chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: chris:e3238aa60cfa9440249fcdb2ab1b0d4485251fe2
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere
..
compare: chris:2d3da197ee8e549b46a52266af22271a817127fd
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere

28 commits
e3238aa60c ... 2d3da197ee

Author SHA1 Message Date
Chris Kruining
2d3da197ee
lets actually commit for once...
Some checks failed
Test action / kaas (push) Failing after 1s
Details
2025-11-20 00:05:34 +01:00
Chris Kruining
169b62e6f3
chore: update config after update 2025-11-19 11:49:09 +01:00
chris
09e4e940bc chore: update dependencies 2025-11-19 10:27:29 +00:00
chris
ba246b145f chore(secrets): set secret "prowlarr/apikey" for machine "ulmo" 2025-11-19 09:51:27 +00:00
chris
d0e374c8bb chore(secrets): set secret "lidarr/apikey" for machine "ulmo" 2025-11-19 09:51:06 +00:00
chris
6a0195587d chore(secrets): set secret "sonarr/apikey" for machine "ulmo" 2025-11-19 09:50:58 +00:00
chris
80e61ec5d8 chore(secrets): set secret "radarr/apikey" for machine "ulmo" 2025-11-19 09:50:35 +00:00
chris
9116361b90 chore(secrets): set secret "radarr/apikey" for machine "ulmo" 2025-11-19 09:48:56 +00:00
chris
272f48a9ab chore(secrets): set secret "kaas" for machine "ulmo" 2025-11-13 07:50:45 +00:00
Chris Kruining
4e09252e75
feat(zitadel): add remapping of exported keys 2025-11-12 17:26:17 +01:00
Chris Kruining
fa37c3eb50
feat(zitadel): add extra users via secrets 2025-11-12 17:23:40 +01:00
Chris Kruining
df5dfa61a9
fix(justfile): escape double quotes for inputs 2025-11-12 17:20:21 +01:00
chris
4dc24de8eb chore(secrets): set secret "zitadel/users" for machine "ulmo" 2025-11-12 16:13:37 +00:00
chris
91d8a32239 chore(secrets): set secret "zitadel/users" for machine "ulmo" 2025-11-12 16:13:10 +00:00
chris
9a664b2438 chore(secrets): set secret "zitadel/users" for machine "ulmo" 2025-11-12 13:40:34 +00:00
chris
8203f653f9 chore(secrets): set secret "zitadel/users" for machine "ulmo" 2025-11-12 13:40:15 +00:00
chris
9a3f154cab chore(secrets): removed secret "zitadel/nix/users" from machine "ulmo" 2025-11-12 13:40:07 +00:00
chris
c5ec450517 chore(secrets): removed secret "zitadel/users" from machine "ulmo" 2025-11-12 13:36:56 +00:00
chris
983f1aa7d8 chore(secrets): set secret "zitadel/nix/users" for machine "ulmo" 2025-11-12 13:36:42 +00:00
chris
cebc2ec040 chore(secrets): removed secret "test" from machine "ulmo" 2025-11-12 13:31:42 +00:00
chris
4c3adb782c chore(secrets): set secret "zitadel/users" for machine "ulmo" 2025-11-12 13:31:01 +00:00
chris
d61e9e19ca chore(secrets): set secret "zitadel/users" for machine "ulmo" 2025-11-12 13:13:06 +00:00
chris
95f115f04c chore(secrets): removed secret "users" from machine "ulmo" 2025-11-12 13:12:57 +00:00
chris
d02f5fc4ee chore(secrets): set secret "users" for machine "ulmo" 2025-11-12 13:12:27 +00:00
chris
c6f1e93f7e chore(secrets): removed secret "test/users" from machine "ulmo" 2025-11-12 13:12:15 +00:00
chris
6fd6b74a74 chore(secrets): removed secret "test.users" from machine "ulmo" 2025-11-12 13:11:36 +00:00
chris
61deef854f chore(secrets): set secret "test/users" for machine "ulmo" 2025-11-12 13:11:05 +00:00
chris
5ff60d46c7 chore(secrets): set secret "test.users" for machine "ulmo" 2025-11-12 13:09:40 +00:00
16 changed files with 904 additions and 185 deletions
Download patch file Download diff file Expand all files Collapse all files

18
.just/vars.just
View file

@ -1,19 +1,23 @@
set unstable
base_path := invocation_directory() / "systems/x86_64-linux"
sops := "nix shell nixpkgs#sops --command sops"
yq := "nix shell nixpkgs#yq --command yq"
# sops := "nix shell nixpkgs#sops --command sops"
# yq := "nix shell nixpkgs#yq --command yq"
sops := "sops"
yq := "yq"
@_default:
just --list
[doc('list all vars of the target machine')]
list machine:
{{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml
sops decrypt {{ base_path }}/{{ machine }}/secrets.yml
@edit machine:
{{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
sops edit {{ base_path }}/{{ machine }}/secrets.yml
@set machine key value:
{{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
sops set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" "\"$(echo '{{ value }}' | sed 's/\"/\\\"/g')\""
git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
@ -21,10 +25,10 @@ list machine:
echo "Done"
@get machine key:
{{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml | {{ yq }} ".$(echo "{{ key }}" | sed -E 's/\//./g')"
sops decrypt {{ base_path }}/{{ machine }}/secrets.yml | yq ".$(echo "{{ key }}" | sed -E 's/\//./g')"
@remove machine key:
{{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
sops unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null

