jordan/nix-config
1
1
Fork 0
Code Issues 10 Pull Requests Actions Projects 3 Wiki Activity

Compare commits

base: jordan:zitadel
Branches Tags
jordan:master jordan:hass jordan:immich jordan:zitadel jordan:skycam jordan:24.05 jordan:lunarvim jordan:matrix jordan:docs jordan:vps1 jordan:wallpapers jordan:fix-odyssey-nix-store
..
compare: jordan:36a6ccf65c8f19d8cd5b37c187125c44f7ecf402
Branches Tags
jordan:master jordan:hass jordan:immich jordan:zitadel jordan:skycam jordan:24.05 jordan:lunarvim jordan:matrix jordan:docs jordan:vps1 jordan:wallpapers jordan:fix-odyssey-nix-store

9 Commits
zitadel ... 36a6ccf65c

Author SHA1 Message Date
Jordan Holt
36a6ccf65c flake.lock: Update
All checks were successful
Check flake / build-amd64-linux (push) Successful in 3m1s
Details 
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed' (2024-08-08)
  → 'github:nix-community/disko/0d510fe40b56ed74907a021d7e1ffd0042592914' (2024-08-12)
• Updated input 'nixvim':
    'github:nix-community/nixvim/170df9814c3e41d5a4d6e3339e611801b1f02ce2' (2024-08-06)
  → 'github:nix-community/nixvim/fe5ca4919c07c06fd75b7f6d247f95b1030ae095' (2024-08-10)
• Updated input 'nixvim/git-hooks':
    'github:cachix/git-hooks.nix/06939f6b7ec4d4f465bf3132a05367cccbbf64da' (2024-08-05)
  → 'github:cachix/git-hooks.nix/c7012d0c18567c889b948781bc74a501e92275d1' (2024-08-09)
• Updated input 'plasma-manager':
    'github:nix-community/plasma-manager/f843f4258eea57c5ba60f6ce1d96d12d6494b56e' (2024-08-11)
  → 'github:nix-community/plasma-manager/b3b9d4ce20d75319c20a7faada08ad9135a1f008' (2024-08-12)
 2024-08-12 21:14:23 +01:00
Jordan Holt
2def8145b4 Only deploy non-Pi servers 2024-08-12 21:13:57 +01:00
Jordan Holt
413869266e Add kanidm
Some checks failed
Check flake / build-amd64-linux (push) Has been cancelled
Details
2024-08-12 20:56:11 +01:00
Jordan Holt
0cb2740a86 Revert "Add authentik" 
This reverts commit 8ca88da93a.
 2024-08-12 19:44:59 +01:00
Jordan Holt
3a77365452 Add tailscale resolver for skycam 2024-08-12 19:44:30 +01:00
Jordan Holt
8ca88da93a Add authentik
All checks were successful
Check flake / build-amd64-linux (push) Successful in 5m44s
Details
2024-08-12 00:10:54 +01:00
Jordan Holt
cf6898565b flake.lock: Update 
Flake lock file updates:

