chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: chris:main
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere
..
compare: chris:feature/convex
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere

1 commit
main ... feature/co

Author SHA1 Message Date
Chris Kruining
69ecd4ff89
trying some stuff 2025-09-01 10:07:28 +02:00
45 changed files with 539 additions and 1340 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.forgejo/workflows/action.yml
View file

@ -7,9 +7,10 @@ on:
- main - main
jobs: jobs:
kaas: hello:
runs-on: nix name: Print hello world
runs-on: default
steps: steps:
- name: Echo - name: Echo
run: | run: |
nix --version echo "Hello, world!"

8
.gitignore vendored
View file

@ -1,8 +1,2 @@
# ---> Nix
# Ignore build outputs from performing a nix-build or `nix build` command
result result
result-* *.qcow2
# Ignore automatically generated direnv output
.direnv

9
.just/machine.just
View file

@ -1,9 +0,0 @@
@_default: list
[doc('List machines')]
@list:
ls -1 ../systems/x86_64-linux/
[doc('Update the target machine')]
update machine:
nixos-rebuild switch --use-remote-sudo --target-host {{ machine }} --flake .#{{ machine }}

28
.just/vars.just
View file

@ -1,28 +0,0 @@
base_path := invocation_directory() / "systems/x86_64-linux"
sops := "nix shell nixpkgs#sops --command sops"
@_default:
just --list
[doc('list all vars of the target machine')]
list machine:
{{ sops }} decrypt {{ base_path }}/{{ machine }}/secrets.yml
@edit machine:
{{ sops }} edit {{ base_path }}/{{ machine }}/secrets.yml
@set machine key value:
{{ sops }} set {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')" '"{{ value }}"'
git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'ops(secrets): set secret "{{ key }}" for machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done"
@remove machine key:
{{ sops }} unset {{ base_path }}/{{ machine }}/secrets.yml "$(printf '%s\n' '["{{ key }}"]' | sed -E 's#/#"]["#g; s/\["([0-9]+)"\]/[\1]/g')"
git add {{ base_path }}/{{ machine }}/secrets.yml
git commit -m 'ops(secrets): removed secret "{{ key }}" from machine "{{ machine}}"' -- {{ base_path }}/{{ machine }}/secrets.yml > /dev/null
echo "Done"

18
.justfile
View file

@ -1,18 +0,0 @@
@_default:
just --list --list-submodules
[doc('Manage vars')]
mod vars '.just/vars.just'
[doc('Manage machines')]
mod machine '.just/machine.just'
[doc('Show information about project')]
@show:
echo "show"
[doc('update the flake dependencies')]
@update:
nix flake update
git commit -m 'chore: update dependencies' -- ./flake.lock > /dev/null
echo "Done"

11
.sops.yaml
View file

@ -1,11 +0,0 @@
keys:
- &ulmo_1 age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
- &ulmo_2 age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
creation_rules:
# All Machine secrets
- path_regex: systems/[^/]+/[^/]+/[^/]+\.(yml|yaml)$
key_groups:
- age:
- *ulmo_1
- *ulmo_2

8
.sops.yml Normal file
View file

@ -0,0 +1,8 @@
keys:
- &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
creation_rules:
- path_regex: secrets/secrets.yml$
key_groups:
- age:
- *primary

30
_secrets/secrets.yaml Normal file
View file

@ -0,0 +1,30 @@
#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
example:
my_subdir:
my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T11:37:49Z"
mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
zitadel:
masterKey: thisWillBeAnEncryptedValueInTheFuture