230
flake.lock generated
View file

@ -84,11 +84,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1762254206,
"narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=",
"rev": "43a7652624e76d60a93325c711d01620801d4382",
"lastModified": 1763547157,
"narHash": "sha256-lJcMap2uT+x1R8WUUKKQ6ndynysJ/JOkrMThMGz6DP0=",
"rev": "2cb2134a6ee32d427097077c4fb4c416b52ae988",
"type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz"
"url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/2cb2134a6ee32d427097077c4fb4c416b52ae988.tar.gz"
},
"original": {
"type": "tarball",
@ -111,11 +111,11 @@
]
},
"locked": {
"lastModified": 1760612273,
"narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=",
"rev": "0099739c78be750b215cbdefafc9ba1533609393",
"lastModified": 1762942435,
"narHash": "sha256-zIWGs5FIytTtJN+dhDb8Yx+q4TQI/yczuL539yVcyPE=",
"rev": "0ee328404b12c65e8106bde9e9fab8abf4ecada4",
"type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz"
"url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0ee328404b12c65e8106bde9e9fab8abf4ecada4.tar.gz"
},
"original": {
"type": "tarball",
@ -130,11 +130,11 @@
]
},
"locked": {
"lastModified": 1761899396,
"narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=",
"lastModified": 1762276996,
"narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
"owner": "nix-community",
"repo": "disko",
"rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998",
"rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
"type": "github"
},
"original": {
@ -149,11 +149,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1759842236,
"narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=",
"lastModified": 1762360792,
"narHash": "sha256-YR7vqk+XEvFUQ/miuBAD3+p+97QUN86ya9Aw0K5feJE=",
"owner": "emmanuelrosa",
"repo": "erosanix",
"rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a",
"rev": "9075dff5685d3e7269284e53ca496da0beb24596",
"type": "github"
},
"original": {
@ -170,11 +170,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1760510549,
"narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=",
"lastModified": 1763534658,
"narHash": "sha256-i/51/Zi/1pM9hZxxSuA3nVPpyqlGoWwJwajyA/loOpo=",
"owner": "nix-community",
"repo": "fenix",
"rev": "ef7178cf086f267113b5c48fdeb6e510729c8214",
"rev": "69e40ddf45698d0115a62a7a15d8412f35dd4c09",
"type": "github"
},
"original": {
@ -190,11 +190,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1760548798,
"narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=",
"lastModified": 1763504432,
"narHash": "sha256-kpmPI67TdoTxiK7LsmgmkKW3iHoyvZJwZeiJhpwPfmw=",
"owner": "nix-community",
"repo": "flake-firefox-nightly",
"rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753",
"rev": "49d5d8d42a7650e5353f8467c813839290cb7c9f",
"type": "github"
},
"original": {
@ -237,11 +237,11 @@
},
"flake-compat_2": {
"locked": {
"lastModified": 1746162366,
"narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
"lastModified": 1761640442,
"narHash": "sha256-AtrEP6Jmdvrqiv4x2xa5mrtaIp3OEe8uBYCDZDS+hu8=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
"rev": "4a56054d8ffc173222d09dad23adf4ba946c8884",
"type": "github"
},
"original": {
@ -306,11 +306,11 @@
]
},
"locked": {
"lastModified": 1762040540,
"narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
"lastModified": 1762980239,
"narHash": "sha256-8oNVE8TrD19ulHinjaqONf9QWCKK+w4url56cdStMpM=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "0010412d62a25d959151790968765a70c436598b",
"rev": "52a2caecc898d0b46b2b905f058ccc5081f842da",
"type": "github"
},
"original": {
@ -327,11 +327,11 @@
]
},
"locked": {
"lastModified": 1759362264,
"narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
"lastModified": 1760948891,
"narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
"rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
"type": "github"
},
"original": {
@ -510,18 +510,20 @@
"gnome-shell": {
"flake": false,
"locked": {
"lastModified": 1748186689,
"narHash": "sha256-UaD7Y9f8iuLBMGHXeJlRu6U1Ggw5B9JnkFs3enZlap0=",
"host": "gitlab.gnome.org",
"lastModified": 1762869044,
"narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=",
"owner": "GNOME",
"repo": "gnome-shell",
"rev": "8c88f917db0f1f0d80fa55206c863d3746fa18d0",
"type": "github"
"rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad",
"type": "gitlab"
},
"original": {
"host": "gitlab.gnome.org",
"owner": "GNOME",
"ref": "48.2",
"ref": "gnome-49",
"repo": "gnome-shell",
"type": "github"
"type": "gitlab"
}
},
"grub2-themes": {
@ -551,11 +553,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1760546650,
"narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=",
"lastModified": 1763486183,
"narHash": "sha256-10EvBTF9ELezWg+KoKZJ3bxrPzT1Xz95ifurC6HixLY=",
"owner": "himmelblau-idm",
"repo": "himmelblau",
"rev": "ba54075737cb9c688cfadde8048f83371dbaba8d",
"rev": "fb27f4bee812e4b4df9df9f78bd5280f0aa2193c",
"type": "github"
},
"original": {
@ -571,11 +573,11 @@
]
},
"locked": {
"lastModified": 1760500983,
"narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=",
"lastModified": 1763416652,
"narHash": "sha256-8EBEEvtzQ11LCxpQHMNEBQAGtQiCu/pqP9zSovDSbNM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa",
"rev": "ea164b7c9ccdc2321379c2ff78fd4317b4c41312",
"type": "github"
},
"original": {
@ -592,11 +594,11 @@
]
},
"locked": {
"lastModified": 1752603129,
"narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
"lastModified": 1762964643,
"narHash": "sha256-RYHN8O/Aja59XDji6WSJZPkJpYVUfpSkyH+PEupBJqM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
"rev": "827f2a23373a774a8805f84ca5344654c31f354b",
"type": "github"
},
"original": {
@ -613,11 +615,11 @@
]
},
"locked": {
"lastModified": 1760534924,
"narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=",
"lastModified": 1763453666,
"narHash": "sha256-Hu8lDUlbMFvcYX30LBXX7Gq5FbU35bERH0pSX5qHf/Q=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "100b4e000032b865563a9754e5bca189bc544764",
"rev": "b843b551415c7aecc97c8b3ab3fff26fd0cd8bbf",
"type": "github"
},
"original": {
@ -668,11 +670,11 @@
]
},
"locked": {
"lastModified": 1762186368,
"narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=",
"lastModified": 1763136804,
"narHash": "sha256-6p2ljK42s0S8zS0UU59EsEqupz0GVCaBYRylpUadeBM=",
"owner": "nix-darwin",
"repo": "nix-darwin",
"rev": "69921864a70b58787abf5ba189095566c3f0ffd3",
"rev": "973db96394513fd90270ea5a1211a82a4a0ba47f",
"type": "github"
},
"original": {
@ -710,11 +712,11 @@
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1760493654,
"narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=",
"lastModified": 1763171892,
"narHash": "sha256-6cg9zSiqKA89yJzVtYhBaBptqq6bX4pr4g7WLAHOD4Y=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b",
"rev": "316858c27d278b20e776cd4dd8f787812f587ba2",
"type": "github"
},
"original": {
@ -725,11 +727,11 @@
},
"nix-select": {
"locked": {
"lastModified": 1755887746,
"narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=",
"rev": "92c2574c5e113281591be01e89bb9ddb31d19156",
"lastModified": 1763303120,
"narHash": "sha256-yxcNOha7Cfv2nhVpz9ZXSNKk0R7wt4AiBklJ8D24rVg=",
"rev": "3d1e3860bef36857a01a2ddecba7cdb0a14c35a9",
"type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz"
"url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/3d1e3860bef36857a01a2ddecba7cdb0a14c35a9.tar.gz"
},
"original": {
"type": "tarball",
@ -768,11 +770,11 @@
},
