diff --git a/config/services/firefly.nix b/config/services/firefly.nix index 9d27365..5c629cc 100644 --- a/config/services/firefly.nix +++ b/config/services/firefly.nix @@ -1,24 +1,31 @@ { config, + nodes, lib, ... }: { - imports = [../../modules/fireflyIII.nix]; - wireguard.elisabeth = { client.via = "elisabeth"; firewallRuleForNode.elisabeth.allowedTCPPorts = [80]; }; + age.secrets.appKey = { + generator.script = _: '' + echo "base64:$(head -c 32 /dev/urandom | base64)" + ''; + owner = "firefly-iii"; + }; + services.firefly-iii = { enable = true; + enableNginx = true; virtualHost = "money.${config.secrets.secrets.global.domains.web}"; settings = { - APP_URL = "https://money.${config.secrets.secrets.global.domains.web}"; + APP_URL = lib.mkForce "https://money.${config.secrets.secrets.global.domains.web}"; TZ = "Europe/Berlin"; - TRUSTED_PROXIES = lib.trace "fix" "*"; + TRUSTED_PROXIES = nodes.elisabeth.config.wireguard.elisabeth.ipv4; SITE_OWNER = "firefly-admin@${config.secrets.secrets.global.domains.mail_public}"; - APP_KEY = lib.trace "fix" "ctiectiectiectctiectiectiectieie"; + APP_KEY_FILE = config.age.secrets.appKey.path; }; }; diff --git a/config/services/netbird.nix b/config/services/netbird.nix index 3562b8e..57f8b23 100644 --- a/config/services/netbird.nix +++ b/config/services/netbird.nix 
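Review bot: The new `age.secrets.appKey` generator produces the right shape for a Laravel application key but nothing says so; add a comment above `generator.script` such as `# Laravel APP_KEY: "base64:" prefix followed by 32 random bytes, base64-encoded`. The secret declares only `owner = "firefly-iii"` with no visible `mode`/`group`, so it cannot be confirmed from this hunk that both the PHP-FPM pool and the setup service that read `APP_KEY_FILE` run as that user — worth checking rather than assuming the default mode suffices. Replacing the `"*"` wildcard in `TRUSTED_PROXIES` with `nodes.elisabeth.config.wireguard.elisabeth.ipv4` is the right direction, since only the reverse proxy's WireGuard address can now set forwarded-for headers; if elisabeth also reaches this guest over another address, that address would need listing too. The closing `}` of the module is not visible in the hunk text as extracted.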
@@ -1,30 +1,68 @@ -{config, ...}: { - imports = [ - ../../modules/netbird-server.nix - ../../modules/netbird-dashboard.nix - ]; +{ + config, + lib, + ... +}: { wireguard.elisabeth = { client.via = "elisabeth"; firewallRuleForNode.elisabeth.allowedTCPPorts = [80 3000 3001]; }; + age.secrets.coturnPassword = { + generator.script = "alnum"; + group = "netbird"; + }; + + age.secrets.coturnSecret = { + generator.script = "alnum"; + group = "netbird"; + }; + + age.secrets.dataEnc = { + generator.script = "alnum"; + group = "netbird"; + }; + networking.firewall.allowedTCPPorts = [80 3000 3001]; networking.firewall.allowedUDPPorts = [3478]; - services.netbird-dashboard = { - enable = true; - enableNginx = true; - domain = "netbird.${config.secrets.secrets.global.domains.web}"; - settings = { - AUTH_AUTHORITY = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird"; + services.netbird = { + server = { + enable = true; + domain = "netbird.${config.secrets.secrets.global.domains.web}"; + + dashboard = { + enableNginx = lib.mkForce true; + settings = { + AUTH_AUTHORITY = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird"; + }; + }; + + coturn = { + enable = true; + passwordFile = config.age.secrets.coturnPassword.path; + }; + + management = { + port = 3000; + dnsDomain = "internal.${config.secrets.secrets.global.domains.web}"; + singleAccountModeDomain = "netbird.patrick"; + oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration"; + settings = { + TURNConfig = { + Secret._secret = config.age.secrets.coturnSecret.path; + # TODO I think this is broken + Turns = [ + { + Password._secret = config.age.secrets.coturnPassword.path; + } + ]; + }; + DataStoreEncryptionKey._secret = config.age.secrets.dataEnc.path; + }; + }; }; }; - services.netbird-server = { - enableCoturn = true; - enable = true; - domain = 
"netbird.${config.secrets.secrets.global.domains.web}"; - oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration"; - singleAccountModeDomain = "netbird.patrick"; - }; + security.acme.certs = lib.mkForce {}; environment.persistence."/persist".directories = [ { directory = "/var/lib/netbird-mgmt"; diff --git a/flake.lock b/flake.lock index 9422a61..ac30f03 100644 --- a/flake.lock +++ b/flake.lock @@ -37,11 +37,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1712180480, - "narHash": "sha256-fmjbIcYT4Hj/Tow004I9FKz/DbIYRjTDOPDRXaddt08=", + "lastModified": 1713903302, + "narHash": "sha256-qPy0BYFTenmyG4EU+oXej0V/i4jSsVvWbGGrv9Sb0kQ=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "85df729446fca1b9f22097b03e0ae2427c3246e2", + "rev": "8da0392e75373711604a07907de25ec9d5277384", "type": "github" }, "original": { @@ -68,39 +68,6 @@ "type": "github" } }, - "base16-alacritty": { - "flake": false, - "locked": { - "lastModified": 1703982197, - "narHash": "sha256-TNxKbwdiUXGi4Z4chT72l3mt3GSvOcz6NZsUH8bQU/k=", - "owner": "aarowill", - "repo": "base16-alacritty", - "rev": "c95c200b3af739708455a03b5d185d3d2d263c6e", - "type": "github" - }, - "original": { - "owner": "aarowill", - "repo": "base16-alacritty", - "type": "github" - } - }, - "base16-alacritty-yaml": { - "flake": false, - "locked": { - "lastModified": 1674275109, - "narHash": "sha256-Adwx9yP70I6mJrjjODOgZJjt4OPPe8gJu7UuBboXO4M=", - "owner": "aarowill", - "repo": "base16-alacritty", - "rev": "63d8ae5dfefe5db825dd4c699d0cdc2fc2c3eaf7", - "type": "github" - }, - "original": { - "owner": "aarowill", - "repo": "base16-alacritty", - "rev": "63d8ae5dfefe5db825dd4c699d0cdc2fc2c3eaf7", - "type": "github" - } - }, "base16-fish": { "flake": false, "locked": { 
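Review bot: `coturnPassword` is consumed by two different services in the new `services.netbird.server` block — `coturn.passwordFile` and `management.settings.TURNConfig.Turns[].Password._secret` — yet the secret declares only `group = "netbird"` with no `mode`, and coturn does not obviously run as a member of that group; confirm both readers can open the file (or that the module hands it over by another path) before assuming the `# TODO I think this is broken` comment concerns something else. That TODO should state what is suspected to fail, e.g. `# TODO: verify the management service resolves Turns[].Password._secret and that the secret's mode grants group read`. `security.acme.certs = lib.mkForce {};` silently discards every certificate the module may define; a one-line comment naming where TLS is terminated instead (presumably on elisabeth via the WireGuard route declared above) would document why plain port 80 is acceptable on this guest. The enclosing module continues past the hunk with the `environment.persistence` lines.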
@@ -303,11 +270,11 @@ ] }, "locked": { - "lastModified": 1711099426, - "narHash": "sha256-HzpgM/wc3aqpnHJJ2oDqPBkNsqWbW0WfWUO8lKu8nGk=", + "lastModified": 1713532798, + "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=", "owner": "numtide", "repo": "devshell", - "rev": "2d45b54ca4a183f2fdcf4b19c895b64fbf620ee8", + "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40", "type": "github" }, "original": { @@ -369,11 +336,11 @@ ] }, "locked": { - "lastModified": 1711099426, - "narHash": "sha256-HzpgM/wc3aqpnHJJ2oDqPBkNsqWbW0WfWUO8lKu8nGk=", + "lastModified": 1713532798, + "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=", "owner": "numtide", "repo": "devshell", - "rev": "2d45b54ca4a183f2fdcf4b19c895b64fbf620ee8", + "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40", "type": "github" }, "original": { @@ -389,11 +356,11 @@ ] }, "locked": { - "lastModified": 1712318811, - "narHash": "sha256-6T5sM2Vdg1xr8nbaI4gFKcp7P6AX5HSsPRs0Nl+QThU=", + "lastModified": 1713875178, + "narHash": "sha256-FFJ4dojuziC6HLxugW+2YJ1P+m5veDq0WZSpZRSm/SY=", "owner": "nix-community", "repo": "disko", - "rev": "9fd80a030b8aaae1619c805aa092556cbe328f96", + "rev": "dea314155a9b8a4de242bdd4c005ba8a5dce8385", "type": "github" }, "original": { @@ -573,11 +540,11 @@ ] }, "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", "type": "github" }, "original": { 
@@ -594,11 +561,11 @@ ] }, "locked": { - "lastModified": 1709336216, - "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", "type": "github" }, "original": { @@ -960,11 +927,11 @@ ] }, "locked": { - "lastModified": 1712317700, - "narHash": "sha256-rnkQ6qMhlxfjpCECkTMlFXHU/88QvC5KpdJWq5H6F1E=", + "lastModified": 1713894582, + "narHash": "sha256-pHJYZIVFmzPAwyTfcMGJwlfz18nOsS4p0CuDnI1EDL4=", "owner": "nix-community", "repo": "home-manager", - "rev": "782eed8bb64b27acaeb7c17be4a095c85e65717f", + "rev": "33a20182e3164f451b6a4ac2ecadcab5c2c36703", "type": "github" }, "original": { @@ -981,11 +948,11 @@ ] }, "locked": { - "lastModified": 1711625603, - "narHash": "sha256-W+9dfqA9bqUIBV5u7jaIARAzMe3kTq/Hp2SpSVXKRQw=", + "lastModified": 1713732794, + "narHash": "sha256-AYCofb8Zu4Mbc1lHDtju/uxeARawRijmOueAqEMEfMU=", "owner": "nix-community", "repo": "home-manager", - "rev": "c0ef0dab55611c676ad7539bf4e41b3ec6fa87d2", + "rev": "670d9ecc3e46a6e3265c203c2d136031a3d3548e", "type": "github" }, "original": { @@ -1002,11 +969,11 @@ ] }, "locked": { - "lastModified": 1706001011, - "narHash": "sha256-J7Bs9LHdZubgNHZ6+eE/7C18lZ1P6S5/zdJSdXFItI4=", + "lastModified": 1711915616, + "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=", "owner": "nix-community", "repo": "home-manager", - "rev": "3df2a80f3f85f91ea06e5e91071fa74ba92e5084", + "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6", "type": "github" }, "original": { 
@@ -1063,11 +1030,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1711886936, - "narHash": "sha256-D2WENp9GuaCostvNcQ7vElekk0V5cuMdnFZ7NfRhVrQ=", + "lastModified": 1713701427, + "narHash": "sha256-v6z8hz/UDaC/rbnkH+hxGFUxlNyseVntRetVpSxLU6c=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "9c06929b83e57c18d125f1105ba6a423f24083d2", + "rev": "3b32a98eb3053f8c8ca55497d1881443ef2996e6", "type": "github" }, "original": { @@ -1100,11 +1067,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1712322624, - "narHash": "sha256-mq9oLUqteBMCxhv4TFASiqZN/O9OfpPRyoziNnRlr+Y=", + "lastModified": 1713463636, + "narHash": "sha256-IPdnR0Rs7XoffnCn6rExYDlft/GHD/UFgQ11lTVEK48=", "owner": "astro", "repo": "microvm.nix", - "rev": "d0ac4be743b4fdb5bdafd6f9f230e3c20801d527", + "rev": "6a4f822a817180be03fcdceb654088d002c9ec5e", "type": "github" }, "original": { @@ -1121,11 +1088,11 @@ ] }, "locked": { - "lastModified": 1711763326, - "narHash": "sha256-sXcesZWKXFlEQ8oyGHnfk4xc9f2Ip0X/+YZOq3sKviI=", + "lastModified": 1713543876, + "narHash": "sha256-olEWxacm1xZhAtpq+ZkEyQgR4zgfE7ddpNtZNvubi3g=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "36524adc31566655f2f4d55ad6b875fb5c1a4083", + "rev": "9e7c20ffd056e406ddd0276ee9d89f09c5e5f4ed", "type": "github" }, "original": { @@ -1142,11 +1109,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1705242886, - "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=", + "lastModified": 1713858845, + "narHash": "sha256-StJq7Zy+/iVBUAKFzhHWlsirFucZ3gNtzXhAYXAsNnw=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "6b03a93296faf174b97546fd573c8b379f523a8d", + "rev": "7b6640f2a10701bf0db16aff048070f400e8ea7c", "type": "github" }, "original": { 
@@ -1164,11 +1131,11 @@ ] }, "locked": { - "lastModified": 1701208414, - "narHash": "sha256-xrQ0FyhwTZK6BwKhahIkUVZhMNk21IEI1nUcWSONtpo=", + "lastModified": 1703863825, + "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", "owner": "nix-community", "repo": "nix-github-actions", - "rev": "93e39cc1a087d65bcf7a132e75a650c44dd2b734", + "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", "type": "github" }, "original": { @@ -1184,11 +1151,11 @@ ] }, "locked": { - "lastModified": 1711854532, - "narHash": "sha256-JPStavwlT7TfxxiXHk6Q7sbNxtnXAIjXQJMLO0KB6M0=", + "lastModified": 1713869268, + "narHash": "sha256-o3CMQeu/S8/4zU0pMtYg51rd1FWdJsI2Xohzng1Ysdg=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "2844b5f3ad3b478468151bd101370b9d8ef8a3a7", + "rev": "dcb6ac44922858ce3a5b46f77a36d6030181460c", "type": "github" }, "original": { @@ -1205,11 +1172,11 @@ "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { - "lastModified": 1712920175, - "narHash": "sha256-9Tx06/vDa8rk674G8+ySSMqvF3lV7pV4GDbswkFB1O8=", + "lastModified": 1713783363, + "narHash": "sha256-4nSK8+QrCabGTINrQNucPm60Mq9GCuImgMGSVUTtCj4=", "owner": "oddlama", "repo": "nix-topology", - "rev": "eb12c632505b724a4752fd5317481350d47ef61d", + "rev": "d54cacc0ee6c53ae696c954c7105980d9c944c9b", "type": "github" }, "original": { @@ -1220,11 +1187,11 @@ }, "nixlib": { "locked": { - "lastModified": 1711846064, - "narHash": "sha256-cqfX0QJNEnge3a77VnytM0Q6QZZ0DziFXt6tSCV8ZSc=", + "lastModified": 1712450863, + "narHash": "sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "90b1a963ff84dc532db92f678296ff2499a60a87", + "rev": "3c62b6a12571c9a7f65ab037173ee153d539905f", "type": "github" }, "original": { 
@@ -1244,12 +1211,12 @@ "pre-commit-hooks": "pre-commit-hooks_3" }, "locked": { - "dirtyRev": "3ade74f7616458c38f00ee6fed73794e1a79bbf3-dirty", - "dirtyShortRev": "3ade74f-dirty", - "lastModified": 1712851738, - "narHash": "sha256-fy4D8OlrkEmJILhvWw+O7+frgtHRfbHSnhps2o6177U=", - "type": "git", - "url": "file:///home/patrick/repos/nix/nixos-extra-modules" + "lastModified": 1712921831, + "narHash": "sha256-5WVeVRFoO0QziYNeM+Wcxj12F2H8siNlQ0ueDZBD/e4=", + "owner": "oddlama", + "repo": "nixos-extra-modules", + "rev": "fc2cef598dcf0f407d91cc2cde96144199fd1dca", + "type": "github" }, "original": { "owner": "oddlama", @@ -1265,11 +1232,11 @@ ] }, "locked": { - "lastModified": 1712191720, - "narHash": "sha256-xXtSSnVHURHsxLQO30dzCKW5NJVGV/umdQPmFjPFMVA=", + "lastModified": 1713783234, + "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "0c15e76bed5432d7775a22e8d22059511f59d23a", + "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", "type": "github" }, "original": { @@ -1280,11 +1247,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1711352745, - "narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=", + "lastModified": 1713864415, + "narHash": "sha256-/BPDMJEkrsFAFOsQWhwm31wezlgshPFlLBn34KEUdVA=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0", + "rev": "797f8d8082c7cc3259cba7275c699d4991b09ecc", "type": "github" }, "original": { @@ -1332,11 +1299,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1711846064, - "narHash": "sha256-cqfX0QJNEnge3a77VnytM0Q6QZZ0DziFXt6tSCV8ZSc=", + "lastModified": 1713660444, + "narHash": "sha256-2bVnrEGyWJhRNKspzfTJmVD/fsH9HQURD4cWpz79Ulw=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "90b1a963ff84dc532db92f678296ff2499a60a87", + "rev": "6882347415e352cfc9c277cc01f73e0f5cb7b93c", "type": "github" }, "original": { 
@@ -1435,11 +1402,11 @@ ] }, "locked": { - "lastModified": 1712237761, - "narHash": "sha256-NoMBBCADTms3yx5BL+sbc7vfDivNiYULO6t9GBAsPt0=", + "lastModified": 1713889202, + "narHash": "sha256-cQdLbp8JedDOULe9jXMbL20H526O8OTWkvOPh4ZGpyY=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "9b77653338f52da4b498abdf4835efb6ff6e453e", + "rev": "f3b71af6d8503e427e81321f49bc823303a84b10", "type": "github" }, "original": { @@ -1450,11 +1417,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1712163089, - "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", + "lastModified": 1713714899, + "narHash": "sha256-+z/XjO3QJs5rLE5UOf015gdVauVRQd2vZtsFkaXBq2Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", + "rev": "6143fc5eeb9c4f00163267708e26191d1e918932", "type": "github" }, "original": { @@ -1466,11 +1433,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1703134684, - "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", + "lastModified": 1713805509, + "narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", + "rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4", "type": "github" }, "original": { @@ -1498,11 +1465,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1700856099, - "narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=", + "lastModified": 1713596654, + "narHash": "sha256-LJbHQQ5aX1LVth2ST+Kkse/DRzgxlVhTL1rxthvyhZc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0bd59c54ef06bc34eca01e37d689f5e46b3fe2f1", + "rev": "fd16bb6d3bcca96039b11aa52038fafeb6e4f4be", "type": "github" }, "original": { 
@@ -1525,11 +1492,11 @@ "pre-commit-hooks": "pre-commit-hooks_4" }, "locked": { - "lastModified": 1712299511, - "narHash": "sha256-yrBK6Jq0UuJjP+nc01OFNoKRRJgPNkbmwPpE4mD2Bis=", + "lastModified": 1713856119, + "narHash": "sha256-TfNc8vxF7IaRhTlMgOeUN01y7QoBx50MYmGU1sSU6Vw=", "owner": "nix-community", "repo": "nixvim", - "rev": "f285a958c089ccbca9c5710d4a075683fa1af654", + "rev": "c826d146c65bfa8164f31931cf54278b99f5a3a0", "type": "github" }, "original": { @@ -1668,11 +1635,11 @@ ] }, "locked": { - "lastModified": 1711760932, - "narHash": "sha256-DqUTQ2iAAqSDwMhKBqvi24v0Oc7pD3LCK/0FCG//TdA=", + "lastModified": 1713775815, + "narHash": "sha256-Wu9cdYTnGQQwtT20QQMg7jzkANKQjwBD9iccfGKkfls=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "c11e43aed6f17336c25cd120eac886b96c455731", + "rev": "2ac4dcbf55ed43f3be0bae15e181f08a57af24a4", "type": "github" }, "original": { @@ -1694,11 +1661,11 @@ "nixpkgs-stable": "nixpkgs-stable_5" }, "locked": { - "lastModified": 1712055707, - "narHash": "sha256-4XLvuSIDZJGS17xEwSrNuJLL7UjDYKGJSbK1WWX2AK8=", + "lastModified": 1713775815, + "narHash": "sha256-Wu9cdYTnGQQwtT20QQMg7jzkANKQjwBD9iccfGKkfls=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "e35aed5fda3cc79f88ed7f1795021e559582093a", + "rev": "2ac4dcbf55ed43f3be0bae15e181f08a57af24a4", "type": "github" }, "original": { @@ -1730,7 +1697,8 @@ "pre-commit-hooks": "pre-commit-hooks_5", "spicetify-nix": "spicetify-nix", "stylix": "stylix", - "systems": "systems_13" + "systems": "systems_13", + "templates": "templates" } }, "rust-overlay": { @@ -1796,8 +1764,6 @@ "stylix": { "inputs": { "base16": "base16", - "base16-alacritty": "base16-alacritty", - "base16-alacritty-yaml": "base16-alacritty-yaml", "base16-fish": "base16-fish", "base16-foot": "base16-foot", "base16-helix": "base16-helix", 
@@ -1810,11 +1776,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1712154372, - "narHash": "sha256-2HFQm/gpmxtMokn6pInHlTlU7mBONLb3Y1aN8SlY0tc=", + "lastModified": 1713821140, + "narHash": "sha256-/kGc9R01h8mTmZKhrVyGWaK/w9zgettmHIE3GZW8Khs=", "owner": "danth", "repo": "stylix", - "rev": "f9b9bc7c8e69942cd2583a3309f86fc5260f1275", + "rev": "0fe277a3641a849478a94c7900c2d5a90609a306", "type": "github" }, "original": { @@ -2018,6 +1984,21 @@ "type": "github" } }, + "templates": { + "locked": { + "lastModified": 1696855554, + "narHash": "sha256-9VYXESOCqGGZ8HHl4LN51k+74Kf5Nf9czoqqIN7IEo0=", + "ref": "refs/heads/main", + "rev": "a6c35c2af9f26599e81002630329054b99efbe79", + "revCount": 11, + "type": "git", + "url": "https://forge.lel.lol/patrick/nix-templates.git" + }, + "original": { + "type": "git", + "url": "https://forge.lel.lol/patrick/nix-templates.git" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -2027,11 +2008,11 @@ ] }, "locked": { - "lastModified": 1702979157, - "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=", + "lastModified": 1711963903, + "narHash": "sha256-N3QDhoaX+paWXHbEXZapqd1r95mdshxToGowtjtYkGI=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "2961375283668d867e64129c22af532de8e77734", + "rev": "49dc4a92b02b8e68798abd99184f228243b6e3ac", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 17e254d..3f003b7 100644 --- a/flake.nix +++ b/flake.nix @@ -66,7 +66,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - #templates.url = "git+https://forge.lel.lol/patrick/nix-templates.git"; + templates.url = "git+https://forge.lel.lol/patrick/nix-templates.git"; nix-topology.url = "github:oddlama/nix-topology"; @@ -115,7 +115,7 @@ inherit (nixpkgs) lib; stateVersion = "23.05"; in - rec { + { secretsConfig = { # This should be a link to one of the age public keys is './keys' masterIdentities = ["/run/decrypt.key.pub"]; 
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index 4c40ea5..032bc9d 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -230,7 +230,6 @@ in { ]; }; - #deadnix: skip mkMicrovm = guestName: cfg: { ${guestName} = mkGuest guestName cfg diff --git a/hosts/elisabeth/secrets/firefly/generated/appKey.age b/hosts/elisabeth/secrets/firefly/generated/appKey.age new file mode 100644 index 0000000..ba6b49a Binary files /dev/null and b/hosts/elisabeth/secrets/firefly/generated/appKey.age differ diff --git a/hosts/elisabeth/secrets/netbird/generated/coturnPassword.age b/hosts/elisabeth/secrets/netbird/generated/coturnPassword.age new file mode 100644 index 0000000..727ed75 --- /dev/null +++ b/hosts/elisabeth/secrets/netbird/generated/coturnPassword.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 MeYJjzQMjRwPh8EFqiGeorYdWehfCS71htIQhK5o2nM +LJgMpOnjNBqYwPB4mL3FEGlUnIap5AGfr/e9z7O5dpI +-> piv-p256 XTQkUA A8jLlK5Oec/xxduaGJou2CSZ8eYTnVu5jhjiJL/BJ6fS +RSt3pbvdPPfclk3Gtt0OYkHZ/kAYjKjEQcsjir3cUtI +-> piv-p256 ZFgiIw AhdUtYJ+Nw07WaE5eSXg1F9MyivwmkfdCburxobwZeVD +GbvesLFDdGz4iwMC7a7qse8twlVewqBYgGRrLMGtjnk +-> piv-p256 5vmPtQ An4wYxzXJlnk1gQmXQkF1oixlA2wEz82KD9vyBAc25rn +tD6dUznwI2przLOvVSK4lB5CBKmxkdOrfvtyLYY9ZuM +-> piv-p256 ZFgiIw A5cJyQ++Uq97VsMSt2O9XFtZ+j9FsOVgTUfu9RT/IBsn +XJlU8biGUQEoK/5u6Z+FZX7y0MCfA0NITxtRNuH+dyI +-> sS#fxj8|-grease m7Z $ +xPy1jk5euWH0L/pIV/PWdoVJRsmMUVa1MecxzOqqYrP8qqp5My0Gdb44 +--- eAewnJjC+jcQ0JRKf+va3B5PFFxubrbpiah8x8oGyt0 +'C!:͕dws 8[-E74bD2z`k34џT@k)S #syab \ No newline at end of file diff --git a/hosts/elisabeth/secrets/netbird/generated/coturnSecret.age b/hosts/elisabeth/secrets/netbird/generated/coturnSecret.age new file mode 100644 index 0000000..6f87a09 Binary files /dev/null and b/hosts/elisabeth/secrets/netbird/generated/coturnSecret.age differ 
diff --git a/hosts/elisabeth/secrets/netbird/generated/dataEnc.age b/hosts/elisabeth/secrets/netbird/generated/dataEnc.age new file mode 100644 index 0000000..d41e963 Binary files /dev/null and b/hosts/elisabeth/secrets/netbird/generated/dataEnc.age differ diff --git a/modules/fireflyIII.nix b/modules/fireflyIII.nix deleted file mode 100644 index 9f54e28..0000000 --- a/modules/fireflyIII.nix +++ /dev/null 
@@ -1,182 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: let - cfg = config.services.firefly-iii; - inherit - (lib) - mkIf - types - mkEnableOption - mkOption - mkPackageOption - mapAttrs - mkDefault - ; - - package = "${cfg.package.override { - inherit (cfg) dataDir; - }}/share/php/firefly-iii"; -in { - options.services.firefly-iii = { - enable = mkEnableOption "firefly-iii"; - dataDir = mkOption { - description = "The firefly-iii data directory."; - default = "/var/lib/firefly-iii"; - type = types.path; - }; - package = - mkPackageOption pkgs "firefly-iii" { - }; - phpPackage = mkPackageOption pkgs "php" { - example = "php82"; - default = "php83"; - }; - database = mkOption { - description = "Which database to use"; - default = "sqlite"; - type = types.enum ["sqlite" "mysql" "pgsql"]; - }; - dbCreateLocally = mkOption { - type = types.bool; - default = false; - description = "Create the database locally."; - }; - virtualHost = mkOption { - description = "The nginx virtualHost under which firefly-iii will be reachable"; - type = types.str; - }; - settings = mkOption { - type = with types; attrsOf (nullOr (oneOf [str path package])); - description = '' - The environment used by firefly-iii while running. - See [example](https://github.com/firefly-iii/firefly-iii/blob/main/.env.example) for value definitions. 
- ''; - default = { - LOG_CHANNEL = "syslog"; - }; - example = { - ALLOW_WEBHOOKS = false; - }; - }; - }; - config = mkIf cfg.enable { - services.firefly-iii.settings = { - DB_CONNECTION = cfg.database; - }; - - assertions = [ - { - assertion = cfg.dbCreateLocally -> cfg.database == "sqlite"; - message = "services.firefly-iii.dbCreateLocally is currently only supported for sqlite."; - } - ]; - - services.phpfpm = { - settings = { - error_log = "syslog"; - }; - pools.firefly-iii = { - inherit (cfg) phpPackage; - phpOptions = '' - log_errors = yes - error_reporting = E_ALL - ''; - user = "firefly-iii"; - group = "firefly-iii"; - phpEnv = cfg.settings; - settings = mapAttrs (_: mkDefault) { - catch_workers_output = "yes"; - "listen.mode" = "0660"; - "listen.owner" = config.services.nginx.user; - "listen.group" = config.services.nginx.group; - "pm" = "dynamic"; - "pm.max_children" = "32"; - "pm.start_servers" = "2"; - "pm.min_spare_servers" = "2"; - "pm.max_spare_servers" = "4"; - "pm.max_requests" = "500"; - }; - }; - }; - - users.users.firefly-iii = { - group = "firefly-iii"; - isSystemUser = true; - }; - users.groups.firefly-iii.members = ["firefly-iii" config.services.nginx.user]; - systemd.services.firefly-iii-setup = { - environment = cfg.settings; - description = "Preparation tasks for Firefly III"; - before = ["phpfpm-firefly-iii.service"]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - User = "firefly-iii"; - WorkingDirectory = package; - }; - script = '' - set -euo pipefail - umask 077 - ${lib.optionalString cfg.dbCreateLocally '' - mkdir -p ${package}/storage/database/ - touch ${package}/storage/database/database.sqlite - ''} - - # migrate db - ${lib.getExe cfg.phpPackage} artisan migrate --force - ${lib.getExe cfg.phpPackage} artisan firefly-iii:upgrade-database - ${lib.getExe cfg.phpPackage} artisan firefly-iii:correct-database - ${lib.getExe cfg.phpPackage} artisan firefly-iii:report-integrity - 
${lib.getExe cfg.phpPackage} artisan firefly-iii:laravel-passport-keys - ''; - }; - - # Data dir - systemd.tmpfiles.rules = [ - "d ${cfg.dataDir} 0750 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/bootstrap 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/bootstrap/cache 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/app 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/database 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/export 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/framework 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/framework/cache 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/framework/sessions 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/framework/views 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/logs 0700 firefly-iii firefly-iii - -" - "d ${cfg.dataDir}/storage/upload 0700 firefly-iii firefly-iii - -" - ]; - - services.nginx = { - enable = mkDefault true; - recommendedTlsSettings = mkDefault true; - recommendedOptimisation = mkDefault true; - recommendedGzipSettings = mkDefault true; - virtualHosts.${cfg.virtualHost} = { - root = "${package}/public"; - locations = { - "/" = { - tryFiles = "$uri $uri/ /index.php?$query_string"; - index = "index.php"; - extraConfig = '' - sendfile off; - ''; - }; - "~ \.php$" = { - extraConfig = '' - include ${config.services.nginx.package}/conf/fastcgi_params ; - fastcgi_param SCRIPT_FILENAME $request_filename; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:${config.services.phpfpm.pools.firefly-iii.socket}; - ''; - }; - }; - }; - }; - }; -} diff --git a/modules/netbird-dashboard.nix b/modules/netbird-dashboard.nix deleted file mode 100644 index b3d8814..0000000 --- a/modules/netbird-dashboard.nix +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: let - inherit - (lib) - mkPackageOption - mkIf - mkEnableOption - mkOption - types - isBool - boolToString - ; - - toStringEnv = value: - if isBool value - then boolToString value - else toString value; - cfg = config.services.netbird-dashboard; -in { - options.services.netbird-dashboard = { - enable = mkEnableOption "the static netbird dashboard frontend"; - package = mkPackageOption pkgs "netbird-dashboard" {}; - enableNginx = mkEnableOption "Nginx as a webserver serving the backend"; - domain = mkOption { - type = types.str; - description = "The domain under which the dashboard runs."; - default = "localhost"; - }; - settings = mkOption { - description = '' - An attr set that will be used as environment to build the dashboard. - Any values that you set here will be templated into the frontend - and thas be freely available for anyone that can reach your website. - The exact values sadly aren't documented anywhere. An starting point - when searching for valid values is this [script](https://github.com/netbirdio/dashboard/blob/main/docker/init_react_envs.sh) - The only mandatory value is 'AUTH_AUTHORITY' as we cannot set a default value here. 
- ''; - type = types.submodule { - freeformType = types.attrsOf (types.oneOf [types.str types.bool]); - config = { - # Due to how the backend and frontend work this secret will be templated into the backend - # and then served statically from your website - # This enables you to login without the normally needed indirection through the backend - # but this also means anyone that can reach your website can - # fetch this secret, which is why there is no real need to put it into - # special options as its public anyway - # As far as I know leaking this secret is just - # an information leak as one can fetch some basic app - # informations from the IDP - # To actually do something one still needs to have login - # data and this secret so this being public will not - # suffice for anything just decreasing security - AUTH_CLIENT_SECRET = ""; - AUTH_CLIENT_ID = "netbird"; - # AUTH_AUDIENCE must be set for your devices to be able to log in - AUTH_AUDIENCE = "netbird"; - USE_AUTH0 = false; - AUTH_SUPPORTED_SCOPES = "openid profile email"; - - # While you could override this to use http I would recommend to not do that - # as it will greatly impact the security of your application - NETBIRD_MGMT_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; - NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://${config.services.netbird-server.domain}"; - NETBIRD_TOKEN_SOURCE = "idToken"; - }; - }; - }; - }; - config = let - deriv = pkgs.runCommand "template-netbird-dashboard" {} '' - cp -r ${cfg.package} ./temp - - - ${ - lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: ''export "${name}"="${toStringEnv value}"'') cfg.settings) - } - - # replace ENVs in the config - ENV_STR="\$\$USE_AUTH0 \$\$AUTH_AUDIENCE \$\$AUTH_AUTHORITY \$\$AUTH_CLIENT_ID \$\$AUTH_CLIENT_SECRET \$\$AUTH_SUPPORTED_SCOPES \$\$NETBIRD_MGMT_API_ENDPOINT \$\$NETBIRD_MGMT_GRPC_API_ENDPOINT \$\$NETBIRD_HOTJAR_TRACK_ID \$\$NETBIRD_GOOGLE_ANALYTICS_ID \$\$AUTH_REDIRECT_URI \$\$AUTH_SILENT_REDIRECT_URI 
\$\$NETBIRD_TOKEN_SOURCE \$\$NETBIRD_DRAG_QUERY_PARAMS" - - find temp -type d -exec chmod 755 {} \; - OIDC_TRUSTED_DOMAINS="./temp/OidcTrustedDomains.js" - ${pkgs.gettext}/bin/envsubst "$ENV_STR" < "$OIDC_TRUSTED_DOMAINS".tmpl > "$OIDC_TRUSTED_DOMAINS" - for f in $(grep -R -l AUTH_SUPPORTED_SCOPES ./); do - ${pkgs.gettext}/bin/envsubst "$ENV_STR" < "$f" > "$f".copy - mv -f "$f".copy "$f" - done - mkdir -p $out - cp -r ./temp/. $out/ - ''; - in - mkIf cfg.enable - { - services.nginx = mkIf cfg.enableNginx { - enable = true; - virtualHosts = { - ${cfg.domain} = { - locations = { - "/" = { - root = "${deriv}/"; - tryFiles = "$uri $uri.html $uri/ =404"; - }; - }; - extraConfig = '' - error_page 404 /404.html; - location = /404.html { - internal; - } - ''; - }; - }; - }; - }; -} diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix deleted file mode 100644 index b0c2c6c..0000000 --- a/modules/netbird-server.nix +++ /dev/null 
@@ -1,333 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: let
- inherit
- (lib)
- mkEnableOption
- mkOption
- types
- mkPackageOption
- mkIf
- ;
- cfg = config.services.netbird-server;
-
- configFile = formatType.generate "config.json" cfg.settings;
-
- formatType = pkgs.formats.json {};
-in {
- options.services.netbird-server = {
- enable = mkEnableOption "netbird, a self hosted wireguard VPN";
- package = mkPackageOption pkgs "netbird" {};
- enableCoturn = mkEnableOption "the coturn service for running the TURN/STUN server";
- domain = mkOption {
- type = types.str;
- description = "The domain of your netbird instance";
- };
- port = mkOption {
- description = "The port the management interface will listen on";
- type = types.port;
- default = 3000;
- };
- oidcConfigEndpoint = mkOption {
- type = types.str;
- example = "https://example.eu.auth0.com/.well-known/openid-configuration";
- description = "The oidc discovery endpoint";
- };
- signalPort = mkOption {
- description = "The listening port for the signal protocol";
- default = 3001;
- type = types.port;
- };
-
- singleAccountModeDomain = mkOption {
- description = "Optional domain for single account mode, set to null to disable singleAccountMode";
- type = types.nullOr types.str;
- default = "netbird.selfhosted";
- example = null;
- };
-
- turn = {
- domain = mkOption {
- description = "The domain under which the TURN server is reachable";
- type = types.str;
- example = "localhost";
- default = cfg.domain;
- };
- port = mkOption {
- description = "The port under which the TURN server is reachable";
- type = types.port;
- default = 3478;
- };
- userName = mkOption {
- description = "The Username for logging into your turn server";
- type = types.str;
- default = "netbird";
- };
- password = mkOption {
- description = "The password for logging into your turn server";
- type = types.str;
- default = lib.trace "should not be part of the final config" "netbird";
- };
- };
- settings = mkOption {
- default = {};
- description = ''
- This will be converted to json and used as the management config.
- Sadly the exact configuration is undocumented there only exists
- this [template](https://github.com/netbirdio/netbird/blob/main/infrastructure_files/management.json.tmpl)
- The default values are usable, for a normal setup you don't need to set anything here.
- Be advised that any secret you set in here will be in the nix store
- and thus world readable. For compliant setups you don't need these secrets
- as you should use a oidc public client, some client, e.g. google do not support
- this without a secret, which is why you sometimes need to set a secret here.
- This is not a problem as this secret will be exposed on your server publicly and only allows
- client to initiate a authorization flow.
- Even though the template contains oidc values you don't need to set any except for the
- ConfigEndpoint as netbird will fetch the rest.
- '';
- type = types.submodule {
- freeformType = formatType.type;
- config = {
- Stuns = [
- {
- Proto = "udp";
- Uri = "stun:${cfg.turn.domain}:${toString cfg.turn.port}";
- # TODO fairly certain with this config anyone can use your STUN server
- Username = "";
- Password = null;
- }
- ];
- TURNConfig = {
- Turns = [
- {
- Proto = "udp";
- Uri = "turn:${cfg.turn.domain}:${toString cfg.turn.port}";
- Username = cfg.turn.userName;
- Password = cfg.turn.password;
- }
- ];
- CredentialsTTL = "12h";
- # This is not used with the standard coturn configuration
- Secret = "secret";
- TimeBasedCredentials = false;
- };
-
- Signal = {
- Proto = "https";
- URI = "${cfg.domain}:443";
- Username = "";
- Password = null;
- };
- ReverseProxy = {
- TrustedHTTPProxies = [];
- TrustedHTTPProxiesCount = 0;
- TrustedPeers = [
- "0.0.0.0/0"
- ];
- };
- Datadir = "/var/lib/netbird-mgmt";
- DataStoreEncryptionKey = lib.trace "uppsi wuppsi ich hab mein netbird unsiccccccher gemacht" "X4/obyAolDVhjGsz8NDb4TJqgCfwmCA7lOtJFHt9L3w=";
- StoreConfig = {
- Engine = "sqlite";
- };
- HttpConfig = {
- Address = "0.0.0.0:${toString cfg.port}";
- AuthAudience = "netbird";
- AuthUserIDClaim = "preferred_username";
- OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
- };
- IdpManagerConfig = {
- ManagerType = "none";
- };
- DeviceAuthorizationFlow = {
- ProviderConfig = {
- Audience = "netbird";
- Scope = "openid profile email";
- };
- };
- PKCEAuthorizationFlow = {
- ProviderConfig = {
- Audience = "netbird";
- ClientID = "netbird";
- ClientSecret = "";
- Domain = "";
- Scope = "openid profile email";
- RedirectURLs = ["http://localhost:53000"];
- UseIDToken = true;
- };
- };
- };
- };
- };
- };
- config = mkIf cfg.enable {
- services.coturn = mkIf cfg.enableCoturn {
- enable = true;
-
- realm = cfg.domain;
- lt-cred-mech = true;
- no-cli = true;
-
- # Official documentation says that external-ip has to be
- # an IP which is not true as [this](https://github.com/coturn/coturn/blob/9b1cca1fbe909e7cc7c7ac28865f9c190af3515b/src/client/ns_turn_ioaddr.c#L234)
- # will resolve a dns name as well
- extraConfig = ''
- fingerprint
-
- user=${cfg.turn.userName}:${cfg.turn.password}
- no-software-attribute
- external-ip=${cfg.domain}
- '';
- };
- systemd.services = {
- netbird-signal = {
- after = ["network.target"];
- wantedBy = ["netbird-management.service"];
- restartTriggers = [
- configFile
- ];
-
- serviceConfig = {
- ExecStart = ''
- ${cfg.package}/bin/netbird-signal run \
- --log-file console \
- --port ${builtins.toString cfg.signalPort}
- '';
- Restart = "always";
- RuntimeDirectory = "netbird-mgmt";
- StateDirectory = "netbird-mgmt";
- WorkingDirectory = "/var/lib/netbird-mgmt";
- RestartSec = "60";
-
- # hardening
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateMounts = true;
- PrivateTmp = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectSystem = true;
- RemoveIPC = true;
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
-
- # Hardening
- #CapabilityBoundingSet = "";
- #PrivateUsers = true;
- #ProtectProc = "invisible";
- #ProcSubset = "pid";
- #RestrictAddressFamilies = [
- # "AF_INET"
- # "AF_INET6"
- # "AF_NETLINK"
- #];
- #SystemCallArchitectures = "native";
- #SystemCallFilter = [
- # "@system-service"
- # "@pkey"
- #];
- UMask = "0077";
- };
- unitConfig = {
- StartLimitInterval = 5;
- StartLimitBurst = 10;
- };
- stopIfChanged = false;
- };
-
- netbird-management = {
- description = "The management server for Netbird, a wireguard VPN";
- documentation = ["https://netbird.io/docs/"];
- after = [
- "network.target"
- "netbird-setup.service"
- ];
- wantedBy = ["multi-user.target"];
- wants = [
- "netbird-signal.service"
- "netbird-setup.service"
- ];
- restartTriggers = [
- configFile
- ];
-
- serviceConfig = {
- # Should we automatically disable metrics?
- ExecStart = ''
- ${cfg.package}/bin/netbird-mgmt management \
- --config ${configFile} \
- --datadir /var/lib/netbird-mgmt/data \
- --disable-anonymous-metrics=true \
- ${
- if cfg.singleAccountModeDomain == null
- then "--disable-single-account-mode"
- else "--single-account-mode-domain ${cfg.singleAccountModeDomain}"
- } \
- --idp-sign-key-refresh-enabled \
- --port ${builtins.toString cfg.port} \
- --log-file console
- '';
- # TODO add extraCommandLine option
- Restart = "always";
- RuntimeDirectory = "netbird-mgmt";
- StateDirectory = [
- "netbird-mgmt"
- "netbird-mgmt/data"
- ];
- WorkingDirectory = "/var/lib/netbird-mgmt";
-
- # hardening
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateMounts = true;
- PrivateTmp = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectSystem = true;
- RemoveIPC = true;
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
-
- # Hardening
- CapabilityBoundingSet = "";
- PrivateUsers = true;
- ProtectProc = "invisible";
- ProcSubset = "pid";
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_NETLINK"
- ];
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "@pkey"
- ];
- UMask = "0077";
- };
- unitConfig = {
- StartLimitInterval = 5;
- StartLimitBurst = 10;
- };
- stopIfChanged = false;
- };
- };
- };
-}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index daa4e04..91c1443 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -6,9 +6,7 @@
 your_spotify = super.callPackage ./your_spotify.nix {};
 actual = super.callPackage ./actual.nix {};
 deploy = super.callPackage ./deploy.nix {};
- netbird-dashboard = super.callPackage ./netbird-dashboard {};
 minify = super.callPackage ./minify {};
- firefly-iii = super.callPackage ./firefly-iii.nix {};
 mongodb-bin = super.callPackage ./mongodb-bin.nix {};
 awakened-poe-trade = super.callPackage ./awakened-poe-trade.nix {};
 neovim-clean = super.neovim-unwrapped.overrideAttrs (_neovimFinal: neovimPrev