324
flake.lock generated
View file

@ -5,11 +5,11 @@
"fromYaml": "fromYaml" "fromYaml": "fromYaml"
}, },
"locked": { "locked": {
"lastModified": 1755819240, "lastModified": 1746562888,
"narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=", "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=",
"owner": "SenchoPens", "owner": "SenchoPens",
"repo": "base16.nix", "repo": "base16.nix",
"rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6", "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -21,17 +21,16 @@
"base16-fish": { "base16-fish": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1754405784, "lastModified": 1622559957,
"narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=", "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
"owner": "tomyun", "owner": "tomyun",
"repo": "base16-fish", "repo": "base16-fish",
"rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561", "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "tomyun", "owner": "tomyun",
"repo": "base16-fish", "repo": "base16-fish",
"rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
"type": "github" "type": "github"
} }
}, },
@ -74,11 +73,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1759842236, "lastModified": 1755108317,
"narHash": "sha256-JNFyiEDo1wS+mjNAEM8Q2jjvHQzQt+3hnuP1srIdFeM=", "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=",
"owner": "emmanuelrosa", "owner": "emmanuelrosa",
"repo": "erosanix", "repo": "erosanix",
"rev": "df8a29239b2459d6ee7373be8133d9aa7d6f6d1a", "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -95,11 +94,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1760510549, "lastModified": 1755153894,
"narHash": "sha256-NP+kmLMm7zSyv4Fufv+eSJXyqjLMUhUfPT6lXRlg/bU=", "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "ef7178cf086f267113b5c48fdeb6e510729c8214", "rev": "f6874c6e512bc69d881d979a45379b988b80a338",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -115,11 +114,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1760548798, "lastModified": 1755083788,
"narHash": "sha256-LbqqHQklp58hKCO6IMcslsqX0mR32775PG3Z+k2GcwU=", "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "flake-firefox-nightly", "repo": "flake-firefox-nightly",
"rev": "fdd8c18c8d3497d267c0750ef08678d32a2dd753", "rev": "523078b104590da5850a61dfe291650a6b49809c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -131,11 +130,11 @@
"firefox-gnome-theme": { "firefox-gnome-theme": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1758112371, "lastModified": 1748383148,
"narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=", "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=",
"owner": "rafaelmardojai", "owner": "rafaelmardojai",
"repo": "firefox-gnome-theme", "repo": "firefox-gnome-theme",
"rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d", "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -231,11 +230,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759362264, "lastModified": 1754487366,
"narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -252,32 +251,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1756770412, "lastModified": 1751413152,
"narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "4524271976b625a4a605beefd893f270620fd751", "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"terranix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -433,11 +411,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1757136219, "lastModified": 1755072091,
"narHash": "sha256-tKU+vq34KHu/A2wD7WdgP5A4/RCmSD8hB0TyQAUlixA=", "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=",
"owner": "vinceliuice", "owner": "vinceliuice",
"repo": "grub2-themes", "repo": "grub2-themes",
"rev": "80dd04ddf3ba7b284a7b1a5df2b1e95ee2aad606", "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -451,15 +429,14 @@
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1760546650, "lastModified": 1754593854,
"narHash": "sha256-ByUcM+gMEob6uWpDt6AAg/v4eX9yvpgOPX6KyHd9/BE=", "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=",
"owner": "himmelblau-idm", "owner": "himmelblau-idm",
"repo": "himmelblau", "repo": "himmelblau",
"rev": "ba54075737cb9c688cfadde8048f83371dbaba8d", "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -475,32 +452,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760500983, "lastModified": 1755121891,
"narHash": "sha256-zfY4F4CpeUjTGgecIJZ+M7vFpwLc0Gm9epM/iMQd4w8=", "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c53e65ec92f38d30e3c14f8d628ab55d462947aa", "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"zen-browser",
"nixpkgs"
]
},
"locked": {
"lastModified": 1752603129,
"narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -517,11 +473,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760534924, "lastModified": 1755151620,
"narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=",
"owner": "Jovian-Experiments", "owner": "Jovian-Experiments",
"repo": "Jovian-NixOS", "repo": "Jovian-NixOS",
"rev": "100b4e000032b865563a9754e5bca189bc544764", "rev": "16e12d22754d97064867006acae6e16da7a142a6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -551,11 +507,11 @@
}, },
"mnw": { "mnw": {
"locked": { "locked": {
"lastModified": 1758834834, "lastModified": 1748710831,
"narHash": "sha256-Y7IvY4F8vajZyp3WGf+KaiIVwondEkMFkt92Cr9NZmg=", "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
"owner": "Gerg-L", "owner": "Gerg-L",
"repo": "mnw", "repo": "mnw",
"rev": "cfbc7d1cc832e318d0863a5fc91d940a96034001", "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -593,11 +549,11 @@
"nixpkgs": "nixpkgs_5" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1760493654, "lastModified": 1755137329,
"narHash": "sha256-DRJZnMoBw+p6o0XjaAOfAJjwr4s93d1+eCsCRsAP/jY=", "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "4ca5164f23948b4b5429d8fdcddc142079c6aa6b", "rev": "d9330bc35048238597880e89fb173799de9db5e9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -665,11 +621,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760536587, "lastModified": 1755171343,
"narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-wsl", "repo": "nixos-wsl",
"rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -680,11 +636,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1759360550, "lastModified": 1754002724,
"narHash": "sha256-feL8xklo97a8o8ISOszUU2tfHskJdu3zKbpcltzSblw=", "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "28b8fe20c34f94a537f71950a9b0c1dc7224d036", "rev": "8271ed4b2e366339dd622f329151e45745ade121",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -709,13 +665,29 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_10": {
"locked": { "locked": {
"lastModified": 1760479263, "lastModified": 1727348695,
"narHash": "sha256-eoVGUqcMyDeT/VwjczlZu7rhrE9wkj3ErWjJhB4Zjpg=", "narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "20158056cdd0dd06bfbd04fd1e686d09fbef3db5", "rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1755061300,
"narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -743,11 +715,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1760548845, "lastModified": 1755178357,
"narHash": "sha256-41gkEmco/WLdEkeCKVRalOpx19e0/VgfS7N9n+DasHs=", "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "631597d659c37aa267eed8334271d5205244195e", "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -775,11 +747,11 @@
}, },
"nixpkgs_6": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1760284886, "lastModified": 1755027561,
"narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -791,11 +763,11 @@
}, },
"nixpkgs_7": { "nixpkgs_7": {
"locked": { "locked": {
"lastModified": 1759386674, "lastModified": 1755049066,
"narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=", "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "625ad6366178f03acd79f9e3822606dd7985b657", "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -807,11 +779,11 @@
}, },
"nixpkgs_8": { "nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1760164275, "lastModified": 1744868846,
"narHash": "sha256-gKl2Gtro/LNf8P+4L3S2RsZ0G390ccd5MyXYrTdMCFE=", "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "362791944032cb532aabbeed7887a441496d5e6e", "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -823,11 +795,11 @@
}, },
"nixpkgs_9": { "nixpkgs_9": {
"locked": { "locked": {
"lastModified": 1758690382, "lastModified": 1751792365,
"narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e643668fd71b949c53f8626614b21ff71a07379d", "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -849,11 +821,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758998580, "lastModified": 1751906969,
"narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=", "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728", "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -871,11 +843,11 @@
"systems": "systems_4" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1760153667, "lastModified": 1755115677,
"narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=",
"owner": "notashelf", "owner": "notashelf",
"repo": "nvf", "repo": "nvf",
"rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -894,11 +866,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759321049, "lastModified": 1754501628,
"narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=", "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "plasma-manager", "repo": "plasma-manager",
"rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd", "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -927,18 +899,17 @@
"snowfall-lib": "snowfall-lib", "snowfall-lib": "snowfall-lib",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"stylix": "stylix", "stylix": "stylix",
"terranix": "terranix",
"zen-browser": "zen-browser" "zen-browser": "zen-browser"
} }
}, },
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1760457219, "lastModified": 1755004716,
"narHash": "sha256-WJOUGx42hrhmvvYcGkwea+BcJuQJLcns849OnewQqX4=", "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "8747cf81540bd1bbbab9ee2702f12c33aa887b46", "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -948,27 +919,6 @@
"type": "github" "type": "github"
} }
}, },
"rust-overlay": {
"inputs": {
"nixpkgs": [
"himmelblau",
"nixpkgs"
]
},
"locked": {
"lastModified": 1760495781,
"narHash": "sha256-3OGPAQNJswy6L4VJyX3U9/z7fwgPFvK6zQtB2NHBV0Y=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "11e0852a2aa3a65955db5824262d76933750e299",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"snowfall-lib": { "snowfall-lib": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_5", "flake-compat": "flake-compat_5",
@ -996,11 +946,11 @@
"nixpkgs": "nixpkgs_8" "nixpkgs": "nixpkgs_8"
}, },
"locked": { "locked": {
"lastModified": 1760393368, "lastModified": 1754988908,
"narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1028,11 +978,11 @@
"tinted-zed": "tinted-zed" "tinted-zed": "tinted-zed"
}, },
"locked": { "locked": {
"lastModified": 1760472212, "lastModified": 1755027820,
"narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "stylix", "repo": "stylix",
"rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", "rev": "c592717e9f713bbae5f718c784013d541346363d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1131,43 +1081,6 @@
"type": "github" "type": "github"
} }
}, },
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"terranix": {
"inputs": {
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_7"
},
"locked": {
"lastModified": 1757278723,
"narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=",
"owner": "terranix",
"repo": "terranix",
"rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix",
"type": "github"
}
},
"tinted-foot": { "tinted-foot": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -1204,11 +1117,11 @@
"tinted-schemes": { "tinted-schemes": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1757716333, "lastModified": 1750770351,
"narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=", "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "schemes", "repo": "schemes",
"rev": "317a5e10c35825a6c905d912e480dfe8e71c7559", "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1220,11 +1133,11 @@
"tinted-tmux": { "tinted-tmux": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1757811970, "lastModified": 1751159871,
"narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=", "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "tinted-tmux", "repo": "tinted-tmux",
"rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e", "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1236,11 +1149,11 @@
"tinted-zed": { "tinted-zed": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1757811247, "lastModified": 1751158968,
"narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=", "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "base16-zed", "repo": "base16-zed",
"rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e", "rev": "86a470d94204f7652b906ab0d378e4231a5b3384",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1251,21 +1164,18 @@
}, },
"zen-browser": { "zen-browser": {
"inputs": { "inputs": {
"home-manager": "home-manager_2", "nixpkgs": "nixpkgs_10"
"nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1760466542, "lastModified": 1727721329,
"narHash": "sha256-q2QZhrrjHbvW4eFzoEGkj/wUHNU6bVGPyflurx5ka6U=", "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=",
"owner": "0xc000022070", "owner": "MarceColl",
"repo": "zen-browser-flake", "repo": "zen-browser-flake",
"rev": "3446bcbf5f46ecb18e82244888730c4983c30b22", "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "0xc000022070", "owner": "MarceColl",
"repo": "zen-browser-flake", "repo": "zen-browser-flake",
"type": "github" "type": "github"
} }