"nixos-facter-modules": {
"locked": {
"lastModified": 1761137276,
"narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=",
"lastModified": 1762264948,
"narHash": "sha256-iaRf6n0KPl9hndnIft3blm1YTAyxSREV1oX0MFZ6Tk4=",
"owner": "nix-community",
"repo": "nixos-facter-modules",
"rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8",
"rev": "fa695bff9ec37fd5bbd7ee3181dbeb5f97f53c96",
"type": "github"
},
"original": {
@ -810,11 +812,11 @@
]
},
"locked": {
"lastModified": 1760536587,
"narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=",
"lastModified": 1763537456,
"narHash": "sha256-/WRqcqeE9C+mxxWgI7jy5blMrvg2lHFSlTFjC8pRWos=",
"owner": "nix-community",
"repo": "nixos-wsl",
"rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea",
"rev": "cd9eb5225fc91eb67629966844d2ff371824abb1",
"type": "github"
},
"original": {
@ -825,11 +827,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1759360550,
"narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=",
"lastModified": 1761828793,
"narHash": "sha256-xjdPwMD4wVuDD85U+3KST62VzFkJueI6oBwIzpzUHLY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036",
"rev": "843859a08e114403f44aaf5b996b44c38094aa46",
"type": "github"
},
"original": {
@ -856,11 +858,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1760479263,
"narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=",
"lastModified": 1763469780,
"narHash": "sha256-IW67Db/wBNQwJ5e0fF9Yk4SmdivMcecrUVDs7QJoC/s=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5",
"rev": "a70b03ca5dc9d46294740f165abdef9f9bea5632",
"type": "github"
},
"original": {
@ -888,11 +890,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1760548845,
"narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=",
"lastModified": 1763547551,
"narHash": "sha256-YOdXVAqEGmrPUgs71r8ziuu9qqpn3jJEiIxsIls+VQA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "631597d659c37aa267eed8334271d5205244195e",
"rev": "06aa4d5f488875b6af46e10b45b8000ed0906860",
"type": "github"
},
"original": {
@ -920,11 +922,11 @@
},
"nixpkgs_6": {
"locked": {
"lastModified": 1760284886,
"narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=",
"lastModified": 1763421233,
"narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43",
"rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648",
"type": "github"
},
"original": {
@ -936,11 +938,11 @@
},
"nixpkgs_7": {
"locked": {
"lastModified": 1759386674,
"narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=",
"lastModified": 1761880412,
"narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "625ad6366178f03acd79f9e3822606dd7985b657",
"rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
"type": "github"
},
"original": {
@ -952,11 +954,11 @@
},
"nixpkgs_8": {
"locked": {
"lastModified": 1760164275,
"narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=",
"lastModified": 1763191728,
"narHash": "sha256-esRhOS0APE6k40Hs/jjReXg+rx+J5LkWw7cuWFKlwYA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "362791944032cb532aabbeed7887a441496d5e6e",
"rev": "1d4c88323ac36805d09657d13a5273aea1b34f0c",
"type": "github"
},
"original": {
@ -968,11 +970,11 @@
},
"nixpkgs_9": {
"locked": {
"lastModified": 1758690382,
"narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
"lastModified": 1762977756,
"narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e643668fd71b949c53f8626614b21ff71a07379d",
"rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",
"type": "github"
},
"original": {
@ -1016,11 +1018,11 @@
"systems": "systems_5"
},
"locked": {
"lastModified": 1760153667,
"narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=",
"lastModified": 1762622004,
"narHash": "sha256-NpzzgaoMK8aRHnndHWbYNKLcZN0r1y6icCoJvGoBsoE=",
"owner": "notashelf",
"repo": "nvf",
"rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d",
"rev": "09470524a214ed26633ddc2b6ec0c9bf31a8b909",
"type": "github"
},
"original": {
@ -1039,11 +1041,11 @@
]
},
"locked": {
"lastModified": 1759321049,
"narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=",
"lastModified": 1762784320,
"narHash": "sha256-odsk96Erywk5hs0dhArF38zb7Oe0q6LZ70gXbxAPKno=",
"owner": "nix-community",
"repo": "plasma-manager",
"rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd",
"rev": "7911a0f8a44c7e8b29d031be3149ee8943144321",
"type": "github"
},
"original": {
@ -1080,11 +1082,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1760457219,
"narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=",
"lastModified": 1762860488,
"narHash": "sha256-rMfWMCOo/pPefM2We0iMBLi2kLBAnYoB9thi4qS7uk4=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46",
"rev": "2efc80078029894eec0699f62ec8d5c1a56af763",
"type": "github"
},
"original": {
@ -1102,11 +1104,11 @@
]
},
"locked": {
"lastModified": 1760495781,
"narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=",
"lastModified": 1759977258,
"narHash": "sha256-hOxEFSEBoqDmJb7BGX1CzT1gvUPK6r+Qs+n3IxBgfTs=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "11e0852a2aa3a65955db5824262d76933750e299",
"rev": "1d0c6173f57d07db7957b50e799240d4f2d7520f",
"type": "github"
},
"original": {
@ -1145,11 +1147,11 @@
]
},
"locked": {
"lastModified": 1760998189,
"narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
"lastModified": 1763264763,
"narHash": "sha256-N0BEoJIlJ+M6sWZJ8nnfAjGY9VLvM6MXMitRenmhBkY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
"rev": "882e56c8293e44d57d882b800a82f8b2ee7a858f",
"type": "github"
},
"original": {
@ -1163,11 +1165,11 @@
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1760393368,
"narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=",
"lastModified": 1763509310,
"narHash": "sha256-s2WzTAD3vJtPACBCZXezNUMTG/wC6SFsU9DxazB9wDI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437",
"rev": "3ee33c0ed7c5aa61b4e10484d2ebdbdc98afb03e",
"type": "github"
},
"original": {
@ -1195,11 +1197,11 @@
"tinted-zed": "tinted-zed"
},
"locked": {
"lastModified": 1760472212,
"narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=",
"lastModified": 1763497248,
"narHash": "sha256-OGP6MYc+lVkLVQOTS6ORszDcCnZm7kDOGpFBdDoLd0k=",
"owner": "nix-community",
"repo": "stylix",
"rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db",
"rev": "f19ac46f6aa26188b2020ed40066a5b832be9c53",
"type": "github"
},
"original": {
@ -1337,11 +1339,11 @@
"systems": "systems_8"
},
"locked": {
"lastModified": 1757278723,
"narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=",
"lastModified": 1762472226,
"narHash": "sha256-iVS4sxVgGn+T74rGJjEJbzx+kjsuaP3wdQVXBNJ79A0=",
"owner": "terranix",
"repo": "terranix",
"rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb",
"rev": "3b5947a48da5694094b301a3b1ef7b22ec8b19fc",
"type": "github"
},
"original": {
@ -1439,11 +1441,11 @@
]
},
"locked": {
"lastModified": 1761311587,
"narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
"lastModified": 1762938485,
"narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
"rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
"type": "github"
},
"original": {
@ -1460,11 +1462,11 @@
]
},
"locked": {
"lastModified": 1760466542,
"narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=",
"lastModified": 1763521945,
"narHash": "sha256-Zcrafbe4niRJMbzaVOwg7+iedJhwBFttre2DpyCC6qA=",
"owner": "0xc000022070",
"repo": "zen-browser-flake",
"rev": "3446bcbf5f46ecb18e82244888730c4983c30b22",
"rev": "24d7381b9231c23daceec5d372cc28e877f7785d",
"type": "github"
},
"original": {

