diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml deleted file mode 100644 index 684cfad..0000000 --- a/.forgejo/workflows/action.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Test action - -on: - workflow_dispatch: - push: - branches: - - main - -jobs: - kaas: - runs-on: nix - steps: - - name: Echo - run: | - nix --version \ No newline at end of file diff --git a/.gitignore b/.gitignore index 3cb44c3..87a3018 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,2 @@ -# ---> Nix -# Ignore build outputs from performing a nix-build or `nix build` command result -result-* - -# Ignore automatically generated direnv output -.direnv - +*.qcow2 diff --git a/.just/machine.just b/.just/machine.just deleted file mode 100644 index 65d1a7b..0000000 --- a/.just/machine.just +++ /dev/null @@ -1,9 +0,0 @@ -@_default: list - -[doc('List machines')] -@list: - ls -1 ../systems/x86_64-linux/ - -[doc('Update the target machine')] -update machine: - nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }} \ No newline at end of file diff --git a/.just/vars.just b/.just/vars.just deleted file mode 100644 index 46bb5fd..0000000 --- a/.just/vars.just +++ /dev/null @@ -1,28 +0,0 @@ -base_path := invocation_directory() / "systems/x86_64-linux" -sops := "nix shell nixpkgs#sops --command sops" - -@_default: - just --list - -[doc('list all vars of the target machine')] -list machine: - {{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml - -@edit machine: - {{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml - -@set machine key value: - {{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"' - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - - echo "Done" - -@remove machine key: - {{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" - - git add {{ base_path }}/{{ machine }}/secrets.yml - git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null - - echo "Done" \ No newline at end of file diff --git a/.justfile b/.justfile deleted file mode 100644 index 1c9fc03..0000000 --- a/.justfile +++ /dev/null @@ -1,18 +0,0 @@ -@_default: - just --list --list-submodules - -[doc('Manage vars')] -mod vars '.just/vars.just' - -[doc('Manage machines')] -mod machine '.just/machine.just' - -[doc('Show information about project')] -@show: - echo "show" - -[doc('update the flake dependencies')] -@update: - nix flake update - git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null - echo "Done" \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 9e7956c..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,11 +0,0 @@ -keys: - - &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq - - &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - -creation_rules: - # All Machine secrets - - path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$ - key_groups: - - age: - - *ulmo_1 - - *ulmo_2 \ No newline at end of file diff --git a/.sops.yml b/.sops.yml new file mode 100644 index 0000000..2d6e291 --- /dev/null +++ b/.sops.yml @@ -0,0 +1,57 @@ +keys: + - home: + - &chris age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + - system: + - &aule age + - &mandos age + - &manwe age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + - &melkor age + - &orome age + - &tulkas age + - &varda age + - &yavanna age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + +creation_rules: + #=================================================================== + # HOSTS + #=================================================================== + - path_regex: systems/x86_64-linux/aule/secrets.yaml$ + age: *aule + + - path_regex: systems/x86_64-linux/mandos/secrets.yaml$ + age: *mandos + + - path_regex: systems/x86_64-linux/manwe/secrets.yaml$ + key_groups: + - age: + - *manwe + - *yavanna + + - path_regex: systems/x86_64-linux/melkor/secrets.yaml$ + age: *melkor + + - path_regex: systems/x86_64-linux/orome/secrets.yaml$ + age: *orome + + - path_regex: systems/x86_64-linux/tulkas/secrets.yaml$ + age: *tulkas + + - path_regex: systems/x86_64-linux/varda/secrets.yaml$ + age: *varda + + - path_regex: systems/x86_64-linux/yavanna/secrets.yaml$ + age: *yavanna + + #=================================================================== + # USERS + #=================================================================== + - path_regex: homes/x86_64-linux/chris@\w+/secrets.yaml$ + age: *chris + + + + + + + + diff --git a/README.md b/README.md index 2eb75c9..db11887 100644 --- a/README.md +++ b/README.md @@ -18,4 +18,5 @@ nix build .#install-isoConfigurations.minimal - [dafitt/dotfiles](https://github.com/dafitt/dotfiles/) - [khaneliman/khanelinix](https://github.com/khaneliman/khanelinix) +- [alex007sirois/nix-config](https://github.com/alex007sirois/nix-config) (justfile) - [hmajid2301/nixicle](https://gitlab.com/hmajid2301/nixicle) (the GOAT, he did what I am aiming for!) \ No newline at end of file diff --git a/flake.lock b/flake.lock index 935fbaf..ef769ed 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "fromYaml": "fromYaml" }, "locked": { - "lastModified": 1755819240, - "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", + "lastModified": 1746562888, + "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", "owner": "SenchoPens", "repo": "base16.nix", - "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", + "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", "type": "github" }, "original": { @@ -21,17 +21,16 @@ "base16-fish": { "flake": false, "locked": { - "lastModified": 1754405784, - "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=", + "lastModified": 1622559957, + "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", "owner": "tomyun", "repo": "base16-fish", - "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", + "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", "type": "github" }, "original": { "owner": "tomyun", "repo": "base16-fish", - "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", "type": "github" } }, @@ -68,17 +67,37 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "owner": "nix-community", + "repo": "disko", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "erosanix": { "inputs": { "flake-compat": "flake-compat", "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1759842236, - "narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", + "lastModified": 1753879613, + "narHash": "sha256-oYhCJSAIZiu3maM2q6JBzh0+MYd4KTaq5eNFIstUurE=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", + "rev": "0ad38bd182cd737f0f4b878ea04cb3676ecd4000", "type": "github" }, "original": { @@ -95,11 +114,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1760510549, - "narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", + "lastModified": 1754290399, + "narHash": "sha256-KwYm1/FeLqP9uE4Sbw+j2nI2/ErNbc9Mn+LPcrEOpX0=", "owner": "nix-community", "repo": "fenix", - "rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", + "rev": "f53ddf7518d85d59b58df6e9955b25b0ac25f569", "type": "github" }, "original": { @@ -115,11 +134,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1760548798, - "narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", + "lastModified": 1754311269, + "narHash": "sha256-y84Q8qS5acSxl3QsLLGs4DboPhM/AYUMiTsJJZwmQxY=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", + "rev": "5a6856f353975206aec02373c18e8cea3fa6bb75", "type": "github" }, "original": { @@ -131,11 +150,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1758112371, - "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", + "lastModified": 1748383148, + "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", + "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf", "type": "github" }, "original": { @@ -231,11 +250,11 @@ ] }, "locked": { - "lastModified": 1759362264, - "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", + "lastModified": 1753121425, + "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "758cf7296bee11f1706a574c77d072b8a7baa881", + "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", "type": "github" }, "original": { @@ -252,32 +271,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "terranix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", "type": "github" }, "original": { @@ -433,11 +431,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1757136219, - "narHash": "sha256-tKU+vq34KHu/A2wD7WdgP5A4/RCmSD8hB0TyQAUlixA=", + "lastModified": 1753279958, + "narHash": "sha256-EJ1udnwKYgWeAJzncAccbLPtbSWiuIANryXTGI9nY6w=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "80dd04ddf3ba7b284a7b1a5df2b1e95ee2aad606", + "rev": "6c26f99622cb1c705b3fe2dbe1eb88521096b25a", "type": "github" }, "original": { @@ -451,15 +449,14 @@ "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" - ], - "rust-overlay": "rust-overlay" + ] }, "locked": { - "lastModified": 1760546650, - "narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", + "lastModified": 1754075821, + "narHash": "sha256-ihlkNqYsNgJPCDOE2LPpUl/ww3LBKfsxeWs2sivhb10=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", + "rev": "f77821437959ecd67f2fb2b1266e5a644a46d149", "type": "github" }, "original": { @@ -475,32 +472,11 @@ ] }, "locked": { - "lastModified": 1760500983, - "narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", + "lastModified": 1754263839, + "narHash": "sha256-ck7lILfCNuunsLvExPI4Pw9OOCJksxXwozum24W8b+8=", "owner": "nix-community", "repo": "home-manager", - "rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { - "inputs": { - "nixpkgs": [ - "zen-browser", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1752603129, - "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", + "rev": "1d7abbd5454db97e0af51416f4960b3fb64a4773", "type": "github" }, "original": { @@ -517,11 +493,11 @@ ] }, "locked": { - "lastModified": 1760534924, - "narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", + "lastModified": 1754110197, + "narHash": "sha256-N7GWK2084EsNdwzwg6FCIgMrSau1WwzxGSNdPHx5Tak=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "100b4e000032b865563a9754e5bca189bc544764", + "rev": "04ce5c103eb621220d69102bc0ee27c3abd89204", "type": "github" }, "original": { @@ -536,11 +512,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1754828166, - "narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=", + "lastModified": 1754223384, + "narHash": "sha256-pewBF80b4slivTMSeONyOPceyzUUlBLpVOxlGf0hFEY=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "f01c8d121a3100230612be96e4ac668e15eafb77", + "rev": "2d6fee65844e851060a6817984248bcf8358c6b0", "type": "github" }, "original": { @@ -551,11 +527,11 @@ }, "mnw": { "locked": { - "lastModified": 1758834834, - "narHash": "sha256-Y7IvY4F8vajZyp3WGf+KaiIVwondEkMFkt92Cr9NZmg=", + "lastModified": 1748710831, + "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=", "owner": "Gerg-L", "repo": "mnw", - "rev": "cfbc7d1cc832e318d0863a5fc91d940a96034001", + "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d", "type": "github" }, "original": { @@ -593,11 +569,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1760493654, - "narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", + "lastModified": 1754274768, + "narHash": "sha256-bI+Z15bpec7VEnxkrqOG+JX0bFa9CnVeg/uiaf8iiS0=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", + "rev": "b54894d44fbe4d29c081ade695ffdb07bb21b322", "type": "github" }, "original": { @@ -665,11 +641,11 @@ ] }, "locked": { - "lastModified": 1760536587, - "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", + "lastModified": 1754260137, + "narHash": "sha256-IViMH6Fwj8nwO1nuYCqOTpjm9OK9rQ0w8nmoOwPlo98=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", + "rev": "57ba096649fa4e12dc564e8e3c529255baf89b35", "type": "github" }, "original": { @@ -680,11 +656,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759360550, - "narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", + "lastModified": 1751186460, + "narHash": "sha256-tSnI50oYaXOi/SFUmJC+gZ2xE9pAhTnV0D2/3JoKL7g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", + "rev": "dd5540905b1a13176efa13fa2f8dac776bcb275a", "type": "github" }, "original": { @@ -696,11 +672,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1754184128, + "narHash": "sha256-AjhoyBL4eSyXf01Bmc6DiuaMrJRNdWopmdnMY0Pa/M0=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "02e72200e6d56494f4a7c0da8118760736e41b60", "type": "github" }, "original": { @@ -709,13 +685,29 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_10": { "locked": { - "lastModified": 1760479263, - "narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", + "lastModified": 1727348695, + "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", + "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1754284898, + "narHash": "sha256-wzM6HN0xxyooekXfl7p5P4Bn0LieOKOfsLg4DqY7XLk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "114484ca7213ac06fa7907e58dd8ef9d801d39f0", "type": "github" }, "original": { @@ -743,11 +735,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760548845, - "narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", + "lastModified": 1754315431, + "narHash": "sha256-fnVgd+mIJeR/fsaJB11KcTFjoJzLZNglLjVRtAzwcUI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "631597d659c37aa267eed8334271d5205244195e", + "rev": "66023e4de2495a69792a2b72bd131358b824d2e3", "type": "github" }, "original": { @@ -775,11 +767,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", + "lastModified": 1754214453, + "narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", + "rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376", "type": "github" }, "original": { @@ -791,11 +783,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1759386674, - "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", + "lastModified": 1753432016, + "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "625ad6366178f03acd79f9e3822606dd7985b657", + "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", "type": "github" }, "original": { @@ -807,11 +799,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1760164275, - "narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "362791944032cb532aabbeed7887a441496d5e6e", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", "type": "github" }, "original": { @@ -823,11 +815,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1758690382, - "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", + "lastModified": 1751792365, + "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e643668fd71b949c53f8626614b21ff71a07379d", + "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb", "type": "github" }, "original": { @@ -849,11 +841,11 @@ ] }, "locked": { - "lastModified": 1758998580, - "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", + "lastModified": 1751906969, + "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=", "owner": "nix-community", "repo": "NUR", - "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", + "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25", "type": "github" }, "original": { @@ -871,11 +863,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1760153667, - "narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", + "lastModified": 1754137146, + "narHash": "sha256-V2AE32tLNvtYVBuc8ZRbkGjAZGsJchFbNVd6v5JXvg8=", "owner": "notashelf", "repo": "nvf", - "rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", + "rev": "16d396f039ffefabf93b7b3261e2a17e2f84439b", "type": "github" }, "original": { @@ -894,11 +886,11 @@ ] }, "locked": { - "lastModified": 1759321049, - "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", + "lastModified": 1754241118, + "narHash": "sha256-nsBBqbAFB7lUYIh6S6l7fQ/ALDhCckp7+rqbY2767uE=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", + "rev": "968109159b4bbe4386ac281272ddcebeef09ebfc", "type": "github" }, "original": { @@ -909,6 +901,7 @@ }, "root": { "inputs": { + "disko": "disko", "erosanix": "erosanix", "fenix": "fenix", "firefox": "firefox", @@ -927,18 +920,17 @@ "snowfall-lib": "snowfall-lib", "sops-nix": "sops-nix", "stylix": "stylix", - "terranix": "terranix", "zen-browser": "zen-browser" } }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1760457219, - "narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", + "lastModified": 1754218780, + "narHash": "sha256-M+bLCsYRYA7iudlZkeOf+Azm/1TUvihIq51OKia6KJ8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", + "rev": "8d75311400a108d7ffe17dc9c38182c566952e6e", "type": "github" }, "original": { @@ -948,27 +940,6 @@ "type": "github" } }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "himmelblau", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760495781, - "narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "11e0852a2aa3a65955db5824262d76933750e299", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "snowfall-lib": { "inputs": { "flake-compat": "flake-compat_5", @@ -996,11 +967,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", + "lastModified": 1752544651, + "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", + "rev": "2c8def626f54708a9c38a5861866660395bb3461", "type": "github" }, "original": { @@ -1028,11 +999,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760472212, - "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", + "lastModified": 1754264048, + "narHash": "sha256-Yg1W0sFhBpnglfhWGlFmxzSmte1F157luHAADp5Hguk=", "owner": "nix-community", "repo": "stylix", - "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", + "rev": "1b5e1c5642cf96e07daf14ae4c5ddd23d7ed5623", "type": "github" }, "original": { @@ -1131,43 +1102,6 @@ "type": "github" } }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "terranix": { - "inputs": { - "flake-parts": "flake-parts_3", - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems_7" - }, - "locked": { - "lastModified": 1757278723, - "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", - "owner": "terranix", - "repo": "terranix", - "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", - "type": "github" - }, - "original": { - "owner": "terranix", - "repo": "terranix", - "type": "github" - } - }, "tinted-foot": { "flake": false, "locked": { @@ -1204,11 +1138,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1757716333, - "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", + "lastModified": 1750770351, + "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=", "owner": "tinted-theming", "repo": "schemes", - "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", + "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a", "type": "github" }, "original": { @@ -1220,11 +1154,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1757811970, - "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", + "lastModified": 1751159871, + "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", + "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c", "type": "github" }, "original": { @@ -1236,11 +1170,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1757811247, - "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", + "lastModified": 