chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: chris:e3238aa60cfa9440249fcdb2ab1b0d4485251fe2
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere
..
compare: chris:5668e1048da9153d17336616c8bcc93fe4ad1911
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere

No commits in common. "e3238aa60cfa9440249fcdb2ab1b0d4485251fe2" and "5668e1048da9153d17336616c8bcc93fe4ad1911" have entirely different histories.
e3238aa60c ... 5668e1048d

12 changed files with 94 additions and 294 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.envrc
View file

@ -1,2 +0,0 @@
# shellcheck shell=bash
use flake

1
.just/machine.just
View file

@ -4,7 +4,6 @@
@list:
ls -1 ../systems/x86_64-linux/
[no-exit-message]
[doc('Update the target machine')]
@update machine:
just assert '-d "../systems/x86_64-linux/{{ machine }}"' "Machine {{ machine }} does not exist, must be one of: $(ls ../systems/x86_64-linux/ | tr '\n' ' ')"

4
.just/vars.just
View file

@ -16,7 +16,7 @@ list machine:
{{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done"
@ -27,6 +27,6 @@ list machine:
{{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'chore(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done"

229
flake.lock generated
View file

@ -68,81 +68,6 @@
"type": "github"
}
},
"clan-core": {
"inputs": {
"data-mesher": "data-mesher",
"disko": "disko",
"flake-parts": "flake-parts",
"nix-darwin": "nix-darwin",
"nix-select": "nix-select",
"nixos-facter-modules": "nixos-facter-modules",
"nixpkgs": [
"nixpkgs"
],
"sops-nix": "sops-nix",
"systems": "systems",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1762254206,
"narHash": "sha256-ZyQUrUSuIUZRmMPzeCXI4vDFhHOLNtGUMBaHXCD6nEQ=",
"rev": "43a7652624e76d60a93325c711d01620801d4382",
"type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/clan-core/archive/43a7652624e76d60a93325c711d01620801d4382.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.clan.lol/clan/clan-core/archive/main.tar.gz"
}
},
"data-mesher": {
"inputs": {
"flake-parts": [
"clan-core",
"flake-parts"
],
"nixpkgs": [
"clan-core",
"nixpkgs"
],
"treefmt-nix": [
"clan-core",
"treefmt-nix"
]
},
"locked": {
"lastModified": 1760612273,
"narHash": "sha256-pP/bSqUHubxAOTI7IHD5ZBQ2Qm11Nb4pXXTPv334UEM=",
"rev": "0099739c78be750b215cbdefafc9ba1533609393",
"type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/0099739c78be750b215cbdefafc9ba1533609393.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.clan.lol/clan/data-mesher/archive/main.tar.gz"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1761899396,
"narHash": "sha256-XOpKBp6HLzzMCbzW50TEuXN35zN5WGQREC7n34DcNMM=",
"owner": "nix-community",
"repo": "disko",
"rev": "6f4cf5abbe318e4cd1e879506f6eeafd83f7b998",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"erosanix": {
"inputs": {
"flake-compat": "flake-compat",
@ -299,27 +224,6 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1762040540,
"narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "0010412d62a25d959151790968765a70c436598b",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nvf",
@ -340,7 +244,7 @@
"type": "github"
}
},
"flake-parts_3": {
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"stylix",
@ -361,7 +265,7 @@
"type": "github"
}
},
"flake-parts_4": {
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"terranix",
@ -384,7 +288,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
@ -421,7 +325,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
@ -439,7 +343,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
@ -457,7 +361,7 @@
},
"flake-utils_4": {
"inputs": {
"systems": "systems_6"
"systems": "systems_5"
},
"locked": {
"lastModified": 1694529238,
@ -660,27 +564,6 @@
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1762186368,
"narHash": "sha256-dzLBZKccS0jMefj+WAYwsk7gKDluqavC7I4KfFwVh8k=",
"owner": "nix-darwin",
"repo": "nix-darwin",
"rev": "69921864a70b58787abf5ba189095566c3f0ffd3",
"type": "github"
},
"original": {
"owner": "nix-darwin",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
@ -723,19 +606,6 @@
"type": "github"
}
},
"nix-select": {
"locked": {
"lastModified": 1755887746,
"narHash": "sha256-lzWbpHKX0WAn/jJDoCijIDss3rqYIPawe46GDaE6U3g=",
"rev": "92c2574c5e113281591be01e89bb9ddb31d19156",
"type": "tarball",
"url": "https://git.clan.lol/api/v1/repos/clan/nix-select/archive/92c2574c5e113281591be01e89bb9ddb31d19156.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.clan.lol/clan/nix-select/archive/main.tar.gz"
}
},
"nixlib": {
"locked": {
"lastModified": 1736643958,
@ -766,21 +636,6 @@
"type": "github"
}
},
"nixos-facter-modules": {
"locked": {
"lastModified": 1761137276,
"narHash": "sha256-4lDjGnWRBLwqKQ4UWSUq6Mvxu9r8DSqCCydodW/Jsi8=",
"owner": "nix-community",
"repo": "nixos-facter-modules",
"rev": "70bcd64225d167c7af9b475c4df7b5abba5c7de8",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-facter-modules",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
@ -1010,10 +865,10 @@
"nvf": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-parts": "flake-parts_2",
"flake-parts": "flake-parts",
"mnw": "mnw",
"nixpkgs": "nixpkgs_7",
"systems": "systems_5"
"systems": "systems_4"
},
"locked": {
"lastModified": 1760153667,
@ -1054,7 +909,6 @@
},
"root": {
"inputs": {
"clan-core": "clan-core",
"erosanix": "erosanix",
"fenix": "fenix",
"firefox": "firefox",
@ -1071,7 +925,7 @@
"nvf": "nvf",
"plasma-manager": "plasma-manager",
"snowfall-lib": "snowfall-lib",
"sops-nix": "sops-nix_2",
"sops-nix": "sops-nix",
"stylix": "stylix",
"terranix": "terranix",
"zen-browser": "zen-browser"
@ -1138,27 +992,6 @@
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1760998189,
"narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"sops-nix_2": {
"inputs": {
"nixpkgs": "nixpkgs_8"
},
@ -1183,11 +1016,11 @@
"base16-helix": "base16-helix",
"base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme",
"flake-parts": "flake-parts_3",
"flake-parts": "flake-parts_2",
"gnome-shell": "gnome-shell",
"nixpkgs": "nixpkgs_9",
"nur": "nur",
"systems": "systems_7",
"systems": "systems_6",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
@ -1313,28 +1146,13 @@
"type": "github"
}
},
"systems_8": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"terranix": {
"inputs": {
"flake-parts": "flake-parts_4",
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_8"
"systems": "systems_7"
},
"locked": {
"lastModified": 1757278723,
@ -1431,27 +1249,6 @@
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"clan-core",
"nixpkgs"
]
},
"locked": {
"lastModified": 1761311587,
"narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"zen-browser": {
"inputs": {
"home-manager": "home-manager_2",

