chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: chris:main
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere
..
compare: chris:feature/nix-anywhere
Branches Tags
chris:main
chris:feature/convex
chris:feature/nix-anywhere

12 commits
main ... feature/ni

Author SHA1 Message Date
Chris Kruining
9aaf0f0a2b
asdffasdfa 2025-08-13 07:41:30 +02:00
Chris Kruining
5d8c897b4d
update the path to system secrets, still need to fix the home secrets 2025-08-11 16:18:53 +02:00
Chris Kruining
3a6672cad9
get going with sops agian, not that hard, just need to set up my keys properly... 2025-08-11 15:22:58 +02:00
Chris Kruining
69c6d85754
resolve merge artifacts 2025-08-11 15:22:17 +02:00
Chris Kruining
de1bc287d5
reorder inputs 2025-08-07 11:59:22 +02:00
Chris Kruining
4bd4327a6d
Merge branch 'feature/nix-anywhere' of https://github.com/chris-kruining/sneeuwvlok into feature/nix-anywhere 2025-08-07 11:48:27 +02:00
Chris Kruining
7e6beb208d
kaas 2025-08-07 11:48:23 +02:00
Chris Kruining
cfb9d086b8
yep yep, justfiles are cooooool 2025-08-07 11:48:23 +02:00
Chris Kruining
a1316fdf0e
update deps 2025-08-07 11:48:23 +02:00
Chris Kruining
98362802d5
kaas 2025-08-07 11:02:45 +02:00
Chris Kruining
3921693f84
yep yep, justfiles are cooooool 2025-08-04 16:21:29 +02:00
Chris Kruining
8228418b7f
update deps 2025-08-04 16:21:17 +02:00
40 changed files with 451 additions and 1339 deletions
Download patch file Download diff file Expand all files Collapse all files

15
.forgejo/workflows/action.yml
View file

@ -1,15 +0,0 @@
name: Test action
on:
workflow_dispatch:
push:
branches:
- main
jobs:
kaas:
runs-on: nix
steps:
- name: Echo
run: |
nix --version

8
.gitignore vendored
View file

@ -1,8 +1,2 @@
# ---> Nix
# Ignore build outputs from performing a nix-build or `nix build` command
result
result-*
# Ignore automatically generated direnv output
.direnv
*.qcow2

57
.sops.yml
View file

@ -1,8 +1,57 @@
keys:
- &primary age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
- home:
- &chris age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
- system:
- &aule age
- &mandos age
- &manwe age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
- &melkor age
- &orome age
- &tulkas age
- &varda age
- &yavanna age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
creation_rules:
- path_regex: secrets/secrets.yml$
#===================================================================
# HOSTS
#===================================================================
- path_regex: systems/x86_64-linux/aule/secrets.yaml$
age: *aule
- path_regex: systems/x86_64-linux/mandos/secrets.yaml$
age: *mandos
- path_regex: systems/x86_64-linux/manwe/secrets.yaml$
key_groups:
- age:
- *primary
- age:
- *manwe
- *yavanna
- path_regex: systems/x86_64-linux/melkor/secrets.yaml$
age: *melkor
- path_regex: systems/x86_64-linux/orome/secrets.yaml$
age: *orome
- path_regex: systems/x86_64-linux/tulkas/secrets.yaml$
age: *tulkas
- path_regex: systems/x86_64-linux/varda/secrets.yaml$
age: *varda
- path_regex: systems/x86_64-linux/yavanna/secrets.yaml$
age: *yavanna
#===================================================================
# USERS
#===================================================================
- path_regex: homes/x86_64-linux/chris@\w+/secrets.yaml$
age: *chris

1
README.md
View file

@ -18,4 +18,5 @@ nix build .#install-isoConfigurations.minimal
- [dafitt/dotfiles](https://github.com/dafitt/dotfiles/)
- [khaneliman/khanelinix](https://github.com/khaneliman/khanelinix)
- [alex007sirois/nix-config](https://github.com/alex007sirois/nix-config) (justfile)
- [hmajid2301/nixicle](https://gitlab.com/hmajid2301/nixicle) (the GOAT, he did what I am aiming for!)

30
_secrets/secrets.yaml
View file

@ -1,30 +0,0 @@
#ENC[AES256_GCM,data:jozDiJTPaF427kVL4MDV8VOVhft52sOS9YIfj0n8WUJmQzVoiNY=,iv:8kyaDw0l82KZfYKkfKDj0wvcIkY6zas5e8puubEr1mA=,tag:LvuVGvU195BihU8TbPN1xg==,type:comment]
example_key: ENC[AES256_GCM,data:9jefDfjJLP8Ha135Lg==,iv:9SUpjO1t65gA3LiwYN6nMj7icwInxTCQz7JsNEfQ2XA=,tag:Y8BBSLwUQem8wSXAlvnEXg==,type:str]
#ENC[AES256_GCM,data:IU1T4k/+44s8qFnjnreDMihjQRmMd5qSTtfA/ung5/1f1JmBXGP7EwYJBFF9BSBkBqBfv24A9Ok=,iv:tHzL3pW/qsNdWGT3c+ni0uTlkBMWOu/SsraymCuAkqs=,tag:nWZgWdPNiKQ0j/t9Z/5l5g==,type:comment]
#ENC[AES256_GCM,data:BhUTbsJB5voz4m1w8u1Y/MI8kR5lpRW8RpZO65IyGg232uNSoBLXB2QSl1GseyTC8bZHPiCF2gnttPD+76kqVlfzhhDu4EKU,iv:Ic8ZpR2QBBGhF2++S/TR/DRutkTghpMiby+yvNy0CSE=,tag:Z1JEtowycGDNWuznlkId8A==,type:comment]
example:
my_subdir:
my_secret: ENC[AES256_GCM,data:hccfc6uU4tGT,iv:HYjmo9kAVCcXSpDKWGku3vaJVvZHzYB3l079xXw5OEQ=,tag:c2b8BSqlL1LTcDf1nSPfVA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeHZXWkZ2andYSytmYWpR
ckttNVJZaWxDK2ZwME1iY2wrWFNwR0hzWUNFCjVSaWpmTHkzdHpPNjhueTQ5ZUEz
YW1BcnIwU1hsb2lodk1QcHJvTUdrVVUKLS0tIFNpWlBqb2pOWDVLV0FvU1FUODJB
dTg0QXZuSkJXV3ZRSUlKcktDNElia28KKZ62gTVpeiz1CfK7awURrPZ7zAYx9vfR
Ajxk0cw1gleE6EU2iIlLOWtmyZbcNk1X32a+otXijlH8fDGtoxA97Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T11:37:49Z"
mac: ENC[AES256_GCM,data:ZEqJc6slPb3YMR9kn/jFImjkQQIT3KyUK3qE3JMty+IAAr9GT8r+rHOwku4TOwL6YzON6L5vkUQFFKnOz9GiJuGkStc6AbML4SfOlRDsaFU4kwO+27UvDBYRqi6iHtJ2pu/uD4wELVhdbElxHvFlCjtgqBWaWmlXw3ATjkiZnik=,iv:zJNM/TqNfBO/mr8ZK/I/FfXwknyn9YpJ0eo4EpHSJvQ=,tag:G4FLx/Hwknq5hYEb8SWQLg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
zitadel:
masterKey: thisWillBeAnEncryptedValueInTheFuture

