diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 684cfad..4aac00e 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -7,9 +7,10 @@ on: - main jobs: - kaas: - runs-on: nix + hello: + name: Print hello world + runs-on: default steps: - name: Echo run: | - nix --version \ No newline at end of file + echo "Hello, world!" \ No newline at end of file diff --git a/.gitignore b/.gitignore index 3cb44c3..87a3018 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,2 @@ -# ---> Nix -# Ignore build outputs from performing a nix-build or `nix build` command result -result-* - -# Ignore automatically generated direnv output -.direnv - +*.qcow2 diff --git a/.just/machine.just b/.just/machine.just deleted file mode 100644 index 65d1a7b..0000000 --- a/.just/machine.just +++ /dev/null @@ -1,9 +0,0 @@ -@_default: list - -[doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ - -[doc('Update the target machine')] -update machine: - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file diff --git a/.just/vars.just b/.just/vars.just deleted file mode 100644 index 46bb5fd..0000000 --- a/.just/vars.just +++ /dev/null @@ -1,28 +0,0 @@ -base_path := invocation_directory() / "systems/x86_64-linux" -sops := "nix shell nixpkgs#sops --command sops" - -@_default: - just --list - -[doc('list all vars of the target machine')] -list machine: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml - -@set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - - echo "Done" - -@remove machine key: - {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - - echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile deleted file mode 100644 index 1c9fc03..0000000 --- a/.justfile +++ /dev/null @@ -1,18 +0,0 @@ -@_default: - just --list --list-submodules - -[doc('Manage vars')] -mod vars '.just/vars.just' - -[doc('Manage machines')] -mod machine '.just/machine.just' - -[doc('Show information about project')] -@show: - echo "show" - -[doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 9e7956c..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,11 +0,0 @@ -keys: - - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq - - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - -creation_rules: - # All Machine secrets - - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$ - key_groups: - - age: - - *ulmo_1 - - *ulmo_2 \ No newline at end of file diff --git a/.sops.yml b/.sops.yml new file mode 100644 index 0000000..96e09c3 --- /dev/null +++ b/.sops.yml @@ -0,0 +1,8 @@ +keys: + - &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + +creation_rules: + - path_regex: secrets/secrets.yml$ + key_groups: + - age: + - *primary diff --git a/_secrets/secrets.yaml b/_secrets/secrets.yaml new file mode 100644 index 0000000..78b1a8c --- /dev/null +++ b/_secrets/secrets.yaml @@ -0,0 +1,30 @@ +#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment] +example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str] +#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment] +#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment] +example: + my_subdir: + my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR + ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz + YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB + dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR + Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-09T11:37:49Z" + mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 + +zitadel: + masterKey: thisWillBeAnEncryptedValueInTheFuture diff --git a/flake.lock b/flake.lock index 935fbaf..27521bd 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "fromYaml": "fromYaml" }, "locked": { - "lastModified": 1755819240, - "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", + "lastModified": 1746562888, + "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", "owner": "SenchoPens", "repo": "base16.nix", - "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", + "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", "type": "github" }, "original": { @@ -21,17 +21,16 @@ "base16-fish": { "flake": false, "locked": { - "lastModified": 1754405784, - "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=", + "lastModified": 1622559957, + "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", "owner": "tomyun", "repo": "base16-fish", - "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", + "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", "type": "github" }, "original": { "owner": "tomyun", "repo": "base16-fish", - "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", "type": "github" } }, @@ -74,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1759842236, - "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", + "lastModified": 1755108317, + "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", + "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e", "type": "github" }, "original": { @@ -95,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1760510549, - "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", + "lastModified": 1755153894, + "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=", "owner": "nix-community", "repo": "fenix", - "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", + "rev": "f6874c6e512bc69d881d979a45379b988b80a338", "type": "github" }, "original": { @@ -115,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1760548798, - "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", + "lastModified": 1755083788, + "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", + "rev": "523078b104590da5850a61dfe291650a6b49809c", "type": "github" }, "original": { @@ -131,11 +130,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1758112371, - "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", + "lastModified": 1748383148, + "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", + "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", "type": "github" }, "original": { @@ -231,11 +230,11 @@ ] }, "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", "type": "github" }, "original": { @@ -252,32 +251,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "terranix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", "type": "github" }, "original": { @@ -433,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1757136219, - "narHash": "sha256-tKU+vq34KHu/A2wD7WdgP5A4/RCmSD8hB0TyQAUlixA=", + "lastModified": 1755072091, + "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "80dd04ddf3ba7b284a7b1a5df2b1e95ee2aad606", + "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa", "type": "github" }, "original": { @@ -451,15 +429,14 @@ "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" - ], - "rust-overlay": "rust-overlay" + ] }, "locked": { - "lastModified": 1760546650, - "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", + "lastModified": 1754593854, + "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", + "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed", "type": "github" }, "original": { @@ -475,32 +452,11 @@ ] }, "locked": { - "lastModified": 1760500983, - "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", + "lastModified": 