19
flake.nix
View file

@ -41,10 +41,7 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
zen-browser = { zen-browser.url = "github:MarceColl/zen-browser-flake";
url = "github:0xc000022070/zen-browser-flake";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
@ -78,11 +75,6 @@
flake-compat.follows = ""; flake-compat.follows = "";
}; };
}; };
terranix = {
url = "github:terranix/terranix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = inputs: inputs.snowfall-lib.mkFlake { outputs = inputs: inputs.snowfall-lib.mkFlake {
@ -101,15 +93,8 @@
channels-config = { channels-config = {
allowUnfree = true; allowUnfree = true;
permittedInsecurePackages = [ permittedInsecurePackages = [
# Due to *arr stack
"dotnet-sdk-6.0.428" "dotnet-sdk-6.0.428"
"aspnetcore-runtime-6.0.36" "aspnetcore-runtime-6.0.36"
# I think this is because of zen
"qtwebengine-5.15.19"
# For Nheko, the matrix client
"olm-3.2.16"
]; ];
}; };
@ -121,7 +106,7 @@
homes.modules = with inputs; [ homes.modules = with inputs; [
stylix.homeModules.stylix stylix.homeModules.stylix
plasma-manager.homeModules.plasma-manager plasma-manager.homeManagerModules.plasma-manager
]; ];
}; };
} }

1
homes/x86_64-linux/chris@manwe/default.nix
View file

@ -35,7 +35,6 @@
bitwarden.enable = true; bitwarden.enable = true;
discord.enable = true; discord.enable = true;
ladybird.enable = true; ladybird.enable = true;
matrix.enable = true;
obs.enable = true; obs.enable = true;
onlyoffice.enable = true; onlyoffice.enable = true;
signal.enable = true; signal.enable = true;

17
lib/strings/default.nix
View file

@ -1,17 +0,0 @@
{ lib, ...}:
let
inherit (builtins) isString typeOf;
inherit (lib) throwIfNot concatStringsSep splitStringBy toLower map;
in
{
strings = {
toSnakeCase =
str:
throwIfNot (isString str) "toSnakeCase only accepts string values, but got ${typeOf str}" (
str
|> splitStringBy (prev: curr: builtins.match "[a-z]" prev != null && builtins.match "[A-Z]" curr != null) true
|> map (p: toLower p)
|> concatStringsSep "_"
);
};
}

19
modules/home/application/matrix/default.nix
View file

@ -1,19 +0,0 @@
{ config, lib, pkgs, namespace, osConfig ? {}, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.application.matrix;
in
{
options.${namespace}.application.matrix = {
enable = mkEnableOption "enable Matrix client (Fractal)";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ fractal element-desktop ];
programs.element-desktop = {
enable = true;
};
};
}

34
modules/home/application/zen/default.nix
View file

@ -5,61 +5,35 @@ let
cfg = config.${namespace}.application.zen; cfg = config.${namespace}.application.zen;
in in
{ {
imports = [
inputs.zen-browser.homeModules.default
];
options.${namespace}.application.zen = { options.${namespace}.application.zen = {
enable = mkEnableOption "enable zen"; enable = mkEnableOption "enable zen";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ];
home.sessionVariables = { home.sessionVariables = {
MOZ_ENABLE_WAYLAND = "1"; MOZ_ENABLE_WAYLAND = "1";
}; };
programs.zen-browser = { programs.zen-browser = {
enable = true;
policies = { policies = {
AutofillAddressEnabled = true; AutofillAddressEnabled = true;
AutofillCreditCardEnabled = false; AutofillCreditCardEnabled = false;
AppAutoUpdate = false;
DisableAppUpdate = true; DisableAppUpdate = true;
ManualAppUpdateOnly = true;
DisableFeedbackCommands = true; DisableFeedbackCommands = true;
DisableFirefoxStudies = true; DisableFirefoxStudies = true;
DisablePocket = true; DisablePocket = true;
DisableTelemetry = true; DisableTelemetry = true;
# DontCheckDefaultBrowser = false;
DontCheckDefaultBrowser = false;
NoDefaultBookmarks = true; NoDefaultBookmarks = true;
OfferToSaveLogins = false; # OfferToSaveLogins = false;
EnableTrackingProtection = { EnableTrackingProtection = {
Value = true; Value = true;
Locked = true; Locked = true;
Cryptomining = true; Cryptomining = true;
Fingerprinting = true; Fingerprinting = true;
}; };
HttpAllowlist = [
"http://ulmo"
];
};
policies.ExtensionSettings = let
mkExtension = id: {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi";
installation_mode = "force_installed";
};
in
{
ublock_origin = 4531307;
ghostry = 4562168;
bitwarden = 4562769;
sponsorblock = 4541835;
}; };
}; };
}; };

2
modules/home/desktop/plasma/default.nix
View file

@ -64,7 +64,7 @@ in
}; };
kwalletrc = { kwalletrc = {
Wallet.Enabled = true; Wallet.Enabled = false;
}; };
plasmarc = { plasmarc = {

4
modules/home/home-manager/default.nix
View file

@ -4,9 +4,7 @@ let
in in
{ {
systemd.user.startServices = "sd-switch"; systemd.user.startServices = "sd-switch";
programs.home-manager = { programs.home-manager.enable = true;
enable = true;
};
home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05");
} }

1
modules/home/shell/default.nix
View file

@ -17,7 +17,6 @@ in
eza.enable = true; eza.enable = true;
fzf.enable = true; fzf.enable = true;
git.enable = true; git.enable = true;
just.enable = true;
starship.enable = true; starship.enable = true;
tmux.enable = true; tmux.enable = true;
yazi.enable = true; yazi.enable = true;

2
modules/home/shell/toolset/git/default.nix
View file

@ -31,12 +31,10 @@ in
package = pkgs.gitFull; package = pkgs.gitFull;
difftastic = { difftastic = {
enable = true; enable = true;
options = {
background = "dark"; background = "dark";
color = "always"; color = "always";
display = "inline"; display = "inline";
}; };
};
ignores = [ ignores = [
# General: # General:

15
modules/home/shell/toolset/just/default.nix
View file

@ -1,15 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.${namespace}.shell.toolset.just;
in
{
options.${namespace}.shell.toolset.just = {
enable = mkEnableOption "version-control system";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ just gum ];
};
}

4
modules/home/themes/default.nix
View file

@ -31,9 +31,7 @@ in {
base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml"; base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml";
image = ./${cfg.theme}.jpg; image = ./${cfg.theme}.jpg;
polarity = cfg.polarity; polarity = cfg.polarity;
targets.qt.platform = mkDefault "kde6";
# targets.qt.platform = mkDefault "kde";
targets.zen-browser.profileNames = [ "Chris" ];
fonts = { fonts = {
serif = { serif = {

13
modules/nixos/desktop/plasma/default.nix
View file

@ -12,18 +12,7 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.plasma6.excludePackages = with pkgs.kdePackages; [ environment.plasma6.excludePackages = with pkgs.kdePackages; [ konsole kate ghostwriter oxygen ];
elisa
kmahjongg
kmines
konversation
kpat
ksudoku
konsole
kate
ghostwriter
oxygen
];
environment.sessionVariables.NIXOS_OZONE_WL = "1"; environment.sessionVariables.NIXOS_OZONE_WL = "1";
services = { services = {

5
modules/nixos/hardware/gpu/amd/default.nix
View file

@ -17,6 +17,11 @@ in
}; };
amdgpu = { amdgpu = {
amdvlk = {
enable = true;
support32Bit.enable = true;
};
initrd.enable = true; initrd.enable = true;
}; };
}; };

6
modules/nixos/home-manager/default.nix
View file

@ -1,6 +0,0 @@
{ ... }:
{
config = {
home-manager.backupFileExtension = "homeManagerBackup";
};
}

12
modules/nixos/nix/default.nix
View file

@ -1,20 +1,24 @@
{ pkgs, lib, namespace, config, ... }: { pkgs, lib, namespace, config, ... }:
let let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.nix; cfg = config.${namespace}.nix;
in in
{ {
options.${namespace}.nix = {}; options.${namespace}.nix = {
enable = mkEnableOption "Enable nix command";
};
config = { config = mkIf cfg.enable {
programs.git.enable = true; programs.git.enable = true;
nix = { nix = {
package = pkgs.nixVersions.latest; package = pkgs.nixVersions.latest;
extraOptions = "experimental-features = nix-command flakes pipe-operators"; extraOptions = "experimental-features = nix-command flakes";
settings = { settings = {
experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; experimental-features = [ "nix-command" "flakes" ];
allowed-users = [ "@wheel" ]; allowed-users = [ "@wheel" ];
trusted-users = [ "@wheel" ]; trusted-users = [ "@wheel" ];