191
flake.lock generated
View file

@ -67,17 +67,37 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1753140376,
"narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
"owner": "nix-community",
"repo": "disko",
"rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"erosanix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1756593129,
"narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=",
"lastModified": 1753879613,
"narHash": "sha256-oYhCJSAIZiu3maM2q6JBzh0+MYd4KTaq5eNFIstUurE=",
"owner": "emmanuelrosa",
"repo": "erosanix",
"rev": "f28776c49ddb4d34abc01092009fba0cd96836bd",
"rev": "0ad38bd182cd737f0f4b878ea04cb3676ecd4000",
"type": "github"
},
"original": {
@ -94,11 +114,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1756622179,
"narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=",
"lastModified": 1754290399,
"narHash": "sha256-KwYm1/FeLqP9uE4Sbw+j2nI2/ErNbc9Mn+LPcrEOpX0=",
"owner": "nix-community",
"repo": "fenix",
"rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79",
"rev": "f53ddf7518d85d59b58df6e9955b25b0ac25f569",
"type": "github"
},
"original": {
@ -114,11 +134,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1756643456,
"narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=",
"lastModified": 1754311269,
"narHash": "sha256-y84Q8qS5acSxl3QsLLGs4DboPhM/AYUMiTsJJZwmQxY=",
"owner": "nix-community",
"repo": "flake-firefox-nightly",
"rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e",
"rev": "5a6856f353975206aec02373c18e8cea3fa6bb75",
"type": "github"
},
"original": {
@ -230,11 +250,11 @@
]
},
"locked": {
"lastModified": 1754487366,
"narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
"lastModified": 1753121425,
"narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
"rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
"type": "github"
},
"original": {
@ -411,11 +431,11 @@
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1756381920,
"narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=",
"lastModified": 1753279958,
"narHash": "sha256-EJ1udnwKYgWeAJzncAccbLPtbSWiuIANryXTGI9nY6w=",
"owner": "vinceliuice",
"repo": "grub2-themes",
"rev": "8f30385f556a92ecbcc0c1800521730187da1cd7",
"rev": "6c26f99622cb1c705b3fe2dbe1eb88521096b25a",
"type": "github"
},
"original": {
@ -432,11 +452,11 @@
]
},
"locked": {
"lastModified": 1756413980,
"narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=",
"lastModified": 1754075821,
"narHash": "sha256-ihlkNqYsNgJPCDOE2LPpUl/ww3LBKfsxeWs2sivhb10=",
"owner": "himmelblau-idm",
"repo": "himmelblau",
"rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a",
"rev": "f77821437959ecd67f2fb2b1266e5a644a46d149",
"type": "github"
},
"original": {
@ -452,32 +472,11 @@
]
},
"locked": {
"lastModified": 1756650373,
"narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=",
"lastModified": 1754263839,
"narHash": "sha256-ck7lILfCNuunsLvExPI4Pw9OOCJksxXwozum24W8b+8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e44549074a574d8bda612945a88e4a1fd3c456a8",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"zen-browser",
"nixpkgs"
]
},
"locked": {
"lastModified": 1756842514,
"narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382",
"rev": "1d7abbd5454db97e0af51416f4960b3fb64a4773",
"type": "github"
},
"original": {
@ -494,11 +493,11 @@
]
},
"locked": {
"lastModified": 1756638688,
"narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=",
"lastModified": 1754110197,
"narHash": "sha256-N7GWK2084EsNdwzwg6FCIgMrSau1WwzxGSNdPHx5Tak=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "e7b8679cba79f4167199f018b05c82169249f654",
"rev": "04ce5c103eb621220d69102bc0ee27c3abd89204",
"type": "github"
},
"original": {
@ -513,11 +512,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1754828166,
"narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=",
"lastModified": 1754223384,
"narHash": "sha256-pewBF80b4slivTMSeONyOPceyzUUlBLpVOxlGf0hFEY=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "f01c8d121a3100230612be96e4ac668e15eafb77",
"rev": "2d6fee65844e851060a6817984248bcf8358c6b0",
"type": "github"
},
"original": {
@ -528,11 +527,11 @@
},
"mnw": {
"locked": {
"lastModified": 1756580127,
"narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=",
"lastModified": 1748710831,
"narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
"owner": "Gerg-L",
"repo": "mnw",
"rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252",
"rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
"type": "github"
},
"original": {
@ -570,11 +569,11 @@
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1756518625,
"narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=",
"lastModified": 1754274768,
"narHash": "sha256-bI+Z15bpec7VEnxkrqOG+JX0bFa9CnVeg/uiaf8iiS0=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19",
"rev": "b54894d44fbe4d29c081ade695ffdb07bb21b322",
"type": "github"
},
"original": {
@ -642,11 +641,11 @@
]
},
"locked": {
"lastModified": 1755261305,
"narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=",
"lastModified": 1754260137,
"narHash": "sha256-IViMH6Fwj8nwO1nuYCqOTpjm9OK9rQ0w8nmoOwPlo98=",
"owner": "nix-community",
"repo": "nixos-wsl",
"rev": "203a7b463f307c60026136dd1191d9001c43457f",
"rev": "57ba096649fa4e12dc564e8e3c529255baf89b35",
"type": "github"
},
"original": {
@ -657,11 +656,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1754002724,
"narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=",
"lastModified": 1751186460,
"narHash": "sha256-tSnI50oYaXOi/SFUmJC+gZ2xE9pAhTnV0D2/3JoKL7g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8271ed4b2e366339dd622f329151e45745ade121",
"rev": "dd5540905b1a13176efa13fa2f8dac776bcb275a",
"type": "github"
},
"original": {
@ -673,11 +672,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1754788789,
"narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
"lastModified": 1754184128,
"narHash": "sha256-AjhoyBL4eSyXf01Bmc6DiuaMrJRNdWopmdnMY0Pa/M0=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
"rev": "02e72200e6d56494f4a7c0da8118760736e41b60",
"type": "github"
},
"original": {
@ -704,11 +703,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1756578978,
"narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=",
"lastModified": 1754284898,
"narHash": "sha256-wzM6HN0xxyooekXfl7p5P4Bn0LieOKOfsLg4DqY7XLk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23",
"rev": "114484ca7213ac06fa7907e58dd8ef9d801d39f0",
"type": "github"
},
"original": {
@ -736,11 +735,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1756653691,
"narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=",
"lastModified": 1754315431,
"narHash": "sha256-fnVgd+mIJeR/fsaJB11KcTFjoJzLZNglLjVRtAzwcUI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b",
"rev": "66023e4de2495a69792a2b72bd131358b824d2e3",
"type": "github"
},
"original": {
@ -768,11 +767,11 @@
},
"nixpkgs_6": {
"locked": {
"lastModified": 1756542300,
"narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
"lastModified": 1754214453,
"narHash": "sha256-Q/I2xJn/j1wpkGhWkQnm20nShYnG7TI99foDBpXm1SY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
"rev": "5b09dc45f24cf32316283e62aec81ffee3c3e376",
"type": "github"
},
"original": {
@ -784,11 +783,11 @@
},
"nixpkgs_7": {
"locked": {
"lastModified": 1756536218,
"narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=",
"lastModified": 1753432016,
"narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1",
"rev": "6027c30c8e9810896b92429f0092f624f7b1aace",
"type": "github"
},
"original": {
@ -864,11 +863,11 @@
"systems": "systems_4"
},
"locked": {
"lastModified": 1756646417,
"narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=",
"lastModified": 1754137146,
"narHash": "sha256-V2AE32tLNvtYVBuc8ZRbkGjAZGsJchFbNVd6v5JXvg8=",
"owner": "notashelf",
"repo": "nvf",
"rev": "939fb8cfc630190cd5607526f81693525e3d593b",
"rev": "16d396f039ffefabf93b7b3261e2a17e2f84439b",
"type": "github"
},
"original": {
@ -887,11 +886,11 @@
]
},
"locked": {
"lastModified": 1756632588,
"narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=",
"lastModified": 1754241118,
"narHash": "sha256-nsBBqbAFB7lUYIh6S6l7fQ/ALDhCckp7+rqbY2767uE=",
"owner": "nix-community",
"repo": "plasma-manager",
"rev": "d47428e5390d6a5a8f764808a4db15929347cd77",
"rev": "968109159b4bbe4386ac281272ddcebeef09ebfc",
"type": "github"
},
"original": {
@ -902,6 +901,7 @@
},
"root": {
"inputs": {
"disko": "disko",
"erosanix": "erosanix",
"fenix": "fenix",
"firefox": "firefox",
@ -926,11 +926,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1756597274,
"narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=",
"lastModified": 1754218780,
"narHash": "sha256-M+bLCsYRYA7iudlZkeOf+Azm/1TUvihIq51OKia6KJ8=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30",
"rev": "8d75311400a108d7ffe17dc9c38182c566952e6e",
"type": "github"
},
"original": {
@ -967,11 +967,11 @@
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1754988908,
"narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
"lastModified": 1752544651,
"narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
"rev": "2c8def626f54708a9c38a5861866660395bb3461",
"type": "github"
},
"original": {
@ -999,11 +999,11 @@
"tinted-zed": "tinted-zed"
},
"locked": {
"lastModified": 1755997543,
"narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=",
"lastModified": 1754264048,
"narHash": "sha256-Yg1W0sFhBpnglfhWGlFmxzSmte1F157luHAADp5Hguk=",
"owner": "nix-community",
"repo": "stylix",
"rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8",
"rev": "1b5e1c5642cf96e07daf14ae4c5ddd23d7ed5623",
"type": "github"
},
"original": {
@ -1185,19 +1185,18 @@
},
"zen-browser": {
"inputs": {
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_10"
},
"locked": {
"lastModified": 1756876659,
"narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=",
"owner": "0xc000022070",
"lastModified": 1727721329,
"narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=",
"owner": "MarceColl",
"repo": "zen-browser-flake",
"rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529",
"rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc",
"type": "github"
},
"original": {
"owner": "0xc000022070",
"owner": "MarceColl",
"repo": "zen-browser-flake",
"type": "github"
}