9
flake.nix
View file

@ -83,11 +83,6 @@
url = "github:terranix/terranix";
inputs.nixpkgs.follows = "nixpkgs";
};
clan-core = {
url = "https://git.clan.lol/clan/clan-core/archive/main.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = inputs: inputs.snowfall-lib.mkFlake {
@ -124,10 +119,6 @@
flux.overlays.default
];
systems.modules = with inputs; [
clan-core.nixosModules.default
];
homes.modules = with inputs; [
stylix.homeModules.stylix
plasma-manager.homeModules.plasma-manager

78
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -1,6 +1,6 @@
{ config, lib, pkgs, namespace, system, inputs, ... }:
let
inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs filterAttrsRecursive listToAttrs imap0 head drop length;
inherit (lib) mkIf mkEnableOption mkOption types toUpper toSentenceCase nameValuePair mapAttrs' concatMapAttrs concatMap listToAttrs imap0 getAttrs getAttr hasAttr typeOf head drop length;
inherit (lib.${namespace}.strings) toSnakeCase;
cfg = config.${namespace}.services.authentication.zitadel;
@ -340,7 +340,7 @@ in
# Organizations
zitadel_org = cfg.organization |> select [] (name: { isDefault, ... }:
{ inherit name isDefault; }
|> toResource name
|> toResource name
);
# Projects per organization
@ -348,8 +348,8 @@ in
{
inherit name hasProjectCheck privateLabelingSetting projectRoleAssertion projectRoleCheck;
}
|> withRef "org" org
|> toResource "${org}_${name}"
|> withRef "org" org
|> toResource "${org}_${name}"
);
# Each OIDC app per project
@ -361,26 +361,26 @@ in
idTokenRoleAssertion = true;
accessTokenType = "JWT";
}
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}"
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}"
);
# Each project role
zitadel_project_role = cfg.organization |> select [ "project" "role" ] (org: project: name: value:
{ inherit (value) displayName group; roleKey = name; }
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}"
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> toResource "${org}_${project}_${name}"
);
# Each project role assignment
zitadel_user_grant = cfg.organization |> select [ "project" "assign" ] (org: project: user: roles:
{ roleKeys = roles; }
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> withRef "user" "${org}_${user}"
|> toResource "${org}_${project}_${user}"
|> withRef "org" org
|> withRef "project" "${org}_${project}"
|> withRef "user" "${org}_${user}"
|> toResource "${org}_${project}_${user}"
);
# Users
@ -390,30 +390,24 @@ in
isEmailVerified = true;
}
|> withRef "org" org
|> toResource "${org}_${name}"
|> withRef "org" org
|> toResource "${org}_${name}"
);
# Global user roles
zitadel_instance_member =
cfg.organization
|> filterAttrsRecursive (n: v: !(v ? "instanceRoles" && (length v.instanceRoles) == 0))
|> select [ "user" ] (org: name: { instanceRoles, ... }:
{ roles = instanceRoles; }
zitadel_instance_member = cfg.organization |> select [ "user" ] (org: name: value:
{ roles = value.instanceRoles; }
|> withRef "user" "${org}_${name}"
|> toResource "${org}_${name}"
);
);
# Organazation specific roles
zitadel_org_member =
cfg.organization
|> filterAttrsRecursive (n: v: !(v ? "roles" && (length v.roles) == 0))
|> select [ "user" ] (org: name: { roles, ... }:
{ inherit roles; }
zitadel_org_member = cfg.organization |> select [ "user" ] (org: name: { roles, ... }:
{ inherit roles; }
|> withRef "org" org
|> withRef "user" "${org}_${name}"
|> toResource "${org}_${name}"
);
);
# Organazation's actions
zitadel_action = cfg.organization |> select [ "action" ] (org: name: { timeout, allowedToFail, script, ...}:
@ -422,27 +416,25 @@ in
timeout = "${toString timeout}s";
script = "const ${name} = ${script}";
}
|> withRef "org" org
|> toResource "${org}_${name}"
|> withRef "org" org
|> toResource "${org}_${name}"
);
# Organazation's action assignments
zitadel_trigger_actions =
cfg.organization
zitadel_trigger_actions = cfg.organization
|> concatMapAttrs (org: { triggers, ... }:
triggers
|> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in
{
inherit flowType triggerType;
|> imap0 (i: { flowType, triggerType, actions, ... }: (let name = "trigger_${toString i}"; in
{
inherit flowType triggerType;
actionIds =
actions
|> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id"));
}
|> withRef "org" org
|> toResource "${org}_${name}"
))
|> listToAttrs
actionIds = actions
|> map (action: (lib.tfRef "zitadel_action.${org}_${toSnakeCase action}.id"));
}
|> withRef "org" org
|> toResource "${org}_${name}"
))
|> listToAttrs
);
# SMTP config

