diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 1b400bb..ee06900 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -555,11 +555,7 @@ in wantedBy = [ "multi-user.target" ]; wants = [ "zitadel.service" ]; - script = - let - tofu = lib.getExe pkgs.opentofu; - in - '' + script = '' #!/usr/bin/env bash if [ "$(systemctl is-active zitadel)" != "active" ]; then @@ -574,11 +570,11 @@ in cp -f ${terraformConfiguration} config.tf.json # Initialize OpenTofu - ${tofu} init + ${lib.getExe pkgs.opentofu} init # Run the infrastructure code - ${tofu} plan -refresh=false -out=tfplan - ${tofu} apply -auto-approve tfplan + # ${lib.getExe pkgs.opentofu} plan + ${lib.getExe pkgs.opentofu} apply -auto-approve ''; serviceConfig = { diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix index aa44856..6fa94ca 100644 --- a/modules/nixos/services/media/mydia/default.nix +++ b/modules/nixos/services/media/mydia/default.nix @@ -24,7 +24,6 @@ in { package = inputs.mydia.packages.${system}.default; port = 2010; - listenAddress = "0.0.0.0"; openFirewall = true; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 07f7058..abab566 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,31 +1,25 @@ -{ - pkgs, - config, - lib, - namespace, - ... -}: let +{ pkgs, config, lib, namespace, ... }: +let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; - databaseProviderSqlite = types.submodule ({...}: { + databaseProviderSqlite = types.submodule ({ ... }: { options = { type = mkOption { - type = types.enum ["sqlite"]; + type = types.enum [ "sqlite" ]; }; file = mkOption { - type = types.path; - description = '' - Path to sqlite database file. - ''; + type = types.str; + description = ''''; }; }; }); - databaseProviderPostgresql = types.submodule ({...}: let + databaseProviderPostgresql = types.submodule ({ ... }: + let urlOptions = lib.${namespace}.options.mkUrlOptions { host = { description = '' @@ -46,36 +40,36 @@ example = "postgres"; }; }; - in { - options = - { - type = mkOption { - type = types.enum ["postgresql"]; - }; + in + { + options = { + type = mkOption { + type = types.enum [ "postgresql" ]; + }; - sslMode = mkOption { - type = types.enum ["verify-ca" "verify-full" "require" "prefer" "allow" "disabled"]; - default = "verify-full"; - example = "verify-ca"; - description = '' - How to verify the server's ssl + sslMode = mkOption { + type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl - | mode | eavesdropping protection | MITM protection | Statement | - |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| - | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | - | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | - | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | - | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | - | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | - | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | - - [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) - ''; - }; - } - // (urlOptions |> getAttrs ["protocol" "host" "port"]); + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); }); -in { +in +{ options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; @@ -142,7 +136,7 @@ in { postgresql = { enable = true; - ensureDatabases = ["vaultwarden"]; + ensureDatabases = [ "vaultwarden" ]; ensureUsers = [ { name = "vaultwarden"; @@ -177,7 +171,7 @@ in { owner = config.users.users.vaultwarden.name; group = config.users.users.vaultwarden.name; key = "email/chris_kruining_eu"; - restartUnits = ["vaultwarden.service"]; + restartUnits = [ "vaultwarden.service" ]; }; }; @@ -189,31 +183,34 @@ in { owner = config.users.users.vaultwarden.name; group = config.users.groups.vaultwarden.name; }; - temp-db-output.content = let - config = - cfg.database - |> ( - {type, ...} @ db: - if type == "sqlite" - then {inherit (db) type file;} - else if type == "postgresql" - then { - inherit (db) type; - url = lib.${namespace}.strings.toUrl { - inherit (db) protocol host port; - path = "vaultwarden"; - query = { - sslmode = db.sslMode; + temp-db-output.content = + let + config = + cfg.database + |> ({ type, ... }@db: + if type == "sqlite" then + { inherit (db) type file; } + else if type == "postgresql" then + { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; + }; }; - }; - } - else {} - ) - |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}"); - in '' - # GENERATED VALUES - ${config} - ''; + } + else + {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") + ; + in + '' + # GENERATED VALUES + ${config} + ''; }; }; }; diff --git a/modules/nixos/shells/default.nix b/modules/nixos/shells/default.nix index ea8f50d..37afd9b 100644 --- a/modules/nixos/shells/default.nix +++ b/modules/nixos/shells/default.nix @@ -1,2 +1,5 @@ {...}: { + config = { + programs.bash.enableCompletion = true; + }; } diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 9e80086..b0d432e 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -20,8 +20,8 @@ lidarr: prowlarr: apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str] mydia: - oidc_id: ENC[AES256_GCM,data:LfYWh9EC0aio3w1Xsj/jtU6z,iv:+dX9KkNtfQMYSX4yr83KyXalWMD/aWby7fC8aL4ZT3I=,tag:CvdbMoMTuC9FohTMIE5pmg==,type:str] - oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str] + oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str] + oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str] secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str] guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str] sops: @@ -44,7 +44,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T14:27:13Z" - mac: ENC[AES256_GCM,data:v8t65zlWw6UuFeFQ5oBNVGjnuewPlZZG7ea8P4cEHXN+JnSAE67HivSCyjhUAFmX/UbksxnSLYdl72swTb9ASv6JaW2FVJsaF+5zmZbuM5pAjZl4MR6Y7+Vc9YqAi+axnSE1s8pRe9U1PYmcbLWaY9kRZdccavfM2bsoAIpJRTk=,iv:EevmWMh6ygEAlf9RE4qZ1KVKm6yDR5dTZeraoFHmdRg=,tag:sCdtEYc9iNjfEvyYyXH8rQ==,type:str] + lastmodified: "2025-12-01T09:05:11Z" + mac: ENC[AES256_GCM,data:6gFet+aW7tlQqy4aSulBTJ+mYpu1OxfK8Wa3noXNNDlFwTEpCWEhdwFDqWZ+sd5opINQoPrHD23BwiXYoJtKPeLd9/kpn//CgHvYcwgGDpPzCMbyDOLutlspyY4pfYrEezm8+yg3r5TkJK3o7U2Q8kkfdQQcfEGIsr9GDRKSplw=,iv:PYclBivPBifGreNWeCCZ74koSb51xBMYeviHf0SaxbA=,tag:Lb+vlcBUgpJE0XfJ/gwDiw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0