50
flake.nix
View file

@ -9,6 +9,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
@ -24,14 +29,14 @@
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
# neovim
nvf.url = "github:notashelf/nvf";
# plymouth theme
nixos-boot.url = "github:Melkor333/nixos-boot";
firefox.url = "github:nix-community/flake-firefox-nightly";
nixos-wsl = {
url = "github:nix-community/nixos-wsl";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "";
};
};
stylix.url = "github:nix-community/stylix";
@ -41,7 +46,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
zen-browser.url = "github:0xc000022070/zen-browser-flake";
# neovim
nvf.url = "github:notashelf/nvf";
# plymouth theme
nixos-boot.url = "github:Melkor333/nixos-boot";
zen-browser.url = "github:MarceColl/zen-browser-flake";
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
@ -63,18 +74,10 @@
url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs";
};
grub2-themes = {
url = "github:vinceliuice/grub2-themes";
};
nixos-wsl = {
url = "github:nix-community/nixos-wsl";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-compat.follows = "";
};
};
};
outputs = inputs: inputs.snowfall-lib.mkFlake {
@ -93,15 +96,8 @@
channels-config = {
allowUnfree = true;
permittedInsecurePackages = [
# Due to *arr stack
"dotnet-sdk-6.0.428"
"aspnetcore-runtime-6.0.36"
# I think this is because of zen
"qtwebengine-5.15.19"
# For Nheko, the matrix client
"olm-3.2.16"
];
};
@ -110,10 +106,10 @@
nix-minecraft.overlay
flux.overlays.default
];
homes.modules = with inputs; [
stylix.homeModules.stylix
plasma-manager.homeModules.plasma-manager
plasma-manager.homeManagerModules.plasma-manager
];
};
}

1
homes/x86_64-linux/chris@manwe/default.nix
View file

@ -35,7 +35,6 @@
bitwarden.enable = true;
discord.enable = true;
ladybird.enable = true;
nheko.enable = true;
obs.enable = true;
onlyoffice.enable = true;
signal.enable = true;