2
modules/nixos/services/backup/borg/default.nix
View file

@ -16,7 +16,7 @@ in
paths = "/var/media/test";
encryption.mode = "none";
environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4";
repo = "ssh://chris@beheer.hazelhof.nl:222/media";
repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media";
compression = "auto,zstd";
startAt = "daily";
};

9
modules/nixos/services/communication/matrix/default.nix
View file

@ -46,8 +46,8 @@ in
precence.enabled = true;
# Since we'll be using OIDC for auth disable all local options
enable_registration = false;
enable_registration_without_verification = false;
enable_registration = true;
enable_registration_without_verification = true;
password_config.enabled = false;
backchannel_logout_enabled = true;
@ -186,11 +186,6 @@ in
- profile
client_id: '${config.sops.placeholder."synapse/oidc_id"}'
client_secret: '${config.sops.placeholder."synapse/oidc_secret"}'
backchannel_logout_enabled: true
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name }}"
'';
restartUnits = [ "matrix-synapse.service" ];
};

2
modules/nixos/services/development/forgejo/default.nix
View file

@ -121,7 +121,7 @@ in
};
mirror = {
ENABLED = true;
ENABLED = false;
};
session = {

39
modules/nixos/services/media/default.nix
View file

@ -72,6 +72,12 @@ in
settings = {
auth.AuthenticationMethod = "External";
# postgres = {
# PostgresHost = "localhost";
# PostgresPort = "5432";
# PostgresUser = "media";
# };
};
};
@ -146,6 +152,39 @@ in
group = cfg.group;
};
# postgresql = {
# enable = true;
# ensureDatabases = [
# "radarr-main" "radarr-log"
# "sonarr-main" "sonarr-log"
# "lidarr-main" "lidarr-log"
# "prowlarr-main" "prowlarr-log"
# ];
# identMap = ''
# media media radarr-main
# media media radarr-log
# media media sonarr-main
# media media sonarr-log
# media media lidarr-main
# media media lidarr-log
# media media prowlarr-main
# media media prowlarr-log
# '';
# ensureUsers = [
# { name = "radarr-main"; ensureDBOwnership = true; }
# { name = "radarr-log"; ensureDBOwnership = true; }
# { name = "sonarr-main"; ensureDBOwnership = true; }
# { name = "sonarr-log"; ensureDBOwnership = true; }
# { name = "lidarr-main"; ensureDBOwnership = true; }
# { name = "lidarr-log"; ensureDBOwnership = true; }
# { name = "prowlarr-main"; ensureDBOwnership = true; }
# { name = "prowlarr-log"; ensureDBOwnership = true; }
# ];
# };
caddy = {
enable = true;
virtualHosts = {

10
shells/default/default.nix
View file

@ -1,10 +0,0 @@
{ mkShell, inputs, pkgs, ... }:
mkShell {
packages = with pkgs; [
bash
sops
just
inputs.clan-core.packages.x86_64-linux.clan-cli
];
}

3
systems/x86_64-linux/ulmo/default.nix
View file

@ -38,8 +38,7 @@
sneeuwvlok = {
services = {
backup.borg.enable = true;
# authentication.authelia.enable = true;
authentication.zitadel = {
enable = true;