1755121891, + "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=", "owner": "nix-community", "repo": "home-manager", - "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { - "inputs": { - "nixpkgs": [ - "zen-browser", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1752603129, - "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", + "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426", "type": "github" }, "original": { @@ -517,11 +473,11 @@ ] }, "locked": { - "lastModified": 1760534924, - "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", + "lastModified": 1755151620, + "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "100b4e000032b865563a9754e5bca189bc544764", + "rev": "16e12d22754d97064867006acae6e16da7a142a6", "type": "github" }, "original": { @@ -551,11 +507,11 @@ }, "mnw": { "locked": { - "lastModified": 1758834834, - "narHash": "sha256-Y7IvY4F8vajZyp3WGf+KaiIVwondEkMFkt92Cr9NZmg=", + "lastModified": 1748710831, + "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=", "owner": "Gerg-L", "repo": "mnw", - "rev": "cfbc7d1cc832e318d0863a5fc91d940a96034001", + "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d", "type": "github" }, "original": { @@ -593,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1760493654, - "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", + "lastModified": 1755137329, + "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", + "rev": "d9330bc35048238597880e89fb173799de9db5e9", "type": "github" }, "original": { @@ -665,11 +621,11 @@ ] }, "locked": { - "lastModified": 1760536587, - "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", + "lastModified": 1755171343, + "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", + "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e", "type": "github" }, "original": { @@ -680,11 +636,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759360550, - "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", + "lastModified": 1754002724, + "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", + "rev": "8271ed4b2e366339dd622f329151e45745ade121", "type": "github" }, "original": { @@ -709,13 +665,29 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_10": { "locked": { - "lastModified": 1760479263, - "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", + "lastModified": 1727348695, + "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", + "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1755061300, + "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5", "type": "github" }, "original": { @@ -743,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760548845, - "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", + "lastModified": 1755178357, + "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "631597d659c37aa267eed8334271d5205244195e", + "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4", "type": "github" }, "original": { @@ -775,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", + "lastModified": 1755027561, + "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", + "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", "type": "github" }, "original": { @@ -791,11 +763,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1759386674, - "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", + "lastModified": 1755049066, + "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "625ad6366178f03acd79f9e3822606dd7985b657", + "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a", "type": "github" }, "original": { @@ -807,11 +779,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1760164275, - "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "362791944032cb532aabbeed7887a441496d5e6e", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", "type": "github" }, "original": { @@ -823,11 +795,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", + "lastModified": 1751792365, + "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", + "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", "type": "github" }, "original": { @@ -849,11 +821,11 @@ ] }, "locked": { - "lastModified": 1758998580, - "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", + "lastModified": 1751906969, + "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", "owner": "nix-community", "repo": "NUR", - "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", + "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", "type": "github" }, "original": { @@ -871,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1760153667, - "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", + "lastModified": 1755115677, + "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=", "owner": "notashelf", "repo": "nvf", - "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", + "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe", "type": "github" }, "original": { @@ -894,11 +866,11 @@ ] }, "locked": { - "lastModified": 1759321049, - "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", + "lastModified": 1754501628, + "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", + "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133", "type": "github" }, "original": { @@ -927,18 +899,17 @@ "snowfall-lib": "snowfall-lib", "sops-nix": "sops-nix", "stylix": "stylix", - "terranix": "terranix", "zen-browser": "zen-browser" } }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1760457219, - "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", + "lastModified": 1755004716, + "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", + "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194", "type": "github" }, "original": { @@ -948,27 +919,6 @@ "type": "github" } }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "himmelblau", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760495781, - "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "11e0852a2aa3a65955db5824262d76933750e299", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "snowfall-lib": { "inputs": { "flake-compat": "flake-compat_5", @@ -996,11 +946,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", "type": "github" }, "original": { @@ -1028,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760472212, - "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", + "lastModified": 1755027820, + "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=", "owner": "nix-community", "repo": "stylix", - "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", + "rev": "c592717e9f713bbae5f718c784013d541346363d", "type": "github" }, "original": { @@ -1131,43 +1081,6 @@ "type": "github" } }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "terranix": { - "inputs": { - "flake-parts": "flake-parts_3", - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems_7" - }, - "locked": { - "lastModified": 1757278723, - "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", - "owner": "terranix", - "repo": "terranix", - "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", - "type": "github" - }, - "original": { - "owner": "terranix", - "repo": "terranix", - "type": "github" - } - }, "tinted-foot": { "flake": false, "locked": { @@ -1204,11 +1117,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1757716333, - "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", + "lastModified": 1750770351, + "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=", "owner": "tinted-theming", "repo": "schemes", - "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", + "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a", "type": "github" }, "original": { @@ -1220,11 +1133,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1757811970, - "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", + "lastModified": 1751159871, + "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", + "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c", "type": "github" }, "original": { @@ -1236,11 +1149,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1757811247, - "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", + "lastModified": 1751158968, + "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", + "rev": "86a470d94204f7652b906ab0d378e4231a5b3384", "type": "github" }, "original": { @@ -1251,21 +1164,18 @@ }, "zen-browser": { "inputs": { - "home-manager": "home-manager_2", - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1760466542, - "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", - "owner": "0xc000022070", + "lastModified": 1727721329, + "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", + "owner": "MarceColl", "repo": "zen-browser-flake", - "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", + "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", "type": "github" }, "original": { - "owner": "0xc000022070", + "owner": "MarceColl", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index 8ea1571..d696f4b 100644 --- a/flake.nix +++ b/flake.nix @@ -41,10 +41,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser = { - url = "github:0xc000022070/zen-browser-flake"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + zen-browser.url = "github:MarceColl/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -66,11 +63,11 @@ url = "github:Jovian-Experiments/Jovian-NixOS"; inputs.nixpkgs.follows = "nixpkgs"; }; - + grub2-themes = { url = "github:vinceliuice/grub2-themes"; }; - + nixos-wsl = { url = "github:nix-community/nixos-wsl"; inputs = { @@ -78,11 +75,6 @@ flake-compat.follows = ""; }; }; - - terranix = { - url = "github:terranix/terranix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { @@ -101,15 +93,8 @@ channels-config = { allowUnfree = true; permittedInsecurePackages = [ - # Due to *arr stack "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" - - # I think this is because of zen - "qtwebengine-5.15.19" - - # For Nheko, the matrix client - "olm-3.2.16" ]; }; @@ -121,7 +106,7 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - plasma-manager.homeModules.plasma-manager + plasma-manager.homeManagerModules.plasma-manager ]; }; } diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index 9abe613..cd6fa1a 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -35,7 +35,6 @@ bitwarden.enable = true; discord.enable = true; ladybird.enable = true; - matrix.enable = true; obs.enable = true; onlyoffice.enable = true; signal.enable = true; diff --git a/lib/strings/default.nix b/lib/strings/default.nix deleted file mode 100644 index 52b05e3..0000000 --- a/lib/strings/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ lib, ...}: -let - inherit (builtins) isString typeOf; - inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; -in -{ - strings = { - toSnakeCase = - str: - throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( - str - |> splitStringBy (prev: curr: builtins.match "[a-z]" prev != null && builtins.match "[A-Z]" curr != null) true - |> map (p: toLower p) - |> concatStringsSep "_" - ); - }; -} \ No newline at end of file diff --git a/modules/home/application/matrix/default.nix b/modules/home/application/matrix/default.nix deleted file mode 100644 index 867a94f..0000000 --- a/modules/home/application/matrix/default.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, pkgs, namespace, osConfig ? {}, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.matrix; -in -{ - options.${namespace}.application.matrix = { - enable = mkEnableOption "enable Matrix client (Fractal)"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ fractal element-desktop ]; - - programs.element-desktop = { - enable = true; - }; - }; -} diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index b7cec03..ad4cb92 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -5,61 +5,35 @@ let cfg = config.${namespace}.application.zen; in { - imports = [ - inputs.zen-browser.homeModules.default - ]; - options.${namespace}.application.zen = { enable = mkEnableOption "enable zen"; }; config = mkIf cfg.enable { + home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ]; + home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; programs.zen-browser = { - enable = true; - policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; - - AppAutoUpdate = false; DisableAppUpdate = true; - ManualAppUpdateOnly = true; - DisableFeedbackCommands = true; DisableFirefoxStudies = true; DisablePocket = true; DisableTelemetry = true; - - DontCheckDefaultBrowser = false; + # DontCheckDefaultBrowser = false; NoDefaultBookmarks = true; - OfferToSaveLogins = false; + # OfferToSaveLogins = false; EnableTrackingProtection = { Value = true; Locked = true; Cryptomining = true; Fingerprinting = true; }; - - HttpAllowlist = [ - "http://ulmo" - ]; - }; - - policies.ExtensionSettings = let - mkExtension = id: { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi"; - installation_mode = "force_installed"; - }; - in - { - ublock_origin = 4531307; - ghostry = 4562168; - bitwarden = 4562769; - sponsorblock = 4541835; }; }; }; diff --git a/modules/home/desktop/plasma/default.nix b/modules/home/desktop/plasma/default.nix index 0b679a0..13476fb 100644 --- a/modules/home/desktop/plasma/default.nix +++ b/modules/home/desktop/plasma/default.nix @@ -64,7 +64,7 @@ in }; kwalletrc = { - Wallet.Enabled = true; + Wallet.Enabled = false; }; plasmarc = { diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix index 5f3be03..93bae2e 100644 --- a/modules/home/home-manager/default.nix +++ b/modules/home/home-manager/default.nix @@ -4,9 +4,7 @@ let in { systemd.user.startServices = "sd-switch"; - programs.home-manager = { - enable = true; - }; + programs.home-manager.enable = true; home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); -} +} \ No newline at end of file diff --git a/modules/home/shell/default.nix b/modules/home/shell/default.nix index 9968e54..d1df4cb 100644 --- a/modules/home/shell/default.nix +++ b/modules/home/shell/default.nix @@ -17,7 +17,6 @@ in eza.enable = true; fzf.enable = true; git.enable = true; - just.enable = true; starship.enable = true; tmux.enable = true; yazi.enable = true; diff --git a/modules/home/shell/toolset/git/default.nix b/modules/home/shell/toolset/git/default.nix index 299b2a6..3edfb60 100644 --- a/modules/home/shell/toolset/git/default.nix +++ b/modules/home/shell/toolset/git/default.nix @@ -31,11 +31,9 @@ in package = pkgs.gitFull; difftastic = { enable = true; - options = { - background = "dark"; - color = "always"; - display = "inline"; - }; + background = "dark"; + color = "always"; + display = "inline"; }; ignores = [ diff --git a/modules/home/shell/toolset/just/default.nix b/modules/home/shell/toolset/just/default.nix deleted file mode 100644 index e956b2a..0000000 --- a/modules/home/shell/toolset/just/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkEnableOption mkIf; - - cfg = config.