1751158968, + "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", + "rev": "86a470d94204f7652b906ab0d378e4231a5b3384", "type": "github" }, "original": { @@ -1251,21 +1185,18 @@ }, "zen-browser": { "inputs": { - "home-manager": "home-manager_2", - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1760466542, - "narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", - "owner": "0xc000022070", + "lastModified": 1727721329, + "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", + "owner": "MarceColl", "repo": "zen-browser-flake", - "rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", + "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", "type": "github" }, "original": { - "owner": "0xc000022070", + "owner": "MarceColl", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index 8ea1571..fa4895c 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; @@ -24,14 +29,14 @@ url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - - # neovim - nvf.url = "github:notashelf/nvf"; - - # plymouth theme - nixos-boot.url = "github:Melkor333/nixos-boot"; - - firefox.url = "github:nix-community/flake-firefox-nightly"; + + nixos-wsl = { + url = "github:nix-community/nixos-wsl"; + inputs = { + nixpkgs.follows = "nixpkgs"; + flake-compat.follows = ""; + }; + }; stylix.url = "github:nix-community/stylix"; @@ -41,10 +46,13 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser = { - url = "github:0xc000022070/zen-browser-flake"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # neovim + nvf.url = "github:notashelf/nvf"; + + # plymouth theme + nixos-boot.url = "github:Melkor333/nixos-boot"; + + zen-browser.url = "github:MarceColl/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -66,23 +74,10 @@ url = "github:Jovian-Experiments/Jovian-NixOS"; inputs.nixpkgs.follows = "nixpkgs"; }; - + grub2-themes = { url = "github:vinceliuice/grub2-themes"; }; - - nixos-wsl = { - url = "github:nix-community/nixos-wsl"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-compat.follows = ""; - }; - }; - - terranix = { - url = "github:terranix/terranix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = inputs: inputs.snowfall-lib.mkFlake { @@ -101,15 +96,8 @@ channels-config = { allowUnfree = true; permittedInsecurePackages = [ - # Due to *arr stack "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" - - # I think this is because of zen - "qtwebengine-5.15.19" - - # For Nheko, the matrix client - "olm-3.2.16" ]; }; @@ -118,10 +106,10 @@ nix-minecraft.overlay flux.overlays.default ]; - + homes.modules = with inputs; [ stylix.homeModules.stylix - plasma-manager.homeModules.plasma-manager + plasma-manager.homeManagerModules.plasma-manager ]; }; } diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index 9abe613..cd6fa1a 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -35,7 +35,6 @@ bitwarden.enable = true; discord.enable = true; ladybird.enable = true; - matrix.enable = true; obs.enable = true; onlyoffice.enable = true; signal.enable = true; diff --git a/homes/x86_64-linux/chris@manwe/secrets.yaml b/homes/x86_64-linux/chris@manwe/secrets.yaml new file mode 100644 index 0000000..0af2506 --- /dev/null +++ b/homes/x86_64-linux/chris@manwe/secrets.yaml @@ -0,0 +1,21 @@ +user_level_secrets: ENC[AES256_GCM,data:TNT+via+r4bpgROz,iv:cVO6/r4Aovr5uJFhU87mE5XwRJ518y4OJdHo4m92ahM=,tag:jYInD+euh7k1zSnMRppI5Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYVRQTEVSMWM3WXY3eTdW + ZkUwSnNidlJwWGVETURpNUJRRUllYXo4WjNvCmxmN21qVzNFV3N4UVR6WEV1am1W + eW1KTk9HVDluek1BUnBmSGI3Y2ZqaDQKLS0tIHlMYldYMTVORVNWbEgrWlBSanRM + bUZiMHlOU3pxYUhQSTREb0l4TmFlOEkKiasV2H481aJzAvEAvyeWqGYDOW+WKRFX + yyocZDo0o1lHz/gNXoC0/ujU+O3rSXdsy6Qdz6Rm+xeFUfe4KoD4bg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-11T13:21:38Z" + mac: ENC[AES256_GCM,data:kfMcZuYuQqxxfqtyfH7DltSkq8YNz+vroB+ZQKTIpCNC/W6vJP1o23/xLRzdnEgnnH5GfgZQFAK8Am00/bUD2BgEPyXxXNf1lG70ocFbRM9htii92BFfHgfi25zlEqCO7yrudm1HEJyYrFbZnT63H6u1OgWSC38CzEZTBsCE0kU=,iv:feWGBau48s2GSvZjnKPfP2z46SBuHbh//4zzcLv+MTY=,tag:D86akwawLxobhEu2AvBFKg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/justfile b/justfile new file mode 100644 index 0000000..70450dd --- /dev/null +++ b/justfile @@ -0,0 +1,24 @@ +[private] +default: + @just -l + +[doc('Update flake dependencies')] +update: + nix flake update + +[doc('install nixos on a system (uses nix-anywhere) +> profile: Which profile to use +> host: How to reach the target system in the standard format of `user@host` +')] +install profile host: + nix run nixpkgs#nixos-anywhere -- \ + --flake .#{{profile}} \ + --generate-hardware-config nixos-generate-config ./hardware-configuration.nix \ + {{host}} + +[doc('builds the configuration for the host')] +build host: + nh os build . -H {{host}} + +edit-secrets target: + sops --config "{{justfile_directory()}}/.sops.yml" edit "{{justfile_directory()}}/{{ if target =~ ".+@.+" { "homes" } else { "systems" } }}/x86_64-linux/{{target}}/secrets.yaml" \ No newline at end of file diff --git a/lib/strings/default.nix b/lib/strings/default.nix deleted file mode 100644 index 52b05e3..0000000 --- a/lib/strings/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ lib, ...}: -let - inherit (builtins) isString typeOf; - inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map; -in -{ - strings = { - toSnakeCase = - str: - throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" ( - str - |> splitStringBy (prev: curr: builtins.match "[a-z]" prev != null && builtins.match "[A-Z]" curr != null) true - |> map (p: toLower p) - |> concatStringsSep "_" - ); - }; -} \ No newline at end of file diff --git a/modules/home/application/matrix/default.nix b/modules/home/application/matrix/default.nix deleted file mode 100644 index 867a94f..0000000 --- a/modules/home/application/matrix/default.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, pkgs, namespace, osConfig ? {}, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.application.matrix; -in -{ - options.${namespace}.application.matrix = { - enable = mkEnableOption "enable Matrix client (Fractal)"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ fractal element-desktop ]; - - programs.element-desktop = { - enable = true; - }; - }; -} diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index b7cec03..ad4cb92 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -5,61 +5,35 @@ let cfg = config.${namespace}.application.zen; in { - imports = [ - inputs.zen-browser.homeModules.default - ]; - options.${namespace}.application.zen = { enable = mkEnableOption "enable zen"; }; config = mkIf cfg.enable { + home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ]; + home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; programs.zen-browser = { - enable = true; - policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; - - AppAutoUpdate = false; DisableAppUpdate = true; - ManualAppUpdateOnly = true; - DisableFeedbackCommands = true; DisableFirefoxStudies = true; DisablePocket = true; DisableTelemetry = true; - - DontCheckDefaultBrowser = false; + # DontCheckDefaultBrowser = false; NoDefaultBookmarks = true; - OfferToSaveLogins = false; + # OfferToSaveLogins = false; EnableTrackingProtection = { Value = true; Locked = true; Cryptomining = true; Fingerprinting = true; }; - - HttpAllowlist = [ - "http://ulmo" - ]; - }; - - policies.ExtensionSettings = let - mkExtension = id: { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi"; - installation_mode = "force_installed"; - }; - in - { - ublock_origin = 4531307; - ghostry = 4562168; - bitwarden = 4562769; - sponsorblock = 4541835; }; }; }; diff --git a/modules/home/desktop/plasma/default.nix b/modules/home/desktop/plasma/default.nix index 0b679a0..13476fb 100644 --- a/modules/home/desktop/plasma/default.nix +++ b/modules/home/desktop/plasma/default.nix @@ -64,7 +64,7 @@ in }; kwalletrc = { - Wallet.Enabled = true; + Wallet.Enabled = false; }; plasmarc = { diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix index 5f3be03..93bae2e 100644 --- a/modules/home/home-manager/default.nix +++ b/modules/home/home-manager/default.nix @@ -4,9 +4,7 @@ let in { systemd.user.startServices = "sd-switch"; - programs.home-manager = { - enable = true; - }; + programs.home-manager.enable = true; home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); -} +} \ No newline at end of file diff --git a/modules/home/shell/default.nix b/modules/home/shell/default.nix index 9968e54..d1df4cb 100644 --- a/modules/home/shell/default.nix +++ b/modules/home/shell/default.nix @@ -17,7 +17,6 @@ in eza.enable = true; fzf.enable = true; git.enable = true; - just.enable = true; starship.enable = true; tmux.enable = true; yazi.enable = true; diff --git a/modules/home/shell/toolset/git/default.nix b/modules/home/shell/toolset/git/default.nix index 299b2a6..3edfb60 100644 --- a/modules/home/shell/toolset/git/default.nix +++ b/modules/home/shell/toolset/git/default.nix @@ -31,11 +31,9 @@ in package = pkgs.gitFull; difftastic = { enable = true; - options = { - background = "dark"; - color = "always"; - display = "inline"; - }; + background = "dark"; + color = "always"; + display = "inline"; }; ignores = [ diff --git a/modules/home/shell/toolset/just/default.nix b/modules/home/shell/toolset/just/default.nix deleted file mode 100644 index e956b2a..0000000 --- a/modules/home/shell/toolset/just/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkEnableOption mkIf; - - cfg = config.${namespace}.shell.toolset.just; -in -{ - options.