3Sm8Ni,iv:8v3/ratFQ5vq2rbZOUMKfPhVTA9uQY2eFQU4IR8s3VU=,tag:9y90aDQ2PfFT//X2i2YvvA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4R0UyWmx5L3hCbGhQVXI0 + NmpkMThPVlgrRHZZMnFrNTAwbzVTY1F6NEVVCjJaRHdhbHV6R1RJM2JIQzc3dkNu + a01FYlM3b1dXbmxGN2tWU3FMdXMveG8KLS0tIG1SSjNXdXZNN2ZyQ2UyZ0pIZXJJ + NmpMS2oySFE1S1RER3J1RGl4MlRQK00Ks+PcxcHmygYz+a+d0ZrzrdUpTQ50NYkA + aDFbtRtukn9e7i3bGUyD4nisSvs4YjfoQxR/pC8hs4k3f5V2jwDh2w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTN4clFoWDNwU2lpaHBn + M2pVeU5oM0JRNmp6NEJjQ3BHeWlzeSs3bTI0CnBocngvbzZQUXBsMG9Oc2J6dlBT + MjdtaFdmOHg5ZmZmSkViWGJFYThQYXcKLS0tIFRNd2JiVlFTREtDMTdzR2V0SlVo + Q0d5ZDVDM05LdFp4UnB4dFRPUm5vU0UKR/MAONEWaT6XXyPB1IrSIKqW5PZNIbuB + n7QX3DJIzlajtmq+82/wPFPTBkLvSSjV5FKL5ErMwTDndcIn+NlOhQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-11T13:11:00Z" + mac: ENC[AES256_GCM,data:P34YsR/Rvc3q4Os5n9hxonJLCXwifMRnKOCM59h5MRMT/aqjl+QlBX+oUADsqDSrhUscQb3N/UlpFeOT6qg+FmJbT/mYMH6v1xK16VD0M7VWydXpmjDu5If+O89lgDHsiEOGDgeR04jkiaY0yzT9U8l9CND5fMvF3I9o5Z1SZQk=,iv:NgUD8gB2bQa5vh0nb0Ngqp5dn0yqskHudWo8xoVjM4Q=,tag:5oTcnailDCHeMvMLz63e1w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 3b35750..7a2540f 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
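Review bot: The only secret in this new file, `zitadel.masterKey`, had its consumer in the zitadel module that this same commit deletes (the removed `sops.secrets."zitadel/masterKey"` stanza), and ulmo no longer enables zitadel, so as far as this diff shows nothing will read it on manwe; drop the key, or point at the module that still uses it. Separately, several literal credentials — a Zitadel admin password, a Forgejo runner token, a Grafana OAuth client secret and a Jellyfin API key — are removed in plain text elsewhere in this commit and remain recoverable from git history; they need rotating, not just deleting, now that the per-host sops layout exists to hold them.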
@@ -7,27 +7,8 @@ sneeuwvlok = { services = { - authentication.authelia.enable = true; - authentication.zitadel.enable = true; - - communication.conduit.enable = true; - - development.forgejo.enable = true; - networking.ssh.enable = true; - media.enable = true; - media.homer.enable = true; - media.nfs.enable = true; - - observability = { - grafana.enable = true; - prometheus.enable = true; - loki.enable = true; - promtail.enable = true; - }; - - security.vaultwarden.enable = true; }; editor = {