343
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -1,238 +1,22 @@
{ config, lib, pkgs, namespace, system, inputs, ... }: { config, lib, pkgs, namespace, ... }:
let let
inherit (lib) mkIf mkEnableOption mkOption types toUpper nameValuePair mapAttrs' concatMapAttrs getAttrs getAttr hasAttr typeOf head drop length; inherit (lib) mkIf mkEnableOption mkForce;
inherit (lib.${namespace}.strings) toSnakeCase;
cfg = config.${namespace}.services.authentication.zitadel; cfg = config.${namespace}.services.authentication.zitadel;
database = "zitadel"; db_name = "zitadel";
db_user = "zitadel";
in in
{ {
options.${namespace}.services.authentication.zitadel = { options.${namespace}.services.authentication.zitadel = {
enable = mkEnableOption "Zitadel"; enable = mkEnableOption "Zitadel";
organization = mkOption {
type = types.attrsOf (types.submodule {
options = {
isDefault = mkOption {
type = types.bool;
default = false;
example = "true";
description = ''
True sets the org as default org for the instance. Only one org can be default org.
Nothing happens if you set it to false until you set another org as default org.
'';
}; };
project = mkOption { config = mkIf cfg.enable {
default = {};
type = types.attrsOf (types.submodule {
options = {
hasProjectCheck = mkOption {
type = types.bool;
default = false;
example = "true";
description = ''
ZITADEL checks if the org of the user has permission to this project.
'';
};
privateLabelingSetting = mkOption {
type = types.nullOr (types.enum [ "unspecified" "enforceProjectResourceOwnerPolicy" "allowLoginUserResourceOwnerPolicy" ]);
default = null;
example = "enforceProjectResourceOwnerPolicy";
description = ''
Defines from where the private labeling should be triggered,
supported values:
- unspecified
- enforceProjectResourceOwnerPolicy
- allowLoginUserResourceOwnerPolicy
'';
};
projectRoleAssertion = mkOption {
type = types.bool;
default = false;
example = "true";
description = ''
Describes if roles of user should be added in token.
'';
};
projectRoleCheck = mkOption {
type = types.bool;
default = false;
example = "true";
description = ''
ZITADEL checks if the user has at least one on this project.
'';
};
application = mkOption {
default = {};
type = types.attrsOf (types.submodule {
options = {
redirectUris = mkOption {
type = types.nonEmptyListOf types.str;
example = ''
[ "https://example.com/redirect/url" ]
'';
description = ''
.
'';
};
grantTypes = mkOption {
type = types.nonEmptyListOf (types.enum [ "authorizationCode" "implicit" "refreshToken" "deviceCode" "tokenExchange" ]);
example = ''
[ "authorizationCode" ]
'';
description = ''
.
'';
};
responseTypes = mkOption {
type = types.nonEmptyListOf (types.enum [ "code" "idToken" "idTokenToken" ]);
example = ''
[ "code" ]
'';
description = ''
.
'';
};
};
});
};
};
});
};
};
});
};
};
config = let
mapRef = type: name: { "${type}Id" = "\${ resource.zitadel_${type}.${toSnakeCase name}.id }"; };
mapEnum = prefix: value: "${prefix}_${value |> toSnakeCase |> toUpper}";
mapValue = type: value: ({
grantTypes = map (t: mapEnum "OIDC_GRANT_TYPE" t) value;
responseTypes = map (t: mapEnum "OIDC_RESPONSE_TYPE" t) value;
}."${type}" or value);
toResource = name: value: nameValuePair
(toSnakeCase name)
(lib.mapAttrs' (k: v: nameValuePair (toSnakeCase k) (mapValue k v)) value);
withName = name: attrs: attrs // { inherit name; };
withRef = type: name: attrs: attrs // (mapRef type name);
select = keys: callback: set:
if (length keys) == 0 then
mapAttrs' callback set
else let key = head keys; in
concatMapAttrs (k: v: select (drop 1 keys) (callback k) (v.${key} or {})) set;
config' = config;
# this is a nix package, the generated json file to be exact
terraformConfiguration = inputs.terranix.lib.terranixConfiguration {
inherit system;
modules = [
({ config, lib, ... }: {
config = {
terraform.required_providers.zitadel = {
source = "zitadel/zitadel";
version = "2.2.0";
};
provider.zitadel = {
domain = "auth.kruining.eu";
insecure = "false";
jwt_profile_file = "/var/lib/zitadel/machine-key.json";
};
resource = {
zitadel_org = cfg.organization |> select [] (name: value:
value
|> getAttrs [ "isDefault" ]
|> withName name
|> toResource name
);
zitadel_project = cfg.organization |> select [ "project" ] (org: name: value:
value
|> getAttrs [ "hasProjectCheck" "privateLabelingSetting" "projectRoleAssertion" "projectRoleCheck" ]
|> withName name
|> withRef "org" org
|> toResource name
);
zitadel_application_oidc = cfg.organization |> select [ "project" "application" ] (org: project: name: value:
value
|> getAttrs [ "redirectUris" "grantTypes" "responseTypes" ]
|> withName name
|> withRef "org" org
|> withRef "project" project
|> toResource name
);
zitadel_smtp_config.default = {
sender_address = "chris@kruining.eu";
sender_name = "no-reply (Zitadel)";
tls = true;
host = "black-mail.nl";
user = "chris@kruining.eu";
password = "\${file(\"${config'.sops.templates."kaas".path}\")}";
};
};
};
})
];
};
in
mkIf cfg.enable {
${namespace}.services.persistance.postgresql.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
zitadel zitadel
]; ];
systemd.tmpfiles.rules = [
"d /tmp/zitadelApplyTerraform 0755 zitadel zitadel -"
];
systemd.services.zitadelApplyTerraform = {
description = "Zitadel terraform apply";
wantedBy = [ "multi-user.target" ];
wants = [ "zitadel.service" ];
script = ''
#!/usr/bin/env bash
# Copy infra code into workspace
cp -f ${terraformConfiguration} config.tf.json
# Initialize OpenTofu
${lib.getExe pkgs.opentofu} init
# Run the infrastructure code
${lib.getExe pkgs.opentofu} apply -auto-approve
'';
serviceConfig = {
Type = "oneshot";
User = "zitadel";
Group = "zitadel";
WorkingDirectory = "/tmp/zitadelApplyTerraform";
};
};
services = { services = {
zitadel = { zitadel = {
enable = true; enable = true;
@ -243,7 +27,7 @@ in
settings = { settings = {
Port = 9092; Port = 9092;
ExternalDomain = "auth.kruining.eu"; ExternalDomain = "auth.amarth.cloud";
ExternalPort = 443; ExternalPort = 443;
ExternalSecure = true; ExternalSecure = true;
@ -257,25 +41,26 @@ in
}; };
DefaultInstance = { DefaultInstance = {
# PasswordComplexityPolicy = { PasswordComplexityPolicy = {
# MinLength = 0; MinLength = 20;
# HasLowercase = false; HasLowercase = false;
# HasUppercase = false; HasUppercase = false;
# HasNumber = false; HasNumber = false;
# HasSymbol = false; HasSymbol = false;
# }; };
# LoginPolicy = { LoginPolicy = {
# AllowRegister = false; AllowRegister = false;
# ForceMFA = true; ForceMFA = true;
# }; };
# LockoutPolicy = { LockoutPolicy = {
# MaxPasswordAttempts = 5; MaxPasswordAttempts = 5;
# MaxOTPAttempts = 10; MaxOTPAttempts = 10;
# }; };
SMTPConfiguration = { SMTPConfiguration = {
SMTP = { SMTP = {
Host = "black-mail.nl:587"; Host = "black-mail.nl:587";
User = "chris@kruining.eu"; User = "info@amarth.cloud";
Password = "__TODO_USE_SOPS__";
}; };
FromName = "Amarth Zitadel"; FromName = "Amarth Zitadel";
}; };
@ -285,9 +70,9 @@ in
Host = "localhost"; Host = "localhost";
# Zitadel will report error if port is not set # Zitadel will report error if port is not set
Port = 5432; Port = 5432;
Database = database; Database = db_name;
User = { User = {
Username = database; Username = db_user;
SSL.Mode = "disable"; SSL.Mode = "disable";
}; };
Admin = { Admin = {
@ -298,16 +83,9 @@ in
}; };
steps = { steps = {
FirstInstance = { FirstInstance = {
# Not sure, this option seems to be mostly irrelevant InstanceName = "auth.amarth.cloud";
InstanceName = "eu";
MachineKeyPath = "/var/lib/zitadel/machine-key.json";
# PatPath = "/var/lib/zitadel/machine-key.pat";
# LoginClientPatPath = "/var/lib/zitadel/machine-key.json";
Org = { Org = {
Name = "kruining"; Name = "Amarth";
Human = { Human = {
UserName = "chris"; UserName = "chris";
FirstName = "Chris"; FirstName = "Chris";
@ -318,49 +96,39 @@ in
}; };
Password = "KaasIsAwesome1!"; Password = "KaasIsAwesome1!";
}; };
Machine = {
Machine = {
Username = "terraform-service-user";
Name = "Terraform";
};
MachineKey = { ExpirationDate = "2026-01-01T00:00:00Z"; Type = 1; };
# Pat = { ExpirationDate = "2026-01-01T00:00:00Z"; };
};
# LoginClient.Machine = {
# Username = "terraform-service-user";
# Name = "Terraform";
# };
}; };
}; };
}; };
extraStepsPaths = [
config.sops.templates."secrets.yaml".path
];
}; };
postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = [ database ]; ensureDatabases = [ db_name ];
ensureUsers = [ ensureUsers = [
{ {
name = database; name = db_user;
ensureDBOwnership = true; ensureDBOwnership = true;
} }
]; ];
authentication = mkForce ''
# Generated file, do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
}; };
caddy = { caddy = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"auth.kruining.eu".extraConfig = '' "auth.amarth.cloud".extraConfig = ''
reverse_proxy h2c://::1:9092 reverse_proxy h2c://127.0.0.1:9092
''; '';
}; };
extraConfig = '' extraConfig = ''
(auth) { (auth-z) {
forward_auth h2c://::1:9092 { forward_auth h2c://127.0.0.1:9092 {
uri /api/authz/forward-auth uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
} }
@ -369,40 +137,11 @@ in
}; };
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Secrets # Secrets
sops = { sops.secrets."zitadel/masterKey" = {
secrets = {
"zitadel/masterKey" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadel.service" ]; #EMGDB#6O$8qpGoLI1XjhUhnng1san@0
};
"email/chris_kruining_eu" = {
owner = "zitadel"; owner = "zitadel";
group = "zitadel"; group = "zitadel";
restartUnits = [ "zitadel.service" ]; restartUnits = [ "zitadel.service" ];
}; };
}; };
templates."secrets.yaml" = {
owner = "zitadel";
group = "zitadel";
content = ''
DefaultInstance:
SMTPConfiguration:
SMTP:
Password: ${config.sops.placeholder."email/chris_kruining_eu"}
'';
};
templates."kaas" = {
owner = "zitadel";
group = "zitadel";
content = config.sops.placeholder."email/chris_kruining_eu";
};
};
};
} }