${namespace}.shell.toolset.just; -in -{ - options.${namespace}.shell.toolset.just = { - enable = mkEnableOption "version-control system"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ just gum ]; - }; -} diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index 3fa74b9..276e850 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,9 +31,7 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; - -# targets.qt.platform = mkDefault "kde"; - targets.zen-browser.profileNames = [ "Chris" ]; + targets.qt.platform = mkDefault "kde6"; fonts = { serif = { diff --git a/modules/nixos/desktop/plasma/default.nix b/modules/nixos/desktop/plasma/default.nix index d1e2a28..11c0cd9 100644 --- a/modules/nixos/desktop/plasma/default.nix +++ b/modules/nixos/desktop/plasma/default.nix @@ -12,18 +12,7 @@ in }; config = mkIf cfg.enable { - environment.plasma6.excludePackages = with pkgs.kdePackages; [ - elisa - kmahjongg - kmines - konversation - kpat - ksudoku - konsole - kate - ghostwriter - oxygen - ]; + environment.plasma6.excludePackages = with pkgs.kdePackages; [ konsole kate ghostwriter oxygen ]; environment.sessionVariables.NIXOS_OZONE_WL = "1"; services = { diff --git a/modules/nixos/hardware/gpu/amd/default.nix b/modules/nixos/hardware/gpu/amd/default.nix index cdc9d1e..68db574 100644 --- a/modules/nixos/hardware/gpu/amd/default.nix +++ b/modules/nixos/hardware/gpu/amd/default.nix @@ -17,6 +17,11 @@ in }; amdgpu = { + amdvlk = { + enable = true; + support32Bit.enable = true; + }; + initrd.enable = true; }; }; diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix deleted file mode 100644 index d147d46..0000000 --- a/modules/nixos/home-manager/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - config = { - home-manager.backupFileExtension = "homeManagerBackup"; - }; -} diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index bf96f59..7d1f069 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -1,20 +1,24 @@ { pkgs, lib, namespace, config, ... }: let + inherit (lib) mkIf mkEnableOption; + cfg = config.${namespace}.nix; in { - options.${namespace}.nix = {}; + options.${namespace}.nix = { + enable = mkEnableOption "Enable nix command"; + }; - config = { + config = mkIf cfg.enable { programs.git.enable = true; nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes pipe-operators"; + extraOptions = "experimental-features = nix-command flakes"; settings = { - experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; + experimental-features = [ "nix-command" "flakes" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 59abcf3..a95d849 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,238 +1,22 @@ -{ config, lib, pkgs, namespace, system, inputs, ... }: +{ config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; - inherit (lib.${namespace}.strings) toSnakeCase; + inherit (lib) mkIf mkEnableOption mkForce; cfg = config.${namespace}.services.authentication.zitadel; - database = "zitadel"; + db_name = "zitadel"; + db_user = "zitadel"; in { options.${namespace}.services.authentication.zitadel = { enable = mkEnableOption "Zitadel"; - - organization = mkOption { - type = types.attrsOf (types.submodule { - options = { - isDefault = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - True sets the org as default org for the instance. Only one org can be default org. - Nothing happens if you set it to false until you set another org as default org. - ''; - }; - - project = mkOption { - default = {}; - type = types.attrsOf (types.submodule { - options = { - hasProjectCheck = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - ZITADEL checks if the org of the user has permission to this project. - ''; - }; - - privateLabelingSetting = mkOption { - type = types.nullOr (types.enum [ "unspecified" "enforceProjectResourceOwnerPolicy" "allowLoginUserResourceOwnerPolicy" ]); - default = null; - example = "enforceProjectResourceOwnerPolicy"; - description = '' - Defines from where the private labeling should be triggered, - - supported values: - - unspecified - - enforceProjectResourceOwnerPolicy - - allowLoginUserResourceOwnerPolicy - ''; - }; - - projectRoleAssertion = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - Describes if roles of user should be added in token. - ''; - }; - - projectRoleCheck = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - ZITADEL checks if the user has at least one on this project. - ''; - }; - - application = mkOption { - default = {}; - type = types.attrsOf (types.submodule { - options = { - redirectUris = mkOption { - type = types.nonEmptyListOf types.str; - example = '' - [ "https://example.com/redirect/url" ] - ''; - description = '' - . - ''; - }; - - grantTypes = mkOption { - type = types.nonEmptyListOf (types.enum [ "authorizationCode" "implicit" "refreshToken" "deviceCode" "tokenExchange" ]); - example = '' - [ "authorizationCode" ] - ''; - description = '' - . - ''; - }; - - responseTypes = mkOption { - type = types.nonEmptyListOf (types.enum [ "code" "idToken" "idTokenToken" ]); - example = '' - [ "code" ] - ''; - description = '' - . - ''; - }; - }; - }); - }; - }; - }); - }; - }; - }); - }; }; - config = let - mapRef = type: name: { "${type}Id" = "\${ resource.zitadel_${type}.${toSnakeCase name}.id }"; }; - mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; - - mapValue = type: value: ({ - grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value; - responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value; - }."