${namespace}.shell.toolset.just = { - enable = mkEnableOption "version-control system"; - }; - - config = mkIf cfg.enable { - home.packages = with pkgs; [ just gum ]; - }; -} diff --git a/modules/home/themes/default.nix b/modules/home/themes/default.nix index 3fa74b9..276e850 100644 --- a/modules/home/themes/default.nix +++ b/modules/home/themes/default.nix @@ -31,9 +31,7 @@ in { base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; image = ./${cfg.theme}.jpg; polarity = cfg.polarity; - -# targets.qt.platform = mkDefault "kde"; - targets.zen-browser.profileNames = [ "Chris" ]; + targets.qt.platform = mkDefault "kde6"; fonts = { serif = { diff --git a/modules/nixos/desktop/plasma/default.nix b/modules/nixos/desktop/plasma/default.nix index d1e2a28..11c0cd9 100644 --- a/modules/nixos/desktop/plasma/default.nix +++ b/modules/nixos/desktop/plasma/default.nix @@ -12,18 +12,7 @@ in }; config = mkIf cfg.enable { - environment.plasma6.excludePackages = with pkgs.kdePackages; [ - elisa - kmahjongg - kmines - konversation - kpat - ksudoku - konsole - kate - ghostwriter - oxygen - ]; + environment.plasma6.excludePackages = with pkgs.kdePackages; [ konsole kate ghostwriter oxygen ]; environment.sessionVariables.NIXOS_OZONE_WL = "1"; services = { diff --git a/modules/nixos/hardware/gpu/amd/default.nix b/modules/nixos/hardware/gpu/amd/default.nix index cdc9d1e..68db574 100644 --- a/modules/nixos/hardware/gpu/amd/default.nix +++ b/modules/nixos/hardware/gpu/amd/default.nix @@ -17,6 +17,11 @@ in }; amdgpu = { + amdvlk = { + enable = true; + support32Bit.enable = true; + }; + initrd.enable = true; }; }; diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix deleted file mode 100644 index d147d46..0000000 --- a/modules/nixos/home-manager/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - config = { - home-manager.backupFileExtension = "homeManagerBackup"; - }; -} diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index bf96f59..3104ecd 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -1,11 +1,15 @@ { pkgs, lib, namespace, config, ... }: let + inherit (lib) mkIf mkEnableOption; + cfg = config.${namespace}.nix; in { - options.${namespace}.nix = {}; + options.${namespace}.nix = { + enable = mkEnableOption "Enable nix command"; + }; - config = { + config = mkIf cfg.enable { programs.git.enable = true; nix = { diff --git a/modules/nixos/services/authentication/authelia/default.nix b/modules/nixos/services/authentication/authelia.nix similarity index 90% rename from modules/nixos/services/authentication/authelia/default.nix rename to modules/nixos/services/authentication/authelia.nix index 9990003..e706439 100644 --- a/modules/nixos/services/authentication/authelia/default.nix +++ b/modules/nixos/services/authentication/authelia.nix @@ -130,23 +130,6 @@ in scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; } - { - client_id = "forgejo"; - client_name = "forgejo"; - # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F - client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg"; - public = false; - require_pkce = true; - pkce_challenge_method = "S256"; - token_endpoint_auth_method = "client_secret_post"; - authorization_policy = "one_factor"; - userinfo_signed_response_alg = "none"; - consent_mode = "implicit"; - scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; - response_types = [ "code" ]; - grant_types = [ "authorization_code" ]; - redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; - } ]; }; }; diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix new file mode 100644 index 0000000..c157af7 --- /dev/null +++ b/modules/nixos/services/authentication/default.nix @@ -0,0 +1 @@ +{ ... }: {} diff --git a/modules/nixos/services/authentication/himmelblau/default.nix b/modules/nixos/services/authentication/himmelblau.nix similarity index 100% rename from modules/nixos/services/authentication/himmelblau/default.nix rename to modules/nixos/services/authentication/himmelblau.nix diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel.nix new file mode 100644 index 0000000..6142857 --- /dev/null +++ b/modules/nixos/services/authentication/zitadel.nix @@ -0,0 +1,86 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.authentication.zitadel; + + db_name = "zitadel"; + db_user = "zitadel"; +in +{ + options.${namespace}.services.authentication.zitadel = { + enable = mkEnableOption "Zitadel"; + }; + + config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + zitadel + ]; + + services = { + zitadel = { + enable = true; + openFirewall = true; + masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + tlsMode = "external"; + settings = { + Port = 9092; + Database = { + Host = "/run/postgresql"; + # Zitadel will report error if port is not set + Port = 5432; + Database = db_name; + User.Username = db_user; + }; + }; + steps = { + TestInstance = { + InstanceName = "Zitadel test"; + Org = { + Name = "Kruining.eu"; + Human = { + UserName = "admin"; + Password = "kaas"; + }; + }; + }; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ db_name ]; + ensureUsers = [ + { + name = db_user; + ensureDBOwnership = true; + } + ]; + }; + + caddy = { + enable = true; + virtualHosts = { + "auth-z.kruining.eu".extraConfig = '' + reverse_proxy h2c://127.0.0.1:9092 + ''; + }; + # extraConfig = '' + # (auth) { + # forward_auth h2c://127.0.0.1:9092 { + # uri /api/authz/forward-auth + # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + # } + # } + # ''; + }; + }; + + # Secrets + sops.secrets."zitadel/masterKey" = { + owner = "zitadel"; + group = "zitadel"; + restartUnits = [ "zitadel.service" ]; + }; + }; +} diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix deleted file mode 100644 index 59abcf3..0000000 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ /dev/null @@ -1,408 +0,0 @@ -{ config, lib, pkgs, namespace, system, inputs, ... }: -let - inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; - inherit (lib.${namespace}.strings) toSnakeCase; - - cfg = config.${namespace}.services.authentication.zitadel; - - database = "zitadel"; -in -{ - options.${namespace}.services.authentication.zitadel = { - enable = mkEnableOption "Zitadel"; - - organization = mkOption { - type = types.attrsOf (types.submodule { - options = { - isDefault = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - True sets the org as default org for the instance. Only one org can be default org. - Nothing happens if you set it to false until you set another org as default org. - ''; - }; - - project = mkOption { - default = {}; - type = types.attrsOf (types.submodule { - options = { - hasProjectCheck = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - ZITADEL checks if the org of the user has permission to this project. - ''; - }; - - privateLabelingSetting = mkOption { - type = types.nullOr (types.enum [ "unspecified" "enforceProjectResourceOwnerPolicy" "allowLoginUserResourceOwnerPolicy" ]); - default = null; - example = "enforceProjectResourceOwnerPolicy"; - description = '' - Defines from where the private labeling should be triggered, - - supported values: - - unspecified - - enforceProjectResourceOwnerPolicy - - allowLoginUserResourceOwnerPolicy - ''; - }; - - projectRoleAssertion = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - Describes if roles of user should be added in token. - ''; - }; - - projectRoleCheck = mkOption { - type = types.bool; - default = false; - example = "true"; - description = '' - ZITADEL checks if the user has at least one on this project. - ''; - }; - - application = mkOption { - default = {}; - type = types.attrsOf (types.submodule { - options = { - redirectUris = mkOption { - type = types.nonEmptyListOf types.str; - example = '' - [ "https://example.com/redirect/url" ] - ''; - description = '' - . - ''; - }; - - grantTypes = mkOption { - type = types.nonEmptyListOf (types.enum [ "authorizationCode" "implicit" "refreshToken" "deviceCode" "tokenExchange" ]); - example = '' - [ "authorizationCode" ] - ''; - description = '' - . - ''; - }; - - responseTypes = mkOption { - type = types.nonEmptyListOf (types.enum [ "code" "idToken" "idTokenToken" ]); - example = '' - [ "code" ] - ''; - description = '' - . - ''; - }; - }; - }); - }; - }; - }); - }; - }; - }); - }; - }; - - config = let - mapRef = type: name: { "${type}Id" = "\${ resource.zitadel_${type}.${toSnakeCase name}.id }"; }; - mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}"; - - mapValue = type: value: ({ - grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value; - responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value; - }."