26
modules/nixos/services/backup/borg/default.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.backup.borg;
in
{
options.${namespace}.services.backup.borg = {
enable = mkEnableOption "Borg Backup";
};
config = mkIf cfg.enable {
services = {
borgbackup.jobs = {
media = {
paths = "/var/media/test";
encryption.mode = "none";
environment.BORG_SSH = "ssh -i /home/chris/.ssh/id_ed25519 -4";
repo = "ssh://chris@beheer.hazelhof.nl:222/home/chris/backups/media";
compression = "auto,zstd";
startAt = "daily";
};
};
};
};
}

179
modules/nixos/services/communication/matrix/default.nix
View file

@ -1,179 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (builtins) toString toJSON;
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.communication.matrix;
domain = "kruining.eu";
fqn = "matrix.${domain}";
port = 4001;
database = "synapse";
in
{
options.${namespace}.services.communication.matrix = {
enable = mkEnableOption "Matrix server (Synapse)";
};
config = mkIf cfg.enable {
${namespace}.services = {
persistance.postgresql.enable = true;
# virtualisation.podman.enable = true;
};
networking.firewall.allowedTCPPorts = [ 4001 ];
services = {
matrix-synapse = {
enable = true;
extras = [ "oidc" ];
# plugins = with config.services.matrix-synapse.package.plugins; [];
settings = {
server_name = domain;
public_baseurl = "https://${fqn}";
registration_shared_secret = "tZtBnlhEmLbMwF0lQ112VH1Rl5MkZzYH9suI4pEoPXzk6nWUB8FJF4eEnwLkbstz";
url_preview_enabled = true;
precence.enabled = true;
# Since we'll be using OIDC for auth disable all local options
enable_registration = false;
password_config.enabled = false;
sso = {
client_whitelist = [ "http://[::1]:9092" ];
update_profile_information = true;
};
oidc_providers = [
{
discover = true;
idp_id = "zitadel";
idp_name = "Zitadel";
issuer = "https://auth.kruining.eu";
client_id = "337858153251143939";
client_secret = "ePkf5n8BxGD5DF7t1eNThTL0g6PVBO5A1RC0EqPp61S7VsiyXvDs8aJeczrpCpsH";
scopes = [ "openid" "profile" ];
# user_mapping_provider.config = {
# localpart_template = "{{ user.prefered_username }}";
# display_name_template = "{{ user.name }}";
# };
}
];
database = {
# this is postgresql (also the default, but I prefer to be explicit)
name = "psycopg2";
args = {
database = database;
user = database;
};
};
listeners = [
{
bind_addresses = ["::"];
port = port;
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
};
mautrix-signal = {
enable = true;
registerToSynapse = true;
settings = {
appservice = {
provisioning.enabled = false;
# port = 40011;
};
homeserver = {
address = "http://[::1]:${toString port}";
domain = domain;
};
bridge = {
permissions = {
"@chris:${domain}" = "admin";
};
};
};
};
mautrix-whatsapp = {
enable = true;
registerToSynapse = true;
settings = {
appservice = {
provisioning.enabled = false;
# port = 40012;
};
homeserver = {
address = "http://[::1]:${toString port}";
domain = domain;
};
bridge = {
permissions = {
"@chris:${domain}" = "admin";
};
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ database ];
ensureUsers = [
{
name = database;
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = let
server = {
"m.server" = "${fqn}:443";
};
client = {
"m.homeserver".base_url = "https://${fqn}";
"m.identity_server".base_url = "https://auth.kruining.eu";
};
in {
"${domain}".extraConfig = ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `${toJSON server}`
respond /.well-known/matrix/client `${toJSON client}`
'';
"${fqn}".extraConfig = ''
reverse_proxy /_matrix/* http://::1:4001
reverse_proxy /_synapse/client/* http://::1:4001
'';
};
};
};
};
}

