Compare commits
10 commits
bb94e3632a
...
06ad805206
Author | SHA1 | Date | |
---|---|---|---|
|
06ad805206 | ||
|
7c6c566798 | ||
|
d305bf6cee | ||
|
30f17f692c | ||
|
f1ffa33976 | ||
|
f289c3663a | ||
|
043eded249 | ||
|
e011b893e0 | ||
a8783b4709 | |||
79701acc77 |
19 changed files with 291 additions and 107 deletions
|
@ -15,5 +15,26 @@ in
|
|||
home.sessionVariables = {
|
||||
MOZ_ENABLE_WAYLAND = "1";
|
||||
};
|
||||
|
||||
programs.zen-browser = {
|
||||
policies = {
|
||||
AutofillAddressEnabled = true;
|
||||
AutofillCreditCardEnabled = false;
|
||||
DisableAppUpdate = true;
|
||||
DisableFeedbackCommands = true;
|
||||
DisableFirefoxStudies = true;
|
||||
DisablePocket = true;
|
||||
DisableTelemetry = true;
|
||||
# DontCheckDefaultBrowser = false;
|
||||
NoDefaultBookmarks = true;
|
||||
# OfferToSaveLogins = false;
|
||||
EnableTrackingProtection = {
|
||||
Value = true;
|
||||
Locked = true;
|
||||
Cryptomining = true;
|
||||
Fingerprinting = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -37,11 +37,12 @@ in {
|
|||
|
||||
config = {
|
||||
home.sessionVariables = {
|
||||
SHELL = cfg.shell;
|
||||
EDITOR = cfg.editor;
|
||||
TERMINAL = cfg.terminal;
|
||||
BROWSER = cfg.browser;
|
||||
};
|
||||
|
||||
# home.shell = pkgs.${cfg.shell};
|
||||
# users.defaultUserShell = pkgs.${cfg.shell};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -20,6 +20,11 @@ in
|
|||
panels = import ./panels.nix;
|
||||
powerdevil = import ./power.nix;
|
||||
|
||||
kwin = {
|
||||
edgeBarrier = 0;
|
||||
cornerBarrier = false;
|
||||
};
|
||||
|
||||
session = {
|
||||
general.askForConfirmationOnLogout = false;
|
||||
sessionRestore.restoreOpenApplicationsOnLogin = "onLastLogout";
|
||||
|
|
|
@ -13,6 +13,7 @@ in
|
|||
programs.ghostty = {
|
||||
enable = true;
|
||||
settings = {
|
||||
command = config.${namespace}.defaults.shell;
|
||||
background-blur-radius = 20;
|
||||
theme = "dark:stylix,light:stylix";
|
||||
window-theme = (config.${namespace}.themes.polarity or "dark");
|
||||
|
|
|
@ -17,18 +17,12 @@ in
|
|||
example = "plasma";
|
||||
description = "Which desktop to enable";
|
||||
};
|
||||
|
||||
autoLogin = mkEnableOption "Enable plasma's auto login feature.";
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
({
|
||||
services.displayManager = {
|
||||
enable = true;
|
||||
|
||||
autoLogin = mkIf cfg.autoLogin {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
|
|
|
@ -11,6 +11,9 @@ in
|
|||
hardware.bluetooth = {
|
||||
enable = true;
|
||||
powerOnBoot = true;
|
||||
settings = {
|
||||
General.Experimental = true; # Show battery charge of Bluetooth devices
|
||||
};
|
||||
};
|
||||
|
||||
services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = {
|
||||
|
|
|
@ -130,6 +130,23 @@ in
|
|||
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
|
||||
redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
|
||||
}
|
||||
{
|
||||
client_id = "forgejo";
|
||||
client_name = "forgejo";
|
||||
# ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
|
||||
client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
|
||||
public = false;
|
||||
require_pkce = true;
|
||||
pkce_challenge_method = "S256";
|
||||
token_endpoint_auth_method = "client_secret_post";
|
||||
authorization_policy = "one_factor";
|
||||
userinfo_signed_response_alg = "none";
|
||||
consent_mode = "implicit";
|
||||
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
|
||||
response_types = [ "code" ];
|
||||
grant_types = [ "authorization_code" ];
|
||||
redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
|
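Review bot: The commented-out line directly above `client_secret` looks like the plaintext of the secret whose pbkdf2 digest follows it, which puts the live credential in the repository history and in the world-readable Nix store; delete the comment, rotate the Forgejo client secret, and keep only the hash in this file. `redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]` is unlikely to match the callback Forgejo derives from its `ROOT_URL` (`https://git.kruining.eu/` in the new Forgejo module), so Authelia would reject the authorization request on a redirect_uri mismatch once Forgejo is reached through Caddy; `https://git.kruining.eu/user/oauth2/authelia/callback` is what that ROOT_URL implies. The Forgejo Caddy config in this same compare rewrites login to a `Zitadel` provider while this client is named `authelia`, so the auth-source name configured in Forgejo has to match whichever IdP is actually intended. The enclosing client list starts outside the hunk.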
@ -1 +0,0 @@
|
|||
{ ... }: {}
|
|
@ -1,86 +0,0 @@
|
|||
{ config, lib, pkgs, namespace, ... }:
|
||||
let
|
||||
inherit (lib) mkIf mkEnableOption;
|
||||
|
||||
cfg = config.${namespace}.services.authentication.zitadel;
|
||||
|
||||
db_name = "zitadel";
|
||||
db_user = "zitadel";
|
||||
in
|
||||
{
|
||||
options.${namespace}.services.authentication.zitadel = {
|
||||
enable = mkEnableOption "Zitadel";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
zitadel
|
||||
];
|
||||
|
||||
services = {
|
||||
zitadel = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
|
||||
tlsMode = "external";
|
||||
settings = {
|
||||
Port = 9092;
|
||||
Database = {
|
||||
Host = "/run/postgresql";
|
||||
# Zitadel will report error if port is not set
|
||||
Port = 5432;
|
||||
Database = db_name;
|
||||
User.Username = db_user;
|
||||
};
|
||||
};
|
||||
steps = {
|
||||
TestInstance = {
|
||||
InstanceName = "Zitadel test";
|
||||
Org = {
|
||||
Name = "Kruining.eu";
|
||||
Human = {
|
||||
UserName = "admin";
|
||||
Password = "kaas";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ db_name ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = db_user;
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
caddy = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"auth-z.kruining.eu".extraConfig = ''
|
||||
reverse_proxy h2c://127.0.0.1:9092
|
||||
'';
|
||||
};
|
||||
# extraConfig = ''
|
||||
# (auth) {
|
||||
# forward_auth h2c://127.0.0.1:9092 {
|
||||
# uri /api/authz/forward-auth
|
||||
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
|
||||
# }
|
||||
# }
|
||||
# '';
|
||||
};
|
||||
};
|
||||
|
||||
# Secrets
|
||||
sops.secrets."zitadel/masterKey" = {
|
||||
owner = "zitadel";
|
||||
group = "zitadel";
|
||||
restartUnits = [ "zitadel.service" ];
|
||||
};
|
||||
};
|
||||
}
|
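--- /dev/null
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+inherit (lib) mkIf mkEnableOption mkForce;
+
+cfg = config.${namespace}.services.authentication.zitadel;
+
+db_name = "zitadel";
+db_user = "zitadel";
+in
+{
+options.${namespace}.services.authentication.zitadel = {
+enable = mkEnableOption "Zitadel";
+};
+
+config = mkIf cfg.enable {
+environment.systemPackages = with pkgs; [
+zitadel
+];
+
+services = {
+zitadel = {
+enable = true;
+openFirewall = true;
+# masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
+masterKeyFile = "/var/lib/zitadel/master_key";
+tlsMode = "external";
+settings = {
+Port = 9092;
+ExternalDomain = "auth-z.kruining.eu";
+ExternalPort = 443;
+ExternalSecure = true;
+
+Database.postgres = {
+Host = "localhost";
+# Zitadel will report error if port is not set
+Port = 5432;
+Database = db_name;
+User = {
+Username = db_user;
+SSL.Mode = "disable";
+};
+Admin = {
+Username = "postgres";
+SSL.Mode = "disable";
+};
+};
+};
+steps = {
+FirstInstance = {
+InstanceName = "auth-z.kruining.eu";
+Org = {
+Name = "Default";
+Human = {
+UserName = "chris";
+FirstName = "Chris";
+LastName = "Kruining";
+Email = {
+Address = "chris@kruining.eu";
+Verified = true;
+};
+Password = "KaasIsAwesome1!";
+};
+};
+};
+};
+};
+
+postgresql = {
+enable = true;
+ensureDatabases = [ db_name ];
+ensureUsers = [
+{
+name = db_user;
+ensureDBOwnership = true;
+}
+];
+authentication = mkForce ''
+# Generated file, do not edit!
+# TYPE DATABASE USER ADDRESS METHOD
+local all all trust
+host all all 127.0.0.1/32 trust
+host all all ::1/128 trust
+'';
+};
+
+caddy = {
+enable = true;
+virtualHosts = {
+"auth-z.kruining.eu".extraConfig = ''
+reverse_proxy h2c://127.0.0.1:9092
+'';
+};
+extraConfig = ''
+(auth-z) {
+forward_auth h2c://127.0.0.1:9092 {
+uri /api/authz/forward-auth
+copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+}
+}
+'';
+};
+};
+
+# Secrets
+sops.secrets."zitadel/masterKey" = {
+owner = "zitadel";
+group = "zitadel";
+restartUnits = [ "zitadel.service" ];
+};
+};
+}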
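Review bot: `authentication = mkForce ''…''` replaces pg_hba with `trust` for every local-socket and loopback TCP connection, so any process on the host can log in as any role, including the `postgres` superuser that `Database.postgres.Admin` now uses; the module this replaces connected over the `/run/postgresql` socket, where the NixOS default `peer` rule ties database roles to OS users. If Zitadel has to reach PostgreSQL over TCP on `localhost`, give the `zitadel` and admin roles passwords held in sops-managed files and keep password authentication in pg_hba rather than `trust`. `masterKeyFile = "/var/lib/zitadel/master_key"` bypasses the `sops.secrets."zitadel/masterKey"` entry that is still declared at the bottom of the file, so that secret is now dead configuration and the key has to be placed by hand. `Password = "KaasIsAwesome1!"` for the first-instance admin (with `Email.Verified = true`) lands world-readable in the Nix store; rotate it right after bootstrap and consider loading the `steps` from a secret-backed file if the module offers a path option for that. `openFirewall = true` also opens port 9092 (plain h2c, given `tlsMode = "external"`) to the network even though Caddy only proxies `127.0.0.1:9092`, so the cleartext listener is reachable directly.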
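--- /dev/null
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -0,0 +1,101 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+inherit (lib) mkIf mkEnableOption;
+
+cfg = config.${namespace}.services.development.forgejo;
+domain = "git.kruining.eu";
+in
+{
+options.${namespace}.services.development.forgejo = {
+enable = mkEnableOption "Forgejo";
+};
+
+config = mkIf cfg.enable {
+environment.systemPackages = with pkgs; [ forgejo ];
+
+services = {
+forgejo = {
+enable = true;
+useWizard = false;
+database.type = "postgres";
+
+settings = {
+DEFAULT = {
+APP_NAME = "Chris' Forge";
+};
+
+server = {
+DOMAIN = domain;
+ROOT_URL = "https://${domain}/";
+HTTP_PORT = 5002;
+};
+
+security = {
+PASSWORD_HASH_ALGO = "argon2";
+};
+
+service = {
+REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything
+DISABLE_REGISTRATION = true;
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+SHOW_REGISTRATION_BUTTON = false;
+};
+
+openid = {
+ENABLE_OPENID_SIGNIN = true;
+ENABLE_OPENID_SIGNUP = true;
+WHITELISTED_URIS = "https://auth-z.kruining.eu";
+};
+
+oauth2_client = {
+ENABLE_AUTO_REGISTRATION = true;
+UPDATE_AVATAR = true;
+};
+
+# actions = {
+# ENABLED = true;
+# DEFAULT_ACTIONS_URL = "forgejo";
+# };
+
+session = {
+COOKIE_SECURE = true;
+};
+};
+};
+
+# gitea-actions-runner = {
+# package = pkgs.forgejo-actions-runner;
+# instances.default = {
+# enable = true;
+# name = "monolith";
+# url = "https://git.kruining.eu";
+# # Obtaining the path to the runner token file may differ
+# # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+# tokenFile = config.age.secrets.forgejo-runner-token.path;
+# labels = [
+# "ubuntu-latest:docker://node:16-bullseye"
+# "ubuntu-22.04:docker://node:16-bullseye"
+# "ubuntu-20.04:docker://node:16-bullseye"
+# "ubuntu-18.04:docker://node:16-buster"
+# "native:host"
+# ];
+# };
+# };
+
+caddy = {
+enable = true;
+virtualHosts = {
+${domain}.extraConfig = ''
+# import auth-z
+
+# stupid dumb way to prevent the login page and go to zitadel instead
+# be aware that this does not disable local login at all!
+rewrite /user/login /user/oauth2/Zitadel
+
+reverse_proxy http://127.0.0.1:5002
+'';
+};
+};
+};
+};
+}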
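Review bot: `rewrite /user/login /user/oauth2/Zitadel` only changes where the login-page GET lands, as the comment above it already says, so password sign-in stays reachable through a direct POST to `/user/login`, the API and basic auth; treat it as a convenience, not an access control, and if local login is meant to be off, look for a Forgejo-side switch in the packaged version (Gitea 1.22-lineage has a `[service]` key `ENABLE_PASSWORD_SIGNIN_FORM`; confirm Forgejo carries it). The `Zitadel` authentication source the rewrite targets is not created by this module, so a fresh deploy sends users to a provider that does not exist until an admin adds one with exactly that name. `# import auth-z` is commented out, so the `forward_auth` snippet defined in the Zitadel module is not applied to this vhost. `DISABLE_REGISTRATION = true` sits next to `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` and `oauth2_client.ENABLE_AUTO_REGISTRATION = true`; confirm against the Forgejo docs which one wins, since they pull in opposite directions and a wrong guess either blocks SSO onboarding or reopens registration.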
@ -79,6 +79,11 @@ in
|
|||
bazarr = serviceConf;
|
||||
lidarr = serviceConf;
|
||||
|
||||
flaresolverr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
};
|
||||
|
||||
jellyseerr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
|
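Review bot: `flaresolverr = { enable = true; openFirewall = true; }` exposes the FlareSolverr API on every interface the firewall covers, whereas the podman container it replaces (commented out in the second hunk of this file, `ports = [ "127.0.0.1:8191:8191" ]`) was bound to loopback only. FlareSolverr has no authentication of its own and only the local *arr services need to reach it, so drop `openFirewall = true` here unless clients on other hosts genuinely require it, and in that case restrict the port to those source addresses with an explicit firewall rule. The enclosing `services = { … }` block starts outside the hunk.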
@ -135,11 +140,11 @@ in
|
|||
backend = "podman";
|
||||
|
||||
containers = {
|
||||
flaresolverr = {
|
||||
image = "flaresolverr/flaresolverr";
|
||||
autoStart = true;
|
||||
ports = [ "127.0.0.1:8191:8191" ];
|
||||
};
|
||||
# flaresolverr = {
|
||||
# image = "flaresolverr/flaresolverr";
|
||||
# autoStart = true;
|
||||
# ports = [ "127.0.0.1:8191:8191" ];
|
||||
# };
|
||||
|
||||
reiverr = {
|
||||
image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
|
||||
|
|
|
@ -6,7 +6,7 @@ let
|
|||
cfg = config.${namespace}.services.media.nextcloud;
|
||||
in
|
||||
{
|
||||
options.modules.services.nextcloud = {
|
||||
options.${namespace}.services.media.nextcloud = {
|
||||
enable = mkEnableOption "Nextcloud";
|
||||
|
||||
user = mkOption {
|
||||
|
@ -40,7 +40,7 @@ in
|
|||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
webserver = "caddy";
|
||||
# webserver = "caddy";
|
||||
package = pkgs.nextcloud31;
|
||||
hostName = "localhost";
|
||||
|
|
@ -2,10 +2,10 @@
|
|||
let
|
||||
inherit (lib) mkIf mkEnableOption;
|
||||
|
||||
cfg = config.${namespace}.media.nfs;
|
||||
cfg = config.${namespace}.services.media.nfs;
|
||||
in
|
||||
{
|
||||
options.${namespace}.media.nfs = {
|
||||
options.${namespace}.services.media.nfs = {
|
||||
enable = mkEnableOption "Enable NFS";
|
||||
};
|
||||
|
|
@ -13,7 +13,7 @@ in
|
|||
environment.systemPackages = with pkgs; [ sops ];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../../../../secrets/secrets.yaml;
|
||||
defaultSopsFile = ../../../../../_secrets/secrets.yaml;
|
||||
defaultSopsFormat = "yaml";
|
||||
|
||||
age.keyFile = "/home/";
|
||||
|
|
|
@ -14,9 +14,8 @@ in
|
|||
|
||||
sudo-rs = {
|
||||
enable = true;
|
||||
extraConfig = ''
|
||||
Defaults env_keep += "EDITOR PATH DISPLAY"
|
||||
'';
|
||||
execWheelOnly = true;
|
||||
extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
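Review bot: The rewritten `extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"'';` still keeps the invoking user's `PATH` for commands run as root, so a user-writable directory early in that PATH is searched for bare command names in every sudo session, which is exactly what env_reset and `secure_path` exist to prevent. Keep `EDITOR` and `DISPLAY` but drop `PATH` from the list, or, if a non-default root PATH is really wanted, set it explicitly via `Defaults secure_path=...` (value is deployment-specific; confirm sudo-rs honours the directive in the packaged version). `execWheelOnly = true` is a good addition. The enclosing `security = { … }` block starts outside the hunk.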
@ -28,5 +28,11 @@
|
|||
};
|
||||
};
|
||||
|
||||
|
||||
services.displayManager.autoLogin = {
|
||||
enable = true;
|
||||
user = "chris";
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
|
||||
|
|
|
@ -7,8 +7,15 @@
|
|||
|
||||
sneeuwvlok = {
|
||||
services = {
|
||||
authentication.authelia.enable = true;
|
||||
authentication.zitadel.enable = true;
|
||||
|
||||
networking.ssh.enable = true;
|
||||
|
||||
media.enable = true;
|
||||
media.nfs.enable = true;
|
||||
|
||||
development.forgejo.enable = true;
|
||||
};
|
||||
|
||||
editor = {
|
||||
|
|