${type}" or value); - - toResource = name: value: nameValuePair - (toSnakeCase name) - (lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value); - - withName = name: attrs: attrs // { inherit name; }; - withRef = type: name: attrs: attrs // (mapRef type name); - - select = keys: callback: set: - if (length keys) == 0 then - mapAttrs' callback set - else let key = head keys; in - concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set; - - config' = config; - - # this is a nix package, the generated json file to be exact - terraformConfiguration = inputs.terranix.lib.terranixConfiguration { - inherit system; - - modules = [ - ({ config, lib, ... }: { - config = { - terraform.required_providers.zitadel = { - source = "zitadel/zitadel"; - version = "2.2.0"; - }; - - provider.zitadel = { - domain = "auth.kruining.eu"; - insecure = "false"; - jwt_profile_file = "/var/lib/zitadel/machine-key.json"; - }; - - resource = { - zitadel_org = cfg.organization |> select [] (name: value: - value - |> getAttrs [ "isDefault" ] - |> withName name - |> toResource name - ); - - zitadel_project = cfg.organization |> select [ "project" ] (org: name: value: - value - |> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ] - |> withName name - |> withRef "org" org - |> toResource name - ); - - zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value: - value - |> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ] - |> withName name - |> withRef "org" org - |> withRef "project" project - |> toResource name - ); - - zitadel_smtp_config.default = { - sender_address = "chris@kruining.eu"; - sender_name = "no-reply (Zitadel)"; - tls = true; - host = "black-mail.nl"; - user = "chris@kruining.eu"; - password = "\${file(\"${config'.sops.templates."kaas".path}\")}"; - }; - }; - }; - }) - ]; - }; - in - mkIf cfg.enable { - ${namespace}.services.persistance.postgresql.enable = true; - - environment.systemPackages = with pkgs; [ - zitadel - ]; - - systemd.tmpfiles.rules = [ - "d /tmp/zitadelApplyTerraform 0755 zitadel zitadel -" - ]; - - systemd.services.zitadelApplyTerraform = { - description = "Zitadel terraform apply"; - - wantedBy = [ "multi-user.target" ]; - wants = [ "zitadel.service" ]; - - script = '' - #!/usr/bin/env bash - - # Copy infra code into workspace - cp -f ${terraformConfiguration} config.tf.json - - # Initialize OpenTofu - ${lib.getExe pkgs.opentofu} init - - # Run the infrastructure code - ${lib.getExe pkgs.opentofu} apply -auto-approve - ''; - - serviceConfig = { - Type = "oneshot"; - User = "zitadel"; - Group = "zitadel"; - - WorkingDirectory = "/tmp/zitadelApplyTerraform"; - }; - }; - - services = { - zitadel = { - enable = true; - openFirewall = true; - # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; - masterKeyFile = "/var/lib/zitadel/master_key"; - tlsMode = "external"; - settings = { - Port = 9092; - - ExternalDomain = "auth.kruining.eu"; - ExternalPort = 443; - ExternalSecure = true; - - Metrics.Type = "otel"; - Tracing.Type = "otel"; - Telemetry.Enabled = true; - - SystemDefaults = { - PasswordHasher.Hasher.Algorithm = "argon2id"; - SecretHasher.Hasher.Algorithm = "argon2id"; - }; - - DefaultInstance = { - # PasswordComplexityPolicy = { - # MinLength = 0; - # HasLowercase = false; - # HasUppercase = false; - # HasNumber = false; - # HasSymbol = false; - # }; - # LoginPolicy = { - # AllowRegister = false; - # ForceMFA = true; - # }; - # LockoutPolicy = { - # MaxPasswordAttempts = 5; - # MaxOTPAttempts = 10; - # }; - SMTPConfiguration = { - SMTP = { - Host = "black-mail.nl:587"; - User = "chris@kruining.eu"; - }; - FromName = "Amarth Zitadel"; - }; - }; - - Database.postgres = { - Host = "localhost"; - # Zitadel will report error if port is not set - Port = 5432; - Database = database; - User = { - Username = database; - SSL.Mode = "disable"; - }; - Admin = { - Username = "postgres"; - SSL.Mode = "disable"; - }; - }; - }; - steps = { - FirstInstance = { - # Not sure, this option seems to be mostly irrelevant - InstanceName = "eu"; - - MachineKeyPath = "/var/lib/zitadel/machine-key.json"; - # PatPath = "/var/lib/zitadel/machine-key.pat"; - # LoginClientPatPath = "/var/lib/zitadel/machine-key.json"; - - Org = { - Name = "kruining"; - - Human = { - UserName = "chris"; - FirstName = "Chris"; - LastName = "Kruining"; - Email = { - Address = "chris@kruining.eu"; - Verified = true; - }; - Password = "KaasIsAwesome1!"; - }; - - Machine = { - Machine = { - Username = "terraform-service-user"; - Name = "Terraform"; - }; - MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; }; - # Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; }; - }; - - # LoginClient.Machine = { - # Username = "terraform-service-user"; - # Name = "Terraform"; - # }; - }; - }; - }; - extraStepsPaths = [ - config.sops.templates."secrets.yaml".path - ]; - }; - - postgresql = { - enable = true; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = database; - ensureDBOwnership = true; - } - ]; - }; - - caddy = { - enable = true; - virtualHosts = { - "auth.kruining.eu".extraConfig = '' - reverse_proxy h2c://::1:9092 - ''; - }; - extraConfig = '' - (auth) { - forward_auth h2c://::1:9092 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - } - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - # Secrets - sops = { - secrets = { - "zitadel/masterKey" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0 - }; - - "email/chris_kruining_eu" = { - owner = "zitadel"; - group = "zitadel"; - restartUnits = [ "zitadel.service" ]; - }; - }; - - templates."secrets.yaml" = { - owner = "zitadel"; - group = "zitadel"; - content = '' - DefaultInstance: - SMTPConfiguration: - SMTP: - Password: ${config.sops.placeholder."email/chris_kruining_eu"} - ''; - }; - - templates."kaas" = { - owner = "zitadel"; - group = "zitadel"; - content = config.sops.placeholder."email/chris_kruining_eu"; - }; - }; - }; -} diff --git a/modules/nixos/services/backup/borg/default.nix b/modules/nixos/services/backup/borg/default.nix deleted file mode 100644 index fbe5235..0000000 --- a/modules/nixos/services/backup/borg/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.backup.borg; -in -{ - options.${namespace}.services.backup.borg = { - enable = mkEnableOption "Borg Backup"; - }; - - config = mkIf cfg.enable { - services = { - borgbackup.jobs = { - media = { - paths = "/var/media/test"; - encryption.mode = "none"; - environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4"; - repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media"; - compression = "auto,zstd"; - startAt = "daily"; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/communication/matrix/default.nix b/modules/nixos/services/communication/matrix/default.nix deleted file mode 100644 index 38dfe0c..0000000 --- a/modules/nixos/services/communication/matrix/default.nix +++ /dev/null @@ -1,179 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (builtins) toString toJSON; - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.communication.matrix; - - domain = "kruining.eu"; - fqn = "matrix.${domain}"; - port = 4001; - - database = "synapse"; -in -{ - options.${namespace}.services.communication.matrix = { - enable = mkEnableOption "Matrix server (Synapse)"; - }; - - config = mkIf cfg.enable { - ${namespace}.services = { - persistance.postgresql.enable = true; - # virtualisation.podman.enable = true; - }; - - networking.firewall.allowedTCPPorts = [ 4001 ]; - - services = { - matrix-synapse = { - enable = true; - - extras = [ "oidc" ]; - # plugins = with config.services.matrix-synapse.package.plugins; []; - - settings = { - server_name = domain; - public_baseurl = "https://${fqn}"; - - registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz"; - - url_preview_enabled = true; - precence.enabled = true; - - # Since we'll be using OIDC for auth disable all local options - enable_registration = false; - password_config.enabled = false; - - sso = { - client_whitelist = [ "http://[::1]:9092" ]; - update_profile_information = true; - }; - - oidc_providers = [ - { - discover = true; - - idp_id = "zitadel"; - idp_name = "Zitadel"; - issuer = "https://auth.kruining.eu"; - client_id = "337858153251143939"; - client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH"; - scopes = [ "openid" "profile" ]; - # user_mapping_provider.config = { - # localpart_template = "{{ user.prefered_username }}"; - # display_name_template = "{{ user.name }}"; - # }; - } - ]; - - database = { - # this is postgresql (also the default, but I prefer to be explicit) - name = "psycopg2"; - args = { - database = database; - user = database; - }; - }; - - listeners = [ - { - bind_addresses = ["::"]; - port = port; - type = "http"; - tls = false; - x_forwarded = true; - - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - }; - - mautrix-signal = { - enable = true; - registerToSynapse = true; - - settings = { - appservice = { - provisioning.enabled = false; - # port = 40011; - }; - - homeserver = { - address = "http://[::1]:${toString port}"; - domain = domain; - }; - - bridge = { - permissions = { - "@chris:${domain}" = "admin"; - }; - }; - }; - }; - - mautrix-whatsapp = { - enable = true; - registerToSynapse = true; - - settings = { - appservice = { - provisioning.enabled = false; - # port = 40012; - }; - - homeserver = { - address = "http://[::1]:${toString port}"; - domain = domain; - }; - - bridge = { - permissions = { - "@chris:${domain}" = "admin"; - }; - }; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ database ]; - ensureUsers = [ - { - name = database; - ensureDBOwnership = true; - } - ]; - }; - - caddy = { - enable = true; - virtualHosts = let - server = { - "m.server" = "${fqn}:443"; - }; - client = { - "m.homeserver".base_url = "https://${fqn}"; - "m.identity_server".base_url = "https://auth.kruining.eu"; - }; - in { - "${domain}".extraConfig = '' - header /.well-known/matrix/* Content-Type application/json - header /.well-known/matrix/* Access-Control-Allow-Origin * - respond /.well-known/matrix/server `${toJSON server}` - respond /.well-known/matrix/client `${toJSON client}` - ''; - "${fqn}".extraConfig = '' - reverse_proxy /_matrix/* http://::1:4001 - reverse_proxy /_synapse/client/* http://::1:4001 - ''; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix deleted file mode 100644 index 46e0995..0000000 --- a/modules/nixos/services/development/forgejo/default.nix +++ /dev/null @@ -1,169 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.development.forgejo; - domain = "git.amarth.cloud"; -in -{ - options.