21
homes/x86_64-linux/chris@manwe/secrets.yaml Normal file
View file

@ -0,0 +1,21 @@
user_level_secrets: ENC[AES256_GCM,data:TNT+via+r4bpgROz,iv:cVO6/r4Aovr5uJFhU87mE5XwRJ518y4OJdHo4m92ahM=,tag:jYInD+euh7k1zSnMRppI5Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYVRQTEVSMWM3WXY3eTdW
ZkUwSnNidlJwWGVETURpNUJRRUllYXo4WjNvCmxmN21qVzNFV3N4UVR6WEV1am1W
eW1KTk9HVDluek1BUnBmSGI3Y2ZqaDQKLS0tIHlMYldYMTVORVNWbEgrWlBSanRM
bUZiMHlOU3pxYUhQSTREb0l4TmFlOEkKiasV2H481aJzAvEAvyeWqGYDOW+WKRFX
yyocZDo0o1lHz/gNXoC0/ujU+O3rSXdsy6Qdz6Rm+xeFUfe4KoD4bg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-11T13:21:38Z"
mac: ENC[AES256_GCM,data:kfMcZuYuQqxxfqtyfH7DltSkq8YNz+vroB+ZQKTIpCNC/W6vJP1o23/xLRzdnEgnnH5GfgZQFAK8Am00/bUD2BgEPyXxXNf1lG70ocFbRM9htii92BFfHgfi25zlEqCO7yrudm1HEJyYrFbZnT63H6u1OgWSC38CzEZTBsCE0kU=,iv:feWGBau48s2GSvZjnKPfP2z46SBuHbh//4zzcLv+MTY=,tag:D86akwawLxobhEu2AvBFKg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

24
justfile Normal file
View file

@ -0,0 +1,24 @@
[private]
default:
@just -l
[doc('Update flake dependencies')]
update:
nix flake update
[doc('install nixos on a system (uses nix-anywhere)
> profile: Which profile to use
> host: How to reach the target system in the standard format of `user@host`
')]
install profile host:
nix run nixpkgs#nixos-anywhere -- \
--flake .#{{profile}} \
--generate-hardware-config nixos-generate-config ./hardware-configuration.nix \
{{host}}
[doc('builds the configuration for the host')]
build host:
nh os build . -H {{host}}
edit-secrets target:
sops --config "{{justfile_directory()}}/.sops.yml" edit "{{justfile_directory()}}/{{ if target =~ ".+@.+" { "homes" } else { "systems" } }}/x86_64-linux/{{target}}/secrets.yaml"

15
modules/home/application/nheko/default.nix
View file

@ -1,15 +0,0 @@
{ config, lib, pkgs, namespace, osConfig ? {}, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.application.nheko;
in
{
options.${namespace}.application.nheko = {
enable = mkEnableOption "enable nheko (matrix client)";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ nheko ];
};
}

32
modules/home/application/zen/default.nix
View file

@ -5,15 +5,13 @@ let
cfg = config.${namespace}.application.zen;
in
{
imports = [
inputs.zen-browser.homeModules.default
];
options.${namespace}.application.zen = {
enable = mkEnableOption "enable zen";
};
config = mkIf cfg.enable {
home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ];
home.sessionVariables = {
MOZ_ENABLE_WAYLAND = "1";
};
@ -22,42 +20,20 @@ in
policies = {
AutofillAddressEnabled = true;
AutofillCreditCardEnabled = false;
AppAutoUpdate = false;
DisableAppUpdate = true;
ManualAppUpdateOnly = true;
DisableFeedbackCommands = true;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableTelemetry = true;
DontCheckDefaultBrowser = false;
# DontCheckDefaultBrowser = false;
NoDefaultBookmarks = true;
OfferToSaveLogins = false;
# OfferToSaveLogins = false;
EnableTrackingProtection = {
Value = true;
Locked = true;
Cryptomining = true;
Fingerprinting = true;
};
HttpAllowlist = [
"http://ulmo"
];
};
policies.ExtensionSettings = let
mkExtension = id: {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi";
installation_mode = "force_installed";
};
in
{
ublock_origin = 4531307;
ghostry = 4562168;
bitwarden = 4562769;
sponsorblock = 4541835;
};
};
};

6
modules/home/home-manager/default.nix
View file

@ -4,9 +4,7 @@ let
in
{
systemd.user.startServices = "sd-switch";
programs.home-manager = {
enable = true;
};
programs.home-manager.enable = true;
home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05");
}
}

6
modules/nixos/home-manager/default.nix
View file

@ -1,6 +0,0 @@
{ ... }:
{
config = {
home-manager.backupFileExtension = "back";
};
}

17
modules/nixos/services/authentication/authelia/default.nix → modules/nixos/services/authentication/authelia.nix
View file

@ -130,23 +130,6 @@ in
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
}
{
client_id = "forgejo";
client_name = "forgejo";
# ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
public = false;
require_pkce = true;
pkce_challenge_method = "S256";
token_endpoint_auth_method = "client_secret_post";
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ];
}
];
};
};

1
modules/nixos/services/authentication/default.nix Normal file
View file

@ -0,0 +1 @@
{ ... }: {}

0
modules/nixos/services/authentication/himmelblau/default.nix → modules/nixos/services/authentication/himmelblau.nix
View file

86
modules/nixos/services/authentication/zitadel.nix Normal file
View file

@ -0,0 +1,86 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.authentication.zitadel;
db_name = "zitadel";
db_user = "zitadel";
in
{
options.${namespace}.services.authentication.zitadel = {
enable = mkEnableOption "Zitadel";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
zitadel
];
services = {
zitadel = {
enable = true;
openFirewall = true;
masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
tlsMode = "external";
settings = {
Port = 9092;
Database = {
Host = "/run/postgresql";
# Zitadel will report error if port is not set
Port = 5432;
Database = db_name;
User.Username = db_user;
};
};
steps = {
TestInstance = {
InstanceName = "Zitadel test";
Org = {
Name = "Kruining.eu";
Human = {
UserName = "admin";
Password = "kaas";
};
};
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = {
"auth-z.kruining.eu".extraConfig = ''
reverse_proxy h2c://127.0.0.1:9092
'';
};
# extraConfig = ''
# (auth) {
# forward_auth h2c://127.0.0.1:9092 {
# uri /api/authz/forward-auth
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
# }
# }
# '';
};
};
# Secrets
sops.secrets."zitadel/masterKey" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadel.service" ];
};
};
}

