diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index 4723cc3..ad4cb92 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -15,5 +15,26 @@ in home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; + + programs.zen-browser = { + policies = { + AutofillAddressEnabled = true; + AutofillCreditCardEnabled = false; + DisableAppUpdate = true; + DisableFeedbackCommands = true; + DisableFirefoxStudies = true; + DisablePocket = true; + DisableTelemetry = true; + # DontCheckDefaultBrowser = false; + NoDefaultBookmarks = true; + # OfferToSaveLogins = false; + EnableTrackingProtection = { + Value = true; + Locked = true; + Cryptomining = true; + Fingerprinting = true; + }; + }; + }; }; } diff --git a/modules/home/default.nix b/modules/home/default.nix index e3185e0..6dc81b5 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -37,11 +37,12 @@ in { config = { home.sessionVariables = { + SHELL = cfg.shell; EDITOR = cfg.editor; TERMINAL = cfg.terminal; BROWSER = cfg.browser; }; - # home.shell = pkgs.${cfg.shell}; + # users.defaultUserShell = pkgs.${cfg.shell}; }; } diff --git a/modules/home/desktop/plasma/default.nix b/modules/home/desktop/plasma/default.nix index 8614a97..13476fb 100644 --- a/modules/home/desktop/plasma/default.nix +++ b/modules/home/desktop/plasma/default.nix @@ -20,6 +20,11 @@ in panels = import ./panels.nix; powerdevil = import ./power.nix; + kwin = { + edgeBarrier = 0; + cornerBarrier = false; + }; + session = { general.askForConfirmationOnLogout = false; sessionRestore.restoreOpenApplicationsOnLogin = "onLastLogout"; diff --git a/modules/home/terminal/ghostty/default.nix b/modules/home/terminal/ghostty/default.nix index 00d925c..4681b53 100644 --- a/modules/home/terminal/ghostty/default.nix +++ b/modules/home/terminal/ghostty/default.nix 
@@ -13,6 +13,7 @@ in programs.ghostty = { enable = true; settings = { + command = config.${namespace}.defaults.shell; background-blur-radius = 20; theme = "dark:stylix,light:stylix"; window-theme = (config.${namespace}.themes.polarity or "dark"); diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix index f38a28e..9fd9192 100644 --- a/modules/nixos/desktop/default.nix +++ b/modules/nixos/desktop/default.nix @@ -17,18 +17,12 @@ in example = "plasma"; description = "Which desktop to enable"; }; - - autoLogin = mkEnableOption "Enable plasma's auto login feature."; }; config = mkMerge [ ({ services.displayManager = { enable = true; - - autoLogin = mkIf cfg.autoLogin { - enable = true; - }; }; }) diff --git a/modules/nixos/hardware/bluetooth/default.nix b/modules/nixos/hardware/bluetooth/default.nix index 1b99eef..98fc678 100644 --- a/modules/nixos/hardware/bluetooth/default.nix +++ b/modules/nixos/hardware/bluetooth/default.nix @@ -11,6 +11,9 @@ in hardware.bluetooth = { enable = true; powerOnBoot = true; + settings = { + General.Experimental = true; # Show battery charge of Bluetooth devices + }; }; services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = { diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia/default.nix similarity index 90% rename from modules/nixos/services/authentication/authelia.nix rename to modules/nixos/services/authentication/authelia/default.nix index e706439..9990003 100644 --- a/modules/nixos/services/authentication/authelia.nix +++ b/modules/nixos/services/authentication/authelia/default.nix 
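Review bot: `General.Experimental = true` in the bluetooth hunk switches on every experimental BlueZ D-Bus interface, not only the battery provider that the trailing comment names, which widens the daemon's exposed API surface more than the comment suggests. If the battery readout is all that is wanted, I believe newer BlueZ versions accept a list of specific feature UUIDs in `Experimental` instead of `true`; that is worth checking against the main.conf shipped with the pinned package, and either way the comment should say the option is broader than battery reporting, e.g. `# Experimental BlueZ features (needed for battery reporting)`.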
@@ -130,6 +130,23 @@ in scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; } + { + client_id = "forgejo"; + client_name = "forgejo"; + # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F + client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg"; + public = false; + require_pkce = true; + pkce_challenge_method = "S256"; + token_endpoint_auth_method = "client_secret_post"; + authorization_policy = "one_factor"; + userinfo_signed_response_alg = "none"; + consent_mode = "implicit"; + scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; + response_types = [ "code" ]; + grant_types = [ "authorization_code" ]; + redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; + } ]; }; }; diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix deleted file mode 100644 index c157af7..0000000 --- a/modules/nixos/services/authentication/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: {} diff --git a/modules/nixos/services/authentication/himmelblau.nix b/modules/nixos/services/authentication/himmelblau/default.nix similarity index 100% rename from modules/nixos/services/authentication/himmelblau.nix rename to modules/nixos/services/authentication/himmelblau/default.nix diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel.nix deleted file mode 100644 index 6142857..0000000 --- a/modules/nixos/services/authentication/zitadel.nix +++ /dev/null 
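Review bot: The comment directly above `client_secret` in the new `forgejo` client appears to hold the plaintext value whose pbkdf2-sha512 digest follows it, so the clear-text secret is now part of the repository history; delete the comment and generate a new secret, since this one has to be treated as disclosed. The digest itself would also be better supplied through the sops secrets this tree already uses rather than inlined in the module. `redirect_uris` registers `http://localhost:5002/user/oauth2/authelia/callback`, while the forgejo module added in this commit sets `ROOT_URL = "https://${domain}/"`; as far as I know Forgejo derives its callback URL from ROOT_URL, so the registered URI is unlikely to match once the Caddy proxy is in front. `userinfo_signed_response_alg = "none"` is defensible only because the client fetches userinfo over the back channel from a fixed issuer, and a one-line comment stating that would help the next reader. The enclosing `clients` list starts before this hunk.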
@@ -1,86 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.authentication.zitadel; - - db_name = "zitadel"; - db_user = "zitadel"; -in -{ - options.${namespace}.services.authentication.zitadel = { - enable = mkEnableOption "Zitadel"; - }; - - config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - zitadel - ]; - - services = { - zitadel = { - enable = true; - openFirewall = true; - masterKeyFile = config.sops.secrets."zitadel/masterKey".path; - tlsMode = "external"; - settings = { - Port = 9092; - Database = { - Host = "/run/postgresql"; - # Zitadel will report error if port is not set - Port = 5432; - Database = db_name; - User.Username = db_user; - }; - }; - steps = { - TestInstance = { - InstanceName = "Zitadel test"; - Org = { - Name = "Kruining.eu"; - Human = { - UserName = "admin"; - Password = "kaas"; - }; - }; - }; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - }; - - caddy = { - enable = true; - virtualHosts = { - "auth-z.kruining.eu".extraConfig = '' - reverse_proxy h2c://127.0.0.1:9092 - ''; - }; - # extraConfig = '' - # (auth) { - # forward_auth h2c://127.0.0.1:9092 { - # uri /api/authz/forward-auth - # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - # } - # } - # ''; - }; - }; - - # Secrets - sops.secrets."zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; - }; - }; -} diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix new file mode 100644 index 0000000..aa1a0dd --- /dev/null +++ b/modules/nixos/services/authentication/zitadel/default.nix 
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption mkForce;
+
+ cfg = config.${namespace}.services.authentication.zitadel;
+
+ db_name = "zitadel";
+ db_user = "zitadel";
+in
+{
+ options.${namespace}.services.authentication.zitadel = {
+ enable = mkEnableOption "Zitadel";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ zitadel
+ ];
+
+ services = {
+ zitadel = {
+ enable = true;
+ openFirewall = true;
+ # masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
+ masterKeyFile = "/var/lib/zitadel/master_key";
+ tlsMode = "external";
+ settings = {
+ Port = 9092;
+ ExternalDomain = "auth-z.kruining.eu";
+ ExternalPort = 443;
+ ExternalSecure = true;
+
+ Database.postgres = {
+ Host = "localhost";
+ # Zitadel will report error if port is not set
+ Port = 5432;
+ Database = db_name;
+ User = {
+ Username = db_user;
+ SSL.Mode = "disable";
+ };
+ Admin = {
+ Username = "postgres";
+ SSL.Mode = "disable";
+ };
+ };
+ };
+ steps = {
+ FirstInstance = {
+ InstanceName = "auth-z.kruining.eu";
+ Org = {
+ Name = "Default";
+ Human = {
+ UserName = "chris";
+ FirstName = "Chris";
+ LastName = "Kruining";
+ Email = {
+ Address = "chris@kruining.eu";
+ Verified = true;
+ };
+ Password = "KaasIsAwesome1!";
+ };
+ };
+ };
+ };
+ };
+
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ db_name ];
+ ensureUsers = [
+ {
+ name = db_user;
+ ensureDBOwnership = true;
+ }
+ ];
+ authentication = mkForce ''
+ # Generated file, do not edit! 
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+ };
+
+ caddy = {
+ enable = true;
+ virtualHosts = {
+ "auth-z.kruining.eu".extraConfig = ''
+ reverse_proxy h2c://127.0.0.1:9092
+ '';
+ };
+ extraConfig = ''
+ (auth-z) {
+ forward_auth h2c://127.0.0.1:9092 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ }
+ }
+ '';
+ };
+ };
+
+ # Secrets
+ sops.secrets."zitadel/masterKey" = {
+ owner = "zitadel";
+ group = "zitadel";
+ restartUnits = [ "zitadel.service" ];
+ };
+ };
+}
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
new file mode 100644
index 0000000..5342b56
--- /dev/null
+++ b/modules/nixos/services/development/forgejo/default.nix
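Review bot: `masterKeyFile` now points at a plain `/var/lib/zitadel/master_key` while the `sops.secrets."zitadel/masterKey"` block (with its `restartUnits`) is still declared but no longer referenced, so the master key has silently left secrets management; either restore `masterKeyFile = config.sops.secrets."zitadel/masterKey".path;` or delete the dead sops block, and say in a comment why the file path is used if that is deliberate. The literal `Password` under `FirstInstance.Org.Human` is a real admin credential committed to the module; it should come from a secrets file or be rotated right after the first login, with a comment saying which. The `authentication = mkForce` block grants `trust` for `local` and both loopback `host` lines to all users and databases, which means any local process can connect as the `postgres` superuser that `Database.postgres.Admin` uses; narrowing those lines to the `zitadel` user and database, or using `scram-sha-256` with a password from sops, keeps the trust surface to the socket peer. `mkForce` also discards any pg_hba lines other modules on this host contribute (the forgejo module in this commit uses `services.postgresql` as well), so a plain list or `mkAfter` is the safer merge.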
@@ -0,0 +1,101 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+ inherit (lib) mkIf mkEnableOption;
+
+ cfg = config.${namespace}.services.development.forgejo;
+ domain = "git.kruining.eu";
+in
+{
+ options.${namespace}.services.development.forgejo = {
+ enable = mkEnableOption "Forgejo";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ forgejo ];
+
+ services = {
+ forgejo = {
+ enable = true;
+ useWizard = false;
+ database.type = "postgres";
+
+ settings = {
+ DEFAULT = {
+ APP_NAME = "Chris' Forge";
+ };
+
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ HTTP_PORT = 5002;
+ };
+
+ security = {
+ PASSWORD_HASH_ALGO = "argon2";
+ };
+
+ service = {
+ REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything
+ DISABLE_REGISTRATION = true;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ SHOW_REGISTRATION_BUTTON = false;
+ };
+
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ WHITELISTED_URIS = "https://auth-z.kruining.eu";
+ };
+
+ oauth2_client = {
+ ENABLE_AUTO_REGISTRATION = true;
+ UPDATE_AVATAR = true;
+ };
+
+ # actions = {
+ # ENABLED = true;
+ # DEFAULT_ACTIONS_URL = "forgejo";
+ # };
+
+ session = {
+ COOKIE_SECURE = true;
+ };
+ };
+ };
+
+ # gitea-actions-runner = {
+ # package = pkgs.forgejo-actions-runner;
+ # instances.default = {
+ # enable = true;
+ # name = "monolith";
+ # url = "https://git.kruining.eu";
+ # # Obtaining the path to the runner token file may differ
+ # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
+ # tokenFile = config.age.secrets.forgejo-runner-token.path;
+ # labels = [
+ # "ubuntu-latest:docker://node:16-bullseye"
+ # "ubuntu-22.04:docker://node:16-bullseye"
+ # "ubuntu-20.04:docker://node:16-bullseye"
+ # "ubuntu-18.04:docker://node:16-buster"
+ # "native:host"
+ # ];
+ # };
+ # };
+
+ caddy = {
+ enable = true;
+ virtualHosts = {
+ ${domain}.extraConfig = ''
+ # import auth-z
+
+ # stupid dumb way to prevent the 
login page and go to zitadel instead + # be aware that this does not disable local login at all! + rewrite /user/login /user/oauth2/Zitadel + + reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 7d76794..f76e4ae 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -79,6 +79,11 @@ in bazarr = serviceConf; lidarr = serviceConf; + flaresolverr = { + enable = true; + openFirewall = true; + }; + jellyseerr = { enable = true; openFirewall = true; @@ -135,11 +140,11 @@ in backend = "podman"; containers = { - flaresolverr = { - image = "flaresolverr/flaresolverr"; - autoStart = true; - ports = [ "127.0.0.1:8191:8191" ]; - }; + # flaresolverr = { + # image = "flaresolverr/flaresolverr"; + # autoStart = true; + # ports = [ "127.0.0.1:8191:8191" ]; + # }; reiverr = { image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; diff --git a/modules/nixos/services/media/nextcloud.nix b/modules/nixos/services/media/nextcloud/default.nix similarity index 96% rename from modules/nixos/services/media/nextcloud.nix rename to modules/nixos/services/media/nextcloud/default.nix index 658a5b4..14d6863 100644 --- a/modules/nixos/services/media/nextcloud.nix +++ b/modules/nixos/services/media/nextcloud/default.nix @@ -6,7 +6,7 @@ let cfg = config.${namespace}.services.media.nextcloud; in { - options.modules.services.nextcloud = { + options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; user = mkOption { @@ -40,7 +40,7 @@ in services.nextcloud = { enable = true; - webserver = "caddy"; + # webserver = "caddy"; package = pkgs.nextcloud31; hostName = "localhost"; 
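Review bot: The `openid` block (`ENABLE_OPENID_SIGNIN`, `ENABLE_OPENID_SIGNUP`, `WHITELISTED_URIS`) configures Forgejo's legacy OpenID 2.0 sign-in, not OIDC; the Zitadel/Authelia login runs through an OAuth2 authentication source plus the `oauth2_client` settings, so if I have that right this block opens an additional login path rather than the intended one and should be dropped. `DISABLE_REGISTRATION = true` next to `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` and `ENABLE_AUTO_REGISTRATION = true` looks contradictory as far as I recall the semantics: the first setting wins and blocks auto-provisioning from the OAuth2 source, so the intended behaviour needs to be confirmed with a fresh login before relying on it. The Caddy `rewrite /user/login /user/oauth2/Zitadel` only hides the form, as the hunk's own comment admits, so local password login stays enabled and the rewrite target must match the exact name of the authentication source configured inside Forgejo; a comment naming where that source is created (it is not in this commit) would help. Since `# import auth-z` is commented out, nothing in front of Forgejo enforces authentication at the proxy, and the comment should say whether that is temporary.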
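Review bot: Moving flaresolverr from the podman container bound to `127.0.0.1:8191` to `services.flaresolverr` with `openFirewall = true` changes its exposure: the container was loopback-only, whereas the new setting opens the port in the firewall on every interface, and as far as I know FlareSolverr has no authentication of its own. Unless another host has to reach it, drop `openFirewall = true;` and let the *arr services on this machine reach it over loopback, adding a comment if remote access really is required. The commented-out container block in the second hunk of this file can simply be deleted now that the native service is used.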
diff --git a/modules/nixos/services/media/nfs.nix b/modules/nixos/services/media/nfs/default.nix similarity index 79% rename from modules/nixos/services/media/nfs.nix rename to modules/nixos/services/media/nfs/default.nix index 7674e69..54b58e7 100644 --- a/modules/nixos/services/media/nfs.nix +++ b/modules/nixos/services/media/nfs/default.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.media.nfs; + cfg = config.${namespace}.services.media.nfs; in { - options.${namespace}.media.nfs = { + options.${namespace}.services.media.nfs = { enable = mkEnableOption "Enable NFS"; }; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index a75856d..68ab4ca 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -13,7 +13,7 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFile = ../../../../secrets/secrets.yaml; + defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/"; diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix index 6dedf50..b79efbc 100644 --- a/modules/nixos/system/security/sudo/default.nix +++ b/modules/nixos/system/security/sudo/default.nix @@ -14,9 +14,8 @@ in sudo-rs = { enable = true; - extraConfig = '' - Defaults env_keep += "EDITOR PATH DISPLAY" - ''; + execWheelOnly = true; + extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"''; }; }; }; diff --git a/systems/x86_64-linux/manwe/default.nix b/systems/x86_64-linux/manwe/default.nix index c333f85..76d4e6d 100644 --- a/systems/x86_64-linux/manwe/default.nix +++ b/systems/x86_64-linux/manwe/default.nix @@ -28,5 +28,11 @@ }; }; + + services.displayManager.autoLogin = { + enable = true; + user = "chris"; + }; + system.stateVersion = "23.11"; } 
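Review bot: In the sudo hunk, `execWheelOnly = true` is a good hardening step, but the retained `Defaults env_keep += "EDITOR PATH DISPLAY"` keeps the caller's `PATH` across sudo, which undoes the usual `secure_path` protection: directories the invoking user controls and has on their PATH are searched first when root runs an unqualified command name. Keep `EDITOR` and `DISPLAY` if they are needed and drop `PATH`, i.e. `extraConfig = ''Defaults env_keep += "EDITOR DISPLAY"'';`. Whether sudo-rs applies `secure_path` exactly as sudo does I have not checked, but the point stands for any command resolved through PATH.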
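Review bot: In the manwe hunk, `services.displayManager.autoLogin` for user `chris` means the login screen no longer asks for credentials, so the session on this host is gated only by what runs before the display manager (disk encryption, if any) and by the screen locker afterwards. If that is the intent for this machine, a one-line comment stating why it is exempt would help, e.g. `# single-user desktop, relies on disk encryption`; the module-level `autoLogin` option removed in the desktop hunk had at least made the choice visible per host.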
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7a2540f..f47c580 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -7,8 +7,15 @@ sneeuwvlok = { services = { + authentication.authelia.enable = true; + authentication.zitadel.enable = true; + networking.ssh.enable = true; + media.enable = true; + media.nfs.enable = true; + + development.forgejo.enable = true; }; editor = {