${namespace}.services.development.forgejo = { - enable = mkEnableOption "Forgejo"; - }; - - config = mkIf cfg.enable { - ${namespace}.services = { - persistance.postgresql.enable = true; - virtualisation.podman.enable = true; - }; - - environment.systemPackages = with pkgs; [ forgejo ]; - - services = { - forgejo = { - enable = true; - useWizard = false; - database.type = "postgres"; - - settings = { - DEFAULT = { - APP_NAME = "Tamin Amarth"; - APP_SLOGAN = "Where code is forged"; - }; - - server = { - DOMAIN = domain; - ROOT_URL = "https://${domain}/"; - HTTP_PORT = 5002; - LANDING_PAGE = "explore"; - }; - - cors = { - ENABLED = true; - ALLOW_DOMAIN = "https://*.amarth.cloud"; - }; - - security = { - INSTALL_LOCK = true; - PASSWORD_HASH_ALGO = "argon2"; - DISABLE_WEBHOOKS = true; - }; - - ui = { - EXPLORE_PAGING_NUM = 50; - ISSUE_PAGING_NUM = 50; - MEMBERS_PAGING_NUM = 50; - }; - - "ui.meta" = { - AUTHOR = "Where code is forged!"; - DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future"; - }; - - admin = { - USER_DISABLED_FEATURES = "manage_gpg_keys"; - EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys"; - }; - - service = { - # Auth - ENABLE_BASIC_AUTHENTICATION = false; - DISABLE_REGISTRATION = false; - ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - SHOW_REGISTRATION_BUTTON = false; - - # Privacy - DEFAULT_KEEP_EMAIL_PRIVATE = true; - DEFAULT_USER_VISIBILITY = "private"; - DEFAULT_ORG_VISIBILITY = "private"; - - # Common sense - VALID_SITE_URL_SCHEMES = "https"; - }; - - openid = { - ENABLE_OPENID_SIGNIN = true; - ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "https://auth.amarth.cloud"; - }; - - oauth2_client = { - ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = true; - ACCOUNT_LINKING = "auto"; - }; - - actions = { - ENABLED = true; - # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; - }; - - other = { - SHOW_FOOTER_VERSION = false; - SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; - }; - - api = { - ENABLE_SWAGGER = false; - }; - - mirror = { - ENABLED = false; - }; - - session = { - PROVIDER = "db"; - COOKIE_SECURE = true; - }; - - mailer = { - ENABLED = true; - PROTOCOL = "smtp+starttls"; - SMTP_ADDR = "black-mail.nl"; - SMTP_PORT = 587; - FROM = "info@amarth.cloud"; - USER = "info@amarth.cloud"; - PASSWD = "__TODO_USE_SOPS__"; - }; - }; - }; - - openssh.settings.AllowUsers = [ "forgejo" ]; - - gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = "default"; - url = "https://git.amarth.cloud"; - # Obtaining the path to the runner token file may differ - # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - # tokenFile = config.age.secrets.forgejo-runner-token.path; - token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; - labels = [ - "default:docker://nixos/nix:latest" - "ubuntu:docker://ubuntu:24-bookworm" - "nix:docker://git.amarth.cloud/amarth/runners/default:latest" - ]; - settings = { - log.level = "info"; - }; - }; - }; - - caddy = { - enable = true; - virtualHosts = { - ${domain}.extraConfig = '' - # import auth-z - - # stupid dumb way to prevent the login page and go to zitadel instead - # be aware that this does not disable local login at all! - # rewrite /user/login /user/oauth2/Zitadel - - reverse_proxy http://127.0.0.1:5002 - ''; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index bc41fb4..7d76794 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -66,73 +66,33 @@ in # Services #========================================================================= services = let - arrService = { + serviceConf = { enable = true; openFirewall = true; - - settings = { - auth.AuthenticationMethod = "External"; - - # postgres = { - # PostgresHost = "localhost"; - # PostgresPort = "5432"; - # PostgresUser = "media"; - # }; - }; - }; - - withPort = port: service: service // { settings.server.Port = builtins.toString port; }; - - withUserAndGroup = service: service // { user = cfg.user; group = cfg.group; }; in { - radarr = - arrService - |> withPort 2001 - |> withUserAndGroup; + jellyfin = serviceConf; + radarr = serviceConf; + sonarr = serviceConf; + bazarr = serviceConf; + lidarr = serviceConf; - sonarr = - arrService - |> withPort 2002 - |> withUserAndGroup; - - lidarr = - arrService - |> withPort 2003 - |> withUserAndGroup; - - prowlarr = - arrService - |> withPort 2004; - - bazarr = { + jellyseerr = { enable = true; openFirewall = true; - user = cfg.user; - group = cfg.group; - listenPort = 2005; }; - # port is harcoded in nixpkgs module - jellyfin = { + prowlarr = { enable = true; openFirewall = true; - user = cfg.user; - group = cfg.group; - }; - - flaresolverr = { - enable = true; - openFirewall = true; - port = 2007; }; qbittorrent = { enable = true; openFirewall = true; - webuiPort = 2008; + webuiPort = 5000; serverConfig = { LegalNotice.Accepted = true; @@ -142,7 +102,6 @@ in group = cfg.group; }; - # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; @@ -152,49 +111,46 @@ in group = cfg.group; }; - # postgresql = { - # enable = true; - # ensureDatabases = [ - # "radarr-main" "radarr-log" - # "sonarr-main" "sonarr-log" - # "lidarr-main" "lidarr-log" - # "prowlarr-main" "prowlarr-log" - # ]; - # identMap = '' - # media media radarr-main - # media media radarr-log - # media media sonarr-main - # media media sonarr-log - # media media lidarr-main - # media media lidarr-log - # media media prowlarr-main - # media media prowlarr-log - # ''; - # ensureUsers = [ - # { name = "radarr-main"; ensureDBOwnership = true; } - # { name = "radarr-log"; ensureDBOwnership = true; } - - # { name = "sonarr-main"; ensureDBOwnership = true; } - # { name = "sonarr-log"; ensureDBOwnership = true; } - - # { name = "lidarr-main"; ensureDBOwnership = true; } - # { name = "lidarr-log"; ensureDBOwnership = true; } - - # { name = "prowlarr-main"; ensureDBOwnership = true; } - # { name = "prowlarr-log"; ensureDBOwnership = true; } - # ]; - # }; - caddy = { enable = true; virtualHosts = { + "media.kruining.eu".extraConfig = '' + import auth + + reverse_proxy http://127.0.0.1:9494 + ''; "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://[::1]:8096 + reverse_proxy http://127.0.0.1:8096 ''; }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; + + ${namespace}.services.virtualisation.podman.enable = true; + + virtualisation = { + oci-containers = { + backend = "podman"; + + containers = { + flaresolverr = { + image = "flaresolverr/flaresolverr"; + autoStart = true; + ports = [ "127.0.0.1:8191:8191" ]; + }; + + reiverr = { + image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; + autoStart = true; + ports = [ "127.0.0.1:9494:9494" ]; + volumes = [ "${cfg.path}/reiverr/config:/config" ]; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 6969 ]; }; } diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix deleted file mode 100644 index 41535cd..0000000 --- a/modules/nixos/services/media/homer/default.nix +++ /dev/null @@ -1,161 +0,0 @@ -{ config, lib, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.media.homer; -in -{ - options.${namespace}.services.media.homer = { - enable = mkEnableOption "Enable homer"; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 2000 ]; - - services = { - homer = { - enable = true; - - virtualHost = { - caddy.enable = true; - domain = "http://:2000"; - }; - - settings = { - title = "Ulmo dashboard"; - - columns = 4; - connectivityCheck = true; - - links = []; - - services = [ - { - name = "Services"; - items = [ - { - name = "Zitadel"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; - tag = "app"; - url = "https://auth.kruining.eu"; - target = "_blank"; - } - - { - name = "Forgejo"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; - tag = "app"; - type = "Gitea"; - url = "https://git.amarth.cloud"; - target = "_blank"; - } - - { - name = "Vaultwarden"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; - type = "Vaultwarden"; - tag = "app"; - url = "https://vault.kruining.eu"; - target = "_blank"; - } - ]; - } - - { - name = "Observability"; - items = [ - { - name = "Grafana"; - type = "Grafana"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; - target = "_blank"; - } - - { - name = "Prometheus"; - type = "Prometheus"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; - target = "_blank"; - } - ]; - } - - { - name = "Media"; - items = [ - { - name = "Jellyfin (Movies)"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; - tag = "app"; - type = "Emby"; - url = "http://${config.networking.hostName}:8096"; - apikey = "e3ceed943eeb409ba8342738db7cc1f5"; - libraryType = "movies"; - target = "_blank"; - } - - { - name = "Radarr"; - type = "Radarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Sonarr"; - type = "Sonarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Lidarr"; - type = "Lidarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "Prowlarr"; - type = "Prowlarr"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; - target = "_blank"; - } - - { - name = "qBittorrent"; - type = "qBittorrent"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; - target = "_blank"; - } - - { - name = "SABnzbd"; - type = "SABnzbd"; - logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; - tag = "app"; - url = "http://${config.networking.hostName}:8080"; - target = "_blank"; - } - ]; - } - ]; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud.nix similarity index 96% rename from modules/nixos/services/media/nextcloud/default.nix rename to modules/nixos/services/media/nextcloud.nix index 14d6863..658a5b4 100644 --- a/modules/nixos/services/media/nextcloud/default.nix +++ b/modules/nixos/services/media/nextcloud.nix @@ -6,7 +6,7 @@ let cfg = config.