14
modules/nixos/services/development/forgejo/default.nix
View file

@ -11,10 +11,7 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
${namespace}.services = { ${namespace}.services.virtualisation.podman.enable = true;
persistance.postgresql.enable = true;
virtualisation.podman.enable = true;
};
environment.systemPackages = with pkgs; [ forgejo ]; environment.systemPackages = with pkgs; [ forgejo ];
@ -94,7 +91,6 @@ in
actions = { actions = {
ENABLED = true; ENABLED = true;
# DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
}; };
other = { other = {
@ -140,12 +136,10 @@ in
# tokenFile = config.age.secrets.forgejo-runner-token.path; # tokenFile = config.age.secrets.forgejo-runner-token.path;
token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
labels = [ labels = [
"default:docker://nixos/nix:latest" "default:docker://node:22-bullseye"
"ubuntu:docker://ubuntu:24-bookworm"
"nix:docker://git.amarth.cloud/amarth/runners/default:latest"
]; ];
settings = { settings = {
log.level = "info";
}; };
}; };
}; };
@ -158,7 +152,7 @@ in
# stupid dumb way to prevent the login page and go to zitadel instead # stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all! # be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:5002 reverse_proxy http://127.0.0.1:5002
''; '';

135
modules/nixos/services/media/default.nix
View file

@ -66,73 +66,38 @@ in
# Services # Services
#========================================================================= #=========================================================================
services = let services = let
arrService = { serviceConf = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
settings = {
auth.AuthenticationMethod = "External";
# postgres = {
# PostgresHost = "localhost";
# PostgresPort = "5432";
# PostgresUser = "media";
# };
};
};
withPort = port: service: service // { settings.server.Port = builtins.toString port; };
withUserAndGroup = service: service // {
user = cfg.user; user = cfg.user;
group = cfg.group; group = cfg.group;
}; };
in { in {
radarr = jellyfin = serviceConf;
arrService radarr = serviceConf;
|> withPort 2001 sonarr = serviceConf;
|> withUserAndGroup; bazarr = serviceConf;
lidarr = serviceConf;
sonarr =
arrService
|> withPort 2002
|> withUserAndGroup;
lidarr =
arrService
|> withPort 2003
|> withUserAndGroup;
prowlarr =
arrService
|> withPort 2004;
bazarr = {
enable = true;
openFirewall = true;
user = cfg.user;
group = cfg.group;
listenPort = 2005;
};
# port is harcoded in nixpkgs module
jellyfin = {
enable = true;
openFirewall = true;
user = cfg.user;
group = cfg.group;
};
flaresolverr = { flaresolverr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
port = 2007; };
jellyseerr = {
enable = true;
openFirewall = true;
};
prowlarr = {
enable = true;
openFirewall = true;
}; };
qbittorrent = { qbittorrent = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
webuiPort = 2008; webuiPort = 5000;
serverConfig = { serverConfig = {
LegalNotice.Accepted = true; LegalNotice.Accepted = true;
@ -142,7 +107,6 @@ in
group = cfg.group; group = cfg.group;
}; };
# port is harcoded in nixpkgs module
sabnzbd = { sabnzbd = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -152,49 +116,46 @@ in
group = cfg.group; group = cfg.group;
}; };
# postgresql = {
# enable = true;
# ensureDatabases = [
# "radarr-main" "radarr-log"
# "sonarr-main" "sonarr-log"
# "lidarr-main" "lidarr-log"
# "prowlarr-main" "prowlarr-log"
# ];
# identMap = ''
# media media radarr-main
# media media radarr-log
# media media sonarr-main
# media media sonarr-log
# media media lidarr-main
# media media lidarr-log
# media media prowlarr-main
# media media prowlarr-log
# '';
# ensureUsers = [
# { name = "radarr-main"; ensureDBOwnership = true; }
# { name = "radarr-log"; ensureDBOwnership = true; }
# { name = "sonarr-main"; ensureDBOwnership = true; }
# { name = "sonarr-log"; ensureDBOwnership = true; }
# { name = "lidarr-main"; ensureDBOwnership = true; }
# { name = "lidarr-log"; ensureDBOwnership = true; }
# { name = "prowlarr-main"; ensureDBOwnership = true; }
# { name = "prowlarr-log"; ensureDBOwnership = true; }
# ];
# };
caddy = { caddy = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"media.kruining.eu".extraConfig = ''
import auth
reverse_proxy http://127.0.0.1:9494
'';
"jellyfin.kruining.eu".extraConfig = '' "jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://[::1]:8096 reverse_proxy http://127.0.0.1:8096
''; '';
}; };
}; };
}; };
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
${namespace}.services.virtualisation.podman.enable = true;
virtualisation = {
oci-containers = {
backend = "podman";
containers = {
# flaresolverr = {
# image = "flaresolverr/flaresolverr";
# autoStart = true;
# ports = [ "127.0.0.1:8191:8191" ];
# };
reiverr = {
image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
autoStart = true;
ports = [ "127.0.0.1:9494:9494" ];
volumes = [ "${cfg.path}/reiverr/config:/config" ];
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
}; };
} }

161
modules/nixos/services/media/homer/default.nix
View file

@ -1,161 +0,0 @@
{ config, lib, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.media.homer;
in
{
options.${namespace}.services.media.homer = {
enable = mkEnableOption "Enable homer";
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 2000 ];
services = {
homer = {
enable = true;
virtualHost = {
caddy.enable = true;
domain = "http://:2000";
};
settings = {
title = "Ulmo dashboard";
columns = 4;
connectivityCheck = true;
links = [];
services = [
{
name = "Services";
items = [
{
name = "Zitadel";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg";
tag = "app";
url = "https://auth.kruining.eu";
target = "_blank";
}
{
name = "Forgejo";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg";
tag = "app";
type = "Gitea";
url = "https://git.amarth.cloud";
target = "_blank";
}
{
name = "Vaultwarden";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg";
type = "Vaultwarden";
tag = "app";
url = "https://vault.kruining.eu";
target = "_blank";
}
];
}
{
name = "Observability";
items = [
{
name = "Grafana";
type = "Grafana";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}";
target = "_blank";
}
{
name = "Prometheus";
type = "Prometheus";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}";
target = "_blank";
}
];
}
{
name = "Media";
items = [
{
name = "Jellyfin (Movies)";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg";
tag = "app";
type = "Emby";
url = "http://${config.networking.hostName}:8096";
apikey = "e3ceed943eeb409ba8342738db7cc1f5";
libraryType = "movies";
target = "_blank";
}
{
name = "Radarr";
type = "Radarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}";
target = "_blank";
}
{
name = "Sonarr";
type = "Sonarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}";
target = "_blank";
}
{
name = "Lidarr";
type = "Lidarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}";
target = "_blank";
}
{
name = "Prowlarr";
type = "Prowlarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}";
target = "_blank";
}
{
name = "qBittorrent";
type = "qBittorrent";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}";
target = "_blank";
}
{
name = "SABnzbd";
type = "SABnzbd";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg";
tag = "app";
url = "http://${config.networking.hostName}:8080";
target = "_blank";
}
];
}
];
};
};
};
};
}