${type}" or value); - - toResource = name: value: nameValuePair - (toSnakeCase name) - (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); - - withName = name: attrs: attrs // { inherit name; }; - withRef = type: name: attrs: attrs // (mapRef type name); - - select = keys: callback: set: - if (length keys) == 0 then - mapAttrs' callback set - else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; - - config' = config; - - # this is a nix package, the generated json file to be exact - terraformConfiguration = inputs.terranix.lib.terranixConfiguration { - inherit system; - - modules = [ - ({ config, lib, ... }: { - config = { - terraform.required_providers.zitadel = { - source = "zitadel/zitadel"; - version = "2.2.0"; - }; - - provider.zitadel = { - domain = "auth.kruining.eu"; - insecure = "false"; - jwt_profile_file = "/var/lib/zitadel/machine-key.json"; - }; - - resource = { - zitadel_org = cfg.organization |> select [] (name: value: - value - |> getAttrs [ "isDefault" ] - |> withName name - |> toResource name - ); - - zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: - value - |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] - |> withName name - |> withRef "org" org - |> toResource name - ); - - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - value - |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] - |> withName name - |> withRef "org" org - |> withRef "project" project - |> toResource name - ); - - zitadel_smtp_config.default = { - sender_address = "chris@kruining.eu"; - sender_name = "no-reply (Zitadel)"; - tls = true; - host = "black-mail.nl"; - user = "chris@kruining.eu"; - password = "\${file(\"${config'.sops.templates."kaas".path}\")}"; - }; - }; - }; - }) - ]; - }; - in - mkIf cfg.enable { - ${namespace}.services.persistance.postgresql.enable = true; - + config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ zitadel ]; - systemd.tmpfiles.rules = [ - "d /tmp/zitadelApplyTerraform 0755 zitadel zitadel -" - ]; - - systemd.services.zitadelApplyTerraform = { - description = "Zitadel terraform apply"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "zitadel.service" ]; - - script = '' - #!/usr/bin/env bash - - # Copy infra code into workspace - cp -f ${terraformConfiguration} config.tf.json - - # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init - - # Run the infrastructure code - ${lib.getExe pkgs.opentofu} apply -auto-approve - ''; - - serviceConfig = { - Type = "oneshot"; - User = "zitadel"; - Group = "zitadel"; - - WorkingDirectory = "/tmp/zitadelApplyTerraform"; - }; - }; - services = { zitadel = { enable = true; @@ -243,7 +27,7 @@ in settings = { Port = 9092; - ExternalDomain = "auth.kruining.eu"; + ExternalDomain = "auth.amarth.cloud"; ExternalPort = 443; ExternalSecure = true; @@ -257,25 +41,26 @@ in }; DefaultInstance = { - # PasswordComplexityPolicy = { - # MinLength = 0; - # HasLowercase = false; - # HasUppercase = false; - # HasNumber = false; - # HasSymbol = false; - # }; - # LoginPolicy = { - # AllowRegister = false; - # ForceMFA = true; - # }; - # LockoutPolicy = { - # MaxPasswordAttempts = 5; - # MaxOTPAttempts = 10; - # }; + PasswordComplexityPolicy = { + MinLength = 20; + HasLowercase = false; + HasUppercase = false; + HasNumber = false; + HasSymbol = false; + }; + LoginPolicy = { + AllowRegister = false; + ForceMFA = true; + }; + LockoutPolicy = { + MaxPasswordAttempts = 5; + MaxOTPAttempts = 10; + }; SMTPConfiguration = { SMTP = { Host = "black-mail.nl:587"; - User = "chris@kruining.eu"; + User = "info@amarth.cloud"; + Password = "__TODO_USE_SOPS__"; }; FromName = "Amarth Zitadel"; }; @@ -285,9 +70,9 @@ in Host = "localhost"; # Zitadel will report error if port is not set Port = 5432; - Database = database; + Database = db_name; User = { - Username = database; + Username = db_user; SSL.Mode = "disable"; }; Admin = { @@ -298,16 +83,9 @@ in }; steps = { FirstInstance = { - # Not sure, this option seems to be mostly irrelevant - InstanceName = "eu"; - - MachineKeyPath = "/var/lib/zitadel/machine-key.json"; - # PatPath = "/var/lib/zitadel/machine-key.pat"; - # LoginClientPatPath = "/var/lib/zitadel/machine-key.json"; - + InstanceName = "auth.amarth.cloud"; Org = { - Name = "kruining"; - + Name = "Amarth"; Human = { UserName = "chris"; FirstName = "Chris"; @@ -318,49 +96,39 @@ in }; Password = "KaasIsAwesome1!"; }; - - Machine = { - Machine = { - Username = "terraform-service-user"; - Name = "Terraform"; - }; - MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; }; - # Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; }; - }; - - # LoginClient.Machine = { - # Username = "terraform-service-user"; - # Name = "Terraform"; - # }; }; }; }; - extraStepsPaths = [ - config.sops.templates."secrets.yaml".path - ]; }; postgresql = { enable = true; - ensureDatabases = [ database ]; + ensureDatabases = [ db_name ]; ensureUsers = [ { - name = database; + name = db_user; ensureDBOwnership = true; } ]; + authentication = mkForce '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; }; caddy = { enable = true; virtualHosts = { - "auth.kruining.eu".extraConfig = '' - reverse_proxy h2c://::1:9092 + "auth.amarth.cloud".extraConfig = '' + reverse_proxy h2c://127.0.0.1:9092 ''; }; extraConfig = '' - (auth) { - forward_auth h2c://::1:9092 { + (auth-z) { + forward_auth h2c://127.0.0.1:9092 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name } @@ -368,41 +136,12 @@ in ''; }; }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; # Secrets - sops = { - secrets = { - "zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 - }; - - "email/chris_kruining_eu" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; - }; - }; - - templates."secrets.yaml" = { - owner = "zitadel"; - group = "zitadel"; - content = '' - DefaultInstance: - SMTPConfiguration: - SMTP: - Password: ${config.sops.placeholder."email/chris_kruining_eu"} - ''; - }; - - templates."kaas" = { - owner = "zitadel"; - group = "zitadel"; - content = config.sops.placeholder."email/chris_kruining_eu"; - }; + sops.secrets."zitadel/masterKey" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; }; }; } diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix deleted file mode 100644 index fbe5235..0000000 --- a/modules/nixos/services/backup/borg/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.backup.borg; -in -{ - options.${namespace}.services.backup.borg = { - enable = mkEnableOption "Borg Backup"; - }; - - config = mkIf cfg.enable { - services = { - borgbackup.jobs = { - media = { - paths = "/var/media/test"; - encryption.mode = "none"; - environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media"; - compression = "auto,zstd"; - startAt = "daily"; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix deleted file mode 100644 index 38dfe0c..0000000 --- a/modules/nixos/services/communication/matrix/default.nix +++ /dev/null @@ -1,179 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (builtins) toString toJSON; - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.communication.matrix; - - domain = "kruining.eu"; - fqn = "matrix.${domain}"; - port = 4001; - - database = "synapse"; -in -{ - options.