38
lib/options/default.nix Normal file
View file

@ -0,0 +1,38 @@
{ lib, ...}:
let
inherit (builtins) isString typeOf;
inherit (lib) mkOption types throwIfNot concatStringsSep splitStringBy toLower map;
in
{
options = {
mkUrlOptions =
defaults:
{
host = mkOption {
type = types.str;
example = "host.tld";
description = ''
Hostname
'';
} // (defaults.host or {});
port = mkOption {
type = types.port;
default = 1234;
example = "1234";
description = ''
Port
'';
} // (defaults.port or {});
protocol = mkOption {
type = types.str;
default = "https";
example = "https";
description = ''
Which protocol to use when creating a url string
'';
} // (defaults.protocol or {});
};
};
}

26
lib/strings/default.nix
View file

@ -1,10 +1,15 @@
{ lib, ...}:
let
inherit (builtins) isString typeOf;
inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map;
inherit (builtins) isString typeOf match toString head;
inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map concatMapAttrsStringSep;
in
{
strings = {
#========================================================================================
# Converts a string to snake case
#
# simply replaces any uppercase letter to its lowercase variant preceeded by an underscore
#========================================================================================
toSnakeCase =
str:
throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" (
@ -13,5 +18,22 @@ in
|> map (p: toLower p)
|> concatStringsSep "_"
);
#========================================================================================
# Converts a set of url parts to a string
#========================================================================================
toUrl =
{ protocol ? null, host, port ? null, path ? null, query ? null, hash ? null }:
let
trim_slashes = str: str |> match "^\/*(.+?)\/*$" |> head;
encode_to_str = set: concatMapAttrsStringSep "&" (n: v: "${n}=${v}") set;
_protocol = if protocol != null then "${protocol}://" else "";
_port = if port != null then ":${toString port}" else "";
_path = if path != null then "/${path |> trim_slashes}" else "";
_query = if query != null then "?${query |> encode_to_str}" else "";
_hash = if hash != null then "#${hash |> encode_to_str}" else "";
in
"${_protocol}${host}${_port}${_path}${_query}${_hash}";
};
}

2
modules/home/themes/default.nix
View file

@ -52,7 +52,7 @@ in {
};
emoji = {
package = pkgs.noto-fonts-emoji;
package = pkgs.noto-fonts-color-emoji;
name = "Noto Color Emoji";
};
};

83
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -1,6 +1,6 @@
{ config, lib, pkgs, namespace, system, inputs, ... }:
let
inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs mapAttrs' concatMapAttrs concatMapStringsSep filterAttrsRecursive listToAttrs imap0 head drop length literalExpression attrNames;
inherit (lib.${namespace}.strings) toSnakeCase;
cfg = config.${namespace}.services.authentication.zitadel;
@ -140,6 +140,24 @@ in
.
'';
};
exportMap =
let
strOpt = mkOption { type = types.nullOr types.str; default = null; };
in
mkOption {
type = types.submodule { options = { client_id = strOpt; client_secret = strOpt; }; };
default = {};
example = literalExpression ''
{
client_id = "SSO_CLIENT_ID";
client_secret = "SSO_CLIENT_SECRET";
}
'';
description = ''
Remap the outputted variables to another key.
'';
};
};
});
};
@ -316,6 +334,16 @@ in
concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set
;
append = attrList: set: set // (listToAttrs attrList);
forEach = src: key: set:
let
_key = concatMapStringsSep "_" (k: "\${item.${k}}") key;
in
{
forEach = "{ for item in ${src} : \"${_key}\" => item }";
}
// set;
config' = config;
# this is a nix package, the generated json file to be exact
@ -336,6 +364,21 @@ in
jwt_profile_file = "/var/lib/zitadel/machine-key.json";
};
locals = {
extra_users = lib.tfRef "
flatten([ for org, users in jsondecode(file(\"${config'.sops.secrets."zitadel/users".path}\")): [
for name, details in users: {
org = org
name = name
email = details.email
firstName = details.firstName
lastName = details.lastName
}
] ])
";
orgs = cfg.organization |> mapAttrs (org: _: lib.tfRef "resource.zitadel_org.${org}.id");
};
resource = {
# Organizations
zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }:
@ -384,7 +427,9 @@ in
);
# Users
zitadel_human_user = cfg.organization |> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
zitadel_human_user =
cfg.organization
|> select [ "user" ] (org: name: { email, userName, firstName, lastName, ... }:
{
inherit email userName firstName lastName;
@ -392,7 +437,21 @@ in
}
|> withRef "org" org
|> toResource "${org}_${name}"
);
)
|> append
[
(forEach "local.extra_users" [ "org" "name" ] {
orgId = lib.tfRef "local.orgs[each.value.org]";
userName = lib.tfRef "each.value.name";
email = lib.tfRef "each.value.email";
firstName = lib.tfRef "each.value.firstName";
lastName = lib.tfRef "each.value.lastName";
isEmailVerified = true;
}
|> toResource "extraUsers")
]
;
# Global user roles
zitadel_instance_member =
@ -457,11 +516,11 @@ in
};
# Client credentials per app
local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: value:
local_sensitive_file = cfg.organization |> select [ "project" "application" ] (org: project: name: { exportMap, ... }:
nameValuePair "${org}_${project}_${name}" {
content = ''
CLIENT_ID=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"}
CLIENT_SECRET=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"}
${if exportMap.client_id != null then exportMap.client_id else "CLIENT_ID"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_id"}
${if exportMap.client_secret != null then exportMap.client_secret else "CLIENT_SECRET"}=${lib.tfRef "resource.zitadel_application_oidc.${org}_${project}_${name}.client_secret"}
'';
filename = "/var/lib/zitadel/clients/${org}_${project}_${name}";
}
@ -648,6 +707,18 @@ in
key = "email/chris_kruining_eu";
restartUnits = [ "zitadel.service" ];
};
"zitadel/users" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadelApplyTerraform.service" ];
};
};
templates = {
"users.yml" = {
};
};
};
};