142
modules/nixos/services/authentication/zitadel/default.nix
View file

@ -1,142 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.authentication.zitadel;
db_name = "zitadel";
db_user = "zitadel";
in
{
options.${namespace}.services.authentication.zitadel = {
enable = mkEnableOption "Zitadel";
};
config = mkIf cfg.enable {
${namespace}.services.persistance.postgresql.enable = true;
environment.systemPackages = with pkgs; [
zitadel
];
services = {
zitadel = {
enable = true;
openFirewall = true;
# masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
masterKeyFile = "/var/lib/zitadel/master_key";
tlsMode = "external";
settings = {
Port = 9092;
ExternalDomain = "auth.amarth.cloud";
ExternalPort = 443;
ExternalSecure = true;
Metrics.Type = "otel";
Tracing.Type = "otel";
Telemetry.Enabled = true;
SystemDefaults = {
PasswordHasher.Hasher.Algorithm = "argon2id";
SecretHasher.Hasher.Algorithm = "argon2id";
};
DefaultInstance = {
PasswordComplexityPolicy = {
MinLength = 20;
HasLowercase = false;
HasUppercase = false;
HasNumber = false;
HasSymbol = false;
};
LoginPolicy = {
AllowRegister = false;
ForceMFA = true;
};
LockoutPolicy = {
MaxPasswordAttempts = 5;
MaxOTPAttempts = 10;
};
SMTPConfiguration = {
SMTP = {
Host = "black-mail.nl:587";
User = "info@amarth.cloud";
Password = "__TODO_USE_SOPS__";
};
FromName = "Amarth Zitadel";
};
};
Database.postgres = {
Host = "localhost";
# Zitadel will report error if port is not set
Port = 5432;
Database = db_name;
User = {
Username = db_user;
SSL.Mode = "disable";
};
Admin = {
Username = "postgres";
SSL.Mode = "disable";
};
};
};
steps = {
FirstInstance = {
InstanceName = "auth.amarth.cloud";
Org = {
Name = "Amarth";
Human = {
UserName = "chris";
FirstName = "Chris";
LastName = "Kruining";
Email = {
Address = "chris@kruining.eu";
Verified = true;
};
Password = "KaasIsAwesome1!";
};
};
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = {
"auth.amarth.cloud".extraConfig = ''
reverse_proxy h2c://127.0.0.1:9092
'';
};
extraConfig = ''
(auth-z) {
forward_auth h2c://127.0.0.1:9092 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
};
# Secrets
sops.secrets."zitadel/masterKey" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadel.service" ];
};
};
}

56
modules/nixos/services/communication/conduit/default.nix
View file

@ -1,56 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.communication.conduit;
domain = "matrix.kruining.eu";
in
{
options.${namespace}.services.communication.conduit = {
enable = mkEnableOption "conduit (Matrix server)";
};
config = mkIf cfg.enable {
# ${namespace}.services = {
# persistance.postgresql.enable = true;
# virtualisation.podman.enable = true;
# };
services = {
matrix-conduit = {
enable = true;
settings.global = {
address = "::1";
port = 4001;
database_backend = "rocksdb";
server_name = "chris-matrix";
};
};
# postgresql = {
# enable = true;
# ensureDatabases = [ "conduit" ];
# ensureUsers = [
# {
# name = "conduit";
# ensureDBOwnership = true;
# }
# ];
# };
caddy = {
enable = true;
virtualHosts = {
${domain}.extraConfig = ''
# import auth-z
# reverse_proxy http://127.0.0.1:5002
'';
};
};
};
};
}

169
modules/nixos/services/development/forgejo/default.nix
View file

@ -1,169 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.development.forgejo;
domain = "git.amarth.cloud";
in
{
options.${namespace}.services.development.forgejo = {
enable = mkEnableOption "Forgejo";
};
config = mkIf cfg.enable {
${namespace}.services = {
persistance.postgresql.enable = true;
virtualisation.podman.enable = true;
};
environment.systemPackages = with pkgs; [ forgejo ];
services = {
forgejo = {
enable = true;
useWizard = false;
database.type = "postgres";
settings = {
DEFAULT = {
APP_NAME = "Tamin Amarth";
APP_SLOGAN = "Where code is forged";
};
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
HTTP_PORT = 5002;
LANDING_PAGE = "explore";
};
cors = {
ENABLED = true;
ALLOW_DOMAIN = "https://*.amarth.cloud";
};
security = {
INSTALL_LOCK = true;
PASSWORD_HASH_ALGO = "argon2";
DISABLE_WEBHOOKS = true;
};
ui = {
EXPLORE_PAGING_NUM = 50;
ISSUE_PAGING_NUM = 50;
MEMBERS_PAGING_NUM = 50;
};
"ui.meta" = {
AUTHOR = "Where code is forged!";
DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future";
};
admin = {
USER_DISABLED_FEATURES = "manage_gpg_keys";
EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys";
};
service = {
# Auth
ENABLE_BASIC_AUTHENTICATION = false;
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
# Privacy
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DEFAULT_USER_VISIBILITY = "private";
DEFAULT_ORG_VISIBILITY = "private";
# Common sense
VALID_SITE_URL_SCHEMES = "https";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "https://auth.amarth.cloud";
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto";
};
actions = {
ENABLED = true;
# DEFAULT_ACTIONS_URL = "https://data.forgejo.org";
};
other = {
SHOW_FOOTER_VERSION = false;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
};
api = {
ENABLE_SWAGGER = false;
};
mirror = {
ENABLED = false;
};
session = {
PROVIDER = "db";
COOKIE_SECURE = true;
};
mailer = {
ENABLED = true;
PROTOCOL = "smtp+starttls";
SMTP_ADDR = "black-mail.nl";
SMTP_PORT = 587;
FROM = "info@amarth.cloud";
USER = "info@amarth.cloud";
PASSWD = "__TODO_USE_SOPS__";
};
};
};
openssh.settings.AllowUsers = [ "forgejo" ];
gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = "default";
url = "https://git.amarth.cloud";
# Obtaining the path to the runner token file may differ
# tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
# tokenFile = config.age.secrets.forgejo-runner-token.path;
token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";
labels = [
"default:docker://nixos/nix:latest"
"ubuntu:docker://ubuntu:24-bookworm"
"nix:docker://git.amarth.cloud/amarth/runners/default:latest"
];
settings = {
log.level = "info";
};
};
};
caddy = {
enable = true;
virtualHosts = {
${domain}.extraConfig = ''
# import auth-z
# stupid dumb way to prevent the login page and go to zitadel instead
# be aware that this does not disable local login at all!
# rewrite /user/login /user/oauth2/Zitadel
reverse_proxy http://127.0.0.1:5002
'';
};
};
};
};
}