6
modules/nixos/services/observability/grafana/default.nix
View file

@ -42,9 +42,9 @@ in
login_attribute_path = "username"; login_attribute_path = "username";
name_attribute_path = "full_name"; name_attribute_path = "full_name";
role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'";
auth_url = "https://auth.kruining.eu/oauth/v2/authorize"; auth_url = "https://auth.amarth.cloud/oauth/v2/authorize";
token_url = "https://auth.kruining.eu/oauth/v2/token"; token_url = "https://auth.amarth.cloud/oauth/v2/token";
api_url = "https://auth.kruining.eu/oidc/v1/userinfo"; api_url = "https://auth.amarth.cloud/oidc/v1/userinfo";
allow_sign_up = true; allow_sign_up = true;
auto_login = true; auto_login = true;
use_pkce = true; use_pkce = true;

2
modules/nixos/services/observability/loki/default.nix
View file

@ -23,7 +23,7 @@ in
common = { common = {
ring = { ring = {
instance_addr = "127.0.0.1"; instance_addr = "127.0.0.1";
kvstore.store = "inmemory"; kvstore.store = "inmmemory";
}; };
replication_factor = 1; replication_factor = 1;
path_prefix = "/tmp/loki"; path_prefix = "/tmp/loki";

8
modules/nixos/services/observability/promtail/default.nix
View file

@ -29,11 +29,9 @@ in
filename = "filename"; filename = "filename";
}; };
clients = [ clients = {
{ url = "http://127.0.0.1:3100/loki/api/v1/push";
url = "http://::1:9003/loki/api/v1/push"; };
}
];
scrape_configs = [ scrape_configs = [
{ {

21
modules/nixos/services/persistance/convex/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, pkgs, lib, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.persistance.convex;
in
{
imports = [ ./source.nix ];
options.${namespace}.services.persistance.convex = {
enable = mkEnableOption "enable Convex";
};
config = mkIf cfg.enable {
services.convex = {
enable = true;
package = pkgs.${namespace}.convex;
secret = "ThisIsMyAwesomeSecret";
};
};
}

149
modules/nixos/services/persistance/convex/source.nix Normal file
View file

@ -0,0 +1,149 @@
{ config, pkgs, lib, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption mkPackageOption mkOption optional types;
cfg = config.services.convex;
default_user = "convex";
default_group = "convex";
in
{
options.services.convex = {
enable = mkEnableOption "enable Convex (backend only for now)";
package = mkPackageOption pkgs "convex" {};
name = lib.mkOption {
type = types.str;
default = "convex";
description = ''
Name for the instance.
'';
};
secret = lib.mkOption {
type = types.str;
default = "";
description = ''
Secret for the instance.
'';
};
apiPort = mkOption {
type = types.port;
default = 3210;
description = ''
The TCP port to use for the API.
'';
};
actionsPort = mkOption {
type = types.port;
default = 3211;
description = ''
The TCP port to use for the HTTP actions.
'';
};
dashboardPort = mkOption {
type = types.port;
default = 6791;
description = ''
The TCP port to use for the Dashboard.
'';
};
openFirewall = lib.mkOption {
type = types.bool;
default = false;
description = ''
Whether to open ports in the firewall for the server.
'';
};
user = lib.mkOption {
type = types.str;
default = default_user;
description = ''
As which user to run the service.
'';
};
group = lib.mkOption {
type = types.str;
default = default_group;
description = ''
As which group to run the service.
'';
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.secret != "";
message = ''
No secret provided for convex
'';
}
];
users = {
users.${cfg.user} = {
description = "System user for convex service";
isSystemUser = true;
group = cfg.group;
};
groups.${cfg.group} = {};
};
networking.firewall.allowedTCPPorts = optional cfg.openFirewall [ cfg.apiPort cfg.actionsPort cfg.dashboardPort ];
environment.systemPackages = [ cfg.package ];
systemd.services.convex = {
description = "Convex Backend server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin --instance-name ${cfg.name} --instance-secret ${cfg.secret}";
Type = "notify";
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = "convex";
RuntimeDirectoryMode = "0775";
StateDirectory = "convex";
StateDirectoryMode = "0775";
Umask = "0077";
CapabilityBoundingSet = "";
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
LockPersonality = true;
};
};
};
}

26
modules/nixos/services/persistance/postgesql/default.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.persistance.postgresql;
in
{
options.${namespace}.services.persistance.postgresql = {
enable = mkEnableOption "Postgresql";
};
config = mkIf cfg.enable {
services = {
postgresql = {
enable = true;
authentication = ''
# Generated file, do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
};
};
}

12
modules/nixos/services/security/vaultwarden/default.nix
View file

@ -39,7 +39,7 @@ in
SSO_ROLES_ENABLED = true; SSO_ROLES_ENABLED = true;
SSO_ORGANIZATIONS_ENABLED = true; SSO_ORGANIZATIONS_ENABLED = true;
SSO_ORGANIZATIONS_REVOCATION = true; SSO_ORGANIZATIONS_REVOCATION = true;
SSO_AUTHORITY = "https://auth.kruining.eu/"; SSO_AUTHORITY = "https://auth.amarth.cloud/";
SSO_SCOPES = "email profile offline_access"; SSO_SCOPES = "email profile offline_access";
SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
SSO_CLIENT_ID = "335178854421299459"; SSO_CLIENT_ID = "335178854421299459";
@ -52,9 +52,9 @@ in
SMTP_HOST = "black-mail.nl"; SMTP_HOST = "black-mail.nl";
SMTP_PORT = 587; SMTP_PORT = 587;
SMTP_SECURITY = "starttls"; SMTP_SECURITY = "starttls";
SMTP_USERNAME = "chris@kruining.eu"; SMTP_USERNAME = "info@amarth.cloud";
SMTP_PASSWORD = ""; SMTP_PASSWORD = "";
SMTP_FROM = "chris@kruining.eu"; SMTP_FROM = "info@amarth.cloud";
SMTP_FROM_NAME = "Chris' Vaultwarden"; SMTP_FROM_NAME = "Chris' Vaultwarden";
}; };
}; };
@ -76,12 +76,6 @@ in
"vault.kruining.eu".extraConfig = '' "vault.kruining.eu".extraConfig = ''
encode zstd gzip encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
} }

1
modules/nixos/services/virtualisation/podman/default.nix
View file

@ -12,7 +12,6 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
virtualisation = { virtualisation = {
containers.enable = true; containers.enable = true;
oci-containers.backend = "podman";
podman = { podman = {
enable = true; enable = true;

10
modules/nixos/system/security/sops/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, config, namespace, inputs, system, ... }: { pkgs, config, namespace, inputs, ... }:
let let
cfg = config.${namespace}.system.security.sops; cfg = config.${namespace}.system.security.sops;
in in
@ -13,14 +13,10 @@ in
environment.systemPackages = with pkgs; [ sops ]; environment.systemPackages = with pkgs; [ sops ];
sops = { sops = {
defaultSopsFile = ../../../../../_secrets/secrets.yaml;
defaultSopsFormat = "yaml"; defaultSopsFormat = "yaml";
defaultSopsFile = inputs.self + "/systems/${system}/${config.networking.hostName}/secrets.yml";
age = { age.keyFile = "/home/";
# keyFile = "~/.config/sops/age/keys.txt";
# sshKeyPaths = [ "~/.ssh/id_ed25519" ];
# generateKey = true;
};
}; };
}; };
} }

