chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: chris:d9dff63ceaa5c93ecf4e6e27d2618aaa4e81c02a
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere
..
compare: chris:b739cd41900b398e927310fa3cc7709a6ecfa04f
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere

No commits in common. "d9dff63ceaa5c93ecf4e6e27d2618aaa4e81c02a" and "b739cd41900b398e927310fa3cc7709a6ecfa04f" have entirely different histories.
d9dff63cea ... b739cd4190

5 changed files with 75 additions and 80 deletions
Download patch file Download diff file Expand all files Collapse all files

12
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -555,11 +555,7 @@ in
wantedBy = [ "multi-user.target" ];
wants = [ "zitadel.service" ];
script =
let
tofu = lib.getExe pkgs.opentofu;
in
''
script = ''
#!/usr/bin/env bash
if [ "$(systemctl is-active zitadel)" != "active" ]; then
@ -574,11 +570,11 @@ in
cp -f ${terraformConfiguration} config.tf.json
# Initialize OpenTofu
${tofu} init
${lib.getExe pkgs.opentofu} init
# Run the infrastructure code
${tofu} plan -refresh=false -out=tfplan
${tofu} apply -auto-approve tfplan
# ${lib.getExe pkgs.opentofu} plan
${lib.getExe pkgs.opentofu} apply -auto-approve
'';
serviceConfig = {

1
modules/nixos/services/media/mydia/default.nix
View file

@ -24,7 +24,6 @@ in {
package = inputs.mydia.packages.${system}.default;
port = 2010;
listenAddress = "0.0.0.0";
openFirewall = true;
secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path;

129
modules/nixos/services/security/vaultwarden/default.nix
View file

@ -1,31 +1,25 @@
{
pkgs,
config,
lib,
namespace,
...
}: let
{ pkgs, config, lib, namespace, ... }:
let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep;
cfg = config.${namespace}.services.security.vaultwarden;
databaseProviderSqlite = types.submodule ({...}: {
databaseProviderSqlite = types.submodule ({ ... }: {
options = {
type = mkOption {
type = types.enum ["sqlite"];
type = types.enum [ "sqlite" ];
};
file = mkOption {
type = types.path;
description = ''
Path to sqlite database file.
'';
type = types.str;
description = '''';
};
};
});
databaseProviderPostgresql = types.submodule ({...}: let
databaseProviderPostgresql = types.submodule ({ ... }:
let
urlOptions = lib.${namespace}.options.mkUrlOptions {
host = {
description = ''
@ -46,36 +40,36 @@
example = "postgres";
};
};
in {
options =
{
type = mkOption {
type = types.enum ["postgresql"];
};
in
{
options = {
type = mkOption {
type = types.enum [ "postgresql" ];
};
sslMode = mkOption {
type = types.enum ["verify-ca" "verify-full" "require" "prefer" "allow" "disabled"];
default = "verify-full";
example = "verify-ca";
description = ''
How to verify the server's ssl
sslMode = mkOption {
type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ];
default = "verify-full";
example = "verify-ca";
description = ''
How to verify the server's ssl
| mode | eavesdropping protection | MITM protection | Statement |
|-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. |
| allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. |
| prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. |
| require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. |
| verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. |
| verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. |
| mode | eavesdropping protection | MITM protection | Statement |
|-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. |
| allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. |
| prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. |
| require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. |
| verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. |
| verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. |
[Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS)
'';
};
}
// (urlOptions |> getAttrs ["protocol" "host" "port"]);
[Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS)
'';
};
} // (urlOptions |> getAttrs [ "protocol" "host" "port" ]);
});
in {
in
{
options.${namespace}.services.security.vaultwarden = {
enable = mkEnableOption "enable vaultwarden";
@ -142,7 +136,7 @@ in {
postgresql = {
enable = true;
ensureDatabases = ["vaultwarden"];
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
@ -177,7 +171,7 @@ in {
owner = config.users.users.vaultwarden.name;
group = config.users.users.vaultwarden.name;
key = "email/chris_kruining_eu";
restartUnits = ["vaultwarden.service"];
restartUnits = [ "vaultwarden.service" ];
};
};
@ -189,31 +183,34 @@ in {
owner = config.users.users.vaultwarden.name;
group = config.users.groups.vaultwarden.name;
};
temp-db-output.content = let
config =
cfg.database
|> (
{type, ...} @ db:
if type == "sqlite"
then {inherit (db) type file;}
else if type == "postgresql"
then {
inherit (db) type;
url = lib.${namespace}.strings.toUrl {
inherit (db) protocol host port;
path = "vaultwarden";
query = {
sslmode = db.sslMode;
temp-db-output.content =
let
config =
cfg.database
|> ({ type, ... }@db:
if type == "sqlite" then
{ inherit (db) type file; }
else if type == "postgresql" then
{
inherit (db) type;
url = lib.${namespace}.strings.toUrl {
inherit (db) protocol host port;
path = "vaultwarden";
query = {
sslmode = db.sslMode;
};
};
};
}
else {}
)
|> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}");
in ''
# GENERATED VALUES
${config}
'';
}
else
{}
)
|> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}")
;
in
''
# GENERATED VALUES
${config}
'';
};
};
};