124
modules/nixos/services/media/default.nix
View file

@ -66,73 +66,33 @@ in
# Services
#=========================================================================
services = let
arrService = {
serviceConf = {
enable = true;
openFirewall = true;
settings = {
auth.AuthenticationMethod = "External";
# postgres = {
# PostgresHost = "localhost";
# PostgresPort = "5432";
# PostgresUser = "media";
# };
};
};
withPort = port: service: service // { settings.server.Port = builtins.toString port; };
withUserAndGroup = service: service // {
user = cfg.user;
group = cfg.group;
};
in {
radarr =
arrService
|> withPort 2001
|> withUserAndGroup;
jellyfin = serviceConf;
radarr = serviceConf;
sonarr = serviceConf;
bazarr = serviceConf;
lidarr = serviceConf;
sonarr =
arrService
|> withPort 2002
|> withUserAndGroup;
lidarr =
arrService
|> withPort 2003
|> withUserAndGroup;
prowlarr =
arrService
|> withPort 2004;
bazarr = {
jellyseerr = {
enable = true;
openFirewall = true;
user = cfg.user;
group = cfg.group;
listenPort = 2005;
};
# port is harcoded in nixpkgs module
jellyfin = {
prowlarr = {
enable = true;
openFirewall = true;
user = cfg.user;
group = cfg.group;
};
flaresolverr = {
enable = true;
openFirewall = true;
port = 2007;
};
qbittorrent = {
enable = true;
openFirewall = true;
webuiPort = 2008;
webuiPort = 5000;
serverConfig = {
LegalNotice.Accepted = true;
@ -142,7 +102,6 @@ in
group = cfg.group;
};
# port is harcoded in nixpkgs module
sabnzbd = {
enable = true;
openFirewall = true;
@ -152,49 +111,46 @@ in
group = cfg.group;
};
# postgresql = {
# enable = true;
# ensureDatabases = [
# "radarr-main" "radarr-log"
# "sonarr-main" "sonarr-log"
# "lidarr-main" "lidarr-log"
# "prowlarr-main" "prowlarr-log"
# ];
# identMap = ''
# media media radarr-main
# media media radarr-log
# media media sonarr-main
# media media sonarr-log
# media media lidarr-main
# media media lidarr-log
# media media prowlarr-main
# media media prowlarr-log
# '';
# ensureUsers = [
# { name = "radarr-main"; ensureDBOwnership = true; }
# { name = "radarr-log"; ensureDBOwnership = true; }
# { name = "sonarr-main"; ensureDBOwnership = true; }
# { name = "sonarr-log"; ensureDBOwnership = true; }
# { name = "lidarr-main"; ensureDBOwnership = true; }
# { name = "lidarr-log"; ensureDBOwnership = true; }
# { name = "prowlarr-main"; ensureDBOwnership = true; }
# { name = "prowlarr-log"; ensureDBOwnership = true; }
# ];
# };
caddy = {
enable = true;
virtualHosts = {
"media.kruining.eu".extraConfig = ''
import auth
reverse_proxy http://127.0.0.1:9494
'';
"jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://[::1]:8096
reverse_proxy http://127.0.0.1:8096
'';
};
};
};
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
${namespace}.services.virtualisation.podman.enable = true;
virtualisation = {
oci-containers = {
backend = "podman";
containers = {
flaresolverr = {
image = "flaresolverr/flaresolverr";
autoStart = true;
ports = [ "127.0.0.1:8191:8191" ];
};
reiverr = {
image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
autoStart = true;
ports = [ "127.0.0.1:9494:9494" ];
volumes = [ "${cfg.path}/reiverr/config:/config" ];
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
};
}

161
modules/nixos/services/media/homer/default.nix
View file

@ -1,161 +0,0 @@
{ config, lib, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.media.homer;
in
{
options.${namespace}.services.media.homer = {
enable = mkEnableOption "Enable homer";
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 2000 ];
services = {
homer = {
enable = true;
virtualHost = {
caddy.enable = true;
domain = "http://:2000";
};
settings = {
title = "Ulmo dashboard";
columns = 4;
connectivityCheck = true;
links = [];
services = [
{
name = "Services";
items = [
{
name = "Zitadel";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg";
tag = "app";
url = "https://auth.amarth.cloud";
target = "_blank";
}
{
name = "Forgejo";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg";
tag = "app";
type = "Gitea";
url = "https://git.amarth.cloud";
target = "_blank";
}
{
name = "Vaultwarden";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg";
type = "Vaultwarden";
tag = "app";
url = "https://vault.kruining.eu";
target = "_blank";
}
];
}
{
name = "Observability";
items = [
{
name = "Grafana";
type = "Grafana";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}";
target = "_blank";
}
{
name = "Prometheus";
type = "Prometheus";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}";
target = "_blank";
}
];
}
{
name = "Media";
items = [
{
name = "Jellyfin (Movies)";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg";
tag = "app";
type = "Emby";
url = "http://${config.networking.hostName}:8096";
apikey = "e3ceed943eeb409ba8342738db7cc1f5";
libraryType = "movies";
target = "_blank";
}
{
name = "Radarr";
type = "Radarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}";
target = "_blank";
}
{
name = "Sonarr";
type = "Sonarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}";
target = "_blank";
}
{
name = "Lidarr";
type = "Lidarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}";
target = "_blank";
}
{
name = "Prowlarr";
type = "Prowlarr";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}";
target = "_blank";
}
{
name = "qBittorrent";
type = "qBittorrent";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg";
tag = "app";
url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}";
target = "_blank";
}
{
name = "SABnzbd";
type = "SABnzbd";
logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg";
tag = "app";
url = "http://${config.networking.hostName}:8080";
target = "_blank";
}
];
}
];
};
};
};
};
}

4
modules/nixos/services/media/nextcloud/default.nix → modules/nixos/services/media/nextcloud.nix
View file

@ -6,7 +6,7 @@ let
cfg = config.${namespace}.services.media.nextcloud;
in
{
options.${namespace}.services.media.nextcloud = {
options.modules.services.nextcloud = {
enable = mkEnableOption "Nextcloud";
user = mkOption {
@ -40,7 +40,7 @@ in
services.nextcloud = {
enable = true;
# webserver = "caddy";
webserver = "caddy";
package = pkgs.nextcloud31;
hostName = "localhost";

4
modules/nixos/services/media/nfs/default.nix → modules/nixos/services/media/nfs.nix
View file

@ -2,10 +2,10 @@
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.media.nfs;
cfg = config.${namespace}.media.nfs;
in
{
options.${namespace}.services.media.nfs = {
options.${namespace}.media.nfs = {
enable = mkEnableOption "Enable NFS";
};

7
modules/nixos/services/observability/grafana/dashboards/default.json
View file

@ -1,7 +0,0 @@
{
"title": "Default Dash",
"description": "The default dashboard",
"timezone": "browser",
"editable": false,
"panels": []
}