13
modules/nixos/services/backup/borg/default.nix
View file

@ -10,13 +10,22 @@ in
};
config = mkIf cfg.enable {
programs.ssh.extraConfig = ''
Host beheer.hazelhof.nl
Port 222
User chris
AddressFamily inet
IdentityFile /home/chris/.ssh/id_ed25519
'';
services = {
borgbackup.jobs = {
media = {
paths = "/var/media/test";
encryption.mode = "none";
environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4";
repo = "ssh://chris@beheer.hazelhof.nl:222/media";
# environment.BORG_SSH = "ssh -4 -i /home/chris/.ssh/id_ed25519";
environment.BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
repo = "ssh://beheer.hazelhof.nl//media";
compression = "auto,zstd";
startAt = "daily";
};

2
modules/nixos/services/development/forgejo/default.nix
View file

@ -144,7 +144,7 @@ in
openssh.settings.AllowUsers = [ "forgejo" ];
gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = "default";

204
modules/nixos/services/media/default.nix
View file

@ -1,9 +1,11 @@
{ pkgs, lib, namespace, config, ... }:
{ pkgs, lib, namespace, config, inputs, system, ... }:
let
inherit (lib) mkIf mkEnableOption mkOption;
inherit (lib.types) str;
cfg = config.${namespace}.services.media;
arr = ["radarr" ];
in
{
options.${namespace}.services.media = {
@ -60,47 +62,48 @@ in
"d '${cfg.path}/reiverr/config' 0700 ${cfg.user} ${cfg.group} - -"
"d '${cfg.path}/downloads/incomplete' 0700 ${cfg.user} ${cfg.group} - -"
"d '${cfg.path}/downloads/done' 0700 ${cfg.user} ${cfg.group} - -"
"d /var/lib/radarrApplyTerraform 0755 ${cfg.user} ${cfg.group} -"
];
#=========================================================================
# Services
#=========================================================================
services = let
arrService = {
arr-services =
arr
|> lib.imap (i: service: {
name = service;
value = {
enable = true;
openFirewall = true;
environmentFiles = [
config.sops.templates."${service}/config.env".path
];
settings = {
auth.AuthenticationMethod = "External";
};
auth.authenticationMethod = "External";
server = {
bindaddress = "0.0.0.0";
port = 2000 + i;
};
withPort = port: service: service // { settings.server.Port = builtins.toString port; };
withUserAndGroup = service: service // {
user = cfg.user;
group = cfg.group;
postgres = {
host = "localhost";
port = "5432";
user = service;
maindb = service;
logdb = service;
};
in {
radarr =
arrService
|> withPort 2001
|> withUserAndGroup;
sonarr =
arrService
|> withPort 2002
|> withUserAndGroup;
lidarr =
arrService
|> withPort 2003
|> withUserAndGroup;
prowlarr =
arrService
|> withPort 2004;
};
}
// (if service != "prowlarr" then { user = cfg.user; group = cfg.group; } else {});
})
|> lib.listToAttrs
;
in
arr-services // {
bazarr = {
enable = true;
openFirewall = true;
@ -146,6 +149,19 @@ in
group = cfg.group;
};
postgresql =
let
databases = arr |> lib.concatMap (s: [ s "${s}-log" ]);
in
{
enable = true;
ensureDatabases = arr;
ensureUsers = arr |> lib.map (service: {
name = service;
ensureDBOwnership = true;
});
};
caddy = {
enable = true;
virtualHosts = {
@ -156,6 +172,136 @@ in
};
};
systemd.services.radarrApplyTerraform =
let
# this is a nix package, the generated json file to be exact
terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system;
modules = [
({ config, lib, ... }: {
config = {
variable = {
api_key = {
type = "string";
description = "Radarr api key";
};
};
terraform.required_providers.radarr = {
source = "devopsarr/radarr";
version = "2.2.0";
};
provider.radarr = {
url = "http://127.0.0.1:2001";
api_key = lib.tfRef "var.api_key";
};
resource = {
radarr_root_folder.local = {
path = "/var/media/movies";
};
};
};
})
];
};
in
{
description = "Radarr terraform apply";
wantedBy = [ "multi-user.target" ];
wants = [ "radarr.service" ];
script = ''
#!/usr/bin/env bash
if [ "$(systemctl is-active radarr)" != "active" ]; then
echo "Radarr is not running"
exit 1
fi
# Sleep for a bit to give radarr the chance to start up
sleep 5s
# Print the path to the source for easier debugging
echo "config location: ${terraformConfiguration}"
# Copy infra code into workspace
cp -f ${terraformConfiguration} config.tf.json
# Initialize OpenTofu
${lib.getExe pkgs.opentofu} init
# Run the infrastructure code
# ${lib.getExe pkgs.opentofu} plan -var-file='${config.sops.templates."radarr/config.tfvars".path}'
${lib.getExe pkgs.opentofu} apply -auto-approve -var-file='${config.sops.templates."radarr/config.tfvars".path}'
'';
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = "/var/lib/radarrApplyTerraform";
EnvironmentFile = [
config.sops.templates."radarr/config.env".path
];
};
};
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
sops = {
secrets =
arr
|> lib.map (service: {
name = "${service}/apikey";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = [ "${service}.service" ];
};
})
|> lib.listToAttrs
;
templates =
let
apikeys =
arr
|> lib.map (service: {
name = "${service}/config.env";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = [ "${service}.service" ];
content = ''
${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}"
'';
};
})
|> lib.listToAttrs;
tfvars =
arr
|> lib.map(service: {
name = "${service}/config.tfvars";
value = {
owner = cfg.user;
group = cfg.group;
restartUnits = [ "${service}ApplyTerraform.service" ];
content = ''
api_key = "${config.sops.placeholder."${service}/apikey"}"
'';
};
})
|> lib.listToAttrs;
in
apikeys // tfvars
;
};
};
}