${namespace}.services.media.nextcloud; in { - options.${namespace}.services.media.nextcloud = { + options.modules.services.nextcloud = { enable = mkEnableOption "Nextcloud"; user = mkOption { @@ -40,7 +40,7 @@ in services.nextcloud = { enable = true; - # webserver = "caddy"; + webserver = "caddy"; package = pkgs.nextcloud31; hostName = "localhost"; diff --git a/modules/nixos/services/media/nfs/default.nix b/modules/nixos/services/media/nfs.nix similarity index 79% rename from modules/nixos/services/media/nfs/default.nix rename to modules/nixos/services/media/nfs.nix index 54b58e7..7674e69 100644 --- a/modules/nixos/services/media/nfs/default.nix +++ b/modules/nixos/services/media/nfs.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.services.media.nfs; + cfg = config.${namespace}.media.nfs; in { - options.${namespace}.services.media.nfs = { + options.${namespace}.media.nfs = { enable = mkEnableOption "Enable NFS"; }; diff --git a/modules/nixos/services/observability/grafana/dashboards/default.json b/modules/nixos/services/observability/grafana/dashboards/default.json deleted file mode 100644 index f8ea8dc..0000000 --- a/modules/nixos/services/observability/grafana/dashboards/default.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "title": "Default Dash", - "description": "The default dashboard", - "timezone": "browser", - "editable": false, - "panels": [] -} diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix deleted file mode 100644 index 6503493..0000000 --- a/modules/nixos/services/observability/grafana/default.nix +++ /dev/null @@ -1,130 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; - - cfg = config.${namespace}.services.observability.grafana; - - db_user = "grafana"; - db_name = "grafana"; -in -{ - options.${namespace}.services.observability.grafana = { - enable = mkEnableOption "enable Grafana"; - }; - - config = mkIf cfg.enable { - services = { - grafana = { - enable = true; - openFirewall = true; - - settings = { - server = { - http_port = 9001; - http_addr = "0.0.0.0"; - domain = "ulmo"; - }; - - auth = { - disable_login_form = false; - oauth_auto_login = true; - }; - - "auth.basic".enable = false; - "auth.generic_oauth" = { - enable = true; - name = "Zitadel"; - client_id = "334170712283611395"; - client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; - scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; - email_attribute_path = "email"; - login_attribute_path = "username"; - name_attribute_path = "full_name"; - role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; - auth_url = "https://auth.kruining.eu/oauth/v2/authorize"; - token_url = "https://auth.kruining.eu/oauth/v2/token"; - api_url = "https://auth.kruining.eu/oidc/v1/userinfo"; - allow_sign_up = true; - auto_login = true; - use_pkce = true; - usr_refresh_token = true; - allow_assign_grafana_admin = true; - }; - - database = { - type = "postgres"; - host = "/var/run/postgresql:5432"; - name = db_name; - user = db_user; - ssl_mode = "disable"; - }; - - users = { - allow_sign_up = false; - allow_org_create = false; - viewers_can_edit = false; - - default_theme = "system"; - }; - - analytics = { - reporting_enabled = false; - check_for_updates = false; - check_for_plugin_updates = false; - feedback_links_enabled = false; - }; - }; - - provision = { - enable = true; - - dashboards.settings = { - apiVersion = 1; - providers = [ - { - name = "Default Dashboard"; - disableDeletion = true; - allowUiUpdates = false; - options = { - path = "/etc/grafana/dashboards"; - foldersFromFilesStructure = true; - }; - } - ]; - }; - - datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:9005"; - isDefault = true; - editable = false; - } - - { - name = "Loki"; - type = "loki"; - url = "http://localhost:9003"; - editable = false; - } - ]; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - }; - }; - - environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; - }; -} diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix deleted file mode 100644 index d4774ac..0000000 --- a/modules/nixos/services/observability/loki/default.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; - - cfg = config.${namespace}.services.observability.loki; -in -{ - options.${namespace}.services.observability.loki = { - enable = mkEnableOption "enable Grafana Loki"; - }; - - config = mkIf cfg.enable { - services.loki = { - enable = true; - configuration = { - auth_enabled = false; - - server = { - http_listen_port = 9003; - }; - - common = { - ring = { - instance_addr = "127.0.0.1"; - kvstore.store = "inmemory"; - }; - replication_factor = 1; - path_prefix = "/tmp/loki"; - }; - - schema_config.configs = [ - { - from = "2025-01-01"; - store = "tsdb"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - }; - }; - - networking.firewall.allowedTCPPorts = [ 9003 ]; - }; -} diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix deleted file mode 100644 index af5ee9d..0000000 --- a/modules/nixos/services/observability/prometheus/default.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.observability.prometheus; -in -{ - options.${namespace}.services.observability.prometheus = { - enable = mkEnableOption "enable Prometheus"; - }; - - config = mkIf cfg.enable { - services.prometheus = { - enable = true; - port = 9002; - - globalConfig.scrape_interval = "15s"; - - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = [ - { targets = [ "localhost:9002" ]; } - ]; - } - - { - job_name = "node"; - static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } - ]; - } - ]; - - exporters = { - node = { - enable = true; - port = 9005; - enabledCollectors = [ "systemd" ]; - openFirewall = true; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 9002 ]; - }; -} diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix deleted file mode 100644 index 25aabbd..0000000 --- a/modules/nixos/services/observability/promtail/default.nix +++ /dev/null @@ -1,58 +0,0 @@ -{ pkgs, config, lib, namespace, ... }: -let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; - - cfg = config.${namespace}.services.observability.promtail; -in -{ - options.${namespace}.services.observability.promtail = { - enable = mkEnableOption "enable Grafana Promtail"; - }; - - config = mkIf cfg.enable { - services.promtail = { - enable = true; - - # Ensures proper permissions - extraFlags = [ - "-config.expand-env=true" - ]; - - configuration = { - server = { - http_listen_port = 9004; - grpc_listen_port = 0; - }; - - positions = { - filename = "filename"; - }; - - clients = [ - { - url = "http://::1:9003/loki/api/v1/push"; - } - ]; - - scrape_configs = [ - { - job_name = "journal"; - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = "ulmo"; - }; - }; - relabel_configs = [ - { source_labels = [ "__journal__systemd_unit" ]; target_label = "unit"; } - ]; - } - ]; - }; - }; - - networking.firewall.allowedTCPPorts = [ 9004 ]; - }; -} diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix deleted file mode 100644 index dbd6604..0000000 --- a/modules/nixos/services/persistance/postgesql/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, lib, pkgs, namespace, ... }: -let - inherit (lib) mkIf mkEnableOption; - - cfg = config.${namespace}.services.persistance.postgresql; -in -{ - options.${namespace}.services.persistance.postgresql = { - enable = mkEnableOption "Postgresql"; - }; - - config = mkIf cfg.enable { - services = { - postgresql = { - enable = true; - authentication = '' - # Generated file, do not edit! - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; - }; - }; - }; -} diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index de50be7..6870606 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,7 +1,7 @@ { pkgs, config, lib, namespace, ... }: let - inherit (builtins) toString; - inherit (lib) mkIf mkEnableOption; + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; cfg = config.${namespace}.services.security.vaultwarden; in @@ -11,82 +11,18 @@ in }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ - "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" + environment.systemPackages = with pkgs; [ + vaultwarden + vaultwarden-postgresql ]; - services = { - vaultwarden = { - enable = true; - dbBackend = "postgresql"; + services.vaultwarden = { + enable = true; + dbBackend = "postgresql"; - package = pkgs.