130
modules/nixos/services/observability/grafana/default.nix
View file

@ -1,130 +0,0 @@
{ pkgs, config, lib, namespace, ... }:
let
inherit (lib.modules) mkIf;
inherit (lib.options) mkEnableOption;
cfg = config.${namespace}.services.observability.grafana;
db_user = "grafana";
db_name = "grafana";
in
{
options.${namespace}.services.observability.grafana = {
enable = mkEnableOption "enable Grafana";
};
config = mkIf cfg.enable {
services = {
grafana = {
enable = true;
openFirewall = true;
settings = {
server = {
http_port = 9001;
http_addr = "0.0.0.0";
domain = "ulmo";
};
auth = {
disable_login_form = false;
oauth_auto_login = true;
};
"auth.basic".enable = false;
"auth.generic_oauth" = {
enable = true;
name = "Zitadel";
client_id = "334170712283611395";
client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1";
scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles";
email_attribute_path = "email";
login_attribute_path = "username";
name_attribute_path = "full_name";
role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'";
auth_url = "https://auth.amarth.cloud/oauth/v2/authorize";
token_url = "https://auth.amarth.cloud/oauth/v2/token";
api_url = "https://auth.amarth.cloud/oidc/v1/userinfo";
allow_sign_up = true;
auto_login = true;
use_pkce = true;
usr_refresh_token = true;
allow_assign_grafana_admin = true;
};
database = {
type = "postgres";
host = "/var/run/postgresql:5432";
name = db_name;
user = db_user;
ssl_mode = "disable";
};
users = {
allow_sign_up = false;
allow_org_create = false;
viewers_can_edit = false;
default_theme = "system";
};
analytics = {
reporting_enabled = false;
check_for_updates = false;
check_for_plugin_updates = false;
feedback_links_enabled = false;
};
};
provision = {
enable = true;
dashboards.settings = {
apiVersion = 1;
providers = [
{
name = "Default Dashboard";
disableDeletion = true;
allowUiUpdates = false;
options = {
path = "/etc/grafana/dashboards";
foldersFromFilesStructure = true;
};
}
];
};
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://localhost:9005";
isDefault = true;
editable = false;
}
{
name = "Loki";
type = "loki";
url = "http://localhost:9003";
editable = false;
}
];
};
};
postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
};
environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json;
};
}

49
modules/nixos/services/observability/loki/default.nix
View file

@ -1,49 +0,0 @@
{ pkgs, config, lib, namespace, ... }:
let
inherit (lib.modules) mkIf;
inherit (lib.options) mkEnableOption;
cfg = config.${namespace}.services.observability.loki;
in
{
options.${namespace}.services.observability.loki = {
enable = mkEnableOption "enable Grafana Loki";
};
config = mkIf cfg.enable {
services.loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 9003;
};
common = {
ring = {
instance_addr = "127.0.0.1";
kvstore.store = "inmmemory";
};
replication_factor = 1;
path_prefix = "/tmp/loki";
};
schema_config.configs = [
{
from = "2025-01-01";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
};
networking.firewall.allowedTCPPorts = [ 9003 ];
};
}

48
modules/nixos/services/observability/prometheus/default.nix
View file

@ -1,48 +0,0 @@
{ pkgs, config, lib, namespace, ... }:
let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.observability.prometheus;
in
{
options.${namespace}.services.observability.prometheus = {
enable = mkEnableOption "enable Prometheus";
};
config = mkIf cfg.enable {
services.prometheus = {
enable = true;
port = 9002;
globalConfig.scrape_interval = "15s";
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = [
{ targets = [ "localhost:9002" ]; }
];
}
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
exporters = {
node = {
enable = true;
port = 9005;
enabledCollectors = [ "systemd" ];
openFirewall = true;
};
};
};
networking.firewall.allowedTCPPorts = [ 9002 ];
};
}

56
modules/nixos/services/observability/promtail/default.nix
View file

@ -1,56 +0,0 @@
{ pkgs, config, lib, namespace, ... }:
let
inherit (lib.modules) mkIf;
inherit (lib.options) mkEnableOption;
cfg = config.${namespace}.services.observability.promtail;
in
{
options.${namespace}.services.observability.promtail = {
enable = mkEnableOption "enable Grafana Promtail";
};
config = mkIf cfg.enable {
services.promtail = {
enable = true;
# Ensures proper permissions
extraFlags = [
"-config.expand-env=true"
];
configuration = {
server = {
http_listen_port = 9004;
grpc_listen_port = 0;
};
positions = {
filename = "filename";
};
clients = {
url = "http://127.0.0.1:3100/loki/api/v1/push";
};
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "ulmo";
};
};
relabel_configs = [
{ source_labels = [ "__journal__systemd_unit" ]; target_label = "unit"; }
];
}
];
};
};
networking.firewall.allowedTCPPorts = [ 9004 ];
};
}

26
modules/nixos/services/persistance/postgesql/default.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, namespace, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.${namespace}.services.persistance.postgresql;
in
{
options.${namespace}.services.persistance.postgresql = {
enable = mkEnableOption "Postgresql";
};
config = mkIf cfg.enable {
services = {
postgresql = {
enable = true;
authentication = ''
# Generated file, do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
};
};
}

86
modules/nixos/services/security/vaultwarden/default.nix
View file

@ -1,7 +1,7 @@
{ pkgs, config, lib, namespace, ... }:
let
inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption;
inherit (lib.modules) mkIf;
inherit (lib.options) mkEnableOption;
cfg = config.${namespace}.services.security.vaultwarden;
in
@ -11,82 +11,18 @@ in
};
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
environment.systemPackages = with pkgs; [
vaultwarden
vaultwarden-postgresql
];
services = {
vaultwarden = {
enable = true;
dbBackend = "postgresql";
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
package = pkgs.${namespace}.vaultwarden;
config = {
SIGNUPS_ALLOWED = false;
DOMAIN = "https://vault.kruining.eu";
ADMIN_TOKEN = "";
DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";
WEB_VAULT_ENABLED = true;
SSO_ENABLED = true;
SSO_ONLY = true;
SSO_PKCE = true;
SSO_AUTH_ONLY_NOT_SESSION = false;
SSO_ROLES_ENABLED = true;
SSO_ORGANIZATIONS_ENABLED = true;
SSO_ORGANIZATIONS_REVOCATION = true;
SSO_AUTHORITY = "https://auth.amarth.cloud/";
SSO_SCOPES = "email profile offline_access";
SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
SSO_CLIENT_ID = "335178854421299459";
SSO_CLIENT_SECRET = "";
ROCKET_ADDRESS = "::1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
SMTP_HOST = "black-mail.nl";
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_USERNAME = "info@amarth.cloud";
SMTP_PASSWORD = "";
SMTP_FROM = "info@amarth.cloud";
SMTP_FROM_NAME = "Chris' Vaultwarden";
};
};
postgresql = {
enable = true;
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = {
"vault.kruining.eu".extraConfig = ''
encode zstd gzip
handle_path /admin {
respond 401 {
close
}
}
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
};
config = {
SIGNUPS_ALLOWED = false;
DOMAIN = "https://passwords.kruining.eu";
};
};
};