8
modules/nixos/services/media/homer/default.nix
View file

@ -103,7 +103,7 @@ in
type = "Radarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}";
url = "http://${config.networking.hostName}:2001";
target = "_blank";
}
@ -112,7 +112,7 @@ in
type = "Sonarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}";
url = "http://${config.networking.hostName}:2002";
target = "_blank";
}
@ -121,7 +121,7 @@ in
type = "Lidarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}";
url = "http://${config.networking.hostName}:2003";
target = "_blank";
}
@ -130,7 +130,7 @@ in
type = "Prowlarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}";
url = "http://${config.networking.hostName}:2004";
target = "_blank";
}

214
modules/nixos/services/media/servarr/default.nix Normal file
View file

@ -0,0 +1,214 @@
{ pkgs, config, lib, namespace, inputs, system, ... }:
let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.${namespace}.services.media.servarr;
in
{
options.${namespace}.services.media = {
servarr = mkOption {
type = types.attrsOf (types.submodule ({ name, ... }: {
options = {
enable = mkEnableOption "Enable ${name}";
debug = mkEnableOption "Use tofu plan instead of tofu apply for ${name} ";
port = mkOption {
type = types.port;
};
rootFolders = mkOption {
type = types.listOf types.str;
default = [];
};
};
}));
default = {};
};
};
config = {
services =
cfg
|> lib.mapAttrsToList (service: { enable, port, ... }: (mkIf enable {
"${service}" = {
enable = true;
openFirewall = true;
environmentFiles = [
config.sops.templates."${service}/config.env".path
];
settings = {
auth.authenticationMethod = "External";
server = {
bindaddress = "0.0.0.0";
port = port;
};
postgres = {
host = "localhost";
port = "5432";
user = service;
maindb = service;
logdb = service;
};
};
};
}))
|> lib.mergeAttrsList
|> (set: set // {
postgres = {
ensureDatabases = cfg |> lib.attrNames;
ensureUsers = cfg |> lib.attrNames |> lib.map (service: {
name = service;
ensureDBOwnership = true;
});
};
})
;
systemd =
cfg
|> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable {
tmpfiles.rules = [
"d /var/lib/${service}ApplyTerraform 0755 ${service} ${service} -"
];
services."${service}ApplyTerraform" =
let
terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system;
modules = [
({ config, lib, ... }: {
config = {
variable = {
api_key = {
type = "string";
description = "${service} api key";
};
};
terraform.required_providers.${service} = {
source = "devopsarr/${service}";
version = "2.2.0";
};
provider.${service} = {
url = "http://127.0.0.1:${toString port}";
api_key = lib.tfRef "var.api_key";
};
resource = {
"${service}_root_folder" =
rootFolders
|> lib.imap (i: f: lib.nameValuePair "local${toString i}" { path = f; })
|> lib.listToAttrs
;
};
};
})
];
};
in
{
description = "${service} terraform apply";
wantedBy = [ "multi-user.target" ];
wants = [ "${service}.service" ];
script = ''
#!/usr/bin/env bash
# Sleep for a bit to give the service a chance to start up
sleep 5s
if [ "$(systemctl is-active ${service})" != "active" ]; then
echo "${service} is not running"
exit 1
fi
# Print the path to the source for easier debugging
echo "config location: ${terraformConfiguration}"
# Copy infra code into workspace
cp -f ${terraformConfiguration} config.tf.json
# Initialize OpenTofu
${lib.getExe pkgs.opentofu} init
# Run the infrastructure code
${lib.getExe pkgs.opentofu} \
${if debug then "plan" else "apply -auto-approve"} \
-var-file='${config.sops.templates."${service}/config.tfvars".path}'
'';
serviceConfig = {
Type = "oneshot";
User = service;
Group = service;
WorkingDirectory = "/var/lib/${service}ApplyTerraform";
EnvironmentFile = [
config.sops.templates."${service}/config.env".path
];
};
};
}))
|> lib.mergeAttrsList
;
users.users =
cfg
|> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable {
"${service}".extraGroups = [ "media" ];
}))
|> lib.mergeAttrsList
;
sops =
cfg
|> lib.mapAttrsToList (service: { enable, ... }: (mkIf enable {
secrets."${service}/apikey" = {
owner = service;
group = service;
restartUnits = [ "${service}.service" ];
};
templates = {
"${service}/config.env" = {
owner = service;
group = service;
restartUnits = [ "${service}.service" ];
content = ''
${lib.toUpper service}__AUTH__APIKEY="${config.sops.placeholder."${service}/apikey"}"
'';
};
"${service}/config.tfvars" = {
owner = service;
group = service;
restartUnits = [ "${service}.service" ];
content = ''
api_key = "${config.sops.placeholder."${service}/apikey"}"
'';
};
};
}))
|> lib.mergeAttrsList
;
};
# cfg
# |> lib.mapAttrsToList (service: { enable, debug, port, rootFolders, ... }: (mkIf enable {
# # sops = {
# # };
# }))
# |> lib.mergeAttrsList
# ;
}

25
modules/nixos/services/observability/uptime-kuma/default.nix Normal file
View file

@ -0,0 +1,25 @@
{ pkgs, config, lib, namespace, ... }:
let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.observability.uptime-kuma;
in
{
options.${namespace}.services.observability.uptime-kuma = {
enable = mkEnableOption "enable uptime kuma";
};
config = mkIf cfg.enable {
services.uptime-kuma = {
enable = true;
settings = {
PORT = toString 9006;
HOST = "0.0.0.0";
};
};
networking.firewall.allowedTCPPorts = [ 9006 ];
};
}