${namespace}.vaultwarden; - - config = { - SIGNUPS_ALLOWED = false; - DOMAIN = "https://vault.kruining.eu"; - - ADMIN_TOKEN = ""; - - DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; - - WEB_VAULT_ENABLED = true; - - SSO_ENABLED = true; - SSO_ONLY = true; - SSO_PKCE = true; - SSO_AUTH_ONLY_NOT_SESSION = false; - SSO_ROLES_ENABLED = true; - SSO_ORGANIZATIONS_ENABLED = true; - SSO_ORGANIZATIONS_REVOCATION = true; - SSO_AUTHORITY = "https://auth.kruining.eu/"; - SSO_SCOPES = "email profile offline_access"; - SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; - SSO_CLIENT_ID = "335178854421299459"; - SSO_CLIENT_SECRET = ""; - - ROCKET_ADDRESS = "::1"; - ROCKET_PORT = 8222; - ROCKET_LOG = "critical"; - - SMTP_HOST = "black-mail.nl"; - SMTP_PORT = 587; - SMTP_SECURITY = "starttls"; - SMTP_USERNAME = "chris@kruining.eu"; - SMTP_PASSWORD = ""; - SMTP_FROM = "chris@kruining.eu"; - SMTP_FROM_NAME = "Chris' Vaultwarden"; - }; - }; - - postgresql = { - enable = true; - ensureDatabases = [ "vaultwarden" ]; - ensureUsers = [ - { - name = "vaultwarden"; - ensureDBOwnership = true; - } - ]; - }; - - caddy = { - enable = true; - virtualHosts = { - "vault.kruining.eu".extraConfig = '' - encode zstd gzip - - handle_path /admin { - respond 401 { - close - } - } - - reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { - header_up X-Real-IP {remote_host} - } - ''; - }; + config = { + SIGNUPS_ALLOWED = false; + DOMAIN = "https://passwords.kruining.eu"; }; }; }; diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix index 0faf8ce..9b9dc89 100644 --- a/modules/nixos/services/virtualisation/podman/default.nix +++ b/modules/nixos/services/virtualisation/podman/default.nix @@ -12,7 +12,6 @@ in config = mkIf cfg.enable { virtualisation = { containers.enable = true; - oci-containers.backend = "podman"; podman = { enable = true; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index bee7b3c..ebceca3 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, namespace, inputs, system, ... }: +{ pkgs, config, namespace, inputs, ... }: let cfg = config.${namespace}.system.security.sops; in @@ -13,14 +13,10 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFormat = "yaml"; - defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml"; + age.keyFile = "/home/.sops-key.age"; - age = { - # keyFile = "~/.config/sops/age/keys.txt"; - # sshKeyPaths = [ "~/.ssh/id_ed25519" ]; - # generateKey = true; - }; + defaultSopsFile = ../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml; + defaultSopsFormat = "yaml"; }; }; } \ No newline at end of file diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix index b79efbc..6dedf50 100644 --- a/modules/nixos/system/security/sudo/default.nix +++ b/modules/nixos/system/security/sudo/default.nix @@ -14,8 +14,9 @@ in sudo-rs = { enable = true; - execWheelOnly = true; - extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"''; + extraConfig = '' + Defaults env_keep += "EDITOR PATH DISPLAY" + ''; }; }; }; diff --git a/packages/vaultwarden/default.nix b/packages/vaultwarden/default.nix deleted file mode 100644 index 243288b..0000000 --- a/packages/vaultwarden/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }: -rustPlatform.buildRustPackage rec { - pname = "vaultwarden"; - version = "1.34.3"; - - src = fetchFromGitHub { - owner = "Timshel"; - repo = "vaultwarden"; - rev = "1.34.3"; - hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0="; - }; - - cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE="; - - # used for "Server Installed" version in admin panel - env.VW_VERSION = version; - - nativeBuildInputs = [ pkg-config ]; - buildInputs = - [ openssl ] - ++ lib.optional (dbBackend == "postgresql") postgresql; - - buildFeatures = dbBackend; - - meta = with lib; { - license = licenses.agpl3Only; - mainProgram = "vaultwarden"; - }; -} \ No newline at end of file diff --git a/systems/x86_64-linux/manwe/README.md b/systems/x86_64-linux/manwe/README.md index 3bb6746..1da7ab1 100644 --- a/systems/x86_64-linux/manwe/README.md +++ b/systems/x86_64-linux/manwe/README.md @@ -1,8 +1,3 @@ # Description -<<<<<<< HEAD My steambox. -======= -My desktop, reasoning for the name being the following chain of thought: -**Manwe -> the king of the valar -> leader -> desktop is main machine** ->>>>>>> 72b0f6f8fad97a4ade1b54dfada26828a170febf diff --git a/systems/x86_64-linux/manwe/default.nix b/systems/x86_64-linux/manwe/default.nix index c2d9978..76d4e6d 100644 --- a/systems/x86_64-linux/manwe/default.nix +++ b/systems/x86_64-linux/manwe/default.nix @@ -5,8 +5,6 @@ ./hardware.nix ]; - system.activationScripts.remove-gtkrc.text = "rm -f /home/chris/.gtkrc-2.0"; - sneeuwvlok = { hardware.has = { gpu.amd = true; diff --git a/systems/x86_64-linux/manwe/disks.nix b/systems/x86_64-linux/manwe/disks.nix index f33ec71..e3e449f 100644 --- a/systems/x86_64-linux/manwe/disks.nix +++ b/systems/x86_64-linux/manwe/disks.nix @@ -1,34 +1,59 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, pkgs, modulesPath, inputs, ... }: let inherit (lib.modules) mkDefault; in { - # TODO :: Implement disko at some point + imports = [ + inputs.disko.nixosModules.disko + ]; - swapDevices = []; + config = { + swapDevices = []; - boot.supportedFilesystems = [ "nfs" ]; + boot.supportedFilesystems = [ "nfs" ]; - fileSystems = { - "/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; + disko.devices = { + disk = { + main = { + device = "/dev/nvme0"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "100M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; }; + + fileSystems = { + "/home/chris/media" = { + device = "ulmo:/"; + fsType = "nfs"; + }; - "/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; + "/home/chris/mandos" = { + device = "mandos:/"; + fsType = "nfs"; + }; }; - - "/home/chris/media" = { - device = "ulmo:/"; - fsType = "nfs"; - }; - - # "/home/chris/mandos" = { - # device = "mandos:/"; - # fsType = "nfs"; - # }; }; } diff --git a/systems/x86_64-linux/manwe/secrets.yaml b/systems/x86_64-linux/manwe/secrets.yaml new file mode 100644 index 0000000..6e2a986 --- /dev/null +++ b/systems/x86_64-linux/manwe/secrets.yaml @@ -0,0 +1,31 @@ +zitadel: + masterKey: ENC[AES256_GCM,data:iSeZOloWLrdP8S+ac7ubIcv9TF3Sm8Ni,iv:8v3/ratFQ5vq2rbZOUMKfPhVTA9uQY2eFQU4IR8s3VU=,tag:9y90aDQ2PfFT//X2i2YvvA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4R0UyWmx5L3hCbGhQVXI0 + NmpkMThPVlgrRHZZMnFrNTAwbzVTY1F6NEVVCjJaRHdhbHV6R1RJM2JIQzc3dkNu + a01FYlM3b1dXbmxGN2tWU3FMdXMveG8KLS0tIG1SSjNXdXZNN2ZyQ2UyZ0pIZXJJ + NmpMS2oySFE1S1RER3J1RGl4MlRQK00Ks+PcxcHmygYz+a+d0ZrzrdUpTQ50NYkA + aDFbtRtukn9e7i3bGUyD4nisSvs4YjfoQxR/pC8hs4k3f5V2jwDh2w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTN4clFoWDNwU2lpaHBn + M2pVeU5oM0JRNmp6NEJjQ3BHeWlzeSs3bTI0CnBocngvbzZQUXBsMG9Oc2J6dlBT + MjdtaFdmOHg5ZmZmSkViWGJFYThQYXcKLS0tIFRNd2JiVlFTREtDMTdzR2V0SlVo + Q0d5ZDVDM05LdFp4UnB4dFRPUm5vU0UKR/MAONEWaT6XXyPB1IrSIKqW5PZNIbuB + n7QX3DJIzlajtmq+82/wPFPTBkLvSSjV5FKL5ErMwTDndcIn+NlOhQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-11T13:11:00Z" + mac: ENC[AES256_GCM,data:P34YsR/Rvc3q4Os5n9hxonJLCXwifMRnKOCM59h5MRMT/aqjl+QlBX+oUADsqDSrhUscQb3N/UlpFeOT6qg+FmJbT/mYMH6v1xK16VD0M7VWydXpmjDu5If+O89lgDHsiEOGDgeR04jkiaY0yzT9U8l9CND5fMvF3I9o5Z1SZQk=,iv:NgUD8gB2bQa5vh0nb0Ngqp5dn0yqskHudWo8xoVjM4Q=,tag:5oTcnailDCHeMvMLz63e1w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4845e73..7a2540f 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -5,86 +5,10 @@ ./hardware.nix ]; - networking = { - interfaces.enp2s0 = { - ipv6.addresses = [ - { address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; } - ]; - - useDHCP = true; - }; - - defaultGateway = { - address = "192.168.1.1"; - interface = "enp2s0"; - }; - - defaultGateway6 = { - address = "fe80::1"; - interface = "enp2s0"; - }; - }; - - # Expose amarht cloud stuff like this until I have a proper solution - services.caddy.virtualHosts = { - "auth.amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:9092 - ''; - - "amarth.cloud".extraConfig = '' - reverse_proxy http://192.168.1.223:8080 - ''; - }; - sneeuwvlok = { services = { - # authentication.authelia.enable = true; - authentication.zitadel = { - enable = true; - - organization = { - thisIsMyAwesomeOrg = {}; - - nix = { - project = { - ulmo = { - application = { - jellyfin = { - redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; - }; - - forgejo = { - redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ]; - grantTypes = [ "authorizationCode" ]; - responseTypes = [ "code" ]; - }; - }; - }; - }; - }; - }; - }; - - communication.matrix.enable = true; - - development.forgejo.enable = true; - networking.ssh.enable = true; - media.enable = true; - media.homer.enable = true; - media.nfs.enable = true; - - observability = { - grafana.enable = true; - prometheus.enable = true; - loki.enable = true; - promtail.enable = true; - }; - - security.vaultwarden.enable = true; }; editor = { diff --git a/systems/x86_64-linux/ulmo/disks.nix b/systems/x86_64-linux/ulmo/disks.nix index 0b272f4..a4033f7 100644 --- a/systems/x86_64-linux/ulmo/disks.nix +++ b/systems/x86_64-linux/ulmo/disks.nix @@ -5,7 +5,9 @@ in { # TODO :: Implement disko at some point - swapDevices = []; + swapDevices = [ + { device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; } + ]; boot.supportedFilesystems = [ "nfs" ]; diff --git a/systems/x86_64-linux/ulmo/secrets.yml b/systems/x86_64-linux/ulmo/secrets.yml deleted file mode 100644 index 6add209..0000000 --- a/systems/x86_64-linux/ulmo/secrets.yml +++ /dev/null @@ -1,30 +0,0 @@ -email: - info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str] - chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str] - info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str] -zitadel: - masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str] -sops: - age: - - recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx - ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q - cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv - RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK - 6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV - eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS - NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG - TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb - Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-23T14:25:59Z" - mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.11.0