diff --git a/.envrc b/.envrc deleted file mode 100644 index 0f94eed..0000000 --- a/.envrc +++ /dev/null @@ -1,2 +0,0 @@ -# shellcheck shell=bash -use flake diff --git a/.just/machine.just b/.just/machine.just index cbdf345..1ce791f 100644 --- a/.just/machine.just +++ b/.just/machine.just @@ -4,7 +4,6 @@ @list: ls -1 ../systems/x86_64-linux/ -[no-exit-message] [doc('Update the target machine')] @update machine: just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')" diff --git a/.just/vars.just b/.just/vars.just index b4d6be2..167144a 100644 --- a/.just/vars.just +++ b/.just/vars.just @@ -16,7 +16,7 @@ list machine: {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" @@ -27,6 +27,6 @@ list machine: {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null + git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null echo "Done" \ No newline at end of file diff --git a/flake.lock b/flake.lock index 5ed2f72..935fbaf 100644 --- a/flake.lock +++ b/flake.lock 
@@ -68,81 +68,6 @@ "type": "github" } }, - "clan-core": { - "inputs": { - "data-mesher": "data-mesher", - "disko": "disko", - "flake-parts": "flake-parts", - "nix-darwin": "nix-darwin", - "nix-select": "nix-select", - "nixos-facter-modules": "nixos-facter-modules", - "nixpkgs": [ - "nixpkgs" - ], - "sops-nix": "sops-nix", - "systems": "systems", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1762254206, - "narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=", - "rev": "43a7652624e76d60a93325c711d01620801d4382", - "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz" - } - }, - "data-mesher": { - "inputs": { - "flake-parts": [ - "clan-core", - "flake-parts" - ], - "nixpkgs": [ - "clan-core", - "nixpkgs" - ], - "treefmt-nix": [ - "clan-core", - "treefmt-nix" - ] - }, - "locked": { - "lastModified": 1760612273, - "narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=", - "rev": "0099739c78be750b215cbdefafc9ba1533609393", - "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "clan-core", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1761899396, - "narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=", - "owner": "nix-community", - "repo": "disko", - "rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, "erosanix": { "inputs": { "flake-compat": "flake-compat", 
@@ -299,27 +224,6 @@ } }, "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "clan-core", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1762040540, - "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "0010412d62a25d959151790968765a70c436598b", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nvf", @@ -340,7 +244,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -361,7 +265,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "terranix", @@ -384,7 +288,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1731533236, @@ -421,7 +325,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, @@ -439,7 +343,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -457,7 +361,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_6" + "systems": "systems_5" }, "locked": { "lastModified": 1694529238, @@ -660,27 +564,6 @@ "type": "github" } }, - "nix-darwin": { - "inputs": { - "nixpkgs": [ - "clan-core", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1762186368, - "narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=", - "owner": "nix-darwin", - "repo": "nix-darwin", - "rev": "69921864a70b58787abf5ba189095566c3f0ffd3", - "type": "github" - }, - "original": { - "owner": "nix-darwin", - "repo": "nix-darwin", - "type": "github" - } - }, "nix-github-actions": { "inputs": { "nixpkgs": [ 
@@ -723,19 +606,6 @@ "type": "github" } }, - "nix-select": { - "locked": { - "lastModified": 1755887746, - "narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=", - "rev": "92c2574c5e113281591be01e89bb9ddb31d19156", - "type": "tarball", - "url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz" - } - }, "nixlib": { "locked": { "lastModified": 1736643958, @@ -766,21 +636,6 @@ "type": "github" } }, - "nixos-facter-modules": { - "locked": { - "lastModified": 1761137276, - "narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=", - "owner": "nix-community", - "repo": "nixos-facter-modules", - "rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-facter-modules", - "type": "github" - } - }, "nixos-generators": { "inputs": { "nixlib": "nixlib", @@ -1010,10 +865,10 @@ "nvf": { "inputs": { "flake-compat": "flake-compat_4", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts", "mnw": "mnw", "nixpkgs": "nixpkgs_7", - "systems": "systems_5" + "systems": "systems_4" }, "locked": { "lastModified": 1760153667, @@ -1054,7 +909,6 @@ }, "root": { "inputs": { - "clan-core": "clan-core", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", @@ -1071,7 +925,7 @@ "nvf": "nvf", "plasma-manager": "plasma-manager", "snowfall-lib": "snowfall-lib", - "sops-nix": "sops-nix_2", + "sops-nix": "sops-nix", "stylix": "stylix", "terranix": "terranix", "zen-browser": "zen-browser" 
@@ -1138,27 +992,6 @@ } }, "sops-nix": { - "inputs": { - "nixpkgs": [ - "clan-core", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760998189, - "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "sops-nix_2": { "inputs": { "nixpkgs": "nixpkgs_8" }, @@ -1183,11 +1016,11 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_2", "gnome-shell": "gnome-shell", "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_7", + "systems": "systems_6", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -1313,28 +1146,13 @@ "type": "github" } }, - "systems_8": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "terranix": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_3", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_8" + "systems": "systems_7" }, "locked": { "lastModified": 1757278723, 
@@ -1431,27 +1249,6 @@ "type": "github" } }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "clan-core", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1761311587, - "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "zen-browser": { "inputs": { "home-manager": "home-manager_2", diff --git a/flake.nix b/flake.nix index d7a7508..8ea1571 100644 --- a/flake.nix +++ b/flake.nix @@ -83,11 +83,6 @@ url = "github:terranix/terranix"; inputs.nixpkgs.follows = "nixpkgs"; }; - - clan-core = { - url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { @@ -124,10 +119,6 @@ flux.overlays.default ]; - systems.modules = with inputs; [ - clan-core.nixosModules.default - ]; - homes.modules = with inputs; [ stylix.homeModules.stylix plasma-manager.homeModules.plasma-manager diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 402d59d..7540e2f 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length; + inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -340,7 +340,7 @@ in # Organizations zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }: { inherit name isDefault; } - |> toResource name + |> toResource name ); # Projects per organization @@ -348,8 +348,8 @@ in { inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Each OIDC app per project @@ -361,26 +361,26 @@ in idTokenRoleAssertion = true; accessTokenType = "JWT"; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> toResource "${org}_${project}_${name}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" ); # Each project role zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value: { inherit (value) displayName group; roleKey = name; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> toResource "${org}_${project}_${name}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> toResource "${org}_${project}_${name}" ); # Each project role assignment zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles: { roleKeys = roles; } - |> withRef "org" org - |> withRef "project" "${org}_${project}" - |> withRef "user" "${org}_${user}" - |> toResource "${org}_${project}_${user}" + |> withRef "org" org + |> withRef "project" "${org}_${project}" + |> withRef "user" "${org}_${user}" + |> toResource "${org}_${project}_${user}" ); # Users 
@@ -390,30 +390,24 @@ in isEmailVerified = true; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Global user roles - zitadel_instance_member = - cfg.organization - |> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0)) - |> select [ "user" ] (org: name: { instanceRoles, ... }: - { roles = instanceRoles; } + zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value: + { roles = value.instanceRoles; } |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" - ); + ); # Organazation specific roles - zitadel_org_member = - cfg.organization - |> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0)) - |> select [ "user" ] (org: name: { roles, ... }: - { inherit roles; } + zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }: + { inherit roles; } |> withRef "org" org |> withRef "user" "${org}_${name}" |> toResource "${org}_${name}" - ); + ); # Organazation's actions zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}: 
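Review bot: Removing the two `filterAttrsRecursive` guards means `zitadel_instance_member` and `zitadel_org_member` resources are now produced for every user, including users whose `instanceRoles` or `roles` list is empty, which the old code deliberately skipped; whether the Zitadel provider accepts an empty roles list or rejects the resource is not visible here. `value.instanceRoles` in the instance-member branch still fails evaluation for a user attrset that lacks the attribute unless the option declares a default (the old `{ instanceRoles, ... }` pattern required it too, so that part is unchanged). If the filtering has moved into `select` (the first hunk of this file swaps `filterAttrsRecursive` for `hasAttr`/`getAttr`/`typeOf` in the `inherit`), a comment above each resource saying so, e.g. `# select skips users with an empty instanceRoles list`, would save the next reader from re-deriving it; if not, the membership resources should be gated again so no user receives an instance-level membership it was not meant to have. The enclosing attribute set starts and ends outside this hunk.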
@@ -422,27 +416,25 @@ in timeout = "${toString timeout}s"; script = "const ${name} = ${script}"; } - |> withRef "org" org - |> toResource "${org}_${name}" + |> withRef "org" org + |> toResource "${org}_${name}" ); # Organazation's action assignments - zitadel_trigger_actions = - cfg.organization + zitadel_trigger_actions = cfg.organization |> concatMapAttrs (org: { triggers, ... }: triggers - |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in - { - inherit flowType triggerType; + |> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in + { + inherit flowType triggerType; - actionIds = - actions - |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); - } - |> withRef "org" org - |> toResource "${org}_${name}" - )) - |> listToAttrs + actionIds = actions + |> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id")); + } + |> withRef "org" org + |> toResource "${org}_${name}" + )) + |> listToAttrs ); # SMTP config diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix index e200505..fbe5235 100644 --- a/modules/nixos/services/backup/borg/default.nix +++ b/modules/nixos/services/backup/borg/default.nix @@ -16,7 +16,7 @@ in paths = "/var/media/test"; encryption.mode = "none"; environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/media"; + repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media"; compression = "auto,zstd"; startAt = "daily"; }; diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix index ce92df4..f84c002 100644 --- a/modules/nixos/services/communication/matrix/default.nix +++ b/modules/nixos/services/communication/matrix/default.nix 
@@ -46,8 +46,8 @@ in precence.enabled = true; # Since we'll be using OIDC for auth disable all local options - enable_registration = false; - enable_registration_without_verification = false; + enable_registration = true; + enable_registration_without_verification = true; password_config.enabled = false; backchannel_logout_enabled = true; @@ -186,11 +186,6 @@ in - profile client_id: '${config.sops.placeholder."synapse/oidc_id"}' client_secret: '${config.sops.placeholder."synapse/oidc_secret"}' - backchannel_logout_enabled: true - user_mapping_provider: - config: - localpart_template: "{{ user.preferred_username }}" - display_name_template: "{{ user.name }}" ''; restartUnits = [ "matrix-synapse.service" ]; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index dbcef87..39e8215 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -121,7 +121,7 @@ in }; mirror = { - ENABLED = true; + ENABLED = false; }; session = { diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 9d915da..bc41fb4 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -72,6 +72,12 @@ in settings = { auth.AuthenticationMethod = "External"; + + # postgres = { + # PostgresHost = "localhost"; + # PostgresPort = "5432"; + # PostgresUser = "media"; + # }; }; }; 
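Review bot: `enable_registration = true;` together with `enable_registration_without_verification = true;` opens self-service account creation with no email or token check, while the comment directly above them still states that local options are disabled because authentication is handled by OIDC, so the comment and the code now disagree. If open registration is only needed to bootstrap accounts, say so next to the lines and note the revert; otherwise keep `enable_registration = false;` (the OIDC provider already supplies accounts and `password_config.enabled = false` leaves no local password path). A middle ground that keeps the server closed to strangers is `registration_requires_token = true;`, which permits registration only with an operator-issued token. The enclosing `settings` attrset starts and ends outside this hunk.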
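Review bot: Removing `backchannel_logout_enabled: true` from the provider entry most likely stops Synapse from processing the IdP's back-channel logout notifications for this provider; as far as I recall Synapse reads that key per entry under `oidc_providers`, and the `backchannel_logout_enabled = true;` left at the top level of `settings` in the earlier hunk may not be honored — confirm against the Synapse configuration reference, or restore the per-provider line. Dropping `user_mapping_provider` also changes how identities are bound: without `localpart_template` Synapse prompts the user to choose a localpart instead of deriving it from the IdP's `preferred_username`, so the Matrix ID is no longer fixed by the identity provider. If that is intended, a one-line comment such as `# localpart is chosen by the user at first login, not taken from the IdP` would make it deliberate. The sops template string this YAML sits in begins before the hunk.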
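Review bot: The added `postgres` block is commented-out configuration with no note on why it is parked, and the same applies to the larger commented-out `postgresql` service block in the next hunk of this file (`@@ -146,6 +152,39 @@`). Either leave it out until it is ready or mark it with one line, e.g. `# TODO(<owner>): PostgreSQL backend for the *arr services; disabled until the migration is scheduled`, so it does not read as accidentally switched off. When that block is enabled, note that its `identMap` lets the single `media` OS user authenticate as every `*-main` and `*-log` database role, so all four services share one credential boundary; that may be acceptable for a single media host but is worth stating next to the map. The enclosing `settings` attrset starts and ends outside the hunk.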
@@ -146,6 +152,39 @@ in group = cfg.group; }; + # postgresql = { + # enable = true; + # ensureDatabases = [ + # "radarr-main" "radarr-log" + # "sonarr-main" "sonarr-log" + # "lidarr-main" "lidarr-log" + # "prowlarr-main" "prowlarr-log" + # ]; + # identMap = '' + # media media radarr-main + # media media radarr-log + # media media sonarr-main + # media media sonarr-log + # media media lidarr-main + # media media lidarr-log + # media media prowlarr-main + # media media prowlarr-log + # ''; + # ensureUsers = [ + # { name = "radarr-main"; ensureDBOwnership = true; } + # { name = "radarr-log"; ensureDBOwnership = true; } + + # { name = "sonarr-main"; ensureDBOwnership = true; } + # { name = "sonarr-log"; ensureDBOwnership = true; } + + # { name = "lidarr-main"; ensureDBOwnership = true; } + # { name = "lidarr-log"; ensureDBOwnership = true; } + + # { name = "prowlarr-main"; ensureDBOwnership = true; } + # { name = "prowlarr-log"; ensureDBOwnership = true; } + # ]; + # }; + caddy = { enable = true; virtualHosts = { diff --git a/shells/default/default.nix b/shells/default/default.nix deleted file mode 100644 index 0361f88..0000000 --- a/shells/default/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ mkShell, inputs, pkgs, ... }: - -mkShell { - packages = with pkgs; [ - bash - sops - just - inputs.clan-core.packages.x86_64-linux.clan-cli - ]; -} \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 027dad6..7657eac 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -38,8 +38,7 @@ sneeuwvlok = { services = { - backup.borg.enable = true; - + # authentication.authelia.enable = true; authentication.zitadel = { enable = true;