From 8228418b7f048fd29af757da6a24c0f43884a5d1 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 4 Aug 2025 16:21:17 +0200 Subject: [PATCH 001/251] update deps --- flake.lock | 96 +++++++++++++++++++++++++++--------------------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/flake.lock b/flake.lock index 1935971..6bf8015 100644 --- a/flake.lock +++ b/flake.lock @@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1753944209, - "narHash": "sha256-dcGdqxhRRGoA/S38BsWOrwIiLYEBOqXKauHdFwKR310=", + "lastModified": 1754290399, + "narHash": "sha256-KwYm1/FeLqP9uE4Sbw+j2nI2/ErNbc9Mn+LPcrEOpX0=", "owner": "nix-community", "repo": "fenix", - "rev": "5ef8607d6e8a08cfb3946aaacaa0494792adf4ae", + "rev": "f53ddf7518d85d59b58df6e9955b25b0ac25f569", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1753960679, - "narHash": "sha256-q82/pjksNMev2AJqK1v38BcK29kB2f7yB2GTEsrlR2M=", + "lastModified": 1754311269, + "narHash": "sha256-y84Q8qS5acSxl3QsLLGs4DboPhM/AYUMiTsJJZwmQxY=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "c709bb72ee604949ff54df9519dc6cb0c6040007", + "rev": "5a6856f353975206aec02373c18e8cea3fa6bb75", "type": "github" }, "original": { @@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1753902883, - "narHash": "sha256-F7IUdBe//PDtcztUdu3XYxzJuKbYip6TwIRWLdrftO0=", + "lastModified": 1754075821, + "narHash": "sha256-ihlkNqYsNgJPCDOE2LPpUl/ww3LBKfsxeWs2sivhb10=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "d01709bf0100183045927c03b90db78fb8e40bda", + "rev": "f77821437959ecd67f2fb2b1266e5a644a46d149", "type": "github" }, "original": { 
@@ -452,11 +452,11 @@ ] }, "locked": { - "lastModified": 1753943136, - "narHash": "sha256-eiEE5SabVcIlGSTRcRyBjmJMaYAV95SJnjy8YSsVeW4=", + "lastModified": 1754263839, + "narHash": "sha256-ck7lILfCNuunsLvExPI4Pw9OOCJksxXwozum24W8b+8=", "owner": "nix-community", "repo": "home-manager", - "rev": "bd82507edd860c453471c46957cbbe3c9fd01b5c", + "rev": "1d7abbd5454db97e0af51416f4960b3fb64a4773", "type": "github" }, "original": { @@ -473,11 +473,11 @@ ] }, "locked": { - "lastModified": 1753938227, - "narHash": "sha256-KzjI9khMC2tOL5FClh3sHq8Gax1O5Rw0bH1hvJ3FU3E=", + "lastModified": 1754110197, + "narHash": "sha256-N7GWK2084EsNdwzwg6FCIgMrSau1WwzxGSNdPHx5Tak=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "8d1f0004594e0eddc00159ad7666e669a6bcb711", + "rev": "04ce5c103eb621220d69102bc0ee27c3abd89204", "type": "github" }, "original": { @@ -492,11 +492,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1753618592, - "narHash": "sha256-9sDACkrSbZOA1srKWQzvbkBFHZeXvHW8EYpWrVZPxDg=", + "lastModified": 1754223384, + "narHash": "sha256-pewBF80b4slivTMSeONyOPceyzUUlBLpVOxlGf0hFEY=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "81b2f78680ca3864bfdc0d4cbc3444af3e1ff271", + "rev": "2d6fee65844e851060a6817984248bcf8358c6b0", "type": "github" }, "original": { @@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1753928630, - "narHash": "sha256-ASqyvmJ2EEUCyDJGMHRQ1ZqWnCd4SiVd7hi7dGBuSvw=", + "lastModified": 1754274768, + "narHash": "sha256-bI+Z15bpec7VEnxkrqOG+JX0bFa9CnVeg/uiaf8iiS0=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "30af81148ee29a4a13c938c25d3e68877b1b27fb", + "rev": "b54894d44fbe4d29c081ade695ffdb07bb21b322", "type": "github" }, "original": { 
@@ -621,11 +621,11 @@ ] }, "locked": { - "lastModified": 1753704990, - "narHash": "sha256-5E14xuNWy2Un1nFR55k68hgbnD8U2x/rE5DXJtYKusw=", + "lastModified": 1754260137, + "narHash": "sha256-IViMH6Fwj8nwO1nuYCqOTpjm9OK9rQ0w8nmoOwPlo98=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "58c814cc6d4a789191f9c12e18277107144b0c91", + "rev": "57ba096649fa4e12dc564e8e3c529255baf89b35", "type": "github" }, "original": { @@ -652,11 +652,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "lastModified": 1754184128, + "narHash": "sha256-AjhoyBL4eSyXf01Bmc6DiuaMrJRNdWopmdnMY0Pa/M0=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "rev": "02e72200e6d56494f4a7c0da8118760736e41b60", "type": "github" }, "original": { @@ -683,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1753948617, - "narHash": "sha256-68ounbeMLJTO/Igq0rEqjldNReb/r2gR9zgLU2qiH7A=", + "lastModified": 1754284898, + "narHash": "sha256-wzM6HN0xxyooekXfl7p5P4Bn0LieOKOfsLg4DqY7XLk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4f1a1d0af135001efc1a58c8f31ede7bb1045874", + "rev": "114484ca7213ac06fa7907e58dd8ef9d801d39f0", "type": "github" }, "original": { @@ -715,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1753965693, - "narHash": "sha256-ks84bo0xIjUdRJGqLHQTyXR5OGb+8zUQg+XarbSEtrw=", + "lastModified": 1754315431, + "narHash": "sha256-fnVgd+mIJeR/fsaJB11KcTFjoJzLZNglLjVRtAzwcUI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "113bb8d5ca48dc31c62835b5fafed82092d87a91", + "rev": "66023e4de2495a69792a2b72bd131358b824d2e3", "type": "github" }, "original": { 
@@ -747,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1753694789, - "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=", + "lastModified": 1754214453, + "narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727", + "rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376", "type": "github" }, "original": { @@ -843,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1753878721, - "narHash": "sha256-Y+Kr6FTHggnZ31nhaiOhIboIi+dhnLmQ9p0xf0wwnDc=", + "lastModified": 1754137146, + "narHash": "sha256-V2AE32tLNvtYVBuc8ZRbkGjAZGsJchFbNVd6v5JXvg8=", "owner": "notashelf", "repo": "nvf", - "rev": "e35a74c44a35b28fd09f136dd3c0dbe9f300258f", + "rev": "16d396f039ffefabf93b7b3261e2a17e2f84439b", "type": "github" }, "original": { @@ -866,11 +866,11 @@ ] }, "locked": { - "lastModified": 1748196248, - "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=", + "lastModified": 1754241118, + "narHash": "sha256-nsBBqbAFB7lUYIh6S6l7fQ/ALDhCckp7+rqbY2767uE=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "b7697abe89967839b273a863a3805345ea54ab56", + "rev": "968109159b4bbe4386ac281272ddcebeef09ebfc", "type": "github" }, "original": { @@ -905,11 +905,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1753838657, - "narHash": "sha256-4FA7NTmrAqW5yt4A3hhzgDmAFD0LbGRMGKhb1LBSItI=", + "lastModified": 1754218780, + "narHash": "sha256-M+bLCsYRYA7iudlZkeOf+Azm/1TUvihIq51OKia6KJ8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8611b714597c89b092f3d4874f14acd3f72f44fd", + "rev": "8d75311400a108d7ffe17dc9c38182c566952e6e", "type": "github" }, "original": { 
@@ -978,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1753919664, - "narHash": "sha256-U7Ts8VbVD4Z6n67gFx00dkpQJu27fMu173IUopX3pNI=", + "lastModified": 1754264048, + "narHash": "sha256-Yg1W0sFhBpnglfhWGlFmxzSmte1F157luHAADp5Hguk=", "owner": "nix-community", "repo": "stylix", - "rev": "30f5022236cf8dd257941cb0f910e198e7e464c7", + "rev": "1b5e1c5642cf96e07daf14ae4c5ddd23d7ed5623", "type": "github" }, "original": { From 3921693f846e05fc86a0f0987ec03eae67db3562 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 4 Aug 2025 16:21:29 +0200 Subject: [PATCH 002/251] yep yep, justfiles are cooooool --- justfile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 justfile diff --git a/justfile b/justfile new file mode 100644 index 0000000..c7a9326 --- /dev/null +++ b/justfile @@ -0,0 +1,17 @@ +[private] +default: + @just -l + +[doc('Update flake dependencies')] +update: + nix flake update + +[doc('install nixos on a system (uses nix-anywhere) +> profile: Which profile to use +> host: How to reach the target system in the standard format of `user@host` +')] +install profile host: + nix run nixpkgs#nixos-anywhere -- \ + --flake .#{{profile}} \ + --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \ + {{host}} \ No newline at end of file From 98362802d5838de37daf5fa1a17918bf1b4ae562 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 11:02:45 +0200 Subject: [PATCH 003/251] kaas --- .sops.yml | 54 +++++++++++++- README.md | 1 + flake.lock | 21 ++++++ flake.nix | 7 +- justfile | 6 +- modules/nixos/nix/default.nix | 4 +- .../nixos/system/security/sops/default.nix | 3 +- systems/x86_64-linux/manwe/disks.nix | 71 +++++++++++++------ .../x86_64-linux/manwe}/secrets.yaml | 18 ++--- 9 files changed, 147 insertions(+), 38 deletions(-) rename {_secrets => systems/x86_64-linux/manwe}/secrets.yaml (71%) diff --git a/.sops.yml b/.sops.yml index 96e09c3..4b9efc8 100644 --- a/.sops.yml 
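Review bot: The `install` recipe resolves the installer with `nix run nixpkgs#nixos-anywhere`, which takes `nixpkgs` from the flake registry rather than from this repository's `flake.lock`, so the tool that repartitions and installs the target is not pinned by the lock file. Consider `nix run --inputs-from . nixpkgs#nixos-anywhere -- \` (or adding nixos-anywhere as a flake input) so the run is reproducible and reviewable. `{{profile}}` and `{{host}}` are also pasted into the shell line unquoted; `--flake '.#{{profile}}'` and `'{{host}}'` stop a value with spaces or shell metacharacters from being re-parsed. The doc attribute says "nix-anywhere" where the command is nixos-anywhere. The same recipe reappears in PATCH 005, and the `build host:` recipe added in PATCH 003 and PATCH 006 interpolates `{{host}}` unquoted in the same way.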
+++ b/.sops.yml @@ -1,8 +1,60 @@ keys: - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + - home: + - &chris age + - system: + - &aule age + - &mandos age + - &manwe age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + - &melkor age + - &orome age + - &tulkas age + - &varda age + - &yavanna age creation_rules: - - path_regex: secrets/secrets.yml$ + - path_regex: secrets/secrets.ya?ml$ key_groups: - age: - *primary + + #=================================================================== + # HOSTS + #=================================================================== + - path_regex: systems/x64_86-linux/aule/secrets.yaml$ + age: *aule + + - path_regex: systems/x64_86-linux/mandos/secrets.yaml$ + age: *mandos + + - path_regex: systems/x64_86-linux/manwe/secrets.yaml$ + age: *manwe + + - path_regex: systems/x64_86-linux/melkor/secrets.yaml$ + age: *melkor + + - path_regex: systems/x64_86-linux/orome/secrets.yaml$ + age: *orome + + - path_regex: systems/x64_86-linux/tulkas/secrets.yaml$ + age: *tulkas + + - path_regex: systems/x64_86-linux/varda/secrets.yaml$ + age: *varda + + - path_regex: systems/x64_86-linux/yavanna/secrets.yaml$ + age: *yavanna + + #=================================================================== + # USERS + #=================================================================== + - path_regex: homes/x64_86-linux/chris@\w+/secrets.ya?ml$ + age: chris + + + + + + + + diff --git a/README.md b/README.md index 2eb75c9..db11887 100644 --- a/README.md +++ b/README.md @@ -18,4 +18,5 @@ nix build .#install-isoConfigurations.minimal - [dafitt/dotfiles](https://github.com/dafitt/dotfiles/) - [khaneliman/khanelinix](https://github.com/khaneliman/khanelinix) +- [alex007sirois/nix-config](https://github.com/alex007sirois/nix-config) (justfile) - [hmajid2301/nixicle](https://gitlab.com/hmajid2301/nixicle) (the GOAT, he did what I am aiming for!) \ No newline at end of file 
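Review bot: The new host and user rules use `systems/x64_86-linux/…` and `homes/x64_86-linux/…`, while the directory this same patch renames the secrets file into is `systems/x86_64-linux/manwe/`, so none of the added `path_regex` entries can match the file they are meant to cover. Several recipients are not usable either: anchors such as `&aule age` hold the bare string `age` rather than a public key, and the user rule has `age: chris` without the `*`, which is the literal string `chris`. `&manwe` repeats the `&primary` key, so the per-host split does not yet change who can decrypt manwe's secrets (presumably a placeholder until the host key exists). I would correct the paths and escape the dot, e.g. `- path_regex: systems/x86_64-linux/manwe/secrets\.ya?ml$`, and leave out rules for hosts whose keys have not been generated yet. The identical hunk is repeated in PATCH 006.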
diff --git a/flake.lock b/flake.lock index 6bf8015..ef769ed 100644 --- a/flake.lock +++ b/flake.lock @@ -67,6 +67,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "owner": "nix-community", + "repo": "disko", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "erosanix": { "inputs": { "flake-compat": "flake-compat", @@ -881,6 +901,7 @@ }, "root": { "inputs": { + "disko": "disko", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", diff --git a/flake.nix b/flake.nix index d696f4b..9467815 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; @@ -103,7 +108,7 @@ nix-minecraft.overlay flux.overlays.default ]; - + homes.modules = with inputs; [ stylix.homeModules.stylix plasma-manager.homeManagerModules.plasma-manager diff --git a/justfile b/justfile index c7a9326..28330be 100644 --- a/justfile +++ b/justfile @@ -14,4 +14,8 @@ install profile host: nix run nixpkgs#nixos-anywhere -- \ --flake .#{{profile}} \ --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \ - {{host}} \ No newline at end of file + {{host}} + +[doc('builds the configuration for the host')] +build host: + nh os build . -H {{host}} \ No newline at end of file diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 7d1f069..3104ecd 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix 
@@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes"; + extraOptions = "experimental-features = nix-command flakes pipe-operators"; settings = { - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index a75856d..1383681 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -13,10 +13,11 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { + age.keyFile = "/home/.sops-key.age"; + defaultSopsFile = ../../../../secrets/secrets.yaml; defaultSopsFormat = "yaml"; - age.keyFile = "/home/"; }; }; } \ No newline at end of file diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index d68db6a..e3e449f 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix 
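Review bot: `pipe-operators` is now listed twice, once in the `extraOptions` string and once in `settings.experimental-features`; as far as I can tell both feed the same generated nix.conf, so the list has to be kept in sync by hand. Dropping the `extraOptions` line and keeping only `experimental-features = [ "nix-command" "flakes" "pipe-operators" ];` under `settings` removes the duplicate. A short comment naming what needs the pipe operator would help, because experimental features can change between Nix releases and `package = pkgs.nixVersions.latest` follows the newest one. The `nix = { … }` block continues outside the hunk, and the same hunk is repeated in PATCH 006.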
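Review bot: `age.keyFile = "/home/.sops-key.age";` puts the private key that decrypts the host's secrets under `/home`, next to user data, and nothing in the hunk constrains its owner or mode. A root-only location outside user directories is the safer default (the sops-nix documentation uses `/var/lib/sops-nix/key.txt`), with the file owned by root and mode 0600. This patch also renames `_secrets/secrets.yaml` to `systems/x86_64-linux/manwe/secrets.yaml`, yet the unchanged `defaultSopsFile = ../../../../secrets/secrets.yaml;` still points elsewhere; it looks like it should be updated in the same commit, though the target tree is not visible here, so please confirm. The same hunk is repeated in PATCH 006.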
@@ -1,34 +1,59 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, pkgs, modulesPath, inputs, ... }: let inherit (lib.modules) mkDefault; in { - # TODO :: Implement disko at some point + imports = [ + inputs.disko.nixosModules.disko + ]; - swapDevices = []; + config = { + swapDevices = []; - boot.supportedFilesystems = [ "nfs" ]; - - fileSystems = { - "/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; + boot.supportedFilesystems = [ "nfs" ]; + + disko.devices = { + disk = { + main = { + device = "/dev/nvme0"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "100M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; }; + + fileSystems = { + "/home/chris/media" = { + device = "ulmo:/"; + fsType = "nfs"; + }; - "/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - "/home/chris/media" = { - device = "ulmo:/"; - fsType = "nfs"; - }; - - "/home/chris/mandos" = { - device = "mandos:/"; - fsType = "nfs"; + "/home/chris/mandos" = { + device = "mandos:/"; + fsType = "nfs"; + }; }; }; } diff --git a/_secrets/secrets.yaml b/systems/x86_64-linux/manwe/secrets.yaml similarity index 71% rename from _secrets/secrets.yaml rename to systems/x86_64-linux/manwe/secrets.yaml index 78b1a8c..1872dc2 100644 --- a/_secrets/secrets.yaml +++ b/systems/x86_64-linux/manwe/secrets.yaml 
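Review bot: `device = "/dev/nvme0";` names the NVMe controller character device rather than a disk; the block device is the namespace (`/dev/nvme0n1`), and because disko wipes whatever it is pointed at, a stable `/dev/disk/by-id/…` path is the safer way to name the target. The root partition is plain ext4, so everything on it, including the sops age key this patch configures at `/home/.sops-key.age`, is unencrypted at rest; if that matters for this host, a LUKS layer belongs in this layout. `size = "100M"` for the ESP is tight if kernels and initrds for several generations are kept on `/boot`. The `umask=0077` mount option on `/boot` is a good tightening over the previous `fmask=0022`/`dmask=0022`. The same hunk is repeated in PATCH 006.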
@@ -11,15 +11,15 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR - ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz - YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB - dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR - Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== - -----END AGE ENCRYPTED FILE----- + - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR + ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz + YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB + dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR + Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== + -----END AGE ENCRYPTED FILE----- lastmodified: "2025-03-09T11:37:49Z" mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] pgp: [] From a1316fdf0e467be51dab227dc795a900662dc6e8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 4 Aug 2025 16:21:17 +0200 Subject: [PATCH 004/251] update deps --- flake.lock | 96 +++++++++++++++++++++++++++--------------------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/flake.lock b/flake.lock index 1935971..6bf8015 100644 --- a/flake.lock +++ b/flake.lock 
@@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1753944209, - "narHash": "sha256-dcGdqxhRRGoA/S38BsWOrwIiLYEBOqXKauHdFwKR310=", + "lastModified": 1754290399, + "narHash": "sha256-KwYm1/FeLqP9uE4Sbw+j2nI2/ErNbc9Mn+LPcrEOpX0=", "owner": "nix-community", "repo": "fenix", - "rev": "5ef8607d6e8a08cfb3946aaacaa0494792adf4ae", + "rev": "f53ddf7518d85d59b58df6e9955b25b0ac25f569", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1753960679, - "narHash": "sha256-q82/pjksNMev2AJqK1v38BcK29kB2f7yB2GTEsrlR2M=", + "lastModified": 1754311269, + "narHash": "sha256-y84Q8qS5acSxl3QsLLGs4DboPhM/AYUMiTsJJZwmQxY=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "c709bb72ee604949ff54df9519dc6cb0c6040007", + "rev": "5a6856f353975206aec02373c18e8cea3fa6bb75", "type": "github" }, "original": { @@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1753902883, - "narHash": "sha256-F7IUdBe//PDtcztUdu3XYxzJuKbYip6TwIRWLdrftO0=", + "lastModified": 1754075821, + "narHash": "sha256-ihlkNqYsNgJPCDOE2LPpUl/ww3LBKfsxeWs2sivhb10=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "d01709bf0100183045927c03b90db78fb8e40bda", + "rev": "f77821437959ecd67f2fb2b1266e5a644a46d149", "type": "github" }, "original": { @@ -452,11 +452,11 @@ ] }, "locked": { - "lastModified": 1753943136, - "narHash": "sha256-eiEE5SabVcIlGSTRcRyBjmJMaYAV95SJnjy8YSsVeW4=", + "lastModified": 1754263839, + "narHash": "sha256-ck7lILfCNuunsLvExPI4Pw9OOCJksxXwozum24W8b+8=", "owner": "nix-community", "repo": "home-manager", - "rev": "bd82507edd860c453471c46957cbbe3c9fd01b5c", + "rev": "1d7abbd5454db97e0af51416f4960b3fb64a4773", "type": "github" }, "original": { 
@@ -473,11 +473,11 @@ ] }, "locked": { - "lastModified": 1753938227, - "narHash": "sha256-KzjI9khMC2tOL5FClh3sHq8Gax1O5Rw0bH1hvJ3FU3E=", + "lastModified": 1754110197, + "narHash": "sha256-N7GWK2084EsNdwzwg6FCIgMrSau1WwzxGSNdPHx5Tak=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "8d1f0004594e0eddc00159ad7666e669a6bcb711", + "rev": "04ce5c103eb621220d69102bc0ee27c3abd89204", "type": "github" }, "original": { @@ -492,11 +492,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1753618592, - "narHash": "sha256-9sDACkrSbZOA1srKWQzvbkBFHZeXvHW8EYpWrVZPxDg=", + "lastModified": 1754223384, + "narHash": "sha256-pewBF80b4slivTMSeONyOPceyzUUlBLpVOxlGf0hFEY=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "81b2f78680ca3864bfdc0d4cbc3444af3e1ff271", + "rev": "2d6fee65844e851060a6817984248bcf8358c6b0", "type": "github" }, "original": { @@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1753928630, - "narHash": "sha256-ASqyvmJ2EEUCyDJGMHRQ1ZqWnCd4SiVd7hi7dGBuSvw=", + "lastModified": 1754274768, + "narHash": "sha256-bI+Z15bpec7VEnxkrqOG+JX0bFa9CnVeg/uiaf8iiS0=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "30af81148ee29a4a13c938c25d3e68877b1b27fb", + "rev": "b54894d44fbe4d29c081ade695ffdb07bb21b322", "type": "github" }, "original": { @@ -621,11 +621,11 @@ ] }, "locked": { - "lastModified": 1753704990, - "narHash": "sha256-5E14xuNWy2Un1nFR55k68hgbnD8U2x/rE5DXJtYKusw=", + "lastModified": 1754260137, + "narHash": "sha256-IViMH6Fwj8nwO1nuYCqOTpjm9OK9rQ0w8nmoOwPlo98=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "58c814cc6d4a789191f9c12e18277107144b0c91", + "rev": "57ba096649fa4e12dc564e8e3c529255baf89b35", "type": "github" }, "original": { 
@@ -652,11 +652,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "lastModified": 1754184128, + "narHash": "sha256-AjhoyBL4eSyXf01Bmc6DiuaMrJRNdWopmdnMY0Pa/M0=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "rev": "02e72200e6d56494f4a7c0da8118760736e41b60", "type": "github" }, "original": { @@ -683,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1753948617, - "narHash": "sha256-68ounbeMLJTO/Igq0rEqjldNReb/r2gR9zgLU2qiH7A=", + "lastModified": 1754284898, + "narHash": "sha256-wzM6HN0xxyooekXfl7p5P4Bn0LieOKOfsLg4DqY7XLk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4f1a1d0af135001efc1a58c8f31ede7bb1045874", + "rev": "114484ca7213ac06fa7907e58dd8ef9d801d39f0", "type": "github" }, "original": { @@ -715,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1753965693, - "narHash": "sha256-ks84bo0xIjUdRJGqLHQTyXR5OGb+8zUQg+XarbSEtrw=", + "lastModified": 1754315431, + "narHash": "sha256-fnVgd+mIJeR/fsaJB11KcTFjoJzLZNglLjVRtAzwcUI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "113bb8d5ca48dc31c62835b5fafed82092d87a91", + "rev": "66023e4de2495a69792a2b72bd131358b824d2e3", "type": "github" }, "original": { @@ -747,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1753694789, - "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=", + "lastModified": 1754214453, + "narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727", + "rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376", "type": "github" }, "original": { 
@@ -843,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1753878721, - "narHash": "sha256-Y+Kr6FTHggnZ31nhaiOhIboIi+dhnLmQ9p0xf0wwnDc=", + "lastModified": 1754137146, + "narHash": "sha256-V2AE32tLNvtYVBuc8ZRbkGjAZGsJchFbNVd6v5JXvg8=", "owner": "notashelf", "repo": "nvf", - "rev": "e35a74c44a35b28fd09f136dd3c0dbe9f300258f", + "rev": "16d396f039ffefabf93b7b3261e2a17e2f84439b", "type": "github" }, "original": { @@ -866,11 +866,11 @@ ] }, "locked": { - "lastModified": 1748196248, - "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=", + "lastModified": 1754241118, + "narHash": "sha256-nsBBqbAFB7lUYIh6S6l7fQ/ALDhCckp7+rqbY2767uE=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "b7697abe89967839b273a863a3805345ea54ab56", + "rev": "968109159b4bbe4386ac281272ddcebeef09ebfc", "type": "github" }, "original": { @@ -905,11 +905,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1753838657, - "narHash": "sha256-4FA7NTmrAqW5yt4A3hhzgDmAFD0LbGRMGKhb1LBSItI=", + "lastModified": 1754218780, + "narHash": "sha256-M+bLCsYRYA7iudlZkeOf+Azm/1TUvihIq51OKia6KJ8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8611b714597c89b092f3d4874f14acd3f72f44fd", + "rev": "8d75311400a108d7ffe17dc9c38182c566952e6e", "type": "github" }, "original": { @@ -978,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1753919664, - "narHash": "sha256-U7Ts8VbVD4Z6n67gFx00dkpQJu27fMu173IUopX3pNI=", + "lastModified": 1754264048, + "narHash": "sha256-Yg1W0sFhBpnglfhWGlFmxzSmte1F157luHAADp5Hguk=", "owner": "nix-community", "repo": "stylix", - "rev": "30f5022236cf8dd257941cb0f910e198e7e464c7", + "rev": "1b5e1c5642cf96e07daf14ae4c5ddd23d7ed5623", "type": "github" }, "original": { From cfb9d086b866e7e3f8d641cc05e7a73b33309a7f Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 4 Aug 2025 16:21:29 +0200 Subject: [PATCH 005/251] yep yep, justfiles are cooooool --- justfile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 justfile diff --git a/justfile b/justfile new file mode 100644 index 0000000..c7a9326 --- /dev/null +++ b/justfile @@ -0,0 +1,17 @@ +[private] +default: + @just -l + +[doc('Update flake dependencies')] +update: + nix flake update + +[doc('install nixos on a system (uses nix-anywhere) +> profile: Which profile to use +> host: How to reach the target system in the standard format of `user@host` +')] +install profile host: + nix run nixpkgs#nixos-anywhere -- \ + --flake .#{{profile}} \ + --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \ + {{host}} \ No newline at end of file From 7e6beb208dd934a9cf7aef72917aa7028a616d68 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 11:02:45 +0200 Subject: [PATCH 006/251] kaas --- .sops.yml | 54 +++++++++++++- README.md | 1 + flake.lock | 21 ++++++ flake.nix | 7 +- justfile | 6 +- modules/nixos/nix/default.nix | 4 +- .../nixos/system/security/sops/default.nix | 3 +- systems/x86_64-linux/manwe/disks.nix | 71 +++++++++++++------ .../x86_64-linux/manwe}/secrets.yaml | 18 ++--- 9 files changed, 147 insertions(+), 38 deletions(-) rename {_secrets => systems/x86_64-linux/manwe}/secrets.yaml (71%) diff --git a/.sops.yml b/.sops.yml index 96e09c3..4b9efc8 100644 --- a/.sops.yml +++ b/.sops.yml 
@@ -1,8 +1,60 @@ keys: - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + - home: + - &chris age + - system: + - &aule age + - &mandos age + - &manwe age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + - &melkor age + - &orome age + - &tulkas age + - &varda age + - &yavanna age creation_rules: - - path_regex: secrets/secrets.yml$ + - path_regex: secrets/secrets.ya?ml$ key_groups: - age: - *primary + + #=================================================================== + # HOSTS + #=================================================================== + - path_regex: systems/x64_86-linux/aule/secrets.yaml$ + age: *aule + + - path_regex: systems/x64_86-linux/mandos/secrets.yaml$ + age: *mandos + + - path_regex: systems/x64_86-linux/manwe/secrets.yaml$ + age: *manwe + + - path_regex: systems/x64_86-linux/melkor/secrets.yaml$ + age: *melkor + + - path_regex: systems/x64_86-linux/orome/secrets.yaml$ + age: *orome + + - path_regex: systems/x64_86-linux/tulkas/secrets.yaml$ + age: *tulkas + + - path_regex: systems/x64_86-linux/varda/secrets.yaml$ + age: *varda + + - path_regex: systems/x64_86-linux/yavanna/secrets.yaml$ + age: *yavanna + + #=================================================================== + # USERS + #=================================================================== + - path_regex: homes/x64_86-linux/chris@\w+/secrets.ya?ml$ + age: chris + + + + + + + + diff --git a/README.md b/README.md index 2eb75c9..db11887 100644 --- a/README.md +++ b/README.md @@ -18,4 +18,5 @@ nix build .#install-isoConfigurations.minimal - [dafitt/dotfiles](https://github.com/dafitt/dotfiles/) - [khaneliman/khanelinix](https://github.com/khaneliman/khanelinix) +- [alex007sirois/nix-config](https://github.com/alex007sirois/nix-config) (justfile) - [hmajid2301/nixicle](https://gitlab.com/hmajid2301/nixicle) (the GOAT, he did what I am aiming for!) \ No newline at end of file diff --git a/flake.lock b/flake.lock index 6bf8015..ef769ed 100644 
--- a/flake.lock +++ b/flake.lock @@ -67,6 +67,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "owner": "nix-community", + "repo": "disko", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "erosanix": { "inputs": { "flake-compat": "flake-compat", @@ -881,6 +901,7 @@ }, "root": { "inputs": { + "disko": "disko", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", diff --git a/flake.nix b/flake.nix index d696f4b..9467815 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; @@ -103,7 +108,7 @@ nix-minecraft.overlay flux.overlays.default ]; - + homes.modules = with inputs; [ stylix.homeModules.stylix plasma-manager.homeManagerModules.plasma-manager diff --git a/justfile b/justfile index c7a9326..28330be 100644 --- a/justfile +++ b/justfile @@ -14,4 +14,8 @@ install profile host: nix run nixpkgs#nixos-anywhere -- \ --flake .#{{profile}} \ --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \ - {{host}} \ No newline at end of file + {{host}} + +[doc('builds the configuration for the host')] +build host: + nh os build . -H {{host}} \ No newline at end of file diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 7d1f069..3104ecd 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix 
@@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes"; + extraOptions = "experimental-features = nix-command flakes pipe-operators"; settings = { - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index a75856d..1383681 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -13,10 +13,11 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { + age.keyFile = "/home/.sops-key.age"; + defaultSopsFile = ../../../../secrets/secrets.yaml; defaultSopsFormat = "yaml"; - age.keyFile = "/home/"; }; }; } \ No newline at end of file diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index d68db6a..e3e449f 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix 
@@ -1,34 +1,59 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, pkgs, modulesPath, inputs, ... }: let inherit (lib.modules) mkDefault; in { - # TODO :: Implement disko at some point + imports = [ + inputs.disko.nixosModules.disko + ]; - swapDevices = []; + config = { + swapDevices = []; - boot.supportedFilesystems = [ "nfs" ]; - - fileSystems = { - "/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; + boot.supportedFilesystems = [ "nfs" ]; + + disko.devices = { + disk = { + main = { + device = "/dev/nvme0"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "100M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; }; + + fileSystems = { + "/home/chris/media" = { + device = "ulmo:/"; + fsType = "nfs"; + }; - "/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - "/home/chris/media" = { - device = "ulmo:/"; - fsType = "nfs"; - }; - - "/home/chris/mandos" = { - device = "mandos:/"; - fsType = "nfs"; + "/home/chris/mandos" = { + device = "mandos:/"; + fsType = "nfs"; + }; }; }; } diff --git a/_secrets/secrets.yaml b/systems/x86_64-linux/manwe/secrets.yaml similarity index 71% rename from _secrets/secrets.yaml rename to systems/x86_64-linux/manwe/secrets.yaml index 78b1a8c..1872dc2 100644 --- a/_secrets/secrets.yaml +++ b/systems/x86_64-linux/manwe/secrets.yaml 
@@ -11,15 +11,15 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR - ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz - YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB - dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR - Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== - -----END AGE ENCRYPTED FILE----- + - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR + ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz + YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB + dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR + Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== + -----END AGE ENCRYPTED FILE----- lastmodified: "2025-03-09T11:37:49Z" mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] pgp: [] From de1bc287d50b5f5f6b6626b042ae35b8ef4db4c5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 11:59:22 +0200 Subject: [PATCH 007/251] reorder inputs --- flake.nix | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/flake.nix b/flake.nix index 9467815..fa4895c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -29,14 +29,14 @@ url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - - # neovim - nvf.url = "github:notashelf/nvf"; - - # plymouth theme - nixos-boot.url = "github:Melkor333/nixos-boot"; - - firefox.url = "github:nix-community/flake-firefox-nightly"; + + nixos-wsl = { + url = "github:nix-community/nixos-wsl"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-compat.follows = ""; + }; + }; stylix.url = "github:nix-community/stylix"; @@ -46,6 +46,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # neovim + nvf.url = "github:notashelf/nvf"; + + # plymouth theme + nixos-boot.url = "github:Melkor333/nixos-boot"; + zen-browser.url = "github:MarceColl/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -72,14 +78,6 @@ grub2-themes = { url = "github:vinceliuice/grub2-themes"; }; - - nixos-wsl = { - url = "github:nix-community/nixos-wsl"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-compat.follows = ""; - }; - }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { From e011b893e0299c446849f352a048e8252577263e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 14:09:02 +0200 Subject: [PATCH 008/251] add forgejo --- .../services/development/forgejo/default.nix | 44 +++++++++++++++++++ .../{nextcloud.nix => nextcloud/default.nix} | 0 .../media/{nfs.nix => nfs/default.nix} | 0 systems/x86_64-linux/ulmo/default.nix | 7 +++ 4 files changed, 51 insertions(+) create mode 100644 modules/nixos/services/development/forgejo/default.nix rename modules/nixos/services/media/{nextcloud.nix => nextcloud/default.nix} (100%) rename modules/nixos/services/media/{nfs.nix => nfs/default.nix} (100%) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix new file mode 100644 index 0000000..be71064 --- /dev/null +++ b/modules/nixos/services/development/forgejo/default.nix 
@@ -0,0 +1,44 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.development.forgejo; + svr = cfg.settings.server; +in +{ + options.${namespace}.services.development.forgejo = { + enable = mkEnableOption "Forgejo"; + }; + + config = mkIf cfg.enable { + services = { + forgejo = { + enable = true; + database.type = "postgres"; + + settings = { + server = { + # DOMAIN = ""; + HTTP_PORT = 5002; + }; + + service.DISABLE_REGISTRATION = true; + + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "forgejo"; + }; + }; + }; + + services.caddy = { + enable = true; + virtualHosts = { + "git.kruining.eu".extraConfig = '' + reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/modules/nixos/services/media/nextcloud.nix b/modules/nixos/services/media/nextcloud/default.nix similarity index 100% rename from modules/nixos/services/media/nextcloud.nix rename to modules/nixos/services/media/nextcloud/default.nix diff --git a/modules/nixos/services/media/nfs.nix b/modules/nixos/services/media/nfs/default.nix similarity index 100% rename from modules/nixos/services/media/nfs.nix rename to modules/nixos/services/media/nfs/default.nix diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7a2540f..f47c580 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -7,8 +7,15 @@ sneeuwvlok = { services = { + authentication.authelia.enable = true; + authentication.zitadel.enable = true; + networking.ssh.enable = true; + media.enable = true; + media.nfs.enable = true; + + development.forgejo.enable = true; }; editor = { From 043eded2497049b3592b2efef2f135a9dfa40346 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 14:12:16 +0200 Subject: [PATCH 009/251] fix --- .../services/development/forgejo/default.nix | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) 
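Review bot: The `server` block in the new Forgejo module sets only `HTTP_PORT = 5002`, so Forgejo keeps its default bind address and listens on every interface, although the Caddy vhost is meant to be the only entry point. Binding to loopback keeps the plain-HTTP port unreachable even if the firewall is opened later: add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT`. The Caddy block is also written as `services.caddy` inside the outer `services = { … }`, which yields `services.services.caddy`; the next patch in this series corrects that. `svr = cfg.settings.server;` refers to an option this module does not declare and is unused.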
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index be71064..99b3a28 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -31,7 +31,26 @@ in }; }; - services.caddy = { + gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "monolith"; + url = "https://git.kruining.eu"; + # Obtaining the path to the runner token file may differ + # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + tokenFile = config.age.secrets.forgejo-runner-token.path; + labels = [ + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + "ubuntu-18.04:docker://node:16-buster" + "native:host" + ]; + }; + }; + + caddy = { enable = true; virtualHosts = { "git.kruining.eu".extraConfig = '' From f289c3663a436230042cfede11adf50f76d5b08d Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 15:04:12 +0200 Subject: [PATCH 010/251] switch flaresolverr to systemd service --- modules/nixos/services/media/default.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 7d76794..3909cd9 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -78,6 +78,7 @@ in sonarr = serviceConf; bazarr = serviceConf; lidarr = serviceConf; + flaresolverr = serviceConf; jellyseerr = { enable = true; 
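Review bot: The `"native:host"` entry in `labels` lets workflow jobs run directly on this machine as the runner's service user, without the container boundary the `docker://` labels provide. Any repository on the instance that may use this runner can then execute commands on the host, so drop that label unless it is required and the runner is restricted to trusted repositories. `tokenFile = config.age.secrets.forgejo-runner-token.path;` reads from agenix's option tree, whereas the rest of this series manages secrets through sops-nix; it presumably should be `config.sops.secrets."<RUNNER-TOKEN-SECRET-PLACEHOLDER>".path` with a matching secret declared. The `node:16-*` images are past end of life.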
@@ -135,11 +136,11 @@ in backend = "podman"; containers = { - flaresolverr = { - image = "flaresolverr/flaresolverr"; - autoStart = true; - ports = [ "127.0.0.1:8191:8191" ]; - }; + # flaresolverr = { + # image = "flaresolverr/flaresolverr"; + # autoStart = true; + # ports = [ "127.0.0.1:8191:8191" ]; + # }; reiverr = { image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; From f1ffa339766de95ebb61e47d074e580993b8dd03 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 11 Aug 2025 09:49:06 +0200 Subject: [PATCH 011/251] kaas --- .../nixos/services/authentication/authelia.nix | 17 +++++++++++++++++ .../services/development/forgejo/default.nix | 12 +++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia.nix index e706439..9990003 100644 --- a/modules/nixos/services/authentication/authelia.nix +++ b/modules/nixos/services/authentication/authelia.nix @@ -130,6 +130,23 @@ in scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; } + { + client_id = "forgejo"; + client_name = "forgejo"; + # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F + client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg"; + public = false; + require_pkce = true; + pkce_challenge_method = "S256"; + token_endpoint_auth_method = "client_secret_post"; + authorization_policy = "one_factor"; + userinfo_signed_response_alg = "none"; + consent_mode = "implicit"; + scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; + response_types = [ "code" ]; + grant_types = [ "authorization_code" ]; + redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; + } ]; }; }; 
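Review bot: The comment line directly above `client_secret` in the new `forgejo` OIDC client looks like the plaintext of the secret whose PBKDF2 digest follows, which makes storing only the digest pointless once this is committed. Treat that value as disclosed: generate a new secret, put only its digest here, keep the plaintext in the sops-encrypted secrets file, and delete the comment. `redirect_uris` also points at `http://localhost:5002/...`, which will presumably not match the callback Forgejo sends once it is served under its public HTTPS name.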
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 99b3a28..a773249 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -22,12 +22,20 @@ in HTTP_PORT = 5002; }; - service.DISABLE_REGISTRATION = true; + service = { + DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + SHOW_REGISTRATION_BUTTON = false; + }; actions = { ENABLED = true; DEFAULT_ACTIONS_URL = "forgejo"; }; + + session = { + COOKIE_SECURE = true; + }; }; }; @@ -54,6 +62,8 @@ in enable = true; virtualHosts = { "git.kruining.eu".extraConfig = '' + import auth + reverse_proxy http://127.0.0.1:5002 ''; }; From 69c6d857549a6aa46bb374baed82914a91836c46 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 11 Aug 2025 15:22:17 +0200 Subject: [PATCH 012/251] resolve merge artifacts --- systems/x86_64-linux/manwe/README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/systems/x86_64-linux/manwe/README.md b/systems/x86_64-linux/manwe/README.md index 3bb6746..1da7ab1 100644 --- a/systems/x86_64-linux/manwe/README.md +++ b/systems/x86_64-linux/manwe/README.md @@ -1,8 +1,3 @@ # Description -<<<<<<< HEAD My steambox. -======= -My desktop, reasoning for the name being the following chain of thought: -**Manwe -> the king of the valar -> leader -> desktop is main machine** ->>>>>>> 72b0f6f8fad97a4ade1b54dfada26828a170febf From 3a6672cad99f1c8dd8c6101e07b1f8aa88dc05f0 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 11 Aug 2025 15:22:58 +0200 Subject: [PATCH 013/251] get going with sops agian, not that hard, just need to set up my keys properly... --- .sops.yml | 35 ++++++++--------- homes/x86_64-linux/chris@manwe/secrets.yaml | 21 ++++++++++ justfile | 5 ++- systems/x86_64-linux/manwe/secrets.yaml | 43 +++++++++++---------- 4 files changed, 63 insertions(+), 41 deletions(-) create mode 100644 homes/x86_64-linux/chris@manwe/secrets.yaml diff --git a/.sops.yml b/.sops.yml index 4b9efc8..2d6e291 100644 --- a/.sops.yml +++ b/.sops.yml @@ -1,7 +1,6 @@ keys: - - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - home: - - &chris age + - &chris age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - system: - &aule age - &mandos age 
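Review bot: `&chris` under `home` and `&yavanna` under `system` (second hunk of `.sops.yml`) are set to the same age recipient, so the user key and that host key are one identity. With the `manwe` rule listing `*yavanna` as a recipient and the `chris@` rule using `*chris`, whoever holds that single private key can decrypt both the user-level and the host-level secrets, and the per-scope creation rules give no separation. Give the user and each host their own key pair. The remaining anchors are still the bare placeholder `age`, so encryption for those hosts will presumably fail until real recipients are filled in.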
@@ -10,46 +9,44 @@ keys: - &orome age - &tulkas age - &varda age - - &yavanna age + - &yavanna age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x creation_rules: - - path_regex: secrets/secrets.ya?ml$ - key_groups: - - age: - - *primary - #=================================================================== # HOSTS #=================================================================== - - path_regex: systems/x64_86-linux/aule/secrets.yaml$ + - path_regex: systems/x86_64-linux/aule/secrets.yaml$ age: *aule - - path_regex: systems/x64_86-linux/mandos/secrets.yaml$ + - path_regex: systems/x86_64-linux/mandos/secrets.yaml$ age: *mandos - - path_regex: systems/x64_86-linux/manwe/secrets.yaml$ - age: *manwe + - path_regex: systems/x86_64-linux/manwe/secrets.yaml$ + key_groups: + - age: + - *manwe + - *yavanna - - path_regex: systems/x64_86-linux/melkor/secrets.yaml$ + - path_regex: systems/x86_64-linux/melkor/secrets.yaml$ age: *melkor - - path_regex: systems/x64_86-linux/orome/secrets.yaml$ + - path_regex: systems/x86_64-linux/orome/secrets.yaml$ age: *orome - - path_regex: systems/x64_86-linux/tulkas/secrets.yaml$ + - path_regex: systems/x86_64-linux/tulkas/secrets.yaml$ age: *tulkas - - path_regex: systems/x64_86-linux/varda/secrets.yaml$ + - path_regex: systems/x86_64-linux/varda/secrets.yaml$ age: *varda - - path_regex: systems/x64_86-linux/yavanna/secrets.yaml$ + - path_regex: systems/x86_64-linux/yavanna/secrets.yaml$ age: *yavanna #=================================================================== # USERS #=================================================================== - - path_regex: homes/x64_86-linux/chris@\w+/secrets.ya?ml$ - age: chris + - path_regex: homes/x86_64-linux/chris@\w+/secrets.yaml$ + age: *chris diff --git a/homes/x86_64-linux/chris@manwe/secrets.yaml b/homes/x86_64-linux/chris@manwe/secrets.yaml new file mode 100644 index 0000000..0af2506 --- /dev/null +++ b/homes/x86_64-linux/chris@manwe/secrets.yaml 
@@ -0,0 +1,21 @@ +user_level_secrets: ENC[AES256_GCM,data:TNT+via+r4bpgROz,iv:cVO6/r4Aovr5uJFhU87mE5XwRJ518y4OJdHo4m92ahM=,tag:jYInD+euh7k1zSnMRppI5Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYVRQTEVSMWM3WXY3eTdW + ZkUwSnNidlJwWGVETURpNUJRRUllYXo4WjNvCmxmN21qVzNFV3N4UVR6WEV1am1W + eW1KTk9HVDluek1BUnBmSGI3Y2ZqaDQKLS0tIHlMYldYMTVORVNWbEgrWlBSanRM + bUZiMHlOU3pxYUhQSTREb0l4TmFlOEkKiasV2H481aJzAvEAvyeWqGYDOW+WKRFX + yyocZDo0o1lHz/gNXoC0/ujU+O3rSXdsy6Qdz6Rm+xeFUfe4KoD4bg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-11T13:21:38Z" + mac: ENC[AES256_GCM,data:kfMcZuYuQqxxfqtyfH7DltSkq8YNz+vroB+ZQKTIpCNC/W6vJP1o23/xLRzdnEgnnH5GfgZQFAK8Am00/bUD2BgEPyXxXNf1lG70ocFbRM9htii92BFfHgfi25zlEqCO7yrudm1HEJyYrFbZnT63H6u1OgWSC38CzEZTBsCE0kU=,iv:feWGBau48s2GSvZjnKPfP2z46SBuHbh//4zzcLv+MTY=,tag:D86akwawLxobhEu2AvBFKg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/justfile b/justfile index 28330be..70450dd 100644 --- a/justfile +++ b/justfile @@ -18,4 +18,7 @@ install profile host: [doc('builds the configuration for the host')] build host: - nh os build . -H {{host}} \ No newline at end of file + nh os build . -H {{host}} + +edit-secrets target: + sops --config "{{justfile_directory()}}/.sops.yml" edit "{{justfile_directory()}}/{{ if target =~ ".+@.+" { "homes" } else { "systems" } }}/x86_64-linux/{{target}}/secrets.yaml" \ No newline at end of file diff --git a/systems/x86_64-linux/manwe/secrets.yaml b/systems/x86_64-linux/manwe/secrets.yaml index 1872dc2..6e2a986 100644 --- a/systems/x86_64-linux/manwe/secrets.yaml +++ b/systems/x86_64-linux/manwe/secrets.yaml 
@@ -1,30 +1,31 @@ -#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment] -example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str] -#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment] -#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment] -example: - my_subdir: - my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str] +zitadel: + masterKey: ENC[AES256_GCM,data:iSeZOloWLrdP8S+ac7ubIcv9TF3Sm8Ni,iv:8v3/ratFQ5vq2rbZOUMKfPhVTA9uQY2eFQU4IR8s3VU=,tag:9y90aDQ2PfFT//X2i2YvvA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR - ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz - YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB - dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR - Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-09T11:37:49Z" - mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] + - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + enc: 
| + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4R0UyWmx5L3hCbGhQVXI0 + NmpkMThPVlgrRHZZMnFrNTAwbzVTY1F6NEVVCjJaRHdhbHV6R1RJM2JIQzc3dkNu + a01FYlM3b1dXbmxGN2tWU3FMdXMveG8KLS0tIG1SSjNXdXZNN2ZyQ2UyZ0pIZXJJ + NmpMS2oySFE1S1RER3J1RGl4MlRQK00Ks+PcxcHmygYz+a+d0ZrzrdUpTQ50NYkA + aDFbtRtukn9e7i3bGUyD4nisSvs4YjfoQxR/pC8hs4k3f5V2jwDh2w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTN4clFoWDNwU2lpaHBn + M2pVeU5oM0JRNmp6NEJjQ3BHeWlzeSs3bTI0CnBocngvbzZQUXBsMG9Oc2J6dlBT + MjdtaFdmOHg5ZmZmSkViWGJFYThQYXcKLS0tIFRNd2JiVlFTREtDMTdzR2V0SlVo + Q0d5ZDVDM05LdFp4UnB4dFRPUm5vU0UKR/MAONEWaT6XXyPB1IrSIKqW5PZNIbuB + n7QX3DJIzlajtmq+82/wPFPTBkLvSSjV5FKL5ErMwTDndcIn+NlOhQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-11T13:11:00Z" + mac: ENC[AES256_GCM,data:P34YsR/Rvc3q4Os5n9hxonJLCXwifMRnKOCM59h5MRMT/aqjl+QlBX+oUADsqDSrhUscQb3N/UlpFeOT6qg+FmJbT/mYMH6v1xK16VD0M7VWydXpmjDu5If+O89lgDHsiEOGDgeR04jkiaY0yzT9U8l9CND5fMvF3I9o5Z1SZQk=,iv:NgUD8gB2bQa5vh0nb0Ngqp5dn0yqskHudWo8xoVjM4Q=,tag:5oTcnailDCHeMvMLz63e1w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 - -zitadel: - masterKey: thisWillBeAnEncryptedValueInTheFuture From 5d8c897b4da88382716758aebbfd276b3069ae33 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 11 Aug 2025 16:18:53 +0200 Subject: [PATCH 014/251] update the path to system secrets, still need to fix the home secrets --- modules/nixos/system/security/sops/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index 1383681..aa64fd4 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix 
@@ -15,7 +15,7 @@ in sops = { age.keyFile = "/home/.sops-key.age"; - defaultSopsFile = ../../../../secrets/secrets.yaml; + defaultSopsFile = ../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml; defaultSopsFormat = "yaml"; }; From 9aaf0f0a2bcf46c871384ec2ac2eb05f53444028 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 13 Aug 2025 07:41:30 +0200 Subject: [PATCH 015/251] asdffasdfa --- modules/nixos/system/security/sops/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index aa64fd4..ebceca3 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -17,7 +17,6 @@ in defaultSopsFile = ../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml; defaultSopsFormat = "yaml"; - }; }; } \ No newline at end of file From 30f17f692c3b58cea67b653a129a0ac246da50b6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 13 Aug 2025 08:50:26 +0200 Subject: [PATCH 016/251] fix various bugs --- .../{authelia.nix => authelia/default.nix} | 0 .../nixos/services/authentication/default.nix | 1 - .../default.nix} | 0 .../{zitadel.nix => zitadel/default.nix} | 3 +- .../services/development/forgejo/default.nix | 51 ++++++++++--------- modules/nixos/services/media/default.nix | 6 ++- .../services/media/nextcloud/default.nix | 4 +- modules/nixos/services/media/nfs/default.nix | 4 +- .../nixos/system/security/sops/default.nix | 2 +- .../nixos/system/security/sudo/default.nix | 5 +- 10 files changed, 40 insertions(+), 36 deletions(-) rename modules/nixos/services/authentication/{authelia.nix => authelia/default.nix} (100%) delete mode 100644 modules/nixos/services/authentication/default.nix rename modules/nixos/services/authentication/{himmelblau.nix => himmelblau/default.nix} (100%) rename modules/nixos/services/authentication/{zitadel.nix => zitadel/default.nix} (93%) 
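Review bot: `defaultSopsFile = ../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml;` climbs four levels from `modules/nixos/system/security/sops/`, which lands in `modules/` rather than the repository root where `systems/` lives. It needs one more `../`: `defaultSopsFile = ../../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml;`. Every host that enables this module then needs its own `secrets.yaml` at that path, otherwise evaluation fails; the architecture directory is hard-coded as well.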
diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia/default.nix similarity index 100% rename from modules/nixos/services/authentication/authelia.nix rename to modules/nixos/services/authentication/authelia/default.nix diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix deleted file mode 100644 index c157af7..0000000 --- a/modules/nixos/services/authentication/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: {} diff --git a/modules/nixos/services/authentication/himmelblau.nix b/modules/nixos/services/authentication/himmelblau/default.nix similarity index 100% rename from modules/nixos/services/authentication/himmelblau.nix rename to modules/nixos/services/authentication/himmelblau/default.nix diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel/default.nix similarity index 93% rename from modules/nixos/services/authentication/zitadel.nix rename to modules/nixos/services/authentication/zitadel/default.nix index 6142857..1422b4f 100644 --- a/modules/nixos/services/authentication/zitadel.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -21,7 +21,8 @@ in zitadel = { enable = true; openFirewall = true; - masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + masterKeyFile = "/var/lib/zitadel/master_key"; tlsMode = "external"; settings = { Port = 9092; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index a773249..baa70cb 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix 
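Review bot: `masterKeyFile = "/var/lib/zitadel/master_key";` in the zitadel hunk replaces the sops-managed secret with a file that nothing in the configuration creates, so the master key has to be placed by hand and its owner and mode are unmanaged. That key protects the secrets Zitadel keeps in its database, so it belongs under sops: restore `masterKeyFile = config.sops.secrets."zitadel/masterKey".path;` and declare the secret with `owner` set to the zitadel service user. If the sops path was dropped because the secret failed to decrypt, that is better fixed at the source than worked around here.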
@@ -3,7 +3,7 @@ let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.development.forgejo; - svr = cfg.settings.server; + domain = "git.kruining.eu"; in { options.${namespace}.services.development.forgejo = { @@ -18,7 +18,8 @@ in settings = { server = { - # DOMAIN = ""; + DOMAIN = domain; + ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; }; @@ -28,10 +29,10 @@ in SHOW_REGISTRATION_BUTTON = false; }; - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "forgejo"; - }; + # actions = { + # ENABLED = true; + # DEFAULT_ACTIONS_URL = "forgejo"; + # }; session = { COOKIE_SECURE = true; @@ -39,29 +40,29 @@ in }; }; - gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = "monolith"; - url = "https://git.kruining.eu"; - # Obtaining the path to the runner token file may differ - # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - tokenFile = config.age.secrets.forgejo-runner-token.path; - labels = [ - "ubuntu-latest:docker://node:16-bullseye" - "ubuntu-22.04:docker://node:16-bullseye" - "ubuntu-20.04:docker://node:16-bullseye" - "ubuntu-18.04:docker://node:16-buster" - "native:host" - ]; - }; - }; + # gitea-actions-runner = { + # package = pkgs.forgejo-actions-runner; + # instances.default = { + # enable = true; + # name = "monolith"; + # url = "https://git.kruining.eu"; + # # Obtaining the path to the runner token file may differ + # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + # tokenFile = config.age.secrets.forgejo-runner-token.path; + # labels = [ + # "ubuntu-latest:docker://node:16-bullseye" + # "ubuntu-22.04:docker://node:16-bullseye" + # "ubuntu-20.04:docker://node:16-bullseye" + # "ubuntu-18.04:docker://node:16-buster" + # "native:host" + # ]; + # }; + # }; caddy = { enable = true; virtualHosts = { - "git.kruining.eu".extraConfig = '' + ${domain}.extraConfig = '' import auth reverse_proxy http://127.0.0.1:5002 
diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 3909cd9..f76e4ae 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -78,7 +78,11 @@ in sonarr = serviceConf; bazarr = serviceConf; lidarr = serviceConf; - flaresolverr = serviceConf; + + flaresolverr = { + enable = true; + openFirewall = true; + }; jellyseerr = { enable = true; diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud/default.nix index 658a5b4..14d6863 100644 --- a/modules/nixos/services/media/nextcloud/default.nix +++ b/modules/nixos/services/media/nextcloud/default.nix @@ -6,7 +6,7 @@ let cfg = config.${namespace}.services.media.nextcloud; in { - options.modules.services.nextcloud = { + options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; user = mkOption { @@ -40,7 +40,7 @@ in services.nextcloud = { enable = true; - webserver = "caddy"; + # webserver = "caddy"; package = pkgs.nextcloud31; hostName = "localhost"; diff --git a/modules/nixos/services/media/nfs/default.nix b/modules/nixos/services/media/nfs/default.nix index 7674e69..54b58e7 100644 --- a/modules/nixos/services/media/nfs/default.nix +++ b/modules/nixos/services/media/nfs/default.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.media.nfs; + cfg = config.${namespace}.services.media.nfs; in { - options.${namespace}.media.nfs = { + options.${namespace}.services.media.nfs = { enable = mkEnableOption "Enable NFS"; }; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index a75856d..68ab4ca 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix 
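Review bot: `openFirewall = true;` on `flaresolverr` (first hunk of `media/default.nix`) exposes the service to the network, whereas the container it replaces was published only on `127.0.0.1:8191`. FlareSolverr has no authentication of its own, so it should stay reachable only from the local indexer services: set `openFirewall = false;` or drop the line.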
@@ -13,7 +13,7 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFile = ../../../../secrets/secrets.yaml; + defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/"; diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix index 6dedf50..b79efbc 100644 --- a/modules/nixos/system/security/sudo/default.nix +++ b/modules/nixos/system/security/sudo/default.nix @@ -14,9 +14,8 @@ in sudo-rs = { enable = true; - extraConfig = '' - Defaults env_keep += "EDITOR PATH DISPLAY" - ''; + execWheelOnly = true; + extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"''; }; }; }; From d305bf6cee32904ca24e09ddd27516e12a8118a4 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 08:28:55 +0200 Subject: [PATCH 017/251] more zitadel work --- .../authentication/zitadel/default.nix | 66 +++++++++++++++---- 1 file changed, 53 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 1422b4f..812e819 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkForce; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -26,26 +26,59 @@ in tlsMode = "external"; settings = { Port = 9092; - Database = { - Host = "/run/postgresql"; - # Zitadel will report error if port is not set - Port = 5432; - Database = db_name; - User.Username = db_user; - }; - }; - steps = { - TestInstance = { - InstanceName = "Zitadel test"; + ExternalDomain = "kruining.eu"; + ExternalPort = 443; + + DefaultInstance = { + LoginPolicy.AllowRegister = false; Org = { - Name = "Kruining.eu"; + Name = "Zitadel"; Human = { UserName = "admin"; + FirstName = "Ad"; + LastName = "Min"; + Email = { + Address = "admin@kaas.nl"; + Verified = true; + }; Password = "kaas"; }; }; }; + + Database.postgres = { + Host = "localhost"; + # Zitadel will report error if port is not set + Port = 5432; + Database = db_name; + User = { + Username = db_user; + SSL.Mode = "disable"; + }; + Admin = { + Username = "postgres"; + SSL.Mode = "disable"; + }; + }; }; + # steps = { + # FirstInstance = { + # InstanceName = "Zitadel"; + # Org = { + # Name = "Zitadel"; + # Human = { + # UserName = "admin@zitadel.kruining.eu"; + # FirstName = "Ad"; + # LastName = "Min"; + # Email = { + # Address = "admin@kaas.nl"; + # Verified = true; + # }; + # Password = "kaas"; + # }; + # }; + # }; + # }; }; postgresql = { @@ -57,6 +90,13 @@ in ensureDBOwnership = true; } ]; + authentication = mkForce '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; }; caddy = { From 7c6c566798ed878d2d2130aae445b6a89f65b523 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 09:38:43 +0200 Subject: [PATCH 018/251] FINALLY, I'm in! --- .../authentication/zitadel/default.nix | 56 +++++++------------ 1 file changed, 20 insertions(+), 36 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 812e819..94915e1 100644 
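Review bot: `Password = "kaas";` for the initial admin in `DefaultInstance.Org.Human` is a literal in the Nix expression, so it ends up in the repository and in the world-readable Nix store; the follow-up patch moves the user to `steps.FirstInstance` but keeps a literal `Password` there too. Supply it from a sops-managed file instead, for example through the module's `extraStepsPaths` (check the option name against the nixpkgs version in use), and change the password of any instance already initialised with a committed value. `SSL.Mode = "disable"` together with `Host = "localhost"` also moves the connection from the Unix socket to unencrypted TCP; keeping `Host = "/run/postgresql"` avoids that.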
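Review bot: The forced `authentication` block in the `postgresql` hunk sets `trust` for local sockets and both loopback addresses, so any local user or process can connect as any database role, including `postgres`, without a password. That applies to every database on this PostgreSQL instance, not only Zitadel's. Prefer `local all all peer` with Zitadel connecting over the socket as its own role, and use `scram-sha-256` on the two `host` lines if TCP is required.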
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -26,25 +26,9 @@ in tlsMode = "external"; settings = { Port = 9092; - ExternalDomain = "kruining.eu"; + ExternalDomain = "auth-z.kruining.eu"; ExternalPort = 443; - - DefaultInstance = { - LoginPolicy.AllowRegister = false; - Org = { - Name = "Zitadel"; - Human = { - UserName = "admin"; - FirstName = "Ad"; - LastName = "Min"; - Email = { - Address = "admin@kaas.nl"; - Verified = true; - }; - Password = "kaas"; - }; - }; - }; + ExternalSecure = true; Database.postgres = { Host = "localhost"; @@ -61,24 +45,24 @@ in }; }; }; - # steps = { - # FirstInstance = { - # InstanceName = "Zitadel"; - # Org = { - # Name = "Zitadel"; - # Human = { - # UserName = "admin@zitadel.kruining.eu"; - # FirstName = "Ad"; - # LastName = "Min"; - # Email = { - # Address = "admin@kaas.nl"; - # Verified = true; - # }; - # Password = "kaas"; - # }; - # }; - # }; - # }; + steps = { + FirstInstance = { + InstanceName = "auth-z.kruining.eu"; + Org = { + Name = "Default"; + Human = { + UserName = "chris"; + FirstName = "Chris"; + LastName = "Kruining"; + Email = { + Address = "chris@kruining.eu"; + Verified = true; + }; + Password = "KaasIsAwesome1!"; + }; + }; + }; + }; }; postgresql = { From 06ad805206e5af2deb0dca62a954902fa76efd63 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 15:33:27 +0200 Subject: [PATCH 019/251] got zitadel and forgejo mostly up and running --- .../authentication/zitadel/default.nix | 16 +++++----- .../services/development/forgejo/default.nix | 31 +++++++++++++++++-- 2 files changed, 37 insertions(+), 10 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 94915e1..aa1a0dd 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
@@ -90,14 +90,14 @@ in reverse_proxy h2c://127.0.0.1:9092 ''; }; - # extraConfig = '' - # (auth) { - # forward_auth h2c://127.0.0.1:9092 { - # uri /api/authz/forward-auth - # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - # } - # } - # ''; + extraConfig = '' + (auth-z) { + forward_auth h2c://127.0.0.1:9092 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index baa70cb..5342b56 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,24 +11,47 @@ in }; config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ forgejo ]; + services = { forgejo = { enable = true; + useWizard = false; database.type = "postgres"; settings = { + DEFAULT = { + APP_NAME = "Chris' Forge"; + }; + server = { DOMAIN = domain; ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; }; + security = { + PASSWORD_HASH_ALGO = "argon2"; + }; + service = { + REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything DISABLE_REGISTRATION = true; - ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; SHOW_REGISTRATION_BUTTON = false; }; + openid = { + ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "https://auth-z.kruining.eu"; + }; + + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + }; + # actions = { # ENABLED = true; # DEFAULT_ACTIONS_URL = "forgejo"; @@ -63,7 +86,11 @@ in enable = true; virtualHosts = { ${domain}.extraConfig = '' - import auth + # import auth-z + + # stupid dumb way to prevent the login page and go to zitadel instead + # be aware that this does not disable local login at all! + rewrite /user/login /user/oauth2/Zitadel reverse_proxy http://127.0.0.1:5002 ''; 
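Review bot: The `(auth-z)` snippet points `forward_auth` at Zitadel on 9092 with `uri /api/authz/forward-auth` and `copy_headers Remote-User Remote-Groups Remote-Email Remote-Name`, which is the shape of Authelia's forward-auth endpoint; as far as I know Zitadel does not serve that path. Caddy grants access on any 2xx answer from the auth upstream, so before a site imports this snippet it is worth confirming that an unauthenticated request to that URI is actually rejected. If the snippet is not meant to be used yet, a comment such as `# not functional yet: verify Zitadel answers this URI before importing` would keep it from being relied on.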
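Review bot: The `openid` block in the `@@ -11,24 +11,47 @@` hunk (`ENABLE_OPENID_SIGNIN`, `ENABLE_OPENID_SIGNUP`) switches on Forgejo's legacy OpenID 2.0 login, which is separate from the OAuth2 source that the `/user/oauth2/Zitadel` rewrite in the last hunk relies on. Unless OpenID 2.0 is really wanted, `ENABLE_OPENID_SIGNIN = false;` and `ENABLE_OPENID_SIGNUP = false;` remove a second sign-up path; `WHITELISTED_URIS` only narrows it. The rewrite is already commented as not disabling local login, so the effective sign-in surface is decided by these settings and not by the proxy.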
From 4320acc0fb8629ee390b4dface0669372beb9b98 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 18 Aug 2025 10:28:12 +0200 Subject: [PATCH 020/251] add test workflow --- .forgejo/workflows/action.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .forgejo/workflows/action.yml diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml new file mode 100644 index 0000000..1119f37 --- /dev/null +++ b/.forgejo/workflows/action.yml @@ -0,0 +1,16 @@ +name: Test action + +on: + workflow_dispatch: + push: + branches: + - main + +jobs: + hello: + name: Print hello world + runs-on: ubuntu-latest + steps: + - name: Echo + run: | + echo "Hello, world!" \ No newline at end of file From ba05f561e7d5a73998c179f5a070dfb1c99ef40c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 18 Aug 2025 12:42:55 +0200 Subject: [PATCH 021/251] update deps --- flake.lock | 132 ++++++++++++++++++++++++++--------------------------- 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/flake.lock b/flake.lock index 1935971..27521bd 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1753879613, - "narHash": "sha256-oYhCJSAIZiu3maM2q6JBzh0+MYd4KTaq5eNFIstUurE=", + "lastModified": 1755108317, + "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "0ad38bd182cd737f0f4b878ea04cb3676ecd4000", + "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e", "type": "github" }, "original": { 
@@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1753944209, - "narHash": "sha256-dcGdqxhRRGoA/S38BsWOrwIiLYEBOqXKauHdFwKR310=", + "lastModified": 1755153894, + "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=", "owner": "nix-community", "repo": "fenix", - "rev": "5ef8607d6e8a08cfb3946aaacaa0494792adf4ae", + "rev": "f6874c6e512bc69d881d979a45379b988b80a338", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1753960679, - "narHash": "sha256-q82/pjksNMev2AJqK1v38BcK29kB2f7yB2GTEsrlR2M=", + "lastModified": 1755083788, + "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "c709bb72ee604949ff54df9519dc6cb0c6040007", + "rev": "523078b104590da5850a61dfe291650a6b49809c", "type": "github" }, "original": { @@ -230,11 +230,11 @@ ] }, "locked": { - "lastModified": 1753121425, - "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1753279958, - "narHash": "sha256-EJ1udnwKYgWeAJzncAccbLPtbSWiuIANryXTGI9nY6w=", + "lastModified": 1755072091, + "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "6c26f99622cb1c705b3fe2dbe1eb88521096b25a", + "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa", "type": "github" }, "original": { 
@@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1753902883, - "narHash": "sha256-F7IUdBe//PDtcztUdu3XYxzJuKbYip6TwIRWLdrftO0=", + "lastModified": 1754593854, + "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "d01709bf0100183045927c03b90db78fb8e40bda", + "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed", "type": "github" }, "original": { @@ -452,11 +452,11 @@ ] }, "locked": { - "lastModified": 1753943136, - "narHash": "sha256-eiEE5SabVcIlGSTRcRyBjmJMaYAV95SJnjy8YSsVeW4=", + "lastModified": 1755121891, + "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=", "owner": "nix-community", "repo": "home-manager", - "rev": "bd82507edd860c453471c46957cbbe3c9fd01b5c", + "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426", "type": "github" }, "original": { @@ -473,11 +473,11 @@ ] }, "locked": { - "lastModified": 1753938227, - "narHash": "sha256-KzjI9khMC2tOL5FClh3sHq8Gax1O5Rw0bH1hvJ3FU3E=", + "lastModified": 1755151620, + "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "8d1f0004594e0eddc00159ad7666e669a6bcb711", + "rev": "16e12d22754d97064867006acae6e16da7a142a6", "type": "github" }, "original": { @@ -492,11 +492,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1753618592, - "narHash": "sha256-9sDACkrSbZOA1srKWQzvbkBFHZeXvHW8EYpWrVZPxDg=", + "lastModified": 1754828166, + "narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "81b2f78680ca3864bfdc0d4cbc3444af3e1ff271", + "rev": "f01c8d121a3100230612be96e4ac668e15eafb77", "type": "github" }, "original": { 
@@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1753928630, - "narHash": "sha256-ASqyvmJ2EEUCyDJGMHRQ1ZqWnCd4SiVd7hi7dGBuSvw=", + "lastModified": 1755137329, + "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "30af81148ee29a4a13c938c25d3e68877b1b27fb", + "rev": "d9330bc35048238597880e89fb173799de9db5e9", "type": "github" }, "original": { @@ -621,11 +621,11 @@ ] }, "locked": { - "lastModified": 1753704990, - "narHash": "sha256-5E14xuNWy2Un1nFR55k68hgbnD8U2x/rE5DXJtYKusw=", + "lastModified": 1755171343, + "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "58c814cc6d4a789191f9c12e18277107144b0c91", + "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e", "type": "github" }, "original": { @@ -636,11 +636,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751186460, - "narHash": "sha256-tSnI50oYaXOi/SFUmJC+gZ2xE9pAhTnV0D2/3JoKL7g=", + "lastModified": 1754002724, + "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dd5540905b1a13176efa13fa2f8dac776bcb275a", + "rev": "8271ed4b2e366339dd622f329151e45745ade121", "type": "github" }, "original": { @@ -652,11 +652,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "lastModified": 1754788789, + "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", "type": "github" }, "original": { 
@@ -683,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1753948617, - "narHash": "sha256-68ounbeMLJTO/Igq0rEqjldNReb/r2gR9zgLU2qiH7A=", + "lastModified": 1755061300, + "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4f1a1d0af135001efc1a58c8f31ede7bb1045874", + "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5", "type": "github" }, "original": { @@ -715,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1753965693, - "narHash": "sha256-ks84bo0xIjUdRJGqLHQTyXR5OGb+8zUQg+XarbSEtrw=", + "lastModified": 1755178357, + "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "113bb8d5ca48dc31c62835b5fafed82092d87a91", + "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4", "type": "github" }, "original": { @@ -747,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1753694789, - "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=", + "lastModified": 1755027561, + "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727", + "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", "type": "github" }, "original": { @@ -763,11 +763,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1753432016, - "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", + "lastModified": 1755049066, + "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", + "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a", "type": "github" }, "original": { 
@@ -843,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1753878721, - "narHash": "sha256-Y+Kr6FTHggnZ31nhaiOhIboIi+dhnLmQ9p0xf0wwnDc=", + "lastModified": 1755115677, + "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=", "owner": "notashelf", "repo": "nvf", - "rev": "e35a74c44a35b28fd09f136dd3c0dbe9f300258f", + "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe", "type": "github" }, "original": { @@ -866,11 +866,11 @@ ] }, "locked": { - "lastModified": 1748196248, - "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=", + "lastModified": 1754501628, + "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "b7697abe89967839b273a863a3805345ea54ab56", + "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133", "type": "github" }, "original": { @@ -905,11 +905,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1753838657, - "narHash": "sha256-4FA7NTmrAqW5yt4A3hhzgDmAFD0LbGRMGKhb1LBSItI=", + "lastModified": 1755004716, + "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8611b714597c89b092f3d4874f14acd3f72f44fd", + "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194", "type": "github" }, "original": { @@ -946,11 +946,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", "type": "github" }, "original": { 
@@ -978,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1753919664, - "narHash": "sha256-U7Ts8VbVD4Z6n67gFx00dkpQJu27fMu173IUopX3pNI=", + "lastModified": 1755027820, + "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=", "owner": "nix-community", "repo": "stylix", - "rev": "30f5022236cf8dd257941cb0f910e198e7e464c7", + "rev": "c592717e9f713bbae5f718c784013d541346363d", "type": "github" }, "original": { From 3994f1fb98fc1cf44e8349e7e92938fcc2dbb367 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 18 Aug 2025 12:43:21 +0200 Subject: [PATCH 022/251] woot, got actions working! --- .forgejo/workflows/action.yml | 2 +- .../services/development/forgejo/default.nix | 57 ++++++++++++------- 2 files changed, 36 insertions(+), 23 deletions(-) diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 1119f37..4aac00e 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -9,7 +9,7 @@ on: jobs: hello: name: Print hello world - runs-on: ubuntu-latest + runs-on: default steps: - name: Echo run: | diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 5342b56..84b8ba6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,6 +11,8 @@ in }; config = mkIf cfg.enable { + ${namespace}.services.virtualisation.podman.enable = true; + environment.systemPackages = with pkgs; [ forgejo ]; services = { 
@@ -52,35 +54,46 @@ in UPDATE_AVATAR = true; }; - # actions = { - # ENABLED = true; - # DEFAULT_ACTIONS_URL = "forgejo"; - # }; + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "https://git.kruining.eu"; + }; session = { COOKIE_SECURE = true; }; + + mailer = { + ENABLED = true; + SMTP_ADDR = "smpts://smtp.black-mail.nl"; + FROM = "noreply@kruining.eu"; + USER = "noreply@kruining.eu"; + }; }; + + mailerPasswordFile = "/var/lib/forgejo/custom/mail_password"; }; - # gitea-actions-runner = { - # package = pkgs.forgejo-actions-runner; - # instances.default = { - # enable = true; - # name = "monolith"; - # url = "https://git.kruining.eu"; - # # Obtaining the path to the runner token file may differ - # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - # tokenFile = config.age.secrets.forgejo-runner-token.path; - # labels = [ - # "ubuntu-latest:docker://node:16-bullseye" - # "ubuntu-22.04:docker://node:16-bullseye" - # "ubuntu-20.04:docker://node:16-bullseye" - # "ubuntu-18.04:docker://node:16-buster" - # "native:host" - # ]; - # }; - # }; + openssh.settings.AllowUsers = [ "forgejo" ]; + + gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "monolith"; + url = "https://git.kruining.eu"; + # Obtaining the path to the runner token file may differ + # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + # tokenFile = config.age.secrets.forgejo-runner-token.path; + token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; + labels = [ + "default:docker://node:22-bullseye" + ]; + settings = { + + }; + }; + }; caddy = { enable = true; From a3cb9796b1d4c2acb45c6b4b6ab084a13120de83 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 19 Aug 2025 11:05:54 +0200 Subject: [PATCH 023/251] expand forgejo setup --- .../services/development/forgejo/default.nix | 53 +++++++++++++++++-- 1 file changed, 49 insertions(+), 4 deletions(-) 
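Review bot: The `token = "…"` line in `gitea-actions-runner.instances.default` commits the runner registration token in plaintext and copies it into the Nix store, while the `tokenFile` line that avoids this stays commented out just above it. Restore it as `tokenFile = "/run/secrets/<forgejo-runner-token>";` (placeholder path; the existing comment already describes the `TOKEN=` format) and re-issue the token, since the committed one has to be considered exposed. In the same hunk `SMTP_ADDR = "smpts://smtp.black-mail.nl"` misspells the scheme, so whether mail goes out over TLS depends on how an unknown scheme is handled. `openssh.settings.AllowUsers = [ "forgejo" ]` should be checked against other definitions of that list so that admin SSH login is not cut off.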
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 84b8ba6..9945691 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -30,17 +30,49 @@ in DOMAIN = domain; ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; + LANDING_PAGE = "explore"; + }; + + cors = { + ENABLED = true; + ALLOW_DOMAIN = "https://*.kruining.eu"; }; security = { + INSTALL_LOCK = true; PASSWORD_HASH_ALGO = "argon2"; + DISABLE_WEBHOOKS = true; + }; + + ui = { + EXPLORE_PAGING_NUM = 50; + ISSUE_PAGING_NUM = 50; + MEMBERS_PAGING_NUM = 50; + }; + + "ui.meta" = { + AUTHOR = "Where code is forged!"; + DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future"; + }; + + admin = { + USER_DISABLED_FEATURES = "manage_gpg_keys"; + EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys"; }; service = { - REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything + # Auth + ENABLE_BASIC_AUTHENTICATION = false; DISABLE_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - SHOW_REGISTRATION_BUTTON = false; + + # Privacy + DEFAULT_KEEP_EMAIL_PRIVATE = true; + DEFAULT_USER_VISIBILITY = "private"; + DEFAULT_ORG_VISIBILITY = "private"; + + # Common sense + VALID_SITE_URL_SCHEMES = "https"; }; openid = { @@ -56,10 +88,23 @@ in actions = { ENABLED = true; - DEFAULT_ACTIONS_URL = "https://git.kruining.eu"; + }; + + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + + api = { + ENABLE_SWAGGER = false; + }; + + mirror = { + ENABLED = false; }; session = { + PROVIDER = "db"; COOKIE_SECURE = true; }; 
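Review bot: The `service` block in the `@@ -30,17 +30,49 @@` hunk drops `REQUIRE_SIGNIN_VIEW = true` while `server` gains `LANDING_PAGE = "explore"`, so anonymous visitors can browse whatever is public. The new `DEFAULT_USER_VISIBILITY` and `DEFAULT_ORG_VISIBILITY` settings cover user profiles and organisations, not repositories. If anonymous browsing is intended, say so next to the setting, e.g. `# anonymous browsing of public repos is intentional`; if not, keep `REQUIRE_SIGNIN_VIEW = true;` or add `repository.DEFAULT_PRIVATE = "private";`. The `settings` attribute set starts and ends outside this hunk.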
@@ -80,7 +125,7 @@ in package = pkgs.forgejo-actions-runner; instances.default = { enable = true; - name = "monolith"; + name = "default"; url = "https://git.kruining.eu"; # Obtaining the path to the runner token file may differ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd From 6511e513a3cd9eef4ff3139cf9b75ae2f7baf1b7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 19 Aug 2025 15:01:22 +0200 Subject: [PATCH 024/251] initial observability setup --- .../services/development/forgejo/default.nix | 3 +- .../grafana/dashboards/default.json | 7 ++ .../observability/grafana/default.nix | 100 ++++++++++++++++++ .../services/observability/loki/default.nix | 49 +++++++++ .../observability/prometheus/default.nix | 32 ++++++ .../observability/promtail/default.nix | 56 ++++++++++ systems/x86_64-linux/ulmo/default.nix | 9 +- 7 files changed, 253 insertions(+), 3 deletions(-) create mode 100644 modules/nixos/services/observability/grafana/dashboards/default.json create mode 100644 modules/nixos/services/observability/grafana/default.nix create mode 100644 modules/nixos/services/observability/loki/default.nix create mode 100644 modules/nixos/services/observability/prometheus/default.nix create mode 100644 modules/nixos/services/observability/promtail/default.nix diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 9945691..22c3123 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -113,10 +113,9 @@ in SMTP_ADDR = "smpts://smtp.black-mail.nl"; FROM = "noreply@kruining.eu"; USER = "noreply@kruining.eu"; + PASSWD = "/var/lib/forgejo/custom/mail_password"; }; }; - - mailerPasswordFile = "/var/lib/forgejo/custom/mail_password"; }; openssh.settings.AllowUsers = [ "forgejo" ]; 
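Review bot: `PASSWD = "/var/lib/forgejo/custom/mail_password";` in the `@@ -113,10 +113,9 @@` hunk replaces the removed `mailerPasswordFile`, but a value under `settings.mailer` is written to `app.ini` as-is, so Forgejo would use the path string itself as the SMTP password rather than the file's contents. Keep a file-based option instead: the removed `mailerPasswordFile = "/var/lib/forgejo/custom/mail_password";`, or on NixOS releases that have it, `secrets.mailer.PASSWD = "/var/lib/forgejo/custom/mail_password";`.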
diff --git a/modules/nixos/services/observability/grafana/dashboards/default.json b/modules/nixos/services/observability/grafana/dashboards/default.json new file mode 100644 index 0000000..f8ea8dc --- /dev/null +++ b/modules/nixos/services/observability/grafana/dashboards/default.json @@ -0,0 +1,7 @@ +{ + "title": "Default Dash", + "description": "The default dashboard", + "timezone": "browser", + "editable": false, + "panels": [] +} diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix new file mode 100644 index 0000000..1747330 --- /dev/null +++ b/modules/nixos/services/observability/grafana/default.nix 
@@ -0,0 +1,100 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.grafana; + + db_user = "grafana"; + db_name = "grafana"; +in +{ + options.${namespace}.services.observability.grafana = { + enable = mkEnableOption "enable Grafana"; + }; + + config = mkIf cfg.enable { + services.grafana = { + enable = true; + openFirewall = true; + + settings = { + server = { + http_port = 9001; + http_addr = "0.0.0.0"; + }; + database = { + type = "postgres"; + host = "/var/run/postgresql:5432"; + name = db_name; + user = db_user; + ssl_mode = "disable"; + }; + + users = { + allow_sign_up = false; + allow_org_create = false; + viewers_can_edit = false; + + default_theme = "system"; + }; + + analytics = { + reporting_enabled = false; + check_for_updates = false; + check_for_plugin_updates = false; + feedback_links_enabled = false; + }; + }; + + provision = { + enable = true; + + dashboards.settings = { + apiVersion = 1; + providers = [ + { + name = "Default Dashboard"; + disableDeletion = true; + allowUiUpdates = false; + options = { + path = "/etc/grafana/dashboards"; + foldersFromFilesStructure = true; + }; + } + ]; + }; + + datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:9002"; + isDefault = true; + editable = false; + } + + { + name = "Loki"; + type = "loki"; + url = "http://localhost:9003"; + editable = false; + } + ]; + }; + }; + + services.postgresql = { + enable = true; + ensureDatabases = [ db_name ]; + ensureUsers = [ + { + name = db_user; + ensureDBOwnership = true; + } + ]; + }; + + environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; + }; +} diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix new file mode 100644 index 0000000..8f6e0e3 --- /dev/null 
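Review bot: `http_addr = "0.0.0.0"` together with `openFirewall = true` exposes Grafana on every interface, and nothing in this file sets `security.admin_password`, so the instance starts with Grafana's built-in default admin login. Either bind to loopback and publish it through the Caddy setup used by the other services, or set the password from a file with `security.admin_password = "$__file{/run/secrets/<grafana-admin-password>}";` (placeholder path). `users.allow_sign_up = false` does not cover this, because the default admin account already exists.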
+++ b/modules/nixos/services/observability/loki/default.nix @@ -0,0 +1,49 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.loki; +in +{ + options.${namespace}.services.observability.loki = { + enable = mkEnableOption "enable Grafana Loki"; + }; + + config = mkIf cfg.enable { + services.loki = { + enable = true; + configuration = { + auth_enabled = false; + + server = { + http_listen_port = 9003; + }; + + common = { + ring = { + instance_addr = "127.0.0.1"; + kvstore.store = "inmmemory"; + }; + replication_factor = 1; + path_prefix = "/tmp/loki"; + }; + + schema_config.configs = [ + { + from = "2025-01-01"; + store = "tsdb"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9003 ]; + }; +} diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix new file mode 100644 index 0000000..666a356 --- /dev/null +++ b/modules/nixos/services/observability/prometheus/default.nix @@ -0,0 +1,32 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.prometheus; +in +{ + options.${namespace}.services.observability.prometheus = { + enable = mkEnableOption "enable Prometheus"; + }; + + config = mkIf cfg.enable { + services.prometheus = { + enable = true; + port = 9002; + + globalConfig.scrape_interval = "15s"; + + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:9002" ]; } + ]; + } + ]; + }; + + networking.firewall.allowedTCPPorts = [ 9002 ]; + }; +} 
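Review bot: `auth_enabled = false` with no `http_listen_address` and `networking.firewall.allowedTCPPorts = [ 9003 ]` makes Loki's push and query API reachable from the network without authentication, although the Grafana datasource in this commit reaches it over `localhost`. Drop the firewall line and add `server.http_listen_address = "127.0.0.1";`. The Prometheus and Promtail modules in this commit open 9002 and 9004 the same way, and the node exporter added later in the series sets `openFirewall = true`. Separately, `kvstore.store = "inmmemory"` looks like a typo for `inmemory`, and `path_prefix = "/tmp/loki"` keeps the store in a world-writable directory.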
diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix new file mode 100644 index 0000000..1f32adc --- /dev/null +++ b/modules/nixos/services/observability/promtail/default.nix @@ -0,0 +1,56 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.promtail; +in +{ + options.${namespace}.services.observability.promtail = { + enable = mkEnableOption "enable Grafana Promtail"; + }; + + config = mkIf cfg.enable { + services.promtail = { + enable = true; + + # Ensures proper permissions + extraFlags = [ + "-config.expand-env=true" + ]; + + configuration = { + server = { + http_listen_port = 9004; + grpc_listen_port = 0; + }; + + positions = { + filename = "filename"; + }; + + clients = { + url = "http://127.0.0.1:3100/loki/api/v1/push"; + }; + + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "ulmo"; + }; + }; + relabel_configs = [ + { source_labels = [ "__journal__systemd_unit" ]; target_label = "unit"; } + ]; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9004 ]; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index f47c580..e191367 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -10,12 +10,19 @@ authentication.authelia.enable = true; authentication.zitadel.enable = true; + development.forgejo.enable = true; + networking.ssh.enable = true; media.enable = true; media.nfs.enable = true; - development.forgejo.enable = true; + observability = { + grafana.enable = true; + prometheus.enable = true; + loki.enable = true; + promtail.enable = true; + }; }; editor = { From 995fdaeb1d000332278b51568dfc18f3a98b9d03 Mon Sep 17 00:00:00 2001 
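Review bot: `clients.url` points at `http://127.0.0.1:3100/loki/api/v1/push`, but the Loki module in this commit sets `http_listen_port = 9003`, so journal entries would not reach it; Promtail's `clients` is also a list, not a single object. `clients = [ { url = "http://127.0.0.1:9003/loki/api/v1/push"; } ];` matches the rest of the commit. `positions.filename = "filename"` looks like a leftover placeholder, and the `# Ensures proper permissions` comment does not describe `-config.expand-env=true`, which turns on environment-variable expansion in the config file.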
From: Chris Kruining Date: Wed, 20 Aug 2025 15:15:03 +0200 Subject: [PATCH 025/251] working on grafana oidc and introduced new domain for hosting --- .../authentication/zitadel/default.nix | 8 +- .../services/development/forgejo/default.nix | 16 +- .../observability/grafana/default.nix | 166 +++++++++++------- .../observability/prometheus/default.nix | 20 ++- 4 files changed, 129 insertions(+), 81 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index aa1a0dd..a8cb4e6 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -26,7 +26,7 @@ in tlsMode = "external"; settings = { Port = 9092; - ExternalDomain = "auth-z.kruining.eu"; + ExternalDomain = "auth.amarth.cloud"; ExternalPort = 443; ExternalSecure = true; @@ -47,9 +47,9 @@ in }; steps = { FirstInstance = { - InstanceName = "auth-z.kruining.eu"; + InstanceName = "auth.amarth.cloud"; Org = { - Name = "Default"; + Name = "Amarth"; Human = { UserName = "chris"; FirstName = "Chris"; @@ -86,7 +86,7 @@ in caddy = { enable = true; virtualHosts = { - "auth-z.kruining.eu".extraConfig = '' + "auth.amarth.cloud".extraConfig = '' reverse_proxy h2c://127.0.0.1:9092 ''; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 22c3123..87882b6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -3,7 +3,7 @@ let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.development.forgejo; - domain = "git.kruining.eu"; + domain = "git.amarth.cloud"; in { options.${namespace}.services.development.forgejo = { @@ -35,7 +35,7 @@ in cors = { ENABLED = true; - ALLOW_DOMAIN = "https://*.kruining.eu"; + ALLOW_DOMAIN = "https://*.amarth.cloud"; }; security = { 
@@ -63,8 +63,9 @@ in service = { # Auth ENABLE_BASIC_AUTHENTICATION = false; - DISABLE_REGISTRATION = true; + DISABLE_REGISTRATION = false; ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; # Privacy DEFAULT_KEEP_EMAIL_PRIVATE = true; @@ -78,12 +79,13 @@ in openid = { ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "https://auth-z.kruining.eu"; + WHITELISTED_URIS = "https://auth.amarth.cloud"; }; oauth2_client = { ENABLE_AUTO_REGISTRATION = true; UPDATE_AVATAR = true; + ACCOUNT_LINKING = "auto"; }; actions = { @@ -111,8 +113,8 @@ in mailer = { ENABLED = true; SMTP_ADDR = "smpts://smtp.black-mail.nl"; - FROM = "noreply@kruining.eu"; - USER = "noreply@kruining.eu"; + FROM = "info@amarth.cloud"; + USER = "amarth"; PASSWD = "/var/lib/forgejo/custom/mail_password"; }; }; @@ -125,7 +127,7 @@ in instances.default = { enable = true; name = "default"; - url = "https://git.kruining.eu"; + url = "https://git.amarth.cloud"; # Obtaining the path to the runner token file may differ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd # tokenFile = config.age.secrets.forgejo-runner-token.path; diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index 1747330..c399729 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix 
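Review bot: `ACCOUNT_LINKING = "auto"` in `oauth2_client` attaches an incoming external login to an existing Forgejo account when the username or email matches, without asking for the local account's credentials. That is only safe if every configured OAuth2 source guarantees verified emails and usernames that cannot be chosen freely. With `ENABLE_AUTO_REGISTRATION = true` already set, `ACCOUNT_LINKING = "login";` keeps sign-up automatic for new users while requiring proof of ownership before linking. If `auto` stays, a comment stating that Zitadel is the only trusted source would record the assumption.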
@@ -14,87 +14,117 @@ in }; config = mkIf cfg.enable { - services.grafana = { - enable = true; - openFirewall = true; - - settings = { - server = { - http_port = 9001; - http_addr = "0.0.0.0"; - }; - database = { - type = "postgres"; - host = "/var/run/postgresql:5432"; - name = db_name; - user = db_user; - ssl_mode = "disable"; - }; - - users = { - allow_sign_up = false; - allow_org_create = false; - viewers_can_edit = false; - - default_theme = "system"; - }; - - analytics = { - reporting_enabled = false; - check_for_updates = false; - check_for_plugin_updates = false; - feedback_links_enabled = false; - }; - }; - - provision = { + services = { + grafana = { enable = true; + openFirewall = true; - dashboards.settings = { - apiVersion = 1; - providers = [ + settings = { + server = { + http_port = 9001; + http_addr = "0.0.0.0"; + domain = "ulmo"; + }; + + auth = { + disable_login_form = false; + oauth_auto_login = true; + }; + + "auth.basic".enable = false; + "auth.generic_oauth" = { + enable = true; + name = "Zitadel"; + client_id = "334170712283611395"; + client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; + scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; + email_attribute_path = "email"; + login_attribute_path = "username"; + name_attribute_path = "full_name"; + role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; + auth_url = "https://auth.amarth.cloud/oauth/v2/authorize"; + token_url = "https://auth.amarth.cloud/oauth/v2/token"; + api_url = "https://auth.amarth.cloud/oidc/v1/userinfo"; + allow_sign_up = true; + auto_login = true; + use_pkce = true; + usr_refresh_token = true; + allow_assign_grafana_admin = true; + }; + + database = { + type = "postgres"; + host = "/var/run/postgresql:5432"; + name = db_name; + user = db_user; + ssl_mode = "disable"; + }; + + users 
= { + allow_sign_up = false; + allow_org_create = false; + viewers_can_edit = false; + + default_theme = "system"; + }; + + analytics = { + reporting_enabled = false; + check_for_updates = false; + check_for_plugin_updates = false; + feedback_links_enabled = false; + }; + }; + + provision = { + enable = true; + + dashboards.settings = { + apiVersion = 1; + providers = [ + { + name = "Default Dashboard"; + disableDeletion = true; + allowUiUpdates = false; + options = { + path = "/etc/grafana/dashboards"; + foldersFromFilesStructure = true; + }; + } + ]; + }; + + datasources.settings.datasources = [ { - name = "Default Dashboard"; - disableDeletion = true; - allowUiUpdates = false; - options = { - path = "/etc/grafana/dashboards"; - foldersFromFilesStructure = true; - }; + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:9005"; + isDefault = true; + editable = false; + } + + { + name = "Loki"; + type = "loki"; + url = "http://localhost:9003"; + editable = false; } ]; }; + }; - datasources.settings.datasources = [ + postgresql = { + enable = true; + ensureDatabases = [ db_name ]; + ensureUsers = [ { - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:9002"; - isDefault = true; - editable = false; - } - - { - name = "Loki"; - type = "loki"; - url = "http://localhost:9003"; - editable = false; + name = db_user; + ensureDBOwnership = true; } ]; }; }; - services.postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - }; - environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; }; } diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix index 666a356..af5ee9d 100644 --- a/modules/nixos/services/observability/prometheus/default.nix +++ b/modules/nixos/services/observability/prometheus/default.nix 
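Review bot: `client_secret` in `"auth.generic_oauth"` is a literal in the module, so the OAuth client secret ends up in the repository and the Nix store; read it from a file with Grafana's `$__file{…}` expansion and rotate the committed value in Zitadel. Grafana's switch in both auth sections is `enabled`, not `enable`, so as written basic auth is probably not turned off and the OAuth section not turned on, and `usr_refresh_token` looks like a typo for `use_refresh_token`. `allow_assign_grafana_admin = true` leaves the `role_attribute_path` expression as the only barrier to server admin, so the `'contributer'` spelling should be checked against the role key defined in Zitadel. The hunk mostly re-indents the `services` block; only the lines below would change.

```nix
# … unchanged: server, auth …
"auth.basic".enabled = false;
"auth.generic_oauth" = {
  enabled = true;
  # … unchanged: name, client_id …
  client_secret = "$__file{/run/secrets/<grafana-oauth-client-secret>}"; # placeholder path
  # … unchanged: scopes, attribute paths, endpoints, allow_sign_up, auto_login, use_pkce …
  use_refresh_token = true;
  # … unchanged: allow_assign_grafana_admin …
};
```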
@@ -1,7 +1,7 @@ { pkgs, config, lib, namespace, ... }: let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.observability.prometheus; in @@ -24,7 +24,23 @@ in { targets = [ "localhost:9002" ]; } ]; } + + { + job_name = "node"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } ]; + + exporters = { + node = { + enable = true; + port = 9005; + enabledCollectors = [ "systemd" ]; + openFirewall = true; + }; + }; }; networking.firewall.allowedTCPPorts = [ 9002 ]; From f4ff383d283fb5d6cdd669ec252dee66097976ed Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 21 Aug 2025 14:53:28 +0200 Subject: [PATCH 026/251] improve forgejo and zitadel configs --- .../authentication/zitadel/default.nix | 36 +++++++++++++++++++ .../services/development/forgejo/default.nix | 11 +++--- 2 files changed, 43 insertions(+), 4 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index a8cb4e6..a95d849 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
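Review bot: The node exporter is scraped through `localhost:${toString config.services.prometheus.exporters.node.port}`, so `openFirewall = true` in the new `exporters.node` block only adds outside exposure of an unauthenticated endpoint that, with the `systemd` collector, describes the host's units; `openFirewall = false;` keeps the scrape working. Port 9005 is also what the Grafana hunk in this commit now uses for the `Prometheus` datasource (`http://localhost:9005`), while Prometheus itself appears to stay on 9002 according to the context lines, so Grafana would be querying the exporter rather than Prometheus. The `services.prometheus` block starts outside the hunk.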
@@ -26,10 +26,46 @@ in tlsMode = "external"; settings = { Port = 9092; + ExternalDomain = "auth.amarth.cloud"; ExternalPort = 443; ExternalSecure = true; + Metrics.Type = "otel"; + Tracing.Type = "otel"; + Telemetry.Enabled = true; + + SystemDefaults = { + PasswordHasher.Hasher.Algorithm = "argon2id"; + SecretHasher.Hasher.Algorithm = "argon2id"; + }; + + DefaultInstance = { + PasswordComplexityPolicy = { + MinLength = 20; + HasLowercase = false; + HasUppercase = false; + HasNumber = false; + HasSymbol = false; + }; + LoginPolicy = { + AllowRegister = false; + ForceMFA = true; + }; + LockoutPolicy = { + MaxPasswordAttempts = 5; + MaxOTPAttempts = 10; + }; + SMTPConfiguration = { + SMTP = { + Host = "black-mail.nl:587"; + User = "info@amarth.cloud"; + Password = "__TODO_USE_SOPS__"; + }; + FromName = "Amarth Zitadel"; + }; + }; + Database.postgres = { Host = "localhost"; # Zitadel will report error if port is not set diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 87882b6..bdabbd6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -23,7 +23,8 @@ in settings = { DEFAULT = { - APP_NAME = "Chris' Forge"; + APP_NAME = "Tamin Amarth"; + APP_SLOGAN = "Where code is forged"; }; server = { @@ -112,10 +113,12 @@ in mailer = { ENABLED = true; - SMTP_ADDR = "smpts://smtp.black-mail.nl"; + PROTOCOL = "smtp+starttls"; + SMTP_ADDR = "black-mail.nl"; + SMTP_PORT = 587; FROM = "info@amarth.cloud"; - USER = "amarth"; - PASSWD = "/var/lib/forgejo/custom/mail_password"; + USER = "info@amarth.cloud"; + PASSWD = "__TODO_USE_SOPS__"; }; }; }; From 9a37316d9e810de22bc69eaf31f8696b048d0ecc Mon Sep 17 00:00:00 2001 
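Review bot: `SMTPConfiguration.SMTP.Password = "__TODO_USE_SOPS__"` in the Zitadel hunk and `PASSWD = "__TODO_USE_SOPS__"` in the Forgejo mailer hunk ship a placeholder as the credential, so mail authentication will fail and the obvious next edit is to paste the real password into a file that ends up in the Nix store. Both modules have a file-based route that avoids this: for Zitadel, move the SMTP block into a secret file listed in `services.zitadel.extraSettingsPaths`; for Forgejo, use `secrets.mailer.PASSWD = "/run/secrets/forgejo-mail-password";` (placeholder path) instead of `settings.mailer.PASSWD`. The `DefaultInstance` values are, as far as I know, only applied when the first instance is created, so a comment saying that later changes to the password, login and lockout policies must be made in Zitadel itself would prevent a false sense that editing this file tightens them. Both enclosing `settings` blocks continue outside the hunks.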
From: Chris Kruining Date: Wed, 27 Aug 2025 15:24:12 +0200 Subject: [PATCH 027/251] add vaultwarden --- .../services/security/vaultwarden/default.nix | 80 ++++++++++++++++--- packages/vaultwarden/default.nix | 29 +++++++ systems/x86_64-linux/ulmo/default.nix | 2 + 3 files changed, 100 insertions(+), 11 deletions(-) create mode 100644 packages/vaultwarden/default.nix diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 6870606..0bb05f7 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,7 +1,7 @@ { pkgs, config, lib, namespace, ... }: let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.security.vaultwarden; in 
@@ -11,18 +11,76 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - vaultwarden - vaultwarden-postgresql + systemd.tmpfiles.rules = [ + "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; - services.vaultwarden = { - enable = true; - dbBackend = "postgresql"; + services = { + vaultwarden = { + enable = true; + dbBackend = "postgresql"; - config = { - SIGNUPS_ALLOWED = false; - DOMAIN = "https://passwords.kruining.eu"; + package = pkgs.${namespace}.vaultwarden; + + config = { + SIGNUPS_ALLOWED = false; + DOMAIN = "https://vault.kruining.eu"; + + ADMIN_TOKEN = ""; + + DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; + + WEB_VAULT_ENABLED = true; + + SSO_ENABLED = true; + SSO_ONLY = true; + SSO_PKCE = true; + SSO_AUTH_ONLY_NOT_SESSION = false; + SSO_ROLES_ENABLED = true; + SSO_ORGANIZATIONS_ENABLED = true; + SSO_ORGANIZATIONS_REVOCATION = true; + SSO_AUTHORITY = "https://auth.amarth.cloud/"; + SSO_SCOPES = "email profile offline_access"; + SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; + SSO_CLIENT_ID = "335178854421299459"; + SSO_CLIENT_SECRET = ""; + + ROCKET_ADDRESS = "::1"; + ROCKET_PORT = 8222; + ROCKET_LOG = "critical"; + + SMTP_HOST = "black-mail.nl"; + SMTP_PORT = 587; + SMTP_SECURITY = "starttls"; + SMTP_USERNAME = "info@amarth.cloud"; + SMTP_PASSWORD = ""; + SMTP_FROM = "info@amarth.cloud"; + SMTP_FROM_NAME = "Chris' Vaultwarden"; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ "vaultwarden" ]; + ensureUsers = [ + { + name = "vaultwarden"; + ensureDBOwnership = true; + } + ]; + }; + + caddy = { + enable = true; + virtualHosts = { + "vault.kruining.eu".extraConfig = '' + encode zstd gzip + + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { + header_up X-Real-IP {remote_host} + } + ''; + }; }; }; }; diff --git a/packages/vaultwarden/default.nix b/packages/vaultwarden/default.nix new file mode 100644 index 0000000..243288b 
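Review bot: `ADMIN_TOKEN`, `SSO_CLIENT_SECRET` and `SMTP_PASSWORD` are declared as empty strings inside `services.vaultwarden.config`, which is the wrong place for them once they get real values, because that attribute set is rendered into the Nix store. With `SSO_ONLY = true` and an empty client secret, login presumably cannot succeed until this is resolved. I would drop the three keys from `config` and supply them through `environmentFile = "/run/secrets/vaultwarden.env";` (placeholder path), with a comment listing which variables that file must define. `SSO_AUDIENCE_TRUSTED` looks like a regex; a comment stating which Zitadel project id it matches would let the next reviewer confirm it is as narrow as intended.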
--- /dev/null +++ b/packages/vaultwarden/default.nix @@ -0,0 +1,29 @@ +{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }: +rustPlatform.buildRustPackage rec { + pname = "vaultwarden"; + version = "1.34.3"; + + src = fetchFromGitHub { + owner = "Timshel"; + repo = "vaultwarden"; + rev = "1.34.3"; + hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0="; + }; + + cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE="; + + # used for "Server Installed" version in admin panel + env.VW_VERSION = version; + + nativeBuildInputs = [ pkg-config ]; + buildInputs = + [ openssl ] + ++ lib.optional (dbBackend == "postgresql") postgresql; + + buildFeatures = dbBackend; + + meta = with lib; { + license = licenses.agpl3Only; + mainProgram = "vaultwarden"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index e191367..9876768 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -23,6 +23,8 @@ loki.enable = true; promtail.enable = true; }; + + security.vaultwarden.enable = true; }; editor = { From 39253ca0803ba43f0ced8035a218da70c71093e2 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 31 Aug 2025 17:30:45 +0200 Subject: [PATCH 028/251] update deps --- flake.lock | 108 ++++++++++++++++++++++++++--------------------------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/flake.lock b/flake.lock index 27521bd..d422094 100644 --- a/flake.lock +++ b/flake.lock 
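Review bot: The password manager is now built from the `Timshel/vaultwarden` fork, and nothing in packages/vaultwarden/default.nix says why or how security releases are tracked. `hash` and `cargoHash` pin the content, so the tag in `rev` cannot change silently, but every bump becomes a manual step; a header comment such as `# SSO fork of vaultwarden (needed for the SSO_* options); check upstream security advisories when bumping version and hashes` would record that, assuming SSO is indeed the reason. `rev = "1.34.3";` could be `rev = version;` so the two cannot drift, and `meta` would benefit from `description` and `homepage`.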
@@ -73,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1755108317, - "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=", + "lastModified": 1756593129, + "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e", + "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd", "type": "github" }, "original": { @@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1755153894, - "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=", + "lastModified": 1756622179, + "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=", "owner": "nix-community", "repo": "fenix", - "rev": "f6874c6e512bc69d881d979a45379b988b80a338", + "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1755083788, - "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=", + "lastModified": 1756643456, + "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "523078b104590da5850a61dfe291650a6b49809c", + "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1755072091, - "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=", + "lastModified": 1756381920, + "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa", + "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7", "type": "github" }, "original": { 
@@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1754593854, - "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=", + "lastModified": 1756413980, + "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed", + "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a", "type": "github" }, "original": { @@ -452,11 +452,11 @@ ] }, "locked": { - "lastModified": 1755121891, - "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=", + "lastModified": 1756650373, + "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=", "owner": "nix-community", "repo": "home-manager", - "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426", + "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8", "type": "github" }, "original": { @@ -473,11 +473,11 @@ ] }, "locked": { - "lastModified": 1755151620, - "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=", + "lastModified": 1756638688, + "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "16e12d22754d97064867006acae6e16da7a142a6", + "rev": "e7b8679cba79f4167199f018b05c82169249f654", "type": "github" }, "original": { @@ -507,11 +507,11 @@ }, "mnw": { "locked": { - "lastModified": 1748710831, - "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=", + "lastModified": 1756580127, + "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=", "owner": "Gerg-L", "repo": "mnw", - "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d", + "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252", "type": "github" }, "original": { 
@@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1755137329, - "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=", + "lastModified": 1756518625, + "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "d9330bc35048238597880e89fb173799de9db5e9", + "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19", "type": "github" }, "original": { @@ -621,11 +621,11 @@ ] }, "locked": { - "lastModified": 1755171343, - "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=", + "lastModified": 1755261305, + "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e", + "rev": "203a7b463f307c60026136dd1191d9001c43457f", "type": "github" }, "original": { @@ -683,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1755061300, - "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=", + "lastModified": 1756578978, + "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5", + "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23", "type": "github" }, "original": { @@ -715,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1755178357, - "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=", + "lastModified": 1756653691, + "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4", + "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b", "type": "github" }, "original": { 
@@ -747,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1755027561, - "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", + "lastModified": 1756542300, + "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", + "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", "type": "github" }, "original": { @@ -763,11 +763,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1755049066, - "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=", + "lastModified": 1756536218, + "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a", + "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1", "type": "github" }, "original": { @@ -843,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1755115677, - "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=", + "lastModified": 1756646417, + "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=", "owner": "notashelf", "repo": "nvf", - "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe", + "rev": "939fb8cfc630190cd5607526f81693525e3d593b", "type": "github" }, "original": { @@ -866,11 +866,11 @@ ] }, "locked": { - "lastModified": 1754501628, - "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=", + "lastModified": 1756632588, + "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133", + "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", "type": "github" }, "original": { 
@@ -905,11 +905,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1755004716, - "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=", + "lastModified": 1756597274, + "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194", + "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30", "type": "github" }, "original": { @@ -978,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1755027820, - "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=", + "lastModified": 1755997543, + "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=", "owner": "nix-community", "repo": "stylix", - "rev": "c592717e9f713bbae5f718c784013d541346363d", + "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8", "type": "github" }, "original": { From 5ddcaf35f638be39ecf9ecf96b3304d98e65036d Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 10:32:38 +0200 Subject: [PATCH 029/251] fix zen --- flake.lock | 32 ++++++++++++++++++++---- flake.nix | 6 +++-- modules/home/application/zen/default.nix | 28 ++++++++++++++++++--- 3 files changed, 55 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index d422094..51907f8 100644 --- a/flake.lock +++ b/flake.lock @@ -465,6 +465,27 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "zen-browser", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1756842514, + "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "jovian": { "inputs": { "nix-github-actions": "nix-github-actions", 
@@ -1164,18 +1185,19 @@ }, "zen-browser": { "inputs": { + "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1727721329, - "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", - "owner": "MarceColl", + "lastModified": 1756876659, + "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=", + "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", + "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529", "type": "github" }, "original": { - "owner": "MarceColl", + "owner": "0xc000022070", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index d696f4b..0712e81 100644 --- a/flake.nix +++ b/flake.nix @@ -41,7 +41,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser.url = "github:MarceColl/zen-browser-flake"; + zen-browser.url = "github:0xc000022070/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -95,6 +95,7 @@ permittedInsecurePackages = [ "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" + "qtwebengine-5.15.19" ]; }; @@ -106,7 +107,8 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - plasma-manager.homeManagerModules.plasma-manager + zen-browser.homeModules.default + plasma-manager.homeModules.plasma-manager ]; }; } diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index ad4cb92..86fc3b6 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -10,8 +10,6 @@ in }; config = mkIf cfg.enable { - home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ]; - home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; 
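Review bot: Adding `"qtwebengine-5.15.19"` to `permittedInsecurePackages` in the `@@ -95,6 +95,7 @@` hunk of flake.nix allows a package that nixpkgs marks as insecure for every system and home built from this flake, and the hunk gives no reason. I would add a comment naming the package that pulls it in and the condition for removing the entry, e.g. `# needed by <package>; drop once it no longer depends on Qt 5 WebEngine`, and, if possible, scope the exception to the one host or home that needs it. The list starts outside the hunk.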
@@ -20,20 +18,42 @@ in policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; + + AppAutoUpdate = false; DisableAppUpdate = true; + ManualAppUpdateOnly = true; + DisableFeedbackCommands = true; DisableFirefoxStudies = true; DisablePocket = true; DisableTelemetry = true; - # DontCheckDefaultBrowser = false; + + DontCheckDefaultBrowser = false; NoDefaultBookmarks = true; - # OfferToSaveLogins = false; + OfferToSaveLogins = false; EnableTrackingProtection = { Value = true; Locked = true; Cryptomining = true; Fingerprinting = true; }; + + HttpAllowlist = [ + "http://ulmo" + ]; + }; + + policies.ExtensionSettings = let + mkExtension = id: { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi"; + installation_mode = "force_installed"; + }; + in + { + ublock_origin = 4531307; + ghostry = 4562168; + bitwarden = 4562769; + sponsorblock = 4541835; }; }; }; From a29b75753016bbe5132d8d00192337c954261348 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 15:12:30 +0200 Subject: [PATCH 030/251] restructure media services --- modules/nixos/services/media/default.nix | 137 +++++++++++++++-------- 1 file changed, 88 insertions(+), 49 deletions(-) diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index f76e4ae..bc41fb4 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix 
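Review bot: `policies.ExtensionSettings` maps names such as `ublock_origin` to bare numbers and never calls `mkExtension`, so as written no `install_url`/`installation_mode` object reaches the policy and none of the four add-ons is force-installed. Firefox's ExtensionSettings policy is keyed by the add-on ID (for uBlock Origin that is `uBlock0@raymondhill.net`), so the keys need changing as well as the values, e.g. `policies.ExtensionSettings = builtins.mapAttrs (_: mkExtension) { "uBlock0@raymondhill.net" = 4531307; … };`; whether the numeric id is accepted in the download URL should be checked. `ghostry` is presumably Ghostery. `HttpAllowlist = [ "http://ulmo" ]` exempts that host from HTTPS-only handling, and a comment saying why would be useful.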
@@ -66,38 +66,73 @@ in # Services #========================================================================= services = let - serviceConf = { + arrService = { + enable = true; + openFirewall = true; + + settings = { + auth.AuthenticationMethod = "External"; + + # postgres = { + # PostgresHost = "localhost"; + # PostgresPort = "5432"; + # PostgresUser = "media"; + # }; + }; + }; + + withPort = port: service: service // { settings.server.Port = builtins.toString port; }; + + withUserAndGroup = service: service // { + user = cfg.user; + group = cfg.group; + }; + in { + radarr = + arrService + |> withPort 2001 + |> withUserAndGroup; + + sonarr = + arrService + |> withPort 2002 + |> withUserAndGroup; + + lidarr = + arrService + |> withPort 2003 + |> withUserAndGroup; + + prowlarr = + arrService + |> withPort 2004; + + bazarr = { + enable = true; + openFirewall = true; + user = cfg.user; + group = cfg.group; + listenPort = 2005; + }; + + # port is harcoded in nixpkgs module + jellyfin = { enable = true; openFirewall = true; user = cfg.user; group = cfg.group; }; - in { - jellyfin = serviceConf; - radarr = serviceConf; - sonarr = serviceConf; - bazarr = serviceConf; - lidarr = serviceConf; flaresolverr = { enable = true; openFirewall = true; - }; - - jellyseerr = { - enable = true; - openFirewall = true; - }; - - prowlarr = { - enable = true; - openFirewall = true; + port = 2007; }; qbittorrent = { enable = true; openFirewall = true; - webuiPort = 5000; + webuiPort = 2008; serverConfig = { LegalNotice.Accepted = true; @@ -107,6 +142,7 @@ in group = cfg.group; }; + # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; 
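Review bot: `withPort` and `withUserAndGroup` merge with `//`, which is shallow, so `service // { settings.server.Port = … }` replaces the whole `settings` set and drops `auth.AuthenticationMethod = "External"` from `arrService`; `withPort = port: service: lib.recursiveUpdate service { settings.server.port = port; };` would keep both (key spelling and integer type to be checked against the module's option). Once that is fixed, `External` turns off the apps' own login while `openFirewall = true` publishes ports 2001–2004 directly, and the last hunk of this file removes the only `import auth` virtual host, so nothing visible here would authenticate those UIs. I would either set `openFirewall = false` and front them with an authenticating proxy, or leave the built-in authentication on. `harcoded` in the two new comments should read `hardcoded`.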
@@ -116,46 +152,49 @@ in group = cfg.group; }; + # postgresql = { + # enable = true; + # ensureDatabases = [ + # "radarr-main" "radarr-log" + # "sonarr-main" "sonarr-log" + # "lidarr-main" "lidarr-log" + # "prowlarr-main" "prowlarr-log" + # ]; + # identMap = '' + # media media radarr-main + # media media radarr-log + # media media sonarr-main + # media media sonarr-log + # media media lidarr-main + # media media lidarr-log + # media media prowlarr-main + # media media prowlarr-log + # ''; + # ensureUsers = [ + # { name = "radarr-main"; ensureDBOwnership = true; } + # { name = "radarr-log"; ensureDBOwnership = true; } + + # { name = "sonarr-main"; ensureDBOwnership = true; } + # { name = "sonarr-log"; ensureDBOwnership = true; } + + # { name = "lidarr-main"; ensureDBOwnership = true; } + # { name = "lidarr-log"; ensureDBOwnership = true; } + + # { name = "prowlarr-main"; ensureDBOwnership = true; } + # { name = "prowlarr-log"; ensureDBOwnership = true; } + # ]; + # }; + caddy = { enable = true; virtualHosts = { - "media.kruining.eu".extraConfig = '' - import auth - - reverse_proxy http://127.0.0.1:9494 - ''; "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://127.0.0.1:8096 + reverse_proxy http://[::1]:8096 ''; }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; - - ${namespace}.services.virtualisation.podman.enable = true; - - virtualisation = { - oci-containers = { - backend = "podman"; - - containers = { - # flaresolverr = { - # image = "flaresolverr/flaresolverr"; - # autoStart = true; - # ports = [ "127.0.0.1:8191:8191" ]; - # }; - - reiverr = { - image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; - autoStart = true; - ports = [ "127.0.0.1:9494:9494" ]; - volumes = [ "${cfg.path}/reiverr/config:/config" ]; - }; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 6969 ]; }; } From 77588062829c85f58e9cff7d383adc1fcd7b4b0b Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Wed, 3 Sep 2025 15:12:41 +0200 Subject: [PATCH 031/251] add homer dashboard --- .../nixos/services/media/homer/default.nix | 73 +++++++++++++++++++ systems/x86_64-linux/ulmo/default.nix | 1 + 2 files changed, 74 insertions(+) create mode 100644 modules/nixos/services/media/homer/default.nix diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix new file mode 100644 index 0000000..263af83 --- /dev/null +++ b/modules/nixos/services/media/homer/default.nix @@ -0,0 +1,73 @@ +{ config, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.homer; +in +{ + options.${namespace}.services.media.homer = { + enable = mkEnableOption "Enable homer"; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 2000 ]; + + services = { + homer = { + enable = true; + + virtualHost = { + caddy.enable = true; + domain = "http://:2000"; + }; + + settings = { + title = "Ulmo dashboard"; + + columns = 4; + connectivityCheck = true; + + links = [ + { + name = "Git"; + icon = "fab fa-forgejo"; + url = "https://git.amarth.cloud"; + + } + ]; + + services = [ + { + name = "Services"; + items = [ + { + name = "Zitadel"; + tag = "authentication"; + keywords = "auth"; + url = "https://auth.amarth.cloud"; + } + ]; + } + + { + name = "Media"; + items = [ + { + name = "Radarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + } + + { + name = "Sonarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + } + ]; + } + ]; + }; + }; + }; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 9876768..4108dc9 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
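Review bot: The Radarr and Sonarr links read `config.services.radarr.settings.server.port` (lower-case), while the media module in the previous commit sets `settings.server.Port` as a string, so these URLs probably resolve to the module default rather than 2001/2002; the two files should agree on one key. The dashboard itself is served over plain HTTP on `http://:2000` with `allowedTCPPorts = [ 2000 ]` and lists every internal service, so a comment stating that it is meant for the local network only, or binding it to an internal interface, would make that exposure a deliberate choice.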
@@ -15,6 +15,7 @@ networking.ssh.enable = true; media.enable = true; + media.homer.enable = true; media.nfs.enable = true; observability = { From 6379b5e2de250d8203750727ecb9fe7934bca62b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 16:45:20 +0200 Subject: [PATCH 032/251] improve zen config --- flake.nix | 4 +++- modules/home/application/zen/default.nix | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 0712e81..07479a7 100644 --- a/flake.nix +++ b/flake.nix @@ -93,8 +93,11 @@ channels-config = { allowUnfree = true; permittedInsecurePackages = [ + # Due to *arr stack "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" + + # I think this is because of zen "qtwebengine-5.15.19" ]; }; @@ -107,7 +110,6 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - zen-browser.homeModules.default plasma-manager.homeModules.plasma-manager ]; }; diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index 86fc3b6..4995216 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -5,6 +5,10 @@ let cfg = config.${namespace}.application.zen; in { + imports = [ + inputs.zen-browser.homeModules.default + ]; + options.${namespace}.application.zen = { enable = mkEnableOption "enable zen"; }; From 44e7a6fa0fd33ad37905a882149c9a39cdebf370 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 16:45:32 +0200 Subject: [PATCH 033/251] harden vaultwarden --- modules/nixos/services/security/vaultwarden/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 0bb05f7..db8e162 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix 
@@ -76,6 +76,12 @@ in "vault.kruining.eu".extraConfig = '' encode zstd gzip + handle_path /admin { + respond 401 { + close + } + } + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { header_up X-Real-IP {remote_host} } From 7c75cab11b86e33fd72f934bfffaa5bed864faa7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:24:27 +0200 Subject: [PATCH 034/251] improve podman config --- modules/nixos/services/virtualisation/podman/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix index 9b9dc89..0faf8ce 100644 --- a/modules/nixos/services/virtualisation/podman/default.nix +++ b/modules/nixos/services/virtualisation/podman/default.nix @@ -12,6 +12,7 @@ in config = mkIf cfg.enable { virtualisation = { containers.enable = true; + oci-containers.backend = "podman"; podman = { enable = true; From 6d7867b45c24ed8b41ae1061f318af673bb393e6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:24:43 +0200 Subject: [PATCH 035/251] update fogejo runner image --- modules/nixos/services/development/forgejo/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index bdabbd6..4b98b9c 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -136,10 +136,10 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://node:22-bullseye" + "default:docker://node:24-bookworm" ]; settings = { - + log.level = "info"; }; }; }; From a91afd3b0a90db865ced5116fab0ece99e1acd1f Mon Sep 17 00:00:00 2001 
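Review bot: The matcher in `handle_path /admin` is an exact path match in Caddy, so `/admin/` and anything below it still reaches the `reverse_proxy`; `handle /admin* {` covers the whole panel, and plain `handle` is enough because no prefix needs stripping. A comment above the block saying that the admin panel is intentionally unreachable through the public vhost would explain the rule to whoever later needs the panel. The `extraConfig` string starts outside the hunk.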
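Review bot: The runner's registration `token` on the context line above `labels` is a literal in the repository while the `tokenFile` line next to it is commented out; the token should be considered disclosed, regenerated in Forgejo and supplied via `tokenFile = "/run/secrets/forgejo-runner-token";` (placeholder path; the option expects, as far as I know, an environment file defining `TOKEN`). `docker://node:24-bookworm` is a mutable tag, so jobs run whatever that tag points to at pull time; pinning it by digest, `node:24-bookworm@sha256:<digest>`, makes the job environment reviewable. The runner instance block starts outside the hunk.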
From: Chris Kruining Date: Wed, 3 Sep 2025 17:44:01 +0200 Subject: [PATCH 036/251] expand homer --- .../nixos/services/media/homer/default.nix | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 263af83..c683e8b 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -52,6 +52,12 @@ in { name = "Media"; items = [ + { + name = "Jellyfin"; + tag = "app"; + url = "http://${config.networking.hostName}:8096"; + } + { name = "Radarr"; tag = "app"; @@ -63,6 +69,25 @@ in tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; } + + { + name = "Lidarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + } + + { + name = "qBitTorrent"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + } + + { + name = "SabNZB"; + tag = "app"; + url = "http://${config.networking.hostName}:8080"; + } + ]; } ]; From b8b8e015c5e601654fbd9075cf95ea429d8c5efd Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:44:19 +0200 Subject: [PATCH 037/251] add pipe-operator nix feature --- modules/nixos/nix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 7d1f069..14060bf 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix 
@@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes"; + extraOptions = "experimental-features = nix-command flakes pipe-operator"; settings = { - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operator" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; From fa81dbdcf6fdd19b634c25791de96125c67eb92c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:47:38 +0200 Subject: [PATCH 038/251] even more homer --- .../nixos/services/media/homer/default.nix | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index c683e8b..dd5e13b 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -42,10 +42,32 @@ in items = [ { name = "Zitadel"; - tag = "authentication"; - keywords = "auth"; + tag = "app"; url = "https://auth.amarth.cloud"; } + + { + name = "Forgejo"; + tag = "app"; + url = "https://git.amarth.cloud"; + } + + { + name = "Vaultwarden"; + tag = "app"; + url = "https://vault.kruining.eu"; + } + ]; + } + + { + name = "Observability"; + items = [ + { + name = "Grafana"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + } ]; } From 41a4fde9f21fd5b606f7a13628a60f462e7aeeec Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 10:08:59 +0200 Subject: [PATCH 039/251] first attempt to push an image --- .forgejo/workflows/runner-image.yml | 34 +++++++++++++++++++ .../development/forgejo/Dockerfile.default | 5 +++ .../services/development/forgejo/default.nix | 4 ++- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 .forgejo/workflows/runner-image.yml create mode 100644 modules/nixos/services/development/forgejo/Dockerfile.default diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml new file mode 100644 index 0000000..ed38be2 --- /dev/null +++ b/.forgejo/workflows/runner-image.yml @@ -0,0 +1,34 @@ +name: Test action + +on: + workflow_dispatch: + push: + branches: + - main + +env: + registry: git.amarth.cloud + owner: chris + image: default + tag: latest + +jobs: + hello: + name: Print hello world + runs-on: default + steps: + - name: Pull dependencies + run: >- + git clone https://${{ registry }}/${{ owner }}/sneeuwvlok.git + && cd sneeuwvlok + + - name: Log into registry + run: docker login ${{ registry }} + + - name: Build image + run: >- + docker build + -t ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + + - name: Push image + run: docker push ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default new file mode 100644 index 0000000..799cd67 --- /dev/null +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -0,0 +1,5 @@ +FROM nixos/nix:latest + +RUN nix-env -iA nixpkgs.nodejs_24 + +CMD ["/bin/bash"] \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 4b98b9c..d7f170e 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
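Review bot: `FROM nixos/nix:latest` and `RUN nix-env -iA nixpkgs.nodejs_24` in the new Dockerfile.default both resolve at build time to whatever upstream currently publishes, so the image that every CI job runs in is not reproducible and changes without a commit. Pin the base by digest, `FROM docker.io/nixos/nix@sha256:<digest-placeholder>`, and install Node from a pinned nixpkgs revision instead of the channel. The workflow in this commit also pushes the result under `tag: latest` only; adding a second, immutable tag (for example the commit id) would make it possible to tell which build a job ran on.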
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -91,6 +91,7 @@ in actions = { ENABLED = true; + # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; }; other = { @@ -136,7 +137,8 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://node:24-bookworm" + "default:docker://nixos/nix:latest" + "ubuntu:docker://ubuntu:24-bookworm" ]; settings = { log.level = "info"; From 9ed5cbded0902b9e7e4ca5d81ad7e82058b8d70e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:09:08 +0200 Subject: [PATCH 040/251] update homer --- .../nixos/services/media/homer/default.nix | 65 +++++++++++++++---- 1 file changed, 53 insertions(+), 12 deletions(-) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index dd5e13b..8fd0ac6 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -27,14 +27,7 @@ in columns = 4; connectivityCheck = true; - links = [ - { - name = "Git"; - icon = "fab fa-forgejo"; - url = "https://git.amarth.cloud"; - - } - ]; + links = []; services = [ { @@ -42,20 +35,28 @@ in items = [ { name = "Zitadel"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; tag = "app"; url = "https://auth.amarth.cloud"; + target = "_blank"; } { name = "Forgejo"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; tag = "app"; + type = "Gitea"; url = "https://git.amarth.cloud"; + target = "_blank"; } { name = "Vaultwarden"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; + type = "Vaultwarden"; tag = "app"; url = "https://vault.kruining.eu"; + target = "_blank"; } ]; } 
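Review bot: The added label `"ubuntu:docker://ubuntu:24-bookworm"` combines the Ubuntu image name with a Debian codename and probably does not resolve to a published tag, so a job with `runs-on: ubuntu` would fail at image pull; `ubuntu:24.04` looks like what was meant. The `default` label now points at `nixos/nix:latest`, a mutable tag, so the job environment changes whenever upstream republishes. A digest-pinned reference, or the image this repository builds itself, gives jobs a stable and reviewable base. The labels list belongs to a runner instance whose definition starts outside the hunk.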
@@ -65,8 +66,20 @@ in items = [ { name = "Grafana"; + type = "Grafana"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + target = "_blank"; + } + + { + name = "Prometheus"; + type = "Prometheus"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; + target = "_blank"; } ]; } 
@@ -75,41 +88,69 @@ in name = "Media"; items = [ { - name = "Jellyfin"; + name = "Jellyfin (Movies)"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; tag = "app"; + type = "Emby"; url = "http://${config.networking.hostName}:8096"; + apikey = "e3ceed943eeb409ba8342738db7cc1f5"; + libraryType = "movies"; + target = "_blank"; } { name = "Radarr"; + type = "Radarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + target = "_blank"; } { name = "Sonarr"; + type = "Sonarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + target = "_blank"; } { name = "Lidarr"; + type = "Lidarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + target = "_blank"; } { - name = "qBitTorrent"; + name = "Prowlarr"; + type = "Prowlarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; + target = "_blank"; + } + + { + name = "qBittorrent"; + type = "qBittorrent"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + target = "_blank"; } { - name = "SabNZB"; + name = "SABnzbd"; + type = "SABnzbd"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; tag = "app"; url = "http://${config.networking.hostName}:8080"; + target = "_blank"; } - ]; } ]; From 0b23548559a3dfb84ec54187421e7a77029b8728 Mon Sep 17 00:00:00 2001 
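Review bot: The Jellyfin entry adds `apikey = "…"` as a literal string. Homer is a static dashboard that reads its configuration in the browser, so, assuming this attribute set is rendered into Homer's config file, the key is delivered to every client that can load the page, besides being committed and written to the Nix store. Revoke that key, and either drop `type`, `apikey` and `libraryType` from the entry or put the dashboard behind authentication before enabling the smart card. The new `logo` URLs also make each visitor's browser fetch from cdn.jsdelivr.net; shipping the icons with the dashboard avoids that third-party request. The `items` list starts outside the hunk.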
From: Chris Kruining Date: Thu, 4 Sep 2025 10:11:59 +0200 Subject: [PATCH 041/251] whoopsie --- .forgejo/workflows/runner-image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index ed38be2..e41a197 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -19,16 +19,16 @@ jobs: steps: - name: Pull dependencies run: >- - git clone https://${{ registry }}/${{ owner }}/sneeuwvlok.git + git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git && cd sneeuwvlok - name: Log into registry - run: docker login ${{ registry }} + run: docker login ${{ env.registry }} - name: Build image run: >- docker build - -t ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image - run: docker push ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} \ No newline at end of file + run: docker push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 2b887f188c1a3fdecd429c79016c06fea64e0dcf Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:14:06 +0200 Subject: [PATCH 042/251] aaaaaiiii --- .forgejo/workflows/runner-image.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e41a197..879ec36 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -22,6 +22,12 @@ jobs: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git && cd sneeuwvlok + - name: Install docker + run: nix-env -iA nixos.podman + + - name: __DEBUG__ + run: which podman + - name: Log into registry run: docker login ${{ env.registry }} 
From 95f6b2b8d3d7c19ebbe8b264f5ea2e69ebfce743 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:14:44 +0200 Subject: [PATCH 043/251] nixpkgs instead???? --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 879ec36..a0a26ac 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: && cd sneeuwvlok - name: Install docker - run: nix-env -iA nixos.podman + run: nix-env -iA nixpkgs.podman - name: __DEBUG__ run: which podman From 863956c38b33a38c1fb9940cb4e58ae1b7576f8e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:17:08 +0200 Subject: [PATCH 044/251] oooooh, closer --- .forgejo/workflows/runner-image.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a0a26ac..33889dd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -28,13 +28,16 @@ jobs: - name: __DEBUG__ run: which podman + - name: __DEBUG__ + run: podman --version + - name: Log into registry - run: docker login ${{ env.registry }} + run: podman login ${{ env.registry }} - name: Build image run: >- - docker build + podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image - run: docker push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From e048ada01ff0dcd0bdd3a4041b819098089c1fbc Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 10:38:46 +0200 Subject: [PATCH 045/251] whoops --- modules/nixos/nix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 14060bf..3104ecd 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes pipe-operator"; + extraOptions = "experimental-features = nix-command flakes pipe-operators"; settings = { - experimental-features = [ "nix-command" "flakes" "pipe-operator" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; From 0d6fb5aab6b0ea7021ad9468ae06fa2d5746dc46 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:39:31 +0200 Subject: [PATCH 046/251] update default runner dockerfile --- modules/nixos/services/development/forgejo/Dockerfile.default | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index 799cd67..b252554 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,5 +1,6 @@ FROM nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 +RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf CMD ["/bin/bash"] \ No newline at end of file From fa0a4917a212227c95d63f38e29ec2be391150b5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:04:13 +0200 Subject: [PATCH 047/251] cool shizzle --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 33889dd..2603866 100644 
--- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -7,7 +7,7 @@ on: - main env: - registry: git.amarth.cloud + registry: ${{ forge.server_url }} owner: chris image: default tag: latest @@ -32,7 +32,7 @@ jobs: run: podman --version - name: Log into registry - run: podman login ${{ env.registry }} + run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- From 4762d4189e471f496cdeffbbb08533b7cd66d27b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:06:57 +0200 Subject: [PATCH 048/251] right. obviously... --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 2603866..3cc9a79 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -7,7 +7,7 @@ on: - main env: - registry: ${{ forge.server_url }} + registry: git.amarth.cloud owner: chris image: default tag: latest From da1a4d42eddc50d5c7b2a2599e8e251dde913cf9 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:07:58 +0200 Subject: [PATCH 049/251] woooot, more success!!! --- .forgejo/workflows/runner-image.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 3cc9a79..7a7e41d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -26,10 +26,7 @@ jobs: run: nix-env -iA nixpkgs.podman - name: __DEBUG__ - run: which podman - - - name: __DEBUG__ - run: podman --version + run: ls -al - name: Log into registry run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} From fdf1bc34e834fc9ee2808a51b8b0076537f44ab5 Mon Sep 17 00:00:00 2001 
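Review bot: `--password "${{ forge.token }}"` in the `Log into registry` step places the job token on the podman command line and in the rendered step script, where it is visible in the process list and relies on log masking to stay out of the output. Pass it through the step's `env:` and feed it on stdin instead: `printf '%s' "$REGISTRY_TOKEN" | podman login --username "$REGISTRY_USER" --password-stdin ${{ env.registry }}`, with `REGISTRY_TOKEN: ${{ forge.token }}` and `REGISTRY_USER: ${{ forge.actor }}` declared under `env:`. That also keeps the expression out of the shell text, so an unusual character in the value cannot change the command.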
From: Chris Kruining Date: Thu, 4 Sep 2025 11:11:06 +0200 Subject: [PATCH 050/251] . --- .forgejo/workflows/runner-image.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 7a7e41d..89427fd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -18,9 +18,10 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: >- + run: | git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - && cd sneeuwvlok + cd sneeuwvlok + ls -al - name: Install docker run: nix-env -iA nixpkgs.podman From 4a26a4ad11dd3f2fc367743eaa41739237a7b846 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:13:15 +0200 Subject: [PATCH 051/251] . --- .forgejo/workflows/runner-image.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 89427fd..a70dd09 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -18,24 +18,18 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: | - git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - cd sneeuwvlok - ls -al + run: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - name: Install docker run: nix-env -iA nixpkgs.podman - - name: __DEBUG__ - run: ls -al - - name: Log into registry run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} sneeuwvlok/modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 8b07f55593f09c526bbbd58b0ff9756b2d491228 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:14:41 +0200 Subject: [PATCH 052/251] . --- .forgejo/workflows/runner-image.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a70dd09..526550f 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -18,7 +18,10 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git + run: | + ls -al + git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + ls -al - name: Install docker run: nix-env -iA nixpkgs.podman 
@@ -29,7 +32,7 @@ jobs: - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} sneeuwvlok/modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From b3a9ea605761f5cd53fea1afd3468d92c1ec8e2f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:19:43 +0200 Subject: [PATCH 053/251] . --- .forgejo/workflows/runner-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 526550f..b09ac1d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -21,6 +21,7 @@ jobs: run: | ls -al git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + echo "$PWD" ls -al - name: Install docker From f9328cd72eeaf57fc229693c6d535c3eee04919f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:22:59 +0200 Subject: [PATCH 054/251] I am an idiot, as proven once more... --- .forgejo/workflows/runner-image.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index b09ac1d..c07ca95 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -19,21 +19,23 @@ jobs: steps: - name: Pull dependencies run: | - ls -al git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . - echo "$PWD" - ls -al - name: Install docker - run: nix-env -iA nixpkgs.podman + run: | + nix-env -iA nixpkgs.podman - name: Log into registry - run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} + run: | + podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} + -f Dockerfile.default + modules/nixos/services/development/forgejo - name: Push image - run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + run: | + podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 4d4f4e67e032139115d43ef07f6e71be2572242e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:23:50 +0200 Subject: [PATCH 055/251] add registry? --- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index b252554..ce4bbac 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,4 +1,4 @@ -FROM nixos/nix:latest +FROM docker.io/nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf From a42446985c2eafa3b8ef92f5a1344d20652535e4 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 12:02:40 +0200 Subject: [PATCH 056/251] another attempt --- .forgejo/workflows/runner-image.yml | 3 +++ modules/nixos/services/development/forgejo/Dockerfile.default | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index c07ca95..285c5ac 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,6 +24,7 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman + echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json - name: Log into registry run: | @@ -35,6 +36,8 @@ jobs: -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo + env: + DOCKER_BUILDKIT: 1 - name: Push image run: | diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index ce4bbac..d26212c 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,6 +1,8 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman + RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf +RUN echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json CMD ["/bin/bash"] \ No newline at end of file From 68f662038399e6c74d38029411ef4dfc3990cfd7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:03:26 +0200 Subject: [PATCH 057/251] right --- .forgejo/workflows/runner-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 285c5ac..f0b89ee 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
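Review bot: The added `RUN echo '…' >> /etc/containers/policy.json` appends: if the base image or the podman package already ships that file the result is two JSON documents in one file, and if `/etc/containers` does not exist the build step fails. Create the directory and overwrite instead, `RUN mkdir -p /etc/containers && echo '…' > /etc/containers/policy.json`. With `insecureAcceptAnything` as the default, no image signature is ever checked inside runner jobs; a comment stating that this is deliberate, with a TODO to narrow it to the registries actually used, would help the next reader. `DOCKER_BUILDKIT: 1` in the workflow hunk of this commit is a Docker setting and is, as far as I know, ignored by `podman build`.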
@@ -24,6 +24,7 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman + mkdir -p /etc/containers echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json - name: Log into registry From 9ea18b18d554d102c95480fbc334a35697e3985c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:04:28 +0200 Subject: [PATCH 058/251] . --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f0b89ee..361f842 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,8 +24,8 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman - mkdir -p /etc/containers - echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json + mkdir -p ~/.config/containers + echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - name: Log into registry run: | From efd98d4b44e44316c64773dd65ea15070ae85a34 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:05:12 +0200 Subject: [PATCH 059/251] gotta love the typos... --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 361f842..f37b598 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -25,7 +25,7 @@ jobs: run: | nix-env -iA nixpkgs.podman mkdir -p ~/.config/containers - echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - name: Log into registry run: | 
diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d26212c..d9ff5f8 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -3,6 +3,6 @@ FROM docker.io/nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf -RUN echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json +RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json CMD ["/bin/bash"] \ No newline at end of file From 55d5ea483940d8e81c8dda9185e3cd6915a50597 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:08:38 +0200 Subject: [PATCH 060/251] is it a missing dep???? --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f37b598..5ce46d8 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: - name: Install docker run: | - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.libfuse mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d9ff5f8..15a65a4 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default 
@@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.libfuse RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From 833f4ce5e692d60be619b3d745ab8983b8d9da9c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:09:44 +0200 Subject: [PATCH 061/251] just fuse, got it --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 5ce46d8..8893fd5 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: - name: Install docker run: | - nix-env -iA nixpkgs.podman nixpkgs.libfuse + nix-env -iA nixpkgs.podman nixpkgs.fuse mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index 15a65a4..d632617 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.libfuse +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.fuse RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From 25ae5ea1accd0f79c19e561bac3ac981c006f694 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 13:09:31 +0200 Subject: [PATCH 062/251] next round --- .forgejo/workflows/runner-image.yml | 18 ++++++++++++++++-- .../development/forgejo/Dockerfile.default | 2 +- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 8893fd5..1490afa 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -21,11 +21,24 @@ jobs: run: | git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . - - name: Install docker + - name: Prepare podman run: | - nix-env -iA nixpkgs.podman nixpkgs.fuse + # configure container policy to accept insecure registry + nix-env -iA nixpkgs.podman + + # configure container policy to accept insecure registry mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + + # ensure all required directories exist with proper permissions + mkdir -p /tmp/podman /var/tmp ~/.local/share/containers + chmod 755 /tmp/podman /var/tmp || true + + # set multiple environment variables for skopeo temporary directories + export TMPDIR=/tmp/podman + export TMP=/tmp/podman + export TEMP=/tmp/podman + export XDG_RUNTIME_DIR=/tmp/podman - name: Log into registry run: | @@ -34,6 +47,7 @@ jobs: - name: Build image run: >- podman build + --privileged -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d632617..d9ff5f8 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default 
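Review bot: The `export TMPDIR=…`, `TMP`, `TEMP` and `XDG_RUNTIME_DIR` lines at the end of the `Prepare podman` step only affect that step's shell; each `run:` step starts a new one, so the login, build and push steps never see them. Declare them in the job-level `env:` block instead, and use a private directory (`chmod 700`) for `XDG_RUNTIME_DIR`, because podman keeps runtime state, including the registry login file, under it and `/tmp/podman` is created with mode 755. The comment above `nix-env -iA nixpkgs.podman` is a copy of the policy comment and should read `# install podman`; `insecureAcceptAnything` is about signature policy, not about insecure registries, so the second comment should say `# accept unsigned images`. `--privileged` in the `Build image` hunk is, as far as I know, not a `podman build` option.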
@@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.fuse +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From b2cb74657ef0f1addb520f6bda09997b138a92b6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:11:35 +0200 Subject: [PATCH 063/251] ahhh shit, here we go again --- .forgejo/workflows/runner-image.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1490afa..e24ef25 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -46,8 +46,7 @@ jobs: - name: Build image run: >- - podman build - --privileged + sudo podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo From c7f3ed7cd667ea96ca7b78e5d99a8378d7e75ca0 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:21:05 +0200 Subject: [PATCH 064/251] . --- .forgejo/workflows/runner-image.yml | 4 +- .../nixos/services/development/forgejo/temp | 80 +++++++++++++++++++ 2 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 modules/nixos/services/development/forgejo/temp diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e24ef25..4b94a2f 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -40,13 +40,15 @@ jobs: export TEMP=/tmp/podman export XDG_RUNTIME_DIR=/tmp/podman + modprobe fuse + - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- - sudo podman build + podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo diff --git a/modules/nixos/services/development/forgejo/temp b/modules/nixos/services/development/forgejo/temp new file mode 100644 index 0000000..33a7313 --- /dev/null +++ b/modules/nixos/services/development/forgejo/temp 
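Review bot: `modprobe fuse` in the `Prepare podman` step makes the workflow depend on the job being allowed to load kernel modules on the runner host, which is more privilege than an image build should need. `kmod` is also not among the packages the `nix-env` line installs at this point. Load the module in the host's NixOS configuration (`boot.kernelModules = [ "fuse" ];`) and expose only `/dev/fuse` to the runner container. If the line stays, guard it as `[ -e /dev/fuse ] || modprobe fuse` so it is a no-op where the device already exists.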
@@ -0,0 +1,80 @@ +Error: mounting new container: + mounting build container "a1c1da9d2422b5d6571a79559039f60ba8771e4a05b9b2f8cae814a8f64bb8e3": + creating overlay mount to /var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/merged, + mount_data=" + lowerdir=/var/lib/containers/storage/overlay/l/XSOABRIRTTFZPQI37OU77T3XP6 + :/var/lib/containers/storage/overlay/l/F3M2D6K25OPTUC4ID73P2NIJ3A + :/var/lib/containers/storage/overlay/l/Q53OUMURARX52AYNVQGFGNVUMQ + :/var/lib/containers/storage/overlay/l/NHNXRY3S7TPPYSGNG6BFA7756K + :/var/lib/containers/storage/overlay/l/XWANZP5SNP5QFXQ7RPR2SN3GND + :/var/lib/containers/storage/overlay/l/QUS3NWAGIVW5KOT7EBHCH2THSP + :/var/lib/containers/storage/overlay/l/P24JFYKBFJWRZF4QCI65JNYDSH + :/var/lib/containers/storage/overlay/l/5U53LA6AULMQOF5JAVLNDQMETC + :/var/lib/containers/storage/overlay/l/SWCKHLKQYKOUWBHWGJ5VPBJ7RH + :/var/lib/containers/storage/overlay/l/KLPPEZB6CRL3I6R6LBCJWMKWPC + :/var/lib/containers/storage/overlay/l/RAI54LOZXCFNWNF54D5YLSZJZO + :/var/lib/containers/storage/overlay/l/NLXXIPBMH7EAMNSOZBGBYXWGV5 + :/var/lib/containers/storage/overlay/l/HP5E2J4HRMO6XYJANMEB4KT7F5 + :/var/lib/containers/storage/overlay/l/JZ3QIR7Y7HTWYCCZRNFZCMQSHH + :/var/lib/containers/storage/overlay/l/IYGILU3HMTXZLIKNELEPBOZXWS + :/var/lib/containers/storage/overlay/l/K52NCFVUIEMQALGI4CTKSORFQ6 + :/var/lib/containers/storage/overlay/l/DM5R63KXPSUHMGXMXGHV2Z7L6O + :/var/lib/containers/storage/overlay/l/3BJ5A4CHITM36J3WL7DUJN7HI5 + :/var/lib/containers/storage/overlay/l/3KY56KPCGUTAOCABRQOPB5E7KI + :/var/lib/containers/storage/overlay/l/4ISDZ7Y23WWZAZ6TISWAVXAKTA + :/var/lib/containers/storage/overlay/l/7WFY6347EYETD2DSHOWWGORMY7 + :/var/lib/containers/storage/overlay/l/RBDQUQQAQ4M3DNDP7JQDSTFPDC + :/var/lib/containers/storage/overlay/l/CZPS35AEHSSOCX2SETGG5RWAWK + :/var/lib/containers/storage/overlay/l/VTV4IYIPIMV7HUVW3YUCEZGVIF + 
:/var/lib/containers/storage/overlay/l/LOGNN4O7UYRJDINC3EU6MCK2JQ + :/var/lib/containers/storage/overlay/l/XCTPWOKP4A3NITB5YJEGDOYP53 + :/var/lib/containers/storage/overlay/l/57WPQF43V53AQIH5AJAFS2ZJLN + :/var/lib/containers/storage/overlay/l/BURD55A3XF6AHWWN5NFYVKHLFR + :/var/lib/containers/storage/overlay/l/SJBWDEB4R6KHHUWYVWHVFXZUML + :/var/lib/containers/storage/overlay/l/EFH5DWZ6VD7XHRBJI3MSGCSL5C + :/var/lib/containers/storage/overlay/l/LNJD656RHN73JQIOG5QP72XH6D + :/var/lib/containers/storage/overlay/l/BYKGR5QA32CNM3PNW7OJZGL7PI + :/var/lib/containers/storage/overlay/l/KEBZ34OPOPZSF56MMUIYJC62VQ + :/var/lib/containers/storage/overlay/l/AXUJ2DTXCFUNLLHVBNZT7HOOHV + :/var/lib/containers/storage/overlay/l/W2GQPDXQWNE4PJ2FK242CNBP3G + :/var/lib/containers/storage/overlay/l/HSHTMFX2BNZ6MN3YKZNP5GACK3 + :/var/lib/containers/storage/overlay/l/5EV6E33HXQTMDYA55D2KVDQN6O + :/var/lib/containers/storage/overlay/l/5YXUGLZ3U5V2GABHAGMOQQLZYD + :/var/lib/containers/storage/overlay/l/WNM6BFUABXRYMF3QXGOWIMSFGS + :/var/lib/containers/storage/overlay/l/EM6L4BR3WMU427KN3WHNXLPXLK + :/var/lib/containers/storage/overlay/l/WKG62FRJYJHG4PIYLUWPOIGIFR + :/var/lib/containers/storage/overlay/l/EIT5DRSEKJFGSXHNDISGIBHEET + :/var/lib/containers/storage/overlay/l/PW2HEYGQKHNXSSQFCTQ3RTW3RU + :/var/lib/containers/storage/overlay/l/LYCJF4GBFFSP5MCC6TGBDGWXLY + :/var/lib/containers/storage/overlay/l/3YXKKFLTDRPWC6Y3VW3A5HCHPC + :/var/lib/containers/storage/overlay/l/RJTCZEVFZ4GZ4WT36ZHWVQPHBE + :/var/lib/containers/storage/overlay/l/AT3GLGCW22SPL4FDEMUHM7SEC3 + :/var/lib/containers/storage/overlay/l/VPT2VRWXG6F5UOROWNVZJUYIXS + :/var/lib/containers/storage/overlay/l/IHIXWAURUCUAYZEWBQU6N37UL5 + :/var/lib/containers/storage/overlay/l/IGMNOUI3RRH3KFAOSHZUJJAYA6 + :/var/lib/containers/storage/overlay/l/KQTWTENKAQ7WIMPQO5HY4SQKSL + :/var/lib/containers/storage/overlay/l/7GQIS3UWTUQESKJI6NQ5A63FMB + :/var/lib/containers/storage/overlay/l/MXGQVTYACLV4M7PRZRGGXNOLCY + 
:/var/lib/containers/storage/overlay/l/6T6MXUMJ74EIDYDFZJU6642WDR + :/var/lib/containers/storage/overlay/l/QG53GGUJAUZLLCRGHLDVNBIG5M + :/var/lib/containers/storage/overlay/l/CWKPW6SM2HIEROK4XOFGURSEYZ + :/var/lib/containers/storage/overlay/l/EFAHS5T2ZS5ZVCY4WGZ4WW45WC + :/var/lib/containers/storage/overlay/l/CRT42BUU43KSCBUDTOB55WVML2 + :/var/lib/containers/storage/overlay/l/KA53IG4NUWMJM5GBFUKDSUP7WM + :/var/lib/containers/storage/overlay/l/DELTO3DZAGCCUKFOKYU5POUVO5 + :/var/lib/containers/storage/overlay/l/KM7KLUMSMCIUGMOUZHCCJVNY3S + :/var/lib/containers/storage/overlay/l/IAXMV7ZFALQU4XFQFLLXXUKBX7 + :/var/lib/containers/storage/overlay/l/6VVTPVXHDYPHOT42CWJXOL6SMB + :/var/lib/containers/storage/overlay/l/OHO5IA7AJ2EOGAFUPT3MPJMZSY + :/var/lib/containers/storage/overlay/l/Q3ZXKGFN6Q2APXQKRXMNE6YR4M + :/var/lib/containers/storage/overlay/l/FSGYM4J5NR6AY3LUWZ2WTBQG3N + :/var/lib/containers/storage/overlay/l/M44HLHAQGLWFYVTS4J55CDEDLY + :/var/lib/containers/storage/overlay/l/36CIGRUHNNFDCBWSEN3KXUQAZR + :/var/lib/containers/storage/overlay/l/5QE5JTSJB23BDSXCGYPXTTJUSS + :/var/lib/containers/storage/overlay/l/DREIPLSBGAK4XBL57M3NJAT5XA, + upperdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/diff, + workdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/work, + volatile": using mount program /nix/store/mr0jx11v1z2sfjlndisw7v3jrk57x7l3-fuse-overlayfs-1.14/bin/fuse-overlayfs: unknown argument ignored: lazytime + +fuse: device not found, try 'modprobe fuse' first +fuse-overlayfs: cannot mount: No such file or directory \ No newline at end of file From 7d7c3aa53ada12f5155337aa0339b2a3ccc60c3b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:22:43 +0200 Subject: [PATCH 065/251] . --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
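Review bot: `modules/nixos/services/development/forgejo/temp` is a pasted build error rather than a module file: 80 lines of overlay mount paths, a container id and a Nix store path from the runner. Captured logs belong in the commit message or an issue, and keeping them in the tree publishes details of the build host's storage layout. Remove the file from the commit. Its last two lines (`fuse: device not found, try 'modprobe fuse' first`) are the only part needed to explain the `modprobe fuse` change.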
diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 4b94a2f..8979d94 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.u-root-cmds # configure container policy to accept insecure registry mkdir -p ~/.config/containers From 33f9a7fbd8c741a331ddb122039e9d61c88c5482 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:24:37 +0200 Subject: [PATCH 066/251] fix package conflict? --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 8979d94..61200dd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.u-root-cmds + nix-env -iA nixpkgs.podman nixpkgs.kmod # configure container policy to accept insecure registry mkdir -p ~/.config/containers From b8e43fedba72b129d8d94b535a13abea7f63f0cc Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:47:02 +0200 Subject: [PATCH 067/251] lets try another avenue... --- .forgejo/workflows/runner-image.yml | 32 +++++++------------ .../development/forgejo/Dockerfile.default | 8 ----- .../development/forgejo/runners/default.nix | 11 +++++++ 3 files changed, 23 insertions(+), 28 deletions(-) delete mode 100644 modules/nixos/services/development/forgejo/Dockerfile.default create mode 100644 modules/nixos/services/development/forgejo/runners/default.nix diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 61200dd..47737cc 100644 --- a/.forgejo/workflows/runner-image.yml 
+++ b/.forgejo/workflows/runner-image.yml @@ -24,36 +24,28 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.kmod + nix-env -iA nixpkgs.podman # configure container policy to accept insecure registry mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - # ensure all required directories exist with proper permissions - mkdir -p /tmp/podman /var/tmp ~/.local/share/containers - chmod 755 /tmp/podman /var/tmp || true - - # set multiple environment variables for skopeo temporary directories - export TMPDIR=/tmp/podman - export TMP=/tmp/podman - export TEMP=/tmp/podman - export XDG_RUNTIME_DIR=/tmp/podman - - modprobe fuse - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image - run: >- - podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} - -f Dockerfile.default - modules/nixos/services/development/forgejo - env: - DOCKER_BUILDKIT: 1 + run: nix-build modules/nixos/services/development/forgejo/runners/default.nix + # run: >- + # podman build + # -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} + # -f Dockerfile.default + # modules/nixos/services/development/forgejo + + - name: __DEBUG__ + run: | + ls -al result + podman load < result - name: Push image run: | diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default deleted file mode 100644 index d9ff5f8..0000000 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ /dev/null 
@@ -1,8 +0,0 @@ -FROM docker.io/nixos/nix:latest - -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman - -RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf -RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json - -CMD ["/bin/bash"] \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix new file mode 100644 index 0000000..af44418 --- /dev/null +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -0,0 +1,11 @@ +{ + pkgs ? import {}, + pkgs_linux ? import { system = "x86_64-linux"; }, +}: + +pkgs.dockerTools.buildImage { + name = "default"; + config = { + Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; + }; +} \ No newline at end of file From d917f93a9f1242b0beb308e3de6724b13b74bae5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:55:13 +0200 Subject: [PATCH 068/251] finally some more success????? --- .forgejo/workflows/runner-image.yml | 4 ++-- .../nixos/services/development/forgejo/runners/default.nix | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 47737cc..2a4311a 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -45,8 +45,8 @@ jobs: - name: __DEBUG__ run: | ls -al result - podman load < result - name: Push image run: | - podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + podman load < result + podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index af44418..8b9355e 100644 
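Review bot: `default.nix` takes its package set from whatever nixpkgs the runner's channel or `NIX_PATH` resolves to, so the runner image is not built from the revision pinned in the repository's `flake.lock`. The import path looks lost in this rendering and is presumably `<nixpkgs>`. For an image that will later execute CI jobs holding registry tokens, build it from the locked input instead, for example by exposing it as a flake package output. `pkgs_linux` is used only for the `Cmd` path while `dockerTools.buildImage` comes from `pkgs`, so a comment such as `# pkgs: build-host tools; pkgs_linux: what goes inside the image` would make the split clear.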
--- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -5,6 +5,8 @@ pkgs.dockerTools.buildImage { name = "default"; + tag = "latest"; + config = { Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; }; From 9c048aca0577b00324270433a1f5a777e0d27d48 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:56:16 +0200 Subject: [PATCH 069/251] hmmmm --- .forgejo/workflows/runner-image.yml | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 2a4311a..507e2a1 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,23 +30,11 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - name: Log into registry - run: | - podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - - name: Build image run: nix-build modules/nixos/services/development/forgejo/runners/default.nix - # run: >- - # podman build - # -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} - # -f Dockerfile.default - # modules/nixos/services/development/forgejo - - - name: __DEBUG__ - run: | - ls -al result - name: Push image run: | + podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} podman load < result podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From e4843997ea7fe2aa07bcb8b70609eeb8e3ad4ff7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:58:51 +0200 Subject: [PATCH 070/251] add credentials, but then why do I need to log in???? --- .forgejo/workflows/runner-image.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) 
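Review bot: `podman login --username "${{ forge.actor }}" --password "${{ forge.token }}"` in the `Push image` step interpolates the token into the script text and passes it as a command-line argument, where it is visible in the process list and in any shell trace. Pass it through the environment and stdin instead: add `env: FORGE_TOKEN: ${{ forge.token }}` to the step and run `printf '%s' "$FORGE_TOKEN" | podman login --username "${{ forge.actor }}" --password-stdin ${{ env.registry }}`. The `--creds="${{ forge.actor }}:${{ forge.token }}"` argument added to `podman push` in the following commit has the same exposure and is redundant once the login has written an auth file.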
diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 507e2a1..a72601d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,11 +30,18 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - name: Build image - run: nix-build modules/nixos/services/development/forgejo/runners/default.nix - - - name: Push image + - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} + + - name: Create image + run: | + nix-build modules/nixos/services/development/forgejo/runners/default.nix podman load < result - podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + + - name: Push image + run: >- + podman push + --creds="${{ forge.actor }}:${{ forge.token }}" + localhost/default:latest + ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 716342d556fb524b0998aa11aeebf9cc86ae8725 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:02:34 +0200 Subject: [PATCH 071/251] . --- .forgejo/workflows/runner-image.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a72601d..1694cd8 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -39,6 +39,11 @@ jobs: nix-build modules/nixos/services/development/forgejo/runners/default.nix podman load < result + - name: __DEBUG__ + run: | + cat ${XDG_RUNTIME_DIR}/containers/auth.json + cat ~/.docker/config.json + - name: Push image run: >- podman push From b158df262e8e53f99585e210ef43c2a9b1315260 Mon Sep 17 00:00:00 2001 
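Review bot: The `__DEBUG__` step prints `${XDG_RUNTIME_DIR}/containers/auth.json` and `~/.docker/config.json` to the job log, and those files hold the registry credential as a base64 `auth` value, which log masking of the raw token will most likely not catch. Anyone who can read the run log can decode that value and reuse the token while it is valid. To see which auth file podman picked up, print only its presence, e.g. `[ -r "$f" ] && echo "found $f"`, and drop the step before merging. The same `cat` lines are kept in the later `__DEBUG__` hunks of this series (`@@ -55,11 +55,12 @@` and `@@ -53,7 +53,10 @@`).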
From: Chris Kruining Date: Thu, 4 Sep 2025 14:07:06 +0200 Subject: [PATCH 072/251] ugh --- .forgejo/workflows/runner-image.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1694cd8..3aaa967 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,6 +30,18 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + # Create authentication file for podman + mkdir -p ~/.docker + cat > ~/.docker/config.json <- From 09a5df6253e3dd5556800388e34f64b9ae234ba3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:53:50 +0200 Subject: [PATCH 073/251] fix? --- .forgejo/workflows/runner-image.yml | 1 + .../development/forgejo/runners/default.nix | 28 +++++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 3aaa967..724b8f1 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -59,6 +59,7 @@ jobs: - name: Push image run: >- podman push + --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json& --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 8b9355e..1308408 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -3,11 +3,35 @@ pkgs_linux ? import { system = "x86_64-linux"; }, }: -pkgs.dockerTools.buildImage { +with pkgs; +dockerTools.buildImage { name = "default"; tag = "latest"; + contents = [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + + runAsRoot = '' + #!${stdenv.shell} + ${dockerTools.shadowSetup} + groupadd -r runner + useradd -r -g runner -d /data -M runner + mkdir /data + chown runner:runner /data + ''; + config = { - Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; + # User = "root"; + Cmd = [ "${lib.getExe bashInteractive}" ]; + WorkingDir = "/data"; + Volumes = { + "/data" = {}; + }; }; } \ No newline at end of file From 101bf129093e46ff49651c5fa96b7f716c16ebd4 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:55:37 +0200 Subject: [PATCH 074/251] fix warning --- .../development/forgejo/runners/default.nix | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 1308408..4dcdbc6 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -8,14 +8,18 @@ dockerTools.buildImage { name = "default"; tag = "latest"; - contents = [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; + copyToRoot = buildEnv { + name = "image-root"; + pathsToLink = [ "/bin" ]; + paths = [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + }; runAsRoot = '' #!${stdenv.shell} From 40cd9d3745c9f1c101ec21543d4a22735cacfba1 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:56:44 +0200 Subject: [PATCH 075/251] is it podman that needs the kvm? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 4dcdbc6..f2faae5 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -17,7 +17,7 @@ dockerTools.buildImage { bash nix nodejs - podman + # podman ]; }; From 22333b143bb4b70de6d5994287e455e29e564887 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:58:31 +0200 Subject: [PATCH 076/251] hmmmmm --- .../services/development/forgejo/runners/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index f2faae5..5046b4d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -13,10 +13,10 @@ dockerTools.buildImage { pathsToLink = [ "/bin" ]; paths = [ coreutils - u-root-cmds + # u-root-cmds bash - nix - nodejs + # nix + # nodejs # podman ]; }; @@ -31,7 +31,7 @@ dockerTools.buildImage { ''; config = { - # User = "root"; + User = "runner"; Cmd = [ "${lib.getExe bashInteractive}" ]; WorkingDir = "/data"; Volumes = { From e0002d7254399adc5a47872c7137f4247069d571 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:00:37 +0200 Subject: [PATCH 077/251] shadowSetup than??? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 5046b4d..dd71c4e 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -23,7 +23,7 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} - ${dockerTools.shadowSetup} + # ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From 2653f3fc93108a67dc9802f4fcc39321be79327c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:05:40 +0200 Subject: [PATCH 078/251] sooooo lost right now.... --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 724b8f1..31bb238 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.kvmtool # configure container policy to accept insecure registry mkdir -p ~/.config/containers From e0c37a10a59f4527d576f78222863560412f8d1e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:08:48 +0200 Subject: [PATCH 079/251] another attempt --- .../services/development/forgejo/runners/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index dd71c4e..2db69fc 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -4,9 +4,16 @@ }: with pkgs; +let + debian = dockerTools.pullImage { + imageName = "debian"; + sha256 = "1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + }; +in dockerTools.buildImage { name = "default"; tag = "latest"; + # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; 
@@ -23,7 +30,6 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} - # ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From 61505943f95d21b76f091bd175c090091c81236f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:09:34 +0200 Subject: [PATCH 080/251] add base image --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 2db69fc..74660aa 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -13,7 +13,7 @@ in dockerTools.buildImage { name = "default"; tag = "latest"; - # fromImage = debian; + fromImage = debian; copyToRoot = buildEnv { name = "image-root"; From 66e400e7c0d3753af0dc5fd205c5d72699c4b036 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:11:32 +0200 Subject: [PATCH 081/251] uuuuuugh --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 74660aa..718e168 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -7,7 +7,7 @@ with pkgs; let debian = dockerTools.pullImage { imageName = "debian"; - sha256 = "1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; }; in dockerTools.buildImage { From 898cb6c5129fff1c0bf896c6d31abd19560a6294 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:17:49 +0200 Subject: [PATCH 082/251] local builds again --- modules/nixos/services/development/forgejo/runners/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 718e168..f959621 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -8,6 +8,8 @@ let debian = dockerTools.pullImage { imageName = "debian"; imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + # hash = lib.fakeSha256; + sha256 = "sha256-GDxa0yegZDaagKfl3tS6prhQI0ECXduWrdPgr8uLClU="; }; in dockerTools.buildImage { @@ -30,6 +32,7 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} + ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From a39cb0cf532863c9915b07e5d7851b48e78ca790 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:19:14 +0200 Subject: [PATCH 083/251] ? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index f959621..5862f12 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -15,7 +15,7 @@ in dockerTools.buildImage { name = "default"; tag = "latest"; - fromImage = debian; + # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; From 3d02de9c6c7035b745939fd2e3ff5ab271defbe5 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:20:38 +0200 Subject: [PATCH 084/251] I really don't get it anymore... --- .../development/forgejo/runners/default.nix | 35 +++++++------------ 1 file changed, 13 insertions(+), 22 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 5862f12..2f0332d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -3,41 +3,32 @@ pkgs_linux ? import { system = "x86_64-linux"; }, }: -with pkgs; -let - debian = dockerTools.pullImage { - imageName = "debian"; - imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; - # hash = lib.fakeSha256; - sha256 = "sha256-GDxa0yegZDaagKfl3tS6prhQI0ECXduWrdPgr8uLClU="; - }; -in +with pkgs; dockerTools.buildImage { name = "default"; tag = "latest"; - # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; paths = [ coreutils - # u-root-cmds + u-root-cmds bash - # nix - # nodejs - # podman + nix + nodejs + podman ]; }; - runAsRoot = '' - #!${stdenv.shell} - ${dockerTools.shadowSetup} - groupadd -r runner - useradd -r -g runner -d /data -M runner - mkdir /data - chown runner:runner /data - ''; + # runAsRoot = '' + # #!${stdenv.shell} + # ${dockerTools.shadowSetup} + # groupadd -r runner + # useradd -r -g runner -d /data -M runner + # mkdir /data + # chown runner:runner /data + # ''; config = { User = "runner"; From 3aaad47c2bdb1a32b708657b04e429783149f075 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:23:23 +0200 Subject: [PATCH 085/251] whoops --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 31bb238..b472489 100644 --- a/.forgejo/workflows/runner-image.yml 
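Review bot: With `runAsRoot` commented out, nothing in the image creates the `runner` account, yet `User = "runner";` stays in `config`. The `copyToRoot` env links only `/bin`, so there is no `/etc/passwd`, and the container runtime will presumably fail to resolve the user at start. A numeric id, `User = "1000:1000";`, keeps the image non-root without needing `runAsRoot` (and the KVM it requires). Another option is a small derivation in `paths` that provides `/etc/passwd` and `/etc/group`, with `"/etc"` added to `pathsToLink`. The later commit "runAsRoot requires kvm..." (`@@ -21,16 +21,8 @@`) ends in the same state, and the attribute set continues outside this hunk.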
+++ b/.forgejo/workflows/runner-image.yml @@ -59,7 +59,7 @@ jobs: - name: Push image run: >- podman push - --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json& + --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From a114f0a7f8b435d4f922ca98abefb8de42745088 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:26:18 +0200 Subject: [PATCH 086/251] . --- .forgejo/workflows/runner-image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index b472489..1d56b4e 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,11 +55,12 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json + podman run localhost/default:latest 'nix --version' - name: Push image run: >- podman push - --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json + --authfile=${XDG_RUNTIME_DIR}/containers/auth.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 237d208e930abaa5b419d8270ca78cc4bc056ad6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:28:59 +0200 Subject: [PATCH 087/251] siiiiigh --- .../development/forgejo/runners/default.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 2f0332d..eb0759b 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -21,14 +21,13 @@ dockerTools.buildImage { ]; }; - # runAsRoot = '' - # #!${stdenv.shell} - # ${dockerTools.shadowSetup} - # groupadd -r runner - # useradd -r -g runner -d /data -M runner - # mkdir /data - # chown runner:runner /data - # ''; + runAsRoot = '' + #!${lib.getExe bashInteractive} + groupadd -r runner + useradd -r -g runner -d /data -M runner + mkdir /data + chown runner:runner /data + ''; config = { User = "runner"; From 1cbfb6b5c0c89e381e799825579745bbe45fe8f8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:34:40 +0200 Subject: [PATCH 088/251] . --- .../nixos/services/development/forgejo/runners/default.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index eb0759b..e656e2d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -22,11 +22,7 @@ dockerTools.buildImage { }; runAsRoot = '' - #!${lib.getExe bashInteractive} - groupadd -r runner - useradd -r -g runner -d /data -M runner - mkdir /data - chown runner:runner /data + echo "je moeder!"; ''; config = { From 7070382596163aa7062a412e0c39f169da74339b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:43:18 +0200 Subject: [PATCH 089/251] runAsRoot requires kvm... --- .../services/development/forgejo/runners/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index e656e2d..c4c9a92 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -21,16 +21,8 @@ dockerTools.buildImage { ]; }; - runAsRoot = '' - echo "je moeder!"; - ''; - config = { User = "runner"; Cmd = [ "${lib.getExe bashInteractive}" ]; - WorkingDir = "/data"; - Volumes = { - "/data" = {}; - }; }; } \ No newline at end of file From a0e2d8db7100f41812a4c61e27b559556628ed93 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:46:25 +0200 Subject: [PATCH 090/251] . --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1d56b4e..1b742b0 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,7 +55,7 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - podman run localhost/default:latest 'nix --version' + # podman run localhost/default:latest 'nix --version' - name: Push image run: >- diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index c4c9a92..a7bc883 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -11,7 +11,7 @@ dockerTools.buildImage { copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; - paths = [ + paths = with pkgs_linux [ coreutils u-root-cmds bash From 8b9e1a14a8ad45f518e3b19941b188ec8b20bd79 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:47:10 +0200 Subject: [PATCH 091/251] ,... --- .forgejo/workflows/runner-image.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1b742b0..f30be6e 100644 --- a/.forgejo/workflows/runner-image.yml 
+++ b/.forgejo/workflows/runner-image.yml @@ -55,7 +55,6 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - # podman run localhost/default:latest 'nix --version' - name: Push image run: >- From 522041cbaed64b9cc9699e7feb82c2eceea81e6f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:47:37 +0200 Subject: [PATCH 092/251] waaaaaaggh --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index a7bc883..608cc69 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -11,7 +11,7 @@ dockerTools.buildImage { copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; - paths = with pkgs_linux [ + paths = with pkgs_linux; [ coreutils u-root-cmds bash From cd53e4c008478a58d09121e73b9ed2df8f8e9244 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:50:38 +0200 Subject: [PATCH 093/251] sdfasdfg --- .forgejo/workflows/runner-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f30be6e..9a1c7a9 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -53,7 +53,10 @@ jobs: - name: __DEBUG__ run: | + echo "${XDG_RUNTIME_DIR}/containers/auth.json" [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json + + echo "~/.docker/config.json" [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - name: Push image From f31317304e076e43425fdb7978a2c42c86120262 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:53:35 +0200 Subject: [PATCH 094/251] riiight, should've seen that one coming.... --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 9a1c7a9..d8b7ebb 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,14 +55,14 @@ jobs: run: | echo "${XDG_RUNTIME_DIR}/containers/auth.json" [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json - + echo "~/.docker/config.json" [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - name: Push image run: >- podman push - --authfile=${XDG_RUNTIME_DIR}/containers/auth.json + --authfile=~/.docker/config.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 7ac547bd815a460017ba87bf4aecfa43a8ab87a3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:55:38 +0200 Subject: [PATCH 095/251] parameterize git clone --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index d8b7ebb..e2bc6fb 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -17,9 +17,9 @@ jobs: name: Print hello world runs-on: default steps: - - name: Pull dependencies + - name: Checkout run: | - git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + git clone ${{ forge.server_url }}/${{ forge.repository }}.git . - name: Prepare podman run: | From d3e7de5f5a7f76050bc630015bf625b3569be4d2 Mon Sep 17 00:00:00 2001 
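Review bot: In PATCH 094/251, `--authfile=~/.docker/config.json` most likely hands podman a literal `~`, because the shell expands a tilde only at the start of a word or in a variable assignment, and `--authfile=...` is neither. The push would then look for a file under a directory named `~` relative to the working directory, unless podman expands the tilde itself. `--authfile="$HOME/.docker/config.json"` resolves as intended. The `run: >-` block starts above the hunk.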
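Review bot: In PATCH 095/251, the new `git clone ${{ forge.server_url }}/${{ forge.repository }}.git .` pastes two context values into the script text unquoted, so the shell parses whatever they expand to. Both are set by the forge and are unlikely to carry shell metacharacters, but passing them through the step's `env:` keeps the script text fixed: `git clone "${SERVER_URL}/${REPOSITORY}.git" .` with `SERVER_URL: ${{ forge.server_url }}` and `REPOSITORY: ${{ forge.repository }}`. The same pattern applies to the `--creds="${{ forge.actor }}:${{ forge.token }}"` line in the push step, which is context here.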
From: Chris Kruining Date: Thu, 4 Sep 2025 15:57:29 +0200 Subject: [PATCH 096/251] asdf --- .forgejo/workflows/runner-image.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e2bc6fb..ac05b21 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,18 +30,6 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - # Create authentication file for podman - mkdir -p ~/.docker - cat > ~/.docker/config.json <- podman push - --authfile=~/.docker/config.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 98c9424db58bf94b9f0ee60a22ed5ba19575d0e5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 17:30:46 +0200 Subject: [PATCH 097/251] aaha, there is the code I forgot to commit... --- .../authentication/zitadel/default.nix | 11 +++----- .../services/development/forgejo/default.nix | 3 ++- .../persistance/postgesql/default.nix | 26 +++++++++++++++++++ 3 files changed, 31 insertions(+), 9 deletions(-) create mode 100644 modules/nixos/services/persistance/postgesql/default.nix diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index a95d849..2f65f6f 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption mkForce; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -13,6 +13,8 @@ in }; config = mkIf cfg.enable { + ${namespace}.services.persistance.postgresql.enable = true; + environment.systemPackages = with pkgs; [ zitadel ]; @@ -110,13 +112,6 @@ in ensureDBOwnership = true; } ]; - authentication = mkForce '' - # Generated file, do not edit! - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; }; caddy = { diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index d7f170e..5c7d7aa 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -12,6 +12,7 @@ in config = mkIf cfg.enable { ${namespace}.services.virtualisation.podman.enable = true; + ${namespace}.services.persistance.postgresql.enable = true; environment.systemPackages = with pkgs; [ forgejo ]; @@ -154,7 +155,7 @@ in # stupid dumb way to prevent the login page and go to zitadel instead # be aware that this does not disable local login at all! - rewrite /user/login /user/oauth2/Zitadel + # rewrite /user/login /user/oauth2/Zitadel reverse_proxy http://127.0.0.1:5002 ''; diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix new file mode 100644 index 0000000..ce198a8 --- /dev/null +++ b/modules/nixos/services/persistance/postgesql/default.nix 
@@ -0,0 +1,26 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.peristance.postgresql; +in +{ + options.${namespace}.services.peristance.postgresql = { + enable = mkEnableOption "Postgresql"; + }; + + config = mkIf cfg.enable { + services = { + postgresql = { + enable = true; + authentication = '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; + }; + }; + }; +} From 2ca6339fe60844664cfbe738158f4daf2846b4a8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 18:11:36 +0200 Subject: [PATCH 098/251] fix typo --- modules/nixos/services/persistance/postgesql/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix index ce198a8..dbd6604 100644 --- a/modules/nixos/services/persistance/postgesql/default.nix +++ b/modules/nixos/services/persistance/postgesql/default.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.services.peristance.postgresql; + cfg = config.${namespace}.services.persistance.postgresql; in { - options.${namespace}.services.peristance.postgresql = { + options.${namespace}.services.persistance.postgresql = { enable = mkEnableOption "Postgresql"; }; From 0689c338ac44bebdac34dbbcfb5c99bb4fcd4321 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 18:12:08 +0200 Subject: [PATCH 099/251] solve compilation errors --- modules/nixos/services/development/forgejo/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 5c7d7aa..f143b12 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
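Review bot: The `authentication` block in the new `modules/nixos/services/persistance/postgesql/default.nix` (PATCH 097/251) sets `trust` for the local socket and for both loopback addresses, so any process on the host can connect as any role, including the superuser, without a credential. The rule was already present in the Zitadel module; moving it into a shared module makes it the default for every service that enables this one. Prefer `local all all peer` for socket connections and `scram-sha-256` on the two `host` lines; services that connect over TCP without a password would then need a credential or a switch to the socket. If `trust` is kept deliberately, a comment above the block should say so and give the reason.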
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,8 +11,10 @@ in }; config = mkIf cfg.enable { - ${namespace}.services.virtualisation.podman.enable = true; - ${namespace}.services.persistance.postgresql.enable = true; + ${namespace}.services = { + persistance.postgresql.enable = true; + virtualisation.podman.enable = true; + }; environment.systemPackages = with pkgs; [ forgejo ]; From 288e354edf03cfa0f4ba4b89f154748893d7e85c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:06:56 +0200 Subject: [PATCH 100/251] add nheko --- flake.nix | 7 +++++-- homes/x86_64-linux/chris@manwe/default.nix | 1 + modules/home/application/nheko/default.nix | 15 +++++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 modules/home/application/nheko/default.nix diff --git a/flake.nix b/flake.nix index 07479a7..60e9853 100644 --- a/flake.nix +++ b/flake.nix @@ -63,11 +63,11 @@ url = "github:Jovian-Experiments/Jovian-NixOS"; inputs.nixpkgs.follows = "nixpkgs"; }; - + grub2-themes = { url = "github:vinceliuice/grub2-themes"; }; - + nixos-wsl = { url = "github:nix-community/nixos-wsl"; inputs = { @@ -99,6 +99,9 @@ # I think this is because of zen "qtwebengine-5.15.19" + + # For Nheko, the matrix client + "olm-3.2.16" ]; }; diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index cd6fa1a..abeb606 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -35,6 +35,7 @@ bitwarden.enable = true; discord.enable = true; ladybird.enable = true; + nheko.enable = true; obs.enable = true; onlyoffice.enable = true; signal.enable = true; diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix new file mode 100644 index 0000000..b04b375 --- /dev/null +++ b/modules/home/application/nheko/default.nix 
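Review bot: The `"olm-3.2.16"` entry added in `flake.nix` (PATCH 100/251, hunk `@@ -99,6 +99,9 @@`) opts in to a package that nixpkgs refuses to evaluate by default, and the comment records only which application wanted it. The enclosing list starts above the hunk; from the neighbouring `"qtwebengine-5.15.19"` entry it looks like the permitted-insecure-packages list, which would apply to every configuration that uses this nixpkgs config — worth confirming. I would record the reason and the removal condition next to the entry, e.g. `# olm is flagged insecure in nixpkgs; remove this entry when no enabled package depends on it`.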
@@ -0,0 +1,15 @@ +{ config, lib, pkgs, namespace, osConfig ? {}, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.nheko; +in +{ + options.${namespace}.application.nheko = { + enable = mkEnableOption "enable nheko (matrix client)"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ nheko ]; + }; +} From 7f6f1166a4a6a7d18cf67776c9527b039fddd800 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:34:37 +0200 Subject: [PATCH 101/251] add backup extension for home manager --- modules/home/home-manager/default.nix | 6 ++++-- modules/nixos/home-manager/default.nix | 6 ++++++ 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 modules/nixos/home-manager/default.nix diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix index 93bae2e..5f3be03 100644 --- a/modules/home/home-manager/default.nix +++ b/modules/home/home-manager/default.nix @@ -4,7 +4,9 @@ let in { systemd.user.startServices = "sd-switch"; - programs.home-manager.enable = true; + programs.home-manager = { + enable = true; + }; home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); -} \ No newline at end of file +} diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix new file mode 100644 index 0000000..1a5a964 --- /dev/null +++ b/modules/nixos/home-manager/default.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + config = { + home-manager.backupFileExtension = "back"; + }; +} From ce7b147d0496f3ce80211197449df0cd62595756 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:47:45 +0200 Subject: [PATCH 102/251] move runner --- .../services/development/forgejo/runners => runners}/default.nix | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {modules/nixos/services/development/forgejo/runners => runners}/default.nix (100%) 
diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/runners/default.nix similarity index 100% rename from modules/nixos/services/development/forgejo/runners/default.nix rename to runners/default.nix From fe5cce0946fa4b2f65f9cfcbe5e7b0065b53d2a0 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 22:26:09 +0200 Subject: [PATCH 103/251] initial conduit setup --- .../communication/conduit/default.nix | 56 +++++++++++++++++++ systems/x86_64-linux/ulmo/default.nix | 2 + 2 files changed, 58 insertions(+) create mode 100644 modules/nixos/services/communication/conduit/default.nix diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix new file mode 100644 index 0000000..aa4d5c1 --- /dev/null +++ b/modules/nixos/services/communication/conduit/default.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.communication.conduit; + domain = "matrix.kruining.eu"; +in +{ + options.${namespace}.services.communication.conduit = { + enable = mkEnableOption "conduit (Matrix server)"; + }; + + config = mkIf cfg.enable { + # ${namespace}.services = { + # persistance.postgresql.enable = true; + # virtualisation.podman.enable = true; + # }; + + services = { + matrix-conduit = { + enable = true; + + settings.global = { + address = "::1"; + port = 4001; + + database_backend = "rocksdb"; + + server_name = "chris-matrix"; + }; + }; + + # postgresql = { + # enable = true; + # ensureDatabases = [ "conduit" ]; + # ensureUsers = [ + # { + # name = "conduit"; + # ensureDBOwnership = true; + # } + # ]; + # }; + + caddy = { + enable = true; + virtualHosts = { + ${domain}.extraConfig = '' + # import auth-z + + # reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4108dc9..3b35750 100644 
--- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -10,6 +10,8 @@ authentication.authelia.enable = true; authentication.zitadel.enable = true; + communication.conduit.enable = true; + development.forgejo.enable = true; networking.ssh.enable = true; From ec827c4187adc39d10525b904e2ecc6e9a7af962 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 07:53:05 +0200 Subject: [PATCH 104/251] update pipeline --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index ac05b21..19ba8ae 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -36,7 +36,7 @@ jobs: - name: Create image run: | - nix-build modules/nixos/services/development/forgejo/runners/default.nix + nix-build runners/default.nix podman load < result - name: Push image From 1d6f488ebd68f5f315e4c2077857b3b4cc8047ea Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:14:15 +0200 Subject: [PATCH 105/251] . --- runners/default.nix | 54 ++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/runners/default.nix b/runners/default.nix index 608cc69..9493d52 100644 --- a/runners/default.nix +++ b/runners/default.nix 
@@ -1,28 +1,28 @@ -{ - pkgs ? import {}, - pkgs_linux ? import { system = "x86_64-linux"; }, -}: - -with pkgs; -dockerTools.buildImage { - name = "default"; - tag = "latest"; - - copyToRoot = buildEnv { - name = "image-root"; - pathsToLink = [ "/bin" ]; - paths = with pkgs_linux; [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; - }; - - config = { - User = "runner"; - Cmd = [ "${lib.getExe bashInteractive}" ]; - }; +{ + pkgs ? import {}, + pkgs_linux ? import { system = "x86_64-linux"; }, +}: + +with pkgs; +dockerTools.buildImage { + name = "default"; + tag = "latest"; + + copyToRoot = buildEnv { + name = "image-root"; + pathsToLink = [ "/bin" ]; + paths = with pkgs_linux; [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + }; + + config = { + User = "runner"; + Cmd = [ "${lib.getExe bashInteractive}" ]; + }; } \ No newline at end of file From 2a79a4eb63bd5e7010d88df2d9a803f287fc6967 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:18:02 +0200 Subject: [PATCH 106/251] next iteration for forgejo runners --- .forgejo/workflows/runner-image.yml | 47 ----------- .gitignore | 8 +- .../services/development/forgejo/default.nix | 1 + .../nixos/services/development/forgejo/temp | 80 ------------------- runners/default.nix | 28 ------- 5 files changed, 8 insertions(+), 156 deletions(-) delete mode 100644 .forgejo/workflows/runner-image.yml delete mode 100644 modules/nixos/services/development/forgejo/temp delete mode 100644 runners/default.nix diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml deleted file mode 100644 index 19ba8ae..0000000 --- a/.forgejo/workflows/runner-image.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -name: Test action - -on: - workflow_dispatch: - push: - branches: - - main - -env: - registry: git.amarth.cloud - owner: chris - image: default - tag: latest - -jobs: - hello: - name: Print hello world - runs-on: default - steps: - - name: Checkout - run: | - git clone ${{ forge.server_url }}/${{ forge.repository }}.git . - - - name: Prepare podman - run: | - # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.kvmtool - - # configure container policy to accept insecure registry - mkdir -p ~/.config/containers - echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - - name: Log into registry - run: | - podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - - - name: Create image - run: | - nix-build runners/default.nix - podman load < result - - - name: Push image - run: >- - podman push - --creds="${{ forge.actor }}:${{ forge.token }}" - localhost/default:latest - ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/.gitignore b/.gitignore index 87a3018..3cb44c3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,8 @@ +# ---> Nix +# Ignore build outputs from performing a nix-build or `nix build` command result -*.qcow2 +result-* + +# Ignore automatically generated direnv output +.direnv + diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index f143b12..46e0995 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -142,6 +142,7 @@ in labels = [ "default:docker://nixos/nix:latest" "ubuntu:docker://ubuntu:24-bookworm" + "nix:docker://git.amarth.cloud/amarth/runners/default:latest" ]; settings = { log.level = "info"; 
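Review bot: The new runner label `"nix:docker://git.amarth.cloud/amarth/runners/default:latest"` (PATCH 106/251, `forgejo/default.nix`, hunk `@@ -142,6 +142,7 @@`) points jobs at a mutable tag, so every `runs-on: nix` job runs whatever image was last pushed under that name. A push to that image repository, intended or not, changes the build environment of all later jobs without any change in this repo. Pinning the label to a versioned tag or, if the runner accepts it, an image digest (`...default@sha256:<digest>`, placeholder) makes such a change visible in review; the `nixos/nix:latest` label in the context lines has the same property. The runner definition starts and ends outside the hunk.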
diff --git a/modules/nixos/services/development/forgejo/temp b/modules/nixos/services/development/forgejo/temp deleted file mode 100644 index 33a7313..0000000 --- a/modules/nixos/services/development/forgejo/temp +++ /dev/null 
@@ -1,80 +0,0 @@ -Error: mounting new container: - mounting build container "a1c1da9d2422b5d6571a79559039f60ba8771e4a05b9b2f8cae814a8f64bb8e3": - creating overlay mount to /var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/merged, - mount_data=" - lowerdir=/var/lib/containers/storage/overlay/l/XSOABRIRTTFZPQI37OU77T3XP6 - :/var/lib/containers/storage/overlay/l/F3M2D6K25OPTUC4ID73P2NIJ3A - :/var/lib/containers/storage/overlay/l/Q53OUMURARX52AYNVQGFGNVUMQ - :/var/lib/containers/storage/overlay/l/NHNXRY3S7TPPYSGNG6BFA7756K - :/var/lib/containers/storage/overlay/l/XWANZP5SNP5QFXQ7RPR2SN3GND - :/var/lib/containers/storage/overlay/l/QUS3NWAGIVW5KOT7EBHCH2THSP - :/var/lib/containers/storage/overlay/l/P24JFYKBFJWRZF4QCI65JNYDSH - :/var/lib/containers/storage/overlay/l/5U53LA6AULMQOF5JAVLNDQMETC - :/var/lib/containers/storage/overlay/l/SWCKHLKQYKOUWBHWGJ5VPBJ7RH - :/var/lib/containers/storage/overlay/l/KLPPEZB6CRL3I6R6LBCJWMKWPC - :/var/lib/containers/storage/overlay/l/RAI54LOZXCFNWNF54D5YLSZJZO - :/var/lib/containers/storage/overlay/l/NLXXIPBMH7EAMNSOZBGBYXWGV5 - :/var/lib/containers/storage/overlay/l/HP5E2J4HRMO6XYJANMEB4KT7F5 - :/var/lib/containers/storage/overlay/l/JZ3QIR7Y7HTWYCCZRNFZCMQSHH - :/var/lib/containers/storage/overlay/l/IYGILU3HMTXZLIKNELEPBOZXWS - :/var/lib/containers/storage/overlay/l/K52NCFVUIEMQALGI4CTKSORFQ6 - :/var/lib/containers/storage/overlay/l/DM5R63KXPSUHMGXMXGHV2Z7L6O - :/var/lib/containers/storage/overlay/l/3BJ5A4CHITM36J3WL7DUJN7HI5 - :/var/lib/containers/storage/overlay/l/3KY56KPCGUTAOCABRQOPB5E7KI - :/var/lib/containers/storage/overlay/l/4ISDZ7Y23WWZAZ6TISWAVXAKTA - :/var/lib/containers/storage/overlay/l/7WFY6347EYETD2DSHOWWGORMY7 - :/var/lib/containers/storage/overlay/l/RBDQUQQAQ4M3DNDP7JQDSTFPDC - :/var/lib/containers/storage/overlay/l/CZPS35AEHSSOCX2SETGG5RWAWK - :/var/lib/containers/storage/overlay/l/VTV4IYIPIMV7HUVW3YUCEZGVIF - 
:/var/lib/containers/storage/overlay/l/LOGNN4O7UYRJDINC3EU6MCK2JQ - :/var/lib/containers/storage/overlay/l/XCTPWOKP4A3NITB5YJEGDOYP53 - :/var/lib/containers/storage/overlay/l/57WPQF43V53AQIH5AJAFS2ZJLN - :/var/lib/containers/storage/overlay/l/BURD55A3XF6AHWWN5NFYVKHLFR - :/var/lib/containers/storage/overlay/l/SJBWDEB4R6KHHUWYVWHVFXZUML - :/var/lib/containers/storage/overlay/l/EFH5DWZ6VD7XHRBJI3MSGCSL5C - :/var/lib/containers/storage/overlay/l/LNJD656RHN73JQIOG5QP72XH6D - :/var/lib/containers/storage/overlay/l/BYKGR5QA32CNM3PNW7OJZGL7PI - :/var/lib/containers/storage/overlay/l/KEBZ34OPOPZSF56MMUIYJC62VQ - :/var/lib/containers/storage/overlay/l/AXUJ2DTXCFUNLLHVBNZT7HOOHV - :/var/lib/containers/storage/overlay/l/W2GQPDXQWNE4PJ2FK242CNBP3G - :/var/lib/containers/storage/overlay/l/HSHTMFX2BNZ6MN3YKZNP5GACK3 - :/var/lib/containers/storage/overlay/l/5EV6E33HXQTMDYA55D2KVDQN6O - :/var/lib/containers/storage/overlay/l/5YXUGLZ3U5V2GABHAGMOQQLZYD - :/var/lib/containers/storage/overlay/l/WNM6BFUABXRYMF3QXGOWIMSFGS - :/var/lib/containers/storage/overlay/l/EM6L4BR3WMU427KN3WHNXLPXLK - :/var/lib/containers/storage/overlay/l/WKG62FRJYJHG4PIYLUWPOIGIFR - :/var/lib/containers/storage/overlay/l/EIT5DRSEKJFGSXHNDISGIBHEET - :/var/lib/containers/storage/overlay/l/PW2HEYGQKHNXSSQFCTQ3RTW3RU - :/var/lib/containers/storage/overlay/l/LYCJF4GBFFSP5MCC6TGBDGWXLY - :/var/lib/containers/storage/overlay/l/3YXKKFLTDRPWC6Y3VW3A5HCHPC - :/var/lib/containers/storage/overlay/l/RJTCZEVFZ4GZ4WT36ZHWVQPHBE - :/var/lib/containers/storage/overlay/l/AT3GLGCW22SPL4FDEMUHM7SEC3 - :/var/lib/containers/storage/overlay/l/VPT2VRWXG6F5UOROWNVZJUYIXS - :/var/lib/containers/storage/overlay/l/IHIXWAURUCUAYZEWBQU6N37UL5 - :/var/lib/containers/storage/overlay/l/IGMNOUI3RRH3KFAOSHZUJJAYA6 - :/var/lib/containers/storage/overlay/l/KQTWTENKAQ7WIMPQO5HY4SQKSL - :/var/lib/containers/storage/overlay/l/7GQIS3UWTUQESKJI6NQ5A63FMB - :/var/lib/containers/storage/overlay/l/MXGQVTYACLV4M7PRZRGGXNOLCY - 
:/var/lib/containers/storage/overlay/l/6T6MXUMJ74EIDYDFZJU6642WDR - :/var/lib/containers/storage/overlay/l/QG53GGUJAUZLLCRGHLDVNBIG5M - :/var/lib/containers/storage/overlay/l/CWKPW6SM2HIEROK4XOFGURSEYZ - :/var/lib/containers/storage/overlay/l/EFAHS5T2ZS5ZVCY4WGZ4WW45WC - :/var/lib/containers/storage/overlay/l/CRT42BUU43KSCBUDTOB55WVML2 - :/var/lib/containers/storage/overlay/l/KA53IG4NUWMJM5GBFUKDSUP7WM - :/var/lib/containers/storage/overlay/l/DELTO3DZAGCCUKFOKYU5POUVO5 - :/var/lib/containers/storage/overlay/l/KM7KLUMSMCIUGMOUZHCCJVNY3S - :/var/lib/containers/storage/overlay/l/IAXMV7ZFALQU4XFQFLLXXUKBX7 - :/var/lib/containers/storage/overlay/l/6VVTPVXHDYPHOT42CWJXOL6SMB - :/var/lib/containers/storage/overlay/l/OHO5IA7AJ2EOGAFUPT3MPJMZSY - :/var/lib/containers/storage/overlay/l/Q3ZXKGFN6Q2APXQKRXMNE6YR4M - :/var/lib/containers/storage/overlay/l/FSGYM4J5NR6AY3LUWZ2WTBQG3N - :/var/lib/containers/storage/overlay/l/M44HLHAQGLWFYVTS4J55CDEDLY - :/var/lib/containers/storage/overlay/l/36CIGRUHNNFDCBWSEN3KXUQAZR - :/var/lib/containers/storage/overlay/l/5QE5JTSJB23BDSXCGYPXTTJUSS - :/var/lib/containers/storage/overlay/l/DREIPLSBGAK4XBL57M3NJAT5XA, - upperdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/diff, - workdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/work, - volatile": using mount program /nix/store/mr0jx11v1z2sfjlndisw7v3jrk57x7l3-fuse-overlayfs-1.14/bin/fuse-overlayfs: unknown argument ignored: lazytime - -fuse: device not found, try 'modprobe fuse' first -fuse-overlayfs: cannot mount: No such file or directory \ No newline at end of file diff --git a/runners/default.nix b/runners/default.nix deleted file mode 100644 index 9493d52..0000000 --- a/runners/default.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - pkgs ? import {}, - pkgs_linux ? import { system = "x86_64-linux"; }, -}: - -with pkgs; -dockerTools.buildImage { - name = "default"; - tag = "latest"; - - copyToRoot = buildEnv { - name = "image-root"; - pathsToLink = [ "/bin" ]; - paths = with pkgs_linux; [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; - }; - - config = { - User = "runner"; - Cmd = [ "${lib.getExe bashInteractive}" ]; - }; -} \ No newline at end of file From 9ebe4fd4e706c30babeb32df1abb6e2ad0d071fe Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:24:36 +0200 Subject: [PATCH 107/251] alright, time to try it --- .forgejo/workflows/action.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 4aac00e..684cfad 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -7,10 +7,9 @@ on: - main jobs: - hello: - name: Print hello world - runs-on: default + kaas: + runs-on: nix steps: - name: Echo run: | - echo "Hello, world!" \ No newline at end of file + nix --version \ No newline at end of file From cc2f7bbea403b06f52ec1bd261a8bd5eb8fca687 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Sep 2025 10:53:10 +0200 Subject: [PATCH 108/251] replace nheko with fractal --- homes/x86_64-linux/chris@manwe/default.nix | 2 +- modules/home/application/matrix/default.nix | 15 +++++++++++++++ modules/home/application/nheko/default.nix | 15 --------------- 3 files changed, 16 insertions(+), 16 deletions(-) create mode 100644 modules/home/application/matrix/default.nix delete mode 100644 modules/home/application/nheko/default.nix diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index abeb606..9abe613 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix 
@@ -35,7 +35,7 @@ bitwarden.enable = true; discord.enable = true; ladybird.enable = true; - nheko.enable = true; + matrix.enable = true; obs.enable = true; onlyoffice.enable = true; signal.enable = true; diff --git a/modules/home/application/matrix/default.nix b/modules/home/application/matrix/default.nix new file mode 100644 index 0000000..1a33a0c --- /dev/null +++ b/modules/home/application/matrix/default.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, namespace, osConfig ? {}, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.matrix; +in +{ + options.${namespace}.application.matrix = { + enable = mkEnableOption "enable Matrix client (Fractal)"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ fractal ]; + }; +} diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix deleted file mode 100644 index b04b375..0000000 --- a/modules/home/application/nheko/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, namespace, osConfig ? {}, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.nheko; -in -{ - options.${namespace}.application.nheko = { - enable = mkEnableOption "enable nheko (matrix client)"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ nheko ]; - }; -} From d4eff470499f55c490c7dda2775dda5b53f338ff Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Sep 2025 10:53:17 +0200 Subject: [PATCH 109/251] finally have a working matrix set up --- .../communication/conduit/default.nix | 36 +++++++++++++++---- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix index aa4d5c1..13a2cbc 100644 --- a/modules/nixos/services/communication/conduit/default.nix +++ b/modules/nixos/services/communication/conduit/default.nix 
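Review bot: `flake.nix` is not in this commit's diffstat (PATCH 108/251), so the `"olm-3.2.16"` allowance that PATCH 100/251 added under the comment `# For Nheko, the matrix client` stays in place after Nheko is removed. If Fractal does not need olm, the entry and its comment should be dropped in this commit; leaving it means a package flagged insecure can be pulled in later without an evaluation error. If it is still needed, the comment should name the package that requires it.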
@@ -16,17 +16,25 @@ in # virtualisation.podman.enable = true; # }; + networking.firewall.allowedTCPPorts = [ 4001 8448 ]; + services = { matrix-conduit = { enable = true; settings.global = { - address = "::1"; + address = "::"; port = 4001; - database_backend = "rocksdb"; + server_name = "matrix.kruining.eu"; - server_name = "chris-matrix"; + database_backend = "rocksdb"; + # database_path = "/var/lib/matrix-conduit/"; + + allow_check_for_updates = false; + allow_registration = false; + + enable_lightning_bolt = false; }; }; @@ -43,11 +51,25 @@ in caddy = { enable = true; - virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z + virtualHosts = let + inherit (builtins) toJSON; - # reverse_proxy http://127.0.0.1:5002 + server = { + "m.server" = "${domain}:443"; + }; + client = { + "m.homeserver".base_url = "https://${domain}"; + "m.identity_server".base_url = "https://auth.amarth.cloud"; + }; + in { + "${domain}".extraConfig = '' + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + respond /.well-known/matrix/server `${toJSON server}` + respond /.well-known/matrix/client `${toJSON client}` + + reverse_proxy /_matrix/* http://::1:4001 + # reverse_proxy /_synapse/client/* http://::1:4001 ''; }; }; From d74f67e4fbb4f98f94be0111808d834619ca941b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Sep 2025 16:43:54 +0200 Subject: [PATCH 110/251] switch to synapse away from conduit --- .../authentication/zitadel/default.nix | 11 +- .../communication/conduit/default.nix | 135 +++++++++++++++--- 2 files changed, 120 insertions(+), 26 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 2f65f6f..7edccc1 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
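Review bot: `networking.firewall.allowedTCPPorts = [ 4001 8448 ];` together with `address = "::"` (PATCH 109/251, `conduit/default.nix`) exposes the homeserver's plain-HTTP listener on every interface, so it can be reached without going through Caddy and its TLS. The Caddy vhost added in the same commit already proxies `/_matrix/*` to the loopback address, and the `m.server` well-known value points federation at port 443, so nothing visible here needs 4001 or 8448 open. Keeping `address = "::1";` and dropping the firewall line leaves Caddy as the only entry point. The `reverse_proxy` target `http://::1:4001` also writes the IPv6 literal without brackets; `http://[::1]:4001` is the unambiguous form.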
@@ -4,8 +4,7 @@ let cfg = config.${namespace}.services.authentication.zitadel; - db_name = "zitadel"; - db_user = "zitadel"; + database = "zitadel"; in { options.${namespace}.services.authentication.zitadel = { @@ -72,9 +71,9 @@ in Host = "localhost"; # Zitadel will report error if port is not set Port = 5432; - Database = db_name; + Database = database; User = { - Username = db_user; + Username = database; SSL.Mode = "disable"; }; Admin = { @@ -105,10 +104,10 @@ in postgresql = { enable = true; - ensureDatabases = [ db_name ]; + ensureDatabases = [ database ]; ensureUsers = [ { - name = db_user; + name = database; ensureDBOwnership = true; } ]; diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix index 13a2cbc..3e909ff 100644 --- a/modules/nixos/services/communication/conduit/default.nix +++ b/modules/nixos/services/communication/conduit/default.nix @@ -1,9 +1,15 @@ { config, lib, pkgs, namespace, ... }: let + inherit (builtins) toString toJSON; inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.communication.conduit; - domain = "matrix.kruining.eu"; + + domain = "kruining.eu"; + fqn = "matrix.${domain}"; + port = 4001; + + database = "synapse"; in { options.${namespace}.services.communication.conduit = { @@ -20,13 +26,13 @@ in services = { matrix-conduit = { - enable = true; + enable = false; settings.global = { address = "::"; - port = 4001; + port = port; - server_name = "matrix.kruining.eu"; + server_name = domain; database_backend = "rocksdb"; # database_path = "/var/lib/matrix-conduit/"; 
@@ -38,27 +44,115 @@ in }; }; - # postgresql = { - # enable = true; - # ensureDatabases = [ "conduit" ]; - # ensureUsers = [ - # { - # name = "conduit"; - # ensureDBOwnership = true; - # } - # ]; - # }; + matrix-synapse = { + enable = true; + + extras = [ "oidc" ]; + plugins = with config.services.matrix-synapse.package.plugins; []; + + settings = { + server_name = domain; + public_baseurl = "https://${fqn}"; + + enable_registration = false; + registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; + + url_preview_enabled = true; + precence.enabled = true; + + database = { + # this is postgresql (also the default, but I prefer to be explicit) + name = "psycopg2"; + args = { + database = database; + user = database; + }; + }; + + listeners = [ + { + bind_addresses = ["::"]; + port = port; + type = "http"; + tls = false; + x_forwarded = true; + + resources = [ + { + names = [ "client" "federation" ]; + compress = true; + } + ]; + } + ]; + }; + }; + + mautrix-signal = { + enable = true; + registerToSynapse = true; + + settings = { + appservice = { + provisioning.enabled = false; + port = 40011; + }; + + homeserver = { + address = "http://[::1]:${toString port}"; + domain = domain; + }; + + bridge = { + permissions = { + "@chris:${domain}" = "admin"; + }; + }; + }; + }; + + mautrix-whatsapp = { + enable = true; + registerToSynapse = true; + + settings = { + appservice = { + provisioning.enabled = false; + port = 40012; + }; + + homeserver = { + address = "http://[::1]:${toString port}"; + domain = domain; + }; + + bridge = { + permissions = { + "@chris:${domain}" = "admin"; + }; + }; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ database ]; + ensureUsers = [ + { + name = database; + ensureDBOwnership = true; + } + ]; + }; caddy = { enable = true; virtualHosts = let - inherit (builtins) toJSON; - server = { - "m.server" = "${domain}:443"; + "m.server" = "${fqn}:443"; }; client = { - "m.homeserver".base_url = 
"https://${domain}"; + "m.homeserver".base_url = "https://${fqn}"; "m.identity_server".base_url = "https://auth.amarth.cloud"; }; in { @@ -67,9 +161,10 @@ in header /.well-known/matrix/* Access-Control-Allow-Origin * respond /.well-known/matrix/server `${toJSON server}` respond /.well-known/matrix/client `${toJSON client}` - + ''; + "${fqn}".extraConfig = '' reverse_proxy /_matrix/* http://::1:4001 - # reverse_proxy /_synapse/client/* http://::1:4001 + reverse_proxy /_synapse/client/* http://::1:4001 ''; }; }; From 953c238a47cf95ee874eaefca9f710a8c899fd87 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Sep 2025 22:03:10 +0200 Subject: [PATCH 111/251] fix nix config --- modules/nixos/nix/default.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 3104ecd..bf96f59 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -1,15 +1,11 @@ { pkgs, lib, namespace, config, ... }: let - inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.nix; in { - options.${namespace}.nix = { - enable = mkEnableOption "Enable nix command"; - }; + options.${namespace}.nix = {}; - config = mkIf cfg.enable { + config = { programs.git.enable = true; nix = { From 992ddba373757578ccc8c06350ebf285a8accad3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Sep 2025 22:09:47 +0200 Subject: [PATCH 112/251] rename matrix module --- .../{conduit => matrix}/default.nix | 37 +++++-------------- systems/x86_64-linux/ulmo/default.nix | 2 +- 2 files changed, 10 insertions(+), 29 deletions(-) rename modules/nixos/services/communication/{conduit => matrix}/default.nix (81%) 
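Review bot: `registration_shared_secret` is set to a literal string in the `matrix-synapse` settings, so the secret is committed to the repository and, as Nix renders these settings into the store, most likely ends up in a world-readable store path as well. Anyone holding it can create accounts, including admin accounts, through the shared-secret registration API, regardless of `enable_registration = false`. The flake already pulls in sops-nix, so I would load it from a file instead: `registration_shared_secret_path = config.sops.secrets."<placeholder-secret-name>".path;` (placeholder name, readable by the synapse user). The committed value should also be rotated, since it stays in history and is still present in the later `@@ -56,7 +37,7 @@` and `@@ -35,12 +35,15 @@` hunks. Also in this hunk, `precence.enabled = true;` looks like a typo for `presence.enabled`, so as written it does not configure presence.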
diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/matrix/default.nix similarity index 81% rename from modules/nixos/services/communication/conduit/default.nix rename to modules/nixos/services/communication/matrix/default.nix index 3e909ff..b339b82 100644 --- a/modules/nixos/services/communication/conduit/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -3,7 +3,7 @@ let inherit (builtins) toString toJSON; inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.services.communication.conduit; + cfg = config.${namespace}.services.communication.matrix; domain = "kruining.eu"; fqn = "matrix.${domain}"; @@ -12,38 +12,19 @@ let database = "synapse"; in { - options.${namespace}.services.communication.conduit = { - enable = mkEnableOption "conduit (Matrix server)"; + options.${namespace}.services.communication.matrix = { + enable = mkEnableOption "Matrix server (Synapse)"; }; config = mkIf cfg.enable { - # ${namespace}.services = { - # persistance.postgresql.enable = true; - # virtualisation.podman.enable = true; - # }; + ${namespace}.services = { + persistance.postgresql.enable = true; + # virtualisation.podman.enable = true; + }; - networking.firewall.allowedTCPPorts = [ 4001 8448 ]; + networking.firewall.allowedTCPPorts = [ 4001 ]; services = { - matrix-conduit = { - enable = false; - - settings.global = { - address = "::"; - port = port; - - server_name = domain; - - database_backend = "rocksdb"; - # database_path = "/var/lib/matrix-conduit/"; - - allow_check_for_updates = false; - allow_registration = false; - - enable_lightning_bolt = false; - }; - }; - matrix-synapse = { enable = true; @@ -56,7 +37,7 @@ in enable_registration = false; registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; - + url_preview_enabled = true; precence.enabled = true; 
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 3b35750..4d1c4ab 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -10,7 +10,7 @@ authentication.authelia.enable = true; authentication.zitadel.enable = true; - communication.conduit.enable = true; + communication.matrix.enable = true; development.forgejo.enable = true; From 3816942600ebc21d01fb790f2d18bec17559c656 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 14 Sep 2025 22:00:53 +0200 Subject: [PATCH 113/251] finally have the matrix bridges working! --- modules/nixos/services/communication/matrix/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index b339b82..6a75f43 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -29,7 +29,7 @@ in enable = true; extras = [ "oidc" ]; - plugins = with config.services.matrix-synapse.package.plugins; []; + # plugins = with config.services.matrix-synapse.package.plugins; []; settings = { server_name = domain; @@ -76,7 +76,7 @@ in settings = { appservice = { provisioning.enabled = false; - port = 40011; + # port = 40011; }; homeserver = { @@ -99,7 +99,7 @@ in settings = { appservice = { provisioning.enabled = false; - port = 40012; + # port = 40012; }; homeserver = { From d35165ebc0ab1927aca8675e88ef4ee28ce3149c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 14 Sep 2025 22:01:09 +0200 Subject: [PATCH 114/251] add sso support for matrix server --- .../services/communication/matrix/default.nix | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 6a75f43..a93d7c8 100644 
--- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -41,6 +41,28 @@ in url_preview_enabled = true; precence.enabled = true; + sso = { + client_whitelist = [ "http://[::1]:9092" ]; + update_profile_information = true; + }; + + oidc_providers = [ + { + discover = true; + + idp_id = "zitadel"; + idp_name = "Zitadel"; + issuer = "https://auth.amarth.cloud"; + client_id = "337858153251143939"; + client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; + scopes = [ "openid" "profile" ]; + # user_mapping_provider.config = { + # localpart_template = "{{ user.prefered_username }}"; + # display_name_template = "{{ user.name }}"; + # }; + } + ]; + database = { # this is postgresql (also the default, but I prefer to be explicit) name = "psycopg2"; From 1a4746819b166eb57ad0a24a03f1260abba4cf1a Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 14 Sep 2025 22:03:21 +0200 Subject: [PATCH 115/251] - fix matrix clients - fix zen - uuuugh, stupid home-manager... --- flake.lock | 20 +++----------------- flake.nix | 5 ++++- modules/home/application/matrix/default.nix | 6 +++++- modules/home/application/zen/default.nix | 2 ++ modules/home/desktop/plasma/default.nix | 2 +- modules/nixos/home-manager/default.nix | 2 +- 6 files changed, 16 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 51907f8..e10acab 100644 --- a/flake.lock +++ b/flake.lock @@ -686,22 +686,6 @@ "type": "github" } }, - "nixpkgs_10": { - "locked": { - "lastModified": 1727348695, - "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1756578978, 
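Review bot: The new `oidc_providers` entry sets `client_secret` to a literal, which puts the Zitadel client credential in git and, presumably, in the generated config in the Nix store. Synapse accepts a file reference here, so the line can become `client_secret_path = config.sops.secrets."<placeholder-secret-name>".path;` (placeholder name), with the secret made readable by the synapse user. The committed secret should be rotated in Zitadel. In the commented-out mapping, `user.prefered_username` is misspelled; the OIDC claim is `preferred_username`, which will matter once that block is enabled. The `settings` attribute set continues outside this hunk.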
@@ -1186,7 +1170,9 @@ "zen-browser": { "inputs": { "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_10" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1756876659, diff --git a/flake.nix b/flake.nix index 60e9853..c659d4f 100644 --- a/flake.nix +++ b/flake.nix @@ -41,7 +41,10 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser.url = "github:0xc000022070/zen-browser-flake"; + zen-browser = { + url = "github:0xc000022070/zen-browser-flake"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; diff --git a/modules/home/application/matrix/default.nix b/modules/home/application/matrix/default.nix index 1a33a0c..867a94f 100644 --- a/modules/home/application/matrix/default.nix +++ b/modules/home/application/matrix/default.nix @@ -10,6 +10,10 @@ in }; config = mkIf cfg.enable { - home.packages = with pkgs; [ fractal ]; + home.packages = with pkgs; [ fractal element-desktop ]; + + programs.element-desktop = { + enable = true; + }; }; } diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index 4995216..b7cec03 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -19,6 +19,8 @@ in }; programs.zen-browser = { + enable = true; + policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; diff --git a/modules/home/desktop/plasma/default.nix b/modules/home/desktop/plasma/default.nix index 13476fb..0b679a0 100644 --- a/modules/home/desktop/plasma/default.nix +++ b/modules/home/desktop/plasma/default.nix @@ -64,7 +64,7 @@ in }; kwalletrc = { - Wallet.Enabled = false; + Wallet.Enabled = true; }; plasmarc = { diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix index 1a5a964..d147d46 100644 --- a/modules/nixos/home-manager/default.nix +++ b/modules/nixos/home-manager/default.nix 
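Review bot: In `modules/home/application/matrix/default.nix`, `element-desktop` is both added to `home.packages` and enabled through `programs.element-desktop.enable = true;`. As far as I know the home-manager module installs the package itself, so the explicit entry is redundant and can diverge if the module's `package` option is overridden later. I would keep `home.packages = with pkgs; [ fractal ];` and let the `programs` module own Element.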
@@ -1,6 +1,6 @@ { ... }: { config = { - home-manager.backupFileExtension = "back"; + home-manager.backupFileExtension = "homeManagerBackup"; }; } From 6ed8bd861b5074084a67d3bf150cdf732476bf31 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 14 Sep 2025 22:03:45 +0200 Subject: [PATCH 116/251] start borg backups --- .../nixos/services/backup/borg/default.nix | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 modules/nixos/services/backup/borg/default.nix diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix new file mode 100644 index 0000000..fbe5235 --- /dev/null +++ b/modules/nixos/services/backup/borg/default.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.backup.borg; +in +{ + options.${namespace}.services.backup.borg = { + enable = mkEnableOption "Borg Backup"; + }; + + config = mkIf cfg.enable { + services = { + borgbackup.jobs = { + media = { + paths = "/var/media/test"; + encryption.mode = "none"; + environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; + repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media"; + compression = "auto,zstd"; + startAt = "daily"; + }; + }; + }; + }; +} From 188988f930e35dc9daac6e373a737fe867207706 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 14 Sep 2025 22:13:19 +0200 Subject: [PATCH 117/251] disable password auth for matrix --- modules/nixos/services/communication/matrix/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index a93d7c8..d0c6e45 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
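Review bot: The `media` job sends data to a remote host with `encryption.mode = "none";`, so the repository is readable and modifiable by anyone with access to that account or disk. For an off-site repository I would use `encryption.mode = "repokey-blake2";` with `encryption.passCommand = "cat ${config.sops.secrets."<placeholder-secret-name>".path}";` (placeholder name). `BORG_SSH` points at `/home/chris/.ssh/id_ed25519`, a personal login key, while the borgbackup service runs as a system unit (root by default, as far as I know). A dedicated backup key, restricted to `borg serve` for this repository on the remote side, would limit what a compromise of either end exposes.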
@@ -35,12 +35,15 @@ in server_name = domain; public_baseurl = "https://${fqn}"; - enable_registration = false; registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; url_preview_enabled = true; precence.enabled = true; + # Since we'll be using OIDC for auth disable all local options + enable_registration = false; + password_config.enabled = false; + sso = { client_whitelist = [ "http://[::1]:9092" ]; update_profile_information = true; From e55ec9c32380fe872ed977aa065e6d69e3c6d74b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 17 Sep 2025 23:02:17 +0200 Subject: [PATCH 118/251] Update flake.lock --- flake.lock | 210 +++++++++++++++++++++++++++++------------------------ 1 file changed, 116 insertions(+), 94 deletions(-) diff --git a/flake.lock b/flake.lock index e10acab..528d3cd 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "fromYaml": "fromYaml" }, "locked": { - "lastModified": 1746562888, - "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", + "lastModified": 1755819240, + "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", "owner": "SenchoPens", "repo": "base16.nix", - "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", + "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", "type": "github" }, "original": { @@ -73,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1756593129, - "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=", + "lastModified": 1757697130, + "narHash": "sha256-xEL7Ou/TQ1gYz4EXTwWOuMbySDNak9aTZHggjgWIh3E=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd", + "rev": "e15b6c60f9d93ef0dcfdd7d333b234fbe225288d", "type": "github" }, "original": { 
@@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1756622179, - "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=", + "lastModified": 1758091097, + "narHash": "sha256-p2FIwAaUCoKY9mZSPAMQYQ7CwwhfvGC4VIfLapAdfOE=", "owner": "nix-community", "repo": "fenix", - "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79", + "rev": "b60fe116b9495df516f57837bb04a4f89f3aa7ed", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1756643456, - "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=", + "lastModified": 1758026061, + "narHash": "sha256-C9k9zXbQrXCA4mgaEwpV8YyOWz/hLEc+Yu0GGWf3SVs=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e", + "rev": "3ec1499fdac54c0d3e14d6a69470cfe267b364a9", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1748383148, - "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", + "lastModified": 1756083905, + "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", + "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808", "type": "github" }, "original": { @@ -230,11 +230,11 @@ ] }, "locked": { - "lastModified": 1754487366, - "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", + "lastModified": 1756770412, + "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", + "rev": "4524271976b625a4a605beefd893f270620fd751", "type": "github" }, "original": { 
@@ -251,11 +251,11 @@ ] }, "locked": { - "lastModified": 1751413152, - "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", + "lastModified": 1756770412, + "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", + "rev": "4524271976b625a4a605beefd893f270620fd751", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1756381920, - "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=", + "lastModified": 1757136219, + "narHash": "sha256-tKU+vq34KHu/A2wD7WdgP5A4/RCmSD8hB0TyQAUlixA=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7", + "rev": "80dd04ddf3ba7b284a7b1a5df2b1e95ee2aad606", "type": "github" }, "original": { @@ -429,14 +429,15 @@ "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" - ] + ], + "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1756413980, - "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=", + "lastModified": 1758132240, + "narHash": "sha256-Pie3Hfqc9MMUmzSj17ikYsF+DWbJt0TWcmROaQkyliw=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a", + "rev": "aee341588eb2cd23ba0ca2c8c4e36a74c81e9676", "type": "github" }, "original": { @@ -452,11 +453,11 @@ ] }, "locked": { - "lastModified": 1756650373, - "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=", + "lastModified": 1758119172, + "narHash": "sha256-LnVuGLf0PJHqqIHroxEzwXS57mjAdHSrXi0iODKbbiU=", "owner": "nix-community", "repo": "home-manager", - "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8", + "rev": "9f408dc51c8e8216a94379e6356bdadbe8b4fef9", "type": "github" }, "original": { 
@@ -473,11 +474,11 @@ ] }, "locked": { - "lastModified": 1756842514, - "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", + "lastModified": 1752603129, + "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", "owner": "nix-community", "repo": "home-manager", - "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", + "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", "type": "github" }, "original": { @@ -494,11 +495,11 @@ ] }, "locked": { - "lastModified": 1756638688, - "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=", + "lastModified": 1757230583, + "narHash": "sha256-4uqu7sFPOaVTCogsxaGMgbzZ2vK40GVGMfUmrvK3/LY=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "e7b8679cba79f4167199f018b05c82169249f654", + "rev": "fc3960e6c32c9d4f95fff2ef84444284d24d3bea", "type": "github" }, "original": { @@ -528,11 +529,11 @@ }, "mnw": { "locked": { - "lastModified": 1756580127, - "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=", + "lastModified": 1756659871, + "narHash": "sha256-v6Rh4aQ6RKjM2N02kK9Usn0Ix7+OY66vNpeklc1MnGE=", "owner": "Gerg-L", "repo": "mnw", - "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252", + "rev": "ed6cc3e48557ba18266e598a5ebb6602499ada16", "type": "github" }, "original": { @@ -570,11 +571,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1756518625, - "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=", + "lastModified": 1758073856, + "narHash": "sha256-2KU4Sb2WynjwKQ/+MkKjc6mpCiGfuRRQozR267cK8WI=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19", + "rev": "e8c58a920fb430a70498b3c517fd91c768423c4b", "type": "github" }, "original": { 
@@ -642,11 +643,11 @@ ] }, "locked": { - "lastModified": 1755261305, - "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=", + "lastModified": 1758123407, + "narHash": "sha256-4qwMlR0Q4Zr2rjUFauYIldfjzffYt3G5tZ1uPFPPYGU=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "203a7b463f307c60026136dd1191d9001c43457f", + "rev": "ba2b3b6c0bc42442559a3b090f032bc8d501f5e3", "type": "github" }, "original": { @@ -657,11 +658,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754002724, - "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=", + "lastModified": 1756686622, + "narHash": "sha256-7RIjltx7tQAr/pDmcb/zNNgRtUDlXh+EppSEqD4IIa8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8271ed4b2e366339dd622f329151e45745ade121", + "rev": "23da0aa9ec413ed894af3fdc6313e6b8ff623833", "type": "github" }, "original": { @@ -688,11 +689,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1756578978, - "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=", + "lastModified": 1758012326, + "narHash": "sha256-5xX26DjtxxFAw4IyZATzUs2UYghdmcpyZ93whojp828=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23", + "rev": "1bc4de0728f2eb1602fc5cce4122f2e999bc9d35", "type": "github" }, "original": { @@ -720,11 +721,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1756653691, - "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=", + "lastModified": 1758141327, + "narHash": "sha256-s21soW4Y0C+unFk4zfQc33npYfW9dV5GOE6zjofn2vc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b", + "rev": "f6bf53c73226d0809b9f1e5bcf9a58ba00234738", "type": "github" }, "original": { 
@@ -752,11 +753,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1756542300, - "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", + "lastModified": 1757745802, + "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", + "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", "type": "github" }, "original": { @@ -768,11 +769,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1756536218, - "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=", + "lastModified": 1756696532, + "narHash": "sha256-6FWagzm0b7I/IGigOv9pr6LL7NQ86mextfE8g8Q6HBg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1", + "rev": "58dcbf1ec551914c3756c267b8b9c8c86baa1b2f", "type": "github" }, "original": { @@ -784,11 +785,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "lastModified": 1757746433, + "narHash": "sha256-fEvTiU4s9lWgW7mYEU/1QUPirgkn+odUBTaindgiziY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "rev": "6d7ec06d6868ac6d94c371458fc2391ded9ff13d", "type": "github" }, "original": { @@ -800,11 +801,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1751792365, - "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", + "lastModified": 1756819007, + "narHash": "sha256-12V64nKG/O/guxSYnr5/nq1EfqwJCdD2+cIGmhz3nrE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", + "rev": "aaff8c16d7fc04991cac6245bee1baa31f72b1e1", "type": "github" }, "original": { 
@@ -826,11 +827,11 @@ ] }, "locked": { - "lastModified": 1751906969, - "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", + "lastModified": 1756961635, + "narHash": "sha256-hETvQcILTg5kChjYNns1fD5ELdsYB/VVgVmBtqKQj9A=", "owner": "nix-community", "repo": "NUR", - "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", + "rev": "6ca27b2654ac55e3f6e0ca434c1b4589ae22b370", "type": "github" }, "original": { @@ -848,11 +849,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1756646417, - "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=", + "lastModified": 1757955071, + "narHash": "sha256-owSpkt551cIqDDk5iHesdEus9REFeOIY3rY4C5ZPm/Y=", "owner": "notashelf", "repo": "nvf", - "rev": "939fb8cfc630190cd5607526f81693525e3d593b", + "rev": "1bd9fc116420db4c1156819d61df5d5312e1bbea", "type": "github" }, "original": { @@ -910,11 +911,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1756597274, - "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=", + "lastModified": 1757362324, + "narHash": "sha256-/PAhxheUq4WBrW5i/JHzcCqK5fGWwLKdH6/Lu1tyS18=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30", + "rev": "9edc9cbe5d8e832b5864e09854fa94861697d2fd", "type": "github" }, "original": { @@ -924,6 +925,27 @@ "type": "github" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "himmelblau", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1758076341, + "narHash": "sha256-ZKi6pyRDw2/3xU7qxd+2+lneQXUOe92TiF+10DflolM=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "562fb6f14678eb9b8a36829140f6a4d0737776d2", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "snowfall-lib": { "inputs": { "flake-compat": "flake-compat_5", 
@@ -951,11 +973,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1754988908, - "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", + "lastModified": 1758007585, + "narHash": "sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", + "rev": "f77d4cfa075c3de66fc9976b80e0c4fc69e2c139", "type": "github" }, "original": { @@ -983,11 +1005,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1755997543, - "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=", + "lastModified": 1757956156, + "narHash": "sha256-f0W7qbsCqpi6swQ5w8H+0YrAbNwsHgCFDkNRMTJjqrE=", "owner": "nix-community", "repo": "stylix", - "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8", + "rev": "0ce0103b498bb22f899ed8862d8d7f9503ed9cdb", "type": "github" }, "original": { @@ -1122,11 +1144,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1750770351, - "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=", + "lastModified": 1754779259, + "narHash": "sha256-8KG2lXGaXLUE0F/JVwLQe7kOVm21IDfNEo0gfga5P4M=", "owner": "tinted-theming", "repo": "schemes", - "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a", + "rev": "097d751b9e3c8b97ce158e7d141e5a292545b502", "type": "github" }, "original": { @@ -1138,11 +1160,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1751159871, - "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=", + "lastModified": 1754788770, + "narHash": "sha256-LAu5nBr7pM/jD9jwFc6/kyFY4h7Us4bZz7dvVvehuwo=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c", + "rev": "fb2175accef8935f6955503ec9dd3c973eec385c", "type": "github" }, "original": { 
@@ -1154,11 +1176,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1751158968, - "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=", + "lastModified": 1755613540, + "narHash": "sha256-zBFrrTxHLDMDX/OYxkCwGGbAhPXLi8FrnLhYLsSOKeY=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "86a470d94204f7652b906ab0d378e4231a5b3384", + "rev": "937bada16cd3200bdbd3a2f5776fc3b686d5cba0", "type": "github" }, "original": { @@ -1175,11 +1197,11 @@ ] }, "locked": { - "lastModified": 1756876659, - "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=", + "lastModified": 1758140427, + "narHash": "sha256-c23dzaQm2s57MN1kB3P5wORzIy0Ux0HMizBCQSPU8Fg=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529", + "rev": "a22c92d3424bacc159e7fbd1fb679e52396f0022", "type": "github" }, "original": { From 0fd9b0264f0b6d8745741cf7cd08185c29d5aaa5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 8 Oct 2025 07:45:27 +0200 Subject: [PATCH 119/251] add static ip's --- systems/x86_64-linux/ulmo/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4d1c4ab..0f3ac1c 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -5,6 +5,16 @@ ./hardware.nix ]; + networking.interfaces.enp2s0 = { + ipv6.addresses = [ + { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } + ]; + + ipv4.addresses = [ + { address = "192.168.1.3"; prefixLength = 16; } + ]; + }; + sneeuwvlok = { services = { authentication.authelia.enable = true; From 8c6fe96e598a115c42e37d7d694cd977e13472a8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 8 Oct 2025 20:17:20 +0200 Subject: [PATCH 120/251] kaas --- justfile | 4 ++++ modules/home/themes/default.nix | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 justfile 
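Review bot: Pinning the global IPv6 address `2a0d:6e00:1dc9:0::dead:beef` on `enp2s0` makes this host directly addressable from outside the LAN, unless something upstream filters it. Combined with the Matrix module opening TCP 4001 and binding Synapse to `::` without TLS, that puts the plain-HTTP listener on a public address. I would close that port, or bind the listener to loopback, before assigning this address. The IPv4 entry uses `prefixLength = 16` for `192.168.1.3`, which treats all of 192.168.0.0/16 as on-link. If the LAN is the usual /24, `{ address = "192.168.1.3"; prefixLength = 24; }` matches it.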
diff --git a/justfile b/justfile new file mode 100644 index 0000000..ab466bb --- /dev/null +++ b/justfile @@ -0,0 +1,4 @@ + +try-again: + nix flake update amarth-customer-portal + nix flake check --all-systems --show-trace \ No newline at end of file diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index 276e850..f69e2bb 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,7 +31,7 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; - targets.qt.platform = mkDefault "kde6"; + targets.qt.platform = mkDefault "kde"; fonts = { serif = { From 96dc1d47e6525a403d6112bdd40a9327186086ed Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 8 Oct 2025 20:21:38 +0200 Subject: [PATCH 121/251] update deps --- flake.lock | 174 ++++++++++++++++++++++++++--------------------------- 1 file changed, 87 insertions(+), 87 deletions(-) diff --git a/flake.lock b/flake.lock index 528d3cd..97e955b 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1757697130, - "narHash": "sha256-xEL7Ou/TQ1gYz4EXTwWOuMbySDNak9aTZHggjgWIh3E=", + "lastModified": 1759842236, + "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "e15b6c60f9d93ef0dcfdd7d333b234fbe225288d", + "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", "type": "github" }, "original": { @@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1758091097, - "narHash": "sha256-p2FIwAaUCoKY9mZSPAMQYQ7CwwhfvGC4VIfLapAdfOE=", + "lastModified": 1759732757, + "narHash": "sha256-RUR2yXYbKSoDvI/JdH0AvojFjhCfxBXOA/BtGUpaoR0=", "owner": "nix-community", "repo": "fenix", - "rev": "b60fe116b9495df516f57837bb04a4f89f3aa7ed", + "rev": "1d3600dda5c27ddbc9c424bb4edae744bdb9b14d", "type": "github" }, "original": { 
@@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1758026061, - "narHash": "sha256-C9k9zXbQrXCA4mgaEwpV8YyOWz/hLEc+Yu0GGWf3SVs=", + "lastModified": 1759927047, + "narHash": "sha256-B+uj2hquUMs+TND/8Q18oPBMZuROZXSOmebw6KxczhU=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "3ec1499fdac54c0d3e14d6a69470cfe267b364a9", + "rev": "b609976b0eee8b774b97a75cb4e85b4625b6669a", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1756083905, - "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=", + "lastModified": 1758112371, + "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808", + "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", "type": "github" }, "original": { @@ -230,11 +230,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1759362264, + "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "type": "github" }, "original": { @@ -433,11 +433,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1758132240, - "narHash": "sha256-Pie3Hfqc9MMUmzSj17ikYsF+DWbJt0TWcmROaQkyliw=", + "lastModified": 1759784366, + "narHash": "sha256-q+V22+67JYhsplUaimsDDX+oPaYke5f0UGewDiB9Vgc=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "aee341588eb2cd23ba0ca2c8c4e36a74c81e9676", + "rev": "e7d38a60b679a556201a29b94a60d996369f996d", "type": "github" }, "original": { 
@@ -453,11 +453,11 @@ ] }, "locked": { - "lastModified": 1758119172, - "narHash": "sha256-LnVuGLf0PJHqqIHroxEzwXS57mjAdHSrXi0iODKbbiU=", + "lastModified": 1759853171, + "narHash": "sha256-uqbhyXtqMbYIiMqVqUhNdSuh9AEEkiasoK3mIPIVRhk=", "owner": "nix-community", "repo": "home-manager", - "rev": "9f408dc51c8e8216a94379e6356bdadbe8b4fef9", + "rev": "1a09eb84fa9e33748432a5253102d01251f72d6d", "type": "github" }, "original": { @@ -495,11 +495,11 @@ ] }, "locked": { - "lastModified": 1757230583, - "narHash": "sha256-4uqu7sFPOaVTCogsxaGMgbzZ2vK40GVGMfUmrvK3/LY=", + "lastModified": 1759815224, + "narHash": "sha256-HbdOyjqHm38j6o5mV24i0bn+r5ykS+VJBnWJuZ0fE+A=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "fc3960e6c32c9d4f95fff2ef84444284d24d3bea", + "rev": "ee974f496a080c61b3164992c850f43741edcc52", "type": "github" }, "original": { @@ -529,11 +529,11 @@ }, "mnw": { "locked": { - "lastModified": 1756659871, - "narHash": "sha256-v6Rh4aQ6RKjM2N02kK9Usn0Ix7+OY66vNpeklc1MnGE=", + "lastModified": 1758834834, + "narHash": "sha256-Y7IvY4F8vajZyp3WGf+KaiIVwondEkMFkt92Cr9NZmg=", "owner": "Gerg-L", "repo": "mnw", - "rev": "ed6cc3e48557ba18266e598a5ebb6602499ada16", + "rev": "cfbc7d1cc832e318d0863a5fc91d940a96034001", "type": "github" }, "original": { @@ -571,11 +571,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1758073856, - "narHash": "sha256-2KU4Sb2WynjwKQ/+MkKjc6mpCiGfuRRQozR267cK8WI=", + "lastModified": 1758765258, + "narHash": "sha256-orU21BYUJn/7zMhIYbY7T5EDqZ8NtRMSH/f8Qtu047Q=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "e8c58a920fb430a70498b3c517fd91c768423c4b", + "rev": "5a6c66b90ab4519b7578b54300abc308008c544e", "type": "github" }, "original": { 
@@ -643,11 +643,11 @@ ] }, "locked": { - "lastModified": 1758123407, - "narHash": "sha256-4qwMlR0Q4Zr2rjUFauYIldfjzffYt3G5tZ1uPFPPYGU=", + "lastModified": 1759833546, + "narHash": "sha256-rOfkgIiiZNPUbf61OqEym60wXEODeDG8XH+gV/SUoUc=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "ba2b3b6c0bc42442559a3b090f032bc8d501f5e3", + "rev": "7c0c0f4c3a51761434f18209fa9499b8579ff730", "type": "github" }, "original": { @@ -658,11 +658,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1756686622, - "narHash": "sha256-7RIjltx7tQAr/pDmcb/zNNgRtUDlXh+EppSEqD4IIa8=", + "lastModified": 1759360550, + "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "23da0aa9ec413ed894af3fdc6313e6b8ff623833", + "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", "type": "github" }, "original": { @@ -689,11 +689,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1758012326, - "narHash": "sha256-5xX26DjtxxFAw4IyZATzUs2UYghdmcpyZ93whojp828=", + "lastModified": 1759860509, + "narHash": "sha256-c7eJvqAlWLhwNc9raHkQ7mvoFbHLUO/cLMrww1ds4Zg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1bc4de0728f2eb1602fc5cce4122f2e999bc9d35", + "rev": "b574dcadf3fb578dee8d104b565bd745a5a9edc0", "type": "github" }, "original": { @@ -721,11 +721,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1758141327, - "narHash": "sha256-s21soW4Y0C+unFk4zfQc33npYfW9dV5GOE6zjofn2vc=", + "lastModified": 1759946387, + "narHash": "sha256-osFkgEOTMn7OkodiJWsW2gBoG6SUYEeTjnJ0w3xhTUE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f6bf53c73226d0809b9f1e5bcf9a58ba00234738", + "rev": "5515ead7186c905b21b9858706b4d8e965df507f", "type": "github" }, "original": { 
@@ -753,11 +753,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1757745802, - "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=", + "lastModified": 1759831965, + "narHash": "sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH+47XEBo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1", + "rev": "c9b6fb798541223bbb396d287d16f43520250518", "type": "github" }, "original": { @@ -769,11 +769,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1756696532, - "narHash": "sha256-6FWagzm0b7I/IGigOv9pr6LL7NQ86mextfE8g8Q6HBg=", + "lastModified": 1759386674, + "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "58dcbf1ec551914c3756c267b8b9c8c86baa1b2f", + "rev": "625ad6366178f03acd79f9e3822606dd7985b657", "type": "github" }, "original": { @@ -785,11 +785,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1757746433, - "narHash": "sha256-fEvTiU4s9lWgW7mYEU/1QUPirgkn+odUBTaindgiziY=", + "lastModified": 1759570798, + "narHash": "sha256-kbkzsUKYzKhuvMOuxt/aTwWU2mnrwoY964yN3Y4dE98=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6d7ec06d6868ac6d94c371458fc2391ded9ff13d", + "rev": "0d4f673a88f8405ae14484e6a1ea870e0ba4ca26", "type": "github" }, "original": { @@ -801,11 +801,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1756819007, - "narHash": "sha256-12V64nKG/O/guxSYnr5/nq1EfqwJCdD2+cIGmhz3nrE=", + "lastModified": 1758690382, + "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "aaff8c16d7fc04991cac6245bee1baa31f72b1e1", + "rev": "e643668fd71b949c53f8626614b21ff71a07379d", "type": "github" }, "original": { 
@@ -827,11 +827,11 @@ ] }, "locked": { - "lastModified": 1756961635, - "narHash": "sha256-hETvQcILTg5kChjYNns1fD5ELdsYB/VVgVmBtqKQj9A=", + "lastModified": 1758998580, + "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", "owner": "nix-community", "repo": "NUR", - "rev": "6ca27b2654ac55e3f6e0ca434c1b4589ae22b370", + "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", "type": "github" }, "original": { @@ -849,11 +849,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1757955071, - "narHash": "sha256-owSpkt551cIqDDk5iHesdEus9REFeOIY3rY4C5ZPm/Y=", + "lastModified": 1759942631, + "narHash": "sha256-guXaJ4ktb5DW2RrtRhThX6PyH5A2wW+XTJ4Qu1AEXhA=", "owner": "notashelf", "repo": "nvf", - "rev": "1bd9fc116420db4c1156819d61df5d5312e1bbea", + "rev": "314962bcb4d4da82c53ab343da1b09cffaa68c61", "type": "github" }, "original": { @@ -872,11 +872,11 @@ ] }, "locked": { - "lastModified": 1756632588, - "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", + "lastModified": 1759321049, + "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", + "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", "type": "github" }, "original": { @@ -911,11 +911,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1757362324, - "narHash": "sha256-/PAhxheUq4WBrW5i/JHzcCqK5fGWwLKdH6/Lu1tyS18=", + "lastModified": 1759691178, + "narHash": "sha256-O11yp/in47Ef1jLsEgNACXuziuRSSV4RAuxIWTdKI9w=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "9edc9cbe5d8e832b5864e09854fa94861697d2fd", + "rev": "f0b496cbc774f589de0d46bb9c291ff7ff0329da", "type": "github" }, "original": { 
@@ -933,11 +933,11 @@ ] }, "locked": { - "lastModified": 1758076341, - "narHash": "sha256-ZKi6pyRDw2/3xU7qxd+2+lneQXUOe92TiF+10DflolM=", + "lastModified": 1759890791, + "narHash": "sha256-KN1xkrQ4x6u8plgg43ZiYbQmESxeCKKOzALKjqbn4LM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "562fb6f14678eb9b8a36829140f6a4d0737776d2", + "rev": "74fcbc183aa6685f86008606bb7824bf2f40adbd", "type": "github" }, "original": { @@ -973,11 +973,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1758007585, - "narHash": "sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c=", + "lastModified": 1759635238, + "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f77d4cfa075c3de66fc9976b80e0c4fc69e2c139", + "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133", "type": "github" }, "original": { @@ -1005,11 +1005,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1757956156, - "narHash": "sha256-f0W7qbsCqpi6swQ5w8H+0YrAbNwsHgCFDkNRMTJjqrE=", + "lastModified": 1759690047, + "narHash": "sha256-Vlpa0d1xOgPO9waHwxJNi6LcD2PYqB3EjwLRtSxXlHc=", "owner": "nix-community", "repo": "stylix", - "rev": "0ce0103b498bb22f899ed8862d8d7f9503ed9cdb", + "rev": "09022804b2bcd217f3a41a644d26b23d30375d12", "type": "github" }, "original": { @@ -1144,11 +1144,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1754779259, - "narHash": "sha256-8KG2lXGaXLUE0F/JVwLQe7kOVm21IDfNEo0gfga5P4M=", + "lastModified": 1757716333, + "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", "owner": "tinted-theming", "repo": "schemes", - "rev": "097d751b9e3c8b97ce158e7d141e5a292545b502", + "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", "type": "github" }, "original": { 
@@ -1160,11 +1160,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1754788770, - "narHash": "sha256-LAu5nBr7pM/jD9jwFc6/kyFY4h7Us4bZz7dvVvehuwo=", + "lastModified": 1757811970, + "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "fb2175accef8935f6955503ec9dd3c973eec385c", + "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", "type": "github" }, "original": { @@ -1176,11 +1176,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1755613540, - "narHash": "sha256-zBFrrTxHLDMDX/OYxkCwGGbAhPXLi8FrnLhYLsSOKeY=", + "lastModified": 1757811247, + "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "937bada16cd3200bdbd3a2f5776fc3b686d5cba0", + "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", "type": "github" }, "original": { @@ -1197,11 +1197,11 @@ ] }, "locked": { - "lastModified": 1758140427, - "narHash": "sha256-c23dzaQm2s57MN1kB3P5wORzIy0Ux0HMizBCQSPU8Fg=", + "lastModified": 1759900726, + "narHash": "sha256-DXgznNT8CA50WUIlQkI5BsEqNcbPDFF+26PPRYeB3sA=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "a22c92d3424bacc159e7fbd1fb679e52396f0022", + "rev": "8ce7d926dbec820ab5686d599bc6a1bd19ed1273", "type": "github" }, "original": { From ce2002884e751465fa5a13160a49823a6a8f0dea Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 8 Oct 2025 20:25:39 +0200 Subject: [PATCH 122/251] fix updated option --- modules/nixos/hardware/gpu/amd/default.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/nixos/hardware/gpu/amd/default.nix b/modules/nixos/hardware/gpu/amd/default.nix index 68db574..cdc9d1e 100644 --- a/modules/nixos/hardware/gpu/amd/default.nix +++ b/modules/nixos/hardware/gpu/amd/default.nix @@ -17,11 +17,6 @@ in }; amdgpu = { - amdvlk = { - enable = true; - support32Bit.enable = true; - }; - initrd.enable = true; }; }; 
From 22383b005a224fecadc1b8f6432a2f9d74f87064 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 8 Oct 2025 20:35:16 +0200 Subject: [PATCH 123/251] renamed options --- modules/home/shell/toolset/git/default.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/home/shell/toolset/git/default.nix b/modules/home/shell/toolset/git/default.nix index 3edfb60..299b2a6 100644 --- a/modules/home/shell/toolset/git/default.nix +++ b/modules/home/shell/toolset/git/default.nix @@ -31,9 +31,11 @@ in package = pkgs.gitFull; difftastic = { enable = true; - background = "dark"; - color = "always"; - display = "inline"; + options = { + background = "dark"; + color = "always"; + display = "inline"; + }; }; ignores = [ From d7dc0c1428bd8c2751bde7a0abea937a437c258f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 14 Oct 2025 18:33:28 +0200 Subject: [PATCH 124/251] update deps --- flake.lock | 109 +++++++++++++++++++++++++++-------------------------- 1 file changed, 55 insertions(+), 54 deletions(-) diff --git a/flake.lock b/flake.lock index 97e955b..0f6b5fd 100644 --- a/flake.lock +++ b/flake.lock @@ -21,16 +21,17 @@ "base16-fish": { "flake": false, "locked": { - "lastModified": 1622559957, - "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", + "lastModified": 1754405784, + "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=", "owner": "tomyun", "repo": "base16-fish", - "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", + "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", "type": "github" }, "original": { "owner": "tomyun", "repo": "base16-fish", + "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", "type": "github" } }, 
@@ -94,11 +95,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1759732757, - "narHash": "sha256-RUR2yXYbKSoDvI/JdH0AvojFjhCfxBXOA/BtGUpaoR0=", + "lastModified": 1760424233, + "narHash": "sha256-8jLfVik1ccwmacVW5BlprmsuK534rT5HjdPhkSaew44=", "owner": "nix-community", "repo": "fenix", - "rev": "1d3600dda5c27ddbc9c424bb4edae744bdb9b14d", + "rev": "48a763cdc0b2d07199a021de99c2ca50af76e49f", "type": "github" }, "original": { @@ -114,11 +115,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1759927047, - "narHash": "sha256-B+uj2hquUMs+TND/8Q18oPBMZuROZXSOmebw6KxczhU=", + "lastModified": 1760448784, + "narHash": "sha256-C3Q8dUspgTLyCgo+WbmuPjOqRyToj/RyOKgoYdVaWCk=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "b609976b0eee8b774b97a75cb4e85b4625b6669a", + "rev": "7fc4743ff124f7eef21cfbaf92ced47e997a19ca", "type": "github" }, "original": { @@ -433,11 +434,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1759784366, - "narHash": "sha256-q+V22+67JYhsplUaimsDDX+oPaYke5f0UGewDiB9Vgc=", + "lastModified": 1760385966, + "narHash": "sha256-Wy6uaCERp2Hvh+lFkdg9Z1z5j8/asZ5zbhI1q2eYv98=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "e7d38a60b679a556201a29b94a60d996369f996d", + "rev": "4361431c4c69af34f75aa74cdb18625c4dbc3f7e", "type": "github" }, "original": { @@ -453,11 +454,11 @@ ] }, "locked": { - "lastModified": 1759853171, - "narHash": "sha256-uqbhyXtqMbYIiMqVqUhNdSuh9AEEkiasoK3mIPIVRhk=", + "lastModified": 1760312644, + "narHash": "sha256-U9SkK45314urw9P7MmjhEgiQwwD/BTj+T3HTuz1JU1Q=", "owner": "nix-community", "repo": "home-manager", - "rev": "1a09eb84fa9e33748432a5253102d01251f72d6d", + "rev": "e121f3773fa596ecaba5b22e518936a632d72a90", "type": "github" }, "original": { 
@@ -495,11 +496,11 @@ ] }, "locked": { - "lastModified": 1759815224, - "narHash": "sha256-HbdOyjqHm38j6o5mV24i0bn+r5ykS+VJBnWJuZ0fE+A=", + "lastModified": 1760266702, + "narHash": "sha256-TP19RpzIyo1JeYAhKii13seYwmhkv7IOD+dCnQOrcgQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "ee974f496a080c61b3164992c850f43741edcc52", + "rev": "3d7e970d4cac5d3ee3fe7cafa17cc9868fa21fed", "type": "github" }, "original": { @@ -571,11 +572,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1758765258, - "narHash": "sha256-orU21BYUJn/7zMhIYbY7T5EDqZ8NtRMSH/f8Qtu047Q=", + "lastModified": 1760406860, + "narHash": "sha256-f8BSmC/juCHkptH7MCI/6rAbgFjnvuNpZFaM79Cz7gI=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "5a6c66b90ab4519b7578b54300abc308008c544e", + "rev": "d7faac42b9378fb328c075d0009bf5360c3b70a3", "type": "github" }, "original": { @@ -643,11 +644,11 @@ ] }, "locked": { - "lastModified": 1759833546, - "narHash": "sha256-rOfkgIiiZNPUbf61OqEym60wXEODeDG8XH+gV/SUoUc=", + "lastModified": 1760454217, + "narHash": "sha256-qG4cQaYRKrAMj4OjISYYoWqJc+xcoJnLx2jsws7EdGg=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "7c0c0f4c3a51761434f18209fa9499b8579ff730", + "rev": "a8209ae46721f2a70214d0a70388a812ec7740da", "type": "github" }, "original": { @@ -689,11 +690,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1759860509, - "narHash": "sha256-c7eJvqAlWLhwNc9raHkQ7mvoFbHLUO/cLMrww1ds4Zg=", + "lastModified": 1760435515, + "narHash": "sha256-E9D5sWHmPCmWsrCB3Jogvr/7ODiVaKynDrOpG4ba2tI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b574dcadf3fb578dee8d104b565bd745a5a9edc0", + "rev": "db25466bd95abdbe3012be2900a5562fcfb95d51", "type": "github" }, "original": { 
@@ -721,11 +722,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1759946387, - "narHash": "sha256-osFkgEOTMn7OkodiJWsW2gBoG6SUYEeTjnJ0w3xhTUE=", + "lastModified": 1760459309, + "narHash": "sha256-jEf6CyFUeKxnivJegy4z1AfJplv+PR3+2SpLfAiV0sc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5515ead7186c905b21b9858706b4d8e965df507f", + "rev": "e657b896620d59da27648042cbe13a29e688ef8a", "type": "github" }, "original": { @@ -753,11 +754,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1759831965, - "narHash": "sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH+47XEBo=", + "lastModified": 1760284886, + "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c9b6fb798541223bbb396d287d16f43520250518", + "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", "type": "github" }, "original": { @@ -785,11 +786,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1759570798, - "narHash": "sha256-kbkzsUKYzKhuvMOuxt/aTwWU2mnrwoY964yN3Y4dE98=", + "lastModified": 1760164275, + "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0d4f673a88f8405ae14484e6a1ea870e0ba4ca26", + "rev": "362791944032cb532aabbeed7887a441496d5e6e", "type": "github" }, "original": { @@ -849,11 +850,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1759942631, - "narHash": "sha256-guXaJ4ktb5DW2RrtRhThX6PyH5A2wW+XTJ4Qu1AEXhA=", + "lastModified": 1760153667, + "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", "owner": "notashelf", "repo": "nvf", - "rev": "314962bcb4d4da82c53ab343da1b09cffaa68c61", + "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", "type": "github" }, "original": { 
@@ -911,11 +912,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1759691178, - "narHash": "sha256-O11yp/in47Ef1jLsEgNACXuziuRSSV4RAuxIWTdKI9w=", + "lastModified": 1760260966, + "narHash": "sha256-pOVvZz/aa+laeaUKyE6PtBevdo4rywMwjhWdSZE/O1c=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "f0b496cbc774f589de0d46bb9c291ff7ff0329da", + "rev": "c5181dbbe33af6f21b9d83e02fdb6fda298a3b65", "type": "github" }, "original": { @@ -933,11 +934,11 @@ ] }, "locked": { - "lastModified": 1759890791, - "narHash": "sha256-KN1xkrQ4x6u8plgg43ZiYbQmESxeCKKOzALKjqbn4LM=", + "lastModified": 1760409263, + "narHash": "sha256-GvcdHmY3nZnU6GnUkEG1a7pDZPgFcuN+zGv3OgvfPH0=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "74fcbc183aa6685f86008606bb7824bf2f40adbd", + "rev": "5694018463c2134e2369996b38deed41b1b9afc1", "type": "github" }, "original": { @@ -973,11 +974,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1759635238, - "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=", + "lastModified": 1760393368, + "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", "owner": "Mic92", "repo": "sops-nix", - "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133", + "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", "type": "github" }, "original": { @@ -1005,11 +1006,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1759690047, - "narHash": "sha256-Vlpa0d1xOgPO9waHwxJNi6LcD2PYqB3EjwLRtSxXlHc=", + "lastModified": 1760350849, + "narHash": "sha256-JqcM5Pkm5q1c9D5zpINJsN1yCB4Vq1cL12ZuFyo32T4=", "owner": "nix-community", "repo": "stylix", - "rev": "09022804b2bcd217f3a41a644d26b23d30375d12", + "rev": "7b4957d716f4fb615bf0e37d3b23c112579b1408", "type": "github" }, "original": { 
@@ -1197,11 +1198,11 @@ ] }, "locked": { - "lastModified": 1759900726, - "narHash": "sha256-DXgznNT8CA50WUIlQkI5BsEqNcbPDFF+26PPRYeB3sA=", + "lastModified": 1760426393, + "narHash": "sha256-wKiqhDgXwicdVNSJGwJPeTxnNPhzKcy9RqptzFcdFe4=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "8ce7d926dbec820ab5686d599bc6a1bd19ed1273", + "rev": "0618a22e6fb6f13181807f0e14087192d459b2a0", "type": "github" }, "original": { From ac0a2d523e7965d0cced677a16cec5ea7c15c8d3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 15 Oct 2025 21:18:12 +0200 Subject: [PATCH 125/251] . --- justfile => .justfile | 0 flake.lock | 78 ++++++++++----------- modules/home/shell/default.nix | 1 + modules/home/shell/toolset/just/default.nix | 15 ++++ modules/home/themes/default.nix | 2 +- modules/nixos/desktop/plasma/default.nix | 13 +++- systems/x86_64-linux/manwe/default.nix | 2 + systems/x86_64-linux/manwe/disks.nix | 10 +-- 8 files changed, 75 insertions(+), 46 deletions(-) rename justfile => .justfile (100%) create mode 100644 modules/home/shell/toolset/just/default.nix diff --git a/justfile b/.justfile similarity index 100% rename from justfile rename to .justfile diff --git a/flake.lock b/flake.lock index 0f6b5fd..2bc7385 100644 --- a/flake.lock +++ b/flake.lock @@ -95,11 +95,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1760424233, - "narHash": "sha256-8jLfVik1ccwmacVW5BlprmsuK534rT5HjdPhkSaew44=", + "lastModified": 1760510549, + "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", "owner": "nix-community", "repo": "fenix", - "rev": "48a763cdc0b2d07199a021de99c2ca50af76e49f", + "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", "type": "github" }, "original": { 
@@ -115,11 +115,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1760448784, - "narHash": "sha256-C3Q8dUspgTLyCgo+WbmuPjOqRyToj/RyOKgoYdVaWCk=", + "lastModified": 1760548798, + "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "7fc4743ff124f7eef21cfbaf92ced47e997a19ca", + "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", "type": "github" }, "original": { @@ -434,11 +434,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1760385966, - "narHash": "sha256-Wy6uaCERp2Hvh+lFkdg9Z1z5j8/asZ5zbhI1q2eYv98=", + "lastModified": 1760546650, + "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "4361431c4c69af34f75aa74cdb18625c4dbc3f7e", + "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", "type": "github" }, "original": { @@ -454,11 +454,11 @@ ] }, "locked": { - "lastModified": 1760312644, - "narHash": "sha256-U9SkK45314urw9P7MmjhEgiQwwD/BTj+T3HTuz1JU1Q=", + "lastModified": 1760500983, + "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", "owner": "nix-community", "repo": "home-manager", - "rev": "e121f3773fa596ecaba5b22e518936a632d72a90", + "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", "type": "github" }, "original": { @@ -496,11 +496,11 @@ ] }, "locked": { - "lastModified": 1760266702, - "narHash": "sha256-TP19RpzIyo1JeYAhKii13seYwmhkv7IOD+dCnQOrcgQ=", + "lastModified": 1760534924, + "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "3d7e970d4cac5d3ee3fe7cafa17cc9868fa21fed", + "rev": "100b4e000032b865563a9754e5bca189bc544764", "type": "github" }, "original": { 
@@ -572,11 +572,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1760406860, - "narHash": "sha256-f8BSmC/juCHkptH7MCI/6rAbgFjnvuNpZFaM79Cz7gI=", + "lastModified": 1760493654, + "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "d7faac42b9378fb328c075d0009bf5360c3b70a3", + "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", "type": "github" }, "original": { @@ -644,11 +644,11 @@ ] }, "locked": { - "lastModified": 1760454217, - "narHash": "sha256-qG4cQaYRKrAMj4OjISYYoWqJc+xcoJnLx2jsws7EdGg=", + "lastModified": 1760536587, + "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "a8209ae46721f2a70214d0a70388a812ec7740da", + "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", "type": "github" }, "original": { @@ -690,11 +690,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1760435515, - "narHash": "sha256-E9D5sWHmPCmWsrCB3Jogvr/7ODiVaKynDrOpG4ba2tI=", + "lastModified": 1760479263, + "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "db25466bd95abdbe3012be2900a5562fcfb95d51", + "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", "type": "github" }, "original": { @@ -722,11 +722,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760459309, - "narHash": "sha256-jEf6CyFUeKxnivJegy4z1AfJplv+PR3+2SpLfAiV0sc=", + "lastModified": 1760548845, + "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e657b896620d59da27648042cbe13a29e688ef8a", + "rev": "631597d659c37aa267eed8334271d5205244195e", "type": "github" }, "original": { 
@@ -912,11 +912,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1760260966, - "narHash": "sha256-pOVvZz/aa+laeaUKyE6PtBevdo4rywMwjhWdSZE/O1c=", + "lastModified": 1760457219, + "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "c5181dbbe33af6f21b9d83e02fdb6fda298a3b65", + "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", "type": "github" }, "original": { @@ -934,11 +934,11 @@ ] }, "locked": { - "lastModified": 1760409263, - "narHash": "sha256-GvcdHmY3nZnU6GnUkEG1a7pDZPgFcuN+zGv3OgvfPH0=", + "lastModified": 1760495781, + "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "5694018463c2134e2369996b38deed41b1b9afc1", + "rev": "11e0852a2aa3a65955db5824262d76933750e299", "type": "github" }, "original": { @@ -1006,11 +1006,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760350849, - "narHash": "sha256-JqcM5Pkm5q1c9D5zpINJsN1yCB4Vq1cL12ZuFyo32T4=", + "lastModified": 1760472212, + "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", "owner": "nix-community", "repo": "stylix", - "rev": "7b4957d716f4fb615bf0e37d3b23c112579b1408", + "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", "type": "github" }, "original": { @@ -1198,11 +1198,11 @@ ] }, "locked": { - "lastModified": 1760426393, - "narHash": "sha256-wKiqhDgXwicdVNSJGwJPeTxnNPhzKcy9RqptzFcdFe4=", + "lastModified": 1760466542, + "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "0618a22e6fb6f13181807f0e14087192d459b2a0", + "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", "type": "github" }, "original": { diff --git a/modules/home/shell/default.nix b/modules/home/shell/default.nix index d1df4cb..9968e54 100644 --- a/modules/home/shell/default.nix +++ b/modules/home/shell/default.nix 
@@ -17,6 +17,7 @@ in eza.enable = true; fzf.enable = true; git.enable = true; + just.enable = true; starship.enable = true; tmux.enable = true; yazi.enable = true; diff --git a/modules/home/shell/toolset/just/default.nix b/modules/home/shell/toolset/just/default.nix new file mode 100644 index 0000000..e956b2a --- /dev/null +++ b/modules/home/shell/toolset/just/default.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkEnableOption mkIf; + + cfg = config.${namespace}.shell.toolset.just; +in +{ + options.${namespace}.shell.toolset.just = { + enable = mkEnableOption "version-control system"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ just gum ]; + }; +} diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index f69e2bb..ede7c53 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,7 +31,7 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; - targets.qt.platform = mkDefault "kde"; +# targets.qt.platform = mkDefault "kde"; fonts = { serif = { diff --git a/modules/nixos/desktop/plasma/default.nix b/modules/nixos/desktop/plasma/default.nix index 11c0cd9..d1e2a28 100644 --- a/modules/nixos/desktop/plasma/default.nix +++ b/modules/nixos/desktop/plasma/default.nix @@ -12,7 +12,18 @@ in }; config = mkIf cfg.enable { - environment.plasma6.excludePackages = with pkgs.kdePackages; [ konsole kate ghostwriter oxygen ]; + environment.plasma6.excludePackages = with pkgs.kdePackages; [ + elisa + kmahjongg + kmines + konversation + kpat + ksudoku + konsole + kate + ghostwriter + oxygen + ]; environment.sessionVariables.NIXOS_OZONE_WL = "1"; services = { diff --git a/systems/x86_64-linux/manwe/default.nix b/systems/x86_64-linux/manwe/default.nix index 76d4e6d..c2d9978 100644 --- a/systems/x86_64-linux/manwe/default.nix +++ b/systems/x86_64-linux/manwe/default.nix 
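Review bot: In the new `modules/home/shell/toolset/just/default.nix`, the option description `mkEnableOption "version-control system"` looks copied from the git module and will show up as "Whether to enable version-control system" in the generated option docs. Describe what the module really installs, e.g. `enable = mkEnableOption "the just command runner (with gum)";`. `gum` is pulled in alongside `just` without explanation, so a one-line comment such as `# gum: interactive prompts used by recipes in .justfile` would help, if that is indeed why it is there.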
@@ -5,6 +5,8 @@ ./hardware.nix ]; + system.activationScripts.remove-gtkrc.text = "rm -f /home/chris/.gtkrc-2.0"; + sneeuwvlok = { hardware.has = { gpu.amd = true; diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index d68db6a..f33ec71 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix @@ -8,7 +8,7 @@ in swapDevices = []; boot.supportedFilesystems = [ "nfs" ]; - + fileSystems = { "/" = { device = "/dev/disk/by-label/nixos"; @@ -26,9 +26,9 @@ in fsType = "nfs"; }; - "/home/chris/mandos" = { - device = "mandos:/"; - fsType = "nfs"; - }; + # "/home/chris/mandos" = { + # device = "mandos:/"; + # fsType = "nfs"; + # }; }; } From 09a004ad9aec34c31b3f206ecdfe670691cdc633 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 9 Oct 2025 10:45:32 +0200 Subject: [PATCH 126/251] fix some ulmo config --- systems/x86_64-linux/ulmo/default.nix | 24 +++++++++++++++++------- systems/x86_64-linux/ulmo/disks.nix | 4 +--- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0f3ac1c..a601960 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -5,14 +5,24 @@ ./hardware.nix ]; - networking.interfaces.enp2s0 = { - ipv6.addresses = [ - { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } - ]; + networking = { + interfaces.enp2s0 = { + ipv6.addresses = [ + { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } + ]; - ipv4.addresses = [ - { address = "192.168.1.3"; prefixLength = 16; } - ]; + useDHCP = true; + }; + + defaultGateway = { + address = "192.168.1.1"; + interface = "enp2s0"; + }; + + defaultGateway6 = { + address = "fe80::1"; + interface = "enp2s0"; + }; }; sneeuwvlok = { diff --git a/systems/x86_64-linux/ulmo/disks.nix b/systems/x86_64-linux/ulmo/disks.nix index a4033f7..0b272f4 100644 --- a/systems/x86_64-linux/ulmo/disks.nix 
+++ b/systems/x86_64-linux/ulmo/disks.nix @@ -5,9 +5,7 @@ in { # TODO :: Implement disko at some point - swapDevices = [ - { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; } - ]; + swapDevices = []; boot.supportedFilesystems = [ "nfs" ]; From 6111ec165b69580cd0e6deffb8ec95a25eef722d Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 16 Oct 2025 14:53:29 +0200 Subject: [PATCH 127/251] move zitadel back to kruining.eu --- modules/nixos/services/authentication/zitadel/default.nix | 8 ++++---- modules/nixos/services/communication/matrix/default.nix | 4 ++-- modules/nixos/services/media/homer/default.nix | 2 +- modules/nixos/services/observability/grafana/default.nix | 6 +++--- modules/nixos/services/security/vaultwarden/default.nix | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 7edccc1..3b2a4a3 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -28,7 +28,7 @@ in settings = { Port = 9092; - ExternalDomain = "auth.amarth.cloud"; + ExternalDomain = "auth.kruining.eu"; ExternalPort = 443; ExternalSecure = true; @@ -60,7 +60,7 @@ in SMTPConfiguration = { SMTP = { Host = "black-mail.nl:587"; - User = "info@amarth.cloud"; + User = "chris@kruining.eu"; Password = "__TODO_USE_SOPS__"; }; FromName = "Amarth Zitadel"; @@ -84,7 +84,7 @@ in }; steps = { FirstInstance = { - InstanceName = "auth.amarth.cloud"; + InstanceName = "auth.kruining.eu"; Org = { Name = "Amarth"; Human = { @@ -116,7 +116,7 @@ in caddy = { enable = true; virtualHosts = { - "auth.amarth.cloud".extraConfig = '' + "auth.kruining.eu".extraConfig = '' reverse_proxy h2c://127.0.0.1:9092 ''; }; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index d0c6e45..38dfe0c 100644 
--- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -55,7 +55,7 @@ in idp_id = "zitadel"; idp_name = "Zitadel"; - issuer = "https://auth.amarth.cloud"; + issuer = "https://auth.kruining.eu"; client_id = "337858153251143939"; client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; scopes = [ "openid" "profile" ]; @@ -159,7 +159,7 @@ in }; client = { "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.amarth.cloud"; + "m.identity_server".base_url = "https://auth.kruining.eu"; }; in { "${domain}".extraConfig = '' diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 8fd0ac6..41535cd 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -37,7 +37,7 @@ in name = "Zitadel"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; tag = "app"; - url = "https://auth.amarth.cloud"; + url = "https://auth.kruining.eu"; target = "_blank"; } diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index c399729..6503493 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix 
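Review bot: The `client_secret` literal two lines below the changed `issuer` stays committed in clear text, and as a Nix string it also lands in the world-readable store on the host. Since this commit re-points the client at a different issuer, it is a natural moment to rotate that secret and load it from the sops-managed secrets file rather than from module source; if the homeserver is Synapse, its `client_secret_path` setting is the usual way, but that should be confirmed against the service configured outside this hunk. Separately, the second hunk sets `"m.identity_server".base_url` to the Zitadel URL; that well-known field normally names a Matrix identity server rather than an OIDC issuer, so it is worth checking whether it belongs there at all.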
@@ -42,9 +42,9 @@ in login_attribute_path = "username"; name_attribute_path = "full_name"; role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; - auth_url = "https://auth.amarth.cloud/oauth/v2/authorize"; - token_url = "https://auth.amarth.cloud/oauth/v2/token"; - api_url = "https://auth.amarth.cloud/oidc/v1/userinfo"; + auth_url = "https://auth.kruining.eu/oauth/v2/authorize"; + token_url = "https://auth.kruining.eu/oauth/v2/token"; + api_url = "https://auth.kruining.eu/oidc/v1/userinfo"; allow_sign_up = true; auto_login = true; use_pkce = true; diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index db8e162..de50be7 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -39,7 +39,7 @@ in SSO_ROLES_ENABLED = true; SSO_ORGANIZATIONS_ENABLED = true; SSO_ORGANIZATIONS_REVOCATION = true; - SSO_AUTHORITY = "https://auth.amarth.cloud/"; + SSO_AUTHORITY = "https://auth.kruining.eu/"; SSO_SCOPES = "email profile offline_access"; SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; SSO_CLIENT_ID = "335178854421299459"; @@ -52,9 +52,9 @@ in SMTP_HOST = "black-mail.nl"; SMTP_PORT = 587; SMTP_SECURITY = "starttls"; - SMTP_USERNAME = "info@amarth.cloud"; + SMTP_USERNAME = "chris@kruining.eu"; SMTP_PASSWORD = ""; - SMTP_FROM = "info@amarth.cloud"; + SMTP_FROM = "chris@kruining.eu"; SMTP_FROM_NAME = "Chris' Vaultwarden"; }; }; From f62fa502db83408678f7ced236db4f745bd13416 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 20 Oct 2025 10:28:23 +0200 Subject: [PATCH 128/251] fix zitadel --- .justfile | 5 ++++- modules/nixos/services/authentication/zitadel/default.nix | 2 +- systems/x86_64-linux/ulmo/default.nix | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) 
diff --git a/.justfile b/.justfile index ab466bb..67ac3a4 100644 --- a/.justfile +++ b/.justfile @@ -1,4 +1,7 @@ try-again: nix flake update amarth-customer-portal - nix flake check --all-systems --show-trace \ No newline at end of file + nix flake check --all-systems --show-trace + +update machine: + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 3b2a4a3..2693ed5 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -121,7 +121,7 @@ in ''; }; extraConfig = '' - (auth-z) { + (auth) { forward_auth h2c://127.0.0.1:9092 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index a601960..f93d7d1 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -27,7 +27,7 @@ sneeuwvlok = { services = { - authentication.authelia.enable = true; + # authentication.authelia.enable = true; authentication.zitadel.enable = true; communication.matrix.enable = true; From 81e1574023c457f20a7cb40524355164988f1b0c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 21 Oct 2025 09:01:22 +0200 Subject: [PATCH 129/251] some fixes --- .../nixos/services/authentication/zitadel/default.nix | 6 ++++-- modules/nixos/services/observability/loki/default.nix | 2 +- .../nixos/services/observability/promtail/default.nix | 8 +++++--- systems/x86_64-linux/ulmo/default.nix | 11 +++++++++++ 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 2693ed5..e0e4a59 100644 
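Review bot: After the rename, the `(auth)` snippet still points `forward_auth` at the Zitadel port 9092 with `uri /api/authz/forward-auth` and the `Remote-*` header set, which is the shape of an Authelia endpoint, and this same commit comments out `authentication.authelia.enable` in `ulmo/default.nix`. Nothing in the visible module makes Zitadel serve that path, so any site importing `(auth)` depends on how Zitadel answers an unknown URI: a non-2xx reply blocks every request, while a 2xx reply would let every request through without authentication. I would remove the snippet until a real authorization endpoint sits behind it, or at least add `# TODO: no forward-auth backend while authelia is disabled; do not import (auth)` above it. The enclosing `extraConfig` string continues outside the hunk.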
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -117,12 +117,12 @@ in enable = true; virtualHosts = { "auth.kruining.eu".extraConfig = '' - reverse_proxy h2c://127.0.0.1:9092 + reverse_proxy h2c://::1:9092 ''; }; extraConfig = '' (auth) { - forward_auth h2c://127.0.0.1:9092 { + forward_auth h2c://::1:9092 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name } @@ -130,6 +130,8 @@ in ''; }; }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets sops.secrets."zitadel/masterKey" = { diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix index 8f6e0e3..d4774ac 100644 --- a/modules/nixos/services/observability/loki/default.nix +++ b/modules/nixos/services/observability/loki/default.nix @@ -23,7 +23,7 @@ in common = { ring = { instance_addr = "127.0.0.1"; - kvstore.store = "inmmemory"; + kvstore.store = "inmemory"; }; replication_factor = 1; path_prefix = "/tmp/loki"; diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix index 1f32adc..25aabbd 100644 --- a/modules/nixos/services/observability/promtail/default.nix +++ b/modules/nixos/services/observability/promtail/default.nix @@ -29,9 +29,11 @@ in filename = "filename"; }; - clients = { - url = "http://127.0.0.1:3100/loki/api/v1/push"; - }; + clients = [ + { + url = "http://::1:9003/loki/api/v1/push"; + } + ]; scrape_configs = [ { diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index f93d7d1..0794585 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
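Review bot: The new upstream addresses use a bare IPv6 literal, `h2c://::1:9092` in both the `reverse_proxy` and the `forward_auth` line, and the promtail hunk does the same with `http://::1:9003/loki/api/v1/push`. In a URL the IPv6 host has to be bracketed, otherwise `::1:9092` is ambiguous between address and port and is likely to be rejected or misparsed; I would write `reverse_proxy h2c://[::1]:9092`, `forward_auth h2c://[::1]:9092 {` and `url = "http://[::1]:9003/loki/api/v1/push";`. The promtail port also moves from 3100 to 9003 while the Loki hunk only shows `instance_addr = "127.0.0.1"`, so it should be confirmed that Loki really listens on `::1` and on that port.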
@@ -25,6 +25,17 @@ }; }; + # Expose amarht cloud stuff like this until I have a proper solution + services.caddy.virtualHosts = { + "auth.amarth.cloud".extraConfig = '' + reverse_proxy http://192.168.1.223:9092 + ''; + + "amarth.cloud".extraConfig = '' + reverse_proxy http://192.168.1.223:8080 + ''; + }; + sneeuwvlok = { services = { # authentication.authelia.enable = true; From 1873bb717054809bafbab3a48975b540081e75e1 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 22 Oct 2025 23:26:47 +0200 Subject: [PATCH 130/251] initial implementation of terranix for zitadel. SUPER HAPPY, SUPER COOL!!! --- flake.lock | 59 ++++ flake.nix | 5 + lib/strings/default.nix | 17 + .../authentication/zitadel/default.nix | 290 ++++++++++++++++-- systems/x86_64-linux/ulmo/default.nix | 28 +- 5 files changed, 368 insertions(+), 31 deletions(-) create mode 100644 lib/strings/default.nix diff --git a/flake.lock b/flake.lock index 2bc7385..935fbaf 100644 --- a/flake.lock +++ b/flake.lock @@ -265,6 +265,27 @@ "type": "github" } }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "terranix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -906,6 +927,7 @@ "snowfall-lib": "snowfall-lib", "sops-nix": "sops-nix", "stylix": "stylix", + "terranix": "terranix", "zen-browser": "zen-browser" } }, 
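Review bot: The two added virtual hosts forward `auth.amarth.cloud` and `amarth.cloud` to `http://192.168.1.223:…`, so logins, session cookies and tokens for the identity provider cross the LAN to another machine unencrypted once Caddy has terminated TLS. If that host cannot offer TLS itself, I would record the trust assumption next to the entry, e.g. `# upstream is plain HTTP on the LAN; 9092/8080 on 192.168.1.223 must only accept this host`; the firewall on the upstream side is not visible here. The existing comment above the block also misspells the name as `amarht`.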
@@ -1109,6 +1131,43 @@ "type": "github" } }, + "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "terranix": { + "inputs": { + "flake-parts": "flake-parts_3", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems_7" + }, + "locked": { + "lastModified": 1757278723, + "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", + "owner": "terranix", + "repo": "terranix", + "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", + "type": "github" + }, + "original": { + "owner": "terranix", + "repo": "terranix", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index c659d4f..8ea1571 100644 --- a/flake.nix +++ b/flake.nix @@ -78,6 +78,11 @@ flake-compat.follows = ""; }; }; + + terranix = { + url = "github:terranix/terranix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { diff --git a/lib/strings/default.nix b/lib/strings/default.nix new file mode 100644 index 0000000..52b05e3 --- /dev/null +++ b/lib/strings/default.nix @@ -0,0 +1,17 @@ +{ lib, ...}: +let + inherit (builtins) isString typeOf; + inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; +in +{ + strings = { + toSnakeCase = + str: + throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( + str + |> splitStringBy (prev: curr: builtins.match "[a-z]" prev != null && builtins.match "[A-Z]" curr != null) true + |> map (p: toLower p) + |> concatStringsSep "_" + ); + }; +} \ No newline at end of file diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index e0e4a59..66f5fc0 100644 
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,7 @@ -{ config, lib, pkgs, namespace, ... }: +{ config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair; + inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -9,15 +10,223 @@ in { options.${namespace}.services.authentication.zitadel = { enable = mkEnableOption "Zitadel"; + + organization = mkOption { + type = types.attrsOf (types.submodule { + options = { + isDefault = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + True sets the org as default org for the instance. Only one org can be default org. + Nothing happens if you set it to false until you set another org as default org. + ''; + }; + + project = mkOption { + default = {}; + type = types.attrsOf (types.submodule { + options = { + hasProjectCheck = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + ZITADEL checks if the org of the user has permission to this project. + ''; + }; + + privateLabelingSetting = mkOption { + type = types.nullOr (types.enum [ "unspecified" "enforceProjectResourceOwnerPolicy" "allowLoginUserResourceOwnerPolicy" ]); + default = null; + example = "enforceProjectResourceOwnerPolicy"; + description = '' + Defines from where the private labeling should be triggered, + + supported values: + - unspecified + - enforceProjectResourceOwnerPolicy + - allowLoginUserResourceOwnerPolicy + ''; + }; + + projectRoleAssertion = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + Describes if roles of user should be added in token. + ''; + }; + + projectRoleCheck = mkOption { + type = types.bool; + default = false; + example = "true"; + description = '' + ZITADEL checks if the user has at least one on this project. + ''; + }; + + application = mkOption { + default = {}; + type = types.attrsOf (types.submodule { + options = { + redirectUris = mkOption { + type = types.nonEmptyListOf types.str; + example = '' + [ "https://example.com/redirect/url" ] + ''; + description = '' + . 
+ ''; + }; + + grantTypes = mkOption { + type = types.nonEmptyListOf (types.enum [ "authorizationCode" "implicit" "refreshToken" "deviceCode" "tokenExchange" ]); + example = '' + [ "authorizationCode" ] + ''; + description = '' + . + ''; + }; + + responseTypes = mkOption { + type = types.nonEmptyListOf (types.enum [ "code" "idToken" "idTokenToken" ]); + example = '' + [ "code" ] + ''; + description = '' + . + ''; + }; + }; + }); + }; + }; + }); + }; + }; + }); + }; }; - config = mkIf cfg.enable { + config = let + mapRef = type: name: { "${type}Id" = "\${ resource.zitadel_${type}.${toSnakeCase name}.id }"; }; + mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; + + mapValue = type: value: ({ + grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value; + responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value; + }."${type}" or value); + + toResource = name: value: nameValuePair + (toSnakeCase name) + (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); + + withName = name: attrs: attrs // { inherit name; }; + withRef = type: name: attrs: attrs // (mapRef type name); + + # this is a nix package, the generated json file to be exact + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { + inherit system; + + modules = + let + inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length; + + select = keys: callback: set: + if (length keys) == 0 then + mapAttrs' callback set + else let key = head keys; in + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + in + [ + ({ config, lib, ... 
}: { + config = { + terraform.required_providers.zitadel = { + source = "zitadel/zitadel"; + version = "2.2.0"; + }; + + provider.zitadel = { + domain = "auth.kruining.eu"; + insecure = "false"; + jwt_profile_file = "/var/lib/zitadel/machine-key.json"; + }; + + resource = { + zitadel_org = cfg.organization |> select [] (name: value: + value + |> getAttrs [ "isDefault" ] + |> withName name + |> toResource name + ); + + zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: + value + |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] + |> withName name + |> withRef "org" org + |> toResource name + ); + + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: + value + |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] + |> withName name + |> withRef "org" org + |> withRef "project" project + |> toResource name + ); + }; + }; + }) + ]; + }; + in + mkIf cfg.enable { ${namespace}.services.persistance.postgresql.enable = true; environment.systemPackages = with pkgs; [ zitadel ]; + systemd.tmpfiles.rules = [ + "d /tmp/zitadelApplyTerraform 0755 zitadel zitadel -" + ]; + + systemd.services.zitadelApplyTerraform = { + description = "Zitadel terraform apply"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "zitadel.service" ]; + + script = '' + #!/usr/bin/env bash + + # Copy infra code into workspace + cp -f ${terraformConfiguration} config.tf.json + + # Initialize OpenTofu + ${lib.getExe pkgs.opentofu} init + + # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan + ${lib.getExe pkgs.opentofu} apply -auto-approve + ''; + + serviceConfig = { + Type = "oneshot"; + User = "zitadel"; + Group = "zitadel"; + + WorkingDirectory = "/tmp/zitadelApplyTerraform"; + }; + }; + services = { zitadel = { enable = true; 
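Review bot: `zitadelApplyTerraform` runs OpenTofu with `WorkingDirectory = "/tmp/zitadelApplyTerraform"`, which the tmpfiles rule creates as `0755`, so the state file that `apply` writes there is readable by every local user and disappears whenever `/tmp` is cleaned. State for OIDC application resources normally carries the generated client credentials, and once it is lost the next run no longer knows about the orgs, projects and applications it already created. I would drop the tmpfiles rule and let systemd own a private directory: `StateDirectory = "zitadel-terraform"; StateDirectoryMode = "0700"; WorkingDirectory = "/var/lib/zitadel-terraform";`. The unit also declares `wants = [ "zitadel.service" ]` without a matching `after`, so the apply may start before Zitadel is reachable. The `config` block this hunk opens continues past its last line.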
@@ -41,31 +250,31 @@ in SecretHasher.Hasher.Algorithm = "argon2id"; }; - DefaultInstance = { - PasswordComplexityPolicy = { - MinLength = 20; - HasLowercase = false; - HasUppercase = false; - HasNumber = false; - HasSymbol = false; - }; - LoginPolicy = { - AllowRegister = false; - ForceMFA = true; - }; - LockoutPolicy = { - MaxPasswordAttempts = 5; - MaxOTPAttempts = 10; - }; - SMTPConfiguration = { - SMTP = { - Host = "black-mail.nl:587"; - User = "chris@kruining.eu"; - Password = "__TODO_USE_SOPS__"; - }; - FromName = "Amarth Zitadel"; - }; - }; + # DefaultInstance = { + # # PasswordComplexityPolicy = { + # # MinLength = 0; + # # HasLowercase = false; + # # HasUppercase = false; + # # HasNumber = false; + # # HasSymbol = false; + # # }; + # LoginPolicy = { + # AllowRegister = false; + # ForceMFA = true; + # }; + # LockoutPolicy = { + # MaxPasswordAttempts = 5; + # MaxOTPAttempts = 10; + # }; + # # SMTPConfiguration = { + # # SMTP = { + # # Host = "black-mail.nl:587"; + # # User = "chris@kruining.eu"; + # # Password = "__TODO_USE_SOPS__"; + # # }; + # # FromName = "Amarth Zitadel"; + # # }; + # }; Database.postgres = { Host = "localhost"; @@ -84,9 +293,16 @@ in }; steps = { FirstInstance = { - InstanceName = "auth.kruining.eu"; + # Not sure, this option seems to be mostly irrelevant + InstanceName = "eu"; + + MachineKeyPath = "/var/lib/zitadel/machine-key.json"; + # PatPath = "/var/lib/zitadel/machine-key.pat"; + # LoginClientPatPath = "/var/lib/zitadel/machine-key.json"; + Org = { - Name = "Amarth"; + Name = "kruining"; + Human = { UserName = "chris"; FirstName = "Chris"; @@ -97,6 +313,20 @@ in }; Password = "KaasIsAwesome1!"; }; + + Machine = { + Machine = { + Username = "terraform-service-user"; + Name = "Terraform"; + }; + MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; }; + # Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; }; + }; + + # LoginClient.Machine = { + # Username = "terraform-service-user"; + # Name = "Terraform"; + # }; }; }; }; 
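Review bot: Commenting out the whole `DefaultInstance` block also removes the declared `LoginPolicy` (`AllowRegister = false`, `ForceMFA = true`) and the `LockoutPolicy` limits, not only the password-complexity and SMTP parts that are double-commented inside it. Whether an already initialised instance keeps the old values is not visible here, but a fresh setup from this configuration would presumably fall back to Zitadel's defaults for registration, MFA and lockout. I would keep `LoginPolicy` and `LockoutPolicy` active and disable only the sections that caused trouble, or state the reason in place, e.g. `# login/lockout policy is now managed through terraform`.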
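Review bot: The `FirstInstance` step gains a machine user and `MachineKeyPath`, while the initial human admin's `Password` a few lines above the added `Machine` block remains a string literal, so it sits in git history and in the world-readable Nix store. That password is better supplied from the sops secrets file this series introduces, and changed on the instance if it was ever used. The machine key is also given `ExpirationDate = "2026-01-01T00:00:00Z"`, roughly two months after this commit's date, after which the apply service would presumably stop authenticating; a comment such as `# key expires 2026-01-01: rotate before then` would keep that from being a surprise.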
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0794585..4845e73 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -39,7 +39,33 @@ sneeuwvlok = { services = { # authentication.authelia.enable = true; - authentication.zitadel.enable = true; + authentication.zitadel = { + enable = true; + + organization = { + thisIsMyAwesomeOrg = {}; + + nix = { + project = { + ulmo = { + application = { + jellyfin = { + redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + }; + + forgejo = { + redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + }; + }; + }; + }; + }; + }; + }; communication.matrix.enable = true; From b11a33de6e3986e30ee3ad1d0519100dc57225d2 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:43:51 +0000 Subject: [PATCH 131/251] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 29 +++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 systems/x86_64-linux/ulmo/secrets.yml diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml new file mode 100644 index 0000000..a4847e5 --- /dev/null +++ b/systems/x86_64-linux/ulmo/secrets.yml 
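Review bot: `thisIsMyAwesomeOrg = {};` looks like a test entry, and because the apply service in this commit runs with `-auto-approve` it would be created as a real organization in the identity provider. The `forgejo` application registers its redirect URI on `git.amarth.cloud`, while the neighbouring `jellyfin` entry and the earlier commits in this series use `kruining.eu`; redirect URIs have to match what the client sends exactly, so that host should be confirmed. I would remove the placeholder org before this configuration is deployed.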
@@ -0,0 +1,29 @@ +email: + chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] + info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] +zitadel: + masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +sops: + age: + - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx + ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q + cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv + RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK + 6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV + eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS + NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG + TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb + Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-23T12:43:51Z" + mac: ENC[AES256_GCM,data:3pYyKM07BQ3xB866YsKhqIyuuk0x1fNW5i5DmZ7C9wPV7sM/4Xh1kItA71pf8Jh4Us7ztNt/td1KgH1Aux2RTgi8rSooKlqjoMOQP75q0BjHqyCPJdLCmXe95C7YvwCFYBadbcsJsOJKRpOldwxHz8mwpsDs9hLwiFQFeBc7orY=,iv:VjrNJw3JFeSavSjrQ/x45LJ1Xqq7TnGu68aFl0bkIjw=,tag:oqyr2XxwY6gNniDnDBYPlQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 From a8dbf792e32b5b557c23e8aed3a26cf8ffb7d93b Mon Sep 17 00:00:00 2001 
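Review bot: The file stores the Zitadel key as `zitadel:` / `masterkey:` in lower case, while the module hunk earlier in this series declares `sops.secrets."zitadel/masterKey"`; if the lookup is case-sensitive and no explicit `key` override exists outside the visible lines, the secret will not be found at activation. I would make the two spellings agree, e.g. `sops.secrets."zitadel/masterkey"` on the Nix side. Note also that sops encrypts values only, so the two mailbox addresses used as keys under `email:` stay readable to anyone with access to the repository.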
From: chris Date: Thu, 23 Oct 2025 12:44:08 +0000 Subject: [PATCH 132/251] ops(secrets): removed secret "je_moeder/0/awesome/2" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index a4847e5..4eb461f 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,6 +3,9 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +je_moeder: + - awesome: + - ENC[AES256_GCM,data:3htXBQ==,iv:f8LZSfHxkQ+RJlaFgq4lUjjtNisjwJZJtFqm1l/HC0o=,tag:BK0gx2gxrNPdfqOn/01KWg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +26,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:43:51Z" - mac: ENC[AES256_GCM,data:3pYyKM07BQ3xB866YsKhqIyuuk0x1fNW5i5DmZ7C9wPV7sM/4Xh1kItA71pf8Jh4Us7ztNt/td1KgH1Aux2RTgi8rSooKlqjoMOQP75q0BjHqyCPJdLCmXe95C7YvwCFYBadbcsJsOJKRpOldwxHz8mwpsDs9hLwiFQFeBc7orY=,iv:VjrNJw3JFeSavSjrQ/x45LJ1Xqq7TnGu68aFl0bkIjw=,tag:oqyr2XxwY6gNniDnDBYPlQ==,type:str] + lastmodified: "2025-10-23T12:44:07Z" + mac: ENC[AES256_GCM,data:ns/UoRJG/czGOy4cztz/ynuvf29z+K0Tx7ck6/G5hFyZ+r2fqLoK/Kqn/qjjB69knA8EbarIcrGiFRmXeRXydK3VRFhVNAbl15baIBMXTiUxG+rzEEPr/9upobRTIZNgOiNJDnsBm5A//MTLro2KIMepW/pJ1QfTjOnbSg0vH7E=,iv:r7Y6mkujSWxYf6N/edJRjKb/hkIf/q11P0b3+jpdeLU=,tag:RUshke1gKAnfB0UHrYSrkQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From e17b144c9f361901b304a5a41ae1e7c690173254 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:45:25 +0000 Subject: [PATCH 133/251] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4eb461f..2fdce33 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,9 +3,6 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] -je_moeder: - - awesome: - - ENC[AES256_GCM,data:3htXBQ==,iv:f8LZSfHxkQ+RJlaFgq4lUjjtNisjwJZJtFqm1l/HC0o=,tag:BK0gx2gxrNPdfqOn/01KWg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -26,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:44:07Z" - mac: ENC[AES256_GCM,data:ns/UoRJG/czGOy4cztz/ynuvf29z+K0Tx7ck6/G5hFyZ+r2fqLoK/Kqn/qjjB69knA8EbarIcrGiFRmXeRXydK3VRFhVNAbl15baIBMXTiUxG+rzEEPr/9upobRTIZNgOiNJDnsBm5A//MTLro2KIMepW/pJ1QfTjOnbSg0vH7E=,iv:r7Y6mkujSWxYf6N/edJRjKb/hkIf/q11P0b3+jpdeLU=,tag:RUshke1gKAnfB0UHrYSrkQ==,type:str] + lastmodified: "2025-10-23T12:45:24Z" + mac: ENC[AES256_GCM,data:hfTa17ELKJQIATXrDupWHv83mOaKAx6s0kpTfiLpBW6BjG0Ae5/oRF8b3oeP6Yp263PFT0uINFz5MjBsoPk9lCJu6zJDdWLliRrjM73Ob/y/EXG07rzEup5kFHblSWsRNteF9Xhd7C+OgOebxWzgr/AoE6FldhTLOyiKfNuaR6U=,iv:gElzOo9HZlcjfBJQbUeJc7v3hwJavn0cE7rbtFkLFTg=,tag:TVGLZSHIM/kZZ6CKXS77JA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 40da937ee0a8737bc4f39e135eedff4cd884f09b Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:45:28 +0000 Subject: [PATCH 134/251] ops(secrets): set secret "je_moeder/0/awesome/2" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 2fdce33..293e901 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,6 +3,9 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +je_moeder: + - awesome: + - ENC[AES256_GCM,data:VftBLg==,iv:Rtfi+AlMB7bhsTS8d1IT8l358F2QQP+952Mxzpk5JMA=,tag:rDyanvogMKPbLRyyGHAUVw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -23,7 +26,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:45:24Z" - mac: ENC[AES256_GCM,data:hfTa17ELKJQIATXrDupWHv83mOaKAx6s0kpTfiLpBW6BjG0Ae5/oRF8b3oeP6Yp263PFT0uINFz5MjBsoPk9lCJu6zJDdWLliRrjM73Ob/y/EXG07rzEup5kFHblSWsRNteF9Xhd7C+OgOebxWzgr/AoE6FldhTLOyiKfNuaR6U=,iv:gElzOo9HZlcjfBJQbUeJc7v3hwJavn0cE7rbtFkLFTg=,tag:TVGLZSHIM/kZZ6CKXS77JA==,type:str] + lastmodified: "2025-10-23T12:45:27Z" + mac: ENC[AES256_GCM,data:QtQAU1vxUvlK/XrN5bxwMY+KC7yOMKqGkHIB6y3KE/eiRKZAGXNNyG81Z4aGhhFwQj3lmIeU2/Qw3ZeLJz8evRDeJ7JNZH/ZDFNyeUyRqGMldtqKHKAQDJDC5OVAFxf/6owgiYbr4og2J7PFqfoiG0ODM9+bPN4V7axmtd5KFkg=,iv:nFdTrIe+eEhG1H4VeAshuvI3ELpxe54CVP2LSdPj1fE=,tag:JvGKgiDvepytiKVuwxN8cQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From e9fef516ecbc90f56d33e7ff2e18313a642f2292 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 14:47:53 +0200 Subject: [PATCH 135/251] feat(sops): finally somewhat properly set up with sops --- .just/machine.just | 9 +++++++++ .just/vars.just | 28 ++++++++++++++++++++++++++++ .justfile | 15 ++++++++++----- .sops.yaml | 11 +++++++++++ .sops.yml | 8 -------- _secrets/secrets.yaml | 30 ------------------------------ 6 files changed, 58 insertions(+), 43 deletions(-) create mode 100644 .just/machine.just create mode 100644 .just/vars.just create mode 100644 .sops.yaml delete mode 100644 .sops.yml delete mode 100644 _secrets/secrets.yaml diff --git a/.just/machine.just b/.just/machine.just new file mode 100644 index 0000000..65d1a7b --- /dev/null +++ b/.just/machine.just @@ -0,0 +1,9 @@ +@_default: list + +[doc('List machines')] +@list: + ls -1 ../systems/x86_64-linux/ + +[doc('Update the target machine')] +update machine: + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file 
diff --git a/.just/vars.just b/.just/vars.just new file mode 100644 index 0000000..78b7cb5 --- /dev/null +++ b/.just/vars.just @@ -0,0 +1,28 @@ +base_path := invocation_directory() / "systems/x86_64-linux" +sops := "nix shell nixpkgs#sops --command sops" + +@_default: + just --list + +[doc('list all vars of the target machine')] +list machine: + {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml + +@edit machine: + {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml + +@set machine key value: + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + + echo "Done" + +@remove machine key: + {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + + echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 67ac3a4..4e8a323 100644 --- a/.justfile +++ b/.justfile @@ -1,7 +1,12 @@ +@_default: + just --list --list-submodules -try-again: - nix flake update amarth-customer-portal - nix flake check --all-systems --show-trace +[doc('Manage vars')] +mod vars '.just/vars.just' -update machine: - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file +[doc('Manage machines')] +mod machine '.just/machine.just' + +[doc('Show information about project')] +@show: + echo "show" \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..9e7956c --- /dev/null +++ b/.sops.yaml 
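Review bot: In the `set` recipe, `{{ value }}` is pasted into the command line by just before the shell parses it, so a secret containing `"`, `$` or a backtick is re-interpreted by the shell, and the plaintext sits in the process argument list while sops runs. The same textual interpolation applies to `{{ key }}` and `{{ machine }}` in `set`, `remove` and both commit messages. Consider feeding the value on stdin (recent sops releases offer `sops set --value-stdin`; confirm it for the pinned version) and wrapping the remaining arguments with just's `quote()`, e.g. `{{ quote(machine) }}`. The later requoting to `'"{{ value }}"'` in PATCH 143 still breaks on a value that contains a single quote.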
@@ -0,0 +1,11 @@ +keys: + - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq + - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + +creation_rules: + # All Machine secrets + - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$ + key_groups: + - age: + - *ulmo_1 + - *ulmo_2 \ No newline at end of file diff --git a/.sops.yml b/.sops.yml deleted file mode 100644 index 96e09c3..0000000 --- a/.sops.yml +++ /dev/null @@ -1,8 +0,0 @@ -keys: - - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - -creation_rules: - - path_regex: secrets/secrets.yml$ - key_groups: - - age: - - *primary diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml deleted file mode 100644 index 78b1a8c..0000000 --- a/_secrets/secrets.yaml +++ /dev/null 
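Review bot: The single creation rule matches every machine directory under `systems/` but encrypts to `ulmo_1` and `ulmo_2` only, so a second machine's `secrets.yml` would be readable by ulmo's keys and, as far as this file shows, not by its own. If those recipients are one host key plus an operator key, a rule per machine keeps each host limited to its own secrets, for example `- path_regex: systems/[^/]+/ulmo/[^/]+\.(yml|yaml)$` followed by that machine's key group. A short comment stating which anchor is the host key and which is the operator key would help whoever rotates them next.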
@@ -1,30 +0,0 @@ -#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment] -example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str] -#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment] -#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment] -example: - my_subdir: - my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR - ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz - YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB - dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR - Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-09T11:37:49Z" - mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.4 - -zitadel: - masterKey: thisWillBeAnEncryptedValueInTheFuture From e3ae7220d3b468561a122e5f9a983ddc19c97a9b Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 23 Oct 2025 14:49:47 +0200 Subject: [PATCH 136/251] fix(stylix): add zen-browser profile --- modules/home/themes/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index ede7c53..3fa74b9 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,7 +31,9 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; + # targets.qt.platform = mkDefault "kde"; + targets.zen-browser.profileNames = [ "Chris" ]; fonts = { serif = { From 352c05765222b1cefdfddf5b8ac6f6b96c48c10a Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 14:50:42 +0200 Subject: [PATCH 137/251] refactor: tidy up zitadel service module --- .../authentication/zitadel/default.nix | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 66f5fc0..75b1bf2 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair; + inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -129,21 +129,17 @@ in withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); + select = keys: callback: set: + if (length keys) == 0 then + mapAttrs' callback set + else let key = head keys; in + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + # this is a nix package, the generated json file to be exact terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; - modules = - let - inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length; - - select = keys: callback: set: - if (length keys) == 0 then - mapAttrs' callback set - else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; - in - [ + modules = [ ({ config, lib, ... }: { config = { terraform.required_providers.zitadel = { @@ -214,7 +210,6 @@ in ${lib.getExe pkgs.opentofu} init # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan ${lib.getExe pkgs.opentofu} apply -auto-approve ''; From dd9e79b8890a420b2c8c527a7055eabafb22d630 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:53:40 +0000 Subject: [PATCH 138/251] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 293e901..1bd3967 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,9 +3,6 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] -je_moeder: - - awesome: - - ENC[AES256_GCM,data:VftBLg==,iv:Rtfi+AlMB7bhsTS8d1IT8l358F2QQP+952Mxzpk5JMA=,tag:rDyanvogMKPbLRyyGHAUVw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -26,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:45:27Z" - mac: ENC[AES256_GCM,data:QtQAU1vxUvlK/XrN5bxwMY+KC7yOMKqGkHIB6y3KE/eiRKZAGXNNyG81Z4aGhhFwQj3lmIeU2/Qw3ZeLJz8evRDeJ7JNZH/ZDFNyeUyRqGMldtqKHKAQDJDC5OVAFxf/6owgiYbr4og2J7PFqfoiG0ODM9+bPN4V7axmtd5KFkg=,iv:nFdTrIe+eEhG1H4VeAshuvI3ELpxe54CVP2LSdPj1fE=,tag:JvGKgiDvepytiKVuwxN8cQ==,type:str] + lastmodified: "2025-10-23T12:53:39Z" + mac: ENC[AES256_GCM,data:d4caeqSPWSaRNHcGKrxTCarX3OWJVf7uDx4pd5ldjdvHxUZu8xThDLpq850/jzCoX3T6bCes52o4TSSBYQCX+blPLdWetqJ/GulOvlsmudQJArZIcg4ZY96nVSv+sIJnP/1YEw0g6QxYxLa7IeEs6ZxNlBIaF/bff7AEHbtRNGs=,iv:DN/vvD2smUt+SFEfm08IpW+H7QtCChXYYKVLwE7SXPU=,tag:Uua+KE5+V6OT1O0aNrm6+g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From fe628075d984b5fa68db5e40d468b4f20f8bb855 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 13:58:11 +0000 Subject: [PATCH 139/251] ops(secrets): removed secret "zitadel/masterkey" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1bd3967..6f7ded0 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml 
+++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,8 +1,7 @@ email: chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] -zitadel: - masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +zitadel: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +22,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:53:39Z" - mac: ENC[AES256_GCM,data:d4caeqSPWSaRNHcGKrxTCarX3OWJVf7uDx4pd5ldjdvHxUZu8xThDLpq850/jzCoX3T6bCes52o4TSSBYQCX+blPLdWetqJ/GulOvlsmudQJArZIcg4ZY96nVSv+sIJnP/1YEw0g6QxYxLa7IeEs6ZxNlBIaF/bff7AEHbtRNGs=,iv:DN/vvD2smUt+SFEfm08IpW+H7QtCChXYYKVLwE7SXPU=,tag:Uua+KE5+V6OT1O0aNrm6+g==,type:str] + lastmodified: "2025-10-23T13:58:10Z" + mac: ENC[AES256_GCM,data:ZiK2BIND4a7cCh0HaYzqU4oicnrG9o83D9q63GiCNU6RSj8JKDeVdZ6zu+Nj0rzFgk7k42pv5LGaDf9F/G4vYwlvYYDah2aZOFVMFuE1lvUgZNKkWwIRd+Oe4Fo1yghhCkQOv6Ctcym9/2ALTKbgF8+ZkaxIkwV2o8w/VWnr4HM=,iv:SxA5sdPXo4ALAFTiD/6jYRICsXyjcBake5QPP7mmqn8=,tag:wEI2pVcNz9Ypyi3vt+cg+g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 5f0f986c598c994d3ea3a41b0686ee89e0dd03b9 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 14:23:22 +0000 Subject: [PATCH 140/251] ops(secrets): set secret "email/chris_kruining_eu" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 6f7ded0..1eeb402 100644 
--- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,7 +1,9 @@ email: chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] -zitadel: {} + chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] +zitadel: + masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -22,7 +24,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T13:58:10Z" - mac: ENC[AES256_GCM,data:ZiK2BIND4a7cCh0HaYzqU4oicnrG9o83D9q63GiCNU6RSj8JKDeVdZ6zu+Nj0rzFgk7k42pv5LGaDf9F/G4vYwlvYYDah2aZOFVMFuE1lvUgZNKkWwIRd+Oe4Fo1yghhCkQOv6Ctcym9/2ALTKbgF8+ZkaxIkwV2o8w/VWnr4HM=,iv:SxA5sdPXo4ALAFTiD/6jYRICsXyjcBake5QPP7mmqn8=,tag:wEI2pVcNz9Ypyi3vt+cg+g==,type:str] + lastmodified: "2025-10-23T14:23:21Z" + mac: ENC[AES256_GCM,data:BVxgNIS+o5TW3XdTFJPd5BwsYPB5/iLPRLC72KV4zLALxO+ZzgZni1ADlDKpNf0W1pB67brguQvT0Jk/3jl/mSGAUS0AC+d2fBAl4m1I8KgRkhFTlzKJBaHn39iNJBkgM0ILNqdxNjFF6r472Ib3p/UNe1EPJgCQzqq5WVSumoo=,iv:aEBuJcjVaEYdCOAW3AiwVoskhH/+P3uSwZScssLi3OQ=,tag:kzJg99OjRsLaL7/hKHzs9Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 34fd079fb7ed77f71a89b314786f5ccb8bf23860 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 23 Oct 2025 14:23:40 +0000 Subject: [PATCH 141/251] ops(secrets): removed secret "email/chris@kruining.eu" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1eeb402..1fb64b9 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,5 +1,4 @@ email: - chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] zitadel: @@ -24,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:23:21Z" - mac: ENC[AES256_GCM,data:BVxgNIS+o5TW3XdTFJPd5BwsYPB5/iLPRLC72KV4zLALxO+ZzgZni1ADlDKpNf0W1pB67brguQvT0Jk/3jl/mSGAUS0AC+d2fBAl4m1I8KgRkhFTlzKJBaHn39iNJBkgM0ILNqdxNjFF6r472Ib3p/UNe1EPJgCQzqq5WVSumoo=,iv:aEBuJcjVaEYdCOAW3AiwVoskhH/+P3uSwZScssLi3OQ=,tag:kzJg99OjRsLaL7/hKHzs9Q==,type:str] + lastmodified: "2025-10-23T14:23:39Z" + mac: ENC[AES256_GCM,data:FoQYZwmra35BdYu/5RO4P9KdfKDZ1DPYN1q0fUFJ95eowK+rCXHAO9Bftjk1rEYTWO1bdKS7lYCLPgAh0sQHhovQoMXC5wlCkKpgMoi47Ji/qCbXXmDiayMpMxosKcrCMEV4wPvcLEVXgS5MlPUOT4xhm7tCa+h9d7WBZmU2ho8=,iv:P0s+TcMlnxToPl6roU8ZE9l8x4vOsfu/4BzrbcPSIec=,tag:ZO5yFyoCA/8RBdLQIOhsgw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 47df6b544a46c35e2e88ef9320be0eae55ccd4f0 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 23 Oct 2025 14:26:00 +0000 Subject: [PATCH 142/251] ops(secrets): set secret "email/info_amarth_cloud" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1fb64b9..6add209 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,6 +1,7 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] + info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] sops: 
@@ -23,7 +24,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:23:39Z" - mac: ENC[AES256_GCM,data:FoQYZwmra35BdYu/5RO4P9KdfKDZ1DPYN1q0fUFJ95eowK+rCXHAO9Bftjk1rEYTWO1bdKS7lYCLPgAh0sQHhovQoMXC5wlCkKpgMoi47Ji/qCbXXmDiayMpMxosKcrCMEV4wPvcLEVXgS5MlPUOT4xhm7tCa+h9d7WBZmU2ho8=,iv:P0s+TcMlnxToPl6roU8ZE9l8x4vOsfu/4BzrbcPSIec=,tag:ZO5yFyoCA/8RBdLQIOhsgw==,type:str] + lastmodified: "2025-10-23T14:25:59Z" + mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4f0d0f7f0e0454b305e08415ce64f601a46fa6c5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 16:31:19 +0200 Subject: [PATCH 143/251] fix: various fixes to just commands --- .just/vars.just | 6 +++--- .justfile | 8 +++++++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.just/vars.just b/.just/vars.just index 78b7cb5..46bb5fd 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -12,10 +12,10 @@ list machine: {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\" + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" @@ -23,6 +23,6 @@ list machine: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 4e8a323..1c9fc03 100644 --- a/.justfile +++ b/.justfile @@ -9,4 +9,10 @@ mod machine '.just/machine.just' [doc('Show information about project')] @show: - echo "show" \ No newline at end of file + echo "show" + +[doc('update the flake dependencies')] +@update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" \ No newline at end of file From f390d4195562e69aa43fc326ca6efb33167cc6ad Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 23 Oct 2025 16:31:56 +0200 Subject: [PATCH 144/251] WIP: trying to get smtp configured for zitadel --- .../authentication/zitadel/default.nix | 98 +++++++++++++------ .../nixos/system/security/sops/default.nix | 10 +- 2 files changed, 76 insertions(+), 32 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 75b1bf2..59abcf3 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -135,6 +135,8 @@ in else let key = head keys; in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + config' = config; + # this is a nix package, the generated json file to be exact terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; @@ -177,6 +179,15 @@ in |> withRef "project" project |> toResource name ); + + zitadel_smtp_config.default = { + sender_address = "chris@kruining.eu"; + sender_name = "no-reply (Zitadel)"; + tls = true; + host = "black-mail.nl"; + user = "chris@kruining.eu"; + password = "\${file(\"${config'.sops.templates."kaas".path}\")}"; + }; }; }; }) 
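Review bot: `password = "\${file(...)}"` in `zitadel_smtp_config.default` makes OpenTofu read the decrypted SMTP password at apply time, which means the value is also recorded in the state file in clear text. Where that state is kept is outside this hunk, so confirm that its directory is owned by the service user, is not world-readable, and is not copied into unencrypted backups. The template name `kaas` gives no hint of what it holds; a name such as `sops.templates."zitadel/smtp-password"` would make the reference self-explanatory. `config' = config;` deserves a one-line comment saying it exists because the inner terranix module shadows `config`.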
@@ -245,31 +256,30 @@ in SecretHasher.Hasher.Algorithm = "argon2id"; }; - # DefaultInstance = { - # # PasswordComplexityPolicy = { - # # MinLength = 0; - # # HasLowercase = false; - # # HasUppercase = false; - # # HasNumber = false; - # # HasSymbol = false; - # # }; - # LoginPolicy = { - # AllowRegister = false; - # ForceMFA = true; - # }; - # LockoutPolicy = { - # MaxPasswordAttempts = 5; - # MaxOTPAttempts = 10; - # }; - # # SMTPConfiguration = { - # # SMTP = { - # # Host = "black-mail.nl:587"; - # # User = "chris@kruining.eu"; - # # Password = "__TODO_USE_SOPS__"; - # # }; - # # FromName = "Amarth Zitadel"; - # # }; - # }; + DefaultInstance = { + # PasswordComplexityPolicy = { + # MinLength = 0; + # HasLowercase = false; + # HasUppercase = false; + # HasNumber = false; + # HasSymbol = false; + # }; + # LoginPolicy = { + # AllowRegister = false; + # ForceMFA = true; + # }; + # LockoutPolicy = { + # MaxPasswordAttempts = 5; + # MaxOTPAttempts = 10; + # }; + SMTPConfiguration = { + SMTP = { + Host = "black-mail.nl:587"; + User = "chris@kruining.eu"; + }; + FromName = "Amarth Zitadel"; + }; + }; Database.postgres = { Host = "localhost"; @@ -325,6 +335,9 @@ in }; }; }; + extraStepsPaths = [ + config.sops.templates."secrets.yaml".path + ]; }; postgresql = { 
@@ -359,10 +372,37 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets - sops.secrets."zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; + sops = { + secrets = { + "zitadel/masterKey" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 + }; + + "email/chris_kruining_eu" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; + }; + }; + + templates."secrets.yaml" = { + owner = "zitadel"; + group = "zitadel"; + content = '' + DefaultInstance: + SMTPConfiguration: + SMTP: + Password: ${config.sops.placeholder."email/chris_kruining_eu"} + ''; + }; + + templates."kaas" = { + owner = "zitadel"; + group = "zitadel"; + content = config.sops.placeholder."email/chris_kruining_eu"; + }; }; }; } diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index 68ab4ca..bee7b3c 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, namespace, inputs, ... }: +{ pkgs, config, namespace, inputs, system, ... }: let cfg = config.${namespace}.system.security.sops; in @@ -13,10 +13,14 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; + defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml"; - age.keyFile = "/home/"; + age = { + # keyFile = "~/.config/sops/age/keys.txt"; + # sshKeyPaths = [ "~/.ssh/id_ed25519" ]; + # generateKey = true; + }; }; }; } \ No newline at end of file From 334c0b54cc4d13dd5f8b3902cecc28e9e37a67fd Mon Sep 17 00:00:00 2001 
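Review bot: The `restartUnits` line of `"zitadel/masterKey"` ends in a trailing `#` comment holding a long random-looking string, which reads like a password or key pasted by accident. If it is a real credential it should be treated as exposed and rotated, and the line reduced to `restartUnits = [ "zitadel.service" ];`; deleting the comment in a later commit does not remove it from history. Separately, the `kaas` and `secrets.yaml` templates both render the `email/chris_kruining_eu` placeholder, so the same password exists in two files on disk; a comment on each saying which consumer needs it would make it clear when one can be dropped.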
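Review bot: After this change the `age` attribute set in `sops/default.nix` contains only comments, so which key decrypts `defaultSopsFile` depends entirely on sops-nix defaults, and nothing here ties it to the recipients listed in `.sops.yaml`. Stating the intended source explicitly, or at least adding a comment such as `# key source: sops-nix default (host SSH key); must match a recipient in .sops.yaml`, would make a failed activation easier to diagnose. The commented-out paths start with `~`, which is most likely not expanded when sops-nix reads them, so an absolute path is needed if one of them is enabled.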
From: chris Date: Mon, 27 Oct 2025 07:41:12 +0000 Subject: [PATCH 145/251] ops(secrets): removed secret "email/info@amarth.cloud" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 6add209..3fa58fa 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,5 +1,4 @@ email: - info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: @@ -24,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:25:59Z" - mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] + lastmodified: "2025-10-27T07:41:09Z" + mac: ENC[AES256_GCM,data:jc/hbXqdsLHkOldzmk68Uj9FnToLgfbF4YDzLv5SqPEBt1lihkOjeBD8tGq1w0LIJnWZTHv4yC1IEsJkB3r1a5E9OtukdNpdpDKfo5mf9+tACJ/d27RyYrLfmo/HUfAuk2WEbhQ3pqP8z+JhZ2R32+tfUi0hrmBlgtSJ7w53vpM=,iv:C/5HpoyVO9lDJBmBTROVGux74c0ZIP6N93urzk+kZ2E=,tag:LwTWbBToKkKEPyzBKvtr3A==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From e92f2cf82c7a4bb662cdcc15cc85d38c8b8af3d9 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 27 Oct 2025 11:34:11 +0100 Subject: [PATCH 146/251] add some commands to read secret values --- .just/vars.just | 4 ++++ .justfile | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.just/vars.just b/.just/vars.just index 46bb5fd..167144a 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,5 +1,6 @@ base_path := invocation_directory() / "systems/x86_64-linux" sops := "nix shell nixpkgs#sops --command sops" +yq := "nix shell nixpkgs#yq --command yq" @_default: just --list @@ -19,6 +20,9 @@ list machine: echo "Done" +@get machine key: + {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml | {{ yq }} ".$(echo "{{ key }}" | sed -E 's/\//./g')" + @remove machine key: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" diff --git a/.justfile b/.justfile index 1c9fc03..2788376 100644 --- a/.justfile +++ b/.justfile @@ -15,4 +15,8 @@ mod machine '.just/machine.just' @update: nix flake update git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" \ No newline at end of file + echo "Done" + +[doc('Introspection on flake output')] +@select key: + nix eval --json .#{{ key }} | jq . \ No newline at end of file From 6c9667831a54f5097ef276a8317d3fb5f3ebe43a Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 27 Oct 2025 13:11:42 +0000 Subject: [PATCH 147/251] ops(secrets): set secret "zitadel/masterKey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 3fa58fa..f9e4a82 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
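Review bot: The new `get` recipe turns `a/b` into the yq path `.a.b`, while `set` and `remove` build a sops bracket path, so keys the other recipes accept (a numeric index as in `je_moeder/0/awesome/2`, or a name containing `@` or `.`) will not resolve here. It also writes the whole decrypted file into a pipe to read one value. Reusing the existing conversion with `sops decrypt --extract` keeps the three recipes consistent and outputs only the requested value: `{{ sops }} decrypt --extract "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" {{ base_path }}/{{ machine }}/secrets.yml`. A `[doc('print one decrypted secret to stdout')]` attribute would match the other recipes and warn that the plaintext lands in the terminal.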
@@ -2,7 +2,7 @@ email: chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: - masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] + masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-27T07:41:09Z" - mac: ENC[AES256_GCM,data:jc/hbXqdsLHkOldzmk68Uj9FnToLgfbF4YDzLv5SqPEBt1lihkOjeBD8tGq1w0LIJnWZTHv4yC1IEsJkB3r1a5E9OtukdNpdpDKfo5mf9+tACJ/d27RyYrLfmo/HUfAuk2WEbhQ3pqP8z+JhZ2R32+tfUi0hrmBlgtSJ7w53vpM=,iv:C/5HpoyVO9lDJBmBTROVGux74c0ZIP6N93urzk+kZ2E=,tag:LwTWbBToKkKEPyzBKvtr3A==,type:str] + lastmodified: "2025-10-27T13:11:41Z" + mac: ENC[AES256_GCM,data:0LS7xQlkfIZRVwAZPE33KmPA19CpnXj/t4hpDrVW+BbESpnBku2oxPB/Cvp0dY5MGnDFgU4Htp0JoppHCgKvkaSBhvjxjW2DT1Nkk5PBmAtuzZLW4qc25ZVlqiKgzj1LE3XPTbqUJyp+X3U23BnU1ViTGgHuBcdEV7TFNHjmnwk=,iv:HpVIDAU1FbrUKXW8klWq0Kn9ZtKcgwR1jKXLkGtDd5A=,tag:50P0UZtj77npD92zxCaZHw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 84cc5ff5c4586136e091c3c087b787c9326fd869 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 27 Oct 2025 17:07:51 +0100 Subject: [PATCH 148/251] feat(zitadel): expand terranix resources WOOP WOOP, it all works! now the next, big, huge, giant, hurdle to overcome is the chicken and egg problem of needing zitadel to generate values that I need inside the nix config of synapse, forgejo, and jellyfin --- .just/machine.just | 2 +- .../authentication/zitadel/default.nix | 184 +++++++++++++----- systems/x86_64-linux/ulmo/default.nix | 19 +- 3 files changed, 149 insertions(+), 56 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index 65d1a7b..6dabbc0 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -6,4 +6,4 @@ [doc('Update the target machine')] update machine: - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 59abcf3..eaa3c60 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -12,8 +12,12 @@ in enable = mkEnableOption "Zitadel"; organization = mkOption { - type = types.attrsOf (types.submodule { - options = { + type = types.attrsOf (types.submodule ({ name, ... }: { + options = + let + org = name; + in + { isDefault = mkOption { type = types.bool; default = false; 
@@ -108,13 +112,82 @@ in }; }); }; + + user = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = + let + username = name; + in + { + email = mkOption { + type = types.str; + example = "someone@some.domain"; + description = '' + Username. + ''; + }; + + userName = mkOption { + type = types.nullOr types.str; + default = cfg.organization.${org}.user.${username}.email; + example = "someone@some.domain"; + description = '' + Username. Default value is the user's email, you can overwrite that by setting this option + ''; + }; + + firstName = mkOption { + type = types.str; + example = "John"; + description = '' + First name of the user. + ''; + }; + + lastName = mkOption { + type = types.str; + example = "Doe"; + description = '' + Last name of the user. + ''; + }; + + roles = mkOption { + type = types.listOf types.str; + default = []; + example = "[ \"ORG_OWNER\" ]"; + description = '' + List of roles granted to organisation. + ''; + }; + + instanceRoles = mkOption { + type = types.listOf types.str; + default = []; + example = "[ \"IAM_OWNER\" ]"; + description = '' + List of roles granted to instance. + ''; + }; + }; + })); + }; }; - }); + })); }; }; config = let - mapRef = type: name: { "${type}Id" = "\${ resource.zitadel_${type}.${toSnakeCase name}.id }"; }; + _refTypeMap = { + org = { type = "org"; }; + project = { type = "project"; }; + user = { type = "user"; tfType = "human_user"; }; + }; + + mapRef' = { type, tfType ? type }: name: { "${type}Id" = "\${ resource.zitadel_${tfType}.${toSnakeCase name}.id }"; }; + mapRef = type: name: mapRef' (_refTypeMap.${type}) name; mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; mapValue = type: value: ({ @@ -128,6 +201,7 @@ in withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); + withDefaults = defaults: attrs: defaults // attrs; select = keys: callback: set: if (length keys) == 0 then 
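Review bot: The `email` option in the new `user` submodule is described as `Username.`, the same text used for `userName`, so the generated option documentation never says what the field holds; `description = "Email address of the user."` would match its example. `roles` and `instanceRoles` grant privileges at different scopes, and their descriptions should say so, for example `Instance-level (IAM) roles granted to this user; these apply to the whole Zitadel instance, not only to this organisation.` The `example` values of both lists are plain strings and will render quoted; `lib.literalExpression` is the usual form. The enclosing `organization` submodule starts and ends outside this hunk.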
@@ -156,6 +230,7 @@ in }; resource = { + # Organizations zitadel_org = cfg.organization |> select [] (name: value: value |> getAttrs [ "isDefault" ] @@ -163,6 +238,7 @@ in |> toResource name ); + # Projects per organization zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: value |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] @@ -171,6 +247,7 @@ in |> toResource name ); + # Each OIDC app per project zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: value |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] 
@@ -180,14 +257,52 @@ in |> toResource name ); + # Users + zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: value: + value + |> getAttrs [ "email" "userName" "firstName" "lastName" ] + |> withRef "org" org + |> withDefaults { isEmailVerified = true; } + |> toResource name + ); + + # Global user roles + zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: + { roles = value.instanceRoles; } + |> withRef "user" name + |> toResource name + ); + + # Organazation specific roles + zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: value: + value + |> getAttrs [ "roles" ] + |> withRef "org" org + |> withRef "user" name + |> toResource name + ); + + # SMTP config zitadel_smtp_config.default = { sender_address = "chris@kruining.eu"; sender_name = "no-reply (Zitadel)"; tls = true; - host = "black-mail.nl"; + host = "black-mail.nl:587"; user = "chris@kruining.eu"; - password = "\${file(\"${config'.sops.templates."kaas".path}\")}"; + password = lib.tfRef "file(\"${config'.sops.secrets."email/chris_kruining_eu".path}\")"; + set_active = true; }; + + # Client credentials per app + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: + nameValuePair name { + content = '' + CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_id"} + CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_secret"} + ''; + filename = "/var/lib/zitadel/clients/${name}"; + } + ); }; }; }) @@ -203,6 +318,7 @@ in systemd.tmpfiles.rules = [ "d /tmp/zitadelApplyTerraform 0755 zitadel zitadel -" + "d /var/lib/zitadel/clients 0755 zitadel zitadel -" ]; systemd.services.zitadelApplyTerraform = { @@ -214,6 +330,11 @@ in script = '' #!/usr/bin/env bash + if [ "$(systemctl is-active zitadel)" != "active" ]; then + echo "Zitadel is not running" + exit 1 + fi + # Copy infra code into workspace cp -f ${terraformConfiguration} config.tf.json 
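Review bot: The new `local_sensitive_file` resources write each application's `client_secret` to disk, but the same value is also stored in plain text in the Terraform/OpenTofu state, so the workspace needs the same protection as the output files. The context of the next hunk shows `/tmp/zitadelApplyTerraform` created with mode `0755`; if that is the working directory of the apply unit (not visible here), it should be `0700`. Setting `file_permission = "0600"` on the resource would also make the intended mode of the credential files explicit instead of relying on the provider default.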
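Review bot: The added tmpfiles rule creates `/var/lib/zitadel/clients` with mode `0755`, although the directory exists only to hold OIDC client credentials, so every local user can list and enter it. `"d /var/lib/zitadel/clients 0750 zitadel zitadel -"` keeps other accounts out; services that must read one of the files can get access through group membership or a per-service copy. The `systemd.tmpfiles.rules` list continues outside the hunk.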
@@ -237,8 +358,7 @@ in zitadel = { enable = true; openFirewall = true; - # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; - masterKeyFile = "/var/lib/zitadel/master_key"; + masterKeyFile = config.sops.secrets."zitadel/masterKey".path; tlsMode = "external"; settings = { Port = 9092; @@ -256,31 +376,6 @@ in SecretHasher.Hasher.Algorithm = "argon2id"; }; - DefaultInstance = { - # PasswordComplexityPolicy = { - # MinLength = 0; - # HasLowercase = false; - # HasUppercase = false; - # HasNumber = false; - # HasSymbol = false; - # }; - # LoginPolicy = { - # AllowRegister = false; - # ForceMFA = true; - # }; - # LockoutPolicy = { - # MaxPasswordAttempts = 5; - # MaxOTPAttempts = 10; - # }; - SMTPConfiguration = { - SMTP = { - Host = "black-mail.nl:587"; - User = "chris@kruining.eu"; - }; - FromName = "Amarth Zitadel"; - }; - }; - Database.postgres = { Host = "localhost"; # Zitadel will report error if port is not set @@ -335,9 +430,9 @@ in }; }; }; - extraStepsPaths = [ - config.sops.templates."secrets.yaml".path - ]; + # extraStepsPaths = [ + # config.sops.templates."secrets.yaml".path + # ]; }; postgresql = { @@ -386,23 +481,6 @@ in restartUnits = [ "zitadel.service" ]; }; }; - - templates."secrets.yaml" = { - owner = "zitadel"; - group = "zitadel"; - content = '' - DefaultInstance: - SMTPConfiguration: - SMTP: - Password: ${config.sops.placeholder."email/chris_kruining_eu"} - ''; - }; - - templates."kaas" = { - owner = "zitadel"; - group = "zitadel"; - content = config.sops.placeholder."email/chris_kruining_eu"; - }; }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4845e73..e776927 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
@@ -43,9 +43,18 @@ enable = true; organization = { - thisIsMyAwesomeOrg = {}; - nix = { + user = { + chris = { + email = "chris@kruining.eu"; + firstName = "Chris"; + lastName = "Kruining"; + + roles = [ "ORG_OWNER" ]; + instanceRoles = [ "IAM_OWNER" ]; + }; + }; + project = { ulmo = { application = { @@ -60,6 +69,12 @@ grantTypes = [ "authorizationCode" ]; responseTypes = [ "code" ]; }; + + matrix = { + redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + }; }; }; }; From 5157a57f32bc736e151903438a284bad4a16b31a Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 27 Oct 2025 21:11:08 +0100 Subject: [PATCH 149/251] feat(zed): add just language server plugin --- modules/home/editor/zed/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/editor/zed/default.nix b/modules/home/editor/zed/default.nix index b35acba..f0fe7fa 100644 --- a/modules/home/editor/zed/default.nix +++ b/modules/home/editor/zed/default.nix @@ -15,7 +15,7 @@ in { programs.zed-editor = { enable = true; - extensions = [ "nix" "toml" "html" ]; + extensions = [ "nix" "toml" "html" "just-ls" ]; userSettings = { assistant.enabled = false; From 7b9e07ee4b338c5ffbe29ff26a934163d42ca42d Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:07:04 +0000 Subject: [PATCH 150/251] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index f9e4a82..7ff94ef 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,6 +3,8 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] +forgejo: + action_runner_token: ENC[AES256_GCM,data:9rnVy+qIpfdXPxLV2yh09VrVWUzwoy5XwShctSqPeQM=,iv:0Bydo8Bs9TQ2LSjU/zDfGYk/aCq2OH0U8I+linkQcA4=,tag:Sw4cx48EmpvsjF0cZxcAvg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-27T13:11:41Z" - mac: ENC[AES256_GCM,data:0LS7xQlkfIZRVwAZPE33KmPA19CpnXj/t4hpDrVW+BbESpnBku2oxPB/Cvp0dY5MGnDFgU4Htp0JoppHCgKvkaSBhvjxjW2DT1Nkk5PBmAtuzZLW4qc25ZVlqiKgzj1LE3XPTbqUJyp+X3U23BnU1ViTGgHuBcdEV7TFNHjmnwk=,iv:HpVIDAU1FbrUKXW8klWq0Kn9ZtKcgwR1jKXLkGtDd5A=,tag:50P0UZtj77npD92zxCaZHw==,type:str] + lastmodified: "2025-10-30T14:07:03Z" + mac: ENC[AES256_GCM,data:81HSgWBj+piT5LvvFHcJVTSoyKNFHteo0yLRPp/lJ4st25JyachSIC0s6ApJiFSzoMH12C2LumcjrVafpvLQXITxhkEAkt0fm9uK1isrWNGpQcLnLAlcbrPZuf5TB8FWjAyHoisafHYzO9XhNYHT9vhxGKGIXf6pOJG8LGebqNM=,iv:y8ty2BAvQvMOpCw2HSC82OEaOv59VERdM09JBCwqlHk=,tag:0ZjSUKT5KJgNjJr07hVabg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 7edfdf92e096d5695b80aa276f25d4c171ffa765 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:07:56 +0000 Subject: [PATCH 151/251] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 7ff94ef..4f2f8ae 100644 
--- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:9rnVy+qIpfdXPxLV2yh09VrVWUzwoy5XwShctSqPeQM=,iv:0Bydo8Bs9TQ2LSjU/zDfGYk/aCq2OH0U8I+linkQcA4=,tag:Sw4cx48EmpvsjF0cZxcAvg==,type:str] + action_runner_token: ENC[AES256_GCM,data:ve7im4kIWyfFSVVXq5TNIdhT95TcJ2o8iNy829juImQCVHt9wU8=,iv:5uOm5W6srD+dCu2ElnEzuI7BlsDa0PfqaMoyJrnIqqU=,tag:fFpWwgs6UPjvVlx6AXmrCw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:07:03Z" - mac: ENC[AES256_GCM,data:81HSgWBj+piT5LvvFHcJVTSoyKNFHteo0yLRPp/lJ4st25JyachSIC0s6ApJiFSzoMH12C2LumcjrVafpvLQXITxhkEAkt0fm9uK1isrWNGpQcLnLAlcbrPZuf5TB8FWjAyHoisafHYzO9XhNYHT9vhxGKGIXf6pOJG8LGebqNM=,iv:y8ty2BAvQvMOpCw2HSC82OEaOv59VERdM09JBCwqlHk=,tag:0ZjSUKT5KJgNjJr07hVabg==,type:str] + lastmodified: "2025-10-30T14:07:55Z" + mac: ENC[AES256_GCM,data:YX60ajX1LFjVkmMTYAVRj28N6IMMwHrFerq7EJ8DHMaQ75pCRrH1EbX0YTIRnSA7aYo0gGpPiHTbMKkMA6Dq6XOVxXFtqYaFC9jwVjVoXg58zdd2Yvtf7m9yrFX9ohEScQPLHwwZfWJFSqdOY0iSHotW0/duMm65zzC5MgcYoeE=,iv:61m1hBVZ+ASIykvVqC7XaPpOSWuEbTBo9NRpo6MQbeg=,tag:SNyqhMQ/BwWo49kCHwBoBQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From eac33f7cef4192decb15dff7530cb3b7ca559ce9 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 14:12:56 +0000 Subject: [PATCH 152/251] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4f2f8ae..dd7b2a7 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:ve7im4kIWyfFSVVXq5TNIdhT95TcJ2o8iNy829juImQCVHt9wU8=,iv:5uOm5W6srD+dCu2ElnEzuI7BlsDa0PfqaMoyJrnIqqU=,tag:fFpWwgs6UPjvVlx6AXmrCw==,type:str] + action_runner_token: ENC[AES256_GCM,data:V6V6Lt2XhV9NiSEKjS57vf5IgGUHLvmmG+uUcdNT4tvgezVhPOK/h5F4hxmCKg==,iv:UlHIFDsKeg4hFyXKyhYE3h/77xXeW+/kBJigDU5dP90=,tag:ES0z0bHv1uomsyYWyjsLfw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:07:55Z" - mac: ENC[AES256_GCM,data:YX60ajX1LFjVkmMTYAVRj28N6IMMwHrFerq7EJ8DHMaQ75pCRrH1EbX0YTIRnSA7aYo0gGpPiHTbMKkMA6Dq6XOVxXFtqYaFC9jwVjVoXg58zdd2Yvtf7m9yrFX9ohEScQPLHwwZfWJFSqdOY0iSHotW0/duMm65zzC5MgcYoeE=,iv:61m1hBVZ+ASIykvVqC7XaPpOSWuEbTBo9NRpo6MQbeg=,tag:SNyqhMQ/BwWo49kCHwBoBQ==,type:str] + lastmodified: "2025-10-30T14:12:56Z" + mac: ENC[AES256_GCM,data:G+aGa5bbZsHjsIEOF7/bHPddasbaVTK+WUj25byqyoKSfTqeru25fZoBHP/6dnVkTmHHuktHTcRtSubBhz+kKjBSovKk3fUL14W4og7+ULcWtmgcuF2usAMywi2/N0vkpp/IuU/qj62R1fGqpHLxxjDZJGjX+a5mkl+DV2yJmCE=,iv:X5o0hrBOE3hbNH2OxPHGpKXAUOUhRVZ5NEsdE2SxLbM=,tag:/qTqy/d6N2CoeegkDo2Yfg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From b11ca6bd05615d8bd808c56d18ae5c9519c71422 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 30 Oct 2025 14:24:06 +0000 Subject: [PATCH 153/251] ops(secrets): set secret "forgejo/action_runner_token" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index dd7b2a7..adace84 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: - action_runner_token: ENC[AES256_GCM,data:V6V6Lt2XhV9NiSEKjS57vf5IgGUHLvmmG+uUcdNT4tvgezVhPOK/h5F4hxmCKg==,iv:UlHIFDsKeg4hFyXKyhYE3h/77xXeW+/kBJigDU5dP90=,tag:ES0z0bHv1uomsyYWyjsLfw==,type:str] + action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -25,7 +25,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:12:56Z" - mac: ENC[AES256_GCM,data:G+aGa5bbZsHjsIEOF7/bHPddasbaVTK+WUj25byqyoKSfTqeru25fZoBHP/6dnVkTmHHuktHTcRtSubBhz+kKjBSovKk3fUL14W4og7+ULcWtmgcuF2usAMywi2/N0vkpp/IuU/qj62R1fGqpHLxxjDZJGjX+a5mkl+DV2yJmCE=,iv:X5o0hrBOE3hbNH2OxPHGpKXAUOUhRVZ5NEsdE2SxLbM=,tag:/qTqy/d6N2CoeegkDo2Yfg==,type:str] + lastmodified: "2025-10-30T14:24:06Z" + mac: ENC[AES256_GCM,data:nZA2oHESh/NCHhAG5u7xAMRdd6J7Pvocc9jg5gFSAcSxrrjaAX4xK/MX5LEG3YTbIHD+/b7CxpalJ6IEJi2X5cr4p0trQmes8Eu6+VXs14bOk7Mfa1Yu5jfzwOwlZcmP/0k+rB8RzuOUlzgILL1OKqyJ/Xi5tItDAaKl9jGzczM=,iv:/Z9hU+o3SNBZU+jL3+fk7nzB69ownTHhT2Iq3VnyYU4=,tag:EapUHp+jMosjiGcR2FGVyQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 138bb67ffb1530330105056e2db70e44fa425564 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 30 Oct 2025 21:26:18 +0100 Subject: [PATCH 154/251] feat(just): add assert utility function/recipe --- .just/machine.just | 3 ++- .justfile | 13 ++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index 6dabbc0..1ce791f 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -5,5 +5,6 @@ ls -1 ../systems/x86_64-linux/ [doc('Update the target machine')] -update machine: +@update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file diff --git a/.justfile b/.justfile index 2788376..3a15d20 100644 --- a/.justfile +++ b/.justfile 
@@ -19,4 +19,15 @@ mod machine '.just/machine.just' [doc('Introspection on flake output')] @select key: - nix eval --json .#{{ key }} | jq . \ No newline at end of file + nix eval --json .#{{ key }} | jq . + + + +#=============================================================================================== +# Utils +#=============================================================================================== +[no-exit-message] +[no-cd] +[private] +@assert condition message: + [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file From 15103b16baaa0333ef585050a0b4f78f8ab99c3e Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 20:57:39 +0000 Subject: [PATCH 155/251] ops(secrets): set secret "synapse/oidc_id" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index adace84..bc92d4e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -5,6 +5,8 @@ zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] +synapse: + oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
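Review bot: The `assert` recipe splices `{{ condition }}` and `{{ message }}` into the shell line as raw text, so both arguments are parsed by the shell a second time. The caller in `.just/machine.just` passes a message that already contains the user-supplied `machine` and the expanded `ls` output, which means a quote, backtick or `$(...)` in a machine or directory name is evaluated instead of printed. Quoting the message at the point of use removes that: `[ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m "{{ quote(message) }}"\n"; exit 1; }`. `condition` is an expression by design, so callers that build it from a parameter should wrap the parameter in `quote()` as well.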
@@ -25,7 +27,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T14:24:06Z" - mac: ENC[AES256_GCM,data:nZA2oHESh/NCHhAG5u7xAMRdd6J7Pvocc9jg5gFSAcSxrrjaAX4xK/MX5LEG3YTbIHD+/b7CxpalJ6IEJi2X5cr4p0trQmes8Eu6+VXs14bOk7Mfa1Yu5jfzwOwlZcmP/0k+rB8RzuOUlzgILL1OKqyJ/Xi5tItDAaKl9jGzczM=,iv:/Z9hU+o3SNBZU+jL3+fk7nzB69ownTHhT2Iq3VnyYU4=,tag:EapUHp+jMosjiGcR2FGVyQ==,type:str] + lastmodified: "2025-10-30T20:57:37Z" + mac: ENC[AES256_GCM,data:Al8mN4HtSaTjlSBjYEgdcuR0YmqRNNhvW1tGRzQvQgXpC1tkM4HWpVuYQdpHXqtyz2DYMFRhTX4VqVJFvgh/MD1wN+6KGj05uJOlcr4yGr7DBlO2xX2aF0q+4w/mNnBbyFF7QwRMFWH3YBW3PDq+eDAQ5aqquucT+1HeDxcwWFI=,iv:PhNv0Pa/Wuxn4plzExeLBHHYGtE54IKj7AuuPJ3VPlU=,tag:fQz/DUp54isRUjSmnUnuZA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 01f9340cfb83907ab64de6807431b3452d092aca Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 30 Oct 2025 20:58:02 +0000 Subject: [PATCH 156/251] ops(secrets): set secret "synapse/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index bc92d4e..250b1af 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -7,6 +7,7 @@ forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] + oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -27,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T20:57:37Z" - mac: ENC[AES256_GCM,data:Al8mN4HtSaTjlSBjYEgdcuR0YmqRNNhvW1tGRzQvQgXpC1tkM4HWpVuYQdpHXqtyz2DYMFRhTX4VqVJFvgh/MD1wN+6KGj05uJOlcr4yGr7DBlO2xX2aF0q+4w/mNnBbyFF7QwRMFWH3YBW3PDq+eDAQ5aqquucT+1HeDxcwWFI=,iv:PhNv0Pa/Wuxn4plzExeLBHHYGtE54IKj7AuuPJ3VPlU=,tag:fQz/DUp54isRUjSmnUnuZA==,type:str] + lastmodified: "2025-10-30T20:58:01Z" + mac: ENC[AES256_GCM,data:7vQ5wV58UNUH5bOgyUxaifAbU3GTqZi2gH+rpAR+d/31rx8yeKVNMj0aWA5ianpUvVt2kbaap6Aj+Sxl3M8wI9jtg2o/3FmR+xEHEWgQ/jw1q9zvKIAUV6SeM1Hg639iV3xcC8F8U+Xy50H85f4B3XQWGJMnUamqH9LYrUjv8nY=,iv:vOGvilRSrPZW3uir1nwlxzhg+hXE5yw6r8vCr5Cxmt0=,tag:X9OYdCPuDz3o5kYLUKHmXg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From f33f05a5b64e1e7a16245f69d50ab4d60c4b1254 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 15:18:53 +0100 Subject: [PATCH 157/251] feat(zitadel): implement and use even more of the zitadel API --- .../authentication/zitadel/default.nix | 236 +++++++++++++++--- .../services/communication/matrix/default.nix | 55 ++-- systems/x86_64-linux/ulmo/default.nix | 38 +++ 3 files changed, 271 insertions(+), 58 deletions(-) 
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index eaa3c60..917bde4 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -73,6 +73,40 @@ in ''; }; + role = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = + let + roleName = name; + in + { + displayName = mkOption { + type = types.str; + default = toSentenceCase name; + example = "RoleName"; + description = '' + Name used for project role. + ''; + }; + + group = mkOption { + type = types.nullOr types.str; + default = null; + example = "some_group"; + description = '' + Group used for project role. + ''; + }; + }; + })); + }; + + assign = mkOption { + default = {}; + type = types.attrsOf (types.listOf types.str); + }; + application = mkOption { default = {}; type = types.attrsOf (types.submodule { 
@@ -174,6 +208,74 @@ in }; })); }; + + action = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ name, ... }: { + options = { + script = mkOption { + type = types.str; + example = '' + (ctx, api) => { + api.v1.claims.setClaim('some_claim', 'some_value'); + }; + ''; + description = '' + The script to run. This must be a function that receives 2 parameters, and returns void. During the creation of the action's script this module simly does `const {{name}} = {{script}}`. + ''; + }; + + timeout = mkOption { + type = (types.ints.between 0 20); + default = 10; + example = "10"; + description = '' + After which time the action will be terminated if not finished. + ''; + }; + + allowedToFail = mkOption { + type = types.bool; + default = true; + example = "true"; + description = '' + Allowed to fail. + ''; + }; + }; + })); + }; + + triggers = mkOption { + default = []; + type = types.listOf (types.submodule { + options = { + flowType = mkOption { + type = types.enum [ "authentication" "customiseToken" "internalAuthentication" "samlResponse" ]; + example = "customiseToken"; + description = '' + Type of the flow to which the action triggers belong. + ''; + }; + + triggerType = mkOption { + type = types.enum [ "postAuthentication" "preCreation" "postCreation" "preUserinfoCreation" "preAccessTokenCreation" "preSamlResponse" ]; + example = "postAuthentication"; + description = '' + Trigger type on when the actions get triggered. + ''; + }; + + actions = mkOption { + type = types.nonEmptyListOf types.str; + example = ''[ "action_name" ]''; + description = '' + Names of actions to trigger + ''; + }; + }; + }); + }; }; })); }; 
@@ -191,23 +293,28 @@ in mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; mapValue = type: value: ({ + appType = mapEnum "OIDC_APP_TYPE" value; grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value; responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value; + authMethodType = mapEnum "OIDC_AUTH_METHOD_TYPE" value; + + flowType = mapEnum "FLOW_TYPE" value; + triggerType = mapEnum "TRIGGER_TYPE" value; + accessTokenType = mapEnum "OIDC_TOKEN_TYPE" value; }."${type}" or value); toResource = name: value: nameValuePair (toSnakeCase name) (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); - withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); - withDefaults = defaults: attrs: defaults // attrs; select = keys: callback: set: if (length keys) == 0 then mapAttrs' callback set else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set + ; config' = config; 
@@ -231,57 +338,105 @@ in resource = { # Organizations - zitadel_org = cfg.organization |> select [] (name: value: - value - |> getAttrs [ "isDefault" ] - |> withName name + zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: + { inherit name isDefault; } |> toResource name ); # Projects per organization - zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: - value - |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] - |> withName name - |> withRef "org" org - |> toResource name + zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: + { + inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; + } + |> withRef "org" org + |> toResource "${org}_${name}" ); # Each OIDC app per project - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - value - |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] - |> withName name + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: + { + inherit name redirectUris grantTypes responseTypes; + + accessTokenRoleAssertion = true; + idTokenRoleAssertion = true; + accessTokenType = "JWT"; + } |> withRef "org" org - |> withRef "project" project - |> toResource name + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" + ); + + # Each project role + zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: + { inherit (value) displayName group; roleKey = name; } + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" + ); + + # Each project role assignment + zitadel_user_grant = cfg.organization |> select [ 
"project" "assign" ] (org: project: user: roles: + { roleKeys = roles; } + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" + |> toResource "${org}_${project}_${user}" ); # Users - zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: value: - value - |> getAttrs [ "email" "userName" "firstName" "lastName" ] + zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + { + inherit email userName firstName lastName; + + isEmailVerified = true; + } |> withRef "org" org - |> withDefaults { isEmailVerified = true; } - |> toResource name + |> toResource "${org}_${name}" ); # Global user roles zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: { roles = value.instanceRoles; } - |> withRef "user" name - |> toResource name + |> withRef "user" "${org}_${name}" + |> toResource "${org}_${name}" ); # Organazation specific roles - zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: value: - value - |> getAttrs [ "roles" ] + zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: + { inherit roles; } |> withRef "org" org - |> withRef "user" name - |> toResource name + |> withRef "user" "${org}_${name}" + |> toResource "${org}_${name}" ); + # Organazation's actions + zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: + { + inherit allowedToFail name; + timeout = "${toString timeout}s"; + script = "const ${name} = ${script}"; + } + |> withRef "org" org + |> toResource "${org}_${name}" + ); + + # Organazation's action assignments + zitadel_trigger_actions = cfg.organization + |> concatMapAttrs (org: { triggers, ... }: + triggers + |> imap0 (i: { flowType, triggerType, actions, ... 
}: (let name = "trigger_${toString i}"; in + { + inherit flowType triggerType; + + actionIds = actions + |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + |> listToAttrs + ); + # SMTP config zitadel_smtp_config.default = { sender_address = "chris@kruining.eu"; @@ -289,18 +444,18 @@ in tls = true; host = "black-mail.nl:587"; user = "chris@kruining.eu"; - password = lib.tfRef "file(\"${config'.sops.secrets."email/chris_kruining_eu".path}\")"; + password = lib.tfRef "file(\"${config'.sops.secrets."zitadel/email".path}\")"; set_active = true; }; # Client credentials per app local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - nameValuePair name { + nameValuePair "${org}_${project}_${name}" { content = '' - CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_id"} - CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${name}.client_secret"} + CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} + CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} ''; - filename = "/var/lib/zitadel/clients/${name}"; + filename = "/var/lib/zitadel/clients/${org}_${project}_${name}"; } ); }; @@ -335,6 +490,9 @@ in exit 1 fi + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + # Copy infra code into workspace cp -f ${terraformConfiguration} config.tf.json @@ -342,6 +500,7 @@ in ${lib.getExe pkgs.opentofu} init # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan ${lib.getExe pkgs.opentofu} apply -auto-approve ''; 
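Review bot: `zitadel_instance_member` and `zitadel_org_member` are generated for every entry under `user`, including users whose `instanceRoles` or `roles` are left at the default `[]`. Every declared user therefore gets an instance-level member resource, which either fails at apply time or leaves a role-less membership behind, depending on how the provider treats an empty list (not verifiable from this hunk). Emitting the member resource only when the list is non-empty keeps instance-wide privileges opt-in, for example by filtering the users with `lib.filterAttrs (_: u: u.instanceRoles != [])` before the resource is built. In the same hunk `isEmailVerified = true` is now fixed for all human users, so a mistyped address is treated as verified; an option defaulting to `true` would allow it to be switched off.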
@@ -475,9 +634,10 @@ in restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 }; - "email/chris_kruining_eu" = { + "zitadel/email" = { owner = "zitadel"; group = "zitadel"; + key = "email/chris_kruining_eu"; restartUnits = [ "zitadel.service" ]; }; }; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 38dfe0c..2d9ecd5 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -29,43 +29,33 @@ in enable = true; extras = [ "oidc" ]; - # plugins = with config.services.matrix-synapse.package.plugins; []; + + extraConfigFiles = [ + config.sops.templates."synapse-oidc.yaml".path + ]; settings = { server_name = domain; public_baseurl = "https://${fqn}"; + enable_metrics = true; + registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; url_preview_enabled = true; precence.enabled = true; # Since we'll be using OIDC for auth disable all local options - enable_registration = false; + enable_registration = true; + enable_registration_without_verification = true; password_config.enabled = false; + backchannel_logout_enabled = true; sso = { client_whitelist = [ "http://[::1]:9092" ]; update_profile_information = true; }; - oidc_providers = [ - { - discover = true; - - idp_id = "zitadel"; - idp_name = "Zitadel"; - issuer = "https://auth.kruining.eu"; - client_id = "337858153251143939"; - client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; - scopes = [ "openid" "profile" ]; - # user_mapping_provider.config = { - # localpart_template = "{{ user.prefered_username }}"; - # display_name_template = "{{ user.name }}"; - # }; - } - ]; - database = { # this is postgresql (also the default, but I prefer to be explicit) name = "psycopg2"; 
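Review bot: The `restartUnits` context line directly above the renamed secret ends in a trailing `#…` comment that looks like a credential rather than a remark. If it is one, it is readable by anyone with access to the repository and remains in history after the line is cleaned up, so the value should be rotated and the comment removed. The enclosing `sops.secrets` set starts outside the hunk.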
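Review bot: `registration_shared_secret` is added as a string literal in `settings`, so the secret is committed to the repository and rendered into the world-readable Nix store. It belongs in the sops-rendered file already passed through `extraConfigFiles`, or in `registration_shared_secret_path` pointing at a sops secret (`config.sops.secrets."<registration-secret-name>".path`), and the committed value should be rotated. The same hunk sets `enable_registration = true` and adds `enable_registration_without_verification = true` under a comment that says local options are being disabled, which allows open registration without email or captcha verification; if OIDC is the only intended path, both should be `false`. The `client_secret` removed here stays in git history, so it is only protected if the value now stored in sops is a newly issued one.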
@@ -85,7 +75,7 @@ in resources = [ { - names = [ "client" "federation" ]; + names = [ "client" "federation" "openid" "metrics" "media" "health" ]; compress = true; } ]; @@ -175,5 +165,30 @@ in }; }; }; + + sops = { + secrets = { + "synapse/oidc_id" = {}; + "synapse/oidc_secret" = {}; + }; + + templates = { + "synapse-oidc.yaml" = { + owner = "matrix-synapse"; + content = '' + oidc_providers: + - discover: true + idp_id: zitadel + idp_name: Zitadel + issuer: "https://auth.kruining.eu" + scopes: + - openid + - profile + client_id: '${config.sops.placeholder."synapse/oidc_id"}' + client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' + ''; + }; + }; + }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index e776927..0c8a67b 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -57,6 +57,23 @@ project = { ulmo = { + projectRoleCheck = true; + projectRoleAssertion = true; + hasProjectCheck = true; + + role = { + jellyfin = { + group = "jellyfin"; + }; + jellyfin_admin = { + group = "jellyfin"; + }; + }; + + assign = { + chris = [ "jellyfin" "jellyfin_admin" ]; + }; + application = { jellyfin = { redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; @@ -78,6 +95,27 @@ }; }; }; + + action = { + flattenRoles = { + script = '' + (ctx, api) => { + if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) { + return; + } + + const roles = ctx.v1.user.grants.grants.flatMap(({ roles, projectId }) => roles.map(role => projectId + ':' + role)); + + api.v1.claims.setClaim('nix:zitadel:custom', JSON.stringify({ roles })); + }; + ''; + }; + }; + + triggers = [ + { flowType = "customiseToken"; triggerType = "preUserinfoCreation"; actions = [ "flattenRoles" ]; } + { flowType = "customiseToken"; triggerType = "preAccessTokenCreation"; actions = [ "flattenRoles" ]; } + ]; }; }; }; From 9b819a2a58397bee38aa1d25d1fedf093d18dab6 Mon Sep 17 00:00:00 2001 
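Review bot: Adding `"metrics"` to `names` in the `@@ -85,7 +75,7 @@` hunk serves `/_synapse/metrics` on the same listener as `client` and `federation`. The listener's port and bind address are outside the hunk, but if this is the listener the reverse proxy publishes, the metrics become readable without authentication. Synapse's documentation advises a dedicated listener for metrics; a separate entry bound to loopback with `names = [ "metrics" ];` keeps scraping local.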
From: Chris Kruining Date: Mon, 3 Nov 2025 15:19:41 +0100 Subject: [PATCH 158/251] feat(forgejo): update config to use secrets --- .../services/development/forgejo/default.nix | 51 +++++++++++++++---- 1 file changed, 40 insertions(+), 11 deletions(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 46e0995..39e8215 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption mkOption; cfg = config.${namespace}.services.development.forgejo; domain = "git.amarth.cloud"; @@ -8,6 +9,15 @@ in { options.${namespace}.services.development.forgejo = { enable = mkEnableOption "Forgejo"; + + port = mkOption { + type = lib.types.port; + default = 5002; + example = "1234"; + description = '' + Which port to bind forgejo to + ''; + }; }; config = mkIf cfg.enable { @@ -33,7 +43,7 @@ in server = { DOMAIN = domain; ROOT_URL = "https://${domain}/"; - HTTP_PORT = 5002; + HTTP_PORT = cfg.port; LANDING_PAGE = "explore"; }; @@ -83,7 +93,7 @@ in openid = { ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "https://auth.amarth.cloud"; + WHITELISTED_URIS = "https://auth.kruining.eu"; }; oauth2_client = { @@ -102,6 +112,10 @@ in SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; }; + metrics = { + ENABLED = true; + }; + api = { ENABLE_SWAGGER = false; }; @@ -120,9 +134,9 @@ in PROTOCOL = "smtp+starttls"; SMTP_ADDR = "black-mail.nl"; SMTP_PORT = 587; - FROM = "info@amarth.cloud"; - USER = "info@amarth.cloud"; - PASSWD = "__TODO_USE_SOPS__"; + FROM = "chris@kruining.eu"; + USER = "chris@kruining.eu"; + PASSWD_URI = "file:${config.sops.secrets."forgejo/email".path}"; }; }; }; 
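Review bot: `example = "1234";` in the `@@ -8,6 +9,15 @@` hunk is a string while the option type is `lib.types.port`, so a value copied from the example would fail type checking; use `example = 1234;`. The description could also state that Caddy proxies to this port on `127.0.0.1`, which is what the virtual host later in this commit does with `toString cfg.port`.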
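Review bot: `metrics.ENABLED = true` in the `@@ -102,6 +112,10 @@` hunk turns on `/metrics` without a `TOKEN`, and the Caddy virtual host later in this commit proxies every path to Forgejo. Unless something outside these hunks filters the path, the endpoint is reachable unauthenticated on the public domain. Either set `[metrics] TOKEN` from a secret or block the path at the proxy, e.g. `respond /metrics 403` ahead of `reverse_proxy`.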
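Review bot: I could not confirm that Forgejo reads a `PASSWD_URI` key in `[mailer]` (`@@ -120,9 +134,9 @@` hunk); as far as I know the `_URI` form is documented for keys such as `SECRET_KEY` and `INTERNAL_TOKEN` only. If the key is ignored, the mailer runs without a password and SMTP authentication fails only when a mail is sent. Please verify with a test mail, or use the NixOS module's file-based secret support, e.g. `services.forgejo.secrets.mailer.PASSWD = config.sops.secrets."forgejo/email".path;`, if the nixpkgs revision in use provides it.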
@@ -137,8 +151,8 @@ in url = "https://git.amarth.cloud"; # Obtaining the path to the runner token file may differ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - # tokenFile = config.age.secrets.forgejo-runner-token.path; - token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; + tokenFile = config.sops.secrets."forgejo/action_runner_token".path; + # token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ "default:docker://nixos/nix:latest" "ubuntu:docker://ubuntu:24-bookworm" @@ -153,17 +167,32 @@ in caddy = { enable = true; virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z + "${domain}".extraConfig = '' + # import auth # stupid dumb way to prevent the login page and go to zitadel instead # be aware that this does not disable local login at all! # rewrite /user/login /user/oauth2/Zitadel - reverse_proxy http://127.0.0.1:5002 + reverse_proxy http://127.0.0.1:${toString cfg.port} ''; }; }; }; + + sops.secrets = { + "forgejo/action_runner_token" = { + owner = "gitea-runner"; + group = "gitea-runner"; + restartUnits = [ "gitea-runner-default.service" ]; + }; + + "forgejo/email" = { + owner = "forgejo"; + group = "forgejo"; + key = "email/chris_kruining_eu"; + restartUnits = [ "forgejo.service" ]; + }; + }; }; } From 13697bfc51a80ae4aa5fd055a87eaba1da797feb Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 3 Nov 2025 15:22:55 +0000 Subject: [PATCH 159/251] ops(secrets): set secret "synapse/oidc_id" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 250b1af..b241d67 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
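Review bot: The old runner registration token stays in the file as a commented-out `# token = "…";` line in the `@@ -137,8 +151,8 @@` hunk, so the move to `tokenFile` does not remove the plaintext value from the tree. Delete the commented line and regenerate the runner token, since the value is already in history. The comment above says the file is consumed as an EnvironmentFile, so the sops secret has to contain the `TOKEN=` prefix; a one-line comment on the `"forgejo/action_runner_token"` entry stating that would prevent a silent registration failure.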
@@ -6,7 +6,7 @@ zitadel: forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: - oidc_id: ENC[AES256_GCM,data:GPc4XBmIqWKbisN8patC0MNR,iv:wKCZ7PWn1WZOboc9I3JQXaxn4NiqMckCgC4d001F7jk=,tag:CBKcW4luhrJ+BOGH+UBmog==,type:str] + oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str] sops: age: @@ -28,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-30T20:58:01Z" - mac: ENC[AES256_GCM,data:7vQ5wV58UNUH5bOgyUxaifAbU3GTqZi2gH+rpAR+d/31rx8yeKVNMj0aWA5ianpUvVt2kbaap6Aj+Sxl3M8wI9jtg2o/3FmR+xEHEWgQ/jw1q9zvKIAUV6SeM1Hg639iV3xcC8F8U+Xy50H85f4B3XQWGJMnUamqH9LYrUjv8nY=,iv:vOGvilRSrPZW3uir1nwlxzhg+hXE5yw6r8vCr5Cxmt0=,tag:X9OYdCPuDz3o5kYLUKHmXg==,type:str] + lastmodified: "2025-11-03T15:22:54Z" + mac: ENC[AES256_GCM,data:VCZ394QncfeahWhVb08LUUIyGP0XdRkuH+uXij1SF3r9yiNZPS97oDCacoqZ7qZZ0/0jvcPBWp0HuYqLobIT0ACuhndN7nKHo5xZqlVa/nXqclvXU4iXWoqfhFs8vO5eAX+8gOhtTzJxfJF8CXzG4k2NG/wAgoyPWlJP8McnXkk=,iv:/Bkid1GN9o43eEyLokY3TeXOgG05GHKkcVu7D+dXX2g=,tag:4b3U+vTSexPuQHuqNVHACA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 7125d8d375f542cb5acd0ec4b6d4ff8c06c3f558 Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 3 Nov 2025 15:23:12 +0000 Subject: [PATCH 160/251] ops(secrets): set secret "synapse/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b241d67..0222f74 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -7,7 +7,7 @@ forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] - oidc_secret: ENC[AES256_GCM,data:3Z8XwAPBHUG7Z09uTkd0ZH80lRVPF2a8tt0cFvrFA9s5R6G2ULkbHZM5V2VZBZ7FNhv7JINilGdRaibvF3U3Tg==,iv:U5Z3VcuWxwX5kNTvmG7YFiPJSl8Xg2nRDPdz0tekric=,tag:o2s67WjB7mXJlyo8jlcUzw==,type:str] + oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -28,7 +28,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-03T15:22:54Z" - mac: ENC[AES256_GCM,data:VCZ394QncfeahWhVb08LUUIyGP0XdRkuH+uXij1SF3r9yiNZPS97oDCacoqZ7qZZ0/0jvcPBWp0HuYqLobIT0ACuhndN7nKHo5xZqlVa/nXqclvXU4iXWoqfhFs8vO5eAX+8gOhtTzJxfJF8CXzG4k2NG/wAgoyPWlJP8McnXkk=,iv:/Bkid1GN9o43eEyLokY3TeXOgG05GHKkcVu7D+dXX2g=,tag:4b3U+vTSexPuQHuqNVHACA==,type:str] + lastmodified: "2025-11-03T15:23:12Z" + mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 7100d1c59c1b73dca6d6e0f67ef205c79fe0fb2c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 16:33:08 +0100 Subject: [PATCH 161/251] restart synapse when secrets change --- modules/nixos/services/communication/matrix/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 2d9ecd5..f84c002 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -187,6 +187,7 @@ in client_id: '${config.sops.placeholder."synapse/oidc_id"}' client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' ''; + restartUnits = [ "matrix-synapse.service" ]; }; }; }; From 8104ba7e932d028a0a3beba6047cc4fecf8bb451 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 16:36:19 +0100 Subject: [PATCH 162/251] feat(zitadel): change the default value of the username to the key instead of the email. This should ensure that binding to the apps goes more smoothly --- modules/nixos/services/authentication/zitadel/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 917bde4..7540e2f 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -165,10 +165,10 @@ in userName = mkOption { type = types.nullOr types.str; - default = cfg.organization.${org}.user.${username}.email; - example = "someone@some.domain"; + default = username; + example = "some_user_name"; description = '' - Username. Default value is the user's email, you can overwrite that by setting this option + Username. Default value is the key of the config object you created, you can overwrite that by setting this option ''; }; 
From 5668e1048da9153d17336616c8bcc93fe4ad1911 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 3 Nov 2025 16:47:09 +0100 Subject: [PATCH 163/251] chore: create temporary extra user in zitadel --- systems/x86_64-linux/ulmo/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0c8a67b..7657eac 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -53,6 +53,12 @@ roles = [ "ORG_OWNER" ]; instanceRoles = [ "IAM_OWNER" ]; }; + + kaas = { + email = "chris+kaas@kruining.eu"; + firstName = "Kaas"; + lastName = "Kruining"; + }; }; project = { @@ -72,6 +78,7 @@ assign = { chris = [ "jellyfin" "jellyfin_admin" ]; + kaas = [ "jellyfin" ]; }; application = { From 2402ec0761117dc0e1b3727368fd6834136a5367 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 09:46:19 +0100 Subject: [PATCH 164/251] fix(synapse): add user mapping to fix login via sso --- modules/nixos/services/communication/matrix/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index f84c002..c9dd26a 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -186,6 +186,11 @@ in - profile client_id: '${config.sops.placeholder."synapse/oidc_id"}' client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' + backchannel_logout_enabled: true + user_mapping_provider: + config: + localpart_template: "{{ user.preferred_username }}" + display_name_template: "{{ user.name }}" ''; restartUnits = [ "matrix-synapse.service" ]; }; From c98b3eefe1f5e65202da31f587a8d2fcb616bdfb Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Tue, 4 Nov 2025 13:30:34 +0100 Subject: [PATCH 165/251] feat: set up clan cli --- .envrc | 2 + flake.lock | 229 ++++++++++++++++++++++++++++++++++--- flake.nix | 9 ++ shells/default/default.nix | 10 ++ 4 files changed, 237 insertions(+), 13 deletions(-) create mode 100644 .envrc create mode 100644 shells/default/default.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..0f94eed --- /dev/null +++ b/.envrc @@ -0,0 +1,2 @@ +# shellcheck shell=bash +use flake diff --git a/flake.lock b/flake.lock index 935fbaf..5ed2f72 100644 --- a/flake.lock +++ b/flake.lock 
@@ -68,6 +68,81 @@ "type": "github" } }, + "clan-core": { + "inputs": { + "data-mesher": "data-mesher", + "disko": "disko", + "flake-parts": "flake-parts", + "nix-darwin": "nix-darwin", + "nix-select": "nix-select", + "nixos-facter-modules": "nixos-facter-modules", + "nixpkgs": [ + "nixpkgs" + ], + "sops-nix": "sops-nix", + "systems": "systems", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1762254206, + "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", + "rev": "43a7652624e76d60a93325c711d01620801d4382", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz" + } + }, + "data-mesher": { + "inputs": { + "flake-parts": [ + "clan-core", + "flake-parts" + ], + "nixpkgs": [ + "clan-core", + "nixpkgs" + ], + "treefmt-nix": [ + "clan-core", + "treefmt-nix" + ] + }, + "locked": { + "lastModified": 1760612273, + "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", + "rev": "0099739c78be750b215cbdefafc9ba1533609393", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761899396, + "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", + "owner": "nix-community", + "repo": "disko", + "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "erosanix": { "inputs": { "flake-compat": "flake-compat", 
@@ -224,6 +299,27 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762040540, + "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "0010412d62a25d959151790968765a70c436598b", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -244,7 +340,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -265,7 +361,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "terranix", @@ -288,7 +384,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -325,7 +421,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -343,7 +439,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -361,7 +457,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1694529238, @@ -564,6 +660,27 @@ "type": "github" } }, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762186368, + "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", + "owner": "nix-darwin", + "repo": "nix-darwin", + "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", + "type": "github" + }, + "original": { + "owner": "nix-darwin", + "repo": "nix-darwin", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ 
@@ -606,6 +723,19 @@ "type": "github" } }, + "nix-select": { + "locked": { + "lastModified": 1755887746, + "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", + "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", + "type": "tarball", + "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz" + } + }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -636,6 +766,21 @@ "type": "github" } }, + "nixos-facter-modules": { + "locked": { + "lastModified": 1761137276, + "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", + "owner": "nix-community", + "repo": "nixos-facter-modules", + "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-facter-modules", + "type": "github" + } + }, "nixos-generators": { "inputs": { "nixlib": "nixlib", @@ -865,10 +1010,10 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "mnw": "mnw", "nixpkgs": "nixpkgs_7", - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1760153667, @@ -909,6 +1054,7 @@ }, "root": { "inputs": { + "clan-core": "clan-core", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", @@ -925,7 +1071,7 @@ "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", - "sops-nix": "sops-nix", + "sops-nix": "sops-nix_2", "stylix": "stylix", "terranix": "terranix", "zen-browser": "zen-browser" 
@@ -992,6 +1138,27 @@ } }, "sops-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "sops-nix_2": { "inputs": { "nixpkgs": "nixpkgs_8" }, @@ -1016,11 +1183,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_6", + "systems": "systems_7", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -1146,13 +1313,28 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1757278723, 
@@ -1249,6 +1431,27 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "clan-core", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1761311587, + "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "zen-browser": { "inputs": { "home-manager": "home-manager_2", diff --git a/flake.nix b/flake.nix index 8ea1571..d7a7508 100644 --- a/flake.nix +++ b/flake.nix @@ -83,6 +83,11 @@ url = "github:terranix/terranix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + clan-core = { + url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { @@ -119,6 +124,10 @@ flux.overlays.default ]; + systems.modules = with inputs; [ + clan-core.nixosModules.default + ]; + homes.modules = with inputs; [ stylix.homeModules.stylix plasma-manager.homeModules.plasma-manager diff --git a/shells/default/default.nix b/shells/default/default.nix new file mode 100644 index 0000000..0361f88 --- /dev/null +++ b/shells/default/default.nix @@ -0,0 +1,10 @@ +{ mkShell, inputs, pkgs, ... }: + +mkShell { + packages = with pkgs; [ + bash + sops + just + inputs.clan-core.packages.x86_64-linux.clan-cli + ]; +} \ No newline at end of file From fab1df76c783a87587d961718e8411ec68413f72 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 13:31:15 +0100 Subject: [PATCH 166/251] chore: update commit message in just recipes --- .just/vars.just | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.just/vars.just b/.just/vars.just index 167144a..b4d6be2 100644 --- a/.just/vars.just +++ b/.just/vars.just 
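Review bot: `clan-core.nixosModules.default` is added to `systems.modules` in the `@@ -119,6 +124,10 @@` hunk of flake.nix, which evaluates a third-party module set on every host although the commit title only sets up the CLI. If only `clan-cli` is needed, the dev-shell package is enough and the module import can wait until a host actually uses clan options. The input follows `main.tar.gz` on an external forge, so each `nix flake update` pulls new upstream code into all systems; the lock pins the hash, but a comment on the input such as `# imported system-wide: review clan-core changes on every lock bump` would make that trust decision visible.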
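Review bot: `inputs.clan-core.packages.x86_64-linux.clan-cli` hard-codes the platform in shells/default/default.nix, so the shell gets the x86_64 build whatever system it is instantiated for. `inputs.clan-core.packages.${pkgs.stdenv.hostPlatform.system}.clan-cli` keeps it portable. The file also ends without a trailing newline.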
@@ -16,7 +16,7 @@ list machine: {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" @@ -27,6 +27,6 @@ list machine: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" \ No newline at end of file From e7cedfb6393a0f824713737782c531dc174c1902 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 15:08:54 +0100 Subject: [PATCH 167/251] fix(Zitadel): filter out empty roles --- .../authentication/zitadel/default.nix | 78 ++++++++++--------- 1 file changed, 43 insertions(+), 35 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 7540e2f..402d59d 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
@@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -340,7 +340,7 @@ in # Organizations zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: { inherit name isDefault; } - |> toResource name + |> toResource name ); # Projects per organization @@ -348,8 +348,8 @@ in { inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Each OIDC app per project 
@@ -361,26 +361,26 @@ in idTokenRoleAssertion = true; accessTokenType = "JWT"; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> toResource "${org}_${project}_${name}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" ); # Each project role zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: { inherit (value) displayName group; roleKey = name; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> toResource "${org}_${project}_${name}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" ); # Each project role assignment zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: { roleKeys = roles; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> withRef "user" "${org}_${user}" - |> toResource "${org}_${project}_${user}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" + |> toResource "${org}_${project}_${user}" ); # Users 
@@ -390,24 +390,30 @@ in isEmailVerified = true; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Global user roles - zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: - { roles = value.instanceRoles; } + zitadel_instance_member = + cfg.organization + |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0)) + |> select [ "user" ] (org: name: { instanceRoles, ... }: + { roles = instanceRoles; } |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" - ); + ); # Organazation specific roles - zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: - { inherit roles; } + zitadel_org_member = + cfg.organization + |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0)) + |> select [ "user" ] (org: name: { roles, ... }: + { inherit roles; } |> withRef "org" org |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" - ); + ); # Organazation's actions zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: 
@@ -416,25 +422,27 @@ in timeout = "${toString timeout}s"; script = "const ${name} = ${script}"; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Organazation's action assignments - zitadel_trigger_actions = cfg.organization + zitadel_trigger_actions = + cfg.organization |> concatMapAttrs (org: { triggers, ... }: triggers - |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in - { - inherit flowType triggerType; + |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in + { + inherit flowType triggerType; - actionIds = actions - |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); - } - |> withRef "org" org - |> toResource "${org}_${name}" - )) - |> listToAttrs + actionIds = + actions + |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + |> listToAttrs ); # SMTP config From 2e81d16f24fcb70422021321c7290a1890127cc3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 4 Nov 2025 15:09:41 +0100 Subject: [PATCH 168/251] chore: suppress error messages They dirty the output too much when nix fails --- .just/machine.just | 1 + 1 file changed, 1 insertion(+) diff --git a/.just/machine.just b/.just/machine.just index 1ce791f..cbdf345 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -4,6 +4,7 @@ @list: ls -1 ../systems/x86_64-linux/ +[no-exit-message] [doc('Update the target machine')] @update machine: just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" From 5f92a379966dd24ec2872f59c128597df3ab0b78 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Tue, 4 Nov 2025 15:10:02 +0100 Subject: [PATCH 169/251] feat(Forgejo): enable mirroring --- modules/nixos/services/development/forgejo/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 39e8215..dbcef87 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -121,7 +121,7 @@ in }; mirror = { - ENABLED = false; + ENABLED = true; }; session = { From c64e98e0c0902e1841e170bdc8581196ad0cd0ac Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 5 Nov 2025 09:32:18 +0100 Subject: [PATCH 170/251] chore: clean up code --- .../nixos/services/backup/borg/default.nix | 2 +- modules/nixos/services/media/default.nix | 39 ------------------- systems/x86_64-linux/ulmo/default.nix | 3 +- 3 files changed, 3 insertions(+), 41 deletions(-) diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix index fbe5235..e200505 100644 --- a/modules/nixos/services/backup/borg/default.nix +++ b/modules/nixos/services/backup/borg/default.nix @@ -16,7 +16,7 @@ in paths = "/var/media/test"; encryption.mode = "none"; environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media"; + repo = "ssh://chris@beheer.hazelhof.nl:222/media"; compression = "auto,zstd"; startAt = "daily"; }; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index bc41fb4..9d915da 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -72,12 +72,6 @@ in settings = { auth.AuthenticationMethod = "External"; - - # postgres = { - # PostgresHost = "localhost"; - # PostgresPort = "5432"; - # PostgresUser = "media"; - # }; }; }; 
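Review bot: The borg job whose `repo` changes in the `@@ -16,7 +16,7 @@` hunk keeps `encryption.mode = "none";`, and this commit also enables `backup.borg` on ulmo, so archives are written to the remote host unencrypted. Use an encrypted mode with the passphrase taken from sops, e.g. `encryption.mode = "repokey-blake2";` with `encryption.passCommand = "cat ${config.sops.secrets."borg/passphrase".path}";` (placeholder secret name). `BORG_SSH` also points at a personal key under `/home/chris/.ssh`; a dedicated key for the backup job would limit what the job's credentials can reach. The job definition starts outside the hunk.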
@@ -152,39 +146,6 @@ in group = cfg.group; }; - # postgresql = { - # enable = true; - # ensureDatabases = [ - # "radarr-main" "radarr-log" - # "sonarr-main" "sonarr-log" - # "lidarr-main" "lidarr-log" - # "prowlarr-main" "prowlarr-log" - # ]; - # identMap = '' - # media media radarr-main - # media media radarr-log - # media media sonarr-main - # media media sonarr-log - # media media lidarr-main - # media media lidarr-log - # media media prowlarr-main - # media media prowlarr-log - # ''; - # ensureUsers = [ - # { name = "radarr-main"; ensureDBOwnership = true; } - # { name = "radarr-log"; ensureDBOwnership = true; } - - # { name = "sonarr-main"; ensureDBOwnership = true; } - # { name = "sonarr-log"; ensureDBOwnership = true; } - - # { name = "lidarr-main"; ensureDBOwnership = true; } - # { name = "lidarr-log"; ensureDBOwnership = true; } - - # { name = "prowlarr-main"; ensureDBOwnership = true; } - # { name = "prowlarr-log"; ensureDBOwnership = true; } - # ]; - # }; - caddy = { enable = true; virtualHosts = { diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7657eac..027dad6 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -38,7 +38,8 @@ sneeuwvlok = { services = { - # authentication.authelia.enable = true; + backup.borg.enable = true; + authentication.zitadel = { enable = true; From e3238aa60cfa9440249fcdb2ab1b0d4485251fe2 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 5 Nov 2025 09:34:08 +0100 Subject: [PATCH 171/251] chore: re-harden matrix server --- modules/nixos/services/communication/matrix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index c9dd26a..ce92df4 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
@@ -46,8 +46,8 @@ in precence.enabled = true; # Since we'll be using OIDC for auth disable all local options - enable_registration = true; - enable_registration_without_verification = true; + enable_registration = false; + enable_registration_without_verification = false; password_config.enabled = false; backchannel_logout_enabled = true; From 5ff60d46c75c9a9633fe598f5a854a4af5f4c16f Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:09:40 +0000 Subject: [PATCH 172/251] chore(secrets): set secret "test.users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0222f74..c9133c2 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
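Review bot: The context line just above the changed settings reads `precence.enabled = true;`, which looks like a misspelling of Synapse's `presence` option; if so the key is probably ignored and the line should be `presence.enabled = true;`. Separately, the removed lines show registration was open without verification until this commit, so accounts created in that window are worth reviewing now that both flags are false. The settings block starts and ends outside the hunk.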
@@ -8,6 +8,15 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] +test.users: + je_moeder: + email: ENC[AES256_GCM,data:oBY+8lUZby+MU2RPNdCx9A==,iv:MAxRGLLrhgsvPAuJua3sR+wmfELo7DLXxICye+BuoCg=,tag:qpEu2ga8rFOU6YoZNizOqQ==,type:str] + firstName: ENC[AES256_GCM,data:RlU=,iv:OK91Ql1em+05YkM6OtGQjfe0P3OexS460EBDm7sJOAo=,tag:Dlg/BZbQFTaSLl4l9/GGrw==,type:str] + lastName: ENC[AES256_GCM,data:1FMBOVqD,iv:Hyl5pQYp2Pr1HHDpwKzVZ5DzaG7Lnm9GG4BDL66im+E=,tag:KwOCbIaTYo8J3iGnFBYuBQ==,type:str] + je_vader: + email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] + firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] + lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
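Review bot: The added `test.users` block stores each field as its own sops value, so the key names (`je_moeder`, `je_vader`, `email`, `firstName`, `lastName`) stay readable in the file and in git history, because sops encrypts values and leaves keys in cleartext. The dotted key `test.users` also looks like a mistyped path, and patches 173 to 178 add and remove the same data under `test/users`, `users` and `zitadel/users`. Every one of those intermediate ciphertexts stays in history, encrypted to the same age recipient, so deleting the key later does not retire the data. Squashing this series before it is published, and keeping the user list as one encrypted value as patch 179 does, would keep both the structure and the churn out of history.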
@@ -28,7 +37,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-03T15:23:12Z" - mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str] + lastmodified: "2025-11-12T13:09:38Z" + mac: ENC[AES256_GCM,data:2+QMYauDL/A9yk7wQ+37yxr2FBZ0EAaYlVtCsZ0gb4CZjolapL8EdHWvD7OuqwA57xpOOyXazUjpw0yOxuqwpvSoBAOwMf/qDTLaAfRAHNoAqcUeuCO1SdX2Yhgy/XMXPAP32LpjOsejQIIcYSmq4xQ8W0bVjUGtSdWRpFOfJJw=,iv:IVI7u2iqLPbthXCa8k7jAX/SK8bPfzSK5CrsYoU4BBA=,tag:6u2BDG+7SZPE3WFVZtIhgg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 61deef854f9ab8c00fe154c8e924382b51be0865 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:11:05 +0000 Subject: [PATCH 173/251] chore(secrets): set secret "test/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index c9133c2..5715896 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -17,6 +17,16 @@ test.users: email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] +test: + users: + je_moeder: + email: ENC[AES256_GCM,data:fqwAh0RW2BbOMblczBl85A==,iv:HGrrFtdVpzv3jxnXcTTB46YzYnG4pd+Rrv0qS7gVg3o=,tag:4vZfHzEffvatg8kF5ASrAQ==,type:str] + firstName: ENC[AES256_GCM,data:hPo=,iv:49TQZVxzOq7cx9FL6mI+c9yzjMQKHgee3BeI0M2uBSY=,tag:hilJ5tkNIVi8UqJ2K2lGPA==,type:str] + lastName: ENC[AES256_GCM,data:m6F+qILM,iv:nzt6ALx5rPzcO7OXJl9r8+BNJ6gy3bwpI5EzjfVCpy4=,tag:giSOQfl6LZvr8Ii/RIJfZg==,type:str] + je_vader: + email: ENC[AES256_GCM,data:UIAQTCfDDtZSGB+R1W2M,iv:5jN7z5ExMHLxdNxJZgGiDCNlKIwYfF/q9r2GlYVONAs=,tag:4JZIk2CMhHt3uERXHCW7JA==,type:str] + firstName: ENC[AES256_GCM,data:yRs=,iv:ktZnOiXLV13xa6Y8jnyCETKwONTmAPtc3jeFoq6TLwA=,tag:LCTRmB3MfgHIAYLh5mlPTg==,type:str] + lastName: ENC[AES256_GCM,data:7F0ebJ0=,iv:iKkexa0DVk40IdMHP9ZtGVHQ+JuwdaUr37ql9ImhMUo=,tag:7VfUTtbdQTyIrgWqhydxog==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -37,7 +47,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:09:38Z" - mac: ENC[AES256_GCM,data:2+QMYauDL/A9yk7wQ+37yxr2FBZ0EAaYlVtCsZ0gb4CZjolapL8EdHWvD7OuqwA57xpOOyXazUjpw0yOxuqwpvSoBAOwMf/qDTLaAfRAHNoAqcUeuCO1SdX2Yhgy/XMXPAP32LpjOsejQIIcYSmq4xQ8W0bVjUGtSdWRpFOfJJw=,iv:IVI7u2iqLPbthXCa8k7jAX/SK8bPfzSK5CrsYoU4BBA=,tag:6u2BDG+7SZPE3WFVZtIhgg==,type:str] + lastmodified: "2025-11-12T13:11:04Z" + mac: ENC[AES256_GCM,data:Wjp8M3j/nhtb6rBTwodkZ3F7oZjLs/iHzBoQha+rI7yFLpOHs1CLju68FDEueD7viP6hO3gvdGOBydsk+DZXD6PoGzFYaY3Q2dSH5Rohh7hOtKbJ65Zf9b8Rsg2zj05moqeB8HU8NwTCOcwlIYiZs/Afs50NQlxD6vdt35ppCCE=,iv:od/nSPOluh7RdM9Rxq6ktXozNEQM5KWa/ROAc2OrN/0=,tag:+oYWtfHHSMXxzeXGDcYQUw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6fd6b74a745d7b3f0ad752705c02a984b13ce6ce Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:11:36 +0000 Subject: [PATCH 174/251] chore(secrets): removed secret "test.users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 5715896..883e406 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -8,15 +8,6 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test.users: - je_moeder: - email: ENC[AES256_GCM,data:oBY+8lUZby+MU2RPNdCx9A==,iv:MAxRGLLrhgsvPAuJua3sR+wmfELo7DLXxICye+BuoCg=,tag:qpEu2ga8rFOU6YoZNizOqQ==,type:str] - firstName: ENC[AES256_GCM,data:RlU=,iv:OK91Ql1em+05YkM6OtGQjfe0P3OexS460EBDm7sJOAo=,tag:Dlg/BZbQFTaSLl4l9/GGrw==,type:str] - lastName: ENC[AES256_GCM,data:1FMBOVqD,iv:Hyl5pQYp2Pr1HHDpwKzVZ5DzaG7Lnm9GG4BDL66im+E=,tag:KwOCbIaTYo8J3iGnFBYuBQ==,type:str] - je_vader: - email: ENC[AES256_GCM,data:wjRm8mWD/9E4LjyEpPfD,iv:vKAjMUO81zyYZ9PdGsUkCk1MhTcpat86jVcYv5lhpUc=,tag:pDrI+8JulE9WGhb7brrEAA==,type:str] - firstName: ENC[AES256_GCM,data:KmU=,iv:M4KKh/DlJt3+CGoJu7faF6AUJXPf7ukCOMdvy1zEsow=,tag:wVPFHmHuzlg9Ib8qTZlaIg==,type:str] - lastName: ENC[AES256_GCM,data:PmkNwlc=,iv:B7IZ6+WTA9eRZizt73/iam1QXMf0kp0BWwPqpn+LHvA=,tag:SK8WMCIvAGoZn5b+wHLmKQ==,type:str] test: users: je_moeder: 
@@ -47,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:11:04Z" - mac: ENC[AES256_GCM,data:Wjp8M3j/nhtb6rBTwodkZ3F7oZjLs/iHzBoQha+rI7yFLpOHs1CLju68FDEueD7viP6hO3gvdGOBydsk+DZXD6PoGzFYaY3Q2dSH5Rohh7hOtKbJ65Zf9b8Rsg2zj05moqeB8HU8NwTCOcwlIYiZs/Afs50NQlxD6vdt35ppCCE=,iv:od/nSPOluh7RdM9Rxq6ktXozNEQM5KWa/ROAc2OrN/0=,tag:+oYWtfHHSMXxzeXGDcYQUw==,type:str] + lastmodified: "2025-11-12T13:11:35Z" + mac: ENC[AES256_GCM,data:L1I7DPNxfUclb75KrArcgLF74jzH0LsNYYxqRUqBtJuhBA/4X/VOhfj6qkE2FsRass7ReRhmzWjXq+MygCcBcwo3ixk5vnqm33+NfjISpdHl8aAyJQXcfIlTofyWMXDemxfxSMpqrOmGejOser3xL5NIxPQ9OpEE853wQh4PYgE=,iv:ocUZbPytKP6cNe2UrVD7B/VKElwEoxcMKxntT+ec8QE=,tag:5I8H8O7CNQlAJzLOABpqBQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From c6f1e93f7ebe7965bc75b6bfb65c0425360f8dc3 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:15 +0000 Subject: [PATCH 175/251] chore(secrets): removed secret "test/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 883e406..fc959c4 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -8,16 +8,7 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test: - users: - je_moeder: - email: ENC[AES256_GCM,data:fqwAh0RW2BbOMblczBl85A==,iv:HGrrFtdVpzv3jxnXcTTB46YzYnG4pd+Rrv0qS7gVg3o=,tag:4vZfHzEffvatg8kF5ASrAQ==,type:str] - firstName: ENC[AES256_GCM,data:hPo=,iv:49TQZVxzOq7cx9FL6mI+c9yzjMQKHgee3BeI0M2uBSY=,tag:hilJ5tkNIVi8UqJ2K2lGPA==,type:str] - lastName: ENC[AES256_GCM,data:m6F+qILM,iv:nzt6ALx5rPzcO7OXJl9r8+BNJ6gy3bwpI5EzjfVCpy4=,tag:giSOQfl6LZvr8Ii/RIJfZg==,type:str] - je_vader: - email: ENC[AES256_GCM,data:UIAQTCfDDtZSGB+R1W2M,iv:5jN7z5ExMHLxdNxJZgGiDCNlKIwYfF/q9r2GlYVONAs=,tag:4JZIk2CMhHt3uERXHCW7JA==,type:str] - firstName: ENC[AES256_GCM,data:yRs=,iv:ktZnOiXLV13xa6Y8jnyCETKwONTmAPtc3jeFoq6TLwA=,tag:LCTRmB3MfgHIAYLh5mlPTg==,type:str] - lastName: ENC[AES256_GCM,data:7F0ebJ0=,iv:iKkexa0DVk40IdMHP9ZtGVHQ+JuwdaUr37ql9ImhMUo=,tag:7VfUTtbdQTyIrgWqhydxog==,type:str] +test: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -38,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:11:35Z" - mac: ENC[AES256_GCM,data:L1I7DPNxfUclb75KrArcgLF74jzH0LsNYYxqRUqBtJuhBA/4X/VOhfj6qkE2FsRass7ReRhmzWjXq+MygCcBcwo3ixk5vnqm33+NfjISpdHl8aAyJQXcfIlTofyWMXDemxfxSMpqrOmGejOser3xL5NIxPQ9OpEE853wQh4PYgE=,iv:ocUZbPytKP6cNe2UrVD7B/VKElwEoxcMKxntT+ec8QE=,tag:5I8H8O7CNQlAJzLOABpqBQ==,type:str] + lastmodified: "2025-11-12T13:12:14Z" + mac: ENC[AES256_GCM,data:DMRV+I9fJ+WzNyrU/vz5ZYkEchDhfQ1tx6eG5key+FMudorZj2hi8rnVhDeEn4PMqoJacpPYL+8JuBjJR/J13yK1UvtBiobbASzcB821ZTd8qDykAQmrFeXdJIaK1mtSI/nWMhb5CHz8UBPJ+buUnz2XFP4r7MPLGuOddQrkivI=,iv:sUE7on2vNUJWCpdnNOhYfvAPUYRSOnnGAEkHYJzSOIA=,tag:xi9dbQn982Ja/Km+l/XOhw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d02f5fc4ee2a9b61e9886026e68de7418b899fca Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:27 +0000 Subject: [PATCH 176/251] chore(secrets): set secret "users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index fc959c4..b9b8adb 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -9,6 +9,15 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] test: {} +users: + je_moeder: + email: ENC[AES256_GCM,data:cufs2y9YJkdmMah+DKAokw==,iv:jtmcvA/CIIbTuXnCoI2qnz+gjPyCXsarIEGioPo+fo0=,tag:Nb9nBA+8ulfVaxj6axvcdA==,type:str] + firstName: ENC[AES256_GCM,data:ZsI=,iv:7kUjaEaZfJk11YpyTjd898iUmOKJuKP8U8E2yMVy3i0=,tag:0IGJ1NmAiKrSy8s0xUwPdA==,type:str] + lastName: ENC[AES256_GCM,data:sCBUiXxq,iv:ulK4iEGmzryR0X9K4mYS9Byx1lvQiw+6jKa4rFJaXBI=,tag:Gp8Qb3Aoha+jdPmRTGUS6w==,type:str] + je_vader: + email: ENC[AES256_GCM,data:rN68Hmi1FUPKKpwUhiKq,iv:1vN2ng0VpgjZYPd+UnjbAOEowTCPZzcp/adeWSzFJf4=,tag:qaPblcuIX7r2O8DD2vo/Vg==,type:str] + firstName: ENC[AES256_GCM,data:P3U=,iv:/Hwr3uYxlSAZhoTstPiKviYNWWQiQkmnK0LLnJbzaGc=,tag:0PMGs0eAnWKwr5CxnZGP3g==,type:str] + lastName: ENC[AES256_GCM,data:b1lV0eA=,iv:yHJkXwmobOKENCJ/C/ywhZw0jbRC9QPOMuERbxOYuSk=,tag:l64ky+AoVMleZHLv3HSQGQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -29,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:14Z" - mac: ENC[AES256_GCM,data:DMRV+I9fJ+WzNyrU/vz5ZYkEchDhfQ1tx6eG5key+FMudorZj2hi8rnVhDeEn4PMqoJacpPYL+8JuBjJR/J13yK1UvtBiobbASzcB821ZTd8qDykAQmrFeXdJIaK1mtSI/nWMhb5CHz8UBPJ+buUnz2XFP4r7MPLGuOddQrkivI=,iv:sUE7on2vNUJWCpdnNOhYfvAPUYRSOnnGAEkHYJzSOIA=,tag:xi9dbQn982Ja/Km+l/XOhw==,type:str] + lastmodified: "2025-11-12T13:12:26Z" + mac: ENC[AES256_GCM,data:NwqAfh//TKzJaMYMU2awH8Z5IYfQZ/vZVedRSjy6KF9TSvxd8WeJiGoF1i4i7dGiGtEfvIEVmskDSDRq4sHNrBffg1Hc3j5cprmpayMYz5zCr1H+gbFNyqigzsyVRw12PEY5JhX/3yBcr+aqPvE/9D9Ti3hmh1RVuS9YqdnccaQ=,iv:PhZ/XRDjpWLeD0S+uhIDSn+jitMeghnIyWHx3eOIRjU=,tag:RG+Y1r8O7ck7Jbjb0OuBtA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 95f115f04c8ea52d06520a8526a088666bdd240d Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:12:57 +0000 Subject: [PATCH 177/251] chore(secrets): removed secret "users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b9b8adb..a66b270 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -9,15 +9,6 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] test: {} -users: - je_moeder: - email: ENC[AES256_GCM,data:cufs2y9YJkdmMah+DKAokw==,iv:jtmcvA/CIIbTuXnCoI2qnz+gjPyCXsarIEGioPo+fo0=,tag:Nb9nBA+8ulfVaxj6axvcdA==,type:str] - firstName: ENC[AES256_GCM,data:ZsI=,iv:7kUjaEaZfJk11YpyTjd898iUmOKJuKP8U8E2yMVy3i0=,tag:0IGJ1NmAiKrSy8s0xUwPdA==,type:str] - lastName: ENC[AES256_GCM,data:sCBUiXxq,iv:ulK4iEGmzryR0X9K4mYS9Byx1lvQiw+6jKa4rFJaXBI=,tag:Gp8Qb3Aoha+jdPmRTGUS6w==,type:str] - je_vader: - email: ENC[AES256_GCM,data:rN68Hmi1FUPKKpwUhiKq,iv:1vN2ng0VpgjZYPd+UnjbAOEowTCPZzcp/adeWSzFJf4=,tag:qaPblcuIX7r2O8DD2vo/Vg==,type:str] - firstName: ENC[AES256_GCM,data:P3U=,iv:/Hwr3uYxlSAZhoTstPiKviYNWWQiQkmnK0LLnJbzaGc=,tag:0PMGs0eAnWKwr5CxnZGP3g==,type:str] - lastName: ENC[AES256_GCM,data:b1lV0eA=,iv:yHJkXwmobOKENCJ/C/ywhZw0jbRC9QPOMuERbxOYuSk=,tag:l64ky+AoVMleZHLv3HSQGQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -38,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:26Z" - mac: ENC[AES256_GCM,data:NwqAfh//TKzJaMYMU2awH8Z5IYfQZ/vZVedRSjy6KF9TSvxd8WeJiGoF1i4i7dGiGtEfvIEVmskDSDRq4sHNrBffg1Hc3j5cprmpayMYz5zCr1H+gbFNyqigzsyVRw12PEY5JhX/3yBcr+aqPvE/9D9Ti3hmh1RVuS9YqdnccaQ=,iv:PhZ/XRDjpWLeD0S+uhIDSn+jitMeghnIyWHx3eOIRjU=,tag:RG+Y1r8O7ck7Jbjb0OuBtA==,type:str] + lastmodified: "2025-11-12T13:12:56Z" + mac: ENC[AES256_GCM,data:yIDCoYdcBAvwuU/JLxGEiRo5NJQRtC25RzUFHpq6FY6fEg3IsnfL9iJcSZIkKA6MVx1bB7xvRyOxh6AFePznJlOzht/Mr5quP2zX+ARsEvjSgxsz21bbdBTAsz5lorac1zFJp1/eg1ny9YYg2+1yfhXDjH557mCPgqa2MptWI1c=,iv:wrY1OHZSEtHSj7ehWRg5hRq5GBpsY35yYEifjvMXuRg=,tag:TI+viHQqQKMCHLJN1HGvyg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d61e9e19ca57cc9c525bf97b3a8e68bbd7050eec Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:13:06 +0000 Subject: [PATCH 178/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index a66b270..60fcd7c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,6 +3,15 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] + users: + je_moeder: + email: ENC[AES256_GCM,data:K8pZBUCIDUlGmjjF9S+OCg==,iv:o0Sruyj1JVOg9LcaOVV8WFV9F2F8E5yB+RlunUJt0ak=,tag:JJ1+rYl2i0O5Jw5Yq7PLEw==,type:str] + firstName: ENC[AES256_GCM,data:e5o=,iv:oE7fdhPArt3yCOgVFS+2POn9kYV5xd35CRaQiqVqRLE=,tag:T/rZoZvx+ehuMQXD9mLI/g==,type:str] + lastName: ENC[AES256_GCM,data:HSBa6CbV,iv:5vjdeJNjnvAu2fez4YLKc6FC3KEgn4FSA8oOaCpO2Mo=,tag:bCuE+JelyHk0Kh7Svq3t0A==,type:str] + je_vader: + email: ENC[AES256_GCM,data:Q1ecbn8liNRvuRZa8EOU,iv:+dd6E2BV4+coGtS84myqgW+eTB9i8rnjPhYTMGeK/gs=,tag:owE2iHUFboUvC0nFpMdG4w==,type:str] + firstName: ENC[AES256_GCM,data:KRE=,iv:tHDfQ8pMnO4J1Yu1SgPNQjMtVr26tVTtivyTxGGF1Kc=,tag:N3djEu5AAi8hHAbNq23Czg==,type:str] + lastName: ENC[AES256_GCM,data:rjd/IRM=,iv:inrY04n3XWYhPMPiXKcdaQJr4rjV1zSuCCintc+i7DM=,tag:f72ELx2K6UypllMUFdJ3fA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -29,7 +38,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:12:56Z" - mac: ENC[AES256_GCM,data:yIDCoYdcBAvwuU/JLxGEiRo5NJQRtC25RzUFHpq6FY6fEg3IsnfL9iJcSZIkKA6MVx1bB7xvRyOxh6AFePznJlOzht/Mr5quP2zX+ARsEvjSgxsz21bbdBTAsz5lorac1zFJp1/eg1ny9YYg2+1yfhXDjH557mCPgqa2MptWI1c=,iv:wrY1OHZSEtHSj7ehWRg5hRq5GBpsY35yYEifjvMXuRg=,tag:TI+viHQqQKMCHLJN1HGvyg==,type:str] + lastmodified: "2025-11-12T13:13:05Z" + mac: ENC[AES256_GCM,data:9cYUu7cuPLg80b+wxRwKQkHIdrc+y4C/XFO42f0hJ8o1uK+syzDFOeP7L5eaeZxAlRGpGtJAdd/LKMwOJ016GgGafF8PAQc6k43I6ZFfc/k/3FqQvvI8inRKJu7ptg6ISPfC5WfAtOIc/rg/uwB0vvfxCd/epEGuKO9Dw7TmaXY=,iv:uMamMMCmHPzNG/JfEZeGHvo30uNpcYYbmuLRv8EMePc=,tag:ioDShXxVb6VM0OaSu2KLiA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4c3adb782c2d887b7deda0f087c5e0d276acb3dc Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:31:01 +0000 Subject: [PATCH 179/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 60fcd7c..0844135 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,15 +3,7 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - users: - je_moeder: - email: ENC[AES256_GCM,data:K8pZBUCIDUlGmjjF9S+OCg==,iv:o0Sruyj1JVOg9LcaOVV8WFV9F2F8E5yB+RlunUJt0ak=,tag:JJ1+rYl2i0O5Jw5Yq7PLEw==,type:str] - firstName: ENC[AES256_GCM,data:e5o=,iv:oE7fdhPArt3yCOgVFS+2POn9kYV5xd35CRaQiqVqRLE=,tag:T/rZoZvx+ehuMQXD9mLI/g==,type:str] - lastName: ENC[AES256_GCM,data:HSBa6CbV,iv:5vjdeJNjnvAu2fez4YLKc6FC3KEgn4FSA8oOaCpO2Mo=,tag:bCuE+JelyHk0Kh7Svq3t0A==,type:str] - je_vader: - email: ENC[AES256_GCM,data:Q1ecbn8liNRvuRZa8EOU,iv:+dd6E2BV4+coGtS84myqgW+eTB9i8rnjPhYTMGeK/gs=,tag:owE2iHUFboUvC0nFpMdG4w==,type:str] - firstName: ENC[AES256_GCM,data:KRE=,iv:tHDfQ8pMnO4J1Yu1SgPNQjMtVr26tVTtivyTxGGF1Kc=,tag:N3djEu5AAi8hHAbNq23Czg==,type:str] - lastName: ENC[AES256_GCM,data:rjd/IRM=,iv:inrY04n3XWYhPMPiXKcdaQJr4rjV1zSuCCintc+i7DM=,tag:f72ELx2K6UypllMUFdJ3fA==,type:str] + users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -38,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:13:05Z" - mac: ENC[AES256_GCM,data:9cYUu7cuPLg80b+wxRwKQkHIdrc+y4C/XFO42f0hJ8o1uK+syzDFOeP7L5eaeZxAlRGpGtJAdd/LKMwOJ016GgGafF8PAQc6k43I6ZFfc/k/3FqQvvI8inRKJu7ptg6ISPfC5WfAtOIc/rg/uwB0vvfxCd/epEGuKO9Dw7TmaXY=,iv:uMamMMCmHPzNG/JfEZeGHvo30uNpcYYbmuLRv8EMePc=,tag:ioDShXxVb6VM0OaSu2KLiA==,type:str] + lastmodified: "2025-11-12T13:31:00Z" + mac: ENC[AES256_GCM,data:L+Y6kxveMKadtFSZA7nWa7QEBOvtq5eZDfFfq6UzsHhLsqsMskvzj1UopMYFAjvGT9dXd0Z5rwUQcSaqEAv8DEaPkFLAODY4zMgY563dsSkqEdQfpa6lx1g4h3BlvXu446oKt14q5I4lUDB4QWH2mb+wv2rJQjVbSwYgh3g8vP8=,iv:bbKweYmFwEpzlevRig9JTj1/BvjYuKLo2B8grSuHchs=,tag:VBPskgd5Kaki0aFlVWZ64g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From cebc2ec0403699b8349f61729a360845e3333d67 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:31:42 +0000 Subject: [PATCH 180/251] chore(secrets): removed secret "test" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0844135..04fab75 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -9,7 +9,6 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -test: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -30,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:31:00Z" - mac: ENC[AES256_GCM,data:L+Y6kxveMKadtFSZA7nWa7QEBOvtq5eZDfFfq6UzsHhLsqsMskvzj1UopMYFAjvGT9dXd0Z5rwUQcSaqEAv8DEaPkFLAODY4zMgY563dsSkqEdQfpa6lx1g4h3BlvXu446oKt14q5I4lUDB4QWH2mb+wv2rJQjVbSwYgh3g8vP8=,iv:bbKweYmFwEpzlevRig9JTj1/BvjYuKLo2B8grSuHchs=,tag:VBPskgd5Kaki0aFlVWZ64g==,type:str] + lastmodified: "2025-11-12T13:31:41Z" + mac: ENC[AES256_GCM,data:86tmpvp690SF1Cfeq3xnXmIgaepieKTKlbZXy4BtWOH0uActMD08kIBYG1ycsRkr2glwXdTznEXLddcB5zWC4fFQbrIk8LOYeJ1ZoXz8ocL47IDYN+Yd4BzDUooIYaCocbSIvHj0BULZBz4pwfYm1BwZ2QT6N7ygJDGZOK8jFSc=,iv:dcXCvNhA4ARd9p9RgdL7LbCwduufjxDhFDN4Tk1HEW8=,tag:RNN5rC6luE8xOnbVsmrDWQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 983f1aa7d88d1d7c52298c61e51170490e226a33 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:36:42 +0000 Subject: [PATCH 181/251] chore(secrets): set secret "zitadel/nix/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 04fab75..24e9d30 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,6 +4,8 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] + nix: + users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -29,7 +31,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:31:41Z" - mac: ENC[AES256_GCM,data:86tmpvp690SF1Cfeq3xnXmIgaepieKTKlbZXy4BtWOH0uActMD08kIBYG1ycsRkr2glwXdTznEXLddcB5zWC4fFQbrIk8LOYeJ1ZoXz8ocL47IDYN+Yd4BzDUooIYaCocbSIvHj0BULZBz4pwfYm1BwZ2QT6N7ygJDGZOK8jFSc=,iv:dcXCvNhA4ARd9p9RgdL7LbCwduufjxDhFDN4Tk1HEW8=,tag:RNN5rC6luE8xOnbVsmrDWQ==,type:str] + lastmodified: "2025-11-12T13:36:41Z" + mac: ENC[AES256_GCM,data:ih21F3CkRcW3Rfh3swiz+1z6HhcGrbW1I+XQN/XDlV0F+b7PTt5NZyCrqPAH/X14x1oGJBwfg+Yz16HJ6+ZtZh4BEGDCudTDGJNSN+1Hq6v6FHEFnG4nHj2SPEptpx5uJ8GnnORh4qxe4lQQelAbUdPktqr1PcQMl0bEhWzTxC8=,iv:7IHRdH09/Kgt5eXJyHxfBtCOCfpFnYU+BpaS4+7qJjQ=,tag:A0sJJDvihszvolCANlmZoA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From c5ec450517973d2dd973fb516d25e09c3b55f297 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:36:56 +0000 Subject: [PATCH 182/251] chore(secrets): removed secret "zitadel/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 24e9d30..173cda3 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,7 +3,6 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - users: ENC[AES256_GCM,data:fj6NCe3hPGewuReJ3jeT4WGy8Q2Yag+CdpK9pQHRIkC0XAM4VjDSn44S3N5n4Vf0IWCoN5AECkQ2gTquwahGkZftKU+exd4+nM1YQrjskmtxjR6VZlpEdwYnzX3nGQ3njzj3q7EO3NCAsINsnEwDdzX0hhzxlnhV4ImRZ8nIt1nGAC6WIFtkagvof4l1IOrgQz4EUBhjvzBI/LWuXsCfXdpmAzV5B6QPpWPwhmg=,iv:mX9bxBFhiXzbj7qOlRbv6vpqVkGUcwEYe2OqWkjhKVM=,tag:Bb+afO3Fc8PC64XCVV7c0Q==,type:str] nix: users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] forgejo: 
@@ -31,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:36:41Z" - mac: ENC[AES256_GCM,data:ih21F3CkRcW3Rfh3swiz+1z6HhcGrbW1I+XQN/XDlV0F+b7PTt5NZyCrqPAH/X14x1oGJBwfg+Yz16HJ6+ZtZh4BEGDCudTDGJNSN+1Hq6v6FHEFnG4nHj2SPEptpx5uJ8GnnORh4qxe4lQQelAbUdPktqr1PcQMl0bEhWzTxC8=,iv:7IHRdH09/Kgt5eXJyHxfBtCOCfpFnYU+BpaS4+7qJjQ=,tag:A0sJJDvihszvolCANlmZoA==,type:str] + lastmodified: "2025-11-12T13:36:55Z" + mac: ENC[AES256_GCM,data:MZkBh/F6MnQUUp2bSp50ZtrnYusQ0rDWx5stIUWfuXD4hh6RW8qxFGL4/JndiOt7iZNQwdAVHgmRGSmTGza7OZoaDV+Mn0b9WPT/IbHst5MqEGdELeGqUkfBm4SPGkCNt+R+SQ6U8UEioi7EruodnkcF/TAg6wjFf1/XbN+djuc=,iv:i2JM8GPnpmbFsJkqWrZI/YQ11DK5nGXQ5brU4XbK7PQ=,tag:bzpIER1GH/b/LHTNo+apgA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9a3f154cab488c5ff7e946fd15f0cee71f5103fd Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:40:07 +0000 Subject: [PATCH 183/251] chore(secrets): removed secret "zitadel/nix/users" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 173cda3..c26df47 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -3,8 +3,7 @@ email: info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] - nix: - users: ENC[AES256_GCM,data:m8MKmEFUqKnKpGBRZbXycQFsH/eDVELcnbRWR3FDiSUahQhimZUfewRRGkbQHvFhu/b5shf5Yb7QM58G9iWGwFPNoj+ptFofsPFcq0sHbaH5Pe/YtsJNMWJib52R2FAjlbqUeJy3+2zrbHu4IMOwLgfqd6uwQ+RZ22Itt8R2c8EYdRJyKG8coy8Z/OjN6pzCki3OQS670b1IKWdWkfmzjrZMcxfNMRZGI8fJQnc=,iv:IjLbSH73GC8+cKy9pdqcu59vVoeinAlJ2LQohymvqTc=,tag:qx/VSpo8XuWac/A2o3n9bQ==,type:str] + nix: {} forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -30,7 +29,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:36:55Z" - mac: ENC[AES256_GCM,data:MZkBh/F6MnQUUp2bSp50ZtrnYusQ0rDWx5stIUWfuXD4hh6RW8qxFGL4/JndiOt7iZNQwdAVHgmRGSmTGza7OZoaDV+Mn0b9WPT/IbHst5MqEGdELeGqUkfBm4SPGkCNt+R+SQ6U8UEioi7EruodnkcF/TAg6wjFf1/XbN+djuc=,iv:i2JM8GPnpmbFsJkqWrZI/YQ11DK5nGXQ5brU4XbK7PQ=,tag:bzpIER1GH/b/LHTNo+apgA==,type:str] + lastmodified: "2025-11-12T13:40:06Z" + mac: ENC[AES256_GCM,data:rVAUscmwGDOEr5wpxu4STvYXvgQ7aY/zqna2GhV1Mihpt1LZJLwHRjEGBx/XTSn6LdR9WQFBdb9a1x/fav1UsrPggrMEZY/gjAWfQMlBpSu0EBPMowheiH+7y/kblSwRevbP0b1A2l0b/iegTAsvAt5cMuzpk8WiUAGMDAPw/Vs=,iv:nxSFea50iNefr/UMXS3+ma+1LytAboj6P+bOBWl7/VU=,tag:upvsqn3BcsJtVc2dxgaFCQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 8203f653f968af835f37de07127e27b57c67aaa7 Mon Sep 17 00:00:00 2001 
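Review bot: Removing the value leaves an empty `nix: {}` map under `zitadel`, and it still appears as context in patches 184 and 185 that follow. If nothing reads `zitadel/nix`, delete the `nix: {}` line so the secrets file lists only live entries. The same kind of leftover (`test: {}`) needed a separate cleanup in patch 180.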
From: chris Date: Wed, 12 Nov 2025 13:40:15 +0000 Subject: [PATCH 184/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index c26df47..4a4db7e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,6 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} + users: ENC[AES256_GCM,data:HtUJ7qgQofPTHDswx/c1K20DX4GCciZmDh5nknOiKSEClHwrmxeXG88yEYjsrWB2VMqnrFwD9cRj6tn0N50ovClL9Qu/QxOhIvqJM+ZN4+rlhbwWO2qukgPt4Lpyqz7uEbmpykJ503nOVAoLRbA5Kl3M6neb66/1oVyptBWbdHEEz+LhZnjFxybwqDi364B1+hn/9Saa5PJYtMVIrAWCwcIvL1+3TsK5I6SfR+s=,iv:9zll4Wqt526wyOcCjBmu9itmNRtCzimwMItG82G9neE=,tag:3BQwKVWvF6Ur5hNGey/8YA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -29,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:06Z" - mac: ENC[AES256_GCM,data:rVAUscmwGDOEr5wpxu4STvYXvgQ7aY/zqna2GhV1Mihpt1LZJLwHRjEGBx/XTSn6LdR9WQFBdb9a1x/fav1UsrPggrMEZY/gjAWfQMlBpSu0EBPMowheiH+7y/kblSwRevbP0b1A2l0b/iegTAsvAt5cMuzpk8WiUAGMDAPw/Vs=,iv:nxSFea50iNefr/UMXS3+ma+1LytAboj6P+bOBWl7/VU=,tag:upvsqn3BcsJtVc2dxgaFCQ==,type:str] + lastmodified: "2025-11-12T13:40:15Z" + mac: ENC[AES256_GCM,data:L2efaWrCNjPXA/nRO78Lq+5vqcs2z2/jOzOz9SDBN5rN/Svt2WxqP7F076eNP9NfFgd7SkTyTekrU0szXkHSMXyAFrg+l8cYV6NLz6KTnwsVm7k7DJNa+i0iWh+GKl8VY+qFFOsDIGQlFNCgxmNmdaqwuldOUgTEBxMltIlpo44=,iv:pZYwaQWKvESvTvI00D/6gHB4On9w2jYeoME6FXrJ+Ak=,tag:s/5oYn3iaDicFDBJroaudg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9a664b243831962c006152ed765297587e570e68 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 13:40:34 +0000 Subject: [PATCH 185/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4a4db7e..919e826 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:HtUJ7qgQofPTHDswx/c1K20DX4GCciZmDh5nknOiKSEClHwrmxeXG88yEYjsrWB2VMqnrFwD9cRj6tn0N50ovClL9Qu/QxOhIvqJM+ZN4+rlhbwWO2qukgPt4Lpyqz7uEbmpykJ503nOVAoLRbA5Kl3M6neb66/1oVyptBWbdHEEz+LhZnjFxybwqDi364B1+hn/9Saa5PJYtMVIrAWCwcIvL1+3TsK5I6SfR+s=,iv:9zll4Wqt526wyOcCjBmu9itmNRtCzimwMItG82G9neE=,tag:3BQwKVWvF6Ur5hNGey/8YA==,type:str] + users: ENC[AES256_GCM,data:48Mp825G0rIl6xYOL7FrMvwLcRZcGLg1tZTN/MSPR4qwlEmOknE5fg3+ZvJKslncmylBHF8x0GkCaZAotBFcOiXz8R15B0AV4r/G7tvgJtU1ZSQH/T09IUbPZsa0Xp8tsijhqo1IzBsq5loR38wHKZINxW73UB/yuX644uLb/F4+R0UJQc5BS6iI/2sd2CVYQovdDUyugSAQa57Uo0HlkSa1JO30iXWgjgSy2YgyxC4ZreKLT7j8/Q==,iv:IvXwZlyi5pH5aPMiPCHfB3NaCjBuSGtU3JW6rCzth2Y=,tag:JnMMKV1djPLo5aTxtD1qEg==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: @@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:15Z" - mac: ENC[AES256_GCM,data:L2efaWrCNjPXA/nRO78Lq+5vqcs2z2/jOzOz9SDBN5rN/Svt2WxqP7F076eNP9NfFgd7SkTyTekrU0szXkHSMXyAFrg+l8cYV6NLz6KTnwsVm7k7DJNa+i0iWh+GKl8VY+qFFOsDIGQlFNCgxmNmdaqwuldOUgTEBxMltIlpo44=,iv:pZYwaQWKvESvTvI00D/6gHB4On9w2jYeoME6FXrJ+Ak=,tag:s/5oYn3iaDicFDBJroaudg==,type:str] + lastmodified: "2025-11-12T13:40:34Z" + mac: ENC[AES256_GCM,data:14yuefNArmFzKi1Jn5H3VEqsB5ZXtLkQ3rgVLrv/eILW2Fngyhsq4WecHZM7C900fHN05fdGtDKzR/EDSIp70/ZXDnEKTYRimBAj8HshPh71EMhBOYRzeDrY1dZlYrNbXu9j4hyhY/qe86NsZPdNwSbl8QkKwgxKO9oIaSOLQxU=,iv:Z/ta3aecrnCU9+f99a3vF2JMZyTtR1kJ/W6KIFh49z4=,tag:xU/1rmyXtti4n97lUSc6Cw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 91d8a32239d6ad0e2628d80d68fea5778a220a96 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 16:13:10 +0000 Subject: [PATCH 186/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 919e826..f6e918b 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:48Mp825G0rIl6xYOL7FrMvwLcRZcGLg1tZTN/MSPR4qwlEmOknE5fg3+ZvJKslncmylBHF8x0GkCaZAotBFcOiXz8R15B0AV4r/G7tvgJtU1ZSQH/T09IUbPZsa0Xp8tsijhqo1IzBsq5loR38wHKZINxW73UB/yuX644uLb/F4+R0UJQc5BS6iI/2sd2CVYQovdDUyugSAQa57Uo0HlkSa1JO30iXWgjgSy2YgyxC4ZreKLT7j8/Q==,iv:IvXwZlyi5pH5aPMiPCHfB3NaCjBuSGtU3JW6rCzth2Y=,tag:JnMMKV1djPLo5aTxtD1qEg==,type:str] + users: ENC[AES256_GCM,data:qsl1uHFMRiO26wgVF5798oSyoO/LHmC/TgHekDQB7OHVmlxvG6ehXw2xeo2RW3ehWf64zHyViO2VtUfA5+RbiuHRYPd4tg7dErmUPdvEo6peC72Sr90U9Uc/cTG7yzeTckdYbnv5vqZwNh8YDF+mB6c7MbUocd18xw3+3Hz4/dkHZyOIXHVpfvtl3vc0RLDh6vyNsb61la51FFHYnUkwNApWgnRZD1JpYGdIiDh5R71f9oxK5hHBkL7+KEZ5bVbVf4nAlNwGZA==,iv:c1AoqPzn5oUFn20dPoX2hqZfBk10fxC7xbMjPiGKb5c=,tag:7NCE1fo9g80iFENvZRv1rA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T13:40:34Z" - mac: ENC[AES256_GCM,data:14yuefNArmFzKi1Jn5H3VEqsB5ZXtLkQ3rgVLrv/eILW2Fngyhsq4WecHZM7C900fHN05fdGtDKzR/EDSIp70/ZXDnEKTYRimBAj8HshPh71EMhBOYRzeDrY1dZlYrNbXu9j4hyhY/qe86NsZPdNwSbl8QkKwgxKO9oIaSOLQxU=,iv:Z/ta3aecrnCU9+f99a3vF2JMZyTtR1kJ/W6KIFh49z4=,tag:xU/1rmyXtti4n97lUSc6Cw==,type:str] + lastmodified: "2025-11-12T16:13:10Z" + mac: ENC[AES256_GCM,data:Ly+IKYbDg16x7XtlvBLL4DL2y3wX79e+OBJzw60+PaITFkEOuhr7KfYCMD/ZMeNa6UVcDcdJc6xb1xcRvNMcnF2N7UvgCfxoMS9SHZXa38OM2f1buuwxuAeoAV7zJQyzCJg0c2fwG8goICHmMXPNKeaEgBod+RkysJtJbH1TG18=,iv:EuKYDmTSYTKS1klO2cIS61eFkz+/FIDHBQ9daGkf/+4=,tag:tKbQrciiLqe9fdHw6BXslw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4dc24de8eb6e0ea686bef8c0533e9238cd4d6913 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 12 Nov 2025 16:13:37 +0000 Subject: [PATCH 187/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index f6e918b..ef9b039 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:qsl1uHFMRiO26wgVF5798oSyoO/LHmC/TgHekDQB7OHVmlxvG6ehXw2xeo2RW3ehWf64zHyViO2VtUfA5+RbiuHRYPd4tg7dErmUPdvEo6peC72Sr90U9Uc/cTG7yzeTckdYbnv5vqZwNh8YDF+mB6c7MbUocd18xw3+3Hz4/dkHZyOIXHVpfvtl3vc0RLDh6vyNsb61la51FFHYnUkwNApWgnRZD1JpYGdIiDh5R71f9oxK5hHBkL7+KEZ5bVbVf4nAlNwGZA==,iv:c1AoqPzn5oUFn20dPoX2hqZfBk10fxC7xbMjPiGKb5c=,tag:7NCE1fo9g80iFENvZRv1rA==,type:str] + users: ENC[AES256_GCM,data:xkjm0+PBt6gmZyfi3n3OIEe5b+d4OtN0Y3UfmdcbcJHbJZuiz+60oUjlAN0vjtsi0muufoAqtGJTIpm9nDZzzN7b7LK43TAhcuSlIm5LpbZFp1U3H4laRbTwauAT6wA0aDCfAkwTozxAuEUk1jAu+65ktJNJb7b0PR7s/I/wf7IgW2+K4Jv3LIOZIipUwfuvXuTzsxCElYRvGZXmIuXrYq1EaymksHHggemrKeMWLAae7mzz5v3aBbwxiVjQNkQkS4ApsO/5nZUat0oqXA==,iv:fptZn4NmX3iYKSEPLJAOFpt+KQ6TR1w9KaY9IF4p/Wk=,tag:UKvMOSIT5/mhfZA3usbLhQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -30,7 +30,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T16:13:10Z" - mac: ENC[AES256_GCM,data:Ly+IKYbDg16x7XtlvBLL4DL2y3wX79e+OBJzw60+PaITFkEOuhr7KfYCMD/ZMeNa6UVcDcdJc6xb1xcRvNMcnF2N7UvgCfxoMS9SHZXa38OM2f1buuwxuAeoAV7zJQyzCJg0c2fwG8goICHmMXPNKeaEgBod+RkysJtJbH1TG18=,iv:EuKYDmTSYTKS1klO2cIS61eFkz+/FIDHBQ9daGkf/+4=,tag:tKbQrciiLqe9fdHw6BXslw==,type:str] + lastmodified: "2025-11-12T16:13:36Z" + mac: ENC[AES256_GCM,data:UaUK/qYthw2C2XZeUPeuHV0VZaIKo7dd7EPtaM4PQ6xdJSNNACaMtwd+1u2jGmJysWHI3yjSpz2ZnRTaDX6O99/bLo6ilYPkGTlqjIWh+rzzZjaOP1fsuHwfCRSKkei3niojgcoKku3ohcuWWP1NUe5+EMIb68jGOVogTH2TBjo=,iv:kSLgzJZaef29Uvc/oY9uNQc5CE7iVfQrhE9RMGdmPjE=,tag:1IH/89za43RYLzizoCSb3w==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From df5dfa61a92c58112fdbed96c433f6c537b70710 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 12 Nov 2025 17:20:21 +0100 Subject: [PATCH 188/251] fix(justfile): escape double quotes for inputs --- .just/vars.just | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.just/vars.just b/.just/vars.just index b4d6be2..944d7cf 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -13,7 +13,7 @@ list machine: {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' + {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\"/g')\"" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null From fa37c3eb503d22403ddd6fde652da30def5a7e12 Mon Sep 17 00:00:00 2001 
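Review bot: The new value argument in the `set` recipe of `.just/vars.just` still places `{{ value }}` inside a single-quoted shell string, so a secret that contains a single quote ends the quoting and the rest is parsed by the shell. Only `"` is escaped by the `sed` call, so a backslash in the value yields a different or invalid JSON string, and `echo` may alter values that start with `-` or contain backslash sequences. Exporting the parameter with `@set machine key $value:` keeps the secret out of the recipe text. If `jq` is available in the dev shell, the value can then be encoded by a real JSON encoder with `"$(printf '%s' "$value" | jq -Rs .)"`. `{{ key }}` is interpolated the same way in the `printf` argument and in the commit message.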
From: Chris Kruining Date: Wed, 12 Nov 2025 17:23:40 +0100 Subject: [PATCH 189/251] feat(zitadel): add extra users via secrets --- .../authentication/zitadel/default.nix | 59 ++++++++++++++++--- 1 file changed, 50 insertions(+), 9 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 402d59d..c4ceaac 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -336,6 +336,21 @@ in jwt_profile_file = "/var/lib/zitadel/machine-key.json"; }; + locals = { + extra_users = lib.tfRef " + flatten([ for org, users in jsondecode(file(\"${config'.sops.secrets."zitadel/users".path}\")): [ + for name, details in users: { + org = org + name = name + email = details.email + firstName = details.firstName + lastName = details.lastName + } + ] ]) + "; + orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); + }; + resource = { # Organizations zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: 
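Review bot: `locals.extra_users` decodes the `zitadel/users` secret with no description of the JSON shape it expects and no check of it. A missing `email`, `firstName` or `lastName` in one entry therefore fails the whole plan with an attribute error that does not name the entry. A comment above the local would document the contract, for example `# zitadel/users: { "<org>": { "<userName>": { "email": …, "firstName": …, "lastName": … } } }`, with a note that `<org>` must be a key of `cfg.organization`. Because the expression contains no Terraform interpolation, it could be written as a `''…''` string like the `for_each` in the users hunk, which removes the `\"` escapes.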
@@ -384,15 +399,35 @@ in ); # Users - zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: - { - inherit email userName firstName lastName; + zitadel_human_user = + (cfg.organization + |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + { + inherit email userName firstName lastName; - isEmailVerified = true; - } - |> withRef "org" org - |> toResource "${org}_${name}" - ); + isEmailVerified = true; + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + + // { + "extra_users" = { + for_each = lib.tfRef ''{ + for user in local.extra_users : + "''${user.org}_''${user.name}" => user + }''; + + org_id = lib.tfRef "local.orgs[each.value.org]"; + user_name = lib.tfRef "each.value.name"; + email = lib.tfRef "each.value.email"; + first_name = lib.tfRef "each.value.firstName"; + last_name = lib.tfRef "each.value.lastName"; + + is_email_verified = true; + }; + } + ; # Global user roles zitadel_instance_member = @@ -648,6 +683,12 @@ in key = "email/chris_kruining_eu"; restartUnits = [ "zitadel.service" ]; }; + + "zitadel/users" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadelApplyTerraform.service" ]; + }; }; }; }; From 4e09252e75c6e53a7f6188dcf97d71a8b53ae44c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 12 Nov 2025 17:26:17 +0100 Subject: [PATCH 190/251] feat(zitadel): add remapping of exported keys --- .../authentication/zitadel/default.nix | 24 ++++++++++++++++--- systems/x86_64-linux/ulmo/default.nix | 10 ++++++++ 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index c4ceaac..bd74ca2 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
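Review bot: The fixed attribute name `"extra_users"` is merged with `//` into a set whose other names are built as `${org}_${name}`. Assuming `toResource` keeps that name, a declared user `users` in an organization `extra` would be silently replaced by the `for_each` resource. A name the generator cannot produce, or an assertion that the name is unused, would avoid that. `local.orgs[each.value.org]` also fails the plan when the secret names an organization that is not in `cfg.organization`, so that constraint is worth stating next to the secret definition. Every address read from the secret is created with `is_email_verified = true`, which deserves a short why-comment since nothing in this path checks the address.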
@@ -140,6 +140,24 @@ in . ''; }; + + exportMap = + let + strOpt = mkOption { type = types.nullOr types.str; default = null; }; + in + mkOption { + type = types.submodule { options = { client_id = strOpt; client_secret = strOpt; }; }; + default = {}; + example = literalExpression '' + { + client_id = "SSO_CLIENT_ID"; + client_secret = "SSO_CLIENT_SECRET"; + } + ''; + description = '' + Remap the outputted variables to another key. + ''; + }; }; }); }; @@ -492,11 +510,11 @@ in }; # Client credentials per app - local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value: + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: nameValuePair "${org}_${project}_${name}" { content = '' - CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} - CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} + ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} + ${if exportMap.client_secret != null then exportMap.client_secret else "CLIENT_SECRET"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"} ''; filename = "/var/lib/zitadel/clients/${org}_${project}_${name}"; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 027dad6..8bb5cea 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
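Review bot: `exportMap.client_id` and `exportMap.client_secret` accept any string and are written verbatim as the variable name in the `local_sensitive_file` content in the second hunk. A value containing whitespace, `=` or a newline therefore produces a malformed credentials file that is only noticed when the consuming service reads it. Constraining the type rejects that at evaluation time, for example `type = types.nullOr (types.strMatching "[A-Za-z_][A-Za-z0-9_]*");`. Giving the two options the defaults `"CLIENT_ID"` and `"CLIENT_SECRET"` instead of `null` would also remove both `if … != null` branches from the template. The description could say that the remapped names apply to the file under `/var/lib/zitadel/clients/`.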
@@ -95,6 +95,16 @@ responseTypes = [ "code" ]; }; + vaultwarden = { + redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ]; + grantTypes = [ "authorizationCode" ]; + responseTypes = [ "code" ]; + exportMap = { + client_id = "SSO_CLIENT_ID"; + client_secret = "SSO_CLIENT_SECRET"; + }; + }; + matrix = { redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; grantTypes = [ "authorizationCode" ]; From 272f48a9ab000b638a18612343743317370c8536 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 13 Nov 2025 07:50:45 +0000 Subject: [PATCH 191/251] chore(secrets): set secret "kaas" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index ef9b039..4864b00 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -10,6 +10,7 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] +kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -30,7 +31,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-12T16:13:36Z" - mac: ENC[AES256_GCM,data:UaUK/qYthw2C2XZeUPeuHV0VZaIKo7dd7EPtaM4PQ6xdJSNNACaMtwd+1u2jGmJysWHI3yjSpz2ZnRTaDX6O99/bLo6ilYPkGTlqjIWh+rzzZjaOP1fsuHwfCRSKkei3niojgcoKku3ohcuWWP1NUe5+EMIb68jGOVogTH2TBjo=,iv:kSLgzJZaef29Uvc/oY9uNQc5CE7iVfQrhE9RMGdmPjE=,tag:1IH/89za43RYLzizoCSb3w==,type:str] + lastmodified: "2025-11-13T07:50:40Z" + mac: ENC[AES256_GCM,data:tGOipGrlvIwfocpve9/4MGBtgnGuvI380VdIrSc2pCym4f20DC70/QofPo31cRtkWW3sd8nmEReU7+QQ39iZa9Jrlg+e8O8T5sbckjFvO5KWw5UBShjltrcRmhIHH0vUMkfAul5GRJEjCdpMIuOxxQGUMykeP/y8M6sDfnC73vU=,iv:MF9RP4SI4dWX6Rf6puuck5S0KrKKA8U/uQuJCwMYV30=,tag:lsr85wZVCgXr6n3QPmelaw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9116361b908fdddd8a91ac137327484e3f107ebc Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:48:56 +0000 Subject: [PATCH 192/251] chore(secrets): set secret "radarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4864b00..8bb18b7 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -11,6 +11,8 @@ synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] +radarr: + apikey: "" sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -31,7 +33,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-13T07:50:40Z" - mac: ENC[AES256_GCM,data:tGOipGrlvIwfocpve9/4MGBtgnGuvI380VdIrSc2pCym4f20DC70/QofPo31cRtkWW3sd8nmEReU7+QQ39iZa9Jrlg+e8O8T5sbckjFvO5KWw5UBShjltrcRmhIHH0vUMkfAul5GRJEjCdpMIuOxxQGUMykeP/y8M6sDfnC73vU=,iv:MF9RP4SI4dWX6Rf6puuck5S0KrKKA8U/uQuJCwMYV30=,tag:lsr85wZVCgXr6n3QPmelaw==,type:str] + lastmodified: "2025-11-19T09:48:55Z" + mac: ENC[AES256_GCM,data:fLLiX6obUBbhtg/XpwUWJmu0jpQraGAOmViQ5SOh82rndcI87fJW0Y2mYN1+VpPdknlsLbuUzFB0styWljmAg3DxRW0OGNz+pL6r4ior0phRRBpGhY9rVHO62f74GZItHgBDzojUQwu7Rhu6jFZMGHLsCgjfRl6QEfakNjT5Py8=,iv:xlZ/q5a0IOiqwjPsD/PQ04URhrX9aGSV6U3suCecqQk=,tag:u4tB8AOJ/jYfiLSbayXpeQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 80e61ec5d8b6fc4f2a370073fa5ef34497739d4c Mon Sep 17 00:00:00 2001 
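Review bot: `radarr.apikey` is added as the empty plaintext string `""` rather than an `ENC[...]` value, although the commit subject says the secret was set. A system built from this revision would presumably give the service an empty API key. Since these commits are produced by the `set` recipe in `.just/vars.just`, a guard there that refuses an empty `value` before `git add` would keep such a revision out of history.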
From: chris Date: Wed, 19 Nov 2025 09:50:35 +0000 Subject: [PATCH 193/251] chore(secrets): set secret "radarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 8bb18b7..0a9d750 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -12,7 +12,7 @@ synapse: oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] radarr: - apikey: "" + apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -33,7 +33,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:48:55Z" - mac: ENC[AES256_GCM,data:fLLiX6obUBbhtg/XpwUWJmu0jpQraGAOmViQ5SOh82rndcI87fJW0Y2mYN1+VpPdknlsLbuUzFB0styWljmAg3DxRW0OGNz+pL6r4ior0phRRBpGhY9rVHO62f74GZItHgBDzojUQwu7Rhu6jFZMGHLsCgjfRl6QEfakNjT5Py8=,iv:xlZ/q5a0IOiqwjPsD/PQ04URhrX9aGSV6U3suCecqQk=,tag:u4tB8AOJ/jYfiLSbayXpeQ==,type:str] + lastmodified: "2025-11-19T09:50:35Z" + mac: ENC[AES256_GCM,data:FgSL58+AHzqp18RyJ4I7fdIQf/vjFI0chkb8T2qXATRJyK3RKrF7JNMOel3ZFgptQvgamUD5LxGgtSO+ucFMjwJpvDmlzrRJ/BbnywuANAeW0M91myI7/Exj/p4QOeIz0RWViX6NGJO+9oF5BMBPE/9tyA+jMN03I8nGCZFGu6o=,iv:8cIUA8/5EexFxwXpJfoY6/A2ZKesHwBUueaMVZq5LbY=,tag:jUmC4qBEXJXxZQEMlDkadg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6a0195587d6a444edb333e235afa683935550197 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:50:58 +0000 Subject: [PATCH 194/251] chore(secrets): set secret "sonarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0a9d750..0a4b541 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -13,6 +13,8 @@ synapse: kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] radarr: apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] +sonarr: + apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -33,7 +35,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:50:35Z" - mac: ENC[AES256_GCM,data:FgSL58+AHzqp18RyJ4I7fdIQf/vjFI0chkb8T2qXATRJyK3RKrF7JNMOel3ZFgptQvgamUD5LxGgtSO+ucFMjwJpvDmlzrRJ/BbnywuANAeW0M91myI7/Exj/p4QOeIz0RWViX6NGJO+9oF5BMBPE/9tyA+jMN03I8nGCZFGu6o=,iv:8cIUA8/5EexFxwXpJfoY6/A2ZKesHwBUueaMVZq5LbY=,tag:jUmC4qBEXJXxZQEMlDkadg==,type:str] + lastmodified: "2025-11-19T09:50:57Z" + mac: ENC[AES256_GCM,data:j2IhWjN08v5xlEw1KBmd0Zc+NriqVDPx06t9oB20S9p2ARe+UhyHxyGah4jZWyHCoanM1sJe4kN3/FcuwI/U+1LmukSQ+YBQT53R4jlOooje06jkJka9xnoS7QiVJmFF8H0XaR1Ye8Xas8mrHgMMOTza96TtvN3YeXpfXUTF4xQ=,iv:X32tNNl2prYbufy4dzubXi5MvX8s+xtGVy2g88gjHns=,tag:yD+fzF8PIWRuxQ28MGTV4Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d0e374c8bb78aefbbdd9f8158f9ab8a82ac60629 Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 09:51:06 +0000 Subject: [PATCH 195/251] chore(secrets): set secret "lidarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 0a4b541..1e8764c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -15,6 +15,8 @@ radarr: apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] sonarr: apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] +lidarr: + apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -35,7 +37,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:50:57Z" - mac: ENC[AES256_GCM,data:j2IhWjN08v5xlEw1KBmd0Zc+NriqVDPx06t9oB20S9p2ARe+UhyHxyGah4jZWyHCoanM1sJe4kN3/FcuwI/U+1LmukSQ+YBQT53R4jlOooje06jkJka9xnoS7QiVJmFF8H0XaR1Ye8Xas8mrHgMMOTza96TtvN3YeXpfXUTF4xQ=,iv:X32tNNl2prYbufy4dzubXi5MvX8s+xtGVy2g88gjHns=,tag:yD+fzF8PIWRuxQ28MGTV4Q==,type:str] + lastmodified: "2025-11-19T09:51:06Z" + mac: ENC[AES256_GCM,data:/arD30zm/wheVtSkwkQrdMe7REnwQ/XOKKWTqysIFeA5O9+e93wSWj8dpwfXfZ5q0ISOk5n3v8hsqzls8wi5BMLXPaBRyj5Alr5poFZd3vJ9z6uyDCSPlJhYRl8ussjzj0vK3Lr3hzKczfrGgPF7W6CoqBKk0AYI2fFHWfT/B5A=,iv:aq66boBgI/V/pVPuPf9mg/TqLV/VfJTElRt7My5njCc=,tag:7s/qu/6B/bX/Nqs00BNl8Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From ba246b145fc6187d82723204240db5ef5a29cd5c Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 19 Nov 2025 09:51:27 +0000 Subject: [PATCH 196/251] chore(secrets): set secret "prowlarr/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1e8764c..7a26401 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -17,6 +17,8 @@ sonarr: apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str] lidarr: apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] +prowlarr: + apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -37,7 +39,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:51:06Z" - mac: ENC[AES256_GCM,data:/arD30zm/wheVtSkwkQrdMe7REnwQ/XOKKWTqysIFeA5O9+e93wSWj8dpwfXfZ5q0ISOk5n3v8hsqzls8wi5BMLXPaBRyj5Alr5poFZd3vJ9z6uyDCSPlJhYRl8ussjzj0vK3Lr3hzKczfrGgPF7W6CoqBKk0AYI2fFHWfT/B5A=,iv:aq66boBgI/V/pVPuPf9mg/TqLV/VfJTElRt7My5njCc=,tag:7s/qu/6B/bX/Nqs00BNl8Q==,type:str] + lastmodified: "2025-11-19T09:51:26Z" + mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 09e4e940bcec8073d9ea9827a4450b566c2e0fd5 Mon Sep 17 00:00:00 2001 
From: chris Date: Wed, 19 Nov 2025 10:27:29 +0000 Subject: [PATCH 197/251] chore: update dependencies --- flake.lock | 230 +++++++++++++++++++++++++++-------------------------- 1 file changed, 116 insertions(+), 114 deletions(-) diff --git a/flake.lock b/flake.lock index 5ed2f72..9d38839 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1762254206, - "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", - "rev": "43a7652624e76d60a93325c711d01620801d4382", + "lastModified": 1763547157, + "narHash": "sha256-lJcMap2uT+x1R8WUUKKQ6ndynysJ/JOkrMThMGz6DP0=", + "rev": "2cb2134a6ee32d427097077c4fb4c416b52ae988", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/2cb2134a6ee32d427097077c4fb4c416b52ae988.tar.gz" }, "original": { "type": "tarball", @@ -111,11 +111,11 @@ ] }, "locked": { - "lastModified": 1760612273, - "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", - "rev": "0099739c78be750b215cbdefafc9ba1533609393", + "lastModified": 1762942435, + "narHash": "sha256-zIWGs5FIytTtJN+dhDb8Yx+q4TQI/yczuL539yVcyPE=", + "rev": "0ee328404b12c65e8106bde9e9fab8abf4ecada4", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0ee328404b12c65e8106bde9e9fab8abf4ecada4.tar.gz" }, "original": { "type": "tarball", 
@@ -130,11 +130,11 @@ ] }, "locked": { - "lastModified": 1761899396, - "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", + "lastModified": 1762276996, + "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", "owner": "nix-community", "repo": "disko", - "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", + "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", "type": "github" }, "original": { @@ -149,11 +149,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1759842236, - "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", + "lastModified": 1762360792, + "narHash": "sha256-YR7vqk+XEvFUQ/miuBAD3+p+97QUN86ya9Aw0K5feJE=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", + "rev": "9075dff5685d3e7269284e53ca496da0beb24596", "type": "github" }, "original": { @@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1760510549, - "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", + "lastModified": 1763534658, + "narHash": "sha256-i/51/Zi/1pM9hZxxSuA3nVPpyqlGoWwJwajyA/loOpo=", "owner": "nix-community", "repo": "fenix", - "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", + "rev": "69e40ddf45698d0115a62a7a15d8412f35dd4c09", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1760548798, - "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", + "lastModified": 1763504432, + "narHash": "sha256-kpmPI67TdoTxiK7LsmgmkKW3iHoyvZJwZeiJhpwPfmw=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", + "rev": "49d5d8d42a7650e5353f8467c813839290cb7c9f", "type": "github" }, "original": { 
@@ -237,11 +237,11 @@ }, "flake-compat_2": { "locked": { - "lastModified": 1746162366, - "narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=", + "lastModified": 1761640442, + "narHash": "sha256-AtrEP6Jmdvrqiv4x2xa5mrtaIp3OEe8uBYCDZDS+hu8=", "owner": "nix-community", "repo": "flake-compat", - "rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b", + "rev": "4a56054d8ffc173222d09dad23adf4ba946c8884", "type": "github" }, "original": { @@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1762040540, - "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", + "lastModified": 1762980239, + "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "0010412d62a25d959151790968765a70c436598b", + "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", "type": "github" }, "original": { @@ -327,11 +327,11 @@ ] }, "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", + "lastModified": 1760948891, + "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", + "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", "type": "github" }, "original": { @@ -510,18 +510,20 @@ "gnome-shell": { "flake": false, "locked": { - "lastModified": 1748186689, - "narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=", + "host": "gitlab.gnome.org", + "lastModified": 1762869044, + "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0", - "type": "github" + "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad", + "type": "gitlab" }, "original": { + "host": "gitlab.gnome.org", "owner": "GNOME", - "ref": "48.2", + "ref": "gnome-49", "repo": "gnome-shell", - "type": "github" + "type": "gitlab" } }, "grub2-themes": { 
@@ -551,11 +553,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1760546650, - "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", + "lastModified": 1763486183, + "narHash": "sha256-10EvBTF9ELezWg+KoKZJ3bxrPzT1Xz95ifurC6HixLY=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", + "rev": "fb27f4bee812e4b4df9df9f78bd5280f0aa2193c", "type": "github" }, "original": { @@ -571,11 +573,11 @@ ] }, "locked": { - "lastModified": 1760500983, - "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", + "lastModified": 1763416652, + "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=", "owner": "nix-community", "repo": "home-manager", - "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", + "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312", "type": "github" }, "original": { @@ -592,11 +594,11 @@ ] }, "locked": { - "lastModified": 1752603129, - "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", + "lastModified": 1762964643, + "narHash": "sha256-RYHN8O/Aja59XDji6WSJZPkJpYVUfpSkyH+PEupBJqM=", "owner": "nix-community", "repo": "home-manager", - "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", + "rev": "827f2a23373a774a8805f84ca5344654c31f354b", "type": "github" }, "original": { @@ -613,11 +615,11 @@ ] }, "locked": { - "lastModified": 1760534924, - "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", + "lastModified": 1763453666, + "narHash": "sha256-Hu8lDUlbMFvcYX30LBXX7Gq5FbU35bERH0pSX5qHf/Q=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "100b4e000032b865563a9754e5bca189bc544764", + "rev": "b843b551415c7aecc97c8b3ab3fff26fd0cd8bbf", "type": "github" }, "original": { 
@@ -668,11 +670,11 @@ ] }, "locked": { - "lastModified": 1762186368, - "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", + "lastModified": 1763136804, + "narHash": "sha256-6p2ljK42s0S8zS0UU59EsEqupz0GVCaBYRylpUadeBM=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", + "rev": "973db96394513fd90270ea5a1211a82a4a0ba47f", "type": "github" }, "original": { @@ -710,11 +712,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1760493654, - "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", + "lastModified": 1763171892, + "narHash": "sha256-6cg9zSiqKA89yJzVtYhBaBptqq6bX4pr4g7WLAHOD4Y=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", + "rev": "316858c27d278b20e776cd4dd8f787812f587ba2", "type": "github" }, "original": { @@ -725,11 +727,11 @@ }, "nix-select": { "locked": { - "lastModified": 1755887746, - "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", - "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", + "lastModified": 1763303120, + "narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=", + "rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz" }, "original": { "type": "tarball", @@ -768,11 +770,11 @@ }, "nixos-facter-modules": { "locked": { - "lastModified": 1761137276, - "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", + "lastModified": 1762264948, + "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=", "owner": "nix-community", "repo": "nixos-facter-modules", - "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", + "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96", "type": "github" }, "original": { 
@@ -810,11 +812,11 @@ ] }, "locked": { - "lastModified": 1760536587, - "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", + "lastModified": 1763537456, + "narHash": "sha256-/WRqcqeE9C+mxxWgI7jy5blMrvg2lHFSlTFjC8pRWos=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", + "rev": "cd9eb5225fc91eb67629966844d2ff371824abb1", "type": "github" }, "original": { @@ -825,11 +827,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759360550, - "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", + "lastModified": 1761828793, + "narHash": "sha256-xjdPwMD4wVuDD85U+3KST62VzFkJueI6oBwIzpzUHLY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", + "rev": "843859a08e114403f44aaf5b996b44c38094aa46", "type": "github" }, "original": { @@ -856,11 +858,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1760479263, - "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", + "lastModified": 1763469780, + "narHash": "sha256-IW67Db/wBNQwJ5e0fF9Yk4SmdivMcecrUVDs7QJoC/s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", + "rev": "a70b03ca5dc9d46294740f165abdef9f9bea5632", "type": "github" }, "original": { @@ -888,11 +890,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760548845, - "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", + "lastModified": 1763547551, + "narHash": "sha256-YOdXVAqEGmrPUgs71r8ziuu9qqpn3jJEiIxsIls+VQA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "631597d659c37aa267eed8334271d5205244195e", + "rev": "06aa4d5f488875b6af46e10b45b8000ed0906860", "type": "github" }, "original": { 
@@ -920,11 +922,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", + "lastModified": 1763421233, + "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", + "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", "type": "github" }, "original": { @@ -936,11 +938,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1759386674, - "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", + "lastModified": 1761880412, + "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "625ad6366178f03acd79f9e3822606dd7985b657", + "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", "type": "github" }, "original": { @@ -952,11 +954,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1760164275, - "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", + "lastModified": 1763191728, + "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "362791944032cb532aabbeed7887a441496d5e6e", + "rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c", "type": "github" }, "original": { @@ -968,11 +970,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", + "lastModified": 1762977756, + "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", + "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", "type": "github" }, "original": { 
@@ -1016,11 +1018,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1760153667, - "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", + "lastModified": 1762622004, + "narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=", "owner": "notashelf", "repo": "nvf", - "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", + "rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909", "type": "github" }, "original": { @@ -1039,11 +1041,11 @@ ] }, "locked": { - "lastModified": 1759321049, - "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", + "lastModified": 1762784320, + "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", + "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321", "type": "github" }, "original": { @@ -1080,11 +1082,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1760457219, - "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", + "lastModified": 1762860488, + "narHash": "sha256-rMfWMCOo/pPefM2We0iMBLi2kLBAnYoB9thi4qS7uk4=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", + "rev": "2efc80078029894eec0699f62ec8d5c1a56af763", "type": "github" }, "original": { @@ -1102,11 +1104,11 @@ ] }, "locked": { - "lastModified": 1760495781, - "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=", + "lastModified": 1759977258, + "narHash": "sha256-hOxEFSEBoqDmJb7BGX1CzT1gvUPK6r+Qs+n3IxBgfTs=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "11e0852a2aa3a65955db5824262d76933750e299", + "rev": "1d0c6173f57d07db7957b50e799240d4f2d7520f", "type": "github" }, "original": { 
@@ -1145,11 +1147,11 @@ ] }, "locked": { - "lastModified": 1760998189, - "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "lastModified": 1763264763, + "narHash": "sha256-N0BEoJIlJ+M6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", + "rev": "882e56c8293e44d57d882b800a82f8b2ee7a858f", "type": "github" }, "original": { @@ -1163,11 +1165,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", + "lastModified": 1763509310, + "narHash": "sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", + "rev": "3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e", "type": "github" }, "original": { @@ -1195,11 +1197,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760472212, - "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", + "lastModified": 1763497248, + "narHash": "sha256-OGP6MYc+lVkLVQOTS6ORszDcCnZm7kDOGpFBdDoLd0k=", "owner": "nix-community", "repo": "stylix", - "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", + "rev": "f19ac46f6aa26188b2020ed40066a5b832be9c53", "type": "github" }, "original": { @@ -1337,11 +1339,11 @@ "systems": "systems_8" }, "locked": { - "lastModified": 1757278723, - "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", + "lastModified": 1762472226, + "narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=", "owner": "terranix", "repo": "terranix", - "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", + "rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc", "type": "github" }, "original": { 
@@ -1439,11 +1441,11 @@ ] }, "locked": { - "lastModified": 1761311587, - "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", + "lastModified": 1762938485, + "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", + "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", "type": "github" }, "original": { @@ -1460,11 +1462,11 @@ ] }, "locked": { - "lastModified": 1760466542, - "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", + "lastModified": 1763521945, + "narHash": "sha256-Zcrafbe4niRJMbzaVOwg7+iedJhwBFttre2DpyCC6qA=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", + "rev": "24d7381b9231c23daceec5d372cc28e877f7785d", "type": "github" }, "original": { From 169b62e6f3dc3cf839004f3da1b781be6e7b640c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 19 Nov 2025 11:49:09 +0100 Subject: [PATCH 198/251] chore: update config after update --- modules/nixos/services/development/forgejo/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index dbcef87..52f026f 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -144,7 +144,7 @@ in openssh.settings.AllowUsers = [ "forgejo" ]; gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; + package = pkgs.forgejo-runner; instances.default = { enable = true; name = "default"; From 2d3da197ee8e549b46a52266af22271a817127fd Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 20 Nov 2025 00:05:34 +0100 Subject: [PATCH 199/251] lets actually commit for once... --- .just/vars.just | 18 +- lib/options/default.nix | 38 ++++ lib/strings/default.nix | 26 ++- modules/home/themes/default.nix | 2 +- .../authentication/zitadel/default.nix | 48 ++-- .../nixos/services/backup/borg/default.nix | 13 +- modules/nixos/services/media/default.nix | 210 ++++++++++++++--- .../nixos/services/media/homer/default.nix | 8 +- .../nixos/services/media/servarr/default.nix | 214 ++++++++++++++++++ .../observability/uptime-kuma/default.nix | 25 ++ .../services/security/vaultwarden/default.nix | 138 ++++++++++- shells/default/default.nix | 2 + systems/x86_64-linux/ulmo/default.nix | 43 +++- 13 files changed, 711 insertions(+), 74 deletions(-) create mode 100644 lib/options/default.nix create mode 100644 modules/nixos/services/media/servarr/default.nix create mode 100644 modules/nixos/services/observability/uptime-kuma/default.nix diff --git a/.just/vars.just b/.just/vars.just index 944d7cf..d8bd181 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -1,19 +1,23 @@ +set unstable + base_path := invocation_directory() / "systems/x86_64-linux" -sops := "nix shell nixpkgs#sops --command sops" -yq := "nix shell nixpkgs#yq --command yq" +# sops := "nix shell nixpkgs#sops --command sops" +# yq := "nix shell nixpkgs#yq --command yq" +sops := "sops" +yq := "yq" @_default: just --list [doc('list all vars of the target machine')] list machine: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml @edit machine: - {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml + sops edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\"/g')\"" + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null 
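Review bot: The `set` recipe pastes `{{ key }}` and `{{ value }}` into the shell text inside single quotes (`echo '{{ value }}'`, `'["{{ key }}"]'`), so a secret that contains `'` ends the quoting and the remainder is parsed by the shell; the changed `sed` expression only escapes double quotes and does not cover this. Declaring the parameters as exported variables avoids the interpolation: `@set machine $key $value:` with `"$key"` and `"$value"` in the body. The `get` and `remove` recipes in the next hunk interpolate `{{ key }}` the same way. The recipes now call `sops` and `yq` directly, which leaves the `sops :=` and `yq :=` variables defined above unused.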
@@ -21,10 +25,10 @@ list machine: echo "Done" @get machine key: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml | {{ yq }} ".$(echo "{{ key }}" | sed -E 's/\//./g')" + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" @remove machine key: - {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null diff --git a/lib/options/default.nix b/lib/options/default.nix new file mode 100644 index 0000000..72e8621 --- /dev/null +++ b/lib/options/default.nix @@ -0,0 +1,38 @@ +{ lib, ...}: +let + inherit (builtins) isString typeOf; + inherit (lib) mkOption types throwIfNot concatStringsSep splitStringBy toLower map; +in +{ + options = { + mkUrlOptions = + defaults: + { + host = mkOption { + type = types.str; + example = "host.tld"; + description = '' + Hostname + ''; + } // (defaults.host or {}); + + port = mkOption { + type = types.port; + default = 1234; + example = "1234"; + description = '' + Port + ''; + } // (defaults.port or {}); + + protocol = mkOption { + type = types.str; + default = "https"; + example = "https"; + description = '' + Which protocol to use when creating a url string + ''; + } // (defaults.protocol or {}); + }; + }; +} \ No newline at end of file diff --git a/lib/strings/default.nix b/lib/strings/default.nix index 52b05e3..0c15699 100644 --- a/lib/strings/default.nix +++ b/lib/strings/default.nix 
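Review bot: `protocol` in the new `lib/options/default.nix` is declared as `types.str`, so any string, including a typo or an unintended `http`, passes evaluation; `type = types.enum [ "http" "https" ];` would reject those at build time. The `example` for `port` is the string `"1234"` while the type is `types.port`, which takes an integer, so `example = 1234;` matches the type. The two `inherit` lines bring in `isString`, `typeOf`, `throwIfNot`, `concatStringsSep`, `splitStringBy`, `toLower` and `map`, none of which this file uses.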
@@ -1,10 +1,15 @@ { lib, ...}: let - inherit (builtins) isString typeOf; - inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; + inherit (builtins) isString typeOf match toString head; + inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map concatMapAttrsStringSep; in { strings = { + #======================================================================================== + # Converts a string to snake case + # + # simply replaces any uppercase letter to its lowercase variant preceeded by an underscore + #======================================================================================== toSnakeCase = str: throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( @@ -13,5 +18,22 @@ in |> map (p: toLower p) |> concatStringsSep "_" ); + + #======================================================================================== + # Converts a set of url parts to a string + #======================================================================================== + toUrl = + { protocol ? null, host, port ? null, path ? null, query ? null, hash ? null }: + let + trim_slashes = str: str |> match "^\/*(.+?)\/*$" |> head; + encode_to_str = set: concatMapAttrsStringSep "&" (n: v: "${n}=${v}") set; + + _protocol = if protocol != null then "${protocol}://" else ""; + _port = if port != null then ":${toString port}" else ""; + _path = if path != null then "/${path |> trim_slashes}" else ""; + _query = if query != null then "?${query |> encode_to_str}" else ""; + _hash = if hash != null then "#${hash |> encode_to_str}" else ""; + in + "${_protocol}${host}${_port}${_path}${_query}${_hash}"; }; } \ No newline at end of file diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index 3fa74b9..3fb8f15 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix 
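Review bot: `encode_to_str` in `toUrl` joins names and values as `"${n}=${v}"` without percent-encoding, so a value containing `&`, `#` or `=` changes the structure of the resulting URL; `"${lib.escapeURL n}=${lib.escapeURL v}"` keeps each pair intact. `trim_slashes` relies on the lazy `.+?`, which the POSIX extended syntax used by `builtins.match` does not define, so trailing slashes are probably kept, and `head` fails on the `null` that `match` returns for an empty path; both are worth a small test. A comment on `toUrl` saying which parts are optional and that `query` and `hash` are attribute sets of strings would help callers.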
@@ -52,7 +52,7 @@ in { }; emoji = { - package = pkgs.noto-fonts-emoji; + package = pkgs.noto-fonts-color-emoji; name = "Noto Color Emoji"; }; }; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index bd74ca2..9a02f01 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs concatMapStringsSep filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; @@ -334,6 +334,16 @@ in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set ; + append = attrList: set: set // (listToAttrs attrList); + forEach = src: key: set: + let + _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; + in + { + forEach = "{ for item in ${src} : \"${_key}\" => item }"; + } + // set; + config' = config; # this is a nix package, the generated json file to be exact @@ -418,7 +428,7 @@ in # Users zitadel_human_user = - (cfg.organization + cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: { inherit email userName firstName lastName; 
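Review bot: The new `forEach` helper in the zitadel module writes the `for` expression as a plain string under the key `forEach`, while the block it replaces in the later `@@ -427,24 +437,20 @@` hunk used `for_each = lib.tfRef ''{ … }''`. Unless `toResource`, which is outside this hunk, renames the key and adds the `${ }` wrapper, OpenTofu will read the value as a string template in which `item` is undefined. Wrapping it in the helper keeps it self-contained: `forEach = lib.tfRef "{ for item in ${src} : \"${_key}\" => item }";`. A one-line comment stating that `src` is a Terraform expression and `key` a list of attribute names would also help.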
@@ -427,24 +437,20 @@ in } |> withRef "org" org |> toResource "${org}_${name}" - )) - - // { - "extra_users" = { - for_each = lib.tfRef ''{ - for user in local.extra_users : - "''${user.org}_''${user.name}" => user - }''; - - org_id = lib.tfRef "local.orgs[each.value.org]"; - user_name = lib.tfRef "each.value.name"; + ) + |> append + [ + (forEach "local.extra_users" [ "org" "name" ] { + orgId = lib.tfRef "local.orgs[each.value.org]"; + userName = lib.tfRef "each.value.name"; email = lib.tfRef "each.value.email"; - first_name = lib.tfRef "each.value.firstName"; - last_name = lib.tfRef "each.value.lastName"; + firstName = lib.tfRef "each.value.firstName"; + lastName = lib.tfRef "each.value.lastName"; - is_email_verified = true; - }; - } + isEmailVerified = true; + } + |> toResource "extraUsers") + ] ; # Global user roles @@ -708,6 +714,12 @@ in restartUnits = [ "zitadelApplyTerraform.service" ]; }; }; + + templates = { + "users.yml" = { + + }; + }; }; }; } diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix index e200505..9cbbea0 100644 --- a/modules/nixos/services/backup/borg/default.nix +++ b/modules/nixos/services/backup/borg/default.nix @@ -10,13 +10,22 @@ in }; config = mkIf cfg.enable { + programs.ssh.extraConfig = '' + Host beheer.hazelhof.nl + Port 222 + User chris + AddressFamily inet + IdentityFile /home/chris/.ssh/id_ed25519 + ''; + services = { borgbackup.jobs = { media = { paths = "/var/media/test"; encryption.mode = "none"; - environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/media"; + # environment.BORG_SSH = "ssh -4 -i /home/chris/.ssh/id_ed25519"; + environment.BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; + repo = "ssh://beheer.hazelhof.nl//media"; compression = "auto,zstd"; startAt = "daily"; }; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 9d915da..1950bf0 100644 
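Review bot: `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"` in the borg job turns off Borg's confirmation for an unencrypted repository it has not seen before, and the job keeps `encryption.mode = "none"`, so the data is stored readable on the remote host and a replaced repository would not be caught by that check. If the `/var/media/test` path means this is still a trial, a comment saying so would help; otherwise set `encryption.mode = "repokey-blake2";` with `encryption.passCommand` reading a sops secret and drop the override. The `programs.ssh.extraConfig` block applies system-wide and points at a key under `/home/chris`, which the backup service must be able to read; a dedicated key for the backup job would narrow that.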
--- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, namespace, config, ... }: +{ pkgs, lib, namespace, config, inputs, system, ... }: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media; + + arr = ["radarr" ]; in { options.${namespace}.services.media = { 
@@ -60,47 +62,48 @@ in "d '${cfg.path}/reiverr/config' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/incomplete' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.path}/downloads/done' 0700 ${cfg.user} ${cfg.group} - -" + "d /var/lib/radarrApplyTerraform 0755 ${cfg.user} ${cfg.group} -" ]; #========================================================================= # Services #========================================================================= services = let - arrService = { - enable = true; - openFirewall = true; + arr-services = + arr + |> lib.imap (i: service: { + name = service; + value = { + enable = true; + openFirewall = true; - settings = { - auth.AuthenticationMethod = "External"; - }; - }; + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; - withPort = port: service: service // { settings.server.Port = builtins.toString port; }; + settings = { + auth.authenticationMethod = "External"; - withUserAndGroup = service: service // { - user = cfg.user; - group = cfg.group; - }; - in { - radarr = - arrService - |> withPort 2001 - |> withUserAndGroup; - - sonarr = - arrService - |> withPort 2002 - |> withUserAndGroup; - - lidarr = - arrService - |> withPort 2003 - |> withUserAndGroup; - - prowlarr = - arrService - |> withPort 2004; + server = { + bindaddress = "0.0.0.0"; + port = 2000 + i; + }; + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; + }; + } + // (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {}); + }) + |> lib.listToAttrs + ; + in + arr-services // { bazarr = { enable = true; openFirewall = true; @@ -146,6 +149,19 @@ in group = cfg.group; }; + postgresql = + let + databases = arr |> lib.concatMap (s: [ s "${s}-log" ]); + in + { + enable = true; + ensureDatabases = arr; + ensureUsers = arr |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + caddy = { enable = true; virtualHosts = { 
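Review bot: Each generated service sets `auth.authenticationMethod = "External"` together with `bindaddress = "0.0.0.0"` and `openFirewall = true`, so the web UI appears to be reachable from the network without its own login; external authentication only covers requests that arrive through the proxy performing it. If Caddy is meant to front these services, `bindaddress = "127.0.0.1";` and removing `openFirewall` would close the direct path. `postgres.port` is given as the string `"5432"` and `logdb` names the same database as `maindb`; whether both are intended is not visible here. With `arr = [ "radarr" ]` this hunk also stops configuring sonarr, lidarr and prowlarr, which the commit message does not mention.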
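Review bot: The `databases` binding in the `postgresql` block, which adds a `-log` name per service, is never used: `ensureDatabases = arr` creates only the main database. Either pass `databases` to `ensureDatabases` and point `logdb` at the `-log` name, or remove the binding. The services connect to `localhost` over TCP and no password is visible in this diff, so it is worth confirming that the PostgreSQL authentication rules permit this without falling back to `trust` for every local user.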
@@ -156,6 +172,136 @@ in }; }; + systemd.services.radarrApplyTerraform = + let + # this is a nix package, the generated json file to be exact + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { + inherit system; + + modules = [ + ({ config, lib, ... }: { + config = { + variable = { + api_key = { + type = "string"; + description = "Radarr api key"; + }; + }; + + terraform.required_providers.radarr = { + source = "devopsarr/radarr"; + version = "2.2.0"; + }; + + provider.radarr = { + url = "http://127.0.0.1:2001"; + api_key = lib.tfRef "var.api_key"; + }; + + resource = { + radarr_root_folder.local = { + path = "/var/media/movies"; + }; + }; + }; + }) + ]; + }; + in + { + description = "Radarr terraform apply"; + + wantedBy = [ "multi-user.target" ]; + wants = [ "radarr.service" ]; + + script = '' + #!/usr/bin/env bash + + if [ "$(systemctl is-active radarr)" != "active" ]; then + echo "Radarr is not running" + exit 1 + fi + + # Sleep for a bit to give radarr the chance to start up + sleep 5s + + # Print the path to the source for easier debugging + echo "config location: ${terraformConfiguration}" + + # Copy infra code into workspace + cp -f ${terraformConfiguration} config.tf.json + + # Initialize OpenTofu + ${lib.getExe pkgs.opentofu} init + + # Run the infrastructure code + # ${lib.getExe pkgs.opentofu} plan -var-file='${config.sops.templates."radarr/config.tfvars".path}' + ${lib.getExe pkgs.opentofu} apply -auto-approve -var-file='${config.sops.templates."radarr/config.tfvars".path}' + ''; + + serviceConfig = { + Type = "oneshot"; + User = cfg.user; + Group = cfg.group; + + WorkingDirectory = "/var/lib/radarrApplyTerraform"; + + EnvironmentFile = [ + config.sops.templates."radarr/config.env".path + ]; + }; + }; + systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; + + sops = { + secrets = + arr + |> lib.map (service: { + name = "${service}/apikey"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ 
"${service}.service" ]; + }; + }) + |> lib.listToAttrs + ; + + templates = + let + apikeys = + arr + |> lib.map (service: { + name = "${service}/config.env"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ "${service}.service" ]; + content = '' + ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + + tfvars = + arr + |> lib.map(service: { + name = "${service}/config.tfvars"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = [ "${service}ApplyTerraform.service" ]; + content = '' + api_key = "${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + in + apikeys // tfvars + ; + }; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 41535cd..79633ab 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -103,7 +103,7 @@ in type = "Radarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2001"; target = "_blank"; } @@ -112,7 +112,7 @@ in type = "Sonarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2002"; target = "_blank"; } @@ -121,7 +121,7 @@ in type = "Lidarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2003"; target = "_blank"; } 
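Review bot: `wants = [ "radarr.service" ]` in `radarrApplyTerraform` starts Radarr alongside this unit but does not order it, and the `is-active` check runs before the `sleep 5s`, so the unit can fail at boot simply because Radarr has not started yet. Adding `after = [ "radarr.service" ];` and moving the sleep above the check, as the servarr module later in this commit does, makes the start order explicit. `EnvironmentFile` loads `radarr/config.env`, which holds the API key, although the script only passes the tfvars template; dropping it keeps the key out of the environment of `tofu` and the provider plugin. `tofu init` fetches the `devopsarr/radarr` provider at service start, outside the Nix store, so the unit needs network access and the provider is pinned only by its version and whatever lock file remains in the working directory.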
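Review bot: The Radarr link in the homer dashboard now hardcodes port `2001`, and the Sonarr, Lidarr and Prowlarr hunks that follow hardcode `2002` to `2004`, which duplicates the `2000 + i` numbering in `media/default.nix` and will drift if the `arr` list is reordered. In this commit `arr` contains only `"radarr"`, so unless the new servarr module enables the other three on those ports, their dashboard entries point at nothing. Reading the port from one shared option, or at least adding a comment that names where the numbers come from, would keep the two files in step.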
@@ -130,7 +130,7 @@ in type = "Prowlarr"; logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; + url = "http://${config.networking.hostName}:2004"; target = "_blank"; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix new file mode 100644 index 0000000..097a36b --- /dev/null +++ b/modules/nixos/services/media/servarr/default.nix 
@@ -0,0 +1,214 @@
+{ pkgs, config, lib, namespace, inputs, system, ... }:
+let
+ inherit (builtins) toString;
+ inherit (lib) mkIf mkEnableOption mkOption types;
+
+ cfg = config.${namespace}.services.media.servarr;
+in
+{
+ options.${namespace}.services.media = {
+ servarr = mkOption {
+ type = types.attrsOf (types.submodule ({ name, ... }: {
+ options = {
+ enable = mkEnableOption "Enable ${name}";
+ debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} ";
+
+ port = mkOption {
+ type = types.port;
+ };
+
+ rootFolders = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+
+ config = {
+ services =
+ cfg
+ |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable {
+ "${service}" = {
+ enable = true;
+ openFirewall = true;
+
+ environmentFiles = [
+ config.sops.templates."${service}/config.env".path
+ ];
+
+ settings = {
+ auth.authenticationMethod = "External";
+
+ server = {
+ bindaddress = "0.0.0.0";
+ port = port;
+ };
+
+ postgres = {
+ host = "localhost";
+ port = "5432";
+ user = service;
+ maindb = service;
+ logdb = service;
+ };
+ };
+ };
+ }))
+ |> lib.mergeAttrsList
+ |> (set: set // {
+ postgres = {
+ ensureDatabases = cfg |> lib.attrNames;
+ ensureUsers = cfg |> lib.attrNames |> lib.map (service: {
+ name = service;
+ ensureDBOwnership = true;
+ });
+ };
+ })
+ ;
+
+ systemd =
+ cfg
+ |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable {
+ tmpfiles.rules = [
+ "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -"
+ ];
+
+ services."${service}ApplyTerraform" =
+ let
+ terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
+ inherit system;
+
+ modules = [
+ ({ config, lib, ...
}: {
+ config = {
+ variable = {
+ api_key = {
+ type = "string";
+ description = "${service} api key";
+ };
+ };
+
+ terraform.required_providers.${service} = {
+ source = "devopsarr/${service}";
+ version = "2.2.0";
+ };
+
+ provider.${service} = {
+ url = "http://127.0.0.1:${toString port}";
+ api_key = lib.tfRef "var.api_key";
+ };
+
+ resource = {
+ "${service}_root_folder" =
+ rootFolders
+ |> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; })
+ |> lib.listToAttrs
+ ;
+ };
+ };
+ })
+ ];
+ };
+ in
+ {
+ description = "${service} terraform apply";
+
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "${service}.service" ];
+
+ script = ''
+ #!/usr/bin/env bash
+
+ # Sleep for a bit to give the service a chance to start up
+ sleep 5s
+
+ if [ "$(systemctl is-active ${service})" != "active" ]; then
+ echo "${service} is not running"
+ exit 1
+ fi
+
+ # Print the path to the source for easier debugging
+ echo "config location: ${terraformConfiguration}"
+
+ # Copy infra code into workspace
+ cp -f ${terraformConfiguration} config.tf.json
+
+ # Initialize OpenTofu
+ ${lib.getExe pkgs.opentofu} init
+
+ # Run the infrastructure code
+ ${lib.getExe pkgs.opentofu} \
+ ${if debug then "plan" else "apply -auto-approve"} \
+ -var-file='${config.sops.templates."${service}/config.tfvars".path}'
+ '';
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = service;
+ Group = service;
+
+ WorkingDirectory = "/var/lib/${service}ApplyTerraform";
+
+ EnvironmentFile = [
+ config.sops.templates."${service}/config.env".path
+ ];
+ };
+ };
+ }))
+ |> lib.mergeAttrsList
+ ;
+
+ users.users =
+ cfg
+ |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable {
+ "${service}".extraGroups = [ "media" ];
+ }))
+ |> lib.mergeAttrsList
+ ;
+
+ sops =
+ cfg
+ |> lib.mapAttrsToList (service: { enable, ...
}: (mkIf enable {
+ secrets."${service}/apikey" = {
+ owner = service;
+ group = service;
+ restartUnits = [ "${service}.service" ];
+ };
+
+ templates = {
+ "${service}/config.env" = {
+ owner = service;
+ group = service;
+ restartUnits = [ "${service}.service" ];
+ content = ''
+ ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}"
+ '';
+ };
+
+ "${service}/config.tfvars" = {
+ owner = service;
+ group = service;
+ restartUnits = [ "${service}.service" ];
+ content = ''
+ api_key = "${config.sops.placeholder."${service}/apikey"}"
+ '';
+ };
+ };
+ }))
+ |> lib.mergeAttrsList
+ ;
+ };
+
+
+ # cfg
+ # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable {
+
+ # # sops = {
+ # # };
+ # }))
+ # |> lib.mergeAttrsList
+ # ;
+}
diff --git a/modules/nixos/services/observability/uptime-kuma/default.nix b/modules/nixos/services/observability/uptime-kuma/default.nix
new file mode 100644
index 0000000..c23977b
--- /dev/null
+++ b/modules/nixos/services/observability/uptime-kuma/default.nix
@@ -0,0 +1,25 @@
+{ pkgs, config, lib, namespace, ... }:
+let
+ inherit (builtins) toString;
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.services.observability.uptime-kuma;
+in
+{
+ options.${namespace}.services.observability.uptime-kuma = {
+ enable = mkEnableOption "enable uptime kuma";
+ };
+
+ config = mkIf cfg.enable {
+ services.uptime-kuma = {
+ enable = true;
+
+ settings = {
+ PORT = toString 9006;
+ HOST = "0.0.0.0";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 9006 ];
+ };
+}
diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix
index de50be7..abab566 100644
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
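Review bot: `auth.authenticationMethod = "External"` hands the login to a fronting proxy, yet the same service block sets `bindaddress = "0.0.0.0"` and `openFirewall = true`, so an enabled app is reachable directly on its port without passing through that proxy. If a proxy is meant to authenticate, `bindaddress = "127.0.0.1";` and `openFirewall = false;` close the direct path; if direct access by port is intended, the app's own login should stay enabled instead of `External`. The tmpfiles rule also creates `/var/lib/${service}ApplyTerraform` as `0755`, and since OpenTofu keeps its working files and state there, `0750` would be the safer mode.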
@@ -1,13 +1,87 @@ { pkgs, config, lib, namespace, ... }: let inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; + + databaseProviderSqlite = types.submodule ({ ... }: { + options = { + type = mkOption { + type = types.enum [ "sqlite" ]; + }; + + file = mkOption { + type = types.str; + description = ''''; + }; + }; + }); + + databaseProviderPostgresql = types.submodule ({ ... }: + let + urlOptions = lib.${namespace}.options.mkUrlOptions { + host = { + description = '' + Hostname of the postgresql server + ''; + }; + + port = { + default = 5432; + example = "5432"; + description = '' + Port of the postgresql server + ''; + }; + + protocol = mkOption { + default = "postgres"; + example = "postgres"; + }; + }; + in + { + options = { + type = mkOption { + type = types.enum [ "postgresql" ]; + }; + + sslMode = mkOption { + type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl + + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. 
| + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); + }); in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; + + database = mkOption { + type = types.oneOf [ + (types.addCheck databaseProviderSqlite (x: x ? type && x.type == "sqlite")) + (types.addCheck databaseProviderPostgresql (x: x ? type && x.type == "postgresql")) + null + ]; + default = null; + description = ''''; + }; }; config = mkIf cfg.enable { @@ -15,6 +89,8 @@ in "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; + # systemd.services.vaultwarden.wants = [ "zitadelApplyTerraform.service" ]; + services = { vaultwarden = { enable = true; @@ -26,8 +102,6 @@ in SIGNUPS_ALLOWED = false; DOMAIN = "https://vault.kruining.eu"; - ADMIN_TOKEN = ""; - DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; WEB_VAULT_ENABLED = true; @@ -41,9 +115,6 @@ in SSO_ORGANIZATIONS_REVOCATION = true; SSO_AUTHORITY = "https://auth.kruining.eu/"; SSO_SCOPES = "email profile offline_access"; - SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; - SSO_CLIENT_ID = "335178854421299459"; - SSO_CLIENT_SECRET = ""; ROCKET_ADDRESS = "::1"; ROCKET_PORT = 8222; @@ -53,10 +124,14 @@ in SMTP_PORT = 587; SMTP_SECURITY = "starttls"; SMTP_USERNAME = "chris@kruining.eu"; - SMTP_PASSWORD = ""; SMTP_FROM = "chris@kruining.eu"; SMTP_FROM_NAME = "Chris' Vaultwarden"; }; + + environmentFile = [ + "/var/lib/zitadel/clients/nix_ulmo_vaultwarden" + config.sops.templates."vaultwarden/config.env".path + ]; }; postgresql = { 
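Review bot: The `sslMode` enum accepts `"disabled"`, but the value libpq understands, and the one the option's own table lists, is `disable`. The string is passed through unchanged as `sslmode` in the URL built in the `@@ -89,5 +164,54 @@` hunk, and the ulmo system config in this commit sets `sslMode = "disabled"`, so the generated connection string would carry a mode the client is likely to reject. I would change the enum entry to `"disable"` and the ulmo value to `sslMode = "disable";`. Separately, `null` inside `types.oneOf [ … ]` is not an option type; wrapping the list as `types.nullOr (types.oneOf [ … ])` expresses the optional case, and the consumer of `cfg.database` then needs a guard for `null`.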
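Review bot: Removing `DATABASE_URL` in the `@@ -26,8 +102,6 @@` hunk leaves nothing visible in this commit that sets it again. The `temp-db-output` template added later renders `TYPE=`/`URL=` style lines rather than `DATABASE_URL=`, and it is not listed in `environmentFile`. Unless the backend is configured outside these hunks, Vaultwarden would presumably start against its default local store instead of the existing PostgreSQL database. Rendering a `DATABASE_URL=…` line into the `vaultwarden/config.env` template from `cfg.database` would keep the URL out of the world-readable store and keep the service on the intended database.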
@@ -89,5 +164,54 @@ in }; }; }; + + sops = { + secrets = { + "vaultwarden/email" = { + owner = config.users.users.vaultwarden.name; + group = config.users.users.vaultwarden.name; + key = "email/chris_kruining_eu"; + restartUnits = [ "vaultwarden.service" ]; + }; + }; + + templates = { + "vaultwarden/config.env" = { + content = '' + SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}'; + ''; + owner = config.users.users.vaultwarden.name; + group = config.users.groups.vaultwarden.name; + }; + temp-db-output.content = + let + config = + cfg.database + |> ({ type, ... }@db: + if type == "sqlite" then + { inherit (db) type file; } + else if type == "postgresql" then + { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; + }; + }; + } + else + {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") + ; + in + '' + # GENERATED VALUES + ${config} + ''; + }; + }; }; } diff --git a/shells/default/default.nix b/shells/default/default.nix index 0361f88..1749c48 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -5,6 +5,8 @@ mkShell { bash sops just + yq + pwgen inputs.clan-core.packages.x86_64-linux.clan-cli ]; } \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 8bb5cea..0310818 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
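Review bot: The template line `SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}';` ends with a `;` after the closing quote, which a systemd `EnvironmentFile` will most likely treat as part of the value, so the password sent to the SMTP server would carry a trailing semicolon. Dropping it gives `SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}'`; a secret containing a single quote would still break this quoting, which is worth a comment next to the line. The secret's `group` is also taken from `config.users.users.vaultwarden.name` while the template uses `config.users.groups.vaultwarden.name`; using the latter in both places avoids relying on the user and group sharing a name.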
@@ -147,15 +147,56 @@ media.enable = true; media.homer.enable = true; media.nfs.enable = true; + media.servarr = { + # radarr = { + # port = 2001; + # }; + + sonarr = { + enable = true; + # debug = true; + port = 2002; + rootFolders = [ + "/var/media/series" + ]; + }; + + lidarr = { + enable = true; + debug = true; + port = 2003; + rootFolders = [ + "/var/media/music" + ]; + }; + + prowlarr = { + enable = true; + debug = true; + port = 2004; + }; + }; observability = { grafana.enable = true; prometheus.enable = true; loki.enable = true; promtail.enable = true; + # uptime-kuma.enable = true; }; - security.vaultwarden.enable = true; + security.vaultwarden = { + enable = true; + database = { + # type = "sqlite"; + # file = "/var/lib/vaultwarden/state.db"; + + type = "postgresql"; + host = "localhost"; + port = 5432; + sslMode = "disabled"; + }; + }; }; editor = { From c3a2d6ef7f78a4371fa161c5cc2e71a3a709053d Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 1 Dec 2025 19:59:16 +0000 Subject: [PATCH 200/251] chore: update dependencies --- flake.lock | 164 ++++++++++++++++++++++++++--------------------------- 1 file changed, 82 insertions(+), 82 deletions(-) diff --git a/flake.lock b/flake.lock index 9d38839..3f5967e 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1763547157, - "narHash": "sha256-lJcMap2uT+x1R8WUUKKQ6ndynysJ/JOkrMThMGz6DP0=", - "rev": "2cb2134a6ee32d427097077c4fb4c416b52ae988", + "lastModified": 1764601856, + "narHash": "sha256-AWohz0cJ5J1keDnUkuWeX2QbWDa62yGSSeMNfdstx10=", + "rev": "a61aac8bf2c97cf142b70d344a7174811c62b1a4", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/2cb2134a6ee32d427097077c4fb4c416b52ae988.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/a61aac8bf2c97cf142b70d344a7174811c62b1a4.tar.gz" }, "original": { "type": "tarball", 
@@ -130,11 +130,11 @@ ] }, "locked": { - "lastModified": 1762276996, - "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", + "lastModified": 1764350888, + "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=", "owner": "nix-community", "repo": "disko", - "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", + "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26", "type": "github" }, "original": { @@ -149,11 +149,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1762360792, - "narHash": "sha256-YR7vqk+XEvFUQ/miuBAD3+p+97QUN86ya9Aw0K5feJE=", + "lastModified": 1764542190, + "narHash": "sha256-einnpQaGZ4OoinhfKWm8mfatrBeYNnc3K4TYoKmVOSw=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "9075dff5685d3e7269284e53ca496da0beb24596", + "rev": "eef0ab9b05d3d27f320226daaffb18d9dcc41c06", "type": "github" }, "original": { @@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1763534658, - "narHash": "sha256-i/51/Zi/1pM9hZxxSuA3nVPpyqlGoWwJwajyA/loOpo=", + "lastModified": 1764571808, + "narHash": "sha256-+oo9W5rz03TjfpNqDSLEQwgKiuBbjrHdORyTHli2RuM=", "owner": "nix-community", "repo": "fenix", - "rev": "69e40ddf45698d0115a62a7a15d8412f35dd4c09", + "rev": "df3c2e78ec13418f85c1f26e77a50f865ec57d38", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1763504432, - "narHash": "sha256-kpmPI67TdoTxiK7LsmgmkKW3iHoyvZJwZeiJhpwPfmw=", + "lastModified": 1764592856, + "narHash": "sha256-ODwJzh/AiFyhFtmJoAGP5Gbp38ARsUiesBVMXXd1x/s=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "49d5d8d42a7650e5353f8467c813839290cb7c9f", + "rev": "5aadac137f2c49991cea2bc367dddbb905ffe645", "type": "github" }, "original": { 
@@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1762980239, - "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", + "lastModified": 1763759067, + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", "type": "github" }, "original": { @@ -553,11 +553,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1763486183, - "narHash": "sha256-10EvBTF9ELezWg+KoKZJ3bxrPzT1Xz95ifurC6HixLY=", + "lastModified": 1764617621, + "narHash": "sha256-Eq0TvWs6xhKZs5HXH1hlrNasrHD7AOEdeLkTis//X7w=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "fb27f4bee812e4b4df9df9f78bd5280f0aa2193c", + "rev": "c19494250d8c15e7c75e9301bdc271579a6dc77a", "type": "github" }, "original": { @@ -573,11 +573,11 @@ ] }, "locked": { - "lastModified": 1763416652, - "narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=", + "lastModified": 1764603455, + "narHash": "sha256-Q70rxlbrxPcTtqWIb9+71rkJESxIOou5isZBvyOieXw=", "owner": "nix-community", "repo": "home-manager", - "rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312", + "rev": "effe4c007d6243d9e69ce2242d76a2471c1b8d5c", "type": "github" }, "original": { @@ -615,11 +615,11 @@ ] }, "locked": { - "lastModified": 1763453666, - "narHash": "sha256-Hu8lDUlbMFvcYX30LBXX7Gq5FbU35bERH0pSX5qHf/Q=", + "lastModified": 1764612577, + "narHash": "sha256-sHI+7m/ryVYf7agWkutYbvzUS07aAd8g2NVWgUqhxLg=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "b843b551415c7aecc97c8b3ab3fff26fd0cd8bbf", + "rev": "bcb22e208cf8883004fcec3a33f2500e7dc319a5", "type": "github" }, "original": { 
@@ -634,11 +634,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1754828166, - "narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=", + "lastModified": 1764506612, + "narHash": "sha256-47a2OvGsq1AfffWQqKAGlB9GjmoVa1yXVyfZP3f3kog=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f01c8d121a3100230612be96e4ac668e15eafb77", + "rev": "f7208cc4a3200a2573fc566066ef4d3c041bc924", "type": "github" }, "original": { @@ -670,11 +670,11 @@ ] }, "locked": { - "lastModified": 1763136804, - "narHash": "sha256-6p2ljK42s0S8zS0UU59EsEqupz0GVCaBYRylpUadeBM=", + "lastModified": 1764161084, + "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "973db96394513fd90270ea5a1211a82a4a0ba47f", + "rev": "e95de00a471d07435e0527ff4db092c84998698e", "type": "github" }, "original": { @@ -712,11 +712,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1763171892, - "narHash": "sha256-6cg9zSiqKA89yJzVtYhBaBptqq6bX4pr4g7WLAHOD4Y=", + "lastModified": 1764556167, + "narHash": "sha256-/b+oEls56HDRzsSp60tsRfPFRjFebBPHq6k1I+hfPqw=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "316858c27d278b20e776cd4dd8f787812f587ba2", + "rev": "849d1b2b1adddfc7bddbd3be6bffd218a3f5a6fe", "type": "github" }, "original": { @@ -770,11 +770,11 @@ }, "nixos-facter-modules": { "locked": { - "lastModified": 1762264948, - "narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=", + "lastModified": 1764252389, + "narHash": "sha256-3bbuneTKZBkYXlm0bE36kUjiDsasoIC1GWBw/UEJ9T4=", "owner": "nix-community", "repo": "nixos-facter-modules", - "rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96", + "rev": "5ea68886d95218646d11d3551a476d458df00778", "type": "github" }, "original": { 
@@ -791,11 +791,11 @@ ] }, "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", + "lastModified": 1764234087, + "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", + "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", "type": "github" }, "original": { @@ -812,11 +812,11 @@ ] }, "locked": { - "lastModified": 1763537456, - "narHash": "sha256-/WRqcqeE9C+mxxWgI7jy5blMrvg2lHFSlTFjC8pRWos=", + "lastModified": 1764591717, + "narHash": "sha256-T/HMA0Bb/O6UnlGQ0Xt+wGe1j8m7eyyQ5+vVcCJslsM=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "cd9eb5225fc91eb67629966844d2ff371824abb1", + "rev": "84d1dab290feb4865d0cfcffc7aa0cf9bc65c3b7", "type": "github" }, "original": { @@ -827,11 +827,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761828793, - "narHash": "sha256-xjdPwMD4wVuDD85U+3KST62VzFkJueI6oBwIzpzUHLY=", + "lastModified": 1764255304, + "narHash": "sha256-oQPux8afXmkbb88ceRtz1lgSGqL9auOgdYnBSqpVgSA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "843859a08e114403f44aaf5b996b44c38094aa46", + "rev": "6e86c955fc372d12face4a9c0d932a6e0f7bff4d", "type": "github" }, "original": { @@ -843,11 +843,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1764465291, + "narHash": "sha256-jJ/E4B9Hp7U2ZmT3E0tD1LtAfATw/xjVf8sueNyeYmc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "e9537535ae8f4a2f78dbef0aaa0cbb6af4abd047", "type": "github" }, "original": { 
@@ -858,11 +858,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1763469780, - "narHash": "sha256-IW67Db/wBNQwJ5e0fF9Yk4SmdivMcecrUVDs7QJoC/s=", + "lastModified": 1764547213, + "narHash": "sha256-pGXM6frMKLRJmeMcQ228O1QQBuNEUjzmWx9uBd+CbXM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a70b03ca5dc9d46294740f165abdef9f9bea5632", + "rev": "64de27c1c985895c1a9f92aaeaab4e6a4c0960f5", "type": "github" }, "original": { @@ -890,11 +890,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1763547551, - "narHash": "sha256-YOdXVAqEGmrPUgs71r8ziuu9qqpn3jJEiIxsIls+VQA=", + "lastModified": 1764618760, + "narHash": "sha256-QTUgygkdUq4sq7mXoO2Q2IPpvkKOZtTAJkbTaTjMi0A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "06aa4d5f488875b6af46e10b45b8000ed0906860", + "rev": "29a7d6eec7e1177020f62f7599e5021317219c37", "type": "github" }, "original": { @@ -922,11 +922,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1763421233, - "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", + "lastModified": 1764517877, + "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", + "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", "type": "github" }, "original": { @@ -954,11 +954,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1763191728, - "narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=", + "lastModified": 1764445028, + "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c", + "rev": "a09378c0108815dbf3961a0e085936f4146ec415", "type": "github" }, "original": { 
@@ -1041,11 +1041,11 @@ ] }, "locked": { - "lastModified": 1762784320, - "narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=", + "lastModified": 1763909441, + "narHash": "sha256-56LwV51TX/FhgX+5LCG6akQ5KrOWuKgcJa+eUsRMxsc=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "7911a0f8a44c7e8b29d031be3149ee8943144321", + "rev": "b24ed4b272256dfc1cc2291f89a9821d5f9e14b4", "type": "github" }, "original": { @@ -1082,11 +1082,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1762860488, - "narHash": "sha256-rMfWMCOo/pPefM2We0iMBLi2kLBAnYoB9thi4qS7uk4=", + "lastModified": 1764525349, + "narHash": "sha256-vR3vU9AwzMsBvjNeeG2inA5W/2MwseFk5NIIrLFEMHk=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "2efc80078029894eec0699f62ec8d5c1a56af763", + "rev": "d646b23f000d099d845f999c2c1e05b15d9cdc78", "type": "github" }, "original": { @@ -1147,11 +1147,11 @@ ] }, "locked": { - "lastModified": 1763264763, - "narHash": "sha256-N0BEoJIlJ+M6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY=", + "lastModified": 1764483358, + "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "882e56c8293e44d57d882b800a82f8b2ee7a858f", + "rev": "5aca6ff67264321d47856a2ed183729271107c9c", "type": "github" }, "original": { @@ -1165,11 +1165,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1763509310, - "narHash": "sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI=", + "lastModified": 1764483358, + "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e", + "rev": "5aca6ff67264321d47856a2ed183729271107c9c", "type": "github" }, "original": { 
@@ -1197,11 +1197,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1763497248, - "narHash": "sha256-OGP6MYc+lVkLVQOTS6ORszDcCnZm7kDOGpFBdDoLd0k=", + "lastModified": 1764550443, + "narHash": "sha256-ArO2V1YEHmEILilTj4KPtqF4gqc1q2HBrrrmygQ/UyU=", "owner": "nix-community", "repo": "stylix", - "rev": "f19ac46f6aa26188b2020ed40066a5b832be9c53", + "rev": "794b6e1fa75177ebfeb32967f135858a1ab1ba15", "type": "github" }, "original": { @@ -1462,11 +1462,11 @@ ] }, "locked": { - "lastModified": 1763521945, - "narHash": "sha256-Zcrafbe4niRJMbzaVOwg7+iedJhwBFttre2DpyCC6qA=", + "lastModified": 1764598958, + "narHash": "sha256-sJQHRL8trBoG/ArR+mUlyp5cyKU0pgQY+qDQzZGnVgM=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "24d7381b9231c23daceec5d372cc28e877f7785d", + "rev": "8cded25e10b13e2999241f1c73a7d4e5e5d6f69e", "type": "github" }, "original": { From cb1401fe47ee100837deab80890149320b1864ac Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sat, 6 Dec 2025 17:40:46 +0100 Subject: [PATCH 201/251] feat: start implementation of package for mydia --- flake.lock | 128 ++++- flake.nix | 5 + modules/home/application/steam/default.nix | 2 +- .../home/application/teamspeak/default.nix | 2 +- .../nixos/services/media/servarr/default.nix | 2 +- packages/mydia/bun.lock | 99 ++++ packages/mydia/bun.nix | 148 +++++ packages/mydia/default.nix | 170 ++++++ packages/mydia/package-lock.json | 543 ++++++++++++++++++ packages/mydia/package.json | 37 ++ shells/default/default.nix | 5 +- 11 files changed, 1119 insertions(+), 22 deletions(-) create mode 100644 packages/mydia/bun.lock create mode 100644 packages/mydia/bun.nix create mode 100644 packages/mydia/default.nix create mode 100644 packages/mydia/package-lock.json create mode 100644 packages/mydia/package.json diff --git a/flake.lock b/flake.lock index 3f5967e..d121781 100644 --- a/flake.lock +++ b/flake.lock 
@@ -68,11 +68,35 @@ "type": "github" } }, + "bun2nix": { + "inputs": { + "flake-parts": "flake-parts", + "import-tree": "import-tree", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1763731225, + "narHash": "sha256-YxPBXh8/ZSH6sqDpc4kstfv+9QR6vIb0mB2n5oJGPy8=", + "owner": "baileyluTCD", + "repo": "bun2nix", + "rev": "21f2aed3b1f1d4af93df1a6d34cb3e3f703ac6f9", + "type": "github" + }, + "original": { + "owner": "baileyluTCD", + "repo": "bun2nix", + "type": "github" + } + }, "clan-core": { "inputs": { "data-mesher": "data-mesher", "disko": "disko", - "flake-parts": "flake-parts", + "flake-parts": "flake-parts_2", "nix-darwin": "nix-darwin", "nix-select": "nix-select", "nixos-facter-modules": "nixos-facter-modules", @@ -80,8 +104,8 @@ "nixpkgs" ], "sops-nix": "sops-nix", - "systems": "systems", - "treefmt-nix": "treefmt-nix" + "systems": "systems_2", + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1764601856, @@ -299,6 +323,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1762980239, + "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "clan-core", @@ -319,7 +361,7 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -340,7 +382,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -361,7 +403,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "terranix", 
@@ -384,7 +426,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -421,7 +463,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -439,7 +481,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1731533236, @@ -457,7 +499,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_6" + "systems": "systems_7" }, "locked": { "lastModified": 1694529238, @@ -607,6 +649,21 @@ "type": "github" } }, + "import-tree": { + "locked": { + "lastModified": 1763695721, + "narHash": "sha256-tMfN/JkwWJ129cXDW+lK2gUcjklJ+LpTHj9LlneJRXg=", + "owner": "vic", + "repo": "import-tree", + "rev": "ca69d64711265c68cf71f6c029ab9f1a55a767f8", + "type": "github" + }, + "original": { + "owner": "vic", + "repo": "import-tree", + "type": "github" + } + }, "jovian": { "inputs": { "nix-github-actions": "nix-github-actions", @@ -631,7 +688,7 @@ "lib-aggregate": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs-lib": "nixpkgs-lib" + "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { "lastModified": 1764506612, @@ -1012,10 +1069,10 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "mnw": "mnw", "nixpkgs": "nixpkgs_7", - "systems": "systems_5" + "systems": "systems_6" }, "locked": { "lastModified": 1762622004, @@ -1056,6 +1113,7 @@ }, "root": { "inputs": { + "bun2nix": "bun2nix", "clan-core": "clan-core", "erosanix": "erosanix", "fenix": "fenix", 
@@ -1185,11 +1243,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_7", + "systems": "systems_8", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -1330,13 +1388,28 @@ "type": "github" } }, + "systems_9": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_8" + "systems": "systems_9" }, "locked": { "lastModified": 1762472226, @@ -1434,6 +1507,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "bun2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762938485, + "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "clan-core", diff --git a/flake.nix b/flake.nix index d7a7508..ce29d92 100644 --- a/flake.nix +++ b/flake.nix @@ -88,6 +88,11 @@ url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; + + bun2nix = { + url = "github:baileyluTCD/bun2nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { 
diff --git a/modules/home/application/steam/default.nix b/modules/home/application/steam/default.nix index 4e62c41..8c87b40 100644 --- a/modules/home/application/steam/default.nix +++ b/modules/home/application/steam/default.nix @@ -10,7 +10,7 @@ in }; config = mkIf cfg.enable { - home.packages = with pkgs; [ protonup ]; + home.packages = with pkgs; [ protonup-ng ]; home.sessionVariables = { STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; diff --git a/modules/home/application/teamspeak/default.nix b/modules/home/application/teamspeak/default.nix index e15bd96..d234e9a 100644 --- a/modules/home/application/teamspeak/default.nix +++ b/modules/home/application/teamspeak/default.nix @@ -10,6 +10,6 @@ in }; config = mkIf cfg.enable { - home.packages = with pkgs; [ teamspeak_client ]; + home.packages = with pkgs; [ teamspeak3 teamspeak6-client ]; }; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index 097a36b..c67e52d 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -59,7 +59,7 @@ in })) |> lib.mergeAttrsList |> (set: set // { - postgres = { + postgresql = { ensureDatabases = cfg |> lib.attrNames; ensureUsers = cfg |> lib.attrNames |> lib.map (service: { name = service; diff --git a/packages/mydia/bun.lock b/packages/mydia/bun.lock new file mode 100644 index 0000000..94ef66d --- /dev/null +++ b/packages/mydia/bun.lock 
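Review bot: In the servarr hunk the renamed `postgresql` set is still attached with `set // { … }` to the result of `lib.mergeAttrsList`, and the list being merged consists of `mkIf enable { … }` values built earlier in the file, outside this hunk. As far as I can tell `mkIf` returns a `{ _type = "if"; condition; content; }` record, so a shallow merge keeps only the last service's record and puts `postgresql` beside `content`, where the module system would ignore it. Combining the definitions with `lib.mkMerge` instead, e.g. `|> (defs: lib.mkMerge (defs ++ [ { postgresql = { … }; } ]))`, lets every enabled service and the database setup take effect. The same `mergeAttrsList` over `mkIf` pattern is used for `systemd`, `users.users` and `sops` in this module.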
@@ -0,0 +1,99 @@ +{ + "lockfileVersion": 1, + "workspaces": { + "": { + "name": "mydia-assets", + "dependencies": { + "alpinejs": "^3.15.1", + "hls.js": "^1.5.15", + "phoenix": "file:../deps/phoenix", + "phoenix_html": "file:../deps/phoenix_html", + "phoenix_live_view": "file:../deps/phoenix_live_view", + }, + "devDependencies": { + "@catppuccin/daisyui": "^2.1.1", + "@playwright/test": "^1.56.1", + "@tailwindcss/forms": "^0.5.7", + "@types/node": "^24.10.1", + "autoprefixer": "^10.4.16", + "daisyui": "^5.4.3", + "postcss": "^8.4.32", + "tailwindcss": "^4.0.0", + "typescript": "^5.9.3", + }, + }, + }, + "packages": { + "@catppuccin/daisyui": ["@catppuccin/daisyui@2.1.1", "", { "dependencies": { "@catppuccin/palette": "^1.7.1" }, "peerDependencies": { "tailwindcss": "^4.0.17" } }, "sha512-PrZttjj8kwfDBJ34sR+DN25Xtjvxx4T5p8uu/iiGYZR8UOsNwzMlO/alYDBwwTOLzP1NKLNRax09kCT39+QM+A=="], + + "@catppuccin/palette": ["@catppuccin/palette@1.7.1", "", {}, "sha512-aRc1tbzrevOTV7nFTT9SRdF26w/MIwT4Jwt4fDMc9itRZUDXCuEDBLyz4TQMlqO9ZP8mf5Hu4Jr6D03NLFc6Gw=="], + + "@playwright/test": ["@playwright/test@1.56.1", "", { "dependencies": { "playwright": "1.56.1" }, "bin": { "playwright": "cli.js" } }, "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg=="], + + "@tailwindcss/forms": ["@tailwindcss/forms@0.5.10", "", { "dependencies": { "mini-svg-data-uri": "^1.2.3" }, "peerDependencies": { "tailwindcss": ">=3.0.0 || >= 3.0.0-alpha.1 || >= 4.0.0-alpha.20 || >= 4.0.0-beta.1" } }, "sha512-utI1ONF6uf/pPNO68kmN1b8rEwNXv3czukalo8VtJH8ksIkZXr3Q3VYudZLkCsDd4Wku120uF02hYK25XGPorw=="], + + "@types/node": ["@types/node@24.10.1", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ=="], + + "@vue/reactivity": ["@vue/reactivity@3.1.5", "", { "dependencies": { "@vue/shared": "3.1.5" } }, 
"sha512-1tdfLmNjWG6t/CsPldh+foumYFo3cpyCHgBYQ34ylaMsJ+SNHQ1kApMIa8jN+i593zQuaw3AdWH0nJTARzCFhg=="], + + "@vue/shared": ["@vue/shared@3.1.5", "", {}, "sha512-oJ4F3TnvpXaQwZJNF3ZK+kLPHKarDmJjJ6jyzVNDKH9md1dptjC7lWR//jrGuLdek/U6iltWxqAnYOu8gCiOvA=="], + + "alpinejs": ["alpinejs@3.15.1", "", { "dependencies": { "@vue/reactivity": "~3.1.1" } }, "sha512-HLO1TtiE92VajFHtLLPK8BWaK1YepV/uj31UrfoGnQ00lyFOJZ+oVY3F0DghPAwvg8sLU79pmjGQSytERa2gEg=="], + + "autoprefixer": ["autoprefixer@10.4.21", "", { "dependencies": { "browserslist": "^4.24.4", "caniuse-lite": "^1.0.30001702", "fraction.js": "^4.3.7", "normalize-range": "^0.1.2", "picocolors": "^1.1.1", "postcss-value-parser": "^4.2.0" }, "peerDependencies": { "postcss": "^8.1.0" }, "bin": "bin/autoprefixer" }, "sha512-O+A6LWV5LDHSJD3LjHYoNi4VLsj/Whi7k6zG12xTYaU4cQ8oxQGckXNX8cRHK5yOZ/ppVHe0ZBXGzSV9jXdVbQ=="], + + "baseline-browser-mapping": ["baseline-browser-mapping@2.8.23", "", { "bin": "dist/cli.js" }, "sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ=="], + + "browserslist": ["browserslist@4.27.0", "", { "dependencies": { "baseline-browser-mapping": "^2.8.19", "caniuse-lite": "^1.0.30001751", "electron-to-chromium": "^1.5.238", "node-releases": "^2.0.26", "update-browserslist-db": "^1.1.4" }, "bin": "cli.js" }, "sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw=="], + + "caniuse-lite": ["caniuse-lite@1.0.30001753", "", {}, "sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw=="], + + "daisyui": ["daisyui@5.4.3", "", {}, "sha512-dfDCJnN4utErGoWfElgdEE252FtfHV9Mxj5Dq1+JzUq3nVkluWdF3JYykP0Xy/y/yArnPXYztO1tLNCow3kjmg=="], + + "electron-to-chromium": ["electron-to-chromium@1.5.244", "", {}, "sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw=="], + + "escalade": ["escalade@3.2.0", "", {}, 
"sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="], + + "fraction.js": ["fraction.js@4.3.7", "", {}, "sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew=="], + + "fsevents": ["fsevents@2.3.2", "", { "os": "darwin" }, "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA=="], + + "hls.js": ["hls.js@1.6.14", "", {}, "sha512-CSpT2aXsv71HST8C5ETeVo+6YybqCpHBiYrCRQSn3U5QUZuLTSsvtq/bj+zuvjLVADeKxoebzo16OkH8m1+65Q=="], + + "mini-svg-data-uri": ["mini-svg-data-uri@1.4.4", "", { "bin": "cli.js" }, "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg=="], + + "nanoid": ["nanoid@3.3.11", "", { "bin": "bin/nanoid.cjs" }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="], + + "node-releases": ["node-releases@2.0.27", "", {}, "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="], + + "normalize-range": ["normalize-range@0.1.2", "", {}, "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA=="], + + "phoenix": ["/phoenix@file:../deps/phoenix", {}], + + "phoenix_html": ["/phoenix_html@file:../deps/phoenix_html", {}], + + "phoenix_live_view": ["/phoenix_live_view@file:../deps/phoenix_live_view", { "devDependencies": { "@playwright/test": "^1.56.1", "phoenix": "1.7.21", "typescript": "^5.8.3" } }], + + "picocolors": ["picocolors@1.1.1", "", {}, "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="], + + "playwright": ["playwright@1.56.1", "", { "dependencies": { "playwright-core": "1.56.1" }, "optionalDependencies": { "fsevents": "2.3.2" }, "bin": "cli.js" }, "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw=="], + + "playwright-core": ["playwright-core@1.56.1", "", { "bin": "cli.js" }, 
"sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ=="], + + "postcss": ["postcss@8.5.6", "", { "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" } }, "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg=="], + + "postcss-value-parser": ["postcss-value-parser@4.2.0", "", {}, "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ=="], + + "source-map-js": ["source-map-js@1.2.1", "", {}, "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA=="], + + "tailwindcss": ["tailwindcss@4.1.16", "", {}, "sha512-pONL5awpaQX4LN5eiv7moSiSPd/DLDzKVRJz8Q9PgzmAdd1R4307GQS2ZpfiN7ZmekdQrfhZZiSE5jkLR4WNaA=="], + + "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="], + + "undici-types": ["undici-types@7.16.0", "", {}, "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="], + + "update-browserslist-db": ["update-browserslist-db@1.1.4", "", { "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" }, "peerDependencies": { "browserslist": ">= 4.21.0" }, "bin": "cli.js" }, "sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A=="], + + "phoenix_live_view/phoenix": ["/phoenix@file:../deps/phoenix", {}], + } +} diff --git a/packages/mydia/bun.nix b/packages/mydia/bun.nix new file mode 100644 index 0000000..95a45a5 --- /dev/null +++ b/packages/mydia/bun.nix 
@@ -0,0 +1,148 @@ +# Autogenerated by `bun2nix`, editing manually is not recommended +# +# Set of Bun packages to install +# +# Consume this with `fetchBunDeps` (recommended) +# or `pkgs.callPackage` if you wish to handle +# it manually. +{ + copyPathToStore, + fetchFromGitHub, + fetchgit, + fetchurl, + ... +}: +{ + "@catppuccin/daisyui@2.1.1" = fetchurl { + url = "https://registry.npmjs.org/@catppuccin/daisyui/-/daisyui-2.1.1.tgz"; + hash = "sha512-PrZttjj8kwfDBJ34sR+DN25Xtjvxx4T5p8uu/iiGYZR8UOsNwzMlO/alYDBwwTOLzP1NKLNRax09kCT39+QM+A=="; + }; + "@catppuccin/palette@1.7.1" = fetchurl { + url = "https://registry.npmjs.org/@catppuccin/palette/-/palette-1.7.1.tgz"; + hash = "sha512-aRc1tbzrevOTV7nFTT9SRdF26w/MIwT4Jwt4fDMc9itRZUDXCuEDBLyz4TQMlqO9ZP8mf5Hu4Jr6D03NLFc6Gw=="; + }; + "@playwright/test@1.56.1" = fetchurl { + url = "https://registry.npmjs.org/@playwright/test/-/test-1.56.1.tgz"; + hash = "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg=="; + }; + "@tailwindcss/forms@0.5.10" = fetchurl { + url = "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.10.tgz"; + hash = "sha512-utI1ONF6uf/pPNO68kmN1b8rEwNXv3czukalo8VtJH8ksIkZXr3Q3VYudZLkCsDd4Wku120uF02hYK25XGPorw=="; + }; + "@types/node@24.10.1" = fetchurl { + url = "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz"; + hash = "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ=="; + }; + "@vue/reactivity@3.1.5" = fetchurl { + url = "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.1.5.tgz"; + hash = "sha512-1tdfLmNjWG6t/CsPldh+foumYFo3cpyCHgBYQ34ylaMsJ+SNHQ1kApMIa8jN+i593zQuaw3AdWH0nJTARzCFhg=="; + }; + "@vue/shared@3.1.5" = fetchurl { + url = "https://registry.npmjs.org/@vue/shared/-/shared-3.1.5.tgz"; + hash = "sha512-oJ4F3TnvpXaQwZJNF3ZK+kLPHKarDmJjJ6jyzVNDKH9md1dptjC7lWR//jrGuLdek/U6iltWxqAnYOu8gCiOvA=="; + }; + "alpinejs@3.15.1" = fetchurl { + url = 
"https://registry.npmjs.org/alpinejs/-/alpinejs-3.15.1.tgz"; + hash = "sha512-HLO1TtiE92VajFHtLLPK8BWaK1YepV/uj31UrfoGnQ00lyFOJZ+oVY3F0DghPAwvg8sLU79pmjGQSytERa2gEg=="; + }; + "autoprefixer@10.4.21" = fetchurl { + url = "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.21.tgz"; + hash = "sha512-O+A6LWV5LDHSJD3LjHYoNi4VLsj/Whi7k6zG12xTYaU4cQ8oxQGckXNX8cRHK5yOZ/ppVHe0ZBXGzSV9jXdVbQ=="; + }; + "baseline-browser-mapping@2.8.23" = fetchurl { + url = "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.23.tgz"; + hash = "sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ=="; + }; + "browserslist@4.27.0" = fetchurl { + url = "https://registry.npmjs.org/browserslist/-/browserslist-4.27.0.tgz"; + hash = "sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw=="; + }; + "caniuse-lite@1.0.30001753" = fetchurl { + url = "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001753.tgz"; + hash = "sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw=="; + }; + "daisyui@5.4.3" = fetchurl { + url = "https://registry.npmjs.org/daisyui/-/daisyui-5.4.3.tgz"; + hash = "sha512-dfDCJnN4utErGoWfElgdEE252FtfHV9Mxj5Dq1+JzUq3nVkluWdF3JYykP0Xy/y/yArnPXYztO1tLNCow3kjmg=="; + }; + "electron-to-chromium@1.5.244" = fetchurl { + url = "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.244.tgz"; + hash = "sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw=="; + }; + "escalade@3.2.0" = fetchurl { + url = "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz"; + hash = "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="; + }; + "fraction.js@4.3.7" = fetchurl { + url = "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.7.tgz"; + hash = 
"sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew=="; + }; + "fsevents@2.3.2" = fetchurl { + url = "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz"; + hash = "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA=="; + }; + "hls.js@1.6.14" = fetchurl { + url = "https://registry.npmjs.org/hls.js/-/hls.js-1.6.14.tgz"; + hash = "sha512-CSpT2aXsv71HST8C5ETeVo+6YybqCpHBiYrCRQSn3U5QUZuLTSsvtq/bj+zuvjLVADeKxoebzo16OkH8m1+65Q=="; + }; + "mini-svg-data-uri@1.4.4" = fetchurl { + url = "https://registry.npmjs.org/mini-svg-data-uri/-/mini-svg-data-uri-1.4.4.tgz"; + hash = "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg=="; + }; + "nanoid@3.3.11" = fetchurl { + url = "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz"; + hash = "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="; + }; + "node-releases@2.0.27" = fetchurl { + url = "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz"; + hash = "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="; + }; + "normalize-range@0.1.2" = fetchurl { + url = "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz"; + hash = "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA=="; + }; + "phoenix" = "/nix/store/phoenix"; #copyPathToStore "./file:../deps/phoenix"; + "phoenix_html" = "/nix/store/phoenix_html"; #copyPathToStore "./file:../deps/phoenix_html"; + "phoenix_live_view" = "/nix/store/phoenix_live_view"; #copyPathToStore "./file:../deps/phoenix_live_view"; + "phoenix_live_view/phoenix" = "/nix/store/phoenix_live_view__phoenix"; #copyPathToStore "./file:../deps/phoenix"; + "picocolors@1.1.1" = fetchurl { + url = "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz"; + hash = 
"sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="; + }; + "playwright-core@1.56.1" = fetchurl { + url = "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz"; + hash = "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ=="; + }; + "playwright@1.56.1" = fetchurl { + url = "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz"; + hash = "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw=="; + }; + "postcss-value-parser@4.2.0" = fetchurl { + url = "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz"; + hash = "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ=="; + }; + "postcss@8.5.6" = fetchurl { + url = "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz"; + hash = "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg=="; + }; + "source-map-js@1.2.1" = fetchurl { + url = "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz"; + hash = "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA=="; + }; + "tailwindcss@4.1.16" = fetchurl { + url = "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.16.tgz"; + hash = "sha512-pONL5awpaQX4LN5eiv7moSiSPd/DLDzKVRJz8Q9PgzmAdd1R4307GQS2ZpfiN7ZmekdQrfhZZiSE5jkLR4WNaA=="; + }; + "typescript@5.9.3" = fetchurl { + url = "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz"; + hash = "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="; + }; + "undici-types@7.16.0" = fetchurl { + url = "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz"; + hash = "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="; + }; + "update-browserslist-db@1.1.4" = fetchurl { + url = 
"https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.4.tgz"; + hash = "sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A=="; + }; +} \ No newline at end of file diff --git a/packages/mydia/default.nix b/packages/mydia/default.nix new file mode 100644 index 0000000..57fdd4c --- /dev/null +++ b/packages/mydia/default.nix 
@@ -0,0 +1,170 @@
+{ lib, inputs, fetchFromGitHub, pkgs, stdenv, ... }:
+let
+ erl = pkgs.beam.interpreters.erlang_28;
+ erlangPackages = pkgs.beam.packagesWith erl;
+
+ elixir = erlangPackages.elixir;
+ mix = "${elixir}/bin/mix";
+ rebar = erlangPackages.rebar;
+ hex = erlangPackages.hex;
+
+ bun = pkgs.bun;
+ bun2nix = inputs.bun2nix.packages.${stdenv.hostPlatform.system}.default;
+
+ translatedPlatform =
+ {
+ aarch64-darwin = "macos-arm64";
+ aarch64-linux = "linux-arm64";
+ armv7l-linux = "linux-armv7";
+ x86_64-darwin = "macos-x64";
+ x86_64-linux = "linux-x64";
+ }
+ .${stdenv.hostPlatform.system};
+
+ version = "v0.6.0";
+ pname = "mydia";
+ src = fetchFromGitHub {
+ owner = "getmydia";
+ repo = "mydia";
+ rev = version;
+ hash = "sha256-JGT52ulnqcx8o+3e0l50TLAwLIWXEI8nwFGUsA95vH0=";
+ };
+ mixFodDeps = erlangPackages.fetchMixDeps {
+ inherit version src;
+ pname = "${pname}-mix-deps";
+ hash = "sha256-19q56IZe8YjuUBXirFGgmBsewJ0cmdOoO1yfiMaWGWk=";
+ };
+ bunDeps = bun2nix.fetchBunDeps {
+ bunNix = ./bun.nix;
+ overrides = {
+ "phoenix" = pkg: pkgs.runCommandLocal "override-phoenix" {} ''
+ mkdir $out
+ echo "je moeder!" > $out/kaas.txt
+ '';
+ "phoenix_html" = pkg: pkgs.runCommandLocal "override-phoenix_html" {} ''
+ mkdir $out
+ echo "je moeder!" > $out/kaas.txt
+ '';
+ "phoenix_live_view" = pkg: pkgs.runCommandLocal "override-phoenix_live_view" {} ''
+ mkdir $out
+ echo "je moeder!" > $out/kaas.txt
+ '';
+ "phoenix_live_view/phoenix" = pkg: pkgs.runCommandLocal "override-phoenix_live_view__phoenix" {} ''
+ mkdir $out
+ echo "je moeder!" > $out/kaas.txt
+ '';
+ };
+ };
+in
+erlangPackages.mixRelease {
+ inherit pname version src mixFodDeps bunDeps;
+
+ nativeBuildInputs = with pkgs; [ ffmpeg_7-headless pkg-config bun2nix.hook ];
+
+ dontUseBunPatch = true;
+ dontUseBunBuild = true;
+
+ preInstall = ''
+ ln -s ${pkgs.tailwindcss}/bin/tailwind _build/tailwind-${translatedPlatform}
+ ln -s ${pkgs.esbuild}/bin/esbuild _build/esbuild-${translatedPlatform}
+ ln -s ${bunDeps}/node_modules assets/node_modules
+
+ ${mix} assets.deploy
+ '';
+
+ # nativeBuildInputs = with pkgs; [
+ # elixir
+ # rebar
+ # hex
+ # git
+ # bun
+ # postgresql
+ # curl
+ # ffmpeg_7-headless
+ # fdk_aac
+ # pkg-config
+ # ];
+
+ # buildPhase = ''
+ # runHook preBuild
+
+ # # Prepare environment
+ # DATABASE_TYPE="postgres"
+
+ # # I don't think this is needed, but lets copy the dockerfile for now
+ # mkdir -p ./app
+ # cp mix.exs ./app
+ # cp mix.lock ./app
+ # cd ./app
+
+ # # Install dependencies
+ # ${mix} deps.get --only prod && ${mix} deps.compile
+ # pwd
+ # ls -al
+
+ # # Copy source
+ # echo "Copy source"
+ # cp -r ../config ./config
+ # cp -r ../priv ./priv
+ # cp -r ../lib ./lib
+ # cp -r ../assets ./assets
+
+ # # Compile app
+ # echo "Compile app"
+ # ${mix} compile
+
+ # # Build assets
+ # echo "Build assets"
+ # $(cd ./assets && bun i --silent --production --frozen-lockfile)
+ # ${mix} assets.deploy
+
+ # # Build executabe
+ # echo "Build executabe"
+ # ${mix} release
+
+ # bun run build --bun
+
+ # runHook postBuild
+ # '';
+
+ # installPhase = ''
+ # runHook preInstall
+
+ # mkdir -p $out
+ # cp -r ./.output/* $out
+
+ # makeWrapper ${lib.getExe pkgs.bun} $out/bin/${pname} \
+ # --chdir $out \
+ # --append-flags "server/index.mjs"
+
+ # runHook postInstall
+ # '';
+
+ meta = {
+ description = "Your personal media companion, built with Phoenix LiveView";
+ longDescription = ''
+ A modern, self-hosted media management platform for tracking, organizing, and monitoring your media library.
+
+ # ✨ Features
+
+ - 📺 Unified Media Management – Track both movies and TV shows with rich metadata from TMDB/TVDB
+ - 🤖 Automated Downloads – Background search and download with quality profiles and smart release ranking
+ - ⬇️ Download Clients – qBittorrent, Transmission, SABnzbd, and NZBGet support
+ - 🔎 Indexer Integration – Search via Prowlarr and Jackett for finding releases
+ - 📚 Built-in Indexer Library – Native Cardigann support (experimental, limited testing)
+ - 👥 Multi-User System – Built-in admin/guest roles with request approval workflow
+ - 🔐 SSO Support – Local authentication plus OIDC/OpenID Connect integration
+ - 🔔 Release Calendar – Track upcoming releases and monitor episodes
+ - 🎨 Modern Real-Time UI – Phoenix LiveView with instant updates and responsive design
+ '';
+
+ homepage = "https://github.com/getmydia/mydia";
+ changelog = "https://github.com/getmydia/mydia/releases";
+ license = lib.licenses.agpl3Only;
+
+ maintainers = [];
+
+ platforms = lib.platforms.all;
+ mainProgram = pname;
+ };
+}
\ No newline at end of file
diff --git a/packages/mydia/package-lock.json b/packages/mydia/package-lock.json
new file mode 100644
index 0000000..ad53f59
--- /dev/null
+++ b/packages/mydia/package-lock.json
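Review bot: The four `overrides` in `bunDeps` (packages/mydia/default.nix) replace `phoenix`, `phoenix_html`, `phoenix_live_view` and `phoenix_live_view/phoenix` with a derivation holding only a `kaas.txt` placeholder, so the `assets/node_modules` linked in `preInstall` contains no Phoenix client code when `mix assets.deploy` runs. The matching entries in `bun.nix` appear to have been hand-edited to literal `/nix/store/phoenix…` strings, which are not real store paths and carry no hash, so nothing pins what these four packages resolve to. The `file:../deps/*` sources are already fetched under the `mixFodDeps` hash, so the overrides can copy them from there, as sketched below; this assumes the `fetchMixDeps` output is the deps directory and that bun2nix accepts a directory derivation, as the current stubs suggest. Separately, `${pkgs.tailwindcss}/bin/tailwind` looks like it should be `bin/tailwindcss`, so verify that the symlink target exists.

```nix
  bunDeps = bun2nix.fetchBunDeps {
    bunNix = ./bun.nix;
    # The file:../deps/* packages ship with the Hex deps, which mixFodDeps already pins by hash.
    overrides =
      lib.genAttrs [ "phoenix" "phoenix_html" "phoenix_live_view" ] (
        name: _pkg:
        pkgs.runCommandLocal "override-${name}" { } ''
          cp -r ${mixFodDeps}/${name} $out
        ''
      )
      // {
        "phoenix_live_view/phoenix" =
          _pkg:
          pkgs.runCommandLocal "override-phoenix_live_view__phoenix" { } ''
            cp -r ${mixFodDeps}/phoenix $out
          '';
      };
  };
  # … unchanged: mixRelease call, preInstall, meta …
```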
@@ -0,0 +1,543 @@ +{ + "name": "mydia-assets", + "version": "0.1.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "mydia-assets", + "version": "0.1.0", + "license": "MIT", + "dependencies": { + "alpinejs": "^3.15.1", + "hls.js": "^1.5.15", + "phoenix": "file:../deps/phoenix", + "phoenix_html": "file:../deps/phoenix_html", + "phoenix_live_view": "file:../deps/phoenix_live_view" + }, + "devDependencies": { + "@catppuccin/daisyui": "^2.1.1", + "@playwright/test": "^1.56.1", + "@tailwindcss/forms": "^0.5.7", + "@types/node": "^24.10.1", + "autoprefixer": "^10.4.16", + "daisyui": "^5.4.3", + "postcss": "^8.4.32", + "tailwindcss": "^4.0.0", + "typescript": "^5.9.3" + } + }, + "../deps/phoenix": { + "version": "1.8.1", + "license": "MIT", + "devDependencies": { + "@babel/cli": "7.28.3", + "@babel/core": "7.28.3", + "@babel/preset-env": "7.28.3", + "@eslint/js": "^9.28.0", + "@stylistic/eslint-plugin": "^5.0.0", + "documentation": "^14.0.3", + "eslint": "9.34.0", + "eslint-plugin-jest": "29.0.1", + "jest": "^30.0.0", + "jest-environment-jsdom": "^30.0.0", + "jsdom": "^26.1.0", + "mock-socket": "^9.3.1" + } + }, + "../deps/phoenix_html": { + "version": "4.3.0" + }, + "../deps/phoenix_live_view": { + "version": "1.1.16", + "license": "MIT", + "dependencies": { + "morphdom": "2.7.7" + }, + "devDependencies": { + "@babel/cli": "7.27.2", + "@babel/core": "7.27.4", + "@babel/preset-env": "7.27.2", + "@babel/preset-typescript": "^7.27.1", + "@eslint/js": "^9.29.0", + "@playwright/test": "^1.56.1", + "@types/jest": "^30.0.0", + "@types/phoenix": "^1.6.6", + "css.escape": "^1.5.1", + "eslint": "9.29.0", + "eslint-plugin-jest": "28.14.0", + "eslint-plugin-playwright": "^2.2.0", + "globals": "^16.2.0", + "jest": "^30.0.0", + "jest-environment-jsdom": "^30.0.0", + "jest-monocart-coverage": "^1.1.1", + "monocart-reporter": "^2.9.21", + "phoenix": "1.7.21", + "prettier": "3.5.3", + "ts-jest": "^29.4.0", + "typescript": "^5.8.3", + "typescript-eslint": 
"^8.34.0" + } + }, + "node_modules/@catppuccin/daisyui": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@catppuccin/daisyui/-/daisyui-2.1.1.tgz", + "integrity": "sha512-PrZttjj8kwfDBJ34sR+DN25Xtjvxx4T5p8uu/iiGYZR8UOsNwzMlO/alYDBwwTOLzP1NKLNRax09kCT39+QM+A==", + "dev": true, + "license": "MIT", + "dependencies": { + "@catppuccin/palette": "^1.7.1" + }, + "peerDependencies": { + "tailwindcss": "^4.0.17" + } + }, + "node_modules/@catppuccin/palette": { + "version": "1.7.1", + "resolved": "https://registry.npmjs.org/@catppuccin/palette/-/palette-1.7.1.tgz", + "integrity": "sha512-aRc1tbzrevOTV7nFTT9SRdF26w/MIwT4Jwt4fDMc9itRZUDXCuEDBLyz4TQMlqO9ZP8mf5Hu4Jr6D03NLFc6Gw==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/catppuccin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/catppuccin" + } + ], + "license": "MIT" + }, + "node_modules/@playwright/test": { + "version": "1.56.1", + "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.56.1.tgz", + "integrity": "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "playwright": "1.56.1" + }, + "bin": { + "playwright": "cli.js" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/@tailwindcss/forms": { + "version": "0.5.10", + "resolved": "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.10.tgz", + "integrity": "sha512-utI1ONF6uf/pPNO68kmN1b8rEwNXv3czukalo8VtJH8ksIkZXr3Q3VYudZLkCsDd4Wku120uF02hYK25XGPorw==", + "dev": true, + "license": "MIT", + "dependencies": { + "mini-svg-data-uri": "^1.2.3" + }, + "peerDependencies": { + "tailwindcss": ">=3.0.0 || >= 3.0.0-alpha.1 || >= 4.0.0-alpha.20 || >= 4.0.0-beta.1" + } + }, + "node_modules/@types/node": { + "version": "24.10.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz", + "integrity": 
"sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~7.16.0" + } + }, + "node_modules/@vue/reactivity": { + "version": "3.1.5", + "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.1.5.tgz", + "integrity": "sha512-1tdfLmNjWG6t/CsPldh+foumYFo3cpyCHgBYQ34ylaMsJ+SNHQ1kApMIa8jN+i593zQuaw3AdWH0nJTARzCFhg==", + "license": "MIT", + "dependencies": { + "@vue/shared": "3.1.5" + } + }, + "node_modules/@vue/shared": { + "version": "3.1.5", + "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.1.5.tgz", + "integrity": "sha512-oJ4F3TnvpXaQwZJNF3ZK+kLPHKarDmJjJ6jyzVNDKH9md1dptjC7lWR//jrGuLdek/U6iltWxqAnYOu8gCiOvA==", + "license": "MIT" + }, + "node_modules/alpinejs": { + "version": "3.15.1", + "resolved": "https://registry.npmjs.org/alpinejs/-/alpinejs-3.15.1.tgz", + "integrity": "sha512-HLO1TtiE92VajFHtLLPK8BWaK1YepV/uj31UrfoGnQ00lyFOJZ+oVY3F0DghPAwvg8sLU79pmjGQSytERa2gEg==", + "license": "MIT", + "dependencies": { + "@vue/reactivity": "~3.1.1" + } + }, + "node_modules/autoprefixer": { + "version": "10.4.21", + "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.21.tgz", + "integrity": "sha512-O+A6LWV5LDHSJD3LjHYoNi4VLsj/Whi7k6zG12xTYaU4cQ8oxQGckXNX8cRHK5yOZ/ppVHe0ZBXGzSV9jXdVbQ==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/autoprefixer" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "browserslist": "^4.24.4", + "caniuse-lite": "^1.0.30001702", + "fraction.js": "^4.3.7", + "normalize-range": "^0.1.2", + "picocolors": "^1.1.1", + "postcss-value-parser": "^4.2.0" + }, + "bin": { + "autoprefixer": "bin/autoprefixer" + }, + "engines": { + "node": "^10 || ^12 || >=14" + }, + "peerDependencies": 
{ + "postcss": "^8.1.0" + } + }, + "node_modules/baseline-browser-mapping": { + "version": "2.8.23", + "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.23.tgz", + "integrity": "sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "baseline-browser-mapping": "dist/cli.js" + } + }, + "node_modules/browserslist": { + "version": "4.27.0", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.27.0.tgz", + "integrity": "sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/browserslist" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "baseline-browser-mapping": "^2.8.19", + "caniuse-lite": "^1.0.30001751", + "electron-to-chromium": "^1.5.238", + "node-releases": "^2.0.26", + "update-browserslist-db": "^1.1.4" + }, + "bin": { + "browserslist": "cli.js" + }, + "engines": { + "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7" + } + }, + "node_modules/caniuse-lite": { + "version": "1.0.30001753", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001753.tgz", + "integrity": "sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/caniuse-lite" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "CC-BY-4.0" + }, + "node_modules/daisyui": { + "version": "5.4.3", + "resolved": 
"https://registry.npmjs.org/daisyui/-/daisyui-5.4.3.tgz", + "integrity": "sha512-dfDCJnN4utErGoWfElgdEE252FtfHV9Mxj5Dq1+JzUq3nVkluWdF3JYykP0Xy/y/yArnPXYztO1tLNCow3kjmg==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/saadeghi/daisyui?sponsor=1" + } + }, + "node_modules/electron-to-chromium": { + "version": "1.5.244", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.244.tgz", + "integrity": "sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw==", + "dev": true, + "license": "ISC" + }, + "node_modules/escalade": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", + "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/fraction.js": { + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.7.tgz", + "integrity": "sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==", + "dev": true, + "license": "MIT", + "engines": { + "node": "*" + }, + "funding": { + "type": "patreon", + "url": "https://github.com/sponsors/rawify" + } + }, + "node_modules/fsevents": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", + "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/hls.js": { + "version": "1.6.14", + "resolved": "https://registry.npmjs.org/hls.js/-/hls.js-1.6.14.tgz", + "integrity": "sha512-CSpT2aXsv71HST8C5ETeVo+6YybqCpHBiYrCRQSn3U5QUZuLTSsvtq/bj+zuvjLVADeKxoebzo16OkH8m1+65Q==", + "license": 
"Apache-2.0" + }, + "node_modules/mini-svg-data-uri": { + "version": "1.4.4", + "resolved": "https://registry.npmjs.org/mini-svg-data-uri/-/mini-svg-data-uri-1.4.4.tgz", + "integrity": "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg==", + "dev": true, + "license": "MIT", + "bin": { + "mini-svg-data-uri": "cli.js" + } + }, + "node_modules/nanoid": { + "version": "3.3.11", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz", + "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "bin": { + "nanoid": "bin/nanoid.cjs" + }, + "engines": { + "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1" + } + }, + "node_modules/node-releases": { + "version": "2.0.27", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz", + "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==", + "dev": true, + "license": "MIT" + }, + "node_modules/normalize-range": { + "version": "0.1.2", + "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz", + "integrity": "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/phoenix": { + "resolved": "../deps/phoenix", + "link": true + }, + "node_modules/phoenix_html": { + "resolved": "../deps/phoenix_html", + "link": true + }, + "node_modules/phoenix_live_view": { + "resolved": "../deps/phoenix_live_view", + "link": true + }, + "node_modules/picocolors": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": 
"sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", + "dev": true, + "license": "ISC" + }, + "node_modules/playwright": { + "version": "1.56.1", + "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz", + "integrity": "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw==", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "playwright-core": "1.56.1" + }, + "bin": { + "playwright": "cli.js" + }, + "engines": { + "node": ">=18" + }, + "optionalDependencies": { + "fsevents": "2.3.2" + } + }, + "node_modules/playwright-core": { + "version": "1.56.1", + "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz", + "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "playwright-core": "cli.js" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/postcss": { + "version": "8.5.6", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz", + "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/postcss" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "nanoid": "^3.3.11", + "picocolors": "^1.1.1", + "source-map-js": "^1.2.1" + }, + "engines": { + "node": "^10 || ^12 || >=14" + } + }, + "node_modules/postcss-value-parser": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz", + "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==", + "dev": true, + 
"license": "MIT" + }, + "node_modules/source-map-js": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz", + "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==", + "dev": true, + "license": "BSD-3-Clause", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/tailwindcss": { + "version": "4.1.16", + "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.16.tgz", + "integrity": "sha512-pONL5awpaQX4LN5eiv7moSiSPd/DLDzKVRJz8Q9PgzmAdd1R4307GQS2ZpfiN7ZmekdQrfhZZiSE5jkLR4WNaA==", + "dev": true, + "license": "MIT" + }, + "node_modules/typescript": { + "version": "5.9.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici-types": { + "version": "7.16.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz", + "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==", + "dev": true, + "license": "MIT" + }, + "node_modules/update-browserslist-db": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.4.tgz", + "integrity": "sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/browserslist" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "escalade": "^3.2.0", + "picocolors": "^1.1.1" 
+ }, + "bin": { + "update-browserslist-db": "cli.js" + }, + "peerDependencies": { + "browserslist": ">= 4.21.0" + } + } + } +} diff --git a/packages/mydia/package.json b/packages/mydia/package.json new file mode 100644 index 0000000..165a236 --- /dev/null +++ b/packages/mydia/package.json @@ -0,0 +1,37 @@ +{ + "name": "mydia-assets", + "version": "0.1.0", + "description": "Mydia - Modern Media Management Platform", + "repository": {}, + "license": "MIT", + "scripts": { + "deploy": "cd .. && mix assets.deploy && rm -f _build/esbuild*", + "screenshots": "node screenshots.js", + "populate-media": "node populate-media.js", + "test:e2e": "playwright test", + "test:e2e:ui": "playwright test --ui", + "test:e2e:debug": "playwright test --debug", + "test:e2e:headed": "playwright test --headed", + "test:e2e:chromium": "playwright test --project=chromium", + "test:e2e:firefox": "playwright test --project=firefox", + "test:e2e:webkit": "playwright test --project=webkit" + }, + "dependencies": { + "alpinejs": "^3.15.1", + "hls.js": "^1.5.15", + "phoenix": "file:../deps/phoenix", + "phoenix_html": "file:../deps/phoenix_html", + "phoenix_live_view": "file:../deps/phoenix_live_view" + }, + "devDependencies": { + "@catppuccin/daisyui": "^2.1.1", + "@playwright/test": "^1.56.1", + "@tailwindcss/forms": "^0.5.7", + "@types/node": "^24.10.1", + "autoprefixer": "^10.4.16", + "daisyui": "^5.4.3", + "postcss": "^8.4.32", + "tailwindcss": "^4.0.0", + "typescript": "^5.9.3" + } +} diff --git a/shells/default/default.nix b/shells/default/default.nix index 1749c48..248cefd 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -1,4 +1,4 @@ -{ mkShell, inputs, pkgs, ... }: +{ mkShell, inputs, pkgs, stdenv, ... }: mkShell { packages = with pkgs; [ 
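Review bot: The new `packages/mydia/package.json` hunk declares no `"private": true`, so an `npm publish` run from this directory would push `mydia-assets` to the public registry under an unscoped name, with `file:../deps/...` dependencies that only resolve inside this checkout. Adding `"private": true,` directly after the `"name"` line makes npm refuse to publish. The empty `"repository": {}` carries no information and could be dropped or filled in. Because the manifest uses caret ranges (`"hls.js": "^1.5.15"` resolves to 1.6.14 in the lockfile added alongside it), builds should install from the committed lockfile, for example with `npm ci`, so that the pinned versions and their `integrity` hashes are what is actually enforced.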
@@ -7,6 +7,7 @@ mkShell { just yq pwgen - inputs.clan-core.packages.x86_64-linux.clan-cli + inputs.clan-core.packages.${stdenv.hostPlatform.system}.clan-cli + inputs.bun2nix.packages.${stdenv.hostPlatform.system}.default ]; } \ No newline at end of file From 78ed7d2a0a8790207b3075191fd328bded1e4bf3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sat, 6 Dec 2025 17:41:36 +0100 Subject: [PATCH 202/251] feat: remove bun2nix this is not the route I ended up going for, so I removed the dependency again --- flake.lock | 128 +------- flake.nix | 5 - packages/mydia/bun.lock | 99 ------ packages/mydia/bun.nix | 148 --------- packages/mydia/package-lock.json | 543 ------------------------------- packages/mydia/package.json | 37 --- shells/default/default.nix | 1 - 7 files changed, 17 insertions(+), 944 deletions(-) delete mode 100644 packages/mydia/bun.lock delete mode 100644 packages/mydia/bun.nix delete mode 100644 packages/mydia/package-lock.json delete mode 100644 packages/mydia/package.json diff --git a/flake.lock b/flake.lock index d121781..3f5967e 100644 --- a/flake.lock +++ b/flake.lock @@ -68,35 +68,11 @@ "type": "github" } }, - "bun2nix": { - "inputs": { - "flake-parts": "flake-parts", - "import-tree": "import-tree", - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1763731225, - "narHash": "sha256-YxPBXh8/ZSH6sqDpc4kstfv+9QR6vIb0mB2n5oJGPy8=", - "owner": "baileyluTCD", - "repo": "bun2nix", - "rev": "21f2aed3b1f1d4af93df1a6d34cb3e3f703ac6f9", - "type": "github" - }, - "original": { - "owner": "baileyluTCD", - "repo": "bun2nix", - "type": "github" - } - }, "clan-core": { "inputs": { "data-mesher": "data-mesher", "disko": "disko", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts", "nix-darwin": "nix-darwin", "nix-select": "nix-select", "nixos-facter-modules": "nixos-facter-modules", 
@@ -104,8 +80,8 @@ "nixpkgs" ], "sops-nix": "sops-nix", - "systems": "systems_2", - "treefmt-nix": "treefmt-nix_2" + "systems": "systems", + "treefmt-nix": "treefmt-nix" }, "locked": { "lastModified": 1764601856, @@ -323,24 +299,6 @@ } }, "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1762980239, - "narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "52a2caecc898d0b46b2b905f058ccc5081f842da", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "clan-core", @@ -361,7 +319,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -382,7 +340,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -403,7 +361,7 @@ "type": "github" } }, - "flake-parts_5": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "terranix", @@ -426,7 +384,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -463,7 +421,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -481,7 +439,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_5" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -499,7 +457,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_7" + "systems": "systems_6" }, "locked": { "lastModified": 1694529238, 
@@ -649,21 +607,6 @@ "type": "github" } }, - "import-tree": { - "locked": { - "lastModified": 1763695721, - "narHash": "sha256-tMfN/JkwWJ129cXDW+lK2gUcjklJ+LpTHj9LlneJRXg=", - "owner": "vic", - "repo": "import-tree", - "rev": "ca69d64711265c68cf71f6c029ab9f1a55a767f8", - "type": "github" - }, - "original": { - "owner": "vic", - "repo": "import-tree", - "type": "github" - } - }, "jovian": { "inputs": { "nix-github-actions": "nix-github-actions", @@ -688,7 +631,7 @@ "lib-aggregate": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs-lib": "nixpkgs-lib_2" + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { "lastModified": 1764506612, @@ -1069,10 +1012,10 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_2", "mnw": "mnw", "nixpkgs": "nixpkgs_7", - "systems": "systems_6" + "systems": "systems_5" }, "locked": { "lastModified": 1762622004, @@ -1113,7 +1056,6 @@ }, "root": { "inputs": { - "bun2nix": "bun2nix", "clan-core": "clan-core", "erosanix": "erosanix", "fenix": "fenix", @@ -1243,11 +1185,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_3", "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_8", + "systems": "systems_7", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", 
@@ -1388,28 +1330,13 @@ "type": "github" } }, - "systems_9": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "terranix": { "inputs": { - "flake-parts": "flake-parts_5", + "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_9" + "systems": "systems_8" }, "locked": { "lastModified": 1762472226, @@ -1507,27 +1434,6 @@ } }, "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "bun2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1762938485, - "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_2": { "inputs": { "nixpkgs": [ "clan-core", diff --git a/flake.nix b/flake.nix index ce29d92..d7a7508 100644 --- a/flake.nix +++ b/flake.nix @@ -88,11 +88,6 @@ url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; - - bun2nix = { - url = "github:baileyluTCD/bun2nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { diff --git a/packages/mydia/bun.lock b/packages/mydia/bun.lock deleted file mode 100644 index 94ef66d..0000000 --- a/packages/mydia/bun.lock +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "lockfileVersion": 1, - "workspaces": { - "": { - "name": "mydia-assets", - "dependencies": { - "alpinejs": "^3.15.1", - "hls.js": "^1.5.15", - "phoenix": "file:../deps/phoenix", - "phoenix_html": "file:../deps/phoenix_html", - "phoenix_live_view": "file:../deps/phoenix_live_view", - }, - "devDependencies": { - "@catppuccin/daisyui": "^2.1.1", - "@playwright/test": "^1.56.1", - "@tailwindcss/forms": "^0.5.7", - "@types/node": "^24.10.1", - "autoprefixer": "^10.4.16", - "daisyui": "^5.4.3", - "postcss": "^8.4.32", - "tailwindcss": "^4.0.0", - "typescript": "^5.9.3", - }, - }, - }, - "packages": { - "@catppuccin/daisyui": ["@catppuccin/daisyui@2.1.1", "", { "dependencies": { "@catppuccin/palette": "^1.7.1" }, "peerDependencies": { "tailwindcss": "^4.0.17" } }, "sha512-PrZttjj8kwfDBJ34sR+DN25Xtjvxx4T5p8uu/iiGYZR8UOsNwzMlO/alYDBwwTOLzP1NKLNRax09kCT39+QM+A=="], - - "@catppuccin/palette": ["@catppuccin/palette@1.7.1", "", {}, "sha512-aRc1tbzrevOTV7nFTT9SRdF26w/MIwT4Jwt4fDMc9itRZUDXCuEDBLyz4TQMlqO9ZP8mf5Hu4Jr6D03NLFc6Gw=="], - - "@playwright/test": ["@playwright/test@1.56.1", "", { "dependencies": { "playwright": "1.56.1" }, "bin": { "playwright": "cli.js" } }, "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg=="], - - "@tailwindcss/forms": ["@tailwindcss/forms@0.5.10", "", { "dependencies": { "mini-svg-data-uri": "^1.2.3" }, "peerDependencies": { "tailwindcss": ">=3.0.0 || >= 3.0.0-alpha.1 || >= 4.0.0-alpha.20 || >= 4.0.0-beta.1" } }, "sha512-utI1ONF6uf/pPNO68kmN1b8rEwNXv3czukalo8VtJH8ksIkZXr3Q3VYudZLkCsDd4Wku120uF02hYK25XGPorw=="], - - "@types/node": ["@types/node@24.10.1", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ=="], - - "@vue/reactivity": ["@vue/reactivity@3.1.5", "", { "dependencies": { "@vue/shared": "3.1.5" } }, 
"sha512-1tdfLmNjWG6t/CsPldh+foumYFo3cpyCHgBYQ34ylaMsJ+SNHQ1kApMIa8jN+i593zQuaw3AdWH0nJTARzCFhg=="], - - "@vue/shared": ["@vue/shared@3.1.5", "", {}, "sha512-oJ4F3TnvpXaQwZJNF3ZK+kLPHKarDmJjJ6jyzVNDKH9md1dptjC7lWR//jrGuLdek/U6iltWxqAnYOu8gCiOvA=="], - - "alpinejs": ["alpinejs@3.15.1", "", { "dependencies": { "@vue/reactivity": "~3.1.1" } }, "sha512-HLO1TtiE92VajFHtLLPK8BWaK1YepV/uj31UrfoGnQ00lyFOJZ+oVY3F0DghPAwvg8sLU79pmjGQSytERa2gEg=="], - - "autoprefixer": ["autoprefixer@10.4.21", "", { "dependencies": { "browserslist": "^4.24.4", "caniuse-lite": "^1.0.30001702", "fraction.js": "^4.3.7", "normalize-range": "^0.1.2", "picocolors": "^1.1.1", "postcss-value-parser": "^4.2.0" }, "peerDependencies": { "postcss": "^8.1.0" }, "bin": "bin/autoprefixer" }, "sha512-O+A6LWV5LDHSJD3LjHYoNi4VLsj/Whi7k6zG12xTYaU4cQ8oxQGckXNX8cRHK5yOZ/ppVHe0ZBXGzSV9jXdVbQ=="], - - "baseline-browser-mapping": ["baseline-browser-mapping@2.8.23", "", { "bin": "dist/cli.js" }, "sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ=="], - - "browserslist": ["browserslist@4.27.0", "", { "dependencies": { "baseline-browser-mapping": "^2.8.19", "caniuse-lite": "^1.0.30001751", "electron-to-chromium": "^1.5.238", "node-releases": "^2.0.26", "update-browserslist-db": "^1.1.4" }, "bin": "cli.js" }, "sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw=="], - - "caniuse-lite": ["caniuse-lite@1.0.30001753", "", {}, "sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw=="], - - "daisyui": ["daisyui@5.4.3", "", {}, "sha512-dfDCJnN4utErGoWfElgdEE252FtfHV9Mxj5Dq1+JzUq3nVkluWdF3JYykP0Xy/y/yArnPXYztO1tLNCow3kjmg=="], - - "electron-to-chromium": ["electron-to-chromium@1.5.244", "", {}, "sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw=="], - - "escalade": ["escalade@3.2.0", "", {}, 
"sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="], - - "fraction.js": ["fraction.js@4.3.7", "", {}, "sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew=="], - - "fsevents": ["fsevents@2.3.2", "", { "os": "darwin" }, "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA=="], - - "hls.js": ["hls.js@1.6.14", "", {}, "sha512-CSpT2aXsv71HST8C5ETeVo+6YybqCpHBiYrCRQSn3U5QUZuLTSsvtq/bj+zuvjLVADeKxoebzo16OkH8m1+65Q=="], - - "mini-svg-data-uri": ["mini-svg-data-uri@1.4.4", "", { "bin": "cli.js" }, "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg=="], - - "nanoid": ["nanoid@3.3.11", "", { "bin": "bin/nanoid.cjs" }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="], - - "node-releases": ["node-releases@2.0.27", "", {}, "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="], - - "normalize-range": ["normalize-range@0.1.2", "", {}, "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA=="], - - "phoenix": ["/phoenix@file:../deps/phoenix", {}], - - "phoenix_html": ["/phoenix_html@file:../deps/phoenix_html", {}], - - "phoenix_live_view": ["/phoenix_live_view@file:../deps/phoenix_live_view", { "devDependencies": { "@playwright/test": "^1.56.1", "phoenix": "1.7.21", "typescript": "^5.8.3" } }], - - "picocolors": ["picocolors@1.1.1", "", {}, "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="], - - "playwright": ["playwright@1.56.1", "", { "dependencies": { "playwright-core": "1.56.1" }, "optionalDependencies": { "fsevents": "2.3.2" }, "bin": "cli.js" }, "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw=="], - - "playwright-core": ["playwright-core@1.56.1", "", { "bin": "cli.js" }, 
"sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ=="], - - "postcss": ["postcss@8.5.6", "", { "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", "source-map-js": "^1.2.1" } }, "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg=="], - - "postcss-value-parser": ["postcss-value-parser@4.2.0", "", {}, "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ=="], - - "source-map-js": ["source-map-js@1.2.1", "", {}, "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA=="], - - "tailwindcss": ["tailwindcss@4.1.16", "", {}, "sha512-pONL5awpaQX4LN5eiv7moSiSPd/DLDzKVRJz8Q9PgzmAdd1R4307GQS2ZpfiN7ZmekdQrfhZZiSE5jkLR4WNaA=="], - - "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="], - - "undici-types": ["undici-types@7.16.0", "", {}, "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="], - - "update-browserslist-db": ["update-browserslist-db@1.1.4", "", { "dependencies": { "escalade": "^3.2.0", "picocolors": "^1.1.1" }, "peerDependencies": { "browserslist": ">= 4.21.0" }, "bin": "cli.js" }, "sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A=="], - - "phoenix_live_view/phoenix": ["/phoenix@file:../deps/phoenix", {}], - } -} diff --git a/packages/mydia/bun.nix b/packages/mydia/bun.nix deleted file mode 100644 index 95a45a5..0000000 --- a/packages/mydia/bun.nix +++ /dev/null 
@@ -1,148 +0,0 @@ -# Autogenerated by `bun2nix`, editing manually is not recommended -# -# Set of Bun packages to install -# -# Consume this with `fetchBunDeps` (recommended) -# or `pkgs.callPackage` if you wish to handle -# it manually. -{ - copyPathToStore, - fetchFromGitHub, - fetchgit, - fetchurl, - ... -}: -{ - "@catppuccin/daisyui@2.1.1" = fetchurl { - url = "https://registry.npmjs.org/@catppuccin/daisyui/-/daisyui-2.1.1.tgz"; - hash = "sha512-PrZttjj8kwfDBJ34sR+DN25Xtjvxx4T5p8uu/iiGYZR8UOsNwzMlO/alYDBwwTOLzP1NKLNRax09kCT39+QM+A=="; - }; - "@catppuccin/palette@1.7.1" = fetchurl { - url = "https://registry.npmjs.org/@catppuccin/palette/-/palette-1.7.1.tgz"; - hash = "sha512-aRc1tbzrevOTV7nFTT9SRdF26w/MIwT4Jwt4fDMc9itRZUDXCuEDBLyz4TQMlqO9ZP8mf5Hu4Jr6D03NLFc6Gw=="; - }; - "@playwright/test@1.56.1" = fetchurl { - url = "https://registry.npmjs.org/@playwright/test/-/test-1.56.1.tgz"; - hash = "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg=="; - }; - "@tailwindcss/forms@0.5.10" = fetchurl { - url = "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.10.tgz"; - hash = "sha512-utI1ONF6uf/pPNO68kmN1b8rEwNXv3czukalo8VtJH8ksIkZXr3Q3VYudZLkCsDd4Wku120uF02hYK25XGPorw=="; - }; - "@types/node@24.10.1" = fetchurl { - url = "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz"; - hash = "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ=="; - }; - "@vue/reactivity@3.1.5" = fetchurl { - url = "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.1.5.tgz"; - hash = "sha512-1tdfLmNjWG6t/CsPldh+foumYFo3cpyCHgBYQ34ylaMsJ+SNHQ1kApMIa8jN+i593zQuaw3AdWH0nJTARzCFhg=="; - }; - "@vue/shared@3.1.5" = fetchurl { - url = "https://registry.npmjs.org/@vue/shared/-/shared-3.1.5.tgz"; - hash = "sha512-oJ4F3TnvpXaQwZJNF3ZK+kLPHKarDmJjJ6jyzVNDKH9md1dptjC7lWR//jrGuLdek/U6iltWxqAnYOu8gCiOvA=="; - }; - "alpinejs@3.15.1" = fetchurl { - url = 
"https://registry.npmjs.org/alpinejs/-/alpinejs-3.15.1.tgz"; - hash = "sha512-HLO1TtiE92VajFHtLLPK8BWaK1YepV/uj31UrfoGnQ00lyFOJZ+oVY3F0DghPAwvg8sLU79pmjGQSytERa2gEg=="; - }; - "autoprefixer@10.4.21" = fetchurl { - url = "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.21.tgz"; - hash = "sha512-O+A6LWV5LDHSJD3LjHYoNi4VLsj/Whi7k6zG12xTYaU4cQ8oxQGckXNX8cRHK5yOZ/ppVHe0ZBXGzSV9jXdVbQ=="; - }; - "baseline-browser-mapping@2.8.23" = fetchurl { - url = "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.23.tgz"; - hash = "sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ=="; - }; - "browserslist@4.27.0" = fetchurl { - url = "https://registry.npmjs.org/browserslist/-/browserslist-4.27.0.tgz"; - hash = "sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw=="; - }; - "caniuse-lite@1.0.30001753" = fetchurl { - url = "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001753.tgz"; - hash = "sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw=="; - }; - "daisyui@5.4.3" = fetchurl { - url = "https://registry.npmjs.org/daisyui/-/daisyui-5.4.3.tgz"; - hash = "sha512-dfDCJnN4utErGoWfElgdEE252FtfHV9Mxj5Dq1+JzUq3nVkluWdF3JYykP0Xy/y/yArnPXYztO1tLNCow3kjmg=="; - }; - "electron-to-chromium@1.5.244" = fetchurl { - url = "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.244.tgz"; - hash = "sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw=="; - }; - "escalade@3.2.0" = fetchurl { - url = "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz"; - hash = "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA=="; - }; - "fraction.js@4.3.7" = fetchurl { - url = "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.7.tgz"; - hash = 
"sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew=="; - }; - "fsevents@2.3.2" = fetchurl { - url = "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz"; - hash = "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA=="; - }; - "hls.js@1.6.14" = fetchurl { - url = "https://registry.npmjs.org/hls.js/-/hls.js-1.6.14.tgz"; - hash = "sha512-CSpT2aXsv71HST8C5ETeVo+6YybqCpHBiYrCRQSn3U5QUZuLTSsvtq/bj+zuvjLVADeKxoebzo16OkH8m1+65Q=="; - }; - "mini-svg-data-uri@1.4.4" = fetchurl { - url = "https://registry.npmjs.org/mini-svg-data-uri/-/mini-svg-data-uri-1.4.4.tgz"; - hash = "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg=="; - }; - "nanoid@3.3.11" = fetchurl { - url = "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz"; - hash = "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="; - }; - "node-releases@2.0.27" = fetchurl { - url = "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz"; - hash = "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA=="; - }; - "normalize-range@0.1.2" = fetchurl { - url = "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz"; - hash = "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA=="; - }; - "phoenix" = "/nix/store/phoenix"; #copyPathToStore "./file:../deps/phoenix"; - "phoenix_html" = "/nix/store/phoenix_html"; #copyPathToStore "./file:../deps/phoenix_html"; - "phoenix_live_view" = "/nix/store/phoenix_live_view"; #copyPathToStore "./file:../deps/phoenix_live_view"; - "phoenix_live_view/phoenix" = "/nix/store/phoenix_live_view__phoenix"; #copyPathToStore "./file:../deps/phoenix"; - "picocolors@1.1.1" = fetchurl { - url = "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz"; - hash = 
"sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="; - }; - "playwright-core@1.56.1" = fetchurl { - url = "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz"; - hash = "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ=="; - }; - "playwright@1.56.1" = fetchurl { - url = "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz"; - hash = "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw=="; - }; - "postcss-value-parser@4.2.0" = fetchurl { - url = "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz"; - hash = "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ=="; - }; - "postcss@8.5.6" = fetchurl { - url = "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz"; - hash = "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg=="; - }; - "source-map-js@1.2.1" = fetchurl { - url = "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz"; - hash = "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA=="; - }; - "tailwindcss@4.1.16" = fetchurl { - url = "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.16.tgz"; - hash = "sha512-pONL5awpaQX4LN5eiv7moSiSPd/DLDzKVRJz8Q9PgzmAdd1R4307GQS2ZpfiN7ZmekdQrfhZZiSE5jkLR4WNaA=="; - }; - "typescript@5.9.3" = fetchurl { - url = "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz"; - hash = "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="; - }; - "undici-types@7.16.0" = fetchurl { - url = "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz"; - hash = "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="; - }; - "update-browserslist-db@1.1.4" = fetchurl { - url = 
"https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.4.tgz"; - hash = "sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A=="; - }; -} \ No newline at end of file diff --git a/packages/mydia/package-lock.json b/packages/mydia/package-lock.json deleted file mode 100644 index ad53f59..0000000 --- a/packages/mydia/package-lock.json +++ /dev/null 
@@ -1,543 +0,0 @@ -{ - "name": "mydia-assets", - "version": "0.1.0", - "lockfileVersion": 3, - "requires": true, - "packages": { - "": { - "name": "mydia-assets", - "version": "0.1.0", - "license": "MIT", - "dependencies": { - "alpinejs": "^3.15.1", - "hls.js": "^1.5.15", - "phoenix": "file:../deps/phoenix", - "phoenix_html": "file:../deps/phoenix_html", - "phoenix_live_view": "file:../deps/phoenix_live_view" - }, - "devDependencies": { - "@catppuccin/daisyui": "^2.1.1", - "@playwright/test": "^1.56.1", - "@tailwindcss/forms": "^0.5.7", - "@types/node": "^24.10.1", - "autoprefixer": "^10.4.16", - "daisyui": "^5.4.3", - "postcss": "^8.4.32", - "tailwindcss": "^4.0.0", - "typescript": "^5.9.3" - } - }, - "../deps/phoenix": { - "version": "1.8.1", - "license": "MIT", - "devDependencies": { - "@babel/cli": "7.28.3", - "@babel/core": "7.28.3", - "@babel/preset-env": "7.28.3", - "@eslint/js": "^9.28.0", - "@stylistic/eslint-plugin": "^5.0.0", - "documentation": "^14.0.3", - "eslint": "9.34.0", - "eslint-plugin-jest": "29.0.1", - "jest": "^30.0.0", - "jest-environment-jsdom": "^30.0.0", - "jsdom": "^26.1.0", - "mock-socket": "^9.3.1" - } - }, - "../deps/phoenix_html": { - "version": "4.3.0" - }, - "../deps/phoenix_live_view": { - "version": "1.1.16", - "license": "MIT", - "dependencies": { - "morphdom": "2.7.7" - }, - "devDependencies": { - "@babel/cli": "7.27.2", - "@babel/core": "7.27.4", - "@babel/preset-env": "7.27.2", - "@babel/preset-typescript": "^7.27.1", - "@eslint/js": "^9.29.0", - "@playwright/test": "^1.56.1", - "@types/jest": "^30.0.0", - "@types/phoenix": "^1.6.6", - "css.escape": "^1.5.1", - "eslint": "9.29.0", - "eslint-plugin-jest": "28.14.0", - "eslint-plugin-playwright": "^2.2.0", - "globals": "^16.2.0", - "jest": "^30.0.0", - "jest-environment-jsdom": "^30.0.0", - "jest-monocart-coverage": "^1.1.1", - "monocart-reporter": "^2.9.21", - "phoenix": "1.7.21", - "prettier": "3.5.3", - "ts-jest": "^29.4.0", - "typescript": "^5.8.3", - "typescript-eslint": 
"^8.34.0" - } - }, - "node_modules/@catppuccin/daisyui": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/@catppuccin/daisyui/-/daisyui-2.1.1.tgz", - "integrity": "sha512-PrZttjj8kwfDBJ34sR+DN25Xtjvxx4T5p8uu/iiGYZR8UOsNwzMlO/alYDBwwTOLzP1NKLNRax09kCT39+QM+A==", - "dev": true, - "license": "MIT", - "dependencies": { - "@catppuccin/palette": "^1.7.1" - }, - "peerDependencies": { - "tailwindcss": "^4.0.17" - } - }, - "node_modules/@catppuccin/palette": { - "version": "1.7.1", - "resolved": "https://registry.npmjs.org/@catppuccin/palette/-/palette-1.7.1.tgz", - "integrity": "sha512-aRc1tbzrevOTV7nFTT9SRdF26w/MIwT4Jwt4fDMc9itRZUDXCuEDBLyz4TQMlqO9ZP8mf5Hu4Jr6D03NLFc6Gw==", - "dev": true, - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/catppuccin" - }, - { - "type": "github", - "url": "https://github.com/sponsors/catppuccin" - } - ], - "license": "MIT" - }, - "node_modules/@playwright/test": { - "version": "1.56.1", - "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.56.1.tgz", - "integrity": "sha512-vSMYtL/zOcFpvJCW71Q/OEGQb7KYBPAdKh35WNSkaZA75JlAO8ED8UN6GUNTm3drWomcbcqRPFqQbLae8yBTdg==", - "dev": true, - "license": "Apache-2.0", - "dependencies": { - "playwright": "1.56.1" - }, - "bin": { - "playwright": "cli.js" - }, - "engines": { - "node": ">=18" - } - }, - "node_modules/@tailwindcss/forms": { - "version": "0.5.10", - "resolved": "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.10.tgz", - "integrity": "sha512-utI1ONF6uf/pPNO68kmN1b8rEwNXv3czukalo8VtJH8ksIkZXr3Q3VYudZLkCsDd4Wku120uF02hYK25XGPorw==", - "dev": true, - "license": "MIT", - "dependencies": { - "mini-svg-data-uri": "^1.2.3" - }, - "peerDependencies": { - "tailwindcss": ">=3.0.0 || >= 3.0.0-alpha.1 || >= 4.0.0-alpha.20 || >= 4.0.0-beta.1" - } - }, - "node_modules/@types/node": { - "version": "24.10.1", - "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz", - "integrity": 
"sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "undici-types": "~7.16.0" - } - }, - "node_modules/@vue/reactivity": { - "version": "3.1.5", - "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.1.5.tgz", - "integrity": "sha512-1tdfLmNjWG6t/CsPldh+foumYFo3cpyCHgBYQ34ylaMsJ+SNHQ1kApMIa8jN+i593zQuaw3AdWH0nJTARzCFhg==", - "license": "MIT", - "dependencies": { - "@vue/shared": "3.1.5" - } - }, - "node_modules/@vue/shared": { - "version": "3.1.5", - "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.1.5.tgz", - "integrity": "sha512-oJ4F3TnvpXaQwZJNF3ZK+kLPHKarDmJjJ6jyzVNDKH9md1dptjC7lWR//jrGuLdek/U6iltWxqAnYOu8gCiOvA==", - "license": "MIT" - }, - "node_modules/alpinejs": { - "version": "3.15.1", - "resolved": "https://registry.npmjs.org/alpinejs/-/alpinejs-3.15.1.tgz", - "integrity": "sha512-HLO1TtiE92VajFHtLLPK8BWaK1YepV/uj31UrfoGnQ00lyFOJZ+oVY3F0DghPAwvg8sLU79pmjGQSytERa2gEg==", - "license": "MIT", - "dependencies": { - "@vue/reactivity": "~3.1.1" - } - }, - "node_modules/autoprefixer": { - "version": "10.4.21", - "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.21.tgz", - "integrity": "sha512-O+A6LWV5LDHSJD3LjHYoNi4VLsj/Whi7k6zG12xTYaU4cQ8oxQGckXNX8cRHK5yOZ/ppVHe0ZBXGzSV9jXdVbQ==", - "dev": true, - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/postcss/" - }, - { - "type": "tidelift", - "url": "https://tidelift.com/funding/github/npm/autoprefixer" - }, - { - "type": "github", - "url": "https://github.com/sponsors/ai" - } - ], - "license": "MIT", - "dependencies": { - "browserslist": "^4.24.4", - "caniuse-lite": "^1.0.30001702", - "fraction.js": "^4.3.7", - "normalize-range": "^0.1.2", - "picocolors": "^1.1.1", - "postcss-value-parser": "^4.2.0" - }, - "bin": { - "autoprefixer": "bin/autoprefixer" - }, - "engines": { - "node": "^10 || ^12 || >=14" - }, - "peerDependencies": 
{ - "postcss": "^8.1.0" - } - }, - "node_modules/baseline-browser-mapping": { - "version": "2.8.23", - "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.23.tgz", - "integrity": "sha512-616V5YX4bepJFzNyOfce5Fa8fDJMfoxzOIzDCZwaGL8MKVpFrXqfNUoIpRn9YMI5pXf/VKgzjB4htFMsFKKdiQ==", - "dev": true, - "license": "Apache-2.0", - "bin": { - "baseline-browser-mapping": "dist/cli.js" - } - }, - "node_modules/browserslist": { - "version": "4.27.0", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.27.0.tgz", - "integrity": "sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw==", - "dev": true, - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/browserslist" - }, - { - "type": "tidelift", - "url": "https://tidelift.com/funding/github/npm/browserslist" - }, - { - "type": "github", - "url": "https://github.com/sponsors/ai" - } - ], - "license": "MIT", - "dependencies": { - "baseline-browser-mapping": "^2.8.19", - "caniuse-lite": "^1.0.30001751", - "electron-to-chromium": "^1.5.238", - "node-releases": "^2.0.26", - "update-browserslist-db": "^1.1.4" - }, - "bin": { - "browserslist": "cli.js" - }, - "engines": { - "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7" - } - }, - "node_modules/caniuse-lite": { - "version": "1.0.30001753", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001753.tgz", - "integrity": "sha512-Bj5H35MD/ebaOV4iDLqPEtiliTN29qkGtEHCwawWn4cYm+bPJM2NsaP30vtZcnERClMzp52J4+aw2UNbK4o+zw==", - "dev": true, - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/browserslist" - }, - { - "type": "tidelift", - "url": "https://tidelift.com/funding/github/npm/caniuse-lite" - }, - { - "type": "github", - "url": "https://github.com/sponsors/ai" - } - ], - "license": "CC-BY-4.0" - }, - "node_modules/daisyui": { - "version": "5.4.3", - "resolved": 
"https://registry.npmjs.org/daisyui/-/daisyui-5.4.3.tgz", - "integrity": "sha512-dfDCJnN4utErGoWfElgdEE252FtfHV9Mxj5Dq1+JzUq3nVkluWdF3JYykP0Xy/y/yArnPXYztO1tLNCow3kjmg==", - "dev": true, - "license": "MIT", - "funding": { - "url": "https://github.com/saadeghi/daisyui?sponsor=1" - } - }, - "node_modules/electron-to-chromium": { - "version": "1.5.244", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.244.tgz", - "integrity": "sha512-OszpBN7xZX4vWMPJwB9illkN/znA8M36GQqQxi6MNy9axWxhOfJyZZJtSLQCpEFLHP2xK33BiWx9aIuIEXVCcw==", - "dev": true, - "license": "ISC" - }, - "node_modules/escalade": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", - "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=6" - } - }, - "node_modules/fraction.js": { - "version": "4.3.7", - "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-4.3.7.tgz", - "integrity": "sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==", - "dev": true, - "license": "MIT", - "engines": { - "node": "*" - }, - "funding": { - "type": "patreon", - "url": "https://github.com/sponsors/rawify" - } - }, - "node_modules/fsevents": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", - "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", - "dev": true, - "hasInstallScript": true, - "license": "MIT", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": "^8.16.0 || ^10.6.0 || >=11.0.0" - } - }, - "node_modules/hls.js": { - "version": "1.6.14", - "resolved": "https://registry.npmjs.org/hls.js/-/hls.js-1.6.14.tgz", - "integrity": "sha512-CSpT2aXsv71HST8C5ETeVo+6YybqCpHBiYrCRQSn3U5QUZuLTSsvtq/bj+zuvjLVADeKxoebzo16OkH8m1+65Q==", - "license": 
"Apache-2.0" - }, - "node_modules/mini-svg-data-uri": { - "version": "1.4.4", - "resolved": "https://registry.npmjs.org/mini-svg-data-uri/-/mini-svg-data-uri-1.4.4.tgz", - "integrity": "sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg==", - "dev": true, - "license": "MIT", - "bin": { - "mini-svg-data-uri": "cli.js" - } - }, - "node_modules/nanoid": { - "version": "3.3.11", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz", - "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==", - "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/ai" - } - ], - "license": "MIT", - "bin": { - "nanoid": "bin/nanoid.cjs" - }, - "engines": { - "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1" - } - }, - "node_modules/node-releases": { - "version": "2.0.27", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz", - "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==", - "dev": true, - "license": "MIT" - }, - "node_modules/normalize-range": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/normalize-range/-/normalize-range-0.1.2.tgz", - "integrity": "sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA==", - "dev": true, - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/phoenix": { - "resolved": "../deps/phoenix", - "link": true - }, - "node_modules/phoenix_html": { - "resolved": "../deps/phoenix_html", - "link": true - }, - "node_modules/phoenix_live_view": { - "resolved": "../deps/phoenix_live_view", - "link": true - }, - "node_modules/picocolors": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", - "integrity": 
"sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", - "dev": true, - "license": "ISC" - }, - "node_modules/playwright": { - "version": "1.56.1", - "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.56.1.tgz", - "integrity": "sha512-aFi5B0WovBHTEvpM3DzXTUaeN6eN0qWnTkKx4NQaH4Wvcmc153PdaY2UBdSYKaGYw+UyWXSVyxDUg5DoPEttjw==", - "dev": true, - "license": "Apache-2.0", - "dependencies": { - "playwright-core": "1.56.1" - }, - "bin": { - "playwright": "cli.js" - }, - "engines": { - "node": ">=18" - }, - "optionalDependencies": { - "fsevents": "2.3.2" - } - }, - "node_modules/playwright-core": { - "version": "1.56.1", - "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz", - "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==", - "dev": true, - "license": "Apache-2.0", - "bin": { - "playwright-core": "cli.js" - }, - "engines": { - "node": ">=18" - } - }, - "node_modules/postcss": { - "version": "8.5.6", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz", - "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==", - "dev": true, - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/postcss/" - }, - { - "type": "tidelift", - "url": "https://tidelift.com/funding/github/npm/postcss" - }, - { - "type": "github", - "url": "https://github.com/sponsors/ai" - } - ], - "license": "MIT", - "dependencies": { - "nanoid": "^3.3.11", - "picocolors": "^1.1.1", - "source-map-js": "^1.2.1" - }, - "engines": { - "node": "^10 || ^12 || >=14" - } - }, - "node_modules/postcss-value-parser": { - "version": "4.2.0", - "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz", - "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==", - "dev": true, - 
"license": "MIT" - }, - "node_modules/source-map-js": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz", - "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==", - "dev": true, - "license": "BSD-3-Clause", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/tailwindcss": { - "version": "4.1.16", - "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.16.tgz", - "integrity": "sha512-pONL5awpaQX4LN5eiv7moSiSPd/DLDzKVRJz8Q9PgzmAdd1R4307GQS2ZpfiN7ZmekdQrfhZZiSE5jkLR4WNaA==", - "dev": true, - "license": "MIT" - }, - "node_modules/typescript": { - "version": "5.9.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", - "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", - "dev": true, - "license": "Apache-2.0", - "bin": { - "tsc": "bin/tsc", - "tsserver": "bin/tsserver" - }, - "engines": { - "node": ">=14.17" - } - }, - "node_modules/undici-types": { - "version": "7.16.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz", - "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==", - "dev": true, - "license": "MIT" - }, - "node_modules/update-browserslist-db": { - "version": "1.1.4", - "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.4.tgz", - "integrity": "sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A==", - "dev": true, - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/browserslist" - }, - { - "type": "tidelift", - "url": "https://tidelift.com/funding/github/npm/browserslist" - }, - { - "type": "github", - "url": "https://github.com/sponsors/ai" - } - ], - "license": "MIT", - "dependencies": { - "escalade": "^3.2.0", - "picocolors": "^1.1.1" 
- }, - "bin": { - "update-browserslist-db": "cli.js" - }, - "peerDependencies": { - "browserslist": ">= 4.21.0" - } - } - } -} diff --git a/packages/mydia/package.json b/packages/mydia/package.json deleted file mode 100644 index 165a236..0000000 --- a/packages/mydia/package.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "name": "mydia-assets", - "version": "0.1.0", - "description": "Mydia - Modern Media Management Platform", - "repository": {}, - "license": "MIT", - "scripts": { - "deploy": "cd .. && mix assets.deploy && rm -f _build/esbuild*", - "screenshots": "node screenshots.js", - "populate-media": "node populate-media.js", - "test:e2e": "playwright test", - "test:e2e:ui": "playwright test --ui", - "test:e2e:debug": "playwright test --debug", - "test:e2e:headed": "playwright test --headed", - "test:e2e:chromium": "playwright test --project=chromium", - "test:e2e:firefox": "playwright test --project=firefox", - "test:e2e:webkit": "playwright test --project=webkit" - }, - "dependencies": { - "alpinejs": "^3.15.1", - "hls.js": "^1.5.15", - "phoenix": "file:../deps/phoenix", - "phoenix_html": "file:../deps/phoenix_html", - "phoenix_live_view": "file:../deps/phoenix_live_view" - }, - "devDependencies": { - "@catppuccin/daisyui": "^2.1.1", - "@playwright/test": "^1.56.1", - "@tailwindcss/forms": "^0.5.7", - "@types/node": "^24.10.1", - "autoprefixer": "^10.4.16", - "daisyui": "^5.4.3", - "postcss": "^8.4.32", - "tailwindcss": "^4.0.0", - "typescript": "^5.9.3" - } -} diff --git a/shells/default/default.nix b/shells/default/default.nix index 248cefd..ffe74f1 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -8,6 +8,5 @@ mkShell { yq pwgen inputs.clan-core.packages.${stdenv.hostPlatform.system}.clan-cli - inputs.bun2nix.packages.${stdenv.hostPlatform.system}.default ]; } \ No newline at end of file From 93ad4f17f3c46a325148ae6890d79a89150c761a Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Wed, 26 Nov 2025 16:35:52 +0100 Subject: [PATCH 203/251] still complaining about missing ffmpeg.... --- packages/mydia/default.nix | 110 +++++-------------------------------- 1 file changed, 15 insertions(+), 95 deletions(-) diff --git a/packages/mydia/default.nix b/packages/mydia/default.nix index 57fdd4c..73f4cc9 100644 --- a/packages/mydia/default.nix +++ b/packages/mydia/default.nix 
@@ -31,115 +31,35 @@ let }; mixFodDeps = erlangPackages.fetchMixDeps { inherit version src; - pname = "${pname}-mix-deps"; + pname = "mix-deps-${pname}"; hash = "sha256-19q56IZe8YjuUBXirFGgmBsewJ0cmdOoO1yfiMaWGWk="; }; - bunDeps = bun2nix.fetchBunDeps { - bunNix = ./bun.nix; - overrides = { - "phoenix" = pkg: pkgs.runCommandLocal "override-phoenix" {} '' - mkdir $out - echo "je moeder!" > $out/kaas.txt - ''; - "phoenix_html" = pkg: pkgs.runCommandLocal "override-phoenix_html" {} '' - mkdir $out - echo "je moeder!" > $out/kaas.txt - ''; - "phoenix_live_view" = pkg: pkgs.runCommandLocal "override-phoenix_live_view" {} '' - mkdir $out - echo "je moeder!" > $out/kaas.txt - ''; - "phoenix_live_view/phoenix" = pkg: pkgs.runCommandLocal "override-phoenix_live_view__phoenix" {} '' - mkdir $out - echo "je moeder!" > $out/kaas.txt - ''; - }; + npmFodDeps= pkgs.fetchNpmDeps { + src = "${src}/assets"; + hash = "sha256-0cz75pxhxvzo1RogsV8gTP6GrgLIboWQXcKpq42JZ6o="; }; in erlangPackages.mixRelease { - inherit pname version src mixFodDeps bunDeps; + inherit pname version src mixFodDeps; - nativeBuildInputs = with pkgs; [ ffmpeg_7-headless pkg-config bun2nix.hook ]; - - dontUseBunPatch = true; - dontUseBunBuild = true; + nativeBuildInputs = with pkgs; [ + # ffmpeg_7 + # pkg-config + # tailwindcss + ]; + buildInputs = with pkgs; [ + ffmpeg_7 + pkg-config + ]; preInstall = '' ln -s ${pkgs.tailwindcss}/bin/tailwind _build/tailwind-${translatedPlatform} ln -s ${pkgs.esbuild}/bin/esbuild _build/esbuild-${translatedPlatform} - ln -s ${bunDeps}/node_modules assets/node_modules + ln -s ${npmFodDeps} assets/node_modules ${mix} assets.deploy ''; - # nativeBuildInputs = with pkgs; [ - # elixir - # rebar - # hex - # git - # bun - # postgresql - # curl - # ffmpeg_7-headless - # fdk_aac - # pkg-config - # ]; - - # buildPhase = '' - # runHook preBuild - - # # Prepare environment - # DATABASE_TYPE="postgres" - - # # I don't think this is needed, but lets copy the dockerfile for now - # mkdir -p 
./app - # cp mix.exs ./app - # cp mix.lock ./app - # cd ./app - - # # Install dependencies - # ${mix} deps.get --only prod && ${mix} deps.compile - # pwd - # ls -al - - # # Copy source - # echo "Copy source" - # cp -r ../config ./config - # cp -r ../priv ./priv - # cp -r ../lib ./lib - # cp -r ../assets ./assets - - # # Compile app - # echo "Compile app" - # ${mix} compile - - # # Build assets - # echo "Build assets" - # $(cd ./assets && bun i --silent --production --frozen-lockfile) - # ${mix} assets.deploy - - # # Build executabe - # echo "Build executabe" - # ${mix} release - - # bun run build --bun - - # runHook postBuild - # ''; - - # installPhase = '' - # runHook preInstall - - # mkdir -p $out - # cp -r ./.output/* $out - - # makeWrapper ${lib.getExe pkgs.bun} $out/bin/${pname} \ - # --chdir $out \ - # --append-flags "server/index.mjs" - - # runHook postInstall - # ''; - meta = { description = "Your personal media companion, built with Phoenix LiveView"; longDescription = '' From 95520c14d1790a731261dbc38d81ca49e6b4b0b9 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 27 Nov 2025 11:05:35 +0100 Subject: [PATCH 204/251] chore: refactor code --- packages/mydia/default.nix | 124 ++++++++++++++++++++----------------- shells/default/default.nix | 14 ++++- 2 files changed, 78 insertions(+), 60 deletions(-) diff --git a/packages/mydia/default.nix b/packages/mydia/default.nix index 73f4cc9..06516a2 100644 --- a/packages/mydia/default.nix +++ b/packages/mydia/default.nix 
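Review bot: In `preInstall`, `ln -s ${npmFodDeps} assets/node_modules` links the output of `pkgs.fetchNpmDeps` as if it were an installed module tree. That fetcher produces an npm download cache meant for an offline `npm ci`, not a `node_modules` directory, so anything `mix assets.deploy` resolves from `assets/node_modules` will likely not be found. Keeping the hash-pinned fetch and letting the npm hook do the install would look like `npmDeps = npmFodDeps;` and `npmRoot = "assets";`, with `pkgs.nodejs` and `pkgs.npmHooks.npmConfigHook` in `nativeBuildInputs`. The same symlink is carried through the `@@ -29,62 +28,73 @@` hunk of PATCH 204 and the `@@ -46,28 +43,32 @@` hunk of PATCH 205. The `let` block this hunk edits starts above the hunk.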
@@ -1,15 +1,12 @@ -{ lib, inputs, fetchFromGitHub, pkgs, stdenv, ... }: -let - erl = pkgs.beam.interpreters.erlang_28; - erlangPackages = pkgs.beam.packagesWith erl; - - elixir = erlangPackages.elixir; - mix = "${elixir}/bin/mix"; - rebar = erlangPackages.rebar; - hex = erlangPackages.hex; - - bun = pkgs.bun; - bun2nix = inputs.bun2nix.packages.${stdenv.hostPlatform.system}.default; +{ + lib, + fetchFromGitHub, + pkgs, + stdenv, + ... +}: let + erlang = pkgs.beam.packagesWith pkgs.beam.interpreters.erlang; + mix = "${erlang.elixir}/bin/mix"; translatedPlatform = { @@ -19,8 +16,10 @@ let x86_64-darwin = "macos-x64"; x86_64-linux = "linux-x64"; } - .${stdenv.hostPlatform.system}; - + .${ + stdenv.hostPlatform.system + }; + version = "v0.6.0"; pname = "mydia"; src = fetchFromGitHub { 
@@ -29,62 +28,73 @@ let rev = version; hash = "sha256-JGT52ulnqcx8o+3e0l50TLAwLIWXEI8nwFGUsA95vH0="; }; - mixFodDeps = erlangPackages.fetchMixDeps { + mixFodDeps = erlang.fetchMixDeps { inherit version src; - pname = "mix-deps-${pname}"; + pname = "mix-deps-${pname}-${version}"; hash = "sha256-19q56IZe8YjuUBXirFGgmBsewJ0cmdOoO1yfiMaWGWk="; + + DATABASE_TYPE = "postgres"; }; - npmFodDeps= pkgs.fetchNpmDeps { + npmFodDeps = pkgs.fetchNpmDeps { src = "${src}/assets"; hash = "sha256-0cz75pxhxvzo1RogsV8gTP6GrgLIboWQXcKpq42JZ6o="; }; in -erlangPackages.mixRelease { - inherit pname version src mixFodDeps; + erlang.mixRelease { + inherit pname version src mixFodDeps; - nativeBuildInputs = with pkgs; [ - # ffmpeg_7 - # pkg-config - # tailwindcss - ]; - buildInputs = with pkgs; [ - ffmpeg_7 - pkg-config - ]; + enableDebugInfo = true; - preInstall = '' - ln -s ${pkgs.tailwindcss}/bin/tailwind _build/tailwind-${translatedPlatform} - ln -s ${pkgs.esbuild}/bin/esbuild _build/esbuild-${translatedPlatform} - ln -s ${npmFodDeps} assets/node_modules + nativeBuildInputs = with pkgs; [ + ffmpeg_6 + fdk_aac + sqlite + postgresql + pkg-config + ]; + buildInputs = with pkgs; [ + ffmpeg_6 + fdk_aac + sqlite + postgresql + pkg-config + ]; - ${mix} assets.deploy - ''; + DATABASE_TYPE = "postgres"; - meta = { - description = "Your personal media companion, built with Phoenix LiveView"; - longDescription = '' - A modern, self-hosted media management platform for tracking, organizing, and monitoring your media library. 
+ preInstall = '' + ln -s ${pkgs.tailwindcss}/bin/tailwind _build/tailwind-${translatedPlatform} + ln -s ${pkgs.esbuild}/bin/esbuild _build/esbuild-${translatedPlatform} + ln -s ${npmFodDeps} assets/node_modules - # ✨ Features - - - 📺 Unified Media Management – Track both movies and TV shows with rich metadata from TMDB/TVDB - - 🤖 Automated Downloads – Background search and download with quality profiles and smart release ranking - - ⬇️ Download Clients – qBittorrent, Transmission, SABnzbd, and NZBGet support - - 🔎 Indexer Integration – Search via Prowlarr and Jackett for finding releases - - 📚 Built-in Indexer Library – Native Cardigann support (experimental, limited testing) - - 👥 Multi-User System – Built-in admin/guest roles with request approval workflow - - 🔐 SSO Support – Local authentication plus OIDC/OpenID Connect integration - - 🔔 Release Calendar – Track upcoming releases and monitor episodes - - 🎨 Modern Real-Time UI – Phoenix LiveView with instant updates and responsive design + ${mix} assets.deploy ''; - homepage = "https://github.com/getmydia/mydia"; - changelog = "https://github.com/getmydia/mydia/releases"; - license = lib.licenses.agpl3Only; + meta = { + description = "Your personal media companion, built with Phoenix LiveView"; + longDescription = '' + A modern, self-hosted media management platform for tracking, organizing, and monitoring your media library. 
- maintainers = []; + # ✨ Features - platforms = lib.platforms.all; - mainProgram = pname; - }; -} \ No newline at end of file + - 📺 Unified Media Management – Track both movies and TV shows with rich metadata from TMDB/TVDB + - 🤖 Automated Downloads – Background search and download with quality profiles and smart release ranking + - ⬇️ Download Clients – qBittorrent, Transmission, SABnzbd, and NZBGet support + - 🔎 Indexer Integration – Search via Prowlarr and Jackett for finding releases + - 📚 Built-in Indexer Library – Native Cardigann support (experimental, limited testing) + - 👥 Multi-User System – Built-in admin/guest roles with request approval workflow + - 🔐 SSO Support – Local authentication plus OIDC/OpenID Connect integration + - 🔔 Release Calendar – Track upcoming releases and monitor episodes + - 🎨 Modern Real-Time UI – Phoenix LiveView with instant updates and responsive design + ''; + + homepage = "https://github.com/getmydia/mydia"; + changelog = "https://github.com/getmydia/mydia/releases"; + license = lib.licenses.agpl3Only; + + maintainers = []; + + platforms = lib.platforms.all; + mainProgram = pname; + }; + } diff --git a/shells/default/default.nix b/shells/default/default.nix index ffe74f1..03756be 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -1,5 +1,10 @@ -{ mkShell, inputs, pkgs, stdenv, ... }: - +{ + mkShell, + inputs, + pkgs, + stdenv, + ... +}: mkShell { packages = with pkgs; [ bash @@ -7,6 +12,9 @@ mkShell { just yq pwgen + alejandra + nil + nixd inputs.clan-core.packages.${stdenv.hostPlatform.system}.clan-cli ]; -} \ No newline at end of file +} From f6a504667ef6bd955c703295ea51c92cc2de8970 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 27 Nov 2025 16:28:33 +0100 Subject: [PATCH 205/251] feat: fix most issues with mydia --- packages/mydia/default.nix | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) 
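Review bot: `nativeBuildInputs` and `buildInputs` now list the same five packages, which hides which entries are build tools and which are libraries the release links against. `pkg-config` is the only clear build-time tool; the rest look like libraries, so the split would be `nativeBuildInputs = [ pkgs.pkg-config ];` and `buildInputs = with pkgs; [ ffmpeg_6 fdk_aac sqlite postgresql ];`. The hunk also moves from `ffmpeg_7` to `ffmpeg_6` without saying why; a comment such as `# ffmpeg_6: <reason for staying on the older major>` would keep the pin from being bumped or forgotten. PATCH 205's `@@ -46,28 +43,32 @@` hunk later drops `buildInputs` and keeps the libraries under `nativeBuildInputs` only, where the same separation applies.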
diff --git a/packages/mydia/default.nix b/packages/mydia/default.nix index 06516a2..769bef3 100644 --- a/packages/mydia/default.nix +++ b/packages/mydia/default.nix @@ -6,9 +6,8 @@ ... }: let erlang = pkgs.beam.packagesWith pkgs.beam.interpreters.erlang; - mix = "${erlang.elixir}/bin/mix"; - translatedPlatform = + erlangSystem = { aarch64-darwin = "macos-arm64"; aarch64-linux = "linux-arm64"; @@ -32,8 +31,6 @@ inherit version src; pname = "mix-deps-${pname}-${version}"; hash = "sha256-19q56IZe8YjuUBXirFGgmBsewJ0cmdOoO1yfiMaWGWk="; - - DATABASE_TYPE = "postgres"; }; npmFodDeps = pkgs.fetchNpmDeps { src = "${src}/assets"; @@ -46,28 +43,32 @@ in enableDebugInfo = true; nativeBuildInputs = with pkgs; [ + which ffmpeg_6 fdk_aac sqlite postgresql - pkg-config - ]; - buildInputs = with pkgs; [ - ffmpeg_6 - fdk_aac - sqlite - postgresql + tailwindcss_4 + esbuild pkg-config ]; - DATABASE_TYPE = "postgres"; + env = { + EXQLITE_USE_SYSTEM = "1"; + EXQLITE_SYSTEM_CFLAGS = "-I${pkgs.sqlite.dev}/include"; + EXQLITE_SYSTEM_LDFLAGS = "-L${pkgs.sqlite.out}/lib -lsqlite3"; + DATABASE_TYPE = "postgres"; + }; preInstall = '' - ln -s ${pkgs.tailwindcss}/bin/tailwind _build/tailwind-${translatedPlatform} - ln -s ${pkgs.esbuild}/bin/esbuild _build/esbuild-${translatedPlatform} + ln -s ${lib.getExe pkgs.tailwindcss_4} _build/tailwind-${erlangSystem} + ln -s ${lib.getExe pkgs.esbuild} _build/esbuild-${erlangSystem} ln -s ${npmFodDeps} assets/node_modules - ${mix} assets.deploy + mix do \ + deps.loadpaths --no-deps-check, \ + tailwind default --minify + esbuild default --minify + phx.digest, \ + assets.deploy ''; meta = { From f04b540efb87db2dc04bfb151dc56c19ffcd5be6 Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 1 Dec 2025 09:03:21 +0000 Subject: [PATCH 206/251] chore(secrets): set secret "mydia/oidc_id" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 7a26401..535bd07 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -19,6 +19,8 @@ lidarr: apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str] prowlarr: apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] +mydia: + oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -39,7 +41,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-19T09:51:26Z" - mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str] + lastmodified: "2025-12-01T09:03:20Z" + mac: ENC[AES256_GCM,data:rdsebviO54N08/Fq/CaaVscWN2rnnVtUZMcGrmTLIwIWdmkbPRWTirbDUt4QajJ6J1ws522jW9LdJ2ndNUPjPApSmk9UUrnmRlo2GNd2A3x/J+tqztCoObzCH6M+v/5XHEx0dv67QO0koY7HH4CbJKqMSYIoKsZxGcKJLb28z+o=,iv:L/jdRsgL0kw2lsHYFHtcPRcbslDUzE9hEcL6tbVYnzA=,tag:bMWA+kKP885FehbQwvW8vA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 1ee19c886567ea88734dcf8b21c7a78efd968ff6 Mon Sep 17 00:00:00 2001 
From: chris Date: Mon, 1 Dec 2025 09:03:28 +0000 Subject: [PATCH 207/251] chore(secrets): set secret "mydia/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 535bd07..38b0d1d 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -21,6 +21,7 @@ prowlarr: apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] mydia: oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str] + oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -41,7 +42,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T09:03:20Z" - mac: ENC[AES256_GCM,data:rdsebviO54N08/Fq/CaaVscWN2rnnVtUZMcGrmTLIwIWdmkbPRWTirbDUt4QajJ6J1ws522jW9LdJ2ndNUPjPApSmk9UUrnmRlo2GNd2A3x/J+tqztCoObzCH6M+v/5XHEx0dv67QO0koY7HH4CbJKqMSYIoKsZxGcKJLb28z+o=,iv:L/jdRsgL0kw2lsHYFHtcPRcbslDUzE9hEcL6tbVYnzA=,tag:bMWA+kKP885FehbQwvW8vA==,type:str] + lastmodified: "2025-12-01T09:03:27Z" + mac: ENC[AES256_GCM,data:q+gsAFJwt8yKY71ieBejVgJkZjZ0glBKTOoOahISS43xgJzs2y+QhWPfGnYsTxxKbG/hJiP0QA4ZjoIhhf+YEy6BQypNSOvxcZzzdQB43LDEeEwIj0QuwyiyH3X4YStlkBY7t69ju/E4X2x46n8Ajm/qAP3U0+hxoVOITLp8gjQ=,iv:wscK5N/WBMvQGxo9W3Jn1/JCUpzwJKvSBIxALNsgoYI=,tag:7xUd3QcBfmaJk6UaPPwIOw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 413af80f9c5cfe41fe746d8afadcb9ff5cde1563 Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 1 Dec 2025 09:04:18 +0000
Subject: [PATCH 208/251] chore(secrets): set secret "mydia/secret_key_base" for machine "ulmo"
---
 systems/x86_64-linux/ulmo/secrets.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml
index 38b0d1d..3eb3ff7 100644
--- a/systems/x86_64-linux/ulmo/secrets.yml
+++ b/systems/x86_64-linux/ulmo/secrets.yml
@@ -22,6 +22,7 @@ prowlarr:
 mydia:
 oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str]
 oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str]
+ secret_key_base: ""
 sops:
 age:
 - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
@@ -43,7 +44,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-01T09:03:27Z"
- mac: ENC[AES256_GCM,data:q+gsAFJwt8yKY71ieBejVgJkZjZ0glBKTOoOahISS43xgJzs2y+QhWPfGnYsTxxKbG/hJiP0QA4ZjoIhhf+YEy6BQypNSOvxcZzzdQB43LDEeEwIj0QuwyiyH3X4YStlkBY7t69ju/E4X2x46n8Ajm/qAP3U0+hxoVOITLp8gjQ=,iv:wscK5N/WBMvQGxo9W3Jn1/JCUpzwJKvSBIxALNsgoYI=,tag:7xUd3QcBfmaJk6UaPPwIOw==,type:str]
+ lastmodified: "2025-12-01T09:04:17Z"
+ mac: ENC[AES256_GCM,data:SQ/4V10qCuaYqojCXmB8lFYDva44CQCitmBTT4boC/rhzt9YmPBGqqu5VSc4tddpcWoXAv2TEfzbzugZfOzAcdK55xqKbzY5tYYzomG0uk0obLytTaBhlMNbTByykBYhjzY8UXb+ZBZvpstr+L6QqZ6jneXwGYAb82J9i/ndnSw=,iv:DRQZWziOmjdM82JP3qiCZvLncptetoMD4222//yGoeg=,tag:7yhmKeUF9I2VKQYoOMB/yw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From 11dc6e33d6c3756e7b42eb3bacb44372468653a2 Mon Sep 17 00:00:00 2001
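Review bot: The added line `secret_key_base: ""` stores an empty value, and it is written in the clear because sops leaves empty strings unencrypted. Any checkout of this revision therefore yields an empty signing key for the service; the next patch in the series replaces it, but the empty revision stays in history. Squashing the two commits would remove it, and the `set` recipe in `.just/vars.just`, which produces these commits, could refuse an empty `value` before calling `sops set`, so that a failed paste does not get committed.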
From: chris
Date: Mon, 1 Dec 2025 09:04:53 +0000
Subject: [PATCH 209/251] chore(secrets): set secret "mydia/secret_key_base" for machine "ulmo"
---
 systems/x86_64-linux/ulmo/secrets.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml
index 3eb3ff7..bae2e49 100644
--- a/systems/x86_64-linux/ulmo/secrets.yml
+++ b/systems/x86_64-linux/ulmo/secrets.yml
@@ -22,7 +22,7 @@ prowlarr:
 mydia:
 oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str]
 oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str]
- secret_key_base: ""
+ secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str]
 sops:
 age:
 - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
@@ -43,7 +43,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-01T09:04:17Z"
- mac: ENC[AES256_GCM,data:SQ/4V10qCuaYqojCXmB8lFYDva44CQCitmBTT4boC/rhzt9YmPBGqqu5VSc4tddpcWoXAv2TEfzbzugZfOzAcdK55xqKbzY5tYYzomG0uk0obLytTaBhlMNbTByykBYhjzY8UXb+ZBZvpstr+L6QqZ6jneXwGYAb82J9i/ndnSw=,iv:DRQZWziOmjdM82JP3qiCZvLncptetoMD4222//yGoeg=,tag:7yhmKeUF9I2VKQYoOMB/yw==,type:str]
+ lastmodified: "2025-12-01T09:04:52Z"
+ mac: ENC[AES256_GCM,data:2qNJvVO7pQuBk1UWMQ/MvGrepDwuk7E4vcUJ/xkUjMVizq03VAxgtZyIpVRP2kgC79XmIwUi9YFK0Ndno2ZAUOyOZqhTUBgK5H6F26Sfv5CoN62yyYBD382yE1VUSicvQk7++knoIAsLOgrUhQKyxhzmpK1SoC0MEFW+rR/do6s=,iv:8jIugT0vCSGxdsqoIQXg1ybtHcZ1c5+uqBXDm0VsEdk=,tag:9UnKMznQWumtEB+WFX4EGg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From e6829d99ce9291fad077641feaa83e0d3efa61f5 Mon Sep 17 00:00:00 2001
From: chris
Date: Mon, 1 Dec 2025 09:05:12 +0000
Subject: [PATCH 210/251] chore(secrets): set secret "mydia/guardian_secret" for machine "ulmo"
---
 systems/x86_64-linux/ulmo/secrets.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml
index bae2e49..b0d432e 100644
--- a/systems/x86_64-linux/ulmo/secrets.yml
+++ b/systems/x86_64-linux/ulmo/secrets.yml
@@ -23,6 +23,7 @@ mydia:
 oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str]
 oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str]
 secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str]
+ guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str]
 sops:
 age:
 - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
@@ -43,7 +44,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-01T09:04:52Z"
- mac: ENC[AES256_GCM,data:2qNJvVO7pQuBk1UWMQ/MvGrepDwuk7E4vcUJ/xkUjMVizq03VAxgtZyIpVRP2kgC79XmIwUi9YFK0Ndno2ZAUOyOZqhTUBgK5H6F26Sfv5CoN62yyYBD382yE1VUSicvQk7++knoIAsLOgrUhQKyxhzmpK1SoC0MEFW+rR/do6s=,iv:8jIugT0vCSGxdsqoIQXg1ybtHcZ1c5+uqBXDm0VsEdk=,tag:9UnKMznQWumtEB+WFX4EGg==,type:str]
+ lastmodified: "2025-12-01T09:05:11Z"
+ mac: ENC[AES256_GCM,data:6gFet+aW7tlQqy4aSulBTJ+mYpu1OxfK8Wa3noXNNDlFwTEpCWEhdwFDqWZ+sd5opINQoPrHD23BwiXYoJtKPeLd9/kpn//CgHvYcwgGDpPzCMbyDOLutlspyY4pfYrEezm8+yg3r5TkJK3o7U2Q8kkfdQQcfEGIsr9GDRKSplw=,iv:PYclBivPBifGreNWeCCZ74koSb51xBMYeviHf0SaxbA=,tag:Lb+vlcBUgpJE0XfJ/gwDiw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From afbf168c352abefe59247c387cec1c2d018bc065 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Mon, 1 Dec 2025 14:14:32 +0100
Subject: [PATCH 211/251] kaas
---
 .just/machine.just | 20 +--
 .just/vars.just | 70 +++++-----
 .justfile | 64 ++++-----
 flake.lock | 129 ++++++++++++++----
 flake.nix | 75 +++++-----
 modules/home/application/steam/default.nix | 110 +++++++--------
 .../home/application/teamspeak/default.nix | 30 ++--
 .../authentication/zitadel/default.nix | 124 ++++++++---------
 .../services/communication/matrix/default.nix | 24 ++--
 .../services/development/forgejo/default.nix | 20 +--
 .../nixos/services/media/mydia/default.nix | 51 +++++++
 .../nixos/services/media/servarr/default.nix | 115 +++++++++-------
 modules/nixos/shells/default.nix | 7 +-
 packages/mydia/default.nix | 101 --------------
 shells/default/default.nix | 1 +
 systems/x86_64-linux/ulmo/default.nix | 67 +++++----
 16 files changed, 541 insertions(+), 467 deletions(-)
 create mode 100644 modules/nixos/services/media/mydia/default.nix
 delete mode 100644 packages/mydia/default.nix
diff --git a/.just/machine.just b/.just/machine.just
index cbdf345..1ab5ca8 100644
--- a/.just/machine.just
+++ b/.just/machine.just
diff --git a/.just/machine.just b/.just/machine.just index cbdf345..1ab5ca8 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -1,11 +1,11 @@ -@_default: list - -[doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ - -[no-exit-message] -[doc('Update the target machine')] -@update machine: - just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" +@_default: list + +[doc('List machines')] +@list: + ls -1 ../systems/x86_64-linux/ + +[no-exit-message] +[doc('Update the target machine')] +@update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file diff --git a/.just/vars.just b/.just/vars.just index d8bd181..0d381ef 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -1,36 +1,36 @@ -set unstable - -base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" -sops := "sops" -yq := "yq" - -@_default: - just --list - -[doc('list all vars of the target machine')] -list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml - -@set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - - echo "Done" - -@get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - -@remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - +set unstable + +base_path := invocation_directory() / "systems/x86_64-linux" +# sops := "nix shell nixpkgs#sops --command sops" +# yq := "nix shell nixpkgs#yq --command yq" +sops := "sops" +yq := "yq" + +@_default: + just --list + +[doc('list all vars of the target machine')] +list machine: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + +@edit machine: + sops edit {{ base_path }}/{{ machine }}/secrets.yml + +@set machine key value: + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + + git add {{ 
base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" + +@get machine key: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" + +@remove machine key: + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 3a15d20..87563d0 100644 --- a/.justfile +++ b/.justfile 
@@ -1,33 +1,33 @@ -@_default: - just --list --list-submodules - -[doc('Manage vars')] -mod vars '.just/vars.just' - -[doc('Manage machines')] -mod machine '.just/machine.just' - -[doc('Show information about project')] -@show: - echo "show" - -[doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" - -[doc('Introspection on flake output')] -@select key: - nix eval --json .#{{ key }} | jq . - - - -#=============================================================================================== -# Utils -#=============================================================================================== -[no-exit-message] -[no-cd] -[private] -@assert condition message: +@_default: + just --list --list-submodules + +[doc('Manage vars')] +mod vars '.just/vars.just' + +[doc('Manage machines')] +mod machine '.just/machine.just' + +[doc('Show information about project')] +@show: + echo "show" + +[doc('update the flake dependencies')] +@update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" + +[doc('Introspection on flake output')] +@select key: + nix eval --json .#{{ key }} | jq . + + + +#=============================================================================================== +# Utils +#=============================================================================================== +[no-exit-message] +[no-cd] +[private] +@assert condition message: [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file diff --git a/flake.lock b/flake.lock index 3f5967e..4f55a24 100644 --- a/flake.lock +++ b/flake.lock @@ -402,7 +402,7 @@ }, "flake-utils-plus": { "inputs": { - "flake-utils": "flake-utils_4" + "flake-utils": "flake-utils_5" }, "locked": { "lastModified": 1715533576, 
@@ -457,7 +457,25 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_6" + "systems": "systems_5" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "inputs": { + "systems": "systems_7" }, "locked": { "lastModified": 1694529238, @@ -662,6 +680,25 @@ "type": "github" } }, + "mydia": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1764568388, + "narHash": "sha256-kl8165eI0lUz9E96sdreZ48/nApydDfJP8IksjBveAw=", + "owner": "getmydia", + "repo": "mydia", + "rev": "74f0cf9a8ca782581ec0a35acf6526fccfbb6e2a", + "type": "github" + }, + "original": { + "owner": "getmydia", + "repo": "mydia", + "type": "github" + } + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -708,8 +745,8 @@ "nix-minecraft": { "inputs": { "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_5" + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1764556167, @@ -856,6 +893,22 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1762977756, + "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1764547213, 
@@ -905,6 +958,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1764242076, + "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1748929857, "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", @@ -920,7 +989,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1764517877, "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", @@ -936,7 +1005,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1761880412, "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", @@ -952,7 +1021,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1764445028, "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=", @@ -968,22 +1037,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1762977756, - "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "inputs": { "flake-parts": [ @@ -1014,8 +1067,8 @@ "flake-compat": "flake-compat_4", "flake-parts": "flake-parts_2", "mnw": "mnw", - "nixpkgs": "nixpkgs_7", - "systems": "systems_5" + "nixpkgs": "nixpkgs_8", + "systems": "systems_6" }, "locked": { "lastModified": 1762622004, 
@@ -1065,11 +1118,12 @@ "himmelblau": "himmelblau", "home-manager": "home-manager", "jovian": "jovian", + "mydia": "mydia", "nix-minecraft": "nix-minecraft", "nixos-boot": "nixos-boot", "nixos-generators": "nixos-generators", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_7", "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", @@ -1162,7 +1216,7 @@ }, "sops-nix_2": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1764483358, @@ -1187,9 +1241,9 @@ "firefox-gnome-theme": "firefox-gnome-theme", "flake-parts": "flake-parts_3", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "nur": "nur", - "systems": "systems_7", + "systems": "systems_8", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -1330,13 +1384,28 @@ "type": "github" } }, + "systems_9": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_8" + "systems": "systems_9" }, "locked": { "lastModified": 1762472226, diff --git a/flake.nix b/flake.nix index d7a7508..5668380 100644 --- a/flake.nix +++ b/flake.nix 
@@ -88,49 +88,54 @@ url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; + + mydia = { + url = "github:getmydia/mydia"; + }; }; - outputs = inputs: inputs.snowfall-lib.mkFlake { - inherit inputs; - src = ./.; + outputs = inputs: + inputs.snowfall-lib.mkFlake { + inherit inputs; + src = ./.; - snowfall = { - namespace = "sneeuwvlok"; + snowfall = { + namespace = "sneeuwvlok"; - meta = { - name = "sneeuwvlok"; - title = "Sneeuwvlok"; + meta = { + name = "sneeuwvlok"; + title = "Sneeuwvlok"; + }; }; - }; - channels-config = { - allowUnfree = true; - permittedInsecurePackages = [ - # Due to *arr stack - "dotnet-sdk-6.0.428" - "aspnetcore-runtime-6.0.36" + channels-config = { + allowUnfree = true; + permittedInsecurePackages = [ + # Due to *arr stack + "dotnet-sdk-6.0.428" + "aspnetcore-runtime-6.0.36" - # I think this is because of zen - "qtwebengine-5.15.19" + # I think this is because of zen + "qtwebengine-5.15.19" - # For Nheko, the matrix client - "olm-3.2.16" + # For Nheko, the matrix client + "olm-3.2.16" + ]; + }; + + overlays = with inputs; [ + fenix.overlays.default + nix-minecraft.overlay + flux.overlays.default + ]; + + systems.modules = with inputs; [ + clan-core.nixosModules.default + ]; + + homes.modules = with inputs; [ + stylix.homeModules.stylix + plasma-manager.homeModules.plasma-manager ]; }; - - overlays = with inputs; [ - fenix.overlays.default - nix-minecraft.overlay - flux.overlays.default - ]; - - systems.modules = with inputs; [ - clan-core.nixosModules.default - ]; - - homes.modules = with inputs; [ - stylix.homeModules.stylix - plasma-manager.homeModules.plasma-manager - ]; - }; } diff --git a/modules/home/application/steam/default.nix b/modules/home/application/steam/default.nix index 8c87b40..ec47942 100644 --- a/modules/home/application/steam/default.nix +++ b/modules/home/application/steam/default.nix 
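Review bot: The new `mydia` input is declared with only `url = "github:getmydia/mydia";`, so it resolves its own nixpkgs and flake-utils, and the flake.lock part of this patch accordingly adds separate `nixpkgs_5` and `flake-utils_3` nodes for it. The `clan-core` input directly above it sets `inputs.nixpkgs.follows = "nixpkgs";`. Because the service package is taken from this input, it is built against a nixpkgs revision chosen by the upstream lock, so library fixes picked up by this flake's own nixpkgs bumps would presumably not reach it. If the upstream flake evaluates against this flake's nixpkgs, adding `inputs.nixpkgs.follows = "nixpkgs";` to the `mydia` block keeps one package set to audit. The enclosing `inputs` attribute set starts outside the hunk.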
@@ -1,55 +1,55 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.steam; -in -{ - options.${namespace}.application.steam = { - enable = mkEnableOption "enable steam"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ protonup-ng ]; - - home.sessionVariables = { - STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; - }; - - programs = { - # steam = { - # enable = true; - # package = pkgs.steam-small.override { - # extraEnv = { - # DXVK_HUD = "compiler"; - # MANGOHUD = true; - # }; - # }; - - # gamescopeSession = { - # enable = true; - # args = ["--immediate-flips"]; - # }; - # }; - - # https://github.com/FeralInteractive/gamemode - # gamemode = { - # enable = true; - # enableRenice = true; - # settings = {}; - # }; - - # gamescope = { - # enable = true; - # capSysNice = true; - # env = { - # DXVK_HDR = "1"; - # ENABLE_GAMESCOPE_WSI = "1"; - # WINE_FULLSCREEN_FSR = "1"; - # WLR_RENDERER = "vulkan"; - # }; - # args = ["--hdr-enabled"]; - # }; - }; - }; -} +{ inputs, config, lib, pkgs, namespace, ... 
}: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.steam; +in +{ + options.${namespace}.application.steam = { + enable = mkEnableOption "enable steam"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ protonup-ng ]; + + home.sessionVariables = { + STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; + }; + + programs = { + # steam = { + # enable = true; + # package = pkgs.steam-small.override { + # extraEnv = { + # DXVK_HUD = "compiler"; + # MANGOHUD = true; + # }; + # }; + + # gamescopeSession = { + # enable = true; + # args = ["--immediate-flips"]; + # }; + # }; + + # https://github.com/FeralInteractive/gamemode + # gamemode = { + # enable = true; + # enableRenice = true; + # settings = {}; + # }; + + # gamescope = { + # enable = true; + # capSysNice = true; + # env = { + # DXVK_HDR = "1"; + # ENABLE_GAMESCOPE_WSI = "1"; + # WINE_FULLSCREEN_FSR = "1"; + # WLR_RENDERER = "vulkan"; + # }; + # args = ["--hdr-enabled"]; + # }; + }; + }; +} diff --git a/modules/home/application/teamspeak/default.nix b/modules/home/application/teamspeak/default.nix index d234e9a..aab3c5d 100644 --- a/modules/home/application/teamspeak/default.nix +++ b/modules/home/application/teamspeak/default.nix @@ -1,15 +1,15 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.teamspeak; -in -{ - options.${namespace}.application.teamspeak = { - enable = mkEnableOption "enable teamspeak"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ teamspeak3 teamspeak6-client ]; - }; -} +{ inputs, config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.teamspeak; +in +{ + options.${namespace}.application.teamspeak = { + enable = mkEnableOption "enable teamspeak"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ teamspeak3 teamspeak6-client ]; + }; +} 
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 9a02f01..8a80902 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -13,7 +13,7 @@ in organization = mkOption { type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let org = name; in @@ -23,11 +23,11 @@ in default = false; example = "true"; description = '' - True sets the org as default org for the instance. Only one org can be default org. + True sets the '${org}' org as default org for the instance. Only one org can be default org. Nothing happens if you set it to false until you set another org as default org. ''; }; - + project = mkOption { default = {}; type = types.attrsOf (types.submodule { @@ -46,7 +46,7 @@ in default = null; example = "enforceProjectResourceOwnerPolicy"; description = '' - Defines from where the private labeling should be triggered, + Defines from where the private labeling should be triggered, supported values: - unspecified @@ -54,7 +54,7 @@ in - allowLoginUserResourceOwnerPolicy ''; }; - + projectRoleAssertion = mkOption { type = types.bool; default = false; @@ -63,7 +63,7 @@ in Describes if roles of user should be added in token. ''; }; - + projectRoleCheck = mkOption { type = types.bool; default = false; @@ -72,11 +72,11 @@ in ZITADEL checks if the user has at least one on this project. ''; }; - + role = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let roleName = name; in @@ -101,12 +101,12 @@ in }; })); }; - + assign = mkOption { default = {}; type = types.attrsOf (types.listOf types.str); }; - + application = mkOption { default = {}; type = types.attrsOf (types.submodule { @@ -141,8 +141,8 @@ in ''; }; - exportMap = - let + exportMap = + let strOpt = mkOption { type = types.nullOr types.str; default = null; }; in mkOption { 
@@ -164,11 +164,11 @@ in }; }); }; - + user = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { - options = + options = let username = name; in @@ -226,7 +226,7 @@ in }; })); }; - + action = mkOption { default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { @@ -263,7 +263,7 @@ in }; })); }; - + triggers = mkOption { default = []; type = types.listOf (types.submodule { @@ -321,26 +321,26 @@ in accessTokenType = mapEnum "OIDC_TOKEN_TYPE" value; }."${type}" or value); - toResource = name: value: nameValuePair + toResource = name: value: nameValuePair (toSnakeCase name) (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); withRef = type: name: attrs: attrs // (mapRef type name); select = keys: callback: set: - if (length keys) == 0 then + if (length keys) == 0 then mapAttrs' callback set else let key = head keys; in concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set ; append = attrList: set: set // (listToAttrs attrList); - forEach = src: key: set: + forEach = src: key: set: let _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; in - { - forEach = "{ for item in ${src} : \"${_key}\" => item }"; + { + forEach = "{ for item in ${src} : \"${_key}\" => item }"; } // set; 
@@ -376,18 +376,18 @@ in } ] ]) "; - orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); + orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id"); }; resource = { # Organizations - zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: + zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: { inherit name isDefault; } |> toResource name ); # Projects per organization - zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: + zitadel_project = cfg.organization |> select [ "project" ] (org: name: { hasProjectCheck, privateLabelingSetting, projectRoleAssertion, projectRoleCheck, ... }: { inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; } @@ -396,7 +396,7 @@ in ); # Each OIDC app per project - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: + zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: { redirectUris, grantTypes, responseTypes, ...}: { inherit name redirectUris grantTypes responseTypes; 
@@ -404,41 +404,41 @@ in idTokenRoleAssertion = true; accessTokenType = "JWT"; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" |> toResource "${org}_${project}_${name}" ); # Each project role - zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: + zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: { inherit (value) displayName group; roleKey = name; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" |> toResource "${org}_${project}_${name}" ); # Each project role assignment zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: { roleKeys = roles; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> withRef "user" "${org}_${user}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" |> toResource "${org}_${project}_${user}" ); # Users - zitadel_human_user = - cfg.organization - |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: + zitadel_human_user = + cfg.organization + |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }: { inherit email userName firstName lastName; isEmailVerified = true; - } + } |> withRef "org" org |> toResource "${org}_${name}" ) - |> append + |> append [ (forEach "local.extra_users" [ "org" "name" ] { orgId = lib.tfRef "local.orgs[each.value.org]"; @@ -446,7 +446,7 @@ in email = lib.tfRef "each.value.email"; firstName = lib.tfRef "each.value.firstName"; lastName = lib.tfRef "each.value.lastName"; - + isEmailVerified = true; } |> toResource "extraUsers") 
@@ -454,20 +454,20 @@ in ; # Global user roles - zitadel_instance_member = - cfg.organization + zitadel_instance_member = + cfg.organization |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0)) - |> select [ "user" ] (org: name: { instanceRoles, ... }: - { roles = instanceRoles; } + |> select [ "user" ] (org: name: { instanceRoles, ... }: + { roles = instanceRoles; } |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" ); # Organazation specific roles - zitadel_org_member = + zitadel_org_member = cfg.organization |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0)) - |> select [ "user" ] (org: name: { roles, ... }: + |> select [ "user" ] (org: name: { roles, ... }: { inherit roles; } |> withRef "org" org |> withRef "user" "${org}_${name}" @@ -475,9 +475,9 @@ in ); # Organazation's actions - zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: - { - inherit allowedToFail name; + zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: + { + inherit allowedToFail name; timeout = "${toString timeout}s"; script = "const ${name} = ${script}"; } @@ -486,20 +486,20 @@ in ); # Organazation's action assignments - zitadel_trigger_actions = + zitadel_trigger_actions = cfg.organization |> concatMapAttrs (org: { triggers, ... }: triggers |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in { - inherit flowType triggerType; + inherit flowType triggerType; - actionIds = - actions + actionIds = + actions |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); - } - |> withRef "org" org - |> toResource "${org}_${name}" + } + |> withRef "org" org + |> toResource "${org}_${name}" )) |> listToAttrs ); 
@@ -516,7 +516,7 @@ in }; # Client credentials per app - local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: + local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }: nameValuePair "${org}_${project}_${name}" { content = '' ${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"} @@ -530,7 +530,7 @@ in }) ]; }; - in + in mkIf cfg.enable { ${namespace}.services.persistance.postgresql.enable = true; @@ -548,7 +548,7 @@ in wantedBy = [ "multi-user.target" ]; wants = [ "zitadel.service" ]; - + script = '' #!/usr/bin/env bash @@ -628,7 +628,7 @@ in Org = { Name = "kruining"; - + Human = { UserName = "chris"; FirstName = "Chris"; @@ -639,7 +639,7 @@ in }; Password = "KaasIsAwesome1!"; }; - + Machine = { Machine = { Username = "terraform-service-user"; @@ -648,7 +648,7 @@ in MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; }; # Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; }; }; - + # LoginClient.Machine = { # Username = "terraform-service-user"; # Name = "Terraform"; @@ -689,7 +689,7 @@ in ''; }; }; - + networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index ce92df4..6405932 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -1,5 +1,10 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (builtins) toString toJSON; inherit (lib) mkIf mkEnableOption; @@ -10,8 +15,7 @@ let port = 4001; database = "synapse"; -in -{ +in { options.${namespace}.services.communication.matrix = { enable = mkEnableOption "Matrix server (Synapse)"; }; 
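Review bot: The context line `Password = "KaasIsAwesome1!";` in the hunk at -639 is a literal credential for the `chris` human user committed in the module source. The hunk itself only strips trailing whitespace and leaves that line as it was. A literal in a Nix expression is readable by anyone with access to the repository and, once evaluated into a generated config file, typically lands in the world-readable Nix store as well; the block that consumes it starts outside the hunk, so the exact path is not visible here. The value should come from a sops-managed secret, as the `# Secrets` section of this module and the other services in this series do, and the committed password should be treated as disclosed and rotated.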
@@ -22,13 +26,13 @@ in # virtualisation.podman.enable = true; }; - networking.firewall.allowedTCPPorts = [ 4001 ]; + networking.firewall.allowedTCPPorts = [4001]; services = { matrix-synapse = { enable = true; - extras = [ "oidc" ]; + extras = ["oidc"]; extraConfigFiles = [ config.sops.templates."synapse-oidc.yaml".path @@ -52,7 +56,7 @@ in backchannel_logout_enabled = true; sso = { - client_whitelist = [ "http://[::1]:9092" ]; + client_whitelist = ["http://[::1]:9092"]; update_profile_information = true; }; @@ -75,7 +79,7 @@ in resources = [ { - names = [ "client" "federation" "openid" "metrics" "media" "health" ]; + names = ["client" "federation" "openid" "metrics" "media" "health"]; compress = true; } ]; @@ -132,7 +136,7 @@ in postgresql = { enable = true; - ensureDatabases = [ database ]; + ensureDatabases = [database]; ensureUsers = [ { name = database; @@ -192,7 +196,7 @@ in localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name }}" ''; - restartUnits = [ "matrix-synapse.service" ]; + restartUnits = ["matrix-synapse.service"]; }; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 52f026f..c7aff89 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -1,12 +1,16 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption; cfg = config.${namespace}.services.development.forgejo; domain = "git.amarth.cloud"; -in -{ +in { options.${namespace}.services.development.forgejo = { enable = mkEnableOption "Forgejo"; @@ -26,7 +30,7 @@ in virtualisation.podman.enable = true; }; - environment.systemPackages = with pkgs; [ forgejo ]; + environment.systemPackages = with pkgs; [forgejo]; services = { forgejo = { 
@@ -141,7 +145,7 @@ in }; }; - openssh.settings.AllowUsers = [ "forgejo" ]; + openssh.settings.AllowUsers = ["forgejo"]; gitea-actions-runner = { package = pkgs.forgejo-runner; @@ -184,14 +188,14 @@ in "forgejo/action_runner_token" = { owner = "gitea-runner"; group = "gitea-runner"; - restartUnits = [ "gitea-runner-default.service" ]; + restartUnits = ["gitea-runner-default.service"]; }; "forgejo/email" = { owner = "forgejo"; group = "forgejo"; key = "email/chris_kruining_eu"; - restartUnits = [ "forgejo.service" ]; + restartUnits = ["forgejo.service"]; }; }; }; diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix new file mode 100644 index 0000000..6fa94ca --- /dev/null +++ b/modules/nixos/services/media/mydia/default.nix @@ -0,0 +1,51 @@ +{ + config, + lib, + namespace, + inputs, + system, + ... +}: let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.mydia; +in { + imports = [ + inputs.mydia.nixosModules.default + ]; + + options.${namespace}.services.media.mydia = { + enable = mkEnableOption "Enable Mydia"; + }; + + config = mkIf cfg.enable { + services.mydia = { + enable = true; + package = inputs.mydia.packages.${system}.default; + + port = 2010; + openFirewall = true; + + secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; + guardianSecretKeyFile = config.sops.secrets."mydia/guardian_secret".path; + + oidc = { + enable = true; + issuer = "https://auth.kruining.eu"; + clientIdFile = config.sops.secrets."mydia/oidc_id".path; + clientSecretFile = config.sops.secrets."mydia/oidc_secret".path; + scopes = ["openid" "profile" "email"]; + }; + }; + + sops.secrets = + ["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"] + |> lib.map (name: + lib.nameValuePair "mydia/${name}" { + owner = config.services.mydia.user; + group = config.services.mydia.group; + restartUnits = ["mydia.service"]; + }) + |> lib.listToAttrs; + }; +} 
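Review bot: `openFirewall = true;` in the new `services.mydia` block opens port 2010 directly, while the other OIDC applications on this host are registered under https hostnames. If Mydia is served straight from that port, the authorization code and session cookie travel over plain HTTP; if it is meant to sit behind the TLS-terminating front end on 80/443, the port should stay closed with `openFirewall = false;`. The later commit in this series that adds `listenAddress = "0.0.0.0";` widens the same exposure. A one-line comment above `port = 2010;` naming the front end expected to reach it would make the intent reviewable.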
diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index c67e52d..733fe99 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -1,14 +1,20 @@ -{ pkgs, config, lib, namespace, inputs, system, ... }: -let +{ + pkgs, + config, + lib, + namespace, + inputs, + system, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types; cfg = config.${namespace}.services.media.servarr; -in -{ +in { options.${namespace}.services.media = { servarr = mkOption { - type = types.attrsOf (types.submodule ({ name, ... }: { + type = types.attrsOf (types.submodule ({name, ...}: { options = { enable = mkEnableOption "Enable ${name}"; debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} "; @@ -28,9 +34,13 @@ in }; config = { - services = + services = cfg - |> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable { + |> lib.mapAttrsToList (service: { + enable, + port, + ... + }: (mkIf enable { "${service}" = { enable = true; openFirewall = true; 
@@ -58,31 +68,44 @@ in }; })) |> lib.mergeAttrsList - |> (set: set // { - postgresql = { - ensureDatabases = cfg |> lib.attrNames; - ensureUsers = cfg |> lib.attrNames |> lib.map (service: { - name = service; - ensureDBOwnership = true; - }); - }; - }) - ; + |> (set: + set + // { + postgresql = { + ensureDatabases = cfg |> lib.attrNames; + ensureUsers = + cfg + |> lib.attrNames + |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + }); - systemd = + systemd = cfg - |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { + |> lib.mapAttrsToList (service: { + enable, + debug, + port, + rootFolders, + ... + }: (mkIf enable { tmpfiles.rules = [ "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -" ]; - services."${service}ApplyTerraform" = - let + services."${service}ApplyTerraform" = let terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; modules = [ - ({ config, lib, ... }: { + ({ + config, + lib, + ... + }: { config = { variable = { api_key = { @@ -102,23 +125,21 @@ in }; resource = { - "${service}_root_folder" = + "${service}_root_folder" = rootFolders - |> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; }) - |> lib.listToAttrs - ; + |> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;}) + |> lib.listToAttrs; }; }; }) ]; }; - in - { + in { description = "${service} terraform apply"; - wantedBy = [ "multi-user.target" ]; - wants = [ "${service}.service" ]; - + wantedBy = ["multi-user.target"]; + wants = ["${service}.service"]; + script = '' #!/usr/bin/env bash @@ -141,7 +162,11 @@ in # Run the infrastructure code ${lib.getExe pkgs.opentofu} \ - ${if debug then "plan" else "apply -auto-approve"} \ + ${ + if debug + then "plan" + else "apply -auto-approve" + } \ -var-file='${config.sops.templates."${service}/config.tfvars".path}' ''; 
@@ -158,31 +183,29 @@ in }; }; })) - |> lib.mergeAttrsList - ; + |> lib.mergeAttrsList; - users.users = + users.users = cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { - "${service}".extraGroups = [ "media" ]; + |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { + "${service}".extraGroups = ["media"]; })) - |> lib.mergeAttrsList - ; + |> lib.mergeAttrsList; - sops = + sops = cfg - |> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable { + |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { secrets."${service}/apikey" = { owner = service; group = service; - restartUnits = [ "${service}.service" ]; + restartUnits = ["${service}.service"]; }; templates = { "${service}/config.env" = { owner = service; group = service; - restartUnits = [ "${service}.service" ]; + restartUnits = ["${service}.service"]; content = '' ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" ''; @@ -191,18 +214,16 @@ in "${service}/config.tfvars" = { owner = service; group = service; - restartUnits = [ "${service}.service" ]; + restartUnits = ["${service}.service"]; content = '' api_key = "${config.sops.placeholder."${service}/apikey"}" ''; }; }; })) - |> lib.mergeAttrsList - ; + |> lib.mergeAttrsList; }; - # cfg # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { diff --git a/modules/nixos/shells/default.nix b/modules/nixos/shells/default.nix index 6b5c058..37afd9b 100644 --- a/modules/nixos/shells/default.nix +++ b/modules/nixos/shells/default.nix @@ -1,2 +1,5 @@ -{ ... }: -{} \ No newline at end of file +{...}: { + config = { + programs.bash.enableCompletion = true; + }; +} diff --git a/packages/mydia/default.nix b/packages/mydia/default.nix deleted file mode 100644 index 769bef3..0000000 --- a/packages/mydia/default.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - lib, - fetchFromGitHub, - pkgs, - stdenv, - ... -}: let - erlang = pkgs.beam.packagesWith pkgs.beam.interpreters.erlang; - - erlangSystem = - { - aarch64-darwin = "macos-arm64"; - aarch64-linux = "linux-arm64"; - armv7l-linux = "linux-armv7"; - x86_64-darwin = "macos-x64"; - x86_64-linux = "linux-x64"; - } - .${ - stdenv.hostPlatform.system - }; - - version = "v0.6.0"; - pname = "mydia"; - src = fetchFromGitHub { - owner = "getmydia"; - repo = "mydia"; - rev = version; - hash = "sha256-JGT52ulnqcx8o+3e0l50TLAwLIWXEI8nwFGUsA95vH0="; - }; - mixFodDeps = erlang.fetchMixDeps { - inherit version src; - pname = "mix-deps-${pname}-${version}"; - hash = "sha256-19q56IZe8YjuUBXirFGgmBsewJ0cmdOoO1yfiMaWGWk="; - }; - npmFodDeps = pkgs.fetchNpmDeps { - src = "${src}/assets"; - hash = "sha256-0cz75pxhxvzo1RogsV8gTP6GrgLIboWQXcKpq42JZ6o="; - }; -in - erlang.mixRelease { - inherit pname version src mixFodDeps; - - enableDebugInfo = true; - - nativeBuildInputs = with pkgs; [ - which - ffmpeg_6 - fdk_aac - sqlite - postgresql - tailwindcss_4 - esbuild - pkg-config - ]; - - env = { - EXQLITE_USE_SYSTEM = "1"; - EXQLITE_SYSTEM_CFLAGS = "-I${pkgs.sqlite.dev}/include"; - EXQLITE_SYSTEM_LDFLAGS = "-L${pkgs.sqlite.out}/lib -lsqlite3"; - DATABASE_TYPE = "postgres"; - }; - - preInstall = '' - ln -s ${lib.getExe pkgs.tailwindcss_4} _build/tailwind-${erlangSystem} - ln -s ${lib.getExe pkgs.esbuild} _build/esbuild-${erlangSystem} - ln -s ${npmFodDeps} assets/node_modules - - mix do \ - deps.loadpaths --no-deps-check, \ - tailwind default --minify + esbuild default --minify + phx.digest, \ - assets.deploy - ''; - - meta = { - description = "Your personal media companion, built with Phoenix LiveView"; - longDescription = '' - A modern, self-hosted media management platform for tracking, organizing, and monitoring your media library. 
- - # ✨ Features - - - 📺 Unified Media Management – Track both movies and TV shows with rich metadata from TMDB/TVDB - - 🤖 Automated Downloads – Background search and download with quality profiles and smart release ranking - - ⬇️ Download Clients – qBittorrent, Transmission, SABnzbd, and NZBGet support - - 🔎 Indexer Integration – Search via Prowlarr and Jackett for finding releases - - 📚 Built-in Indexer Library – Native Cardigann support (experimental, limited testing) - - 👥 Multi-User System – Built-in admin/guest roles with request approval workflow - - 🔐 SSO Support – Local authentication plus OIDC/OpenID Connect integration - - 🔔 Release Calendar – Track upcoming releases and monitor episodes - - 🎨 Modern Real-Time UI – Phoenix LiveView with instant updates and responsive design - ''; - - homepage = "https://github.com/getmydia/mydia"; - changelog = "https://github.com/getmydia/mydia/releases"; - license = lib.licenses.agpl3Only; - - maintainers = []; - - platforms = lib.platforms.all; - mainProgram = pname; - }; - } diff --git a/shells/default/default.nix b/shells/default/default.nix index 03756be..5bd5b5f 100644 --- a/shells/default/default.nix +++ b/shells/default/default.nix @@ -15,6 +15,7 @@ mkShell { alejandra nil nixd + openssl inputs.clan-core.packages.${stdenv.hostPlatform.system}.clan-cli ]; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 0310818..93171d8 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ./disks.nix ./hardware.nix @@ -8,7 +7,10 @@ networking = { interfaces.enp2s0 = { ipv6.addresses = [ - { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } + { + address = "2a0d:6e00:1dc9:0::dead:beef"; + prefixLength = 64; + } ]; useDHCP = true; @@ -39,7 +41,7 @@ sneeuwvlok = { services = { backup.borg.enable = true; - + authentication.zitadel = { enable = true; 
@@ -51,8 +53,8 @@ firstName = "Chris"; lastName = "Kruining"; - roles = [ "ORG_OWNER" ]; - instanceRoles = [ "IAM_OWNER" ]; + roles = ["ORG_OWNER"]; + instanceRoles = ["IAM_OWNER"]; }; kaas = { @@ -78,27 +80,27 @@ }; assign = { - chris = [ "jellyfin" "jellyfin_admin" ]; - kaas = [ "jellyfin" ]; + chris = ["jellyfin" "jellyfin_admin"]; + kaas = ["jellyfin"]; }; application = { jellyfin = { - redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://jellyfin.kruining.eu/sso/OID/redirect/zitadel"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; forgejo = { - redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://git.amarth.cloud/user/oauth2/zitadel/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; vaultwarden = { - redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://vault.kruining.eu/identity/connect/oidc-signin"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; exportMap = { client_id = "SSO_CLIENT_ID"; client_secret = "SSO_CLIENT_SECRET"; @@ -106,9 +108,15 @@ }; matrix = { - redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; + redirectUris = ["https://matrix.kruining.eu/_synapse/client/oidc/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; + }; + + mydia = { + redirectUris = ["http://localhost:2010/auth/oidc/callback"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; }; }; }; 
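Review bot: The `mydia` entry added under `application` registers `http://localhost:2010/auth/oidc/callback` as its only redirect URI, while every other application in this set uses an https hostname. A loopback http callback only matches when the browser runs on the server itself, and it leaves a plaintext redirect target registered at the identity provider. If Mydia is to be reached under a public name, register that instead, for example `redirectUris = ["https://MYDIA_HOSTNAME/auth/oidc/callback"];` (placeholder hostname, not taken from this page), and keep it in step with the address the service actually serves.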
@@ -121,9 +129,9 @@ if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) { return; } - + const roles = ctx.v1.user.grants.grants.flatMap(({ roles, projectId }) => roles.map(role => projectId + ':' + role)); - + api.v1.claims.setClaim('nix:zitadel:custom', JSON.stringify({ roles })); }; ''; @@ -131,8 +139,16 @@ }; triggers = [ - { flowType = "customiseToken"; triggerType = "preUserinfoCreation"; actions = [ "flattenRoles" ]; } - { flowType = "customiseToken"; triggerType = "preAccessTokenCreation"; actions = [ "flattenRoles" ]; } + { + flowType = "customiseToken"; + triggerType = "preUserinfoCreation"; + actions = ["flattenRoles"]; + } + { + flowType = "customiseToken"; + triggerType = "preAccessTokenCreation"; + actions = ["flattenRoles"]; + } ]; }; }; @@ -146,6 +162,7 @@ media.enable = true; media.homer.enable = true; + media.mydia.enable = true; media.nfs.enable = true; media.servarr = { # radarr = { @@ -190,7 +207,7 @@ database = { # type = "sqlite"; # file = "/var/lib/vaultwarden/state.db"; - + type = "postgresql"; host = "localhost"; port = 5432; From b64cfa9e7363f2b261a790b2cbf19189f4f2854c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 1 Dec 2025 14:49:33 +0100 Subject: [PATCH 212/251] fix: forEach implementation in zitadel module --- .just/machine.just | 8 +++---- .../authentication/zitadel/default.nix | 24 ++++++++++++------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index 1ab5ca8..098e101 100644 --- a/.just/machine.just +++ b/.just/machine.just 
@@ -2,10 +2,10 @@ [doc('List machines')] @list: - ls -1 ../systems/x86_64-linux/ + ls -1 ../systems/x86_64-linux/ -[no-exit-message] [doc('Update the target machine')] +[no-exit-message] @update machine: - just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} \ No newline at end of file + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 8a80902..ee06900 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -335,14 +335,6 @@ in ; append = attrList: set: set // (listToAttrs attrList); - forEach = src: key: set: - let - _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; - in - { - forEach = "{ for item in ${src} : \"${_key}\" => item }"; - } - // set; config' = config; @@ -352,7 +344,21 @@ in modules = [ ({ config, lib, ... }: { - config = { + config = + let + forEach = src: key: set: + let + _key = concatMapStringsSep "_" (k: "\${item.${k}}") key; + in + { + forEach = lib.tfRef ''{ + for item in ${src} : + "''${item.org}_''${item.name}" => item + }''; + } + // set; + in + { terraform.required_providers.zitadel = { source = "zitadel/zitadel"; version = "2.2.0"; From ac4cc09ab5879a8a4c0eb4d6816ebddd0bf4af01 Mon Sep 17 00:00:00 2001 
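Review bot: In the relocated `forEach` (zitadel/default.nix, hunk at +344) the `key` argument no longer has any effect: `_key` is still computed from it, but the expression is hard-coded to the `item.org` and `item.name` pair. A caller that passes a different key list would silently get org_name keys, and if two items share that pair Terraform rejects the duplicate key in the `for` expression. Either use the computed value in the template, `for item in ${src} : "${_key}" => item`, or drop the `key` parameter together with the unused `let`. A short comment on why the value is now wrapped in `lib.tfRef` would also help the next reader.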
From: chris Date: Mon, 1 Dec 2025 14:26:40 +0000 Subject: [PATCH 213/251] chore(secrets): set secret "mydia/oidc_id" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b0d432e..3d163b6 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -20,7 +20,7 @@ lidarr: prowlarr: apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] mydia: - oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str] + oidc_id: ENC[AES256_GCM,data:LfYWh9EC0aio3w1Xsj/jtU6z,iv:+dX9KkNtfQMYSX4yr83KyXalWMD/aWby7fC8aL4ZT3I=,tag:CvdbMoMTuC9FohTMIE5pmg==,type:str] oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str] secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] 
@@ -44,7 +44,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T09:05:11Z" - mac: ENC[AES256_GCM,data:6gFet+aW7tlQqy4aSulBTJ+mYpu1OxfK8Wa3noXNNDlFwTEpCWEhdwFDqWZ+sd5opINQoPrHD23BwiXYoJtKPeLd9/kpn//CgHvYcwgGDpPzCMbyDOLutlspyY4pfYrEezm8+yg3r5TkJK3o7U2Q8kkfdQQcfEGIsr9GDRKSplw=,iv:PYclBivPBifGreNWeCCZ74koSb51xBMYeviHf0SaxbA=,tag:Lb+vlcBUgpJE0XfJ/gwDiw==,type:str] + lastmodified: "2025-12-01T14:26:39Z" + mac: ENC[AES256_GCM,data:UFp+14rzSop6XoqLQcihDd935hQOmihyjBxXQGweLGHHZZapk0rCsgkO5/zZnjRgTf0Aeyr9u5fQHGcZn7lFASkx4yiTdoRgjnezeI+hHd3tSqYt6cfsY5jm0w24AIve7JCF16hdLMUP5ho4jusX1beKfnb7HQYJjfqR4dGhxek=,iv:IaUd1X73GH1RSn+nf2C/XVlPXmSOAGrrEbvKM7G5Xn4=,tag:oWZSb+QIc2dg1EvweuWrXA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 0e57c4f4252207eed4ad646df5a1effc15f77bfa Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 1 Dec 2025 14:27:13 +0000 Subject: [PATCH 214/251] chore(secrets): set secret "mydia/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 3d163b6..9e80086 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -21,7 +21,7 @@ prowlarr: apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] mydia: oidc_id: ENC[AES256_GCM,data:LfYWh9EC0aio3w1Xsj/jtU6z,iv:+dX9KkNtfQMYSX4yr83KyXalWMD/aWby7fC8aL4ZT3I=,tag:CvdbMoMTuC9FohTMIE5pmg==,type:str] - oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str] + oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str] secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] sops: 
@@ -44,7 +44,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T14:26:39Z" - mac: ENC[AES256_GCM,data:UFp+14rzSop6XoqLQcihDd935hQOmihyjBxXQGweLGHHZZapk0rCsgkO5/zZnjRgTf0Aeyr9u5fQHGcZn7lFASkx4yiTdoRgjnezeI+hHd3tSqYt6cfsY5jm0w24AIve7JCF16hdLMUP5ho4jusX1beKfnb7HQYJjfqR4dGhxek=,iv:IaUd1X73GH1RSn+nf2C/XVlPXmSOAGrrEbvKM7G5Xn4=,tag:oWZSb+QIc2dg1EvweuWrXA==,type:str] + lastmodified: "2025-12-01T14:27:13Z" + mac: ENC[AES256_GCM,data:v8t65zlWw6UuFeFQ5oBNVGjnuewPlZZG7ea8P4cEHXN+JnSAE67HivSCyjhUAFmX/UbksxnSLYdl72swTb9ASv6JaW2FVJsaF+5zmZbuM5pAjZl4MR6Y7+Vc9YqAi+axnSE1s8pRe9U1PYmcbLWaY9kRZdccavfM2bsoAIpJRTk=,iv:EevmWMh6ygEAlf9RE4qZ1KVKm6yDR5dTZeraoFHmdRg=,tag:sCdtEYc9iNjfEvyYyXH8rQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 5396c9bab6a13133a8e9fccb53a8203e90fccc82 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 1 Dec 2025 15:30:47 +0100 Subject: [PATCH 215/251] chore: revert bash option --- modules/nixos/shells/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/nixos/shells/default.nix b/modules/nixos/shells/default.nix index 37afd9b..ea8f50d 100644 --- a/modules/nixos/shells/default.nix +++ b/modules/nixos/shells/default.nix @@ -1,5 +1,2 @@ {...}: { - config = { - programs.bash.enableCompletion = true; - }; } From 7a7e8bb088c38b6bf8c33f8da034ac0e0a9cd027 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 1 Dec 2025 15:31:14 +0100 Subject: [PATCH 216/251] fix: zitadel script --- .../services/authentication/zitadel/default.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index ee06900..1b400bb 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
@@ -555,7 +555,11 @@ in wantedBy = [ "multi-user.target" ]; wants = [ "zitadel.service" ]; - script = '' + script = + let + tofu = lib.getExe pkgs.opentofu; + in + '' #!/usr/bin/env bash if [ "$(systemctl is-active zitadel)" != "active" ]; then @@ -570,11 +574,11 @@ in cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init + ${tofu} init # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan - ${lib.getExe pkgs.opentofu} apply -auto-approve + ${tofu} plan -refresh=false -out=tfplan + ${tofu} apply -auto-approve tfplan ''; serviceConfig = { From 70fd7c3d7a2a5eb68813e04b4bafee18f164a58f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 1 Dec 2025 20:56:56 +0100 Subject: [PATCH 217/251] . --- .../nixos/services/media/mydia/default.nix | 1 + .../services/security/vaultwarden/default.nix | 131 +++++++++--------- 2 files changed, 68 insertions(+), 64 deletions(-) diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix index 6fa94ca..aa44856 100644 --- a/modules/nixos/services/media/mydia/default.nix +++ b/modules/nixos/services/media/mydia/default.nix @@ -24,6 +24,7 @@ in { package = inputs.mydia.packages.${system}.default; port = 2010; + listenAddress = "0.0.0.0"; openFirewall = true; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index abab566..07f7058 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix 
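Review bot: `${tofu} plan -refresh=false -out=tfplan` leaves a saved plan in the unit's working directory, and a saved plan holds the planned values in full, including ones marked sensitive such as the per-application client credentials this configuration writes out. The hunk shows neither the directory's mode nor any cleanup, so I would add `rm -f tfplan` after the apply and confirm the directory is not readable by other users. `-refresh=false` also means changes made in Zitadel outside this unit are never detected; a comment saying why refresh is disabled would document that trade-off. The script body starts and ends outside the hunk.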
@@ -1,25 +1,31 @@ -{ pkgs, config, lib, namespace, ... }: -let +{ + pkgs, + config, + lib, + namespace, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; - databaseProviderSqlite = types.submodule ({ ... }: { + databaseProviderSqlite = types.submodule ({...}: { options = { type = mkOption { - type = types.enum [ "sqlite" ]; + type = types.enum ["sqlite"]; }; file = mkOption { - type = types.str; - description = ''''; + type = types.path; + description = '' + Path to sqlite database file. + ''; }; }; }); - databaseProviderPostgresql = types.submodule ({ ... }: - let + databaseProviderPostgresql = types.submodule ({...}: let urlOptions = lib.${namespace}.options.mkUrlOptions { host = { description = '' 
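Review bot: Changing `file` from `types.str` to `types.path` in `databaseProviderSqlite` interacts badly with the template further down this file, which renders each value with `"${toUpper n}=${v}"`. `types.path` accepts a Nix path literal, and interpolating a path value copies the file into the Nix store, so `file = /var/lib/vaultwarden/state.db;` would either fail evaluation or put the vault database in a world-readable store path. Keep `type = types.str;` here, or convert explicitly at the point of rendering with `toString v`.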
@@ -40,36 +46,36 @@ let example = "postgres"; }; }; - in - { - options = { - type = mkOption { - type = types.enum [ "postgresql" ]; - }; + in { + options = + { + type = mkOption { + type = types.enum ["postgresql"]; + }; - sslMode = mkOption { - type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; - default = "verify-full"; - example = "verify-ca"; - description = '' - How to verify the server's ssl + sslMode = mkOption { + type = types.enum ["verify-ca" "verify-full" "require" "prefer" "allow" "disabled"]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl - | mode | eavesdropping protection | MITM protection | Statement | - |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| - | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | - | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | - | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | - | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | - | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | - | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. 
| - - [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) - ''; - }; - } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } + // (urlOptions |> getAttrs ["protocol" "host" "port"]); }); -in -{ +in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; @@ -136,7 +142,7 @@ in postgresql = { enable = true; - ensureDatabases = [ "vaultwarden" ]; + ensureDatabases = ["vaultwarden"]; ensureUsers = [ { name = "vaultwarden"; 
@@ -171,7 +177,7 @@ in owner = config.users.users.vaultwarden.name; group = config.users.users.vaultwarden.name; key = "email/chris_kruining_eu"; - restartUnits = [ "vaultwarden.service" ]; + restartUnits = ["vaultwarden.service"]; }; }; @@ -183,34 +189,31 @@ in owner = config.users.users.vaultwarden.name; group = config.users.groups.vaultwarden.name; }; - temp-db-output.content = - let - config = - cfg.database - |> ({ type, ... }@db: - if type == "sqlite" then - { inherit (db) type file; } - else if type == "postgresql" then - { - inherit (db) type; - url = lib.${namespace}.strings.toUrl { - inherit (db) protocol host port; - path = "vaultwarden"; - query = { - sslmode = db.sslMode; - }; + temp-db-output.content = let + config = + cfg.database + |> ( + {type, ...} @ db: + if type == "sqlite" + then {inherit (db) type file;} + else if type == "postgresql" + then { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; }; - } - else - {} - ) - |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") - ; - in - '' - # GENERATED VALUES - ${config} - ''; + }; + } + else {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}"); + in '' + # GENERATED VALUES + ${config} + ''; }; }; }; From 2130c44388f94e466c9c748797772206c65e779d Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Tue, 2 Dec 2025 09:18:02 +0100 Subject: [PATCH 218/251] . --- .gitattributes | 1 + .just/machine.just | 22 ++-- .just/vars.just | 70 +++++------ .justfile | 64 +++++----- flake.lock | 88 ++++++-------- flake.nix | 3 +- homes/x86_64-linux/chris@mandos/default.nix | 9 +- homes/x86_64-linux/chris@manwe/default.nix | 9 +- homes/x86_64-linux/chris@orome/default.nix | 9 +- homes/x86_64-linux/chris@tulkas/default.nix | 9 +- .../home/application/onlyoffice/default.nix | 16 ++- modules/home/application/steam/default.nix | 110 +++++++++--------- .../home/application/teamspeak/default.nix | 30 ++--- modules/home/shell/toolset/git/default.nix | 34 +++--- modules/nixos/application/steam/default.nix | 15 ++- .../authentication/zitadel/default.nix | 2 - .../nixos/services/media/mydia/default.nix | 6 +- 17 files changed, 254 insertions(+), 243 deletions(-) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..176a458 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +* text=auto diff --git a/.just/machine.just b/.just/machine.just index 098e101..cc7665e 100644 --- a/.just/machine.just +++ b/.just/machine.just 
@@ -1,11 +1,11 @@ -@_default: list - -[doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ - -[doc('Update the target machine')] -[no-exit-message] -@update machine: - just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} +@_default: list + +[doc('List machines')] +@list: + ls -1 ../systems/x86_64-linux/ + +[doc('Update the target machine')] +[no-exit-message] +@update machine: + just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" + nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} diff --git a/.just/vars.just b/.just/vars.just index 0d381ef..d8bd181 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -1,36 +1,36 @@ -set unstable - -base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" -sops := "sops" -yq := "yq" - -@_default: - just --list - -[doc('list all vars of the target machine')] -list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml - -@set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - - echo "Done" - -@get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - -@remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - +set unstable + +base_path := invocation_directory() / "systems/x86_64-linux" +# sops := "nix shell nixpkgs#sops --command sops" +# yq := "nix shell nixpkgs#yq --command yq" +sops := "sops" +yq := "yq" + +@_default: + just --list + +[doc('list all vars of the target machine')] +list machine: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + +@edit machine: + sops edit {{ base_path }}/{{ machine }}/secrets.yml + +@set machine key value: + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + + git add {{ 
base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" + +@get machine key: + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" + +@remove machine key: + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile index 87563d0..3a15d20 100644 --- a/.justfile +++ b/.justfile 
@@ -1,33 +1,33 @@ -@_default: - just --list --list-submodules - -[doc('Manage vars')] -mod vars '.just/vars.just' - -[doc('Manage machines')] -mod machine '.just/machine.just' - -[doc('Show information about project')] -@show: - echo "show" - -[doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" - -[doc('Introspection on flake output')] -@select key: - nix eval --json .#{{ key }} | jq . - - - -#=============================================================================================== -# Utils -#=============================================================================================== -[no-exit-message] -[no-cd] -[private] -@assert condition message: +@_default: + just --list --list-submodules + +[doc('Manage vars')] +mod vars '.just/vars.just' + +[doc('Manage machines')] +mod machine '.just/machine.just' + +[doc('Show information about project')] +@show: + echo "show" + +[doc('update the flake dependencies')] +@update: + nix flake update + git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null + echo "Done" + +[doc('Introspection on flake output')] +@select key: + nix eval --json .#{{ key }} | jq . + + + +#=============================================================================================== +# Utils +#=============================================================================================== +[no-exit-message] +[no-cd] +[private] +@assert condition message: [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file diff --git a/flake.lock b/flake.lock index 4f55a24..5fda659 100644 --- a/flake.lock +++ b/flake.lock 
@@ -320,6 +320,27 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "mydia", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1763759067, + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -340,7 +361,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -361,7 +382,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "terranix", @@ -402,7 +423,7 @@ }, "flake-utils-plus": { "inputs": { - "flake-utils": "flake-utils_5" + "flake-utils": "flake-utils_4" }, "locked": { "lastModified": 1715533576, @@ -457,25 +478,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_5" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "inputs": { - "systems": "systems_7" + "systems": "systems_6" }, "locked": { "lastModified": 1694529238, 
@@ -682,19 +685,19 @@ }, "mydia": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-parts": "flake-parts_2", "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1764568388, - "narHash": "sha256-kl8165eI0lUz9E96sdreZ48/nApydDfJP8IksjBveAw=", - "owner": "getmydia", + "lastModified": 1764661298, + "narHash": "sha256-sdYGCZnrbjshBDvGDI34MepTHAJsdL3FZQHdqRJzPSk=", + "owner": "chris-kruining", "repo": "mydia", - "rev": "74f0cf9a8ca782581ec0a35acf6526fccfbb6e2a", + "rev": "a5a03289332c435946c4ebdcaee70d96380bc1a7", "type": "github" }, "original": { - "owner": "getmydia", + "owner": "chris-kruining", "repo": "mydia", "type": "github" } @@ -745,7 +748,7 @@ "nix-minecraft": { "inputs": { "flake-compat": "flake-compat_3", - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs_6" }, "locked": { @@ -1065,10 +1068,10 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts_3", "mnw": "mnw", "nixpkgs": "nixpkgs_8", - "systems": "systems_6" + "systems": "systems_5" }, "locked": { "lastModified": 1762622004, @@ -1239,11 +1242,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_10", "nur": "nur", - "systems": "systems_8", + "systems": "systems_7", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", 
@@ -1384,28 +1387,13 @@ "type": "github" } }, - "systems_9": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "terranix": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_9" + "systems": "systems_8" }, "locked": { "lastModified": 1762472226, diff --git a/flake.nix b/flake.nix index 5668380..7ccab59 100644 --- a/flake.nix +++ b/flake.nix @@ -90,7 +90,8 @@ }; mydia = { - url = "github:getmydia/mydia"; + url = "github:chris-kruining/mydia"; + # url = "github:getmydia/mydia"; }; }; diff --git a/homes/x86_64-linux/chris@mandos/default.nix b/homes/x86_64-linux/chris@mandos/default.nix index 6989314..ba87e73 100644 --- a/homes/x86_64-linux/chris@mandos/default.nix +++ b/homes/x86_64-linux/chris@mandos/default.nix @@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index 9abe613..0aced9b 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { 
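Review bot: The `mydia` input in flake.nix is re-pointed from the upstream repository to a personal fork without any stated reason, and the old URL is left behind as a commented-out line. The revision is still pinned through flake.lock, but a reader cannot tell what the fork carries or when to switch back, which matters for an input that is built and run as a service. I would replace the dead line with an explanatory comment such as `# fork of getmydia/mydia carrying <reason>; return to upstream once merged`. If the fork is meant to be temporary, naming the branch in the URL would make each lock update easier to audit.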
diff --git a/homes/x86_64-linux/chris@orome/default.nix b/homes/x86_64-linux/chris@orome/default.nix index dece506..7a1dc43 100644 --- a/homes/x86_64-linux/chris@orome/default.nix +++ b/homes/x86_64-linux/chris@orome/default.nix @@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { diff --git a/homes/x86_64-linux/chris@tulkas/default.nix b/homes/x86_64-linux/chris@tulkas/default.nix index 6989314..ba87e73 100644 --- a/homes/x86_64-linux/chris@tulkas/default.nix +++ b/homes/x86_64-linux/chris@tulkas/default.nix @@ -1,10 +1,11 @@ -{ osConfig, ... }: -{ +{osConfig, ...}: { home.stateVersion = osConfig.system.stateVersion; programs.git = { - userName = "Chris Kruining"; - userEmail = "chris@kruining.eu"; + settings.user = { + name = "Chris Kruining"; + email = "chris@kruining.eu"; + }; }; sneeuwvlok = { diff --git a/modules/home/application/onlyoffice/default.nix b/modules/home/application/onlyoffice/default.nix index 8153b68..0479539 100644 --- a/modules/home/application/onlyoffice/default.nix +++ b/modules/home/application/onlyoffice/default.nix @@ -1,16 +1,20 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let +{ + inputs, + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.application.onlyoffice; -in -{ +in { options.${namespace}.application.onlyoffice = { enable = mkEnableOption "enable onlyoffice"; }; config = mkIf cfg.enable { - home.packages = with pkgs; [ onlyoffice-bin ]; - # fonts.packages = with pkgs; [ corefonts ]; + home.packages = with pkgs; [onlyoffice-desktopeditors]; }; } diff --git a/modules/home/application/steam/default.nix b/modules/home/application/steam/default.nix index ec47942..8c87b40 100644 --- a/modules/home/application/steam/default.nix 
+++ b/modules/home/application/steam/default.nix 
@@ -1,55 +1,55 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.steam; -in -{ - options.${namespace}.application.steam = { - enable = mkEnableOption "enable steam"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ protonup-ng ]; - - home.sessionVariables = { - STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; - }; - - programs = { - # steam = { - # enable = true; - # package = pkgs.steam-small.override { - # extraEnv = { - # DXVK_HUD = "compiler"; - # MANGOHUD = true; - # }; - # }; - - # gamescopeSession = { - # enable = true; - # args = ["--immediate-flips"]; - # }; - # }; - - # https://github.com/FeralInteractive/gamemode - # gamemode = { - # enable = true; - # enableRenice = true; - # settings = {}; - # }; - - # gamescope = { - # enable = true; - # capSysNice = true; - # env = { - # DXVK_HDR = "1"; - # ENABLE_GAMESCOPE_WSI = "1"; - # WINE_FULLSCREEN_FSR = "1"; - # WLR_RENDERER = "vulkan"; - # }; - # args = ["--hdr-enabled"]; - # }; - }; - }; -} +{ inputs, config, lib, pkgs, namespace, ... 
}: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.steam; +in +{ + options.${namespace}.application.steam = { + enable = mkEnableOption "enable steam"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ protonup-ng ]; + + home.sessionVariables = { + STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d"; + }; + + programs = { + # steam = { + # enable = true; + # package = pkgs.steam-small.override { + # extraEnv = { + # DXVK_HUD = "compiler"; + # MANGOHUD = true; + # }; + # }; + + # gamescopeSession = { + # enable = true; + # args = ["--immediate-flips"]; + # }; + # }; + + # https://github.com/FeralInteractive/gamemode + # gamemode = { + # enable = true; + # enableRenice = true; + # settings = {}; + # }; + + # gamescope = { + # enable = true; + # capSysNice = true; + # env = { + # DXVK_HDR = "1"; + # ENABLE_GAMESCOPE_WSI = "1"; + # WINE_FULLSCREEN_FSR = "1"; + # WLR_RENDERER = "vulkan"; + # }; + # args = ["--hdr-enabled"]; + # }; + }; + }; +} diff --git a/modules/home/application/teamspeak/default.nix b/modules/home/application/teamspeak/default.nix index aab3c5d..d234e9a 100644 --- a/modules/home/application/teamspeak/default.nix +++ b/modules/home/application/teamspeak/default.nix @@ -1,15 +1,15 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.teamspeak; -in -{ - options.${namespace}.application.teamspeak = { - enable = mkEnableOption "enable teamspeak"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ teamspeak3 teamspeak6-client ]; - }; -} +{ inputs, config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.teamspeak; +in +{ + options.${namespace}.application.teamspeak = { + enable = mkEnableOption "enable teamspeak"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ teamspeak3 teamspeak6-client ]; + }; +} 
diff --git a/modules/home/shell/toolset/git/default.nix b/modules/home/shell/toolset/git/default.nix index 299b2a6..dd138c8 100644 --- a/modules/home/shell/toolset/git/default.nix +++ b/modules/home/shell/toolset/git/default.nix @@ -1,10 +1,14 @@ -{ config, lib, pkgs, namespace, ... }: -let +{ + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkEnableOption mkIf; cfg = config.${namespace}.shell.toolset.git; -in -{ +in { options.${namespace}.shell.toolset.git = { enable = mkEnableOption "version-control system"; }; @@ -12,7 +16,7 @@ in config = mkIf cfg.enable { home.sessionVariables.GITHUB_TOKEN = "$(cat /run/agenix/tokenGH)"; - home.packages = with pkgs; [ lazygit lazyjj jujutsu ]; + home.packages = with pkgs; [lazygit lazyjj jujutsu]; programs = { zsh.initContent = '' @@ -29,14 +33,6 @@ in git = { enable = true; package = pkgs.gitFull; - difftastic = { - enable = true; - options = { - background = "dark"; - color = "always"; - display = "inline"; - }; - }; ignores = [ # General: @@ -69,7 +65,7 @@ in "*.elc" ]; - extraConfig = { + settings = { init.defaultBranch = "main"; core = { editor = "nvim"; @@ -106,6 +102,16 @@ in }; }; }; + + difftastic = { + enable = true; + git.enable = true; + options = { + background = "dark"; + color = "always"; + display = "inline"; + }; + }; }; }; } diff --git a/modules/nixos/application/steam/default.nix b/modules/nixos/application/steam/default.nix index 6170e8a..735aa80 100644 --- a/modules/nixos/application/steam/default.nix +++ b/modules/nixos/application/steam/default.nix @@ -1,10 +1,15 @@ -{ inputs, config, lib, pkgs, namespace, ... }: -let +{ + inputs, + config, + lib, + pkgs, + namespace, + ... +}: let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.application.steam; -in -{ +in { options.${namespace}.application.steam = { enable = mkEnableOption "enable steam"; }; 
@@ -13,7 +18,7 @@ in programs = { steam = { enable = true; - package = pkgs.steam-small.override { + package = pkgs.steam.override { extraEnv = { DXVK_HUD = "compiler"; MANGOHUD = true; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 1b400bb..c0d9dc5 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -560,8 +560,6 @@ in tofu = lib.getExe pkgs.opentofu; in '' - #!/usr/bin/env bash - if [ "$(systemctl is-active zitadel)" != "active" ]; then echo "Zitadel is not running" exit 1 diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix index aa44856..1dbacda 100644 --- a/modules/nixos/services/media/mydia/default.nix +++ b/modules/nixos/services/media/mydia/default.nix @@ -21,12 +21,16 @@ in { config = mkIf cfg.enable { services.mydia = { enable = true; - package = inputs.mydia.packages.${system}.default; port = 2010; listenAddress = "0.0.0.0"; openFirewall = true; + database = { + type = "postgres"; + uri = "postgres://localhost:5432/mydia?sslMode=disable"; + }; + secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; guardianSecretKeyFile = config.sops.secrets."mydia/guardian_secret".path; From 37600b71161d342b4ef5fa608eefbfbf321b85be Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 4 Dec 2025 11:24:36 +0000 Subject: [PATCH 219/251] chore(secrets): set secret "qbittorrent/password_hash" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 9e80086..b50f9c5 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
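Review bot: The added `database.uri` in the mydia module (`postgres://localhost:5432/mydia?sslMode=disable`) carries no user or password and turns TLS off, so it presumably only works if PostgreSQL accepts unauthenticated TCP connections from localhost. That would let any local process open the mydia database. A Unix-socket connection with peer authentication avoids relying on trust auth, for example `uri = "postgres:///mydia?host=/run/postgresql";` if the application's driver accepts socket URIs; otherwise the credential should come from a sops secret, as the two key files just below do. The libpq spelling of the parameter is `sslmode`, so it is worth confirming that the camel-case form is honoured rather than silently ignored. The `services.mydia` block continues outside the hunk.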
@@ -24,6 +24,8 @@ mydia: oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str] secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] +qbittorrent: + password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -44,7 +46,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T14:27:13Z" - mac: ENC[AES256_GCM,data:v8t65zlWw6UuFeFQ5oBNVGjnuewPlZZG7ea8P4cEHXN+JnSAE67HivSCyjhUAFmX/UbksxnSLYdl72swTb9ASv6JaW2FVJsaF+5zmZbuM5pAjZl4MR6Y7+Vc9YqAi+axnSE1s8pRe9U1PYmcbLWaY9kRZdccavfM2bsoAIpJRTk=,iv:EevmWMh6ygEAlf9RE4qZ1KVKm6yDR5dTZeraoFHmdRg=,tag:sCdtEYc9iNjfEvyYyXH8rQ==,type:str] + lastmodified: "2025-12-04T11:24:33Z" + mac: ENC[AES256_GCM,data:vj6S7BjI7WqsdXxn2QGawJ1joiaCXYm42VJ/qw8ZMeoNBUJfyokYvdTxEG7jPJxBP0MSnbXPfkPXk7TPh6q2HiWG4QEbawTkoHZ9BFWZlqmyRxwHuTOU07+AgV1+DywScwrVlbFRo3vd1LkWZl/gyLWm7oYPfsknzxBDYpOf04M=,iv:mlK1eEG0m7tnjCzf++q4dNfAn4EZtT5INyiyMv2ZZGI=,tag:Gd2Swbq2JhDeyUm4svlGUg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From f079fa7487c76103cf89afbea906ad7b2198d275 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 4 Dec 2025 11:24:52 +0000 Subject: [PATCH 220/251] chore(secrets): set secret "qbittorrent/password" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b50f9c5..086d86d 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -26,6 +26,7 @@ mydia: guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] qbittorrent: password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str] + password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
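Review bot: The added `qbittorrent.password` entry sits next to `qbittorrent.password_hash` from the previous patch, so the file appears to hold both the cleartext and the hash of one credential. If the service only consumes the hash, the cleartext entry widens what a leaked age key or a readable decrypted secret exposes, and it belongs in a password manager instead. If both are needed, a comment at the matching `sops.secrets` declaration (not visible here) should say which unit reads which. The commit subject matches the `set` recipe in `.just/vars.just`, which takes the value as a command-line argument; if that is how it was set, the cleartext may be in shell history, and `sops edit` avoids that.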
@@ -46,7 +47,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-04T11:24:33Z" - mac: ENC[AES256_GCM,data:vj6S7BjI7WqsdXxn2QGawJ1joiaCXYm42VJ/qw8ZMeoNBUJfyokYvdTxEG7jPJxBP0MSnbXPfkPXk7TPh6q2HiWG4QEbawTkoHZ9BFWZlqmyRxwHuTOU07+AgV1+DywScwrVlbFRo3vd1LkWZl/gyLWm7oYPfsknzxBDYpOf04M=,iv:mlK1eEG0m7tnjCzf++q4dNfAn4EZtT5INyiyMv2ZZGI=,tag:Gd2Swbq2JhDeyUm4svlGUg==,type:str] + lastmodified: "2025-12-04T11:24:52Z" + mac: ENC[AES256_GCM,data:jIgkl1lcVDSlKqJs9fjaHUAZsGL+22T86/qqKyDziHl0+VU763Ezwm8P+la+55jIIT2zLhFcUjhn2BabBi90OeEPztAC4rGpZj6+ZZ0GDCj/JhjPAAo3LgAKOCG0Xgf8MZWr/rXd6bLhW7Qj36PMJnap26rjEiUZeSvpWS2dz8g=,iv:CDx8fBI9Dl1uwrbMD1fa7/h3C7haK3xZxJI59mtL1LA=,tag:2UDRFJoevGEBKZA/9eUiOw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From a787c8c646be6dff1ff3fdda18c3540914391de9 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sat, 6 Dec 2025 17:42:02 +0100 Subject: [PATCH 221/251] chore: update deps --- flake.lock | 148 ++++++++++++++---- .../authentication/himmelblau/default.nix | 15 +- 2 files changed, 128 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index 5fda659..66f4631 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ "base16-helix": { "flake": false, "locked": { - "lastModified": 1752979451, - "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=", + "lastModified": 1760703920, + "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=", "owner": "tinted-theming", "repo": "base16-helix", - "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac", + "rev": "d646af9b7d14bff08824538164af99d0c521b185", "type": "github" }, "original": { 
@@ -206,11 +206,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1758112371, - "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", + "lastModified": 1764724327, + "narHash": "sha256-OkFLrD3pFR952TrjQi1+Vdj604KLcMnkpa7lkW7XskI=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", + "rev": "66b7c635763d8e6eb86bd766de5a1e1fbfcc1047", "type": "github" }, "original": { @@ -369,11 +369,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1763759067, + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", "type": "github" }, "original": { @@ -532,11 +532,11 @@ "flake": false, "locked": { "host": "gitlab.gnome.org", - "lastModified": 1762869044, - "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=", + "lastModified": 1764524476, + "narHash": "sha256-bTmNn3Q4tMQ0J/P0O5BfTQwqEnCiQIzOGef9/aqAZvk=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad", + "rev": "c0e1ad9f0f703fd0519033b8f46c3267aab51a22", "type": "gitlab" }, "original": { @@ -574,11 +574,19 @@ "rust-overlay": "rust-overlay" }, "locked": { +<<<<<<< HEAD "lastModified": 1764617621, "narHash": "sha256-Eq0TvWs6xhKZs5HXH1hlrNasrHD7AOEdeLkTis//X7w=", "owner": "himmelblau-idm", "repo": "himmelblau", "rev": "c19494250d8c15e7c75e9301bdc271579a6dc77a", +======= + "lastModified": 1764787446, + "narHash": "sha256-RUfGGM8kiXSQA3ct1BZXN5Sm8hxr3XF0P/eR/WGLaGU=", + "owner": "himmelblau-idm", + "repo": "himmelblau", + "rev": "8ab33affe6db4cf5e9c17c2abcd7f3b2cedcfbd8", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { 
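Review bot: The himmelblau hunk commits unresolved merge-conflict markers: `<<<<<<< HEAD`, `=======` and `>>>>>>> ba1d4e1 (chore: update deps)` are added inside the `locked` object, which now holds two sets of `lastModified`/`narHash`/`rev`. flake.lock is therefore no longer valid JSON, and it is ambiguous which revision is meant to be pinned. The same markers appear in the later hunks for home-manager, Jovian-NixOS, nix-minecraft, nixos-wsl, three nixpkgs entries, rust-analyzer, stylix and zen-browser-flake. Rather than hand-picking hashes, drop the conflicted file and regenerate it with `nix flake lock` (or `nix flake update`), so that every `narHash` matches its `rev`. A CI step that parses flake.lock as JSON would catch this before it lands.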
@@ -594,11 +602,19 @@ ] }, "locked": { +<<<<<<< HEAD "lastModified": 1764603455, "narHash": "sha256-Q70rxlbrxPcTtqWIb9+71rkJESxIOou5isZBvyOieXw=", "owner": "nix-community", "repo": "home-manager", "rev": "effe4c007d6243d9e69ce2242d76a2471c1b8d5c", +======= + "lastModified": 1764839789, + "narHash": "sha256-QCgaXEj8036JlfyVM2e5fgKIxoF7IgGRcAi8LkehKvo=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "d441981b200305ebb8e2e2921395f51d207fded6", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -636,11 +652,19 @@ ] }, "locked": { +<<<<<<< HEAD "lastModified": 1764612577, "narHash": "sha256-sHI+7m/ryVYf7agWkutYbvzUS07aAd8g2NVWgUqhxLg=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", "rev": "bcb22e208cf8883004fcec3a33f2500e7dc319a5", +======= + "lastModified": 1764746434, + "narHash": "sha256-6ymFuw+Z1C90ezf8H0BP3c2JFZhJYwMq31px2StwWHU=", + "owner": "Jovian-Experiments", + "repo": "Jovian-NixOS", + "rev": "b4c0b604148adacf119b89824ed26df8926ce42c", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -689,11 +713,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1764661298, - "narHash": "sha256-sdYGCZnrbjshBDvGDI34MepTHAJsdL3FZQHdqRJzPSk=", + "lastModified": 1764840646, + "narHash": "sha256-ffhLaQWDm4iyf7j3uxmMXg5k7FRimaj8PXA4Jj9EpB0=", "owner": "chris-kruining", "repo": "mydia", - "rev": "a5a03289332c435946c4ebdcaee70d96380bc1a7", + "rev": "035fa63a276ed4dd9743fdf5ff50a651cabb9bcd", "type": "github" }, "original": { 
@@ -752,11 +776,19 @@ "nixpkgs": "nixpkgs_6" }, "locked": { +<<<<<<< HEAD "lastModified": 1764556167, "narHash": "sha256-/b+oEls56HDRzsSp60tsRfPFRjFebBPHq6k1I+hfPqw=", "owner": "Infinidoge", "repo": "nix-minecraft", "rev": "849d1b2b1adddfc7bddbd3be6bffd218a3f5a6fe", +======= + "lastModified": 1764813963, + "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=", + "owner": "Infinidoge", + "repo": "nix-minecraft", + "rev": "491200d6848402bbab1421cccbc15a46f08c7f78", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -852,11 +884,19 @@ ] }, "locked": { +<<<<<<< HEAD "lastModified": 1764591717, "narHash": "sha256-T/HMA0Bb/O6UnlGQ0Xt+wGe1j8m7eyyQ5+vVcCJslsM=", "owner": "nix-community", "repo": "nixos-wsl", "rev": "84d1dab290feb4865d0cfcffc7aa0cf9bc65c3b7", +======= + "lastModified": 1764730608, + "narHash": "sha256-FxKIa3OCSRVC23qrk7VT68vExUcmSruJ8OobVlSWOxc=", + "owner": "nix-community", + "repo": "nixos-wsl", + "rev": "10124c58674360765adcb38c9a8b081fb72904e4", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -898,11 +938,11 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1762977756, - "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=", + "lastModified": 1764517877, + "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55", + "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", "type": "github" }, "original": { 
@@ -914,11 +954,19 @@ }, "nixpkgs_2": { "locked": { +<<<<<<< HEAD "lastModified": 1764547213, "narHash": "sha256-pGXM6frMKLRJmeMcQ228O1QQBuNEUjzmWx9uBd+CbXM=", "owner": "nixos", "repo": "nixpkgs", "rev": "64de27c1c985895c1a9f92aaeaab4e6a4c0960f5", +======= + "lastModified": 1764811743, + "narHash": "sha256-Ypfd8oBuG3HWtzcY7VtYiI6Pawznag7YHWy8RoOfiBs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "4a6ebaabd716d6479b39fa234a8f895f0ec1cb88", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -946,11 +994,19 @@ }, "nixpkgs_4": { "locked": { +<<<<<<< HEAD "lastModified": 1764618760, "narHash": "sha256-QTUgygkdUq4sq7mXoO2Q2IPpvkKOZtTAJkbTaTjMi0A=", "owner": "NixOS", "repo": "nixpkgs", "rev": "29a7d6eec7e1177020f62f7599e5021317219c37", +======= + "lastModified": 1764856222, + "narHash": "sha256-yEJmtoFu4cJre1NuU4fb8q57Oux+NTbocnALtJ64aEI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ece6e266caf1effab32eceef0403b797b4330373", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -994,11 +1050,19 @@ }, "nixpkgs_7": { "locked": { +<<<<<<< HEAD "lastModified": 1764517877, "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", "owner": "nixos", "repo": "nixpkgs", "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", +======= + "lastModified": 1764667669, + "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "418468ac9527e799809c900eda37cbff999199b6", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -1052,11 +1116,11 @@ ] }, "locked": { - "lastModified": 1758998580, - "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", + "lastModified": 1764773531, + "narHash": "sha256-mCBl7MD1WZ7yCG6bR9MmpPO2VydpNkWFgnslJRIT1YU=", "owner": "nix-community", "repo": "NUR", - "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", + "rev": "1d9616689e98beded059ad0384b9951e967a17fa", "type": "github" }, "original": { 
@@ -1139,11 +1203,19 @@ "rust-analyzer-src": { "flake": false, "locked": { +<<<<<<< HEAD "lastModified": 1764525349, "narHash": "sha256-vR3vU9AwzMsBvjNeeG2inA5W/2MwseFk5NIIrLFEMHk=", "owner": "rust-lang", "repo": "rust-analyzer", "rev": "d646b23f000d099d845f999c2c1e05b15d9cdc78", +======= + "lastModified": 1764778537, + "narHash": "sha256-SNL+Fj1ZWiBqCrHJT1S9vMZujrWxCOmf3zkT66XSnhE=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "633cff25206d5108043d87617a43c9d04aa42c88", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -1254,11 +1326,19 @@ "tinted-zed": "tinted-zed" }, "locked": { +<<<<<<< HEAD "lastModified": 1764550443, "narHash": "sha256-ArO2V1YEHmEILilTj4KPtqF4gqc1q2HBrrrmygQ/UyU=", "owner": "nix-community", "repo": "stylix", "rev": "794b6e1fa75177ebfeb32967f135858a1ab1ba15", +======= + "lastModified": 1764798099, + "narHash": "sha256-IIwR5ZWo7tjxjRpkz0tViF9KFbQ1YXs9Wkan46WQbfk=", + "owner": "nix-community", + "repo": "stylix", + "rev": "4b9e0e7ba3cccb86fe2bf0f4a2dd18256bef1cc6", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -1445,11 +1525,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1757716333, - "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", + "lastModified": 1763914658, + "narHash": "sha256-Hju0WtMf3iForxtOwXqGp3Ynipo0EYx1AqMKLPp9BJw=", "owner": "tinted-theming", "repo": "schemes", - "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", + "rev": "0f6be815d258e435c9b137befe5ef4ff24bea32c", "type": "github" }, "original": { 
@@ -1461,11 +1541,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1757811970, - "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", + "lastModified": 1764465359, + "narHash": "sha256-lbSVPqLEk2SqMrnpvWuKYGCaAlfWFMA6MVmcOFJjdjE=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", + "rev": "edf89a780e239263cc691a987721f786ddc4f6aa", "type": "github" }, "original": { @@ -1477,11 +1557,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1757811247, - "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", + "lastModified": 1764464512, + "narHash": "sha256-rCD/pAhkMdCx6blsFwxIyvBJbPZZ1oL2sVFrH07lmqg=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", + "rev": "907dbba5fb8cf69ebfd90b00813418a412d0a29a", "type": "github" }, "original": { @@ -1519,11 +1599,19 @@ ] }, "locked": { +<<<<<<< HEAD "lastModified": 1764598958, "narHash": "sha256-sJQHRL8trBoG/ArR+mUlyp5cyKU0pgQY+qDQzZGnVgM=", "owner": "0xc000022070", "repo": "zen-browser-flake", "rev": "8cded25e10b13e2999241f1c73a7d4e5e5d6f69e", +======= + "lastModified": 1764825646, + "narHash": "sha256-QkKEkj3GXpkPxJz9S1RgaMlxstkyaj5IKVWvxIbtC8w=", + "owner": "0xc000022070", + "repo": "zen-browser-flake", + "rev": "8c9284cc227a5c7cd8f1e1fa7a6882b0907187c8", +>>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { diff --git a/modules/nixos/services/authentication/himmelblau/default.nix b/modules/nixos/services/authentication/himmelblau/default.nix index 1228759..d39d4cf 100644 --- a/modules/nixos/services/authentication/himmelblau/default.nix +++ b/modules/nixos/services/authentication/himmelblau/default.nix 
@@ -1,10 +1,15 @@ -{ inputs, lib, config, namespace, ... }: let +{ + inputs, + lib, + config, + namespace, + ... +}: let inherit (lib) mkEnableOption mkIf; cfg = config.${namespace}.services.authentication.himmelblau; -in -{ - imports = [ inputs.himmelblau.nixosModules.himmelblau ]; +in { + imports = [inputs.himmelblau.nixosModules.himmelblau]; options.${namespace}.services.authentication.himmelblau = { enable = mkEnableOption "enable azure entra ID authentication"; @@ -14,7 +19,7 @@ in services.himmelblau = { enable = true; settings = { - domains = []; + domain = ""; pam_allow_groups = []; local_groups = []; }; From 98425c9dcc393aec60b5775bde56c71d4db98209 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sat, 6 Dec 2025 17:39:16 +0100 Subject: [PATCH 222/251] kaas --- .forgejo/workflows/action.yml | 2 +- .just/machine.just | 2 +- .just/vars.just | 36 +- .justfile | 4 +- flake.lock | 6 +- .../services/development/forgejo/default.nix | 8 + modules/nixos/services/media/default.nix | 323 ++++++++++-------- .../nixos/services/media/mydia/default.nix | 44 ++- 8 files changed, 251 insertions(+), 174 deletions(-) diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 684cfad..2c61087 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -12,4 +12,4 @@ jobs: steps: - name: Echo run: | - nix --version \ No newline at end of file + nix --version diff --git a/.just/machine.just b/.just/machine.just index cc7665e..ca10e1c 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -8,4 +8,4 @@ [no-exit-message] @update machine: just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} + nixos-rebuild switch -L --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} 
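Review bot: `services.himmelblau.enable = true` is paired with `domain = "";` and an empty `pam_allow_groups`, so switching on this module's `enable` option starts the identity service with no tenant domain and no group restriction defined here. Unless another module fills these in, consider exposing both as options under `${namespace}.services.authentication.himmelblau` and failing evaluation while they are empty, for example an `assertions` entry with `assertion = cfg.domain != "";` (`cfg.domain` being the new option). How himmelblau treats an empty `pam_allow_groups` is not visible from this hunk and is worth confirming against its documentation. The `config` block continues outside the hunk.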
diff --git a/.just/vars.just b/.just/vars.just
index d8bd181..3b706da 100644
--- a/.just/vars.just
+++ b/.just/vars.just
@@ -1,36 +1,38 @@ -set unstable +set unstable := true base_path := invocation_directory() / "systems/x86_64-linux" + # sops := "nix shell nixpkgs#sops --command sops" # yq := "nix shell nixpkgs#yq --command yq" + sops := "sops" yq := "yq" @_default: - just --list + just --list [doc('list all vars of the target machine')] list machine: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml - + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml + @edit machine: - sops edit {{ base_path }}/{{ machine }}/secrets.yml - + sops edit {{ base_path }}/{{ machine }}/secrets.yml + @set machine key value: - sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" + sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\"" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + + echo "Done" - echo "Done" - @get machine key: - sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" - + sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" + @remove machine key: - sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" + sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 
'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git add {{ base_path }}/{{ machine }}/secrets.yml + git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine }}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - echo "Done" \ No newline at end of file + echo "Done" diff --git a/.justfile b/.justfile index 3a15d20..75537e1 100644 --- a/.justfile +++ b/.justfile @@ -19,7 +19,7 @@ mod machine '.just/machine.just' [doc('Introspection on flake output')] @select key: - nix eval --json .#{{ key }} | jq . + nix eval --show-trace --json .#{{ key }} | jq . @@ -30,4 +30,4 @@ mod machine '.just/machine.just' [no-cd] [private] @assert condition message: - [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } \ No newline at end of file + [ {{ condition }} ] || { echo -e 1>&2 "\n\x1b[1;41m Error \x1b[0m {{ message }}\n"; exit 1; } diff --git a/flake.lock b/flake.lock index 66f4631..9d00509 100644 --- a/flake.lock +++ b/flake.lock @@ -713,11 +713,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1764840646, - "narHash": "sha256-ffhLaQWDm4iyf7j3uxmMXg5k7FRimaj8PXA4Jj9EpB0=", + "lastModified": 1764866402, + "narHash": "sha256-0NOWsPks+/vV5ZM9ti71hUPMLy3FzbEIlFI6vxARvuY=", "owner": "chris-kruining", "repo": "mydia", - "rev": "035fa63a276ed4dd9743fdf5ff50a651cabb9bcd", + "rev": "458fc9a21c6987d994bc7932efb6c49df25ba806", "type": "github" }, "original": { diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index c7aff89..114726e 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix 
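Review bot: In the `set` recipe `{{ value }}` is pasted into the shell line inside single quotes (`echo '{{ value }}'`), and just substitutes it as plain text before the shell runs, so a secret that contains `'` ends the quoting and the rest is interpreted by the shell; `{{ key }}` sits in the same position in `set`, `get` and `remove`. Pass the arguments through just's `quote()` function, e.g. `echo {{ quote(value) }}`, or declare the parameter as `$value` so that it reaches the recipe as an environment variable. The secret is also a command-line argument of `just` itself, which leaves it in shell history and the process list; reading it from stdin would avoid that.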
@@ -184,6 +184,14 @@ in { }; }; + users = { + users."gitea-runner" = { + isSystemUser = true; + group = "gitea-runner"; + }; + groups."gitea-runner" = {}; + }; + sops.secrets = { "forgejo/action_runner_token" = { owner = "gitea-runner"; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 1950bf0..c880580 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -1,13 +1,19 @@ -{ pkgs, lib, namespace, config, inputs, system, ... }: -let +{ + pkgs, + lib, + namespace, + config, + inputs, + system, + ... +}: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media; - arr = ["radarr" ]; -in -{ + arr = ["radarr"]; +in { options.${namespace}.services.media = { enable = mkEnableOption "Enable media services"; 
@@ -69,117 +75,132 @@ in # Services #========================================================================= services = let - arr-services = + arr-services = arr |> lib.imap (i: service: { name = service; - value = { - enable = true; - openFirewall = true; + value = + { + enable = true; + openFirewall = true; - environmentFiles = [ - config.sops.templates."${service}/config.env".path - ]; + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; - settings = { - auth.authenticationMethod = "External"; + settings = { + auth.authenticationMethod = "External"; - server = { - bindaddress = "0.0.0.0"; - port = 2000 + i; + server = { + bindaddress = "0.0.0.0"; + port = 2000 + i; + }; + + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; }; - - postgres = { - host = "localhost"; - port = "5432"; - user = service; - maindb = service; - logdb = service; - }; - }; - } - // (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {}); + } + // ( + if service != "prowlarr" + then { + user = cfg.user; + group = cfg.group; + } + else {} + ); }) - |> lib.listToAttrs - ; - in - arr-services // { - bazarr = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - listenPort = 2005; - }; - - # port is harcoded in nixpkgs module - jellyfin = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - }; - - flaresolverr = { - enable = true; - openFirewall = true; - port = 2007; - }; - - qbittorrent = { - enable = true; - openFirewall = true; - webuiPort = 2008; - - serverConfig = { - LegalNotice.Accepted = true; + |> lib.listToAttrs; + in + arr-services + // { + bazarr = { + enable = true; + openFirewall = true; + user = cfg.user; + group = cfg.group; + listenPort = 2005; }; - user = cfg.user; - group = cfg.group; - }; + # port is harcoded in nixpkgs module + jellyfin = { + enable = true; + openFirewall = true; + user = 
cfg.user; + group = cfg.group; + }; - # port is harcoded in nixpkgs module - sabnzbd = { - enable = true; - openFirewall = true; - configFile = "${cfg.path}/sabnzbd/config.ini"; + flaresolverr = { + enable = true; + openFirewall = true; + port = 2007; + }; - user = cfg.user; - group = cfg.group; - }; + qbittorrent = { + enable = true; + openFirewall = true; + webuiPort = 2008; - postgresql = - let - databases = arr |> lib.concatMap (s: [ s "${s}-log" ]); - in - { - enable = true; - ensureDatabases = arr; - ensureUsers = arr |> lib.map (service: { - name = service; - ensureDBOwnership = true; - }); - }; + serverConfig = { + LegalNotice.Accepted = true; - caddy = { - enable = true; - virtualHosts = { - "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://[::1]:8096 - ''; + Prefecences.WebUI = { + Username = "admin"; + }; + }; + + user = cfg.user; + group = cfg.group; + }; + + # port is harcoded in nixpkgs module + sabnzbd = { + enable = true; + openFirewall = true; + configFile = "${cfg.path}/sabnzbd/config.ini"; + + user = cfg.user; + group = cfg.group; + }; + + postgresql = let + databases = arr |> lib.concatMap (s: [s "${s}-log"]); + in { + enable = true; + ensureDatabases = arr; + ensureUsers = + arr + |> lib.map (service: { + name = service; + ensureDBOwnership = true; + }); + }; + + caddy = { + enable = true; + virtualHosts = { + "jellyfin.kruining.eu".extraConfig = '' + reverse_proxy http://[::1]:8096 + ''; + }; }; }; - }; - systemd.services.radarrApplyTerraform = - let + systemd.services.radarrApplyTerraform = let # this is a nix package, the generated json file to be exact terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; modules = [ - ({ config, lib, ... }: { + ({ + config, + lib, + ... + }: { config = { variable = { api_key = { 
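Review bot: Each `arr-services` entry combines `auth.authenticationMethod = "External"` with `bindaddress = "0.0.0.0"` and `openFirewall = true`, so the service can be reached directly on port `2000 + i` without passing through the proxy that is expected to authenticate; with external authentication the application presumably performs no login check of its own. Binding to loopback (`bindaddress = "127.0.0.1";`) and dropping `openFirewall` would leave the reverse proxy as the only way in, and since only `jellyfin.kruining.eu` has a `caddy` virtual host in this hunk, the proxy side may need adding as well. Separately, `Prefecences.WebUI` in the qBittorrent `serverConfig` looks like a typo for `Preferences.WebUI`, which would put `Username` in a section qBittorrent does not read. The enclosing `config` block starts and ends outside the hunk.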
@@ -207,13 +228,12 @@ in }) ]; }; - in - { + in { description = "Radarr terraform apply"; - wantedBy = [ "multi-user.target" ]; - wants = [ "radarr.service" ]; - + wantedBy = ["multi-user.target"]; + wants = ["radarr.service"]; + script = '' #!/usr/bin/env bash 
@@ -255,53 +275,70 @@ in systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; sops = { - secrets = - arr - |> lib.map (service: { - name = "${service}/apikey"; - value = { + secrets = let + arrSecrets = + arr + |> lib.map (service: { + name = "${service}/apikey"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = ["${service}.service"]; + }; + }) + |> lib.listToAttrs; + in + arrSecrets + // { + # "qbittorrent/password" = {}; + "qbittorrent/password_hash" = {}; + }; + + templates = let + apikeys = + arr + |> lib.map (service: { + name = "${service}/config.env"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = ["${service}.service"]; + content = '' + ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + + tfvars = + arr + |> lib.map (service: { + name = "${service}/config.tfvars"; + value = { + owner = cfg.user; + group = cfg.group; + restartUnits = ["${service}ApplyTerraform.service"]; + content = '' + api_key = "${config.sops.placeholder."${service}/apikey"}" + ''; + }; + }) + |> lib.listToAttrs; + + qbittorrent = { + "qbittorrent/password.conf" = { owner = cfg.user; group = cfg.group; - restartUnits = [ "${service}.service" ]; + restartUnits = ["qbittorrent.service"]; + path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf"; + content = '' + [Preferences] + WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}" + ''; }; - }) - |> lib.listToAttrs - ; - - templates = - let - apikeys = - arr - |> lib.map (service: { - name = "${service}/config.env"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = [ "${service}.service" ]; - content = '' - ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - - tfvars = - arr - |> lib.map(service: { - name = "${service}/config.tfvars"; - value = { - owner = 
cfg.user; - group = cfg.group; - restartUnits = [ "${service}ApplyTerraform.service" ]; - content = '' - api_key = "${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - in - apikeys // tfvars - ; + }; + in + apikeys // tfvars // qbittorrent; }; }; } diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix index 1dbacda..2bee38a 100644 --- a/modules/nixos/services/media/mydia/default.nix +++ b/modules/nixos/services/media/mydia/default.nix @@ -26,9 +26,17 @@ in { listenAddress = "0.0.0.0"; openFirewall = true; + mediaLibraries = [ + "/var/mydia/movies" + "/var/mydia/series" + ]; + database = { + # type = "sqlite"; + # uri = "file:///var/lib/mydia/mydia.db"; type = "postgres"; - uri = "postgres://localhost:5432/mydia?sslMode=disable"; + uri = "postgres://mydia@localhost:5432/mydia?sslmode=disable"; + passwordFile = config.sops.secrets."mydia/qbittorrent_password".path; }; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; 
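Review bot: The new `"qbittorrent/password.conf"` template is written next to the main configuration as a separate file, and as far as I know qBittorrent loads only `qBittorrent.conf` from that directory, so the `WebUI\Password_PBKDF2` value may never be applied. If that is the case the WebUI on port 2008, which the services hunk opens in the firewall, keeps whatever credentials qBittorrent falls back to. Confirm after deployment that logging in with the intended password works and that the previous one is rejected. If it does not, the hash has to end up in the file generated from `serverConfig`; how to do that without putting it in the Nix store depends on the qbittorrent module, which is not visible here.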
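Review bot: `database.passwordFile` is set to `config.sops.secrets."mydia/qbittorrent_password".path`, the same secret that `downloadClients.qbittorrent.passwordFile` uses in the next hunk, so the PostgreSQL role `mydia` would authenticate with the qBittorrent WebUI password. This looks like a copy-paste; one credential shared between two services means a leak of either exposes both. Declare a dedicated secret for the database (for example `"mydia/database_password"`, a suggested name) and point `passwordFile` at it, or drop `passwordFile` if the local PostgreSQL setup does not use password authentication for this role.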
@@ -41,16 +49,38 @@ in { clientSecretFile = config.sops.secrets."mydia/oidc_secret".path; scopes = ["openid" "profile" "email"]; }; + + downloadClients = { + qbittorrent = { + type = "qbittorrent"; + host = "localhost"; + port = 2008; + username = "admin"; + passwordFile = config.sops.secrets."mydia/qbittorrent_password".path; + useSsl = false; + }; + }; }; - sops.secrets = - ["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"] - |> lib.map (name: - lib.nameValuePair "mydia/${name}" { + sops.secrets = let + base = + ["secret_key_base" "guardian_secret" "oidc_id" "oidc_secret"] + |> lib.map (name: + lib.nameValuePair "mydia/${name}" { + owner = config.services.mydia.user; + group = config.services.mydia.group; + restartUnits = ["mydia.service"]; + }) + |> lib.listToAttrs; + in + base + // { + "mydia/qbittorrent_password" = { owner = config.services.mydia.user; group = config.services.mydia.group; restartUnits = ["mydia.service"]; - }) - |> lib.listToAttrs; + key = "qbittorrent/password"; + }; + }; }; } From f1800a90f980eaedfccc5fc5af413895bd79f863 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Dec 2025 10:31:56 +0100 Subject: [PATCH 223/251] chore: update dependencies --- flake.lock | 126 ++++++++--------------------------------------------- 1 file changed, 19 insertions(+), 107 deletions(-) diff --git a/flake.lock b/flake.lock index 9d00509..adfa1cf 100644 --- a/flake.lock +++ b/flake.lock 
@@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1764601856, - "narHash": "sha256-AWohz0cJ5J1keDnUkuWeX2QbWDa62yGSSeMNfdstx10=", - "rev": "a61aac8bf2c97cf142b70d344a7174811c62b1a4", + "lastModified": 1765033957, + "narHash": "sha256-yL5IjUOne+h6AodxxqoqwPgRy2HXle6+W4Aa2GVJruk=", + "rev": "9985ce76af367e7c9e3022c5b893418059a17491", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/a61aac8bf2c97cf142b70d344a7174811c62b1a4.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/9985ce76af367e7c9e3022c5b893418059a17491.tar.gz" }, "original": { "type": "tarball", @@ -130,11 +130,11 @@ ] }, "locked": { - "lastModified": 1764350888, - "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=", + "lastModified": 1764627417, + "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=", "owner": "nix-community", "repo": "disko", - "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26", + "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3", "type": "github" }, "original": { @@ -149,11 +149,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1764542190, - "narHash": "sha256-einnpQaGZ4OoinhfKWm8mfatrBeYNnc3K4TYoKmVOSw=", + "lastModified": 1764775116, + "narHash": "sha256-S4fY3fytcqXBuOSbQjEVke2eqK9/e/6Jy3jp0JGM2X4=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "eef0ab9b05d3d27f320226daaffb18d9dcc41c06", + "rev": "172661ccc78b1529a294eee5e99ca1616c934f37", "type": "github" }, "original": { @@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1764571808, - "narHash": "sha256-+oo9W5rz03TjfpNqDSLEQwgKiuBbjrHdORyTHli2RuM=", + "lastModified": 1764915802, + "narHash": "sha256-eHTucU43sRCpvvTt5eey9htcWipS7ZN3B7ts6MiXLxo=", "owner": "nix-community", "repo": "fenix", - "rev": "df3c2e78ec13418f85c1f26e77a50f865ec57d38", + "rev": "a83a78fd3587d9f3388f0b459ad9c2bbd6d1b6d8", "type": "github" }, "original": { 
@@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1764592856, - "narHash": "sha256-ODwJzh/AiFyhFtmJoAGP5Gbp38ARsUiesBVMXXd1x/s=", + "lastModified": 1765024561, + "narHash": "sha256-xtfg5gNfyiyBTfWwbKgatV1sPeJjEnUczHCaSWi+crY=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "5aadac137f2c49991cea2bc367dddbb905ffe645", + "rev": "e6f559729459a7890f01b258c33c1025800f5dbb", "type": "github" }, "original": { @@ -574,19 +574,11 @@ "rust-overlay": "rust-overlay" }, "locked": { -<<<<<<< HEAD "lastModified": 1764617621, "narHash": "sha256-Eq0TvWs6xhKZs5HXH1hlrNasrHD7AOEdeLkTis//X7w=", "owner": "himmelblau-idm", "repo": "himmelblau", "rev": "c19494250d8c15e7c75e9301bdc271579a6dc77a", -======= - "lastModified": 1764787446, - "narHash": "sha256-RUfGGM8kiXSQA3ct1BZXN5Sm8hxr3XF0P/eR/WGLaGU=", - "owner": "himmelblau-idm", - "repo": "himmelblau", - "rev": "8ab33affe6db4cf5e9c17c2abcd7f3b2cedcfbd8", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -602,19 +594,11 @@ ] }, "locked": { -<<<<<<< HEAD "lastModified": 1764603455, "narHash": "sha256-Q70rxlbrxPcTtqWIb9+71rkJESxIOou5isZBvyOieXw=", "owner": "nix-community", "repo": "home-manager", "rev": "effe4c007d6243d9e69ce2242d76a2471c1b8d5c", -======= - "lastModified": 1764839789, - "narHash": "sha256-QCgaXEj8036JlfyVM2e5fgKIxoF7IgGRcAi8LkehKvo=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "d441981b200305ebb8e2e2921395f51d207fded6", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { 
@@ -652,19 +636,11 @@ ] }, "locked": { -<<<<<<< HEAD "lastModified": 1764612577, "narHash": "sha256-sHI+7m/ryVYf7agWkutYbvzUS07aAd8g2NVWgUqhxLg=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", "rev": "bcb22e208cf8883004fcec3a33f2500e7dc319a5", -======= - "lastModified": 1764746434, - "narHash": "sha256-6ymFuw+Z1C90ezf8H0BP3c2JFZhJYwMq31px2StwWHU=", - "owner": "Jovian-Experiments", - "repo": "Jovian-NixOS", - "rev": "b4c0b604148adacf119b89824ed26df8926ce42c", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -776,19 +752,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { -<<<<<<< HEAD "lastModified": 1764556167, "narHash": "sha256-/b+oEls56HDRzsSp60tsRfPFRjFebBPHq6k1I+hfPqw=", "owner": "Infinidoge", "repo": "nix-minecraft", "rev": "849d1b2b1adddfc7bddbd3be6bffd218a3f5a6fe", -======= - "lastModified": 1764813963, - "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=", - "owner": "Infinidoge", - "repo": "nix-minecraft", - "rev": "491200d6848402bbab1421cccbc15a46f08c7f78", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -884,19 +852,11 @@ ] }, "locked": { -<<<<<<< HEAD "lastModified": 1764591717, "narHash": "sha256-T/HMA0Bb/O6UnlGQ0Xt+wGe1j8m7eyyQ5+vVcCJslsM=", "owner": "nix-community", "repo": "nixos-wsl", "rev": "84d1dab290feb4865d0cfcffc7aa0cf9bc65c3b7", -======= - "lastModified": 1764730608, - "narHash": "sha256-FxKIa3OCSRVC23qrk7VT68vExUcmSruJ8OobVlSWOxc=", - "owner": "nix-community", - "repo": "nixos-wsl", - "rev": "10124c58674360765adcb38c9a8b081fb72904e4", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { 
@@ -954,19 +914,11 @@ }, "nixpkgs_2": { "locked": { -<<<<<<< HEAD "lastModified": 1764547213, "narHash": "sha256-pGXM6frMKLRJmeMcQ228O1QQBuNEUjzmWx9uBd+CbXM=", "owner": "nixos", "repo": "nixpkgs", "rev": "64de27c1c985895c1a9f92aaeaab4e6a4c0960f5", -======= - "lastModified": 1764811743, - "narHash": "sha256-Ypfd8oBuG3HWtzcY7VtYiI6Pawznag7YHWy8RoOfiBs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "4a6ebaabd716d6479b39fa234a8f895f0ec1cb88", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -994,19 +946,11 @@ }, "nixpkgs_4": { "locked": { -<<<<<<< HEAD "lastModified": 1764618760, "narHash": "sha256-QTUgygkdUq4sq7mXoO2Q2IPpvkKOZtTAJkbTaTjMi0A=", "owner": "NixOS", "repo": "nixpkgs", "rev": "29a7d6eec7e1177020f62f7599e5021317219c37", -======= - "lastModified": 1764856222, - "narHash": "sha256-yEJmtoFu4cJre1NuU4fb8q57Oux+NTbocnALtJ64aEI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ece6e266caf1effab32eceef0403b797b4330373", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -1050,19 +994,11 @@ }, "nixpkgs_7": { "locked": { -<<<<<<< HEAD "lastModified": 1764517877, "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", "owner": "nixos", "repo": "nixpkgs", "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", -======= - "lastModified": 1764667669, - "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "418468ac9527e799809c900eda37cbff999199b6", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -1138,11 +1074,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1762622004, - "narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=", + "lastModified": 1764904740, + "narHash": "sha256-TzqXUQlESmS5XGJ3tR1/xdoU0vySyp6YUUpmGF5F0kY=", "owner": "notashelf", "repo": "nvf", - "rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909", + "rev": "249cabe0c5392c384c82fa9d28d3f49fbeb04266", "type": "github" }, "original": { 
@@ -1203,19 +1139,11 @@ "rust-analyzer-src": { "flake": false, "locked": { -<<<<<<< HEAD "lastModified": 1764525349, "narHash": "sha256-vR3vU9AwzMsBvjNeeG2inA5W/2MwseFk5NIIrLFEMHk=", "owner": "rust-lang", "repo": "rust-analyzer", "rev": "d646b23f000d099d845f999c2c1e05b15d9cdc78", -======= - "lastModified": 1764778537, - "narHash": "sha256-SNL+Fj1ZWiBqCrHJT1S9vMZujrWxCOmf3zkT66XSnhE=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "633cff25206d5108043d87617a43c9d04aa42c88", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -1326,19 +1254,11 @@ "tinted-zed": "tinted-zed" }, "locked": { -<<<<<<< HEAD "lastModified": 1764550443, "narHash": "sha256-ArO2V1YEHmEILilTj4KPtqF4gqc1q2HBrrrmygQ/UyU=", "owner": "nix-community", "repo": "stylix", "rev": "794b6e1fa75177ebfeb32967f135858a1ab1ba15", -======= - "lastModified": 1764798099, - "narHash": "sha256-IIwR5ZWo7tjxjRpkz0tViF9KFbQ1YXs9Wkan46WQbfk=", - "owner": "nix-community", - "repo": "stylix", - "rev": "4b9e0e7ba3cccb86fe2bf0f4a2dd18256bef1cc6", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { @@ -1599,19 +1519,11 @@ ] }, "locked": { -<<<<<<< HEAD "lastModified": 1764598958, "narHash": "sha256-sJQHRL8trBoG/ArR+mUlyp5cyKU0pgQY+qDQzZGnVgM=", "owner": "0xc000022070", "repo": "zen-browser-flake", "rev": "8cded25e10b13e2999241f1c73a7d4e5e5d6f69e", -======= - "lastModified": 1764825646, - "narHash": "sha256-QkKEkj3GXpkPxJz9S1RgaMlxstkyaj5IKVWvxIbtC8w=", - "owner": "0xc000022070", - "repo": "zen-browser-flake", - "rev": "8c9284cc227a5c7cd8f1e1fa7a6882b0907187c8", ->>>>>>> ba1d4e1 (chore: update deps) "type": "github" }, "original": { From 28c9d0136bb89ffcabb6fa297b02c5f01d4def45 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Dec 2025 10:32:27 +0100 Subject: [PATCH 224/251] feat: add git config --- .gitattributes | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitattributes b/.gitattributes index 176a458..780e15a 100644 --- a/.gitattributes 
+++ b/.gitattributes @@ -1 +1,4 @@ * text=auto +core.autocrlf=false +core.eol=lf +core.filemode=false From 894774be4f738b7e1b5daf291bdf722fd2f74665 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Dec 2025 16:28:31 +0100 Subject: [PATCH 225/251] feat: switch homer to glance --- .../nixos/services/media/glance/default.nix | 183 ++++++++++++++++++ .../nixos/services/media/homer/default.nix | 161 --------------- systems/x86_64-linux/ulmo/default.nix | 2 +- 3 files changed, 184 insertions(+), 162 deletions(-) create mode 100644 modules/nixos/services/media/glance/default.nix delete mode 100644 modules/nixos/services/media/homer/default.nix diff --git a/modules/nixos/services/media/glance/default.nix b/modules/nixos/services/media/glance/default.nix new file mode 100644 index 0000000..333035d --- /dev/null +++ b/modules/nixos/services/media/glance/default.nix 
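Review bot: The three added lines are git configuration keys, not attribute rules: in `.gitattributes` every line is a path pattern followed by attributes, so `core.autocrlf=false` is read as a pattern with no attributes and has no effect. The line-ending intent can be expressed in this file as `* text=auto eol=lf`. `core.filemode` has no attribute equivalent and can only be set in each clone's git configuration.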
@@ -0,0 +1,183 @@ +{ + config, + lib, + namespace, + ... +}: let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.glance; +in { + options.${namespace}.services.media.glance = { + enable = mkEnableOption "Enable Glance"; + }; + + config = mkIf cfg.enable { + services.glance = { + enable = true; + openFirewall = true; + + environmentFile = config.sops.templates."glance/secrets.env".path; + + settings = { + server = { + host = "0.0.0.0"; + port = 2000; + }; + + theme = { + # Teal city predefined theme (https://github.com/glanceapp/glance/blob/main/docs/themes.md#teal-city) + background-color = "225 14 15"; + primary-color = "157 47 65"; + contrast-multiplier = 1.1; + }; + + pages = [ + { + name = "Home"; + columns = [ + { + size = "small"; + widgets = [ + { + type = "calendar"; + first-day-of-the-week = "monday"; + } + ]; + } + + { + size = "full"; + widgets = [ + { + type = "monitor"; + cache = "1m"; + title = "Services"; + sites = [ + { + title = "Zitadel"; + url = "https://auth.kruining.eu"; + icon = "sh:zitadel"; + } + { + title = "Forgejo"; + url = "https://git.amarth.cloud/chris"; + icon = "sh:forgejo"; + } + { + title = "Vaultwarden"; + url = "https://vault.kruining.eu"; + icon = "sh:vaultwarden"; + } + ]; + } + { + type = "monitor"; + cache = "1m"; + title = "Observability"; + sites = [ + { + title = "Grafana"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + icon = "sh:grafana"; + } + { + title = "Prometheus"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; + icon = "sh:prometheus"; + } + ]; + } + { + type = "monitor"; + cache = "1m"; + title = "Media"; + sites = [ + { + title = "Jellyfin"; + url = "http://${config.networking.hostName}:8096"; + icon = "sh:jellyfin"; + } + { + title = "Radarr"; + url = "http://${config.networking.hostName}:2001"; + icon = "sh:radarr"; + } + { + title = "Sonarr"; + url = 
"http://${config.networking.hostName}:2002"; + icon = "sh:sonarr"; + } + { + title = "Lidarr"; + url = "http://${config.networking.hostName}:2003"; + icon = "sh:lidarr"; + } + { + title = "Prowlarr"; + url = "http://${config.networking.hostName}:2004"; + icon = "sh:prowlarr"; + } + { + title = "qBittorrent"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + icon = "sh:qbittorrent"; + } + { + title = "SABnzbd"; + url = "http://${config.networking.hostName}:8080"; + icon = "sh:sabnzbd"; + } + ]; + } + { + type = "videos"; + channels = [ + "UCXuqSBlHAE6Xw-yeJA0Tunw" # Linus Tech Tips + "UCR-DXc1voovS8nhAvccRZhg" # Jeff Geerling + "UCsBjURrPoezykLs9EqgamOA" # Fireship + "UCBJycsmduvYEL83R_U4JriQ" # Marques Brownlee + "UCHnyfMqiRRG1u-2MsSQLbXA" # Veritasium + ]; + } + ]; + } + + { + size = "small"; + widgets = [ + { + type = "weather"; + location = "Amsterdam, The Netherlands"; + units = "metric"; + hour-format = "24h"; + } + + { + type = "server-stats"; + servers = [ + { + type = "local"; + name = "Ulmo"; + } + ]; + } + ]; + } + ]; + } + ]; + }; + }; + + sops.templates."glance/secrets.env" = { + # owner = config.services.glance.user; + # group = config.services.glance.group; + content = '' + RADARR_KEY="${config.sops.placeholder."radarr/apikey"}" + SONARR_KEY="${config.sops.placeholder."sonarr/apikey"}" + LIDARR_KEY="${config.sops.placeholder."lidarr/apikey"}" + ''; + }; + }; +} diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix deleted file mode 100644 index 79633ab..0000000 --- a/modules/nixos/services/media/homer/default.nix +++ /dev/null 
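Review bot: The `glance/secrets.env` template at the end of this file places the Radarr, Sonarr and Lidarr API keys in the Glance process environment, yet no widget in `settings.pages` references `RADARR_KEY`, `SONARR_KEY` or `LIDARR_KEY`, and the service listens on `0.0.0.0` with `openFirewall = true`. Leave the template out until a widget needs a key, and then pass only that key. The `sonarr/apikey` and `lidarr/apikey` placeholders also need matching `sops.secrets` declarations, which are not in this file. Separately, the Homer module removed in the same commit had a literal `apikey` in its Jellyfin entry; deleting the file leaves that value in the repository history, so the key should be revoked in Jellyfin.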
@@ -1,161 +0,0 @@ -{ config, lib, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.media.homer; -in -{ - options.${namespace}.services.media.homer = { - enable = mkEnableOption "Enable homer"; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 2000 ]; - - services = { - homer = { - enable = true; - - virtualHost = { - caddy.enable = true; - domain = "http://:2000"; - }; - - settings = { - title = "Ulmo dashboard"; - - columns = 4; - connectivityCheck = true; - - links = []; - - services = [ - { - name = "Services"; - items = [ - { - name = "Zitadel"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; - tag = "app"; - url = "https://auth.kruining.eu"; - target = "_blank"; - } - - { - name = "Forgejo"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; - tag = "app"; - type = "Gitea"; - url = "https://git.amarth.cloud"; - target = "_blank"; - } - - { - name = "Vaultwarden"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; - type = "Vaultwarden"; - tag = "app"; - url = "https://vault.kruining.eu"; - target = "_blank"; - } - ]; - } - - { - name = "Observability"; - items = [ - { - name = "Grafana"; - type = "Grafana"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; - target = "_blank"; - } - - { - name = "Prometheus"; - type = "Prometheus"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; - target = "_blank"; - } - ]; - } - - { - name = "Media"; - items = [ - { - name = "Jellyfin (Movies)"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; - tag = "app"; - type = "Emby"; - url = 
"http://${config.networking.hostName}:8096"; - apikey = "e3ceed943eeb409ba8342738db7cc1f5"; - libraryType = "movies"; - target = "_blank"; - } - - { - name = "Radarr"; - type = "Radarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2001"; - target = "_blank"; - } - - { - name = "Sonarr"; - type = "Sonarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2002"; - target = "_blank"; - } - - { - name = "Lidarr"; - type = "Lidarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2003"; - target = "_blank"; - } - - { - name = "Prowlarr"; - type = "Prowlarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:2004"; - target = "_blank"; - } - - { - name = "qBittorrent"; - type = "qBittorrent"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; - target = "_blank"; - } - - { - name = "SABnzbd"; - type = "SABnzbd"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:8080"; - target = "_blank"; - } - ]; - } - ]; - }; - }; - }; - }; -} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 93171d8..3638dbc 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -161,7 +161,7 @@ networking.ssh.enable = true; media.enable = true; - media.homer.enable = true; + media.glance.enable = true; media.mydia.enable = true; media.nfs.enable = true; media.servarr = { From 4826cb6a72655cb1bb3fe6378e252131751599e1 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Mon, 8 Dec 2025 16:29:02 +0100 Subject: [PATCH 226/251] feat: implement more stuff with new servarr module --- modules/nixos/services/media/default.nix | 316 +++--------------- .../nixos/services/media/servarr/default.nix | 146 +++++--- systems/x86_64-linux/ulmo/default.nix | 10 +- 3 files changed, 152 insertions(+), 320 deletions(-) diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index c880580..d257aea 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -3,16 +3,12 @@ lib, namespace, config, - inputs, - system, ... }: let inherit (lib) mkIf mkEnableOption mkOption; inherit (lib.types) str; cfg = config.${namespace}.services.media; - - arr = ["radarr"]; in { options.${namespace}.services.media = { enable = mkEnableOption "Enable media services"; 
@@ -60,285 +56,75 @@ in { }; systemd.tmpfiles.rules = [ - "d '${cfg.path}/series' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/movies' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/music' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/qbittorrent' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/sabnzbd' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/reiverr/config' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/downloads/incomplete' 0700 ${cfg.user} ${cfg.group} - -" - "d '${cfg.path}/downloads/done' 0700 ${cfg.user} ${cfg.group} - -" - "d /var/lib/radarrApplyTerraform 0755 ${cfg.user} ${cfg.group} -" + # "d '${cfg.path}/series' 0770 ${cfg.user} ${cfg.group} - -" + # "d '${cfg.path}/movies' 0770 ${cfg.user} ${cfg.group} - -" + # "d '${cfg.path}/music' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/qbittorrent' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/sabnzbd' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/downloads/incomplete' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.path}/downloads/done' 0770 ${cfg.user} ${cfg.group} - -" ]; #========================================================================= # Services #========================================================================= - services = let - arr-services = - arr - |> lib.imap (i: service: { - name = service; - value = - { - enable = true; - openFirewall = true; - - environmentFiles = [ - config.sops.templates."${service}/config.env".path - ]; - - settings = { - auth.authenticationMethod = "External"; - - server = { - bindaddress = "0.0.0.0"; - port = 2000 + i; - }; - - postgres = { - host = "localhost"; - port = "5432"; - user = service; - maindb = service; - logdb = service; - }; - }; - } - // ( - if service != "prowlarr" - then { - user = cfg.user; - group = cfg.group; - } - else {} - ); - }) - |> lib.listToAttrs; - in - arr-services - // { - bazarr = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - 
listenPort = 2005; - }; - - # port is harcoded in nixpkgs module - jellyfin = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - }; - - flaresolverr = { - enable = true; - openFirewall = true; - port = 2007; - }; - - qbittorrent = { - enable = true; - openFirewall = true; - webuiPort = 2008; - - serverConfig = { - LegalNotice.Accepted = true; - - Prefecences.WebUI = { - Username = "admin"; - }; - }; - - user = cfg.user; - group = cfg.group; - }; - - # port is harcoded in nixpkgs module - sabnzbd = { - enable = true; - openFirewall = true; - configFile = "${cfg.path}/sabnzbd/config.ini"; - - user = cfg.user; - group = cfg.group; - }; - - postgresql = let - databases = arr |> lib.concatMap (s: [s "${s}-log"]); - in { - enable = true; - ensureDatabases = arr; - ensureUsers = - arr - |> lib.map (service: { - name = service; - ensureDBOwnership = true; - }); - }; - - caddy = { - enable = true; - virtualHosts = { - "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://[::1]:8096 - ''; - }; - }; + services = { + bazarr = { + enable = true; + openFirewall = true; + user = cfg.user; + group = cfg.group; + listenPort = 2005; }; - systemd.services.radarrApplyTerraform = let - # this is a nix package, the generated json file to be exact - terraformConfiguration = inputs.terranix.lib.terranixConfiguration { - inherit system; - - modules = [ - ({ - config, - lib, - ... 
- }: { - config = { - variable = { - api_key = { - type = "string"; - description = "Radarr api key"; - }; - }; - - terraform.required_providers.radarr = { - source = "devopsarr/radarr"; - version = "2.2.0"; - }; - - provider.radarr = { - url = "http://127.0.0.1:2001"; - api_key = lib.tfRef "var.api_key"; - }; - - resource = { - radarr_root_folder.local = { - path = "/var/media/movies"; - }; - }; - }; - }) - ]; + flaresolverr = { + enable = true; + openFirewall = true; + port = 2007; }; - in { - description = "Radarr terraform apply"; - wantedBy = ["multi-user.target"]; - wants = ["radarr.service"]; + # port is harcoded in nixpkgs module + jellyfin = { + enable = true; + openFirewall = true; + user = cfg.user; + group = cfg.group; + }; - script = '' - #!/usr/bin/env bash + postgresql = { + enable = true; + }; - if [ "$(systemctl is-active radarr)" != "active" ]; then - echo "Radarr is not running" - exit 1 - fi - - # Sleep for a bit to give radarr the chance to start up - sleep 5s - - # Print the path to the source for easier debugging - echo "config location: ${terraformConfiguration}" - - # Copy infra code into workspace - cp -f ${terraformConfiguration} config.tf.json - - # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init - - # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan -var-file='${config.sops.templates."radarr/config.tfvars".path}' - ${lib.getExe pkgs.opentofu} apply -auto-approve -var-file='${config.sops.templates."radarr/config.tfvars".path}' - ''; - - serviceConfig = { - Type = "oneshot"; - User = cfg.user; - Group = cfg.group; - - WorkingDirectory = "/var/lib/radarrApplyTerraform"; - - EnvironmentFile = [ - config.sops.templates."radarr/config.env".path - ]; + caddy = { + enable = true; + virtualHosts = { + "jellyfin.kruining.eu".extraConfig = '' + reverse_proxy http://[::1]:8096 + ''; + }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; sops = { - secrets = let - arrSecrets = - arr - |> lib.map 
(service: { - name = "${service}/apikey"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = ["${service}.service"]; - }; - }) - |> lib.listToAttrs; - in - arrSecrets - // { - # "qbittorrent/password" = {}; - "qbittorrent/password_hash" = {}; + secrets = { + # "qbittorrent/password" = {}; + "qbittorrent/password_hash" = {}; + }; + + templates = { + "qbittorrent/password.conf" = { + owner = cfg.user; + group = cfg.group; + restartUnits = ["qbittorrent.service"]; + path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf"; + content = '' + [Preferences] + WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}" + ''; }; - - templates = let - apikeys = - arr - |> lib.map (service: { - name = "${service}/config.env"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = ["${service}.service"]; - content = '' - ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - - tfvars = - arr - |> lib.map (service: { - name = "${service}/config.tfvars"; - value = { - owner = cfg.user; - group = cfg.group; - restartUnits = ["${service}ApplyTerraform.service"]; - content = '' - api_key = "${config.sops.placeholder."${service}/apikey"}" - ''; - }; - }) - |> lib.listToAttrs; - - qbittorrent = { - "qbittorrent/password.conf" = { - owner = cfg.user; - group = cfg.group; - restartUnits = ["qbittorrent.service"]; - path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf"; - content = '' - [Preferences] - WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}" - ''; - }; - }; - in - apikeys // tfvars // qbittorrent; + }; }; }; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index 733fe99..373e09b 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix 
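Review bot: In the `services` block of `media/default.nix`, `flaresolverr` keeps `openFirewall = true` on port 2007, and FlareSolverr's HTTP API has no authentication of its own, so every host that can reach the port can use it. As far as this module shows, only the local Prowlarr needs it, so `openFirewall = false;` (or dropping the line) would be enough. The same question applies to `jellyfin`, which is opened directly although `caddy` already proxies `jellyfin.kruining.eu`. The three commented-out `tmpfiles` rules should either be removed or carry a comment saying that the directories are now created by the servarr module.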
@@ -41,36 +41,68 @@ in { port, ... }: (mkIf enable { - "${service}" = { - enable = true; - openFirewall = true; + "${service}" = + { + enable = true; + openFirewall = true; - environmentFiles = [ - config.sops.templates."${service}/config.env".path - ]; + environmentFiles = [ + config.sops.templates."${service}/config.env".path + ]; - settings = { - auth.authenticationMethod = "External"; + settings = { + auth.authenticationMethod = "External"; - server = { - bindaddress = "0.0.0.0"; - port = port; + server = { + bindaddress = "0.0.0.0"; + port = port; + }; + + postgres = { + host = "localhost"; + port = "5432"; + user = service; + maindb = service; + logdb = service; + }; }; - - postgres = { - host = "localhost"; - port = "5432"; - user = service; - maindb = service; - logdb = service; - }; - }; - }; + } + // (lib.optionalAttrs (service != "prowlarr") { + user = service; + group = "media"; + }); })) - |> lib.mergeAttrsList + |> lib.mkMerge |> (set: set // { + qbittorrent = { + enable = true; + openFirewall = true; + webuiPort = 2008; + + serverConfig = { + LegalNotice.Accepted = true; + + Prefecences.WebUI = { + Username = "admin"; + }; + }; + + user = "qbittorrent"; + group = "media"; + }; + + # port is harcoded in nixpkgs module + sabnzbd = { + enable = true; + openFirewall = true; + configFile = "${cfg.path}/sabnzbd/config.ini"; + + user = "sabnzbd"; + group = "media"; + }; + postgresql = { ensureDatabases = cfg |> lib.attrNames; ensureUsers = @@ -83,7 +115,7 @@ in { }; }); - systemd = + systemd.services = cfg |> lib.mapAttrsToList (service: { enable, @@ -92,11 +124,7 @@ in { rootFolders, ... }: (mkIf enable { - tmpfiles.rules = [ - "d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -" - ]; - - services."${service}ApplyTerraform" = let + "${service}ApplyTerraform" = let terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; 
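Review bot: Each *arr service in the `@@ -41,36 +41,68 @@` hunk sets `auth.authenticationMethod = "External"` while `bindaddress = "0.0.0.0"` and `openFirewall = true` stay in place, so the web UI no longer asks for a login but the port can still be reached without passing the proxy that is supposed to authenticate. With external authentication the listener should be reachable only by that proxy, e.g. `bindaddress = "127.0.0.1";` and no `openFirewall`; no authenticating proxy for these ports is visible in this patch. In the `qbittorrent` block of the same hunk the attribute `Prefecences.WebUI` is misspelled (the section is `Preferences`, as the `[Preferences]` header in the removed `password.conf` template shows), so `Username = "admin"` is probably not applied.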
@@ -116,7 +144,17 @@ in { terraform.required_providers.${service} = { source = "devopsarr/${service}"; - version = "2.2.0"; + version = + { + radarr = "2.3.3"; + sonarr = "3.4.0"; + prowlarr = "3.1.0"; + lidarr = "1.13.0"; + readarr = "2.1.0"; + whisparr = "1.2.0"; + }.${ + service + }; }; provider.${service} = { @@ -125,10 +163,11 @@ in { }; resource = { - "${service}_root_folder" = + "${service}_root_folder" = mkIf (lib.elem service ["radarr" "sonarr" "whisparr"]) ( rootFolders |> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;}) - |> lib.listToAttrs; + |> lib.listToAttrs + ); }; }; }) @@ -140,9 +179,16 @@ in { wantedBy = ["multi-user.target"]; wants = ["${service}.service"]; - script = '' - #!/usr/bin/env bash + preStart = '' + install -d -m 0770 -o ${service} -g media /var/lib/${service}ApplyTerraform + ${ + rootFolders + |> lib.map (folder: "install -d -m 0770 -o media -g media ${folder}") + |> lib.join "\n" + } + ''; + script = '' # Sleep for a bit to give the service a chance to start up sleep 5s @@ -158,7 +204,7 @@ in { cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init + ${lib.getExe pkgs.opentofu} init -upgrade # Run the infrastructure code ${lib.getExe pkgs.opentofu} \ @@ -173,7 +219,7 @@ in { serviceConfig = { Type = "oneshot"; User = service; - Group = service; + Group = "media"; WorkingDirectory = "/var/lib/${service}ApplyTerraform"; 
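Review bot: The new `preStart` in the `@@ -140,9 +179,16 @@` hunk runs `install -d -o ${service} -g media …`, but the unit has `User = service` and `WorkingDirectory = "/var/lib/${service}ApplyTerraform"` (visible in the later hunk), so the commands run unprivileged and systemd has to enter the directory before `preStart` can create it. With the `tmpfiles` rule removed earlier in this patch the unit is likely to fail on a fresh host. `StateDirectory = "${service}ApplyTerraform";` in `serviceConfig` would create the directory with the right owner, and the root folders could be created through `systemd.tmpfiles.rules` again. The folder paths are also interpolated unquoted into the shell line; `lib.escapeShellArg folder` avoids word splitting. In the `@@ -158,7 +204,7 @@` hunk, `init -upgrade` resolves the provider from the registry again on every start and no committed lock file is visible, which is worth a comment if intended.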
@@ -183,28 +229,33 @@ in { }; }; })) - |> lib.mergeAttrsList; + |> lib.mkMerge; - users.users = + users = cfg |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { - "${service}".extraGroups = ["media"]; + users.${service} = { + isSystemUser = true; + group = lib.mkDefault service; + extraGroups = ["media"]; + }; + groups.${service} = {}; })) - |> lib.mergeAttrsList; + |> lib.mkMerge; sops = cfg |> lib.mapAttrsToList (service: {enable, ...}: (mkIf enable { secrets."${service}/apikey" = { owner = service; - group = service; + group = "media"; restartUnits = ["${service}.service"]; }; templates = { "${service}/config.env" = { owner = service; - group = service; + group = "media"; restartUnits = ["${service}.service"]; content = '' ${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}" @@ -213,7 +264,7 @@ in { "${service}/config.tfvars" = { owner = service; - group = service; + group = "media"; restartUnits = ["${service}.service"]; content = '' api_key = "${config.sops.placeholder."${service}/apikey"}" @@ -221,15 +272,6 @@ in { }; }; })) - |> lib.mergeAttrsList; + |> lib.mkMerge; }; - - # cfg - # |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable { - - # # sops = { - # # }; - # })) - # |> lib.mergeAttrsList - # ; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 3638dbc..9d12de8 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -165,9 +165,13 @@ media.mydia.enable = true; media.nfs.enable = true; media.servarr = { - # radarr = { - # port = 2001; - # }; + radarr = { + enable = true; + port = 2001; + rootFolders = [ + "/var/media/movies" + ]; + }; sonarr = { enable = true; From f210c5b5adb44405826e6330eba088e1d4b7f18e Mon Sep 17 00:00:00 2001 
From: chris Date: Tue, 9 Dec 2025 07:20:31 +0000 Subject: [PATCH 227/251] chore: update dependencies --- flake.lock | 130 ++++++++++++++++++++++++++--------------------------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/flake.lock b/flake.lock index adfa1cf..6f6ed7e 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1765033957, - "narHash": "sha256-yL5IjUOne+h6AodxxqoqwPgRy2HXle6+W4Aa2GVJruk=", - "rev": "9985ce76af367e7c9e3022c5b893418059a17491", + "lastModified": 1765256668, + "narHash": "sha256-kUcoFL7wNAzJhoHACpCrBOKdjwCRKgunrCV2p6LRqeQ=", + "rev": "c57b02cdf2c8fe313072a71c3433e7110640ce97", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/9985ce76af367e7c9e3022c5b893418059a17491.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/c57b02cdf2c8fe313072a71c3433e7110640ce97.tar.gz" }, "original": { "type": "tarball", @@ -111,11 +111,11 @@ ] }, "locked": { - "lastModified": 1762942435, - "narHash": "sha256-zIWGs5FIytTtJN+dhDb8Yx+q4TQI/yczuL539yVcyPE=", - "rev": "0ee328404b12c65e8106bde9e9fab8abf4ecada4", + "lastModified": 1765163284, + "narHash": "sha256-tCrc6IyhXrMTTeF5lZHlwbfMBvDUr0OM5Uz+kToJ+ow=", + "rev": "986035f01ba7339c6c9d80f37aec9c5f93dfa47f", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0ee328404b12c65e8106bde9e9fab8abf4ecada4.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/986035f01ba7339c6c9d80f37aec9c5f93dfa47f.tar.gz" }, "original": { "type": "tarball", 
@@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1764915802, - "narHash": "sha256-eHTucU43sRCpvvTt5eey9htcWipS7ZN3B7ts6MiXLxo=", + "lastModified": 1765252472, + "narHash": "sha256-byMt/uMi7DJ8tRniFopDFZMO3leSjGp6GS4zWOFT+uQ=", "owner": "nix-community", "repo": "fenix", - "rev": "a83a78fd3587d9f3388f0b459ad9c2bbd6d1b6d8", + "rev": "8456b985f6652e3eef0632ee9992b439735c5544", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1765024561, - "narHash": "sha256-xtfg5gNfyiyBTfWwbKgatV1sPeJjEnUczHCaSWi+crY=", + "lastModified": 1765243386, + "narHash": "sha256-JhKIDDrkGLZHFExPSzLLlmiPp2+/Sr0uzMMevzIJ4kQ=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "e6f559729459a7890f01b258c33c1025800f5dbb", + "rev": "8aa54e856394834c594f423c30ae871041e263c1", "type": "github" }, "original": { @@ -574,11 +574,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1764617621, - "narHash": "sha256-Eq0TvWs6xhKZs5HXH1hlrNasrHD7AOEdeLkTis//X7w=", + "lastModified": 1765227577, + "narHash": "sha256-2YyCvI3aGFkFfT6JKmaer8YyhwAk6lJwO6vCikqJwa8=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "c19494250d8c15e7c75e9301bdc271579a6dc77a", + "rev": "70b63803f6429dafa20be0035548072092e0e512", "type": "github" }, "original": { @@ -594,11 +594,11 @@ ] }, "locked": { - "lastModified": 1764603455, - "narHash": "sha256-Q70rxlbrxPcTtqWIb9+71rkJESxIOou5isZBvyOieXw=", + "lastModified": 1765217760, + "narHash": "sha256-BVVyAodLcAD8KOtR3yCStBHSE0WAH/xQWH9f0qsxbmk=", "owner": "nix-community", "repo": "home-manager", - "rev": "effe4c007d6243d9e69ce2242d76a2471c1b8d5c", + "rev": "e5b1f87841810fc24772bf4389f9793702000c9b", "type": "github" }, "original": { 
@@ -636,11 +636,11 @@ ] }, "locked": { - "lastModified": 1764612577, - "narHash": "sha256-sHI+7m/ryVYf7agWkutYbvzUS07aAd8g2NVWgUqhxLg=", + "lastModified": 1764922999, + "narHash": "sha256-LSvUxKm6S6ZAd/otQSkAHd3+8KJhi8OwGJGSe0K//B8=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "bcb22e208cf8883004fcec3a33f2500e7dc319a5", + "rev": "9b9ead1b5591b68f4048e7205ba1397bc85ce6c4", "type": "github" }, "original": { @@ -655,11 +655,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1764506612, - "narHash": "sha256-47a2OvGsq1AfffWQqKAGlB9GjmoVa1yXVyfZP3f3kog=", + "lastModified": 1765111385, + "narHash": "sha256-Gn8IIq9FGLvQSDK2bXKzsqqkgKExTExLkYfH7n8Nnpk=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f7208cc4a3200a2573fc566066ef4d3c041bc924", + "rev": "e562ca084a8b3490337d446f1e0d6afadb509d1e", "type": "github" }, "original": { @@ -752,11 +752,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1764556167, - "narHash": "sha256-/b+oEls56HDRzsSp60tsRfPFRjFebBPHq6k1I+hfPqw=", + "lastModified": 1765245994, + "narHash": "sha256-6mra5F/nfee/MXqSXMSxSpjll6U/jfo8D9X+5H2ldmM=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "849d1b2b1adddfc7bddbd3be6bffd218a3f5a6fe", + "rev": "b83769c7fd3f3ab87221fdfda23f454ae95efc46", "type": "github" }, "original": { @@ -852,11 +852,11 @@ ] }, "locked": { - "lastModified": 1764591717, - "narHash": "sha256-T/HMA0Bb/O6UnlGQ0Xt+wGe1j8m7eyyQ5+vVcCJslsM=", + "lastModified": 1765191003, + "narHash": "sha256-d3b3eQsdgXZDW/y4fmDuNiGBjZzwFrLhwD5i3NmM1mM=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "84d1dab290feb4865d0cfcffc7aa0cf9bc65c3b7", + "rev": "a16b061ec61831755df35fae916d19b0ac5a43cc", "type": "github" }, "original": { 
@@ -883,11 +883,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1764465291, - "narHash": "sha256-jJ/E4B9Hp7U2ZmT3E0tD1LtAfATw/xjVf8sueNyeYmc=", + "lastModified": 1765070080, + "narHash": "sha256-5D1Mcm2dQ1aPzQ0sbXluHVUHququ8A7PKJd7M3eI9+E=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "e9537535ae8f4a2f78dbef0aaa0cbb6af4abd047", + "rev": "e0cad9791b0c168931ae562977703b72d9360836", "type": "github" }, "original": { @@ -914,11 +914,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1764547213, - "narHash": "sha256-pGXM6frMKLRJmeMcQ228O1QQBuNEUjzmWx9uBd+CbXM=", + "lastModified": 1765183668, + "narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=", "owner": "nixos", "repo": "nixpkgs", - "rev": "64de27c1c985895c1a9f92aaeaab4e6a4c0960f5", + "rev": "fc2de1563f89f0843eba27f14576d261df0e3b80", "type": "github" }, "original": { @@ -946,11 +946,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1764618760, - "narHash": "sha256-QTUgygkdUq4sq7mXoO2Q2IPpvkKOZtTAJkbTaTjMi0A=", + "lastModified": 1765264094, + "narHash": "sha256-BCYwzfbI353cpjFesVAcEelBrkPOhu5cQMBNPADkEj4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "29a7d6eec7e1177020f62f7599e5021317219c37", + "rev": "e82b0773d332dc78ba550aa46227f21057cbaff8", "type": "github" }, "original": { @@ -994,11 +994,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1764517877, - "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=", + "lastModified": 1764950072, + "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c", + "rev": "f61125a668a320878494449750330ca58b78c557", "type": "github" }, "original": { 
@@ -1026,11 +1026,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1764445028, - "narHash": "sha256-ik6H/0Zl+qHYDKTXFPpzuVHSZE+uvVz2XQuQd1IVXzo=", + "lastModified": 1764947035, + "narHash": "sha256-EYHSjVM4Ox4lvCXUMiKKs2vETUSL5mx+J2FfutM7T9w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a09378c0108815dbf3961a0e085936f4146ec415", + "rev": "a672be65651c80d3f592a89b3945466584a22069", "type": "github" }, "original": { @@ -1074,11 +1074,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1764904740, - "narHash": "sha256-TzqXUQlESmS5XGJ3tR1/xdoU0vySyp6YUUpmGF5F0kY=", + "lastModified": 1765119282, + "narHash": "sha256-iI0fuBBYJMnOprGD2L+rum2P8lHMcZ5n35hzdlpwayI=", "owner": "notashelf", "repo": "nvf", - "rev": "249cabe0c5392c384c82fa9d28d3f49fbeb04266", + "rev": "26c4a7e3c33e739d474ddaf52aa4c5f3d11922ba", "type": "github" }, "original": { @@ -1139,11 +1139,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1764525349, - "narHash": "sha256-vR3vU9AwzMsBvjNeeG2inA5W/2MwseFk5NIIrLFEMHk=", + "lastModified": 1765120009, + "narHash": "sha256-nG76b87rkaDzibWbnB5bYDm6a52b78A+fpm+03pqYIw=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "d646b23f000d099d845f999c2c1e05b15d9cdc78", + "rev": "5e3e9c4e61bba8a5e72134b9ffefbef8f531d008", "type": "github" }, "original": { @@ -1204,11 +1204,11 @@ ] }, "locked": { - "lastModified": 1764483358, - "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", + "lastModified": 1765231718, + "narHash": "sha256-qdBzo6puTgG4G2RHG0PkADg22ZnQo1JmSVFRxrD4QM4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5aca6ff67264321d47856a2ed183729271107c9c", + "rev": "7fd1416aba1865eddcdec5bb11339b7222c2363e", "type": "github" }, "original": { 
@@ -1222,11 +1222,11 @@ "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1764483358, - "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", + "lastModified": 1765231718, + "narHash": "sha256-qdBzo6puTgG4G2RHG0PkADg22ZnQo1JmSVFRxrD4QM4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5aca6ff67264321d47856a2ed183729271107c9c", + "rev": "7fd1416aba1865eddcdec5bb11339b7222c2363e", "type": "github" }, "original": { @@ -1254,11 +1254,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1764550443, - "narHash": "sha256-ArO2V1YEHmEILilTj4KPtqF4gqc1q2HBrrrmygQ/UyU=", + "lastModified": 1765047449, + "narHash": "sha256-VQcqjJ2g0kT9TW4ENwA2HBQJzfbCUd5s1Wm3K+R2QZY=", "owner": "nix-community", "repo": "stylix", - "rev": "794b6e1fa75177ebfeb32967f135858a1ab1ba15", + "rev": "bd00e01aab676aee88e6cc5c9238b4a5a7d6639a", "type": "github" }, "original": { @@ -1519,11 +1519,11 @@ ] }, "locked": { - "lastModified": 1764598958, - "narHash": "sha256-sJQHRL8trBoG/ArR+mUlyp5cyKU0pgQY+qDQzZGnVgM=", + "lastModified": 1765175766, + "narHash": "sha256-M4zs4bVUv0UNuVGspwwlcGs5FpCDt52LQBA5a9nj5Lg=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "8cded25e10b13e2999241f1c73a7d4e5e5d6f69e", + "rev": "5126a8426773dc213a8c0f0d646aca116194dab6", "type": "github" }, "original": { From 03e8fea254eb6e3f6d0c51fdcf3dd12abab55bf3 Mon Sep 17 00:00:00 2001 From: chris Date: Tue, 9 Dec 2025 14:53:08 +0000 Subject: [PATCH 228/251] chore(secrets): set secret "grafana/oidc_id" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 086d86d..4e02424 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -27,6 +27,8 @@ mydia: qbittorrent: password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str] password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] +grafana: + oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -47,7 +49,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-04T11:24:52Z" - mac: ENC[AES256_GCM,data:jIgkl1lcVDSlKqJs9fjaHUAZsGL+22T86/qqKyDziHl0+VU763Ezwm8P+la+55jIIT2zLhFcUjhn2BabBi90OeEPztAC4rGpZj6+ZZ0GDCj/JhjPAAo3LgAKOCG0Xgf8MZWr/rXd6bLhW7Qj36PMJnap26rjEiUZeSvpWS2dz8g=,iv:CDx8fBI9Dl1uwrbMD1fa7/h3C7haK3xZxJI59mtL1LA=,tag:2UDRFJoevGEBKZA/9eUiOw==,type:str] + lastmodified: "2025-12-09T14:53:07Z" + mac: ENC[AES256_GCM,data:/dncb2tqTpQiUdAtmR9xhd22Sl2RBUtL7OIawP25ZHd1S6fwAAiwSC/8p3Zn/dYXv4M4Gq/EJ6CzrZD2V5hYob/K1DlEmBZDf1O53oDU+CneMo0SGXwWI9aZWJRwHW2r+zi6wO2cfQKStryPTJe2gwZFzokSG7+zC2x18yKKdhw=,iv:YVZfXN1iUcnxs94f+ikL8bVVAIM4a2Yh9gU71LhVJ8c=,tag:1nCTSVFhpevhCImLayWffg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From f295f0fc487acc96e1ae6fde0d42a5f60549dede Mon Sep 17 00:00:00 2001 
From: chris Date: Tue, 9 Dec 2025 14:53:26 +0000 Subject: [PATCH 229/251] chore(secrets): set secret "grafana/oidc_secret" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4e02424..745479d 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -29,6 +29,7 @@ qbittorrent: password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] + oidc_secret: ENC[AES256_GCM,data:b7qILK9ZHW2khtM1Hl/KdjCv3Wq6eOo2Ym/cbjcMB8/3Hn2UelpP4K4lFyiV3bn1/GF6Jl5Z7A0EwMybOx0InA==,iv:3HL/7BiyObwT8DmFxzNPI9CdmCH/4j/4oc9x7qBE1k0=,tag:dBhcq1zLKy6N+jp/v42R4A==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -49,7 +50,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-09T14:53:07Z" - mac: ENC[AES256_GCM,data:/dncb2tqTpQiUdAtmR9xhd22Sl2RBUtL7OIawP25ZHd1S6fwAAiwSC/8p3Zn/dYXv4M4Gq/EJ6CzrZD2V5hYob/K1DlEmBZDf1O53oDU+CneMo0SGXwWI9aZWJRwHW2r+zi6wO2cfQKStryPTJe2gwZFzokSG7+zC2x18yKKdhw=,iv:YVZfXN1iUcnxs94f+ikL8bVVAIM4a2Yh9gU71LhVJ8c=,tag:1nCTSVFhpevhCImLayWffg==,type:str] + lastmodified: "2025-12-09T14:53:25Z" + mac: ENC[AES256_GCM,data:bb6YXIClIRCEyvQEYQpuzjqSgAvcHr0Avb0t+HSIoIY69cnCojNxb1cN53b0HBV69qOiXgKlXcQrI4ry2qokfRbAAlp9w5g978+E3fnlefBxGY2wHEeJZL/27BXq7nEfvdepcLVM+o5PMn0iiYUR42OYJkXxAHXqhYNdt9kWjMM=,iv:QfIB9WckrxK2YXMTNVWgUjt6F+QG96KzUlwlYPM5WBc=,tag:X69yLpEsu//3HgtSuHoQig==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6af9101a135e9c38215177043468eaea0e38b719 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 9 Dec 2025 16:17:26 +0100 Subject: [PATCH 230/251] feat: add oidc from sops for grafana --- .../observability/grafana/default.nix | 33 ++++++++++++++----- systems/x86_64-linux/ulmo/default.nix | 6 ++++ 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index 6503493..05d3570 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix @@ -1,5 +1,10 @@ -{ pkgs, config, lib, namespace, ... }: -let +{ + pkgs, + config, + lib, + namespace, + ... +}: let inherit (lib.modules) mkIf; inherit (lib.options) mkEnableOption; @@ -7,8 +12,7 @@ let db_user = "grafana"; db_name = "grafana"; -in -{ +in { options.${namespace}.services.observability.grafana = { enable = mkEnableOption "enable Grafana"; }; 
@@ -35,8 +39,8 @@ in "auth.generic_oauth" = { enable = true; name = "Zitadel"; - client_id = "334170712283611395"; - client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; + client_id = "$__file{${config.sops.secrets."grafana/oidc_id".path}}"; + client_secret = "$__file{${config.sops.secrets."grafana/oidc_secret".path}}"; scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; email_attribute_path = "email"; login_attribute_path = "username"; @@ -64,7 +68,7 @@ in allow_sign_up = false; allow_org_create = false; viewers_can_edit = false; - + default_theme = "system"; }; @@ -115,7 +119,7 @@ in postgresql = { enable = true; - ensureDatabases = [ db_name ]; + ensureDatabases = [db_name]; ensureUsers = [ { name = db_user; @@ -126,5 +130,18 @@ in }; environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; + + sops = { + secrets = { + "grafana/oidc_id" = { + owner = "grafana"; + group = "grafana"; + }; + "grafana/oidc_secret" = { + owner = "grafana"; + group = "grafana"; + }; + }; + }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 9d12de8..e661dd8 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -118,6 +118,12 @@ grantTypes = ["authorizationCode"]; responseTypes = ["code"]; }; + + grafana = { + redirectUris = ["http://localhost:9001/login/generic_oauth"]; + grantTypes = ["authorizationCode"]; + responseTypes = ["code"]; + }; }; }; }; From 4624b0b0f7037da54c00b7d1bdf68653c0ee8ea8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 9 Dec 2025 16:18:09 +0100 Subject: [PATCH 231/251] wip: setting up download clients in the arr stack --- modules/nixos/services/media/default.nix | 20 ------- .../nixos/services/media/servarr/default.nix | 54 ++++++++++++++++--- 2 files changed, 47 insertions(+), 27 deletions(-) 
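Review bot: The `client_secret` literal that the `auth.generic_oauth` hunk removes is still readable in this repository's history, and nothing in the series shows that the value now stored under `grafana/oidc_secret` is a newly issued one. Unless it was regenerated in Zitadel, the move to `$__file{…}` does not protect it. The two `sops.secrets` entries added in the last hunk of this file carry no restart trigger, so a later rotation would presumably not reach the running Grafana until it restarts; adding `restartUnits = ["grafana.service"];` to `"grafana/oidc_id"` and `"grafana/oidc_secret"` would cover that. The enclosing settings block starts outside these hunks.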
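Review bot: The `grafana` client added in `systems/x86_64-linux/ulmo/default.nix` registers only `http://localhost:9001/login/generic_oauth` as a redirect URI, which only works for a browser on the host itself and returns the authorization code over plain HTTP. If Grafana is reached through a proxied hostname, which these hunks do not show, the registered URI should be the HTTPS one Grafana derives from its `root_url`, e.g. `redirectUris = ["https://<grafana-host>/login/generic_oauth"];` with the placeholder replaced by the real name.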
diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index d257aea..79d2307 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -106,25 +106,5 @@ in { }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; - - sops = { - secrets = { - # "qbittorrent/password" = {}; - "qbittorrent/password_hash" = {}; - }; - - templates = { - "qbittorrent/password.conf" = { - owner = cfg.user; - group = cfg.group; - restartUnits = ["qbittorrent.service"]; - path = "${config.services.qbittorrent.profileDir}/qBittorrent/config/password.conf"; - content = '' - [Preferences] - WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}" - ''; - }; - }; - }; }; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index 373e09b..c09e66f 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -72,10 +72,8 @@ in { group = "media"; }); })) - |> lib.mkMerge - |> (set: - set - // { + |> lib.concat [ + { qbittorrent = { enable = true; openFirewall = true; @@ -86,6 +84,7 @@ in { Prefecences.WebUI = { Username = "admin"; + Password_PBKDF2 = "@ByteArray(JpfX3wSUcMolUFD+8AD67w==:fr5kmc6sK9xsCfGW6HkPX2K1lPYHL6g2ncLLwuOVmjphmxkwBJ8pi/XQDsDWzyM/MRh5zPhUld2Xqn8o7BWv3Q==)"; }; }; @@ -97,7 +96,7 @@ in { sabnzbd = { enable = true; openFirewall = true; - configFile = "${cfg.path}/sabnzbd/config.ini"; + configFile = config.sops.templates."sabnzbd/config.ini".path; user = "sabnzbd"; group = "media"; @@ -113,7 +112,9 @@ in { ensureDBOwnership = true; }); }; - }); + } + ] + |> lib.mkMerge; systemd.services = cfg @@ -125,6 +126,8 @@ in { ... }: (mkIf enable { "${service}ApplyTerraform" = let + config' = config; + terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; 
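Review bot: The `Password_PBKDF2 = "@ByteArray(…)"` line added to the qbittorrent settings commits the WebUI password hash to the repository and, through the generated config, presumably to the world-readable Nix store. The same commit deletes the sops template in `modules/nixos/services/media/default.nix` that kept it out of both. A PBKDF2 hash can be guessed against offline, so it is better kept in `qbittorrent/password_hash` and rendered at activation, as the removed template did with `WebUI\Password_PBKDF2="${config.sops.placeholder."qbittorrent/password_hash"}"`. The surrounding key is spelled `Prefecences` in the context line; if that is not intentional the setting is probably not applied at all and should read `Preferences`. The qbittorrent attribute set continues outside the hunk.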
@@ -168,6 +171,30 @@ in { |> lib.imap (i: f: lib.nameValuePair "local${toString i}" {path = f;}) |> lib.listToAttrs ); + + "${service}_download_client_qbittorrent" = mkIf (lib.elem service ["radarr" "sonarr" "lidarr" "whisparr"]) { + "main" = { + name = "qBittorrent"; + enable = true; + priority = 1; + host = "localhost"; + username = "admin"; + password = "poChieN5feeph0igeaCadeJ9Xux0ohmuy6ruH5ieThaPheib3iuzoo0ahw1aiceif1feegioh9Aimau0pai5thoh5ieH0aechohw"; + url_base = "/"; + port = 2008; + }; + }; + + # "${service}_download_client_sabnzbd" = mkIf (lib.elem service ["radarr" "sonarr" "lidarr" "whisparr"]) { + # "main" = { + # name = "SABnzbd"; + # enable = true; + # priority = 1; + # host = "localhost"; + # url_base = "/"; + # port = 8080; + # }; + # }; }; }; }) @@ -204,7 +231,7 @@ in { cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init -upgrade + ${lib.getExe pkgs.opentofu} init # Run the infrastructure code ${lib.getExe pkgs.opentofu} \ @@ -272,6 +299,19 @@ in { }; }; })) + |> lib.concat [ + { + templates = { + "sabnzbd/config.ini" = { + owner = "sabnzbd"; + group = "media"; + content = '' + + ''; + }; + }; + } + ] |> lib.mkMerge; }; } From f2a0d05f16f5d44b5806b6eebb119122bfa95239 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 10 Dec 2025 07:21:08 +0000 Subject: [PATCH 232/251] chore(secrets): set secret "qbittorrent/password_hash" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 745479d..12a3115 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
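Review bot: The `"${service}_download_client_qbittorrent"` resource added here carries the qBittorrent WebUI password as a string literal, so it is committed to the repository and copied into `config.tf.json` by the `cp -f ${terraformConfiguration}` step in the next hunk. That means it presumably sits in the Nix store as well. The value should be treated as exposed and changed, and the resource should read it from a sensitive OpenTofu variable instead, e.g. `password = "\${var.qbittorrent_password}";`. The variable would be declared with `sensitive = true` and supplied at run time from the existing `qbittorrent/password` sops secret through `TF_VAR_qbittorrent_password`. The attribute set enclosing the resource starts outside the hunk.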
@@ -25,7 +25,7 @@ mydia: secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] qbittorrent: - password_hash: ENC[AES256_GCM,data:QWuQYmfBn9eLDYztH7TmQvw74MvmzCQ98OlBtyjm1Icr2c63epRuHWzQbm+Q+1jrCSiQreOB3ZyjLzkeV6SlLonryUSD71uBWVwctgPXO0XDrxE1Vi6dkiwC3TF65JTMDhyjDLEj1YkiMP25Fz5NidJTP/r9GlXTfM7gjWo=,iv:bpgL5IoAv+1PUtgNIjLcbzN8C9z55ndypz4LEELAhLc=,tag:VB+XTCwLeIEYKnOr/0f7zA==,type:str] + password_hash: ENC[AES256_GCM,data:yCfCslj01wtfwzzPOGlwA6wLLf+EUuEweYa3ZxvDtd/VGMxuV38quV+ob1Of+W0UH3+U4Qmgh4BK3I3IJZuKOvNdkZ0i81YBwW6cgvZUmnxwh8wokpNzxCKbYk5nF7y7SaGEdzQLvV7ad3fNMJsQ+s2zCsKWbm+j8Bwgq0E=,iv:IIktPS9pYXaYPzH0r4wrkp31CpunKnr70Ainu6hOeWY=,tag:bYCfhDfIwiQZ1tKAvITewQ==,type:str] password: ENC[AES256_GCM,data:UepYY6UjJV/jo2aXTOEnKRtsjSqOSYPQlKlrAa7rf9rdnt2UXGjCkvN+A72pICuIBCAmhXZBAUMvmWTV9trk6NREHe0cY1xTC7pNv3x9TM/ZQmH498pbT/95pYAKwouHp9heJQ==,iv:FzjF+xPoaOp+gplxpz940V2dkWSTWe8dWUxexCoxxHc=,tag:TDZsboq9fEmmBrwJN/HTpQ==,type:str] grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] 
@@ -50,7 +50,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-09T14:53:25Z" - mac: ENC[AES256_GCM,data:bb6YXIClIRCEyvQEYQpuzjqSgAvcHr0Avb0t+HSIoIY69cnCojNxb1cN53b0HBV69qOiXgKlXcQrI4ry2qokfRbAAlp9w5g978+E3fnlefBxGY2wHEeJZL/27BXq7nEfvdepcLVM+o5PMn0iiYUR42OYJkXxAHXqhYNdt9kWjMM=,iv:QfIB9WckrxK2YXMTNVWgUjt6F+QG96KzUlwlYPM5WBc=,tag:X69yLpEsu//3HgtSuHoQig==,type:str] + lastmodified: "2025-12-10T07:21:06Z" + mac: ENC[AES256_GCM,data:eKWrwVqOXeVz0+IRushA+N+qN6OL9gTXArNELBjIovMrxYwEgDDa+cqIQ4rpkFBzkMZE+tBhM2K+LFOI9CVrEb4LfhvGx75QI9yz2n7etJJlrXD06yKmI1dbkQ1D0zcpGkuf7poa+R06B+PPgDjI+NkgCZYaeZ4VvOlAEubVAR0=,iv:OQYowrnu3saxSA1R9xVcD1BCC936KRLC7HIQ6m0+uS0=,tag:SnBjtM1hrrN860vO8oP/3w==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From d09699f6e9d9a1941a69d9dee0aeb715d96bfc62 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 10 Dec 2025 09:29:33 +0000 Subject: [PATCH 233/251] chore(secrets): set secret "sabnzbd/sunnyweb/password" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 12a3115..606c924 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -30,6 +30,9 @@ qbittorrent: grafana: oidc_id: ENC[AES256_GCM,data:NVdIgCQ6nz4BSUDJYCKyILtK,iv:tcljy9PzC/yyd7TSdngyJt+uh60uXi2PKu47czErbaQ=,tag:zE4q3dD4UQaHIpGeZ1L48Q==,type:str] oidc_secret: ENC[AES256_GCM,data:b7qILK9ZHW2khtM1Hl/KdjCv3Wq6eOo2Ym/cbjcMB8/3Hn2UelpP4K4lFyiV3bn1/GF6Jl5Z7A0EwMybOx0InA==,iv:3HL/7BiyObwT8DmFxzNPI9CdmCH/4j/4oc9x7qBE1k0=,tag:dBhcq1zLKy6N+jp/v42R4A==,type:str] +sabnzbd: + sunnyweb: + password: ENC[AES256_GCM,data:flw8AahqO1Mx,iv:Qhu8iVWMzzqy18y8dj3aHoBnSZatm74/tYvZ456l2sA=,tag:sCYBdw7kD0zJZFFr5EyPIQ==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -50,7 +53,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-10T07:21:06Z" - mac: ENC[AES256_GCM,data:eKWrwVqOXeVz0+IRushA+N+qN6OL9gTXArNELBjIovMrxYwEgDDa+cqIQ4rpkFBzkMZE+tBhM2K+LFOI9CVrEb4LfhvGx75QI9yz2n7etJJlrXD06yKmI1dbkQ1D0zcpGkuf7poa+R06B+PPgDjI+NkgCZYaeZ4VvOlAEubVAR0=,iv:OQYowrnu3saxSA1R9xVcD1BCC936KRLC7HIQ6m0+uS0=,tag:SnBjtM1hrrN860vO8oP/3w==,type:str] + lastmodified: "2025-12-10T09:29:32Z" + mac: ENC[AES256_GCM,data:8gr/VN9Hx5YIWKmqSpRTknlVZz9oJOCN8D43jq+gS9hRaLzbZcnKaxeECPfKwcSaKa3dyGNcyegQqsW8/7aC0dU5kQRmPrI5DftWRhjJRBgFyng8sMln8u8FcfgX1PkmPN/vTvWCzKWgaCiIt9f6nmTlGX7GAbatMax/tU/04Tw=,iv:js7VPZrvhll1fkh+IVDktqS+FbxfYO2g0gEQ04b5jc0=,tag:fNWrytKXUcuGApOoA9hUsg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From a2b1664c2272f30f2b5cde8175ba94a7cf23b12d Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 10 Dec 2025 09:30:20 +0000 Subject: [PATCH 234/251] chore(secrets): set secret "sabnzbd/sunnyweb/username" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 606c924..cbb8b16 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml 
+++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -33,6 +33,7 @@ grafana: sabnzbd: sunnyweb: password: ENC[AES256_GCM,data:flw8AahqO1Mx,iv:Qhu8iVWMzzqy18y8dj3aHoBnSZatm74/tYvZ456l2sA=,tag:sCYBdw7kD0zJZFFr5EyPIQ==,type:str] + username: ENC[AES256_GCM,data:IboJ8WDWuVNgvrk7c3V8I5S6Xg==,iv:BRohMuQFQz2S+HFasIaok6npT3C5v/SlhAhbLQXfB0s=,tag:M3/u0WBQ3AufHqe4DCtsrA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -53,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-10T09:29:32Z" - mac: ENC[AES256_GCM,data:8gr/VN9Hx5YIWKmqSpRTknlVZz9oJOCN8D43jq+gS9hRaLzbZcnKaxeECPfKwcSaKa3dyGNcyegQqsW8/7aC0dU5kQRmPrI5DftWRhjJRBgFyng8sMln8u8FcfgX1PkmPN/vTvWCzKWgaCiIt9f6nmTlGX7GAbatMax/tU/04Tw=,iv:js7VPZrvhll1fkh+IVDktqS+FbxfYO2g0gEQ04b5jc0=,tag:fNWrytKXUcuGApOoA9hUsg==,type:str] + lastmodified: "2025-12-10T09:30:19Z" + mac: ENC[AES256_GCM,data:AyVTsx8XHSD5HVShx5C4qivTvWVftrWmcr68BrkWwzaXZ+UCKIdNKITO9ByQwDqP6ZrU+lFoZRUSzJ/xeHdfgbvGuqGnDPqWPVKH030jmu7Y19mpBrsRSwrnEtu8959uhazo8+NMwFo3MoQFEeGWsr7RsV2bKSqVJxDcF0H0nKg=,iv:prrZlz+jaIP4GlBbGygpSlBMof2eMSvcsZQQAcXdhyI=,tag:WR5hJmj2zuiVUwl8Jec0Aw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 01410856f628bd1e5b14b8d3d92a72919e0790db Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 10 Dec 2025 12:55:32 +0000 Subject: [PATCH 235/251] chore(secrets): set secret "sabnzbd/apikey" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index cbb8b16..3f34c21 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -34,6 +34,7 @@ sabnzbd: sunnyweb: password: ENC[AES256_GCM,data:flw8AahqO1Mx,iv:Qhu8iVWMzzqy18y8dj3aHoBnSZatm74/tYvZ456l2sA=,tag:sCYBdw7kD0zJZFFr5EyPIQ==,type:str] username: ENC[AES256_GCM,data:IboJ8WDWuVNgvrk7c3V8I5S6Xg==,iv:BRohMuQFQz2S+HFasIaok6npT3C5v/SlhAhbLQXfB0s=,tag:M3/u0WBQ3AufHqe4DCtsrA==,type:str] + apikey: ENC[AES256_GCM,data:j5sPXKbBhMdNHOuoTfZ+c8nGu5JameOgK2z428iLdP01Hi6MvHVaN8Zs8YxMoSBtOjdtIEC8MS+3m1S1rU/P4pCRfZpK5ua1DBHq4l0xROUqokFWjDcAmJJv3pYXl0cQxQcGKQ==,iv:v5hu3gmO1Zn1FfXkHLPGN9f7JOcQjzoQahdqJwfM+xY=,tag:uI1LFcTgcyRgAaTJ1kzKow==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -54,7 +55,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-10T09:30:19Z" - mac: ENC[AES256_GCM,data:AyVTsx8XHSD5HVShx5C4qivTvWVftrWmcr68BrkWwzaXZ+UCKIdNKITO9ByQwDqP6ZrU+lFoZRUSzJ/xeHdfgbvGuqGnDPqWPVKH030jmu7Y19mpBrsRSwrnEtu8959uhazo8+NMwFo3MoQFEeGWsr7RsV2bKSqVJxDcF0H0nKg=,iv:prrZlz+jaIP4GlBbGygpSlBMof2eMSvcsZQQAcXdhyI=,tag:WR5hJmj2zuiVUwl8Jec0Aw==,type:str] + lastmodified: "2025-12-10T12:55:31Z" + mac: ENC[AES256_GCM,data:qUZOcbHCssZC5Td1g9+TZFMccgHSDivTPF71+uGpyI88AuZAMt07kZuIuWcP4V8m633fl6WtmDAN/UP9IjbgBSUNLHpRcR5cOCAlxtLu0R0HNNIwMdxgseFTqPV/h/dMNSlEbAu06VZlt9S2CSkuTeyrP+GTpcskPJWF/RC50dk=,iv:QdwALTd3/1eKN7V3YtMf3Av0+XP6D59sQzDwqn7maOU=,tag:MX64z96lIn6RZBBsATi1ZQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 7751f756b7b8edf2ff2e60cbc1b4feed3ae59a33 Mon Sep 17 00:00:00 2001 From: chris Date: Wed, 10 Dec 2025 15:41:34 +0000 Subject: [PATCH 236/251] chore: update dependencies --- flake.lock | 80 +++++++++++++++++++++++++++--------------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/flake.lock b/flake.lock index 6f6ed7e..cd4b600 100644 --- a/flake.lock +++ b/flake.lock 
@@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1765256668, - "narHash": "sha256-kUcoFL7wNAzJhoHACpCrBOKdjwCRKgunrCV2p6LRqeQ=", - "rev": "c57b02cdf2c8fe313072a71c3433e7110640ce97", + "lastModified": 1765346666, + "narHash": "sha256-UR8bVZF12rA7yI3jdqvlTA50NUXf3F8H6GZvLYiDqYM=", + "rev": "7c9a2e4fb9d90f213f3bf3782ee460e669231bca", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/c57b02cdf2c8fe313072a71c3433e7110640ce97.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/7c9a2e4fb9d90f213f3bf3782ee460e669231bca.tar.gz" }, "original": { "type": "tarball", @@ -130,11 +130,11 @@ ] }, "locked": { - "lastModified": 1764627417, - "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=", + "lastModified": 1765326679, + "narHash": "sha256-fTLX9kDwLr9Y0rH/nG+h1XG5UU+jBcy0PFYn5eneRX8=", "owner": "nix-community", "repo": "disko", - "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3", + "rev": "d64e5cdca35b5fad7c504f615357a7afe6d9c49e", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1765243386, - "narHash": "sha256-JhKIDDrkGLZHFExPSzLLlmiPp2+/Sr0uzMMevzIJ4kQ=", + "lastModified": 1765370621, + "narHash": "sha256-3gAVH9nYc2E82tIXKFv2lMe4JohglxJtPgs0ZmXkx9c=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "8aa54e856394834c594f423c30ae871041e263c1", + "rev": "ea98c8041dad75efc80ec036643a32b12467c8b7", "type": "github" }, "original": { @@ -594,11 +594,11 @@ ] }, "locked": { - "lastModified": 1765217760, - "narHash": "sha256-BVVyAodLcAD8KOtR3yCStBHSE0WAH/xQWH9f0qsxbmk=", + "lastModified": 1765337252, + "narHash": "sha256-HuWQp8fM25fyWflbuunQkQI62Hg0ecJxWD52FAgmxqY=", "owner": "nix-community", "repo": "home-manager", - "rev": "e5b1f87841810fc24772bf4389f9793702000c9b", + "rev": "13cc1efd78b943b98c08d74c9060a5b59bf86921", "type": "github" }, "original": { 
@@ -636,11 +636,11 @@ ] }, "locked": { - "lastModified": 1764922999, - "narHash": "sha256-LSvUxKm6S6ZAd/otQSkAHd3+8KJhi8OwGJGSe0K//B8=", + "lastModified": 1765365489, + "narHash": "sha256-L0uvs+o8P5JzEcTPe2WPA48+0ZiO6+8nlfh7XSjQql4=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "9b9ead1b5591b68f4048e7205ba1397bc85ce6c4", + "rev": "ddf5db234397043a8af5c38433b5ae933d660f27", "type": "github" }, "original": { @@ -752,11 +752,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1765245994, - "narHash": "sha256-6mra5F/nfee/MXqSXMSxSpjll6U/jfo8D9X+5H2ldmM=", + "lastModified": 1765332486, + "narHash": "sha256-nVTejyI8w3ePrX4tW3lBLLg3DheqhRuxtiRefT+ynrk=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "b83769c7fd3f3ab87221fdfda23f454ae95efc46", + "rev": "a3bdc14045dc7e5fb7a94ab11064766f472279eb", "type": "github" }, "original": { @@ -852,11 +852,11 @@ ] }, "locked": { - "lastModified": 1765191003, - "narHash": "sha256-d3b3eQsdgXZDW/y4fmDuNiGBjZzwFrLhwD5i3NmM1mM=", + "lastModified": 1765376994, + "narHash": "sha256-dsgdFdj8+qh81XPB/9SlwvuhJMHPjqsf7Zk0AnsdVpY=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "a16b061ec61831755df35fae916d19b0ac5a43cc", + "rev": "30f6a14293df4938c35173a73efdeba450653d0a", "type": "github" }, "original": { @@ -914,11 +914,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1765183668, - "narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=", + "lastModified": 1765357816, + "narHash": "sha256-Uh7y3tL9SUzMjM8eO9CMqf30pPpa1i+P3asBijc32lY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fc2de1563f89f0843eba27f14576d261df0e3b80", + "rev": "004943ed3cf9de5805a0da377599d1bfdd47a98a", "type": "github" }, "original": { 
@@ -946,11 +946,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1765264094, - "narHash": "sha256-BCYwzfbI353cpjFesVAcEelBrkPOhu5cQMBNPADkEj4=", + "lastModified": 1765380834, + "narHash": "sha256-MUMk4DZ0V+gU7yee7DdiPwieRclS2uMNvLQGLWwew4M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e82b0773d332dc78ba550aa46227f21057cbaff8", + "rev": "bf83174d5ab54f384b1ec5068b3280241dbb849f", "type": "github" }, "original": { @@ -994,11 +994,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1764950072, - "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=", + "lastModified": 1765186076, + "narHash": "sha256-hM20uyap1a0M9d344I692r+ik4gTMyj60cQWO+hAYP8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f61125a668a320878494449750330ca58b78c557", + "rev": "addf7cf5f383a3101ecfba091b98d0a1263dc9b8", "type": "github" }, "original": { @@ -1183,11 +1183,11 @@ ] }, "locked": { - "lastModified": 1736130495, - "narHash": "sha256-4i9nAJEZFv7vZMmrE0YG55I3Ggrtfo5/T07JEpEZ/RM=", + "lastModified": 1765361626, + "narHash": "sha256-kX0Dp/kYSRbQ+yd9e3lmmUWdNbipufvKfL2IzbrSpnY=", "owner": "snowfallorg", "repo": "lib", - "rev": "02d941739f98a09e81f3d2d9b3ab08918958beac", + "rev": "c566ad8b7352c30ec3763435de7c8f1c46ebb357", "type": "github" }, "original": { @@ -1254,11 +1254,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1765047449, - "narHash": "sha256-VQcqjJ2g0kT9TW4ENwA2HBQJzfbCUd5s1Wm3K+R2QZY=", + "lastModified": 1765377959, + "narHash": "sha256-MsvpqrovI+iveyVam6sIPlSsUVVcmmhTxpD9w3OOsvw=", "owner": "nix-community", "repo": "stylix", - "rev": "bd00e01aab676aee88e6cc5c9238b4a5a7d6639a", + "rev": "54fcd2f342c6417548cc56f53e401224dcade639", "type": "github" }, "original": { 
@@ -1519,11 +1519,11 @@ ] }, "locked": { - "lastModified": 1765175766, - "narHash": "sha256-M4zs4bVUv0UNuVGspwwlcGs5FpCDt52LQBA5a9nj5Lg=", + "lastModified": 1765344150, + "narHash": "sha256-RoGBKQglbF19aINeV8F7DHCXxF7FrMRLgL2yjl9vOiQ=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "5126a8426773dc213a8c0f0d646aca116194dab6", + "rev": "1adab25828578301037855c59849e9bbecf8948b", "type": "github" }, "original": { From ddf66697cb0fcbfab13536bd295f923d80dabaee Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Dec 2025 08:32:28 +0100 Subject: [PATCH 237/251] chore: clean up code --- .just/machine.just | 2 +- .just/vars.just | 9 +++++---- modules/nixos/services/communication/matrix/default.nix | 2 -- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.just/machine.just b/.just/machine.just index ca10e1c..207185a 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -8,4 +8,4 @@ [no-exit-message] @update machine: just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | sed ':a;N;$!ba;s/\n/, /g')" - nixos-rebuild switch -L --use-remote-sudo --target-host {{ machine }} --flake ..#{{ machine }} + nixos-rebuild switch -L --sudo --target-host {{ machine }} --flake ..#{{ machine }} diff --git a/.just/vars.just b/.just/vars.just index 3b706da..29a3e56 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -1,4 +1,5 @@ set unstable := true +set quiet := true base_path := invocation_directory() / "systems/x86_64-linux" @@ -8,14 +9,14 @@ base_path := invocation_directory() / "systems/x86_64-linux" sops := "sops" yq := "yq" -@_default: +_default: just --list [doc('list all vars of the target machine')] list machine: sops decrypt {{ base_path }}/{{ machine }}/secrets.yml -@edit machine: +edit machine: sops edit {{ base_path }}/{{ machine }}/secrets.yml @set machine key value: 
@@ -26,10 +27,10 @@ list machine: echo "Done" -@get machine key: +get machine key: sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')" -@remove machine key: +remove machine key: sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 6405932..c8a1f41 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -95,7 +95,6 @@ in { settings = { appservice = { provisioning.enabled = false; - # port = 40011; }; homeserver = { @@ -118,7 +117,6 @@ in { settings = { appservice = { provisioning.enabled = false; - # port = 40012; }; homeserver = { From c9be7ebb43d464a891112fb392bf97f931082213 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Dec 2025 08:34:10 +0100 Subject: [PATCH 238/251] feat: add telegram bridge to matrix --- .../services/communication/matrix/default.nix | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index c8a1f41..8bab5d0 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
@@ -110,6 +110,37 @@ in { }; }; + mautrix-telegram = { + enable = true; + registerToSynapse = true; + + settings = { + telegram = { + api_id = 32770816; + api_hash = "7b63778a976619c9d4ab62adc51cde79"; + bot_token = "disabled"; + + catch_up = true; + sequential_updates = false; + }; + + appservice = { + provisioning.enabled = false; + }; + + homeserver = { + address = "http://[::1]:${toString port}"; + domain = domain; + }; + + bridge = { + permissions = { + "@chris:${domain}" = "admin"; + }; + }; + }; + }; + mautrix-whatsapp = { enable = true; registerToSynapse = true; From c16cb15c10f4b6b4c2fe0276f7f142e3d8c1faaa Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 07:35:00 +0000 Subject: [PATCH 239/251] chore(secrets): removed secret "kaas" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 3f34c21..976326e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
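Review bot: `api_id` and `api_hash` in the new `mautrix-telegram.settings.telegram` block are Telegram application credentials tied to one account, and as literals they end up in the repository and in the rendered bridge config. The NixOS module has an `environmentFile` option for this. Setting `environmentFile = config.sops.secrets."mautrix-telegram/env".path;` (a new secret; the name is a suggestion) with `MAUTRIX_TELEGRAM_TELEGRAM_API_ID` and `MAUTRIX_TELEGRAM_TELEGRAM_API_HASH` defined in that file keeps both out of the repository. The values committed here should be treated as disclosed.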
@@ -10,7 +10,6 @@ forgejo: synapse: oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str] oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str] -kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str] radarr: apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str] sonarr: @@ -55,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-10T12:55:31Z" - mac: ENC[AES256_GCM,data:qUZOcbHCssZC5Td1g9+TZFMccgHSDivTPF71+uGpyI88AuZAMt07kZuIuWcP4V8m633fl6WtmDAN/UP9IjbgBSUNLHpRcR5cOCAlxtLu0R0HNNIwMdxgseFTqPV/h/dMNSlEbAu06VZlt9S2CSkuTeyrP+GTpcskPJWF/RC50dk=,iv:QdwALTd3/1eKN7V3YtMf3Av0+XP6D59sQzDwqn7maOU=,tag:MX64z96lIn6RZBBsATi1ZQ==,type:str] + lastmodified: "2025-12-11T07:34:59Z" + mac: ENC[AES256_GCM,data:wEi918sFOHyo1QE50ce9CffDnxlno6UAGOGduM3GCR33LOsK/brPsQaV79k2EbLOdb2/vOy8A3SYAtmVs7s7tVIpukTyUjOLYL17Zu8DVKiQ5GHnJG+A564hj4kN4vS9fUStkpj+HiaBnkXUvIDRUGmXPkWhomwl8FvQca44ipk=,iv:bjAup4SJI62kQnjU0jzZMjwHJFJgkmtpp601rpl7aqM=,tag:aBrxrysJ/xCvEtM7OoJ1NA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 0fa3b79bd9b1b992ff2435530a5298db511e64da Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 11 Dec 2025 16:48:46 +0100 Subject: [PATCH 240/251] feat: jq just became a 1M times cooler! --- .jq/format.jq | 34 ++ .jq/table.jq | 59 +++ .just/users.just | 27 ++ .just/vars.just | 6 - .justfile | 3 + .../services/communication/matrix/default.nix | 3 +- .../nixos/services/media/mydia/default.nix | 11 +- .../nixos/services/media/servarr/default.nix | 39 +- sabnzbd.ini | 395 ++++++++++++++++++ 9 files changed, 568 insertions(+), 9 deletions(-) create mode 100644 .jq/format.jq create mode 100644 .jq/table.jq create mode 100644 .just/users.just create mode 100644 sabnzbd.ini diff --git a/.jq/format.jq b/.jq/format.jq new file mode 100644 index 0000000..5c65495 --- /dev/null +++ b/.jq/format.jq @@ -0,0 +1,34 @@ +def RESET: "0"; +def BOLD: "1"; +def DIM: "2"; +def ITALIC: "3"; +def UNDERLINE: "4"; +def BLINKING: "5"; +def INVERSE: "7"; +def HIDDEN: "8"; +def STRIKETHROUGH: "9"; +def RESET_FONT: "22"; + +def BLACK: 0; +def RED: 1; +def GREEN: 2; +def YELLOW: 3; +def BLUE: 4; +def MAGENTA: 5; +def CYAN: 6; +def WHITE: 7; +def DEFAULT: 9; + +def foreground(color): 30 + color; +def background(color): 40 + color; +def bright(color): 60 + color; + +def escape(options): + (if ((options|type) == "array") then options else [options] end) as $o + | "\u001b[\($o | map(tostring) | join(";"))m"; + +def style(options): escape(options) + . + escape([RESET]); + +def to_title: + (.|ascii_upcase) as $str + | escape([BOLD, foreground(BLACK), background(WHITE)]) + " " + $str + " " + escape([RESET]); diff --git a/.jq/table.jq b/.jq/table.jq new file mode 100644 index 0000000..83b98f2 --- /dev/null +++ b/.jq/table.jq 
@@ -0,0 +1,59 @@ +import "format" as _ {search:"./"}; + +def n_max(limit): + if . > limit then limit else . end; + +def n_min(limit): + if . < limit then limit else . end; + +def pad_right(width): + (. | tostring) as $s + | ($s | length) as $l + | ((width - $l) | n_min(0)) as $w + | ($s + (" " * $w)); + +def to_cells(sizes; fn): + to_entries + | map( + (sizes[.key]) as $size + | (" " + .value) + | pad_right($size + 2) + | fn // . + ); + +def to_cells(sizes): to_cells(sizes; null); + +def to_line(left; joiner; right): + [left, .[1], (.[1:] | map([joiner, .]) ), right] | flatten | join(""); + +def to_table(data; header_callback; cell_callback): + (data[0] | to_entries | map(.key)) as $keys + | ([$keys]) as $header + | (data | map(to_entries | map(.value))) as $rows + | ($header + $rows) as $cells + | ( + $keys # Use keys so that we have an array of the correct size + | to_entries + | map( + (.key) as $i + | $cells + | map(.[$i] | length) + | max + ) + ) as $column_sizes + | ( + [ + ($column_sizes | map("═" * (. + 2)) | to_line("╔"; "╤"; "╗")), + ($keys | to_cells($column_sizes; header_callback) | to_line("║"; "│"; "║")), + ($rows | map([ + ($column_sizes | map("─" * (. + 2)) | to_line("╟"; "┼"; "╢")), + (. | to_cells($column_sizes; cell_callback) | to_line("║"; "│"; "║")) + ])), + ($column_sizes | map("═" * (. + 2)) | to_line("╚"; "╧"; "╝")) + ] + | flatten + | join("\n") + ); + +def to_table(data; header_callback): to_table(data; header_callback; null); +def to_table(data): to_table(data; _::style(_::BOLD); null); diff --git a/.just/users.just b/.just/users.just new file mode 100644 index 0000000..cecd74b --- /dev/null +++ b/.just/users.just 
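Review bot: `to_line` in `.jq/table.jq` builds each row from `.[1]` followed by `.[1:]`, and jq arrays are zero-based, so the first cell of every row is dropped and the second is printed twice; a one-column table loses its only cell. The head element should be `.[0]`: `[left, .[0], (.[1:] | map([joiner, .])), right] | flatten | join("")`. Separately, `n_max` and `n_min` are named opposite to what they compute (`n_min(0)` raises values below 0 up to 0). A short comment on `n_min` such as `# clamp from below: never return less than limit` would make that clear.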
@@ -0,0 +1,27 @@ +set unstable := true +set quiet := true + +_default: + just --list + +[script] +list: + cd .. && just vars get ulmo zitadel/users \ + | jq fromjson \ + | jq -r -C ' + include ".jq/table"; + include ".jq/format"; + + to_entries + | sort_by(.key) + | map( + (.key|to_title) + ":\n" + + to_table( + .value + | to_entries + | sort_by(.key) + | map({username:.key} + .value) + ) + ) + | join("\n\n┄┄┄\n\n") + ' diff --git a/.just/vars.just b/.just/vars.just index 29a3e56..230f00c 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -3,12 +3,6 @@ set quiet := true base_path := invocation_directory() / "systems/x86_64-linux" -# sops := "nix shell nixpkgs#sops --command sops" -# yq := "nix shell nixpkgs#yq --command yq" - -sops := "sops" -yq := "yq" - _default: just --list diff --git a/.justfile b/.justfile index 75537e1..cee0db9 100644 --- a/.justfile +++ b/.justfile @@ -4,6 +4,9 @@ [doc('Manage vars')] mod vars '.just/vars.just' +[doc('Manage users')] +mod users '.just/users.just' + [doc('Manage machines')] mod machine '.just/machine.just' diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index 8bab5d0..33af8e4 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix @@ -121,10 +121,11 @@ in { bot_token = "disabled"; catch_up = true; - sequential_updates = false; + sequential_updates = true; }; appservice = { + port = 40011; provisioning.enabled = false; }; diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix index 2bee38a..7e082a3 100644 --- a/modules/nixos/services/media/mydia/default.nix +++ b/modules/nixos/services/media/mydia/default.nix 
@@ -36,7 +36,7 @@ in { # uri = "file:///var/lib/mydia/mydia.db"; type = "postgres"; uri = "postgres://mydia@localhost:5432/mydia?sslmode=disable"; - passwordFile = config.sops.secrets."mydia/qbittorrent_password".path; + passwordFile = config.sops.templates."mydia/database_password".path; }; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; @@ -82,5 +82,14 @@ in { key = "qbittorrent/password"; }; }; + + sops.templates."mydia/database_password" = { + owner = config.services.mydia.user; + group = config.services.mydia.group; + restartUnits = ["mydia.service"]; + content = '' + DATABASE_PASSWORD="" + ''; + }; }; } diff --git a/modules/nixos/services/media/servarr/default.nix b/modules/nixos/services/media/servarr/default.nix index c09e66f..bb90352 100644 --- a/modules/nixos/services/media/servarr/default.nix +++ b/modules/nixos/services/media/servarr/default.nix @@ -96,7 +96,8 @@ in { sabnzbd = { enable = true; openFirewall = true; - configFile = config.sops.templates."sabnzbd/config.ini".path; + configFile = "/var/media/sabnzbd/config.ini"; + # configFile = config.sops.templates."sabnzbd/config.ini".path; user = "sabnzbd"; group = "media"; 
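Review bot: The new `sops.templates."mydia/database_password"` has the fixed content `DATABASE_PASSWORD=""` and references no `config.sops.placeholder`, so the file that `passwordFile` now points at holds no secret. Whether the mydia module reads `passwordFile` as a raw password or as an env file is not visible here: in the first case the password becomes that literal line, in the second it is empty. If a password is intended, declare it as a secret and render it, e.g. `content = config.sops.placeholder."mydia/database_password";` (the secret name is a suggestion). If passwordless local authentication is intended, dropping `passwordFile` makes that explicit.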
@@ -301,12 +302,48 @@ in { })) |> lib.concat [ { + secrets = { + "sabnzbd/apikey" = {}; + "sabnzbd/sunnyweb/username" = {}; + "sabnzbd/sunnyweb/password" = {}; + }; + templates = { "sabnzbd/config.ini" = { owner = "sabnzbd"; group = "media"; + mode = "0660"; content = '' + __version__ = 19 + __encoding__ = utf-8 + [misc] + download_dir = /var/media/downloads/incomplete + complete_dir = /var/media/downloads/done + api_key = ${config.sops.placeholder."sabnzbd/apikey"} + log_dir = logs + [servers] + [[news.sunnyusenet.com]] + name = news.sunnyusenet.com + displayname = news.sunnyusenet.com + host = news.sunnyusenet.com + port = 563 + timeout = 60 + username = ${config.sops.placeholder."sabnzbd/sunnyweb/username"} + password = ${config.sops.placeholder."sabnzbd/sunnyweb/password"} + connections = 8 + ssl = 1 + ssl_verify = 3 + ssl_ciphers = "" + enable = 1 + required = 0 + optional = 0 + retention = 0 + expire_date = "" + quota = "" + usage_at_start = 0 + priority = 1 + notes = "" ''; }; }; diff --git a/sabnzbd.ini b/sabnzbd.ini new file mode 100644 index 0000000..fd60f57 --- /dev/null +++ b/sabnzbd.ini 
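Review bot: `mode = "0660"` on the `sabnzbd/config.ini` template makes the rendered file, which holds `api_key` and the news-server `username`/`password`, readable and writable by every account in group `media`. If only the `sabnzbd` user needs it, `mode = "0600";` is the tighter choice; if group access is deliberate, a short comment naming the service that needs it would help. The template also leaves out `host`, `port`, `url_base` and `host_whitelist`, which the `sabnzbd.ini` committed alongside sets, so SABnzbd would presumably fall back to its defaults for them; confirm that before pointing `configFile` back at the template. The `lib.concat [` list this sits in starts and ends outside the hunk.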
@@ -0,0 +1,395 @@ +__version__ = 19 +__encoding__ = utf-8 +[misc] +helpful_warnings = 1 +queue_complete = hibernate_pc +queue_complete_pers = 0 +bandwidth_perc = 100 +refresh_rate = 1 +interface_settings = '{"dateFormat":"YYYY-MM-DD HH:mm","extraQueueColumns":[],"extraHistoryColumns":[],"displayCompact":false,"displayFullWidth":false,"confirmDeleteQueue":true,"confirmDeleteHistory":true,"keyboardShortcuts":true}' +queue_limit = 20 +config_lock = 0 +fixed_ports = 1 +notified_new_skin = 2 +direct_unpack_tested = 1 +sorters_converted = 1 +check_new_rel = 1 +auto_browser = 0 +language = en +enable_https_verification = 0 +host = 0.0.0.0 +port = 8080 +https_port = "" +username = "" +password = "" +bandwidth_max = "" +cache_limit = 1G +web_dir = Glitter +web_color = Auto +https_cert = server.cert +https_key = server.key +https_chain = "" +enable_https = 0 +inet_exposure = 0 +api_key = 0052eba0db9d4b4f93a8a96f0cb85198 +nzb_key = 171ebeb3e0044c379dc7719bef6b3144 +socks5_proxy_url = "" +permissions = "" +download_dir = /var/media/downloads/incomplete +download_free = "" +complete_dir = /var/media/downloads/done +complete_free = "" +fulldisk_autoresume = 0 +script_dir = "" +nzb_backup_dir = "" +admin_dir = admin +backup_dir = "" +dirscan_dir = "" +dirscan_speed = 5 +password_file = "" +log_dir = logs +max_art_tries = 3 +top_only = 0 +sfv_check = 1 +script_can_fail = 0 +enable_recursive = 1 +flat_unpack = 0 +par_option = "" +pre_check = 0 +nice = "" +win_process_prio = 3 +ionice = "" +fail_hopeless_jobs = 1 +fast_fail = 1 +auto_disconnect = 1 +pre_script = None +end_queue_script = None +no_dupes = 0 +no_series_dupes = 0 +no_smart_dupes = 0 +dupes_propercheck = 1 +pause_on_pwrar = 1 +ignore_samples = 0 +deobfuscate_final_filenames = 1 +auto_sort = "" +direct_unpack = 0 +propagation_delay = 0 +folder_rename = 1 +replace_spaces = 0 +replace_underscores = 0 +replace_dots = 0 +safe_postproc = 1 +pause_on_post_processing = 0 +enable_all_par = 0 +sanitize_safe = 0 +cleanup_list = , 
+unwanted_extensions = , +action_on_unwanted_extensions = 0 +unwanted_extensions_mode = 0 +new_nzb_on_failure = 0 +history_retention = "" +history_retention_option = all +history_retention_number = 1 +quota_size = "" +quota_day = "" +quota_resume = 0 +quota_period = m +enable_tv_sorting = 0 +tv_sort_string = "" +tv_categories = tv, +enable_movie_sorting = 0 +movie_sort_string = "" +movie_sort_extra = -cd%1 +movie_categories = movies, +enable_date_sorting = 0 +date_sort_string = "" +date_categories = tv, +schedlines = , +rss_rate = 60 +ampm = 0 +start_paused = 0 +preserve_paused_state = 0 +enable_par_cleanup = 1 +process_unpacked_par2 = 1 +enable_multipar = 1 +enable_unrar = 1 +enable_7zip = 1 +enable_filejoin = 1 +enable_tsjoin = 1 +overwrite_files = 0 +ignore_unrar_dates = 0 +backup_for_duplicates = 0 +empty_postproc = 0 +wait_for_dfolder = 0 +rss_filenames = 0 +api_logging = 1 +html_login = 1 +warn_dupl_jobs = 0 +keep_awake = 1 +tray_icon = 1 +allow_incomplete_nzb = 0 +enable_broadcast = 1 +ipv6_hosting = 0 +ipv6_staging = 0 +api_warnings = 1 +no_penalties = 0 +x_frame_options = 1 +allow_old_ssl_tls = 0 +enable_season_sorting = 1 +verify_xff_header = 0 +rss_odd_titles = nzbindex.nl/, nzbindex.com/, nzbclub.com/ +quick_check_ext_ignore = nfo, sfv, srr +req_completion_rate = 100.2 +selftest_host = self-test.sabnzbd.org +movie_rename_limit = 100M +episode_rename_limit = 20M +size_limit = 0 +direct_unpack_threads = 3 +history_limit = 5 +wait_ext_drive = 5 +max_foldername_length = 246 +nomedia_marker = "" +ipv6_servers = 1 +url_base = /sabnzbd +host_whitelist = usenet.kruining.eu, ulmo +local_ranges = , +max_url_retries = 10 +downloader_sleep_time = 10 +receive_threads = 2 +switchinterval = 0.005 +ssdp_broadcast_interval = 15 +ext_rename_ignore = , +email_server = "" +email_to = , +email_from = "" +email_account = "" +email_pwd = "" +email_endjob = 0 +email_full = 0 +email_dir = "" +email_rss = 0 +email_cats = *, +config_conversion_version = 4 +disable_par2cmdline = 0 
+disable_archive = 0 +unrar_parameters = "" +outgoing_nntp_ip = "" +[logging] +log_level = 1 +max_log_size = 5242880 +log_backups = 5 +[ncenter] +ncenter_enable = 0 +ncenter_cats = *, +ncenter_prio_startup = 0 +ncenter_prio_download = 0 +ncenter_prio_pause_resume = 0 +ncenter_prio_pp = 0 +ncenter_prio_complete = 1 +ncenter_prio_failed = 1 +ncenter_prio_disk_full = 1 +ncenter_prio_new_login = 0 +ncenter_prio_warning = 0 +ncenter_prio_error = 0 +ncenter_prio_queue_done = 0 +ncenter_prio_other = 1 +ncenter_prio_quota = 1 +[acenter] +acenter_enable = 0 +acenter_cats = *, +acenter_prio_startup = 0 +acenter_prio_download = 0 +acenter_prio_pause_resume = 0 +acenter_prio_pp = 0 +acenter_prio_complete = 1 +acenter_prio_failed = 1 +acenter_prio_disk_full = 1 +acenter_prio_new_login = 0 +acenter_prio_warning = 0 +acenter_prio_error = 0 +acenter_prio_queue_done = 0 +acenter_prio_other = 1 +acenter_prio_quota = 1 +[ntfosd] +ntfosd_enable = 1 +ntfosd_cats = *, +ntfosd_prio_startup = 0 +ntfosd_prio_download = 0 +ntfosd_prio_pause_resume = 0 +ntfosd_prio_pp = 0 +ntfosd_prio_complete = 1 +ntfosd_prio_failed = 1 +ntfosd_prio_disk_full = 1 +ntfosd_prio_new_login = 0 +ntfosd_prio_warning = 0 +ntfosd_prio_error = 0 +ntfosd_prio_queue_done = 0 +ntfosd_prio_other = 1 +ntfosd_prio_quota = 1 +[prowl] +prowl_enable = 0 +prowl_cats = *, +prowl_apikey = "" +prowl_prio_startup = -3 +prowl_prio_download = -3 +prowl_prio_pause_resume = -3 +prowl_prio_pp = -3 +prowl_prio_complete = 0 +prowl_prio_failed = 1 +prowl_prio_disk_full = 1 +prowl_prio_new_login = -3 +prowl_prio_warning = -3 +prowl_prio_error = -3 +prowl_prio_queue_done = -3 +prowl_prio_other = 0 +prowl_prio_quota = 0 +[pushover] +pushover_token = "" +pushover_userkey = "" +pushover_device = "" +pushover_emergency_expire = 3600 +pushover_emergency_retry = 60 +pushover_enable = 0 +pushover_cats = *, +pushover_prio_startup = -3 +pushover_prio_download = -2 +pushover_prio_pause_resume = -2 +pushover_prio_pp = -3 +pushover_prio_complete = -1 
+pushover_prio_failed = -1 +pushover_prio_disk_full = 1 +pushover_prio_new_login = -3 +pushover_prio_warning = 1 +pushover_prio_error = 1 +pushover_prio_queue_done = -3 +pushover_prio_other = -1 +pushover_prio_quota = -1 +[pushbullet] +pushbullet_enable = 0 +pushbullet_cats = *, +pushbullet_apikey = "" +pushbullet_device = "" +pushbullet_prio_startup = 0 +pushbullet_prio_download = 0 +pushbullet_prio_pause_resume = 0 +pushbullet_prio_pp = 0 +pushbullet_prio_complete = 1 +pushbullet_prio_failed = 1 +pushbullet_prio_disk_full = 1 +pushbullet_prio_new_login = 0 +pushbullet_prio_warning = 0 +pushbullet_prio_error = 0 +pushbullet_prio_queue_done = 0 +pushbullet_prio_other = 1 +pushbullet_prio_quota = 1 +[apprise] +apprise_enable = 0 +apprise_cats = *, +apprise_urls = "" +apprise_target_startup = "" +apprise_target_startup_enable = 0 +apprise_target_download = "" +apprise_target_download_enable = 0 +apprise_target_pause_resume = "" +apprise_target_pause_resume_enable = 0 +apprise_target_pp = "" +apprise_target_pp_enable = 0 +apprise_target_complete = "" +apprise_target_complete_enable = 1 +apprise_target_failed = "" +apprise_target_failed_enable = 1 +apprise_target_disk_full = "" +apprise_target_disk_full_enable = 0 +apprise_target_new_login = "" +apprise_target_new_login_enable = 1 +apprise_target_warning = "" +apprise_target_warning_enable = 0 +apprise_target_error = "" +apprise_target_error_enable = 0 +apprise_target_queue_done = "" +apprise_target_queue_done_enable = 0 +apprise_target_other = "" +apprise_target_other_enable = 1 +apprise_target_quota = "" +apprise_target_quota_enable = 1 +[nscript] +nscript_enable = 0 +nscript_cats = *, +nscript_script = "" +nscript_parameters = "" +nscript_prio_startup = 0 +nscript_prio_download = 0 +nscript_prio_pause_resume = 0 +nscript_prio_pp = 0 +nscript_prio_complete = 1 +nscript_prio_failed = 1 +nscript_prio_disk_full = 1 +nscript_prio_new_login = 0 +nscript_prio_warning = 0 +nscript_prio_error = 0 +nscript_prio_queue_done = 0 
+nscript_prio_other = 1 +nscript_prio_quota = 1 +[categories] +[[*]] +name = * +order = 0 +pp = 3 +script = None +dir = "" +newzbin = "" +priority = 0 +[[movies]] +name = movies +order = 1 +pp = "" +script = Default +dir = "" +newzbin = "" +priority = -100 +[[tv]] +name = tv +order = 2 +pp = "" +script = Default +dir = "" +newzbin = "" +priority = -100 +[[audio]] +name = audio +order = 3 +pp = "" +script = Default +dir = "" +newzbin = "" +priority = -100 +[[software]] +name = software +order = 4 +pp = "" +script = Default +dir = "" +newzbin = "" +priority = -100 +[servers] +[[news.sunnyusenet.com]] +name = news.sunnyusenet.com +displayname = news.sunnyusenet.com +host = news.sunnyusenet.com +port = 563 +timeout = 60 +username = michiel@hazelhof.nl +password = dasusenet +connections = 8 +ssl = 1 +ssl_verify = 3 +ssl_ciphers = "" +enable = 1 +required = 0 +optional = 0 +retention = 0 +expire_date = "" +quota = "" +usage_at_start = 0 +priority = 1 +notes = "" From 4f5b2372d5237ba7ee538f33aed43a81c67a4b64 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 21:13:42 +0000 Subject: [PATCH 241/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 976326e..255ae2e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:xkjm0+PBt6gmZyfi3n3OIEe5b+d4OtN0Y3UfmdcbcJHbJZuiz+60oUjlAN0vjtsi0muufoAqtGJTIpm9nDZzzN7b7LK43TAhcuSlIm5LpbZFp1U3H4laRbTwauAT6wA0aDCfAkwTozxAuEUk1jAu+65ktJNJb7b0PR7s/I/wf7IgW2+K4Jv3LIOZIipUwfuvXuTzsxCElYRvGZXmIuXrYq1EaymksHHggemrKeMWLAae7mzz5v3aBbwxiVjQNkQkS4ApsO/5nZUat0oqXA==,iv:fptZn4NmX3iYKSEPLJAOFpt+KQ6TR1w9KaY9IF4p/Wk=,tag:UKvMOSIT5/mhfZA3usbLhQ==,type:str] + users: ENC[AES256_GCM,data:J8BydII0eLW7gPo2orNS8VQ/YuxqGKtyXiW5CWtoJJY5EN6CtcmSTPCJB5eftBNxnTZy3RNmYp8OYdD8TE5G1BhmizUsEQv7lrbO5R7p4FuMxeix0bi3hRcBtpv6gOLPjC/V3xs4gIX6hCm+2zOW9k/9e0K30TDTN2PEfwmAV8bOSu5oV6jxvMogu2MJ4sXR+RTmrURVg6hu0IC2m7j9RUExG0HDoZlEWKKDWm2KLncd135s5bEh9qXLCGTTZHPsK+9tp38jXxSEs/eHEmCKAHMrE5ZYUkPQLxsAnbfe34kMYAiM/97fPWwDuQpK7wG2eG+y1HbxbzJCVp1KYftcDXpnMSVYmBc=,iv:+bSmAeoKuxaDrx/2H4/uuwNx+M5swzqRnL7AyYuR49k=,tag:KM7OI6oHME2YosGixHvCQw==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T07:34:59Z" - mac: ENC[AES256_GCM,data:wEi918sFOHyo1QE50ce9CffDnxlno6UAGOGduM3GCR33LOsK/brPsQaV79k2EbLOdb2/vOy8A3SYAtmVs7s7tVIpukTyUjOLYL17Zu8DVKiQ5GHnJG+A564hj4kN4vS9fUStkpj+HiaBnkXUvIDRUGmXPkWhomwl8FvQca44ipk=,iv:bjAup4SJI62kQnjU0jzZMjwHJFJgkmtpp601rpl7aqM=,tag:aBrxrysJ/xCvEtM7OoJ1NA==,type:str] + lastmodified: "2025-12-11T21:13:41Z" + mac: ENC[AES256_GCM,data:TK1gJF2n9C9ja/ubPlDy8DCAqG12KqvyxTD6eVJ69fdApYC6B1nLW0FHV7VEqHQOlAhN66RfVhARIl61YCG2UC66IijO2s37tDKpyQOpZUGNf3s4kipwq9SD2zBMletF2SkggqURiBReeVdVxBgPEnPi3uKBLSJ1UVZSlnc43bY=,iv:WU2eTHYPYnREcOcqClqqj1oOrBE2ijNtNwshz7hpdQ8=,tag:Gt6cdlQEhYm8kg/hdhxYTg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 6641632319a7e15ceaf84c8136876de0c7d52c84 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 21:14:40 +0000 Subject: [PATCH 242/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 255ae2e..39a5b5a 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T21:13:41Z" - mac: ENC[AES256_GCM,data:TK1gJF2n9C9ja/ubPlDy8DCAqG12KqvyxTD6eVJ69fdApYC6B1nLW0FHV7VEqHQOlAhN66RfVhARIl61YCG2UC66IijO2s37tDKpyQOpZUGNf3s4kipwq9SD2zBMletF2SkggqURiBReeVdVxBgPEnPi3uKBLSJ1UVZSlnc43bY=,iv:WU2eTHYPYnREcOcqClqqj1oOrBE2ijNtNwshz7hpdQ8=,tag:Gt6cdlQEhYm8kg/hdhxYTg==,type:str] + lastmodified: "2025-12-11T21:14:39Z" + mac: ENC[AES256_GCM,data:IdJz6m8YtzyB5PptPBceFuTQH2KLoS1RQSKiXuAQyjSqibOljtAgisixOxbPzjgKij8OkRWxQuNdlLcSFt7RAf13HPlGh1U2tl+zzsgYyKGkOiQql8kmfWzI0RaPsVHOPeM0CJHcPMJs/K+T1QN5H/OlIuMim5/shLkLImTwb54=,iv:Zxz6vs8gJJA1eGgv9wusDz/45R5r0/Da6Eg3lbzqF80=,tag:5ivhveUm4cPMUHT91uthjQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 769bb3d3d0442baeccd0145561d54171542060a5 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 21:26:03 +0000 Subject: [PATCH 243/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 39a5b5a..741511c 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T21:14:39Z" - mac: ENC[AES256_GCM,data:IdJz6m8YtzyB5PptPBceFuTQH2KLoS1RQSKiXuAQyjSqibOljtAgisixOxbPzjgKij8OkRWxQuNdlLcSFt7RAf13HPlGh1U2tl+zzsgYyKGkOiQql8kmfWzI0RaPsVHOPeM0CJHcPMJs/K+T1QN5H/OlIuMim5/shLkLImTwb54=,iv:Zxz6vs8gJJA1eGgv9wusDz/45R5r0/Da6Eg3lbzqF80=,tag:5ivhveUm4cPMUHT91uthjQ==,type:str] + lastmodified: "2025-12-11T21:26:03Z" + mac: ENC[AES256_GCM,data:9HIMBsePObNInn83qMDRX39mZ9qrjYCBDWVXcHB2Ws9I3ag5qp1wM/DmtXTI2tuMqS6op3xw0FgwzK2rkO+UHiWOKWBhiI5PQlw15J0WaWS4mDDqc/L8nGwMrdFF1SVJlkM5gk1IriOXgOcsH3nIrdTgL5+6u5W46VMA1DJ23Xw=,iv:0HbK6wIm/CewWX8ppojMRaZMVRcBGOPMWorLFJUBWQk=,tag:sNBm3YeYEQuFuuFxFzR32g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 5819545a8b02c9c41b3f728865070997b7ba5716 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 21:32:24 +0000 Subject: [PATCH 244/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 741511c..c36cd43 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T21:26:03Z" - mac: ENC[AES256_GCM,data:9HIMBsePObNInn83qMDRX39mZ9qrjYCBDWVXcHB2Ws9I3ag5qp1wM/DmtXTI2tuMqS6op3xw0FgwzK2rkO+UHiWOKWBhiI5PQlw15J0WaWS4mDDqc/L8nGwMrdFF1SVJlkM5gk1IriOXgOcsH3nIrdTgL5+6u5W46VMA1DJ23Xw=,iv:0HbK6wIm/CewWX8ppojMRaZMVRcBGOPMWorLFJUBWQk=,tag:sNBm3YeYEQuFuuFxFzR32g==,type:str] + lastmodified: "2025-12-11T21:32:23Z" + mac: ENC[AES256_GCM,data:Y4K10+NXrZOPVRz1+IPcCF9yqJ0bqoGG5TwHeqZ/MpjSwwOXnPLJojF9L+3BnN2EWvIf+Zex8UsLqQVPPkUef2eI/FcNfcjuOe1OVsNOr6Z05Wkouo5j5qwEpKIMEMNzrI1iG6460UpJ6sZBvGTaSd5ShDMt21fqHy2NhUfWDtA=,iv:2z3kA3pRz51wl5ZRp1BORwfERXGaOizroWHXMdztTbI=,tag:4rAYtmk3u9MXmAEn2QnBrw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 1610ab1ca00f2e52ec05a6afd6bd5744ecd59073 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 21:43:37 +0000 Subject: [PATCH 245/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index c36cd43..b7c0cc0 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:J8BydII0eLW7gPo2orNS8VQ/YuxqGKtyXiW5CWtoJJY5EN6CtcmSTPCJB5eftBNxnTZy3RNmYp8OYdD8TE5G1BhmizUsEQv7lrbO5R7p4FuMxeix0bi3hRcBtpv6gOLPjC/V3xs4gIX6hCm+2zOW9k/9e0K30TDTN2PEfwmAV8bOSu5oV6jxvMogu2MJ4sXR+RTmrURVg6hu0IC2m7j9RUExG0HDoZlEWKKDWm2KLncd135s5bEh9qXLCGTTZHPsK+9tp38jXxSEs/eHEmCKAHMrE5ZYUkPQLxsAnbfe34kMYAiM/97fPWwDuQpK7wG2eG+y1HbxbzJCVp1KYftcDXpnMSVYmBc=,iv:+bSmAeoKuxaDrx/2H4/uuwNx+M5swzqRnL7AyYuR49k=,tag:KM7OI6oHME2YosGixHvCQw==,type:str] + users: ENC[AES256_GCM,data:PU1JLhErx3dGQHC8nwph+Kz86T5IlU/pN7aScECKSxt6QJoHtpdTdJzEUlfpHN9cshZXBvZLvK8E+bFunS4UEMqhd557dpr7yj0VKIfrMOV+NmWZ4Jp2KX6R+HSV+LC6Tym5TcRJ6MCyYHB9tnxlukI556bFWpGrjYaxwlvn/4lCAlvCW/4HYjnDsj9ILQ1OLy0w4jMFz0hPUjRoQ/w6c8rKGDIa4HTwxNDr+J6LhkoaewdTT1Z8+g/vTN7JaPJ5dknLliJLtsA0q/czSUw7bCqGRpDSZ2tcAgFaFpyTArAZJHeMqjqvKrqP1mzoVrandVYbERXaQqKy0FAtzMl22ddSNT6V8gEVrgHuf99LlPOIM5hEB5Vs3HDvSVsdCp0pAyee42jHPiaUfN9kyI5r1tZjWAg=,iv:bo4jp4nCDBaZWr7RdKAczbrnkv1+itpXlobVwHqJi2s=,tag:edLXxKbRSr9KU3CixFYECg==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T21:32:23Z" - mac: ENC[AES256_GCM,data:Y4K10+NXrZOPVRz1+IPcCF9yqJ0bqoGG5TwHeqZ/MpjSwwOXnPLJojF9L+3BnN2EWvIf+Zex8UsLqQVPPkUef2eI/FcNfcjuOe1OVsNOr6Z05Wkouo5j5qwEpKIMEMNzrI1iG6460UpJ6sZBvGTaSd5ShDMt21fqHy2NhUfWDtA=,iv:2z3kA3pRz51wl5ZRp1BORwfERXGaOizroWHXMdztTbI=,tag:4rAYtmk3u9MXmAEn2QnBrw==,type:str] + lastmodified: "2025-12-11T21:43:36Z" + mac: ENC[AES256_GCM,data:DfOJESY42ZRDcrWYWKESRjYx9v3A+tX97dyfVxd+nJUbg3fxirc2ixLNedFG4qiw/O3C2HxikaOOmIntDSTB6iziXfrcgjsRB5fLJ7pyZG0sHl27n/FiNs/MUMd0eJmsiWzujxmYFauozMCuIYX+IjmzSs1k61Bk9OXEjuA+sVM=,iv:fX0fyMQsk6AMiYj6QpaBlxMtVpwnwac2omOMCp3nV1A=,tag:Zq5ggo/t83Ivw3i4ehGZgA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9247e5c24837cac3ac73a2ed5316bd7d767bf45a Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 21:50:32 +0000 Subject: [PATCH 246/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b7c0cc0..b7f7e4e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T21:43:36Z" - mac: ENC[AES256_GCM,data:DfOJESY42ZRDcrWYWKESRjYx9v3A+tX97dyfVxd+nJUbg3fxirc2ixLNedFG4qiw/O3C2HxikaOOmIntDSTB6iziXfrcgjsRB5fLJ7pyZG0sHl27n/FiNs/MUMd0eJmsiWzujxmYFauozMCuIYX+IjmzSs1k61Bk9OXEjuA+sVM=,iv:fX0fyMQsk6AMiYj6QpaBlxMtVpwnwac2omOMCp3nV1A=,tag:Zq5ggo/t83Ivw3i4ehGZgA==,type:str] + lastmodified: "2025-12-11T21:50:31Z" + mac: ENC[AES256_GCM,data:abjGTh1BS2n4DYtH8WvSUIsYtVkOVjcJKzIRYhxRi7WzP5LPJroYXL+jgdbr8Ryt+8s2AIZshRnbxitwzfKf3mx6qVQ5pK8+e7C/+sCMHnbQDXf3Z6OKSElqJMT4T5dZBbUj+64lbKM0dbnQLTMHNwjqDmtA9Xn7dCgjLjS+yZ8=,iv:AKyUqCOkoapTpFEK7FZpoDGuIRIqb9SHo2BH2vDy9Ms=,tag:GLQenq7VeIVC9Ir5fwW9Lg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 2e9c79b6f069465585cdb8fbec32cb299f08989e Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 21:51:00 +0000 Subject: [PATCH 247/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index b7f7e4e..e644d84 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T21:50:31Z" - mac: ENC[AES256_GCM,data:abjGTh1BS2n4DYtH8WvSUIsYtVkOVjcJKzIRYhxRi7WzP5LPJroYXL+jgdbr8Ryt+8s2AIZshRnbxitwzfKf3mx6qVQ5pK8+e7C/+sCMHnbQDXf3Z6OKSElqJMT4T5dZBbUj+64lbKM0dbnQLTMHNwjqDmtA9Xn7dCgjLjS+yZ8=,iv:AKyUqCOkoapTpFEK7FZpoDGuIRIqb9SHo2BH2vDy9Ms=,tag:GLQenq7VeIVC9Ir5fwW9Lg==,type:str] + lastmodified: "2025-12-11T21:50:59Z" + mac: ENC[AES256_GCM,data:O3I8dUG3JgfhDRC8V4gYjyACfXL/u8kuV0G31yz0qu2J3wkSI0tq3MR4+oZXFxDt8YkMevCUuQFZF4faYyTeFcdwRKlev0WexH1dWT22DUm+tkmcg2R1tv7TI/US6GTlXu/g9WGrLkHZjh1YQZ9AUNxtwL6O/CaKOuiR2nmmtYE=,iv:ojDH8+YWJQK3Rp6dHwj1T+/SVltnFDKKsOmYyeQpoMc=,tag:ieca6xM/sw7pjpu8czdv0A==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 174b85a3e2c0582e3f4d32da50fb422f0a2a9920 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 22:11:51 +0000 Subject: [PATCH 248/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index e644d84..8a8b744 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:PU1JLhErx3dGQHC8nwph+Kz86T5IlU/pN7aScECKSxt6QJoHtpdTdJzEUlfpHN9cshZXBvZLvK8E+bFunS4UEMqhd557dpr7yj0VKIfrMOV+NmWZ4Jp2KX6R+HSV+LC6Tym5TcRJ6MCyYHB9tnxlukI556bFWpGrjYaxwlvn/4lCAlvCW/4HYjnDsj9ILQ1OLy0w4jMFz0hPUjRoQ/w6c8rKGDIa4HTwxNDr+J6LhkoaewdTT1Z8+g/vTN7JaPJ5dknLliJLtsA0q/czSUw7bCqGRpDSZ2tcAgFaFpyTArAZJHeMqjqvKrqP1mzoVrandVYbERXaQqKy0FAtzMl22ddSNT6V8gEVrgHuf99LlPOIM5hEB5Vs3HDvSVsdCp0pAyee42jHPiaUfN9kyI5r1tZjWAg=,iv:bo4jp4nCDBaZWr7RdKAczbrnkv1+itpXlobVwHqJi2s=,tag:edLXxKbRSr9KU3CixFYECg==,type:str] + users: ENC[AES256_GCM,data:quxYk+XT5VZy+holUr3g5ycI34Z4BfSp2eKK4CZYBvl5ZES96Jf/oXCAWXhlEpXiKwsvKkAZNBdwLaqWrzRJJBzEi2UwZJfX1I0vDtWMz4VN5mKtzr+Vavty4visrleS46w2O/xg1PzOt/gv2CilyQmcBlpMbhLYVj4A9rbpiaIqXaYB/JMpa0sUyjjs/lxFDugv3pVEvmr7b0Gjqb1+A3TldEDxBT+P10jeomDoVJbMFyF09dpSQZrTlhyDHE742armspwvQyiKjmxmpkK1+L9iRgcBFiKCbkx4aZq5uvh3lNlVbsFqWhBbBRIOMjdgOm9OmQ7FGqqMSihsW6APMi9KTgpWUpk=,iv:mxtamxo8DWaxafC9AsgHKxcqNp5mLOEiPetoHZeA95c=,tag:ITNi8tMqkDxaONEKOYU/UQ==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T21:50:59Z" - mac: ENC[AES256_GCM,data:O3I8dUG3JgfhDRC8V4gYjyACfXL/u8kuV0G31yz0qu2J3wkSI0tq3MR4+oZXFxDt8YkMevCUuQFZF4faYyTeFcdwRKlev0WexH1dWT22DUm+tkmcg2R1tv7TI/US6GTlXu/g9WGrLkHZjh1YQZ9AUNxtwL6O/CaKOuiR2nmmtYE=,iv:ojDH8+YWJQK3Rp6dHwj1T+/SVltnFDKKsOmYyeQpoMc=,tag:ieca6xM/sw7pjpu8czdv0A==,type:str] + lastmodified: "2025-12-11T22:11:51Z" + mac: ENC[AES256_GCM,data:7/xlEEZZLlElw3YufxHxRW47d5+w3q+mb+3qJrkTe38SSJDZ/MRyH3mR+T+Vm4jM4Iieh4wR2qz14EjIG6um4GSST84pvl2dj1dz8qd3/mrlWCQUxv/EUW5pSpDtd/HIPbfyMdmZApfspJ9CT40gOY2+91/KRzcHoGebe1ZMvV0=,iv:agzozhVd36roI81y8HYP26dt2DBxw77fJ7VafKyCw7Y=,tag:f6AZ0KaBO81rfDgG2R0Y/Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 20423eb0cd237c82839f1c3b9d030e93dbe93e66 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 22:19:27 +0000 Subject: [PATCH 249/251] chore(secrets): set secret "zitadel/users" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 8a8b744..7709ea3 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -4,7 +4,7 @@ email: zitadel: masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str] nix: {} - users: ENC[AES256_GCM,data:quxYk+XT5VZy+holUr3g5ycI34Z4BfSp2eKK4CZYBvl5ZES96Jf/oXCAWXhlEpXiKwsvKkAZNBdwLaqWrzRJJBzEi2UwZJfX1I0vDtWMz4VN5mKtzr+Vavty4visrleS46w2O/xg1PzOt/gv2CilyQmcBlpMbhLYVj4A9rbpiaIqXaYB/JMpa0sUyjjs/lxFDugv3pVEvmr7b0Gjqb1+A3TldEDxBT+P10jeomDoVJbMFyF09dpSQZrTlhyDHE742armspwvQyiKjmxmpkK1+L9iRgcBFiKCbkx4aZq5uvh3lNlVbsFqWhBbBRIOMjdgOm9OmQ7FGqqMSihsW6APMi9KTgpWUpk=,iv:mxtamxo8DWaxafC9AsgHKxcqNp5mLOEiPetoHZeA95c=,tag:ITNi8tMqkDxaONEKOYU/UQ==,type:str] + users: ENC[AES256_GCM,data:pMSK3Re/DZeMnFNCEgjTGWWMYYX5eLOoZwGg3oO7WQ0Sx7z7sLRPpqlGVw384G6uYjR19MpnVud6hHPkGY/FoTO0vsJ+a2anFpmLjLsPNehiQ57rnvnWJCeVJyTz0kqKt7vS1kGpdtjH5d98PerNzxR0FvTrjJhQCfHyP/S8/G6vD6cLmeBXaStpKJ6TM0UIPcWSTzrpV3O292xAFooWYv19hkM4C6IJtbej8zTmY8pEsHk5OY3w,iv:r3603xOtSE1CEdMR9epaWclbO3PXjMWpnJT7HEbF57o=,tag:HAPUlIuumY0IjL0P4Q1aFA==,type:str] forgejo: action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str] synapse: 
@@ -54,7 +54,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-11T22:11:51Z" - mac: ENC[AES256_GCM,data:7/xlEEZZLlElw3YufxHxRW47d5+w3q+mb+3qJrkTe38SSJDZ/MRyH3mR+T+Vm4jM4Iieh4wR2qz14EjIG6um4GSST84pvl2dj1dz8qd3/mrlWCQUxv/EUW5pSpDtd/HIPbfyMdmZApfspJ9CT40gOY2+91/KRzcHoGebe1ZMvV0=,iv:agzozhVd36roI81y8HYP26dt2DBxw77fJ7VafKyCw7Y=,tag:f6AZ0KaBO81rfDgG2R0Y/Q==,type:str] + lastmodified: "2025-12-11T22:19:26Z" + mac: ENC[AES256_GCM,data:J1RVA3s9qemyLGo4svCofqIA4XNYgDWDc3JRbfynGLtAocOQPtXOLKoEauplDWMQ8hFIGRznIzv5XkCH6hfxQhjNI0UCuR0WhFZtnQU59hS+Qg4AQKVukRdjY136RpNiBMCMNhiXs8NAbuVxrFramgFClFQgVO+b6+Q3w2JspNE=,iv:hPUnwDUg+Wbx/YDugY8TjFIJqUzJE75tv4vzc2NHdrQ=,tag:xwqb7I315SbAlK7MlT9uBA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 9824616c633ce14c35cb27691fa7042e3c9ea427 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 11 Dec 2025 23:20:36 +0100 Subject: [PATCH 250/251] feat: implement user management in just --- .jq/table.jq | 6 ++-- .just/users.just | 89 +++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 83 insertions(+), 12 deletions(-) diff --git a/.jq/table.jq b/.jq/table.jq index 83b98f2..5c58aef 100644 --- a/.jq/table.jq +++ b/.jq/table.jq @@ -26,7 +26,7 @@ def to_cells(sizes): to_cells(sizes; null); def to_line(left; joiner; right): [left, .[1], (.[1:] | map([joiner, .]) ), right] | flatten | join(""); -def to_table(data; header_callback; cell_callback): +def create(data; header_callback; cell_callback): (data[0] | to_entries | map(.key)) as $keys | ([$keys]) as $header | (data | map(to_entries | map(.value))) as $rows 
@@ -55,5 +55,5 @@ def to_table(data; header_callback; cell_callback): | join("\n") ); -def to_table(data; header_callback): to_table(data; header_callback; null); -def to_table(data): to_table(data; _::style(_::BOLD); null); +def create(data; header_callback): create(data; header_callback; null); +def create(data): create(data; _::style(_::BOLD); null); diff --git a/.just/users.just b/.just/users.just index cecd74b..486ac67 100644 --- a/.just/users.just +++ b/.just/users.just @@ -6,17 +6,16 @@ _default: [script] list: - cd .. && just vars get ulmo zitadel/users \ - | jq fromjson \ - | jq -r -C ' - include ".jq/table"; - include ".jq/format"; + cd .. && just vars get ulmo zitadel/users | jq -r -C ' + import ".jq/table" as table; + import ".jq/format" as f; - to_entries + fromjson + | to_entries | sort_by(.key) | map( - (.key|to_title) + ":\n" - + to_table( + (.key|f::to_title) + ":\n" + + table::create( .value | to_entries | sort_by(.key) 
@@ -24,4 +23,76 @@ list: ) ) | join("\n\n┄┄┄\n\n") - ' + '; + +[script] +add: + exec 5>&1 + + pad () { [ "$#" -gt 1 ] && [ -n "$2" ] && printf "%$2.${2#-}s" "$1"; } + + input() { + local label=$1 + local value=$2 + + local res=$(gum input --header "$label" --value "$value") + echo -e "\e[2m$(pad "$label" -11)\e[0m$res" >&5 + echo $res + } + + data=`cd .. && just vars get ulmo zitadel/users | jq 'fromjson'` + + # Gather inputs + org=` + jq -r 'to_entries | map(.key)[]' <<< "$data" \ + | gum choose --header 'Which organisation to save to?' --select-if-one + ` + username=`input 'user name' 'new-user'` + email=`input 'email' 'new.user@example.com'` + first_name=`input 'first name' 'John'` + last_name=`input 'last name' 'Doe'` + + user_exists=`jq --arg 'org' "$org" --arg 'username' "$username" '.[$org][$username]? | . != null' <<< "$data"` + + if [ "$user_exists" == "true" ]; then + gum confirm 'User already exists, overwrite it?' --padding="1 1" || exit 0 + fi + + next=` + jq \ + --arg 'org' "$org" \ + --arg 'username' "$username" \ + --arg 'email' "$email" \ + --arg 'first_name' "$first_name" \ + --arg 'last_name' "$last_name" \ + --compact-output \ + '.[$org] += { $username: { email: $email, firstName: $first_name, lastName: $last_name } }' \ + <<< $data + ` + + gum spin --title "saving..." -- echo "$(cd .. && just vars set ulmo 'zitadel/users' "$next")" + +[script] +remove: + data=`cd .. && just vars get ulmo zitadel/users | jq fromjson` + + # Gather inputs + org=` + jq -r 'to_entries | map(.key)[]' <<< "$data" \ + | gum choose --header 'Which organisation?' --select-if-one + ` + user=` + jq -r --arg org "$org" '.[$org] | to_entries | map(.key)[]' <<< "$data" \ + | gum choose --header 'Which user?' --select-if-one + ` + + next=` + jq \ + --arg 'org' "$org" \ + --arg 'user' "$user" \ + --compact-output \ + 'del(.[$org][$user])' \ + <<< $data + ` + + gum spin --title "saving..." -- echo "$(cd .. && just vars set ulmo 'zitadel/users' "$next")" 
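Review bot: The last line of both `add` and `remove`, `gum spin --title "saving..." -- echo "$(cd .. && just vars set ulmo 'zitadel/users' "$next")"`, runs the save inside a command substitution that is only an argument to `echo`, so its exit status is discarded and a failed write still ends the recipe successfully; the spinner also wraps nothing but the `echo`. Running it directly as `(cd .. && just vars set ulmo 'zitadel/users' "$next")` lets a failure stop the recipe. The decrypted user JSON is passed as a command-line argument, which other local users can read from the process list while the command runs; feeding it on stdin would avoid that if `vars set` supports it (not visible here). `local res=$(gum input ...)` likewise hides a cancelled prompt, so an empty `username` can reach the `.[$org] += {...}` update. Check for empty values before building `next`, and quote `"$data"` in the two `<<< $data` here-strings and `"$res"` in `echo $res`.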
From a361274b27f7db57a2f461a6ec206bcb3405728f Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 11 Dec 2025 22:21:37 +0000 Subject: [PATCH 251/251] chore: update dependencies --- flake.lock | 68 +++++++++++++++++++++++++++--------------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/flake.lock b/flake.lock index cd4b600..f4f2381 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1765346666, - "narHash": "sha256-UR8bVZF12rA7yI3jdqvlTA50NUXf3F8H6GZvLYiDqYM=", - "rev": "7c9a2e4fb9d90f213f3bf3782ee460e669231bca", + "lastModified": 1765483630, + "narHash": "sha256-4nLng3hXTHuJF1xeMXWVyK26r0O407YG7aEfkWVD3Jg=", + "rev": "b500c2e4c8f50961e976b7a78991d2fd4f96c423", "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/7c9a2e4fb9d90f213f3bf3782ee460e669231bca.tar.gz" + "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/b500c2e4c8f50961e976b7a78991d2fd4f96c423.tar.gz" }, "original": { "type": "tarball", @@ -170,11 +170,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1765252472, - "narHash": "sha256-byMt/uMi7DJ8tRniFopDFZMO3leSjGp6GS4zWOFT+uQ=", + "lastModified": 1765435813, + "narHash": "sha256-C6tT7K1Lx6VsYw1BY5S3OavtapUvEnDQtmQB5DSgbCc=", "owner": "nix-community", "repo": "fenix", - "rev": "8456b985f6652e3eef0632ee9992b439735c5544", + "rev": "6399553b7a300c77e7f07342904eb696a5b6bf9d", "type": "github" }, "original": { @@ -190,11 +190,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1765370621, - "narHash": "sha256-3gAVH9nYc2E82tIXKFv2lMe4JohglxJtPgs0ZmXkx9c=", + "lastModified": 1765448647, + "narHash": "sha256-y29oz4/jfs7TEGR1+pKlcQn5pBsTZGM8TOhVDJEAtXg=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "ea98c8041dad75efc80ec036643a32b12467c8b7", + "rev": "63947e060742f3b023c87e225c3f327befbbd6a3", "type": "github" }, "original": { 
@@ -594,11 +594,11 @@ ] }, "locked": { - "lastModified": 1765337252, - "narHash": "sha256-HuWQp8fM25fyWflbuunQkQI62Hg0ecJxWD52FAgmxqY=", + "lastModified": 1765480374, + "narHash": "sha256-HlbvQAqLx7WqZFFQZ8nu5UUJAVlXiV/kqKbyueA8srw=", "owner": "nix-community", "repo": "home-manager", - "rev": "13cc1efd78b943b98c08d74c9060a5b59bf86921", + "rev": "39cb677ed9e908e90478aa9fe5f3383dfc1a63f3", "type": "github" }, "original": { @@ -810,11 +810,11 @@ }, "nixos-facter-modules": { "locked": { - "lastModified": 1764252389, - "narHash": "sha256-3bbuneTKZBkYXlm0bE36kUjiDsasoIC1GWBw/UEJ9T4=", + "lastModified": 1765442039, + "narHash": "sha256-k3lYQ+A1F7aTz8HnlU++bd9t/x/NP2A4v9+x6opcVg0=", "owner": "nix-community", "repo": "nixos-facter-modules", - "rev": "5ea68886d95218646d11d3551a476d458df00778", + "rev": "9dd775ee92de63f14edd021d59416e18ac2c00f1", "type": "github" }, "original": { @@ -852,11 +852,11 @@ ] }, "locked": { - "lastModified": 1765376994, - "narHash": "sha256-dsgdFdj8+qh81XPB/9SlwvuhJMHPjqsf7Zk0AnsdVpY=", + "lastModified": 1765483419, + "narHash": "sha256-w6wznH1lBzlSH3+pWDkE+L6xA0F02drFAzu2E7PD/Jo=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "30f6a14293df4938c35173a73efdeba450653d0a", + "rev": "0c040f28b44b18e0d4240e027096078e34dbb029", "type": "github" }, "original": { @@ -914,11 +914,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1765357816, - "narHash": "sha256-Uh7y3tL9SUzMjM8eO9CMqf30pPpa1i+P3asBijc32lY=", + "lastModified": 1765403794, + "narHash": "sha256-bOk4vZjzk419pIkmMWrr8PTg0fK2Oph/owZUAPHWwIE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "004943ed3cf9de5805a0da377599d1bfdd47a98a", + "rev": "6f313d8e9be4d7db523962ecc3ce97c951bacb1f", "type": "github" }, "original": { 
@@ -946,11 +946,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1765380834, - "narHash": "sha256-MUMk4DZ0V+gU7yee7DdiPwieRclS2uMNvLQGLWwew4M=", + "lastModified": 1765491281, + "narHash": "sha256-adRTsIAzAiMUP40dPHhcAq69+iRcSV93XJdg8YO7lYw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bf83174d5ab54f384b1ec5068b3280241dbb849f", + "rev": "d21f5e3178bdfce2e894e0bd9b6535ac6593a734", "type": "github" }, "original": { @@ -1139,11 +1139,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1765120009, - "narHash": "sha256-nG76b87rkaDzibWbnB5bYDm6a52b78A+fpm+03pqYIw=", + "lastModified": 1765400135, + "narHash": "sha256-D3+4hfNwUhG0fdCpDhOASLwEQ1jKuHi4mV72up4kLQM=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "5e3e9c4e61bba8a5e72134b9ffefbef8f531d008", + "rev": "fface27171988b3d605ef45cf986c25533116f7e", "type": "github" }, "original": { @@ -1254,11 +1254,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1765377959, - "narHash": "sha256-MsvpqrovI+iveyVam6sIPlSsUVVcmmhTxpD9w3OOsvw=", + "lastModified": 1765474444, + "narHash": "sha256-sDG+c73xEnIw1pFNRWffKDnTWiTuyZiEP+Iub0D3mWA=", "owner": "nix-community", "repo": "stylix", - "rev": "54fcd2f342c6417548cc56f53e401224dcade639", + "rev": "dd14de4432a94e93e10d0159f1d411487e435e1e", "type": "github" }, "original": { @@ -1519,11 +1519,11 @@ ] }, "locked": { - "lastModified": 1765344150, - "narHash": "sha256-RoGBKQglbF19aINeV8F7DHCXxF7FrMRLgL2yjl9vOiQ=", + "lastModified": 1765491669, + "narHash": "sha256-LjMIEOyIT5AMvbz/RYRcZPTJ7FB6vnEmeaid9vkIp0k=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "1adab25828578301037855c59849e9bbecf8948b", + "rev": "85feeba579822e7e30cccf549d805f24b86d7235", "type": "github" }, "original": {