1
modules/nixos/services/virtualisation/podman/default.nix
View file

@ -12,7 +12,6 @@ in
config = mkIf cfg.enable {
virtualisation = {
containers.enable = true;
oci-containers.backend = "podman";
podman = {
enable = true;

6
modules/nixos/system/security/sops/default.nix
View file

@ -13,10 +13,10 @@ in
environment.systemPackages = with pkgs; [ sops ];
sops = {
defaultSopsFile = ../../../../../_secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/.sops-key.age";
age.keyFile = "/home/";
defaultSopsFile = ../../../../systems/x86_64-linux/${config.networking.hostName}/secrets.yaml;
defaultSopsFormat = "yaml";
};
};
}

5
modules/nixos/system/security/sudo/default.nix
View file

@ -14,8 +14,9 @@ in
sudo-rs = {
enable = true;
execWheelOnly = true;
extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"'';
extraConfig = ''
Defaults env_keep += "EDITOR PATH DISPLAY"
'';
};
};
};

29
packages/vaultwarden/default.nix
View file

@ -1,29 +0,0 @@
{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }:
rustPlatform.buildRustPackage rec {
pname = "vaultwarden";
version = "1.34.3";
src = fetchFromGitHub {
owner = "Timshel";
repo = "vaultwarden";
rev = "1.34.3";
hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0=";
};
cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE=";
# used for "Server Installed" version in admin panel
env.VW_VERSION = version;
nativeBuildInputs = [ pkg-config ];
buildInputs =
[ openssl ]
++ lib.optional (dbBackend == "postgresql") postgresql;
buildFeatures = dbBackend;
meta = with lib; {
license = licenses.agpl3Only;
mainProgram = "vaultwarden";
};
}

5
systems/x86_64-linux/manwe/README.md
View file

@ -1,8 +1,3 @@
# Description
<<<<<<< HEAD
My steambox.
=======
My desktop, reasoning for the name being the following chain of thought:
**Manwe -> the king of the valar -> leader -> desktop is main machine**
>>>>>>> 72b0f6f8fad97a4ade1b54dfada26828a170febf

71
systems/x86_64-linux/manwe/disks.nix
View file

@ -1,34 +1,59 @@
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, pkgs, modulesPath, inputs, ... }:
let
inherit (lib.modules) mkDefault;
in
{
# TODO :: Implement disko at some point
imports = [
inputs.disko.nixosModules.disko
];
swapDevices = [];
config = {
swapDevices = [];
boot.supportedFilesystems = [ "nfs" ];
fileSystems = {
"/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
boot.supportedFilesystems = [ "nfs" ];
disko.devices = {
disk = {
main = {
device = "/dev/nvme0";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
size = "100M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
fileSystems = {
"/home/chris/media" = {
device = "ulmo:/";
fsType = "nfs";
};
"/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
"/home/chris/media" = {
device = "ulmo:/";
fsType = "nfs";
};
"/home/chris/mandos" = {
device = "mandos:/";
fsType = "nfs";
"/home/chris/mandos" = {
device = "mandos:/";
fsType = "nfs";
};
};
};
}

31
systems/x86_64-linux/manwe/secrets.yaml Normal file
View file

@ -0,0 +1,31 @@
zitadel:
masterKey: ENC[AES256_GCM,data:iSeZOloWLrdP8S+ac7ubIcv9TF3Sm8Ni,iv:8v3/ratFQ5vq2rbZOUMKfPhVTA9uQY2eFQU4IR8s3VU=,tag:9y90aDQ2PfFT//X2i2YvvA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10c5hmykkduvy75yvqfnchm5lcesr5puarhkwp4l7xdwpykdm397q6xdxuy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4R0UyWmx5L3hCbGhQVXI0
NmpkMThPVlgrRHZZMnFrNTAwbzVTY1F6NEVVCjJaRHdhbHV6R1RJM2JIQzc3dkNu
a01FYlM3b1dXbmxGN2tWU3FMdXMveG8KLS0tIG1SSjNXdXZNN2ZyQ2UyZ0pIZXJJ
NmpMS2oySFE1S1RER3J1RGl4MlRQK00Ks+PcxcHmygYz+a+d0ZrzrdUpTQ50NYkA
aDFbtRtukn9e7i3bGUyD4nisSvs4YjfoQxR/pC8hs4k3f5V2jwDh2w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ewes0f5snqx3sh5ul6fa6qtxzhd25829v6mf5rx2wnheat6fefps5rme2x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTN4clFoWDNwU2lpaHBn
M2pVeU5oM0JRNmp6NEJjQ3BHeWlzeSs3bTI0CnBocngvbzZQUXBsMG9Oc2J6dlBT
MjdtaFdmOHg5ZmZmSkViWGJFYThQYXcKLS0tIFRNd2JiVlFTREtDMTdzR2V0SlVo
Q0d5ZDVDM05LdFp4UnB4dFRPUm5vU0UKR/MAONEWaT6XXyPB1IrSIKqW5PZNIbuB
n7QX3DJIzlajtmq+82/wPFPTBkLvSSjV5FKL5ErMwTDndcIn+NlOhQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-11T13:11:00Z"
mac: ENC[AES256_GCM,data:P34YsR/Rvc3q4Os5n9hxonJLCXwifMRnKOCM59h5MRMT/aqjl+QlBX+oUADsqDSrhUscQb3N/UlpFeOT6qg+FmJbT/mYMH6v1xK16VD0M7VWydXpmjDu5If+O89lgDHsiEOGDgeR04jkiaY0yzT9U8l9CND5fMvF3I9o5Z1SZQk=,iv:NgUD8gB2bQa5vh0nb0Ngqp5dn0yqskHudWo8xoVjM4Q=,tag:5oTcnailDCHeMvMLz63e1w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

19
systems/x86_64-linux/ulmo/default.nix
View file

@ -7,27 +7,8 @@
sneeuwvlok = {
services = {
authentication.authelia.enable = true;
authentication.zitadel.enable = true;
communication.conduit.enable = true;
development.forgejo.enable = true;
networking.ssh.enable = true;
media.enable = true;
media.homer.enable = true;
media.nfs.enable = true;
observability = {
grafana.enable = true;
prometheus.enable = true;
loki.enable = true;
promtail.enable = true;
};
security.vaultwarden.enable = true;
};
editor = {