138
modules/nixos/services/security/vaultwarden/default.nix
View file

@ -1,13 +1,87 @@
{ pkgs, config, lib, namespace, ... }:
let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption;
inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep;
cfg = config.${namespace}.services.security.vaultwarden;
databaseProviderSqlite = types.submodule ({ ... }: {
options = {
type = mkOption {
type = types.enum [ "sqlite" ];
};
file = mkOption {
type = types.str;
description = '''';
};
};
});
databaseProviderPostgresql = types.submodule ({ ... }:
let
urlOptions = lib.${namespace}.options.mkUrlOptions {
host = {
description = ''
Hostname of the postgresql server
'';
};
port = {
default = 5432;
example = "5432";
description = ''
Port of the postgresql server
'';
};
protocol = mkOption {
default = "postgres";
example = "postgres";
};
};
in
{
options = {
type = mkOption {
type = types.enum [ "postgresql" ];
};
sslMode = mkOption {
type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ];
default = "verify-full";
example = "verify-ca";
description = ''
How to verify the server's ssl
| mode | eavesdropping protection | MITM protection | Statement |
|-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. |
| allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. |
| prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. |
| require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. |
| verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. |
| verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. |
[Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS)
'';
};
} // (urlOptions |> getAttrs [ "protocol" "host" "port" ]);
});
in
{
options.${namespace}.services.security.vaultwarden = {
enable = mkEnableOption "enable vaultwarden";
database = mkOption {
type = types.oneOf [
(types.addCheck databaseProviderSqlite (x: x ? type && x.type == "sqlite"))
(types.addCheck databaseProviderPostgresql (x: x ? type && x.type == "postgresql"))
null
];
default = null;
description = '''';
};
};
config = mkIf cfg.enable {
@ -15,6 +89,8 @@ in
"d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
];
# systemd.services.vaultwarden.wants = [ "zitadelApplyTerraform.service" ];
services = {
vaultwarden = {
enable = true;
@ -26,8 +102,6 @@ in
SIGNUPS_ALLOWED = false;
DOMAIN = "https://vault.kruining.eu";
ADMIN_TOKEN = "";
DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";
WEB_VAULT_ENABLED = true;
@ -41,9 +115,6 @@ in
SSO_ORGANIZATIONS_REVOCATION = true;
SSO_AUTHORITY = "https://auth.kruining.eu/";
SSO_SCOPES = "email profile offline_access";
SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
SSO_CLIENT_ID = "335178854421299459";
SSO_CLIENT_SECRET = "";
ROCKET_ADDRESS = "::1";
ROCKET_PORT = 8222;
@ -53,10 +124,14 @@ in
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_USERNAME = "chris@kruining.eu";
SMTP_PASSWORD = "";
SMTP_FROM = "chris@kruining.eu";
SMTP_FROM_NAME = "Chris' Vaultwarden";
};
environmentFile = [
"/var/lib/zitadel/clients/nix_ulmo_vaultwarden"
config.sops.templates."vaultwarden/config.env".path
];
};
postgresql = {
@ -89,5 +164,54 @@ in
};
};
};
sops = {
secrets = {
"vaultwarden/email" = {
owner = config.users.users.vaultwarden.name;
group = config.users.users.vaultwarden.name;
key = "email/chris_kruining_eu";
restartUnits = [ "vaultwarden.service" ];
};
};
templates = {
"vaultwarden/config.env" = {
content = ''
SMTP_PASSWORD='${config.sops.placeholder."vaultwarden/email"}';
'';
owner = config.users.users.vaultwarden.name;
group = config.users.groups.vaultwarden.name;
};
temp-db-output.content =
let
config =
cfg.database
|> ({ type, ... }@db:
if type == "sqlite" then
{ inherit (db) type file; }
else if type == "postgresql" then
{
inherit (db) type;
url = lib.${namespace}.strings.toUrl {
inherit (db) protocol host port;
path = "vaultwarden";
query = {
sslmode = db.sslMode;
};
};
}
else
{}
)
|> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}")
;
in
''
# GENERATED VALUES
${config}
'';
};
};
};
}

2
shells/default/default.nix
View file

@ -5,6 +5,8 @@ mkShell {
bash
sops
just
yq
pwgen
inputs.clan-core.packages.x86_64-linux.clan-cli
];
}

53
systems/x86_64-linux/ulmo/default.nix
View file

@ -95,6 +95,16 @@
responseTypes = [ "code" ];
};
vaultwarden = {
redirectUris = [ "https://vault.kruining.eu/identity/connect/oidc-signin" ];
grantTypes = [ "authorizationCode" ];
responseTypes = [ "code" ];
exportMap = {
client_id = "SSO_CLIENT_ID";
client_secret = "SSO_CLIENT_SECRET";
};
};
matrix = {
redirectUris = [ "https://matrix.kruining.eu/_synapse/client/oidc/callback" ];
grantTypes = [ "authorizationCode" ];
@ -137,15 +147,56 @@
media.enable = true;
media.homer.enable = true;
media.nfs.enable = true;
media.servarr = {
# radarr = {
# port = 2001;
# };
sonarr = {
enable = true;
# debug = true;
port = 2002;
rootFolders = [
"/var/media/series"
];
};
lidarr = {
enable = true;
debug = true;
port = 2003;
rootFolders = [
"/var/media/music"
];
};
prowlarr = {
enable = true;
debug = true;
port = 2004;
};
};
observability = {
grafana.enable = true;
prometheus.enable = true;
loki.enable = true;
promtail.enable = true;
# uptime-kuma.enable = true;
};
security.vaultwarden.enable = true;
security.vaultwarden = {
enable = true;
database = {
# type = "sqlite";
# file = "/var/lib/vaultwarden/state.db";
type = "postgresql";
host = "localhost";
port = 5432;
sslMode = "disabled";
};
};
};
editor = {

