From b11a33de6e3986e30ee3ad1d0519100dc57225d2 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:43:51 +0000 Subject: [PATCH 01/14] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 29 +++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 systems/x86_64-linux/ulmo/secrets.yml diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml new file mode 100644 index 0000000..a4847e5 --- /dev/null +++ b/systems/x86_64-linux/ulmo/secrets.yml 
@@ -0,0 +1,29 @@ +email: + chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] + info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] +zitadel: + masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +sops: + age: + - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx + ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q + cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv + RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK + 6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV + eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS + NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG + TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb + Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-23T12:43:51Z" + mac: ENC[AES256_GCM,data:3pYyKM07BQ3xB866YsKhqIyuuk0x1fNW5i5DmZ7C9wPV7sM/4Xh1kItA71pf8Jh4Us7ztNt/td1KgH1Aux2RTgi8rSooKlqjoMOQP75q0BjHqyCPJdLCmXe95C7YvwCFYBadbcsJsOJKRpOldwxHz8mwpsDs9hLwiFQFeBc7orY=,iv:VjrNJw3JFeSavSjrQ/x45LJ1Xqq7TnGu68aFl0bkIjw=,tag:oqyr2XxwY6gNniDnDBYPlQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0 From a8dbf792e32b5b557c23e8aed3a26cf8ffb7d93b Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 23 Oct 2025 12:44:08 +0000 Subject: [PATCH 02/14] ops(secrets): removed secret "je_moeder/0/awesome/2" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index a4847e5..4eb461f 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,6 +3,9 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +je_moeder: + - awesome: + - ENC[AES256_GCM,data:3htXBQ==,iv:f8LZSfHxkQ+RJlaFgq4lUjjtNisjwJZJtFqm1l/HC0o=,tag:BK0gx2gxrNPdfqOn/01KWg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +26,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:43:51Z" - mac: ENC[AES256_GCM,data:3pYyKM07BQ3xB866YsKhqIyuuk0x1fNW5i5DmZ7C9wPV7sM/4Xh1kItA71pf8Jh4Us7ztNt/td1KgH1Aux2RTgi8rSooKlqjoMOQP75q0BjHqyCPJdLCmXe95C7YvwCFYBadbcsJsOJKRpOldwxHz8mwpsDs9hLwiFQFeBc7orY=,iv:VjrNJw3JFeSavSjrQ/x45LJ1Xqq7TnGu68aFl0bkIjw=,tag:oqyr2XxwY6gNniDnDBYPlQ==,type:str] + lastmodified: "2025-10-23T12:44:07Z" + mac: ENC[AES256_GCM,data:ns/UoRJG/czGOy4cztz/ynuvf29z+K0Tx7ck6/G5hFyZ+r2fqLoK/Kqn/qjjB69knA8EbarIcrGiFRmXeRXydK3VRFhVNAbl15baIBMXTiUxG+rzEEPr/9upobRTIZNgOiNJDnsBm5A//MTLro2KIMepW/pJ1QfTjOnbSg0vH7E=,iv:r7Y6mkujSWxYf6N/edJRjKb/hkIf/q11P0b3+jpdeLU=,tag:RUshke1gKAnfB0UHrYSrkQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From e17b144c9f361901b304a5a41ae1e7c690173254 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:45:25 +0000 Subject: [PATCH 03/14] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 4eb461f..2fdce33 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,9 +3,6 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] -je_moeder: - - awesome: - - ENC[AES256_GCM,data:3htXBQ==,iv:f8LZSfHxkQ+RJlaFgq4lUjjtNisjwJZJtFqm1l/HC0o=,tag:BK0gx2gxrNPdfqOn/01KWg==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -26,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:44:07Z" - mac: ENC[AES256_GCM,data:ns/UoRJG/czGOy4cztz/ynuvf29z+K0Tx7ck6/G5hFyZ+r2fqLoK/Kqn/qjjB69knA8EbarIcrGiFRmXeRXydK3VRFhVNAbl15baIBMXTiUxG+rzEEPr/9upobRTIZNgOiNJDnsBm5A//MTLro2KIMepW/pJ1QfTjOnbSg0vH7E=,iv:r7Y6mkujSWxYf6N/edJRjKb/hkIf/q11P0b3+jpdeLU=,tag:RUshke1gKAnfB0UHrYSrkQ==,type:str] + lastmodified: "2025-10-23T12:45:24Z" + mac: ENC[AES256_GCM,data:hfTa17ELKJQIATXrDupWHv83mOaKAx6s0kpTfiLpBW6BjG0Ae5/oRF8b3oeP6Yp263PFT0uINFz5MjBsoPk9lCJu6zJDdWLliRrjM73Ob/y/EXG07rzEup5kFHblSWsRNteF9Xhd7C+OgOebxWzgr/AoE6FldhTLOyiKfNuaR6U=,iv:gElzOo9HZlcjfBJQbUeJc7v3hwJavn0cE7rbtFkLFTg=,tag:TVGLZSHIM/kZZ6CKXS77JA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 
From 40da937ee0a8737bc4f39e135eedff4cd884f09b Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:45:28 +0000 Subject: [PATCH 04/14] ops(secrets): set secret "je_moeder/0/awesome/2" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 2fdce33..293e901 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -3,6 +3,9 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +je_moeder: + - awesome: + - ENC[AES256_GCM,data:VftBLg==,iv:Rtfi+AlMB7bhsTS8d1IT8l358F2QQP+952Mxzpk5JMA=,tag:rDyanvogMKPbLRyyGHAUVw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq 
@@ -23,7 +26,7 @@ sops:
 TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
 Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-10-23T12:45:24Z"
- mac: ENC[AES256_GCM,data:hfTa17ELKJQIATXrDupWHv83mOaKAx6s0kpTfiLpBW6BjG0Ae5/oRF8b3oeP6Yp263PFT0uINFz5MjBsoPk9lCJu6zJDdWLliRrjM73Ob/y/EXG07rzEup5kFHblSWsRNteF9Xhd7C+OgOebxWzgr/AoE6FldhTLOyiKfNuaR6U=,iv:gElzOo9HZlcjfBJQbUeJc7v3hwJavn0cE7rbtFkLFTg=,tag:TVGLZSHIM/kZZ6CKXS77JA==,type:str]
+ lastmodified: "2025-10-23T12:45:27Z"
+ mac: ENC[AES256_GCM,data:QtQAU1vxUvlK/XrN5bxwMY+KC7yOMKqGkHIB6y3KE/eiRKZAGXNNyG81Z4aGhhFwQj3lmIeU2/Qw3ZeLJz8evRDeJ7JNZH/ZDFNyeUyRqGMldtqKHKAQDJDC5OVAFxf/6owgiYbr4og2J7PFqfoiG0ODM9+bPN4V7axmtd5KFkg=,iv:nFdTrIe+eEhG1H4VeAshuvI3ELpxe54CVP2LSdPj1fE=,tag:JvGKgiDvepytiKVuwxN8cQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From e9fef516ecbc90f56d33e7ff2e18313a642f2292 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Thu, 23 Oct 2025 14:47:53 +0200
Subject: [PATCH 05/14] feat(sops): finally somewhat properly set up with sops
---
 .just/machine.just | 9 +++++++++ .just/vars.just | 28 ++++++++++++++++++++++++++++ .justfile | 15 ++++++++++----- .sops.yaml | 11 +++++++++++ .sops.yml | 8 -------- _secrets/secrets.yaml | 30 ------------------------------ 6 files changed, 58 insertions(+), 43 deletions(-) create mode 100644 .just/machine.just create mode 100644 .just/vars.just create mode 100644 .sops.yaml delete mode 100644 .sops.yml delete mode 100644 _secrets/secrets.yaml
diff --git a/.just/machine.just b/.just/machine.just
new file mode 100644
index 0000000..65d1a7b
--- /dev/null
+++ b/.just/machine.just
@@ -0,0 +1,9 @@
+@_default: list
+
+[doc('List machines')]
+@list:
+ ls -1 ../systems/x86_64-linux/
+
+[doc('Update the target machine')]
+update machine:
+ nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
\ No newline at end of file
diff --git a/.just/vars.just b/.just/vars.just
new file mode 100644
index 0000000..78b7cb5
--- /dev/null
+++ b/.just/vars.just
@@ -0,0 +1,28 @@
+base_path := invocation_directory() / "systems/x86_64-linux"
+sops := "nix shell nixpkgs#sops --command sops"
+
+@_default:
+ just --list
+
+[doc('list all vars of the target machine')]
+list machine:
+ {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml
+
+@edit machine:
+ {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
+
+@set machine key value:
+ {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\"
+
+ git add {{ base_path }}/{{ machine }}/secrets.yml
+ git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+
+ echo "Done"
+
+@remove machine key:
+ {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
+
+ git add {{ base_path }}/{{ machine }}/secrets.yml
+ git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+
+ echo "Done"
\ No newline at end of file
diff --git a/.justfile b/.justfile
index 67ac3a4..4e8a323 100644
--- a/.justfile
+++ b/.justfile
@@ -1,7 +1,12 @@
+@_default:
+ just --list --list-submodules
-try-again:
- nix flake update amarth-customer-portal
- nix flake check --all-systems --show-trace
+[doc('Manage vars')]
+mod vars '.just/vars.just'
-update machine:
- nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}
\ No newline at end of file
+[doc('Manage machines')]
+mod machine '.just/machine.just'
+
+[doc('Show information about project')]
+@show:
+ echo "show"
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9e7956c
--- /dev/null
+++ b/.sops.yaml
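Review bot: `sops := "nix shell nixpkgs#sops --command sops"` resolves `nixpkgs` through whatever flake registry the operator's machine has, not this flake's locked input, so the sops build used to encrypt every machine's secrets is unpinned and can differ per operator; `sops := "nix shell --inputs-from . nixpkgs#sops --command sops"` ties it to `flake.lock`. The `set` and `remove` recipes splice `{{ key }}` into a single-quoted shell string, so a key containing `'` breaks the quoting (keys are operator-supplied, so this is robustness rather than exposure), and the `printf | sed` pipeline deserves a comment such as `# turn a/b/0 into the sops path ["a"]["b"][0]`. `list` prints the fully decrypted file to the terminal; its `[doc(...)]` should say so.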
@@ -0,0 +1,11 @@
+keys:
+ - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
+ - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
+
+creation_rules:
+ # All Machine secrets
+ - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$
+ key_groups:
+ - age:
+ - *ulmo_1
+ - *ulmo_2
\ No newline at end of file
diff --git a/.sops.yml b/.sops.yml
deleted file mode 100644
index 96e09c3..0000000
--- a/.sops.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-keys:
- - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
-
-creation_rules:
- - path_regex: secrets/secrets.yml$
- key_groups:
- - age:
- - *primary
diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml
deleted file mode 100644
index 78b1a8c..0000000
--- a/_secrets/secrets.yaml
+++ /dev/null
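Review bot: The one creation rule `path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$` encrypts every present and future machine's secrets file to the same two `ulmo_*` recipients, so the holder of either key — presumably the `ulmo` host for at least one of them — can decrypt every other host's secrets as soon as they are added under `systems/`. A rule per host, e.g. `- path_regex: systems/[^/]+/ulmo/[^/]+\.(yml|yaml)$` listing only that host's key plus the operator key, keeps a compromised host key from exposing its siblings. The anchors do not say which key is a host key and which an operator key; naming them by role would document the trust model in place.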
@@ -1,30 +0,0 @@ -#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment] -example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str] -#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment] -#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment] -example: - my_subdir: - my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR - ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz - YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB - dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR - Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-09T11:37:49Z" - mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.4 - -zitadel: - masterKey: thisWillBeAnEncryptedValueInTheFuture From e3ae7220d3b468561a122e5f9a983ddc19c97a9b Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 23 Oct 2025 14:49:47 +0200 Subject: [PATCH 06/14] fix(stylix): add zen-browser profile --- modules/home/themes/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index ede7c53..3fa74b9 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,7 +31,9 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; + # targets.qt.platform = mkDefault "kde"; + targets.zen-browser.profileNames = [ "Chris" ]; fonts = { serif = { From 352c05765222b1cefdfddf5b8ac6f6b96c48c10a Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 14:50:42 +0200 Subject: [PATCH 07/14] refactor: tidy up zitadel service module --- .../authentication/zitadel/default.nix | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 66f5fc0..75b1bf2 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, system, inputs, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair; + inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; inherit (lib.${namespace}.strings) toSnakeCase; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -129,21 +129,17 @@ in withName = name: attrs: attrs // { inherit name; }; withRef = type: name: attrs: attrs // (mapRef type name); + select = keys: callback: set: + if (length keys) == 0 then + mapAttrs' callback set + else let key = head keys; in + concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; + # this is a nix package, the generated json file to be exact terraformConfiguration = inputs.terranix.lib.terranixConfiguration { inherit system; - modules = - let - inherit (lib) mapAttrs' concatMapAttrs nameValuePair getAttrs getAttr hasAttr typeOf head drop length; - - select = keys: callback: set: - if (length keys) == 0 then - mapAttrs' callback set - else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; - in - [ + modules = [ ({ config, lib, ... }: { config = { terraform.required_providers.zitadel = { @@ -214,7 +210,6 @@ in ${lib.getExe pkgs.opentofu} init # Run the infrastructure code - # ${lib.getExe pkgs.opentofu} plan ${lib.getExe pkgs.opentofu} apply -auto-approve ''; From dd9e79b8890a420b2c8c527a7055eabafb22d630 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 12:53:40 +0000 Subject: [PATCH 08/14] ops(secrets): removed secret "je_moeder" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 293e901..1bd3967 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml 
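Review bot: `select` is hoisted to module scope in this hunk without any comment, and what it does (descend `keys` into `set`, reading a missing level as `{}` via `v.${key} or {}`, feeding each level's name to `callback`, then `mapAttrs'` over the leaves with the accumulated callback) takes a trace to work out; a header comment stating that contract would save the next reader the trace. The enclosing `let` starts before this hunk. The third hunk removes the commented-out `opentofu plan` line, leaving `apply -auto-approve` with no record of why unattended apply is acceptable here; a one-line comment on that would be worth more than the deleted line.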
@@ -3,9 +3,6 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] zitadel: masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] -je_moeder: - - awesome: - - ENC[AES256_GCM,data:VftBLg==,iv:Rtfi+AlMB7bhsTS8d1IT8l358F2QQP+952Mxzpk5JMA=,tag:rDyanvogMKPbLRyyGHAUVw==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -26,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:45:27Z" - mac: ENC[AES256_GCM,data:QtQAU1vxUvlK/XrN5bxwMY+KC7yOMKqGkHIB6y3KE/eiRKZAGXNNyG81Z4aGhhFwQj3lmIeU2/Qw3ZeLJz8evRDeJ7JNZH/ZDFNyeUyRqGMldtqKHKAQDJDC5OVAFxf/6owgiYbr4og2J7PFqfoiG0ODM9+bPN4V7axmtd5KFkg=,iv:nFdTrIe+eEhG1H4VeAshuvI3ELpxe54CVP2LSdPj1fE=,tag:JvGKgiDvepytiKVuwxN8cQ==,type:str] + lastmodified: "2025-10-23T12:53:39Z" + mac: ENC[AES256_GCM,data:d4caeqSPWSaRNHcGKrxTCarX3OWJVf7uDx4pd5ldjdvHxUZu8xThDLpq850/jzCoX3T6bCes52o4TSSBYQCX+blPLdWetqJ/GulOvlsmudQJArZIcg4ZY96nVSv+sIJnP/1YEw0g6QxYxLa7IeEs6ZxNlBIaF/bff7AEHbtRNGs=,iv:DN/vvD2smUt+SFEfm08IpW+H7QtCChXYYKVLwE7SXPU=,tag:Uua+KE5+V6OT1O0aNrm6+g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From fe628075d984b5fa68db5e40d468b4f20f8bb855 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 13:58:11 +0000 Subject: [PATCH 09/14] ops(secrets): removed secret "zitadel/masterkey" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1bd3967..6f7ded0 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml 
+++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,8 +1,7 @@ email: chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] -zitadel: - masterkey: ENC[AES256_GCM,data:o/6bSmkxbjxkxof6vxGw5gwn4O5QVg/JUoK7M80WlA==,iv:BwEmI0jvNCMsfcEWn0zXzjsXHYgxkksqe02j2l4ohGc=,tag:BRl0h1QvRn5e57vPgIFx8Q==,type:str] +zitadel: {} sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -23,7 +22,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T12:53:39Z" - mac: ENC[AES256_GCM,data:d4caeqSPWSaRNHcGKrxTCarX3OWJVf7uDx4pd5ldjdvHxUZu8xThDLpq850/jzCoX3T6bCes52o4TSSBYQCX+blPLdWetqJ/GulOvlsmudQJArZIcg4ZY96nVSv+sIJnP/1YEw0g6QxYxLa7IeEs6ZxNlBIaF/bff7AEHbtRNGs=,iv:DN/vvD2smUt+SFEfm08IpW+H7QtCChXYYKVLwE7SXPU=,tag:Uua+KE5+V6OT1O0aNrm6+g==,type:str] + lastmodified: "2025-10-23T13:58:10Z" + mac: ENC[AES256_GCM,data:ZiK2BIND4a7cCh0HaYzqU4oicnrG9o83D9q63GiCNU6RSj8JKDeVdZ6zu+Nj0rzFgk7k42pv5LGaDf9F/G4vYwlvYYDah2aZOFVMFuE1lvUgZNKkWwIRd+Oe4Fo1yghhCkQOv6Ctcym9/2ALTKbgF8+ZkaxIkwV2o8w/VWnr4HM=,iv:SxA5sdPXo4ALAFTiD/6jYRICsXyjcBake5QPP7mmqn8=,tag:wEI2pVcNz9Ypyi3vt+cg+g==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 5f0f986c598c994d3ea3a41b0686ee89e0dd03b9 Mon Sep 17 00:00:00 2001 From: chris Date: Thu, 23 Oct 2025 14:23:22 +0000 Subject: [PATCH 10/14] ops(secrets): set secret "email/chris_kruining_eu" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 6f7ded0..1eeb402 100644 
--- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,7 +1,9 @@ email: chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] -zitadel: {} + chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] +zitadel: + masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] sops: age: - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq @@ -22,7 +24,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T13:58:10Z" - mac: ENC[AES256_GCM,data:ZiK2BIND4a7cCh0HaYzqU4oicnrG9o83D9q63GiCNU6RSj8JKDeVdZ6zu+Nj0rzFgk7k42pv5LGaDf9F/G4vYwlvYYDah2aZOFVMFuE1lvUgZNKkWwIRd+Oe4Fo1yghhCkQOv6Ctcym9/2ALTKbgF8+ZkaxIkwV2o8w/VWnr4HM=,iv:SxA5sdPXo4ALAFTiD/6jYRICsXyjcBake5QPP7mmqn8=,tag:wEI2pVcNz9Ypyi3vt+cg+g==,type:str] + lastmodified: "2025-10-23T14:23:21Z" + mac: ENC[AES256_GCM,data:BVxgNIS+o5TW3XdTFJPd5BwsYPB5/iLPRLC72KV4zLALxO+ZzgZni1ADlDKpNf0W1pB67brguQvT0Jk/3jl/mSGAUS0AC+d2fBAl4m1I8KgRkhFTlzKJBaHn39iNJBkgM0ILNqdxNjFF6r472Ib3p/UNe1EPJgCQzqq5WVSumoo=,iv:aEBuJcjVaEYdCOAW3AiwVoskhH/+P3uSwZScssLi3OQ=,tag:kzJg99OjRsLaL7/hKHzs9Q==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 34fd079fb7ed77f71a89b314786f5ccb8bf23860 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 23 Oct 2025 14:23:40 +0000 Subject: [PATCH 11/14] ops(secrets): removed secret "email/chris@kruining.eu" from machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1eeb402..1fb64b9 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,5 +1,4 @@ email: - chris@kruining.eu: ENC[AES256_GCM,data:uS85B/xn2a+c6Cys66pyfth2Bm4zZx4=,iv:vo8VKON3B9/Yau6PqAHI0xyCpqpU2UuU/WEH1Z7SMos=,tag:jVIHPxRI/0IpUxoKzO9GAA==,type:str] info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] zitadel: @@ -24,7 +23,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:23:21Z" - mac: ENC[AES256_GCM,data:BVxgNIS+o5TW3XdTFJPd5BwsYPB5/iLPRLC72KV4zLALxO+ZzgZni1ADlDKpNf0W1pB67brguQvT0Jk/3jl/mSGAUS0AC+d2fBAl4m1I8KgRkhFTlzKJBaHn39iNJBkgM0ILNqdxNjFF6r472Ib3p/UNe1EPJgCQzqq5WVSumoo=,iv:aEBuJcjVaEYdCOAW3AiwVoskhH/+P3uSwZScssLi3OQ=,tag:kzJg99OjRsLaL7/hKHzs9Q==,type:str] + lastmodified: "2025-10-23T14:23:39Z" + mac: ENC[AES256_GCM,data:FoQYZwmra35BdYu/5RO4P9KdfKDZ1DPYN1q0fUFJ95eowK+rCXHAO9Bftjk1rEYTWO1bdKS7lYCLPgAh0sQHhovQoMXC5wlCkKpgMoi47Ji/qCbXXmDiayMpMxosKcrCMEV4wPvcLEVXgS5MlPUOT4xhm7tCa+h9d7WBZmU2ho8=,iv:P0s+TcMlnxToPl6roU8ZE9l8x4vOsfu/4BzrbcPSIec=,tag:ZO5yFyoCA/8RBdLQIOhsgw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 47df6b544a46c35e2e88ef9320be0eae55ccd4f0 Mon Sep 17 00:00:00 2001 
From: chris Date: Thu, 23 Oct 2025 14:26:00 +0000 Subject: [PATCH 12/14] ops(secrets): set secret "email/info_amarth_cloud" for machine "ulmo" --- systems/x86_64-linux/ulmo/secrets.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml index 1fb64b9..6add209 100644 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ b/systems/x86_64-linux/ulmo/secrets.yml @@ -1,6 +1,7 @@ email: info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] + info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] zitadel: masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] sops: 
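Review bot: `info_amarth_cloud` is added while the older `info@amarth.cloud` entry stays, unlike patch 11, which dropped `chris@kruining.eu` once `chris_kruining_eu` existed; the stale key keeps a second copy of the credential in the file with nothing visibly consuming it, as far as the `sops.secrets` declarations in patch 14 show (they reference only `email/chris_kruining_eu`). Remove it with the same `remove` step, or if something still reads the `@` form, note that in the consuming module.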
@@ -23,7 +24,7 @@ sops: TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:23:39Z" - mac: ENC[AES256_GCM,data:FoQYZwmra35BdYu/5RO4P9KdfKDZ1DPYN1q0fUFJ95eowK+rCXHAO9Bftjk1rEYTWO1bdKS7lYCLPgAh0sQHhovQoMXC5wlCkKpgMoi47Ji/qCbXXmDiayMpMxosKcrCMEV4wPvcLEVXgS5MlPUOT4xhm7tCa+h9d7WBZmU2ho8=,iv:P0s+TcMlnxToPl6roU8ZE9l8x4vOsfu/4BzrbcPSIec=,tag:ZO5yFyoCA/8RBdLQIOhsgw==,type:str] + lastmodified: "2025-10-23T14:25:59Z" + mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 4f0d0f7f0e0454b305e08415ce64f601a46fa6c5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 23 Oct 2025 16:31:19 +0200 Subject: [PATCH 13/14] fix: various fixes to just commands --- .just/vars.just | 6 +++--- .justfile | 8 +++++++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.just/vars.just b/.just/vars.just index 78b7cb5..46bb5fd 100644 --- a/.just/vars.just +++ b/.just/vars.just 
@@ -12,10 +12,10 @@ list machine:
 {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
 @set machine key value:
- {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" \"{{ value }}\"
+ {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
 git add {{ base_path }}/{{ machine }}/secrets.yml
- git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+ git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
 echo "Done"
@@ -23,6 +23,6 @@ list machine:
 {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
 git add {{ base_path }}/{{ machine }}/secrets.yml
- git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml
+ git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
 echo "Done"
\ No newline at end of file
diff --git a/.justfile b/.justfile
index 4e8a323..1c9fc03 100644
--- a/.justfile
+++ b/.justfile
@@ -9,4 +9,10 @@ mod machine '.just/machine.just'
 [doc('Show information about project')]
 @show:
- echo "show"
\ No newline at end of file
+ echo "show"
+
+[doc('update the flake dependencies')]
+@update:
+ nix flake update
+ git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null
+ echo "Done"
\ No newline at end of file
From f390d4195562e69aa43fc326ca6efb33167cc6ad Mon Sep 17 00:00:00 2001
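Review bot: `'"{{ value }}"'` still expands the secret into the recipe command line, so when run interactively the `just vars set …` invocation with the plaintext value lands in shell history, and the value is readable from the `sops set` process's `/proc/<pid>/cmdline` while it runs; a value containing `'`, `"` or `\` also breaks the single-quoted JSON string. Prompting for the value inside the recipe (`read -rs value` in a `#!/usr/bin/env bash` recipe, dropping the `value` parameter) keeps it out of history, and the JSON string should be built with proper escaping rather than by wrapping raw text in quotes. The `> /dev/null` on the `git commit` lines hides only stdout, so failures still surface on stderr, which is fine.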
From: Chris Kruining
Date: Thu, 23 Oct 2025 16:31:56 +0200
Subject: [PATCH 14/14] WIP: trying to get smtp configured for zitadel
---
 .../authentication/zitadel/default.nix | 98 +++++++++++++------ .../nixos/system/security/sops/default.nix | 10 +- 2 files changed, 76 insertions(+), 32 deletions(-)
diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix
index 75b1bf2..59abcf3 100644
--- a/modules/nixos/services/authentication/zitadel/default.nix
+++ b/modules/nixos/services/authentication/zitadel/default.nix
@@ -135,6 +135,8 @@ in
 else let key = head keys; in
 concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set;
+ config' = config;
+
 # this is a nix package, the generated json file to be exact
 terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
 inherit system;
@@ -177,6 +179,15 @@ in
 |> withRef "project" project
 |> toResource name
 );
+
+ zitadel_smtp_config.default = {
+ sender_address = "chris@kruining.eu";
+ sender_name = "no-reply (Zitadel)";
+ tls = true;
+ host = "black-mail.nl";
+ user = "chris@kruining.eu";
+ password = "\${file(\"${config'.sops.templates."kaas".path}\")}";
+ };
 };
 };
 })
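Review bot: `password = "\${file(\"${config'.sops.templates."kaas".path}\")}"` has OpenTofu read the SMTP password at apply time, and provider resource attributes are persisted to the state file, so the plaintext password ends up in the Terraform state wherever that state lives (not visible in this hunk — confirm it is local and root-only, or encrypted). `host = "black-mail.nl"` differs from the `Host = "black-mail.nl:587"` used in the steps config in the next hunk; if the provider expects `host:port` this silently misconfigures, so a comment either way would help. `config' = config;` in the first hunk needs a line such as `# outer NixOS config: the terranix module below shadows config`, and `"kaas"` says nothing about what the template holds — `"zitadel-smtp-password"` would. The enclosing `let` and the `terranixConfiguration` call extend outside both hunks.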
@@ -245,31 +256,30 @@ in
 SecretHasher.Hasher.Algorithm = "argon2id";
 };
- # DefaultInstance = {
- # # PasswordComplexityPolicy = {
- # # MinLength = 0;
- # # HasLowercase = false;
- # # HasUppercase = false;
- # # HasNumber = false;
- # # HasSymbol = false;
- # # };
- # LoginPolicy = {
- # AllowRegister = false;
- # ForceMFA = true;
- # };
- # LockoutPolicy = {
- # MaxPasswordAttempts = 5;
- # MaxOTPAttempts = 10;
- # };
- # # SMTPConfiguration = {
- # # SMTP = {
- # # Host = "black-mail.nl:587";
- # # User = "chris@kruining.eu";
- # # Password = "__TODO_USE_SOPS__";
- # # };
- # # FromName = "Amarth Zitadel";
- # # };
- # };
+ DefaultInstance = {
+ # PasswordComplexityPolicy = {
+ # MinLength = 0;
+ # HasLowercase = false;
+ # HasUppercase = false;
+ # HasNumber = false;
+ # HasSymbol = false;
+ # };
+ # LoginPolicy = {
+ # AllowRegister = false;
+ # ForceMFA = true;
+ # };
+ # LockoutPolicy = {
+ # MaxPasswordAttempts = 5;
+ # MaxOTPAttempts = 10;
+ # };
+ SMTPConfiguration = {
+ SMTP = {
+ Host = "black-mail.nl:587";
+ User = "chris@kruining.eu";
+ };
+ FromName = "Amarth Zitadel";
+ };
+ };
 Database.postgres = {
 Host = "localhost";
@@ -325,6 +335,9 @@ in
 };
 };
 };
+ extraStepsPaths = [
+ config.sops.templates."secrets.yaml".path
+ ];
 };
 postgresql = {
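Review bot: SMTP is now configured in two places — `DefaultInstance.SMTPConfiguration` in the steps file (password supplied via `extraStepsPaths` in the second hunk) and `zitadel_smtp_config.default` in the terraform module from the previous hunk — and they already disagree on the host/port form, so one of them should go or a comment should say which is authoritative and when each applies (steps presumably only on first setup — confirm against the ZITADEL docs). The `LoginPolicy` (`AllowRegister = false`, `ForceMFA = true`) and `LockoutPolicy` blocks are the hardening settings and are carried over still commented out inside the now-live attrset; either enable them or remove the dead config rather than leave it looking half-applied. `extraStepsPaths` points at a sops template owned by `zitadel`, which matches the service user as far as the last hunk shows.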
@@ -359,10 +372,37 @@ in
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 # Secrets
- sops.secrets."zitadel/masterKey" = {
- owner = "zitadel";
- group = "zitadel";
- restartUnits = [ "zitadel.service" ];
+ sops = {
+ secrets = {
+ "zitadel/masterKey" = {
+ owner = "zitadel";
+ group = "zitadel";
+ restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0
+ };
+
+ "email/chris_kruining_eu" = {
+ owner = "zitadel";
+ group = "zitadel";
+ restartUnits = [ "zitadel.service" ];
+ };
+ };
+
+ templates."secrets.yaml" = {
+ owner = "zitadel";
+ group = "zitadel";
+ content = ''
+ DefaultInstance:
+ SMTPConfiguration:
+ SMTP:
+ Password: ${config.sops.placeholder."email/chris_kruining_eu"}
+ '';
+ };
+
+ templates."kaas" = {
+ owner = "zitadel";
+ group = "zitadel";
+ content = config.sops.placeholder."email/chris_kruining_eu";
+ };
 };
 };
 }
diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix
index 68ab4ca..bee7b3c 100644
--- a/modules/nixos/system/security/sops/default.nix
+++ b/modules/nixos/system/security/sops/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, namespace, inputs, ... }:
+{ pkgs, config, namespace, inputs, system, ... }:
 let
 cfg = config.${namespace}.system.security.sops;
 in
@@ -13,10 +13,14 @@ in
 environment.systemPackages = with pkgs; [ sops ];
 sops = {
- defaultSopsFile = ../../../../../_secrets/secrets.yaml;
 defaultSopsFormat = "yaml";
+ defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml";
- age.keyFile = "/home/";
+ age = {
+ # keyFile = "~/.config/sops/age/keys.txt";
+ # sshKeyPaths = [ "~/.ssh/id_ed25519" ];
+ # generateKey = true;
+ };
 };
 };
 }
\ No newline at end of file
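Review bot: The `restartUnits` line of `"zitadel/masterKey"` carries a trailing comment that looks like a pasted credential (high-entropy, mixed symbols) and should not be in source; it is already in this patch series' history, so delete the comment and rotate whatever it belongs to if it is real, and a pre-commit secret scanner would catch the next one. `templates."secrets.yaml"` and `templates."kaas"` both render the same `email/chris_kruining_eu` placeholder but neither sets `restartUnits`, so a password change rewrites the files without restarting `zitadel.service` — confirm that is intended or add `restartUnits = [ "zitadel.service" ];` to both. `templates."kaas"` is only consumed by the terraform `file()` call in the first hunk of this file; a comment naming that consumer, and a descriptive name, would stop it reading as a stray.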
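Review bot: The new `age = { … }` block is empty apart from three commented-out options, so key lookup now rests entirely on sops-nix defaults (which, as I recall, fall back to the host's ed25519 SSH host key when `sshKeyPaths` is unset — confirm); that is likely the intent, since the removed `age.keyFile = "/home/"` could never have worked, but it should be stated, e.g. `# no explicit key: sops-nix falls back to the host ed25519 SSH key`. The `~/...` paths in the comments would not expand for a system service, so they are misleading if ever uncommented. `defaultSopsFile` now depends on `config.networking.hostName`; a host that leaves it at the default gets a non-existent `systems/<system>/nixos/secrets.yml` and fails at evaluation or build rather than reading the wrong file, which is acceptable but worth a comment.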