3
modules/nixos/shells/default.nix
View file

@ -1,2 +1,5 @@
{...}: {
config = {
programs.bash.enableCompletion = true;
};
}

8
systems/x86_64-linux/ulmo/secrets.yml
View file

@ -20,8 +20,8 @@ lidarr:
prowlarr:
apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str]
mydia:
oidc_id: ENC[AES256_GCM,data:LfYWh9EC0aio3w1Xsj/jtU6z,iv:+dX9KkNtfQMYSX4yr83KyXalWMD/aWby7fC8aL4ZT3I=,tag:CvdbMoMTuC9FohTMIE5pmg==,type:str]
oidc_secret: ENC[AES256_GCM,data:PgI4hmP/3wt9uj+1QvCYcT8Wav0hgCRADouzWM3V695SSfXfbwDgez8tA/tm1/1jymAU2F2sZH8G2hZ1cdHyHQ==,iv:h3o3jsTmnoNE3+mGX12J3ZU0/6PlQNjdndEvaj/czj0=,tag:p3+p4E8fBtR7a8UpM8cUsg==,type:str]
oidc_id: ENC[AES256_GCM,data:ymZdkUjbbTuJuGvI5T9d,iv:ccKpjKnzUH+/sGEBnmxnMNU3lY+j8NPUjvj8q4phprs=,tag:11H0Vd28gPajyU+3uAUYUQ==,type:str]
oidc_secret: ENC[AES256_GCM,data:N7qdoueB9ayGx0RWdw/w,iv:k09TaKjNShaFWImZ82Fjqvjj4CPVIqVhCPZ7o1DgjX4=,tag:q+HMYN4zd7pFqCX90uaWgQ==,type:str]
secret_key_base: ENC[AES256_GCM,data:yG7HJ5r74Qtxbeyf8F6dA0uHv2pQ8YAJKlKiKjS+m24JRvJWQaTThJ+c5HbuUa6R3e9XtVHchhlVPkF0Is/b+g==,iv:v65xdRr4JdKZmBtjZ08/J3LLqnphSGt9QfVPNQ2x/xg=,tag:n7tD2dhr4IJn1LWM9WW8UA==,type:str]
guardian_secret: ENC[AES256_GCM,data:OjnNFSHlecL+qXwlhTm++itRM6ga5E5KrSJxbgIUpbMEkIWgu3xhRtnPdipXbedgall0XdO/s+jnWCagZX94BA==,iv:DukdKvm9vey8BWUiml20tgA/Vji1XVX4+sUPge9nTk0=,tag:q3HdvgUYqR0APiaFz0ul5Q==,type:str]
sops:
@ -44,7 +44,7 @@ sops:
TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-01T14:27:13Z"
mac: ENC[AES256_GCM,data:v8t65zlWw6UuFeFQ5oBNVGjnuewPlZZG7ea8P4cEHXN+JnSAE67HivSCyjhUAFmX/UbksxnSLYdl72swTb9ASv6JaW2FVJsaF+5zmZbuM5pAjZl4MR6Y7+Vc9YqAi+axnSE1s8pRe9U1PYmcbLWaY9kRZdccavfM2bsoAIpJRTk=,iv:EevmWMh6ygEAlf9RE4qZ1KVKm6yDR5dTZeraoFHmdRg=,tag:sCdtEYc9iNjfEvyYyXH8rQ==,type:str]
lastmodified: "2025-12-01T09:05:11Z"
mac: ENC[AES256_GCM,data:6gFet+aW7tlQqy4aSulBTJ+mYpu1OxfK8Wa3noXNNDlFwTEpCWEhdwFDqWZ+sd5opINQoPrHD23BwiXYoJtKPeLd9/kpn//CgHvYcwgGDpPzCMbyDOLutlspyY4pfYrEezm8+yg3r5TkJK3o7U2Q8kkfdQQcfEGIsr9GDRKSplw=,iv:PYclBivPBifGreNWeCCZ74koSb51xBMYeviHf0SaxbA=,tag:Lb+vlcBUgpJE0XfJ/gwDiw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0