15
systems/x86_64-linux/ulmo/secrets.yml
View file

@ -3,11 +3,22 @@ email:
info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str]
zitadel:
masterKey: ENC[AES256_GCM,data:4MPvBo407qrS7NF4oUTf84tZoPkSRmiHdD7qpkYeHME=,iv:H2NIAN0xBUDqnyco9gA3zYAsKtSeA/JpqYrPhc1eqc0=,tag:6OFGDfsucG5gDerImgpuXA==,type:str]
nix: {}
users: ENC[AES256_GCM,data:xkjm0+PBt6gmZyfi3n3OIEe5b+d4OtN0Y3UfmdcbcJHbJZuiz+60oUjlAN0vjtsi0muufoAqtGJTIpm9nDZzzN7b7LK43TAhcuSlIm5LpbZFp1U3H4laRbTwauAT6wA0aDCfAkwTozxAuEUk1jAu+65ktJNJb7b0PR7s/I/wf7IgW2+K4Jv3LIOZIipUwfuvXuTzsxCElYRvGZXmIuXrYq1EaymksHHggemrKeMWLAae7mzz5v3aBbwxiVjQNkQkS4ApsO/5nZUat0oqXA==,iv:fptZn4NmX3iYKSEPLJAOFpt+KQ6TR1w9KaY9IF4p/Wk=,tag:UKvMOSIT5/mhfZA3usbLhQ==,type:str]
forgejo:
action_runner_token: ENC[AES256_GCM,data:yJ6OnRq5kinbuhvH06K5o3l86EafuBoojMwg/qhP+cgeH+BwPeE+Ng==,iv:IeXJahPxgLNIUFmkgp495tLVh8UyQBmJ2SnVEUhlhHs=,tag:XYQi613CxSp8AQeilJMrsg==,type:str]
synapse:
oidc_id: ENC[AES256_GCM,data:XbCpyGq0LeRJWq8dv/5Dipvp,iv:YDhgl26z1NBbIQLoLdGVz0+ze6o1ZcmgVHPfwoRj57I=,tag:y2vUuqnDmtTvVQmZCAlnLg==,type:str]
oidc_secret: ENC[AES256_GCM,data:nVFi5EFbNMZ0mvrDHVYC0NiwJlo2eEw44D+Fcv9SKSb2oO00lGEDkP/oXDj5YgDq6RLQSe3f/SUOn77ntwnZYg==,iv:awe7VNUYOn9ofl1QlQTrEN5d0i5WkVM35qndruL4VXo=,tag:8Yoc9lFF9aWbtAa5fzQGEA==,type:str]
kaas: ENC[AES256_GCM,data:3yI6lH0rw+f2OFJ94Z7zb0pYwy4FDFs9rJi2wpd9VVWghmey5g4O788ypXa34XqKCQDDHDgTxwyDs6KpvCQQaLV1PDhXd4Po0SSlIOkUtCWhOf6Tp3PM2ASoE+AAAzJLJUc6AZdBJRyYU9V+UvO9jW+WmlpZpsg5crnVMzZo7f2AF0ep9A/A5BL1Y2UhYQE4LDVkLC9AL3hl8IhF5xSdZdO0ugrP0x7CKVUxA7fJyOjx7/IKVwvgKD4xlhIgv9lYPTvE2vUs+w==,iv:e6b98ZnBqf7hh3SSKGdTl63OpQm1oK95lHXdwTiLft8=,tag:IS/lDgvJvSd7OmDLP+uG1g==,type:str]
radarr:
apikey: ENC[AES256_GCM,data:G141GW4PyS5pbAV39HcVscMw3s30txOgTZzWaL7o+ccZfnfDLv796O6xKXdqGZ8saLsveghLw9Z6a5luusHyQ3Q5ESL6W7SVeZVTuSqSC3i/4jl75FJxhnsgVsfrnYxzLGpKiw==,iv:sZl/XLh6y3WgSAn6nH3sFB6atBifZdghm+QsCNDbcjY=,tag:Tw+R80nrF0T0yDti0Uf+ig==,type:str]
sonarr:
apikey: ENC[AES256_GCM,data:s8bgDJ+LpIH1Mt3KSiIKB8LnxztOkHdc8J6+50o+HoDUAfIIsZkA2oX/m7UecrTSRi6ay8D9yjhe6ZwSNXhJh6wQqTS7gZWn8f6QfrfI+8DKdc9enh91suQxjkz8Q+wnKK0zBg==,iv:LmAe6v+6ItVnHB6gko6mhiGOuVBksBYP4dXfbxpAIPE=,tag:DZ8kwOwaWwWTGWEGu5S0Kg==,type:str]
lidarr:
apikey: ENC[AES256_GCM,data:I2eKaxidmxem7C7ukmyIfwASNqrkS4vEOiCcU5kSNY6DR0pXsYg0PBdgu8vzK6llbXODLdG5t55BordIWvVRJGAauo0FMvtp59NSNpza7cK68tdKGvNefD6bqhUIR06BY11niQ==,iv:48AD7cd17TlWY5yAagepLOIVwgxhD/d13Pnup6GsWDA=,tag:teOVtW8opE99hqAXQwvlrA==,type:str]
prowlarr:
apikey: ENC[AES256_GCM,data:pyZ2WGEs/PlIdhDsQq2TPGJbplkd5fLF0ZkBjITqIJlnAzYHb+rl+KOM4rHqQcI6yAJM8X1Y3ymGrD7vG7GiRxB7yoEG13SKhZIWOddTnxIhbkz81RfrL2fUJIydOaP6sS//9Q==,iv:Tr6MWoC6nC7rdVTOjT1T2itT+lVL4GnUiAr5/+IHAs0=,tag:keIJNuGeVht8+xSN3FnBGA==,type:str]
sops:
age:
- recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
@ -28,7 +39,7 @@ sops:
TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-03T15:23:12Z"
mac: ENC[AES256_GCM,data:XJW6H5FTjkGhbXtiGvscfm5W+04OqtUmYPrrzfZ5brNRviYiikwKR4OB2yFFNmRpMxseWOy+3a4Nk+/oTqJ4ycBIlatzoL3GxwfysLi6f5+Qtdjr+EG4MzZRaQobJ9NXjB6pAYGBe5OxDMvHHOuhv5lMI9SFsNzdIHzFRLQv0QQ=,iv:UUZzsyqnJG/eZktkRrnPhC5DYB3MeACh7ldx/k9+ZDk=,tag:42cI9dvQowQzeqkqFvzUGQ==,type:str]
lastmodified: "2025-11-19T09:51:26Z"
mac: ENC[AES256_GCM,data:pMMkxHPochpI8si/oHhU7MHqC1JjNhMP7HCRNQQEkwBQI489xiC02t+qUwpmG4oIheqi8lEcZPpL4t9HzRN9sZImaI2LrJn3cHFojHzXzo7FPfvfUilZe1+JXLfm+wn+bflAEutIcfDiZc/MjiKOxRHwZy5Pr41Mj6uPIUr62zk=,iv:GwvMVgJ6m1DQcRZMVzshbuMK/Kx8vE8Ym83KbxuvYRg=,tag:wVSol9LDRzoFjQppB8J9gA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0