59
packages/convex/default.nix Normal file
View file

@ -0,0 +1,59 @@
{
lib,
stdenv,
rustPlatform,
fetchFromGitHub,
# dependencies
openssl,
pkg-config,
cmake,
llvmPackages,
postgresql,
sqlite,
#options
dbBackend ? "postgresql",
...
}:
rustPlatform.buildRustPackage rec {
pname = "convex";
version = "2025-08-20-c9b561e";
src = fetchFromGitHub {
owner = "get-convex";
repo = "convex-backend";
rev = "c9b561e1b365c85ef28af35d742cb7dd174b5555";
hash = "sha256-4h4AQt+rQ+nTw6eTbbB5vqFt9MFjKYw3Z7bGXdXijJ0=";
};
cargoHash = "sha256-pcDNWGrk9D0qcF479QAglPLFDZp27f8RueP5/lq9jho=";
cargoBuildFlags = [
"-p" "local_backend"
"--bin" "convex-local-backend"
];
env = {
LIBCLANG_PATH = "${llvmPackages.libclang}/lib";
};
strictDeps = true;
# Build-time dependencies
nativeBuildInputs = [ pkg-config cmake rustPlatform.bindgenHook ];
# Run-time dependencies
buildInputs =
[ openssl ]
++ lib.optional (dbBackend == "sqlite") sqlite
++ lib.optional (dbBackend == "postgresql") postgresql;
buildFeatures = "";
meta = with lib; {
license = licenses.fsl11Asl20;
mainProgram = "convex";
};
}

2
systems/x86_64-linux/manwe/default.nix
View file

@ -5,8 +5,6 @@
./hardware.nix ./hardware.nix
]; ];
system.activationScripts.remove-gtkrc.text = "rm -f /home/chris/.gtkrc-2.0";
sneeuwvlok = { sneeuwvlok = {
hardware.has = { hardware.has = {
gpu.amd = true; gpu.amd = true;

8
systems/x86_64-linux/manwe/disks.nix
View file

@ -26,9 +26,9 @@ in
fsType = "nfs"; fsType = "nfs";
}; };
# "/home/chris/mandos" = { "/home/chris/mandos" = {
# device = "mandos:/"; device = "mandos:/";
# fsType = "nfs"; fsType = "nfs";
# }; };
}; };
} }

66
systems/x86_64-linux/ulmo/default.nix
View file

@ -5,76 +5,16 @@
./hardware.nix ./hardware.nix
]; ];
networking = {
interfaces.enp2s0 = {
ipv6.addresses = [
{ address = "2a0d:6e00:1dc9:0::dead:beef"; prefixLength = 64; }
];
useDHCP = true;
};
defaultGateway = {
address = "192.168.1.1";
interface = "enp2s0";
};
defaultGateway6 = {
address = "fe80::1";
interface = "enp2s0";
};
};
# Expose amarht cloud stuff like this until I have a proper solution
services.caddy.virtualHosts = {
"auth.amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:9092
'';
"amarth.cloud".extraConfig = ''
reverse_proxy http://192.168.1.223:8080
'';
};
sneeuwvlok = { sneeuwvlok = {
services = { services = {
# authentication.authelia.enable = true; authentication.authelia.enable = true;
authentication.zitadel = { authentication.zitadel.enable = true;
enable = true;
organization = {
thisIsMyAwesomeOrg = {};
nix = {
project = {
ulmo = {
application = {
jellyfin = {
redirectUris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/zitadel" ];
grantTypes = [ "authorizationCode" ];
responseTypes = [ "code" ];
};
forgejo = {
redirectUris = [ "https://git.amarth.cloud/user/oauth2/zitadel/callback" ];
grantTypes = [ "authorizationCode" ];
responseTypes = [ "code" ];
};
};
};
};
};
};
};
communication.matrix.enable = true;
development.forgejo.enable = true; development.forgejo.enable = true;
networking.ssh.enable = true; networking.ssh.enable = true;
media.enable = true; media.enable = true;
media.homer.enable = true;
media.nfs.enable = true; media.nfs.enable = true;
observability = { observability = {
@ -84,6 +24,8 @@
promtail.enable = true; promtail.enable = true;
}; };
persistance.convex.enable = true;
security.vaultwarden.enable = true; security.vaultwarden.enable = true;
}; };

4
systems/x86_64-linux/ulmo/disks.nix
View file

@ -5,7 +5,9 @@ in
{ {
# TODO :: Implement disko at some point # TODO :: Implement disko at some point
swapDevices = []; swapDevices = [
{ device = "/dev/disk/by-uuid/0ddf001a-5679-482e-b254-04a1b9094794"; }
];
boot.supportedFilesystems = [ "nfs" ]; boot.supportedFilesystems = [ "nfs" ];

30
systems/x86_64-linux/ulmo/secrets.yml
View file

@ -1,30 +0,0 @@
email:
info@amarth.cloud: ENC[AES256_GCM,data:xwR3XS/zxr85e8wQLqIJfc8b3CaRlMqts3kWQpQTy6c=,iv:6N48IIRhFvgPtzP7/w6ZQM80mHCZ7ZHAsvv2tHFP9mE=,tag:FK2OboYbnmgq6eJp5Oyjng==,type:str]
chris_kruining_eu: ENC[AES256_GCM,data:/JS+dQ6ABlkdjRZP+sGeUY3js30swS4=,iv:d5CcoY6DD3DJ/e3t0OU/KUULccJpTN0uBQPQzl/3R0s=,tag:aTN7RdzXkIpci9tEBjevSA==,type:str]
info_amarth_cloud: ENC[AES256_GCM,data:/x7aAFAxXYYf79tB08VQmmuTIy2TvdSTFfAzIWdIr+I=,iv:plNxS6oOin+oEql+1xsePOsUfLJkf+ZPBviPRTbIghE=,tag:hjtK3rysd2NNBA2mWdv8cw==,type:str]
zitadel:
masterKey: ENC[AES256_GCM,data:DyBNWV+4HmPa1mA4I3TERWmrIEn/c4/XYlgfmel7Ag==,iv:CjS5kAHH8j0ExCNFZf3dnyBsDPnAShRt55onPcUfkwU=,tag:CeINNaH5hOprAxm/DZFDPA==,type:str]
sops:
age:
- recipient: age19qfpf980tadguqq44zf6xwvjvl428dyrj46ha3n6aeqddwhtnuqqml7etq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdDZyZkxvNU4zM3NHb2gx
ZlhLZk5JWUFGMWZGeUVHNkFFU1NtZlBQVVhjCmZGai9NdmdUeU5VcW9ROVZKTW5q
cmZaQ2JlaldaTWduQklocUZLT2FUcGcKLS0tIHlqVU0wdXJ0dTE4dlZSVEczd2Yv
RVFxVHFxbkVNbEZsaVcwYXZCdUc5R1kKQdAN6LEKmGLCSkKhNuEr0YK2zl9Aw1kK
6C25lN532mG55zIRectZda1Fmi1GMZ/2v3b5qz7x+TDMA9m/47OjmA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoK3lqRDhEMXEvaUp3OWdV
eFlZSGpJcGs0RTdRbllWdmdZTzl3RTlDNlIwCm92R290NjNyK2NNbWpINTBhazNS
NTJYWEw0SGc1TUtrd0NZSmowakMvSlEKLS0tIG5uUEIrZGVORkRNVnBVOHgyMXZG
TTRWaHhpNWlkVDFmMFN4ZTNHMUxyNVkKV693pzTKRkZboQCMPr9IyMGSgxfuHXcb
Y6BNcp6Qg6PWtX5QI7wRkPNINAK1TEbRBba+b8h6gMmVU4DliQyFiQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-23T14:25:59Z"
mac: ENC[AES256_GCM,data:p3A1ZSr6S21SUjEZbL4V0uh3HVqcRhFi1N93IeUKs2yVbBYAXzWJ+2ejSxfM+W9MSCAYxx27i0ZoBPjQJu/xQzwmW8HWn4rRfCsa2TGqOw25PLvkHgnBUc70X759cKxvR0Pm7ha22JCnzJVrzvUMlBVs61wxHT57x0El9Gan8eY=,iv:SKN+R4wsN/L2pZW/s5ocEtCXXZB5wK4tgFIYWGWtRPA=,tag:CNLl4lVO06gAcsSCfU2KjA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0