• Updated input 'secrets':
    'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=2725922f5ed145f060e840c93ad5f73606eddb28' (2024-08-11)
  → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=db951141cab2de0b4176f4f6fc42a50b30dd3950' (2024-08-11)
 2024-08-11 23:23:46 +01:00
Jordan Holt
cc97ede099 flake.lock: Update 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/3f1dae074a12feb7327b4bf43cbac0d124488bb7' (2024-07-30)
  → 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41' (2024-08-10)
• Added input 'authentik-nix':
    'github:nix-community/authentik-nix/80fc87361809f78b8a8cd7e57a14b66a726379ef' (2024-08-05)
• Added input 'authentik-nix/authentik-src':
    'github:goauthentik/authentik/8f207c75046d722c17dee2bcf65fa386b06f5b9a' (2024-08-05)
• Added input 'authentik-nix/flake-compat':
    'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04)
• Added input 'authentik-nix/flake-parts':
    'github:hercules-ci/flake-parts/c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9' (2024-06-30)
• Added input 'authentik-nix/flake-parts/nixpkgs-lib':
    'eb9ceca17d.tar.gz?narHash=sha256-lIbdfCsf8LMFloheeE6N31%2BBMIeixqyQWbSr2vk79EQ%3D' (2024-06-01)
• Added input 'authentik-nix/flake-utils':
    'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11)
• Added input 'authentik-nix/flake-utils/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Added input 'authentik-nix/napalm':
    'github:nix-community/napalm/e1babff744cd278b56abe8478008b4a9e23036cf' (2024-06-09)
• Added input 'authentik-nix/napalm/flake-utils':
    follows 'authentik-nix/flake-utils'
• Added input 'authentik-nix/napalm/nixpkgs':
    follows 'authentik-nix/nixpkgs'
• Added input 'authentik-nix/nixpkgs':
    'github:NixOS/nixpkgs/feb2849fdeb70028c70d73b848214b00d324a497' (2024-07-09)
• Added input 'authentik-nix/poetry2nix':
    'github:nix-community/poetry2nix/4fd045cdb85f2a0173021a4717dc01d92d7ab2b2' (2024-06-28)
• Added input 'authentik-nix/poetry2nix/flake-utils':
    follows 'authentik-nix/flake-utils'
• Added input 'authentik-nix/poetry2nix/nix-github-actions':
    'github:nix-community/nix-github-actions/5163432afc817cf8bd1f031418d1869e4c9d5547' (2023-12-29)
• Added input 'authentik-nix/poetry2nix/nix-github-actions/nixpkgs':
    follows 'authentik-nix/poetry2nix/nixpkgs'
• Added input 'authentik-nix/poetry2nix/nixpkgs':
    follows 'authentik-nix/nixpkgs'
• Added input 'authentik-nix/poetry2nix/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Added input 'authentik-nix/poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/68eb1dc333ce82d0ab0c0357363ea17c31ea1f81' (2024-06-16)
• Added input 'authentik-nix/poetry2nix/treefmt-nix/nixpkgs':
    follows 'authentik-nix/poetry2nix/nixpkgs'
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/107bb46eef1f05e86fc485ee8af9b637e5157988' (2024-08-08)
  → 'github:NixOS/nixos-hardware/c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf' (2024-08-10)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/21cc704b5e918c5fbf4f9fff22b4ac2681706d90' (2024-08-06)
  → 'github:NixOS/nixpkgs/a781ff33ae258bbcfd4ed6e673860c3e923bf2cc' (2024-08-10)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/cb9a96f23c491c081b38eab96d22fa958043c9fa' (2024-08-04)
  → 'github:NixOS/nixpkgs/5e0ca22929f3342b19569b21b2f3462f053e497b' (2024-08-09)
• Updated input 'plasma-manager':
    'github:nix-community/plasma-manager/22bea90404c5ff6457913a03c1a54a3caa5b1c57' (2024-08-09)
  → 'github:nix-community/plasma-manager/f843f4258eea57c5ba60f6ce1d96d12d6494b56e' (2024-08-11)
• Updated input 'secrets':
    'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=dfe0e95be5ef539bf28602ff47beeea26cc4d1b8' (2024-08-03)
  → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=2725922f5ed145f060e840c93ad5f73606eddb28' (2024-08-11)
 2024-08-11 23:05:46 +01:00
Jordan Holt
6ddb31c36f Evaluate skycam upstream at runtime
All checks were successful
Check flake / build-amd64-linux (push) Successful in 2m52s
Details
2024-08-11 22:27:45 +01:00
11 changed files with 56 additions and 97 deletions
Expand all files Collapse all files

32
flake.lock generated
View File

@@ -107,11 +107,11 @@
]
},
"locked": {
"lastModified": 1723080788,
"narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
"lastModified": 1723426710,
"narHash": "sha256-yrS9al6l3fYfFfvovnyBWnyELDQOdfKyai4K/jKgoBw=",
"owner": "nix-community",
"repo": "disko",
"rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
"rev": "0d510fe40b56ed74907a021d7e1ffd0042592914",
"type": "github"
},
"original": {
@@ -233,11 +233,11 @@
]
},
"locked": {
"lastModified": 1722857853,
"narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=",
"lastModified": 1723202784,
"narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da",
"rev": "c7012d0c18567c889b948781bc74a501e92275d1",
"type": "github"
},
"original": {
@@ -517,11 +517,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1722925293,
"narHash": "sha256-saXm5dd/e3PMsYTEcp1Qbzifm3KsZtNFkrWjmLhXHGE=",
"lastModified": 1723292996,
"narHash": "sha256-OdIiDIQGOMEE/FEsKmZU07lGACUD8yGGI62ydZbJEVs=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "170df9814c3e41d5a4d6e3339e611801b1f02ce2",
"rev": "fe5ca4919c07c06fd75b7f6d247f95b1030ae095",
"type": "github"
},
"original": {
@@ -541,11 +541,11 @@
]
},
"locked": {
"lastModified": 1723232379,
"narHash": "sha256-F4Y3f9305aHGWKqAd3s2GyNRONdpDBuNuK4TCSdaHz8=",
"lastModified": 1723483411,
"narHash": "sha256-h6F9JK9PrrTmt5WgsZChLCn7ECk+G/cYJL2CuQVY/Cc=",
"owner": "nix-community",
"repo": "plasma-manager",
"rev": "22bea90404c5ff6457913a03c1a54a3caa5b1c57",
"rev": "b3b9d4ce20d75319c20a7faada08ad9135a1f008",
"type": "github"
},
"original": {
@@ -576,11 +576,11 @@
"secrets": {
"flake": false,
"locked": {
"lastModified": 1723385164,
"narHash": "sha256-/z4nBwpHsGWl1gmGv7FQQgoOcPwUaVzL7rfjI5nTOLg=",
"lastModified": 1723415003,
"narHash": "sha256-zSzDvI0sHayG5se7ALXhJhl41tConoWYbdqeow6OmBo=",
"ref": "refs/heads/master",
"rev": "b47efe67031e12a2d5560b94fdb4de7dca3df80c",
"revCount": 24,
"rev": "db951141cab2de0b4176f4f6fc42a50b30dd3950",
"revCount": 26,
"type": "git",
"url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
},