${namespace}.services.communication.matrix = { - enable = mkEnableOption "Matrix server (Synapse)"; - }; - - config = mkIf cfg.enable { - ${namespace}.services = { - persistance.postgresql.enable = true; - # virtualisation.podman.enable = true; - }; - - networking.firewall.allowedTCPPorts = [ 4001 ]; - - services = { - matrix-synapse = { - enable = true; - - extras = [ "oidc" ]; - # plugins = with config.services.matrix-synapse.package.plugins; []; - - settings = { - server_name = domain; - public_baseurl = "https://${fqn}"; - - registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; - - url_preview_enabled = true; - precence.enabled = true; - - # Since we'll be using OIDC for auth disable all local options - enable_registration = false; - password_config.enabled = false; - - sso = { - client_whitelist = [ "http://[::1]:9092" ]; - update_profile_information = true; - }; - - oidc_providers = [ - { - discover = true; - - idp_id = "zitadel"; - idp_name = "Zitadel"; - issuer = "https://auth.kruining.eu"; - client_id = "337858153251143939"; - client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; - scopes = [ "openid" "profile" ]; - # user_mapping_provider.config = { - # localpart_template = "{{ user.prefered_username }}"; - # display_name_template = "{{ user.name }}"; - # }; - } - ]; - - database = { - # this is postgresql (also the default, but I prefer to be explicit) - name = "psycopg2"; - args = { - database = database; - user = database; - }; - }; - - listeners = [ - { - bind_addresses = ["::"]; - port = port; - type = "http"; - tls = false; - x_forwarded = true; - - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - }; - - mautrix-signal = { - enable = true; - registerToSynapse = true; - - settings = { - appservice = { - provisioning.enabled = false; - # port = 40011; - }; - - homeserver = { - address = "http://[::1]:${toString port}"; - domain = domain; - }; - - bridge = { - permissions = { - "@chris:${domain}" = "admin"; - }; - }; - }; - }; - - mautrix-whatsapp = { - enable = true; - registerToSynapse = true; - - settings = { - appservice = { - provisioning.enabled = false; - # port = 40012; - }; - - homeserver = { - address = "http://[::1]:${toString port}"; - domain = domain; - }; - - bridge = { - permissions = { - "@chris:${domain}" = "admin"; - }; - }; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = database; - ensureDBOwnership = true; - } - ]; - }; - - caddy = { - enable = true; - virtualHosts = let - server = { - "m.server" = "${fqn}:443"; - }; - client = { - "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.kruining.eu"; - }; - in { - "${domain}".extraConfig = '' - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `${toJSON server}` - respond /.well-known/matrix/client `${toJSON client}` - ''; - "${fqn}".extraConfig = '' - reverse_proxy /_matrix/* http://::1:4001 - reverse_proxy /_synapse/client/* http://::1:4001 - ''; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 46e0995..bdabbd6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,10 +11,7 @@ in }; config = mkIf cfg.enable { - ${namespace}.services = { - persistance.postgresql.enable = true; - virtualisation.podman.enable = true; - }; + ${namespace}.services.virtualisation.podman.enable = true; environment.systemPackages = with pkgs; [ forgejo ]; @@ -94,7 +91,6 @@ in actions = { ENABLED = true; - # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; }; other = { @@ -140,12 +136,10 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://nixos/nix:latest" - "ubuntu:docker://ubuntu:24-bookworm" - "nix:docker://git.amarth.cloud/amarth/runners/default:latest" + "default:docker://node:22-bullseye" ]; settings = { - log.level = "info"; + }; }; }; @@ -158,7 +152,7 @@ in # stupid dumb way to prevent the login page and go to zitadel instead # be aware that this does not disable local login at all! - # rewrite /user/login /user/oauth2/Zitadel + rewrite /user/login /user/oauth2/Zitadel reverse_proxy http://127.0.0.1:5002 ''; diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index bc41fb4..f76e4ae 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -66,73 +66,38 @@ in # Services #========================================================================= services = let - arrService = { + serviceConf = { enable = true; openFirewall = true; - - settings = { - auth.AuthenticationMethod = "External"; - - # postgres = { - # PostgresHost = "localhost"; - # PostgresPort = "5432"; - # PostgresUser = "media"; - # }; - }; - }; - - withPort = port: service: service // { settings.server.Port = builtins.toString port; }; - - withUserAndGroup = service: service // { user = cfg.user; group = cfg.group; }; in { - radarr = - arrService - |> withPort 2001 - |> withUserAndGroup; - - sonarr = - arrService - |> withPort 2002 - |> withUserAndGroup; - - lidarr = - arrService - |> withPort 2003 - |> withUserAndGroup; - - prowlarr = - arrService - |> withPort 2004; - - bazarr = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - listenPort = 2005; - }; - - # port is harcoded in nixpkgs module - jellyfin = { - enable = true; - openFirewall = true; - user = cfg.user; - group = cfg.group; - }; + jellyfin = serviceConf; + radarr = serviceConf; + sonarr = serviceConf; + bazarr = serviceConf; + lidarr = serviceConf; flaresolverr = { enable = true; openFirewall = true; - port = 2007; + }; + + jellyseerr = { + enable = true; + openFirewall = true; + }; + + prowlarr = { + enable = true; + openFirewall = true; }; qbittorrent = { enable = true; openFirewall = true; - webuiPort = 2008; + webuiPort = 5000; serverConfig = { LegalNotice.Accepted = true; @@ -142,7 +107,6 @@ in group = cfg.group; }; - # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; @@ -152,49 +116,46 @@ in group = cfg.group; }; - # postgresql = { - # enable = true; - # ensureDatabases = [ - # "radarr-main" "radarr-log" - # "sonarr-main" "sonarr-log" - # "lidarr-main" "lidarr-log" - # "prowlarr-main" "prowlarr-log" - # ]; - # identMap = '' - # media media radarr-main - # media media radarr-log - # media media sonarr-main - # media media sonarr-log - # media media lidarr-main - # media media lidarr-log - # media media prowlarr-main - # media media prowlarr-log - # ''; - # ensureUsers = [ - # { name = "radarr-main"; ensureDBOwnership = true; } - # { name = "radarr-log"; ensureDBOwnership = true; } - - # { name = "sonarr-main"; ensureDBOwnership = true; } - # { name = "sonarr-log"; ensureDBOwnership = true; } - - # { name = "lidarr-main"; ensureDBOwnership = true; } - # { name = "lidarr-log"; ensureDBOwnership = true; } - - # { name = "prowlarr-main"; ensureDBOwnership = true; } - # { name = "prowlarr-log"; ensureDBOwnership = true; } - # ]; - # }; - caddy = { enable = true; virtualHosts = { + "media.kruining.eu".extraConfig = '' + import auth + + reverse_proxy http://127.0.0.1:9494 + ''; "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://[::1]:8096 + reverse_proxy http://127.0.0.1:8096 ''; }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; + + ${namespace}.services.virtualisation.podman.enable = true; + + virtualisation = { + oci-containers = { + backend = "podman"; + + containers = { + # flaresolverr = { + # image = "flaresolverr/flaresolverr"; + # autoStart = true; + # ports = [ "127.0.0.1:8191:8191" ]; + # }; + + reiverr = { + image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; + autoStart = true; + ports = [ "127.0.0.1:9494:9494" ]; + volumes = [ "${cfg.path}/reiverr/config:/config" ]; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 6969 ]; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix deleted file mode 100644 index 41535cd..0000000 --- a/modules/nixos/services/media/homer/default.nix +++ /dev/null @@ -1,161 +0,0 @@ -{ config, lib, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.media.homer; -in -{ - options.