7
flake.nix
View File

@@ -112,7 +112,12 @@
magicRollback = true;
autoRollback = true;
sshUser = "root";
nodes = lib.genAttrs [ "mail" "pi" "skycam" "vps1" ] mkDeployNode;
nodes = lib.genAttrs [
"mail"
# "pi"
# "skycam"
"vps1"
] mkDeployNode;
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

2
hosts/desktop.nix
View File

@@ -6,7 +6,7 @@
];
nixpkgs.overlays = [
(import ../overlays/gnome)
(import ../overlays/gnome.nix)
];
services.printing.enable = true;

2
hosts/skycam/default.nix
View File

@@ -55,7 +55,7 @@
'';
nixpkgs.overlays = [
(import ./../../overlays/libcamera)
(import ./../../overlays/libcamera.nix)
];
networking = {

103
hosts/vps1/default.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, self, ... }:
{ config, lib, ... }:
{
imports = [
@@ -37,91 +37,42 @@
groups = {
jellyfin = { };
};
extraGroups.acme.members = [ "kanidm" "nginx" ];
};
services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
services.postgresql = {
ensureUsers = [
{
name = "zitadel";
ensureDBOwnership = true;
ensureClauses = {
superuser = true;
};
}
];
ensureDatabases = [ "zitadel" ];
security.acme.certs."auth.vimium.com" = {
postRun = "systemctl restart kanidm.service";
group = "acme";
};
age.secrets."files/services/zitadel/masterkey" = {
file = "${self.inputs.secrets}/files/services/zitadel/masterkey.age";
owner = "zitadel";
group = "zitadel";
};
systemd.services.zitadel = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
services.zitadel = {
enable = true;
masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
settings = {
Database.postgres = {
Host = "/run/postgresql";
Port = 5432;
Database = "zitadel";
User = {
Username = "zitadel";
SSL.Mode = "disable";
};
Admin = {
ExistingDatabase = "zitadel";
Username = "zitadel";
SSL.Mode = "disable";
};
};
ExternalDomain = "id.vimium.com";
ExternalPort = 443;
ExternalSecure = true;
Machine = {
Identification = {
Hostname.Enabled = true;
PrivateIp.Enabled = false;
Webhook.Enabled = false;
};
};
Port = 8081;
WebAuthNName = "Vimium";
services.kanidm = let
baseDomain = "vimium.com";
domain = "auth.${baseDomain}";
uri = "https://${domain}";
in {
enableClient = true;
enableServer = true;
clientSettings = {
inherit uri;
};
steps.FirstInstance = {
InstanceName = "Vimium";
Org.Name = "Vimium";
Org.Human = {
UserName = "jordan@vimium.com";
FirstName = "Jordan";
LastName = "Holt";
Email = {
Address = "jordan@vimium.com";
Verified = true;
};
Password = "Password1!";
PasswordChangeRequired = true;
};
LoginPolicy.AllowRegister = false;
serverSettings = {
bindaddress = "[::1]:3013";
domain = baseDomain;
origin = uri;
tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
};
};
services.nginx.virtualHosts."id.vimium.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
extraConfig = ''
grpc_pass grpc://localhost:${builtins.toString config.services.zitadel.settings.Port};
grpc_set_header Host $host:$server_port;
'';
services.nginx.virtualHosts = {
"auth.vimium.com" = {
useACMEHost = "auth.vimium.com";
forceSSL = true;
locations."/" = {
proxyPass = "https://[::1]:3013";
};
};
};

1
modules/databases/postgresql.nix
View File

@@ -17,7 +17,6 @@ in {
config = lib.mkIf cfg.enable {
services.postgresql = {
enable = true;
enableJIT = true;
initdbArgs = [
"--allow-group-access"
"--encoding=UTF8"

6
modules/services/nginx/default.nix
View File

@@ -118,8 +118,12 @@ in {
serverAliases = [ "www.jdholt.com" ];
extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
locations."/skycam/snapshot.jpg" = {
proxyPass = "http://skycam.mesh.vimium.net:8080/snapshot";
extraConfig = ''
set $backend "skycam.mesh.vimium.net:8080";
resolver 100.100.100.100;
proxy_pass http://$backend/snapshot;
proxy_cache skycam_cache;
proxy_cache_valid any 10s;
proxy_ignore_headers Cache-Control Expires Set-Cookie;

0
overlays/libcamera/0001-Ignore-IPA-signing.patch → overlays/0001-Ignore-IPA-signing.patch
View File

0
overlays/libcamera/0001-Remove-relative-config-lookups.patch → overlays/0001-Remove-relative-config-lookups.patch
View File

0
overlays/gnome/default.nix → overlays/gnome.nix
View File

0
overlays/libcamera/default.nix → overlays/libcamera.nix
View File