${namespace}.services.media.homer = { - enable = mkEnableOption "Enable homer"; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 2000 ]; - - services = { - homer = { - enable = true; - - virtualHost = { - caddy.enable = true; - domain = "http://:2000"; - }; - - settings = { - title = "Ulmo dashboard"; - - columns = 4; - connectivityCheck = true; - - links = []; - - services = [ - { - name = "Services"; - items = [ - { - name = "Zitadel"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; - tag = "app"; - url = "https://auth.kruining.eu"; - target = "_blank"; - } - - { - name = "Forgejo"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; - tag = "app"; - type = "Gitea"; - url = "https://git.amarth.cloud"; - target = "_blank"; - } - - { - name = "Vaultwarden"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; - type = "Vaultwarden"; - tag = "app"; - url = "https://vault.kruining.eu"; - target = "_blank"; - } - ]; - } - - { - name = "Observability"; - items = [ - { - name = "Grafana"; - type = "Grafana"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; - target = "_blank"; - } - - { - name = "Prometheus"; - type = "Prometheus"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; - target = "_blank"; - } - ]; - } - - { - name = "Media"; - items = [ - { - name = "Jellyfin (Movies)"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; - tag = "app"; - type = "Emby"; - url = "http://${config.networking.hostName}:8096"; - apikey = "e3ceed943eeb409ba8342738db7cc1f5"; - libraryType = "movies"; - target = "_blank"; - } - - { - name = "Radarr"; - type = "Radarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Sonarr"; - type = "Sonarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Lidarr"; - type = "Lidarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Prowlarr"; - type = "Prowlarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "qBittorrent"; - type = "qBittorrent"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; - target = "_blank"; - } - - { - name = "SABnzbd"; - type = "SABnzbd"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:8080"; - target = "_blank"; - } - ]; - } - ]; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index 6503493..c399729 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix @@ -42,9 +42,9 @@ in login_attribute_path = "username"; name_attribute_path = "full_name"; role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; - auth_url = "https://auth.kruining.eu/oauth/v2/authorize"; - token_url = "https://auth.kruining.eu/oauth/v2/token"; - api_url = "https://auth.kruining.eu/oidc/v1/userinfo"; + auth_url = "https://auth.amarth.cloud/oauth/v2/authorize"; + token_url = "https://auth.amarth.cloud/oauth/v2/token"; + api_url = "https://auth.amarth.cloud/oidc/v1/userinfo"; allow_sign_up = true; auto_login = true; use_pkce = true; diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix index d4774ac..8f6e0e3 100644 --- a/modules/nixos/services/observability/loki/default.nix +++ b/modules/nixos/services/observability/loki/default.nix @@ -23,7 +23,7 @@ in common = { ring = { instance_addr = "127.0.0.1"; - kvstore.store = "inmemory"; + kvstore.store = "inmmemory"; }; replication_factor = 1; path_prefix = "/tmp/loki"; diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix index 25aabbd..1f32adc 100644 --- a/modules/nixos/services/observability/promtail/default.nix +++ b/modules/nixos/services/observability/promtail/default.nix @@ -29,11 +29,9 @@ in filename = "filename"; }; - clients = [ - { - url = "http://::1:9003/loki/api/v1/push"; - } - ]; + clients = { + url = "http://127.0.0.1:3100/loki/api/v1/push"; + }; scrape_configs = [ { diff --git a/modules/nixos/services/persistance/convex/default.nix b/modules/nixos/services/persistance/convex/default.nix new file mode 100644 index 0000000..3e01c59 --- /dev/null +++ b/modules/nixos/services/persistance/convex/default.nix @@ -0,0 +1,21 @@ +{ config, pkgs, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.persistance.convex; +in +{ + imports = [ ./source.nix ]; + + options.${namespace}.services.persistance.convex = { + enable = mkEnableOption "enable Convex"; + }; + + config = mkIf cfg.enable { + services.convex = { + enable = true; + package = pkgs.${namespace}.convex; + secret = "ThisIsMyAwesomeSecret"; + }; + }; +} diff --git a/modules/nixos/services/persistance/convex/source.nix b/modules/nixos/services/persistance/convex/source.nix new file mode 100644 index 0000000..c56e3ab --- /dev/null +++ b/modules/nixos/services/persistance/convex/source.nix @@ -0,0 +1,149 @@ +{ config, pkgs, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types; + + cfg = config.services.convex; + + default_user = "convex"; + default_group = "convex"; +in +{ + options.services.convex = { + enable = mkEnableOption "enable Convex (backend only for now)"; + + package = mkPackageOption pkgs "convex" {}; + + name = lib.mkOption { + type = types.str; + default = "convex"; + description = '' + Name for the instance. + ''; + }; + + secret = lib.mkOption { + type = types.str; + default = ""; + description = '' + Secret for the instance. + ''; + }; + + apiPort = mkOption { + type = types.port; + default = 3210; + description = '' + The TCP port to use for the API. + ''; + }; + + actionsPort = mkOption { + type = types.port; + default = 3211; + description = '' + The TCP port to use for the HTTP actions. + ''; + }; + + dashboardPort = mkOption { + type = types.port; + default = 6791; + description = '' + The TCP port to use for the Dashboard. + ''; + }; + + openFirewall = lib.mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for the server. + ''; + }; + + user = lib.mkOption { + type = types.str; + default = default_user; + description = '' + As which user to run the service. + ''; + }; + + group = lib.mkOption { + type = types.str; + default = default_group; + description = '' + As which group to run the service. + ''; + }; + }; + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.secret != ""; + message = '' + No secret provided for convex + ''; + } + ]; + + users = { + users.${cfg.user} = { + description = "System user for convex service"; + isSystemUser = true; + group = cfg.group; + }; + + groups.${cfg.group} = {}; + }; + + networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ]; + + environment.systemPackages = [ cfg.package ]; + + systemd.services.convex = { + description = "Convex Backend server"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}"; + Type = "notify"; + + User = cfg.user; + Group = cfg.group; + + RuntimeDirectory = "convex"; + RuntimeDirectoryMode = "0775"; + StateDirectory = "convex"; + StateDirectoryMode = "0775"; + Umask = "0077"; + + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + LockPersonality = true; + }; + }; + }; +} diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix deleted file mode 100644 index dbd6604..0000000 --- a/modules/nixos/services/persistance/postgesql/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.persistance.postgresql; -in -{ - options.${namespace}.services.persistance.postgresql = { - enable = mkEnableOption "Postgresql"; - }; - - config = mkIf cfg.enable { - services = { - postgresql = { - enable = true; - authentication = '' - # Generated file, do not edit! - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - }; - }; -} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index de50be7..0bb05f7 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -39,7 +39,7 @@ in SSO_ROLES_ENABLED = true; SSO_ORGANIZATIONS_ENABLED = true; SSO_ORGANIZATIONS_REVOCATION = true; - SSO_AUTHORITY = "https://auth.kruining.eu/"; + SSO_AUTHORITY = "https://auth.amarth.cloud/"; SSO_SCOPES = "email profile offline_access"; SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; SSO_CLIENT_ID = "335178854421299459"; @@ -52,9 +52,9 @@ in SMTP_HOST = "black-mail.nl"; SMTP_PORT = 587; SMTP_SECURITY = "starttls"; - SMTP_USERNAME = "chris@kruining.eu"; + SMTP_USERNAME = "info@amarth.cloud"; SMTP_PASSWORD = ""; - SMTP_FROM = "chris@kruining.eu"; + SMTP_FROM = "info@amarth.cloud"; SMTP_FROM_NAME = "Chris' Vaultwarden"; }; }; @@ -76,12 +76,6 @@ in "vault.kruining.eu".extraConfig = '' encode zstd gzip - handle_path /admin { - respond 401 { - close - } - } - reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { header_up X-Real-IP {remote_host} } diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix index 0faf8ce..9b9dc89 100644 --- a/modules/nixos/services/virtualisation/podman/default.nix +++ b/modules/nixos/services/virtualisation/podman/default.nix @@ -12,7 +12,6 @@ in config = mkIf cfg.enable { virtualisation = { containers.enable = true; - oci-containers.backend = "podman"; podman = { enable = true; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index bee7b3c..68ab4ca 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, namespace, inputs, system, ... }: +{ pkgs, config, namespace, inputs, ... }: let cfg = config.${namespace}.system.security.sops; in @@ -13,14 +13,10 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { + defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; - defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml"; - age = { - # keyFile = "~/.config/sops/age/keys.txt"; - # sshKeyPaths = [ "~/.ssh/id_ed25519" ]; - # generateKey = true; - }; + age.keyFile = "/home/"; }; }; } \ No newline at end of file diff --git a/packages/convex/default.nix b/packages/convex/default.nix new file mode 100644 index 0000000..9dab056 --- /dev/null +++ b/packages/convex/default.nix @@ -0,0 +1,59 @@ +{ + lib, + stdenv, + rustPlatform, + fetchFromGitHub, + + # dependencies + openssl, + pkg-config, + cmake, + llvmPackages, + postgresql, + sqlite, + + #options + dbBackend ? "postgresql", + + ... +}: +rustPlatform.buildRustPackage rec { + pname = "convex"; + version = "2025-08-20-c9b561e"; + + src = fetchFromGitHub { + owner = "get-convex"; + repo = "convex-backend"; + rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555"; + hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0="; + }; + + cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho="; + + cargoBuildFlags = [ + "-p" "local_backend" + "--bin" "convex-local-backend" + ]; + + env = { + LIBCLANG_PATH = "${llvmPackages.libclang}/lib"; + }; + + strictDeps = true; + + # Build-time dependencies + nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ]; + + # Run-time dependencies + buildInputs = + [ openssl ] + ++ lib.optional (dbBackend == "sqlite") sqlite + ++ lib.optional (dbBackend == "postgresql") postgresql; + + buildFeatures = ""; + + meta = with lib; { + license = licenses.fsl11Asl20; + mainProgram = "convex"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/manwe/default.nix b/systems/x86_64-linux/manwe/default.nix index c2d9978..76d4e6d 100644 --- a/systems/x86_64-linux/manwe/default.nix +++ b/systems/x86_64-linux/manwe/default.nix @@ -5,8 +5,6 @@ ./hardware.nix ]; - system.activationScripts.remove-gtkrc.text = "rm -f /home/chris/.gtkrc-2.0"; - sneeuwvlok = { hardware.has = { gpu.amd = true; diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index f33ec71..d68db6a 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix @@ -8,7 +8,7 @@ in swapDevices = []; boot.supportedFilesystems = [ "nfs" ]; - + fileSystems = { "/" = { device = "/dev/disk/by-label/nixos"; @@ -26,9 +26,9 @@ in fsType = "nfs"; }; - # "/home/chris/mandos" = { - # device = "mandos:/"; - # fsType = "nfs"; - # }; + "/home/chris/mandos" = { + device = "mandos:/"; + fsType = "nfs"; + }; }; } diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4845e73..13b0f33 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -5,76 +5,16 @@ ./hardware.nix ]; - networking = { - interfaces.enp2s0 = { - ipv6.addresses = [ - { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } - ]; - - useDHCP = true; - }; - - defaultGateway = { - address = "192.168.1.1"; - interface = "enp2s0"; - }; - - defaultGateway6 = { - address = "fe80::1"; - interface = "enp2s0"; - }; - }; - - # Expose amarht cloud stuff like this until I have a proper solution - services.caddy.virtualHosts = { - "auth.amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:9092 - ''; - - "amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:8080 - ''; - }; - sneeuwvlok = { services = { - # authentication.authelia.enable = true; - authentication.zitadel = { - enable = true; - - organization = { - thisIsMyAwesomeOrg = {}; - - nix = { - project = { - ulmo = { - application = { - jellyfin = { - redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; - }; - - forgejo = { - redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; - }; - }; - }; - }; - }; - }; - }; - - communication.matrix.enable = true; + authentication.authelia.enable = true; + authentication.zitadel.enable = true; development.forgejo.enable = true; networking.ssh.enable = true; media.enable = true; - media.homer.enable = true; media.nfs.enable = true; observability = { @@ -84,6 +24,8 @@ promtail.enable = true; }; + persistance.convex.enable = true; + security.vaultwarden.enable = true; }; diff --git a/systems/x86_64-linux/ulmo/disks.nix b/systems/x86_64-linux/ulmo/disks.nix index 0b272f4..a4033f7 100644 --- a/systems/x86_64-linux/ulmo/disks.nix +++ b/systems/x86_64-linux/ulmo/disks.nix @@ -5,7 +5,9 @@ in { # TODO :: Implement disko at some point - swapDevices = []; + swapDevices = [ + { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; } + ]; boot.supportedFilesystems = [ "nfs" ]; diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml deleted file mode 100644 index 6add209..0000000 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ /dev/null @@ -1,30 +0,0 @@ -email: - info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] - chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] - info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] -zitadel: - masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] -sops: - age: - - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx - ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q - cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv - RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK - 6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV - eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS - NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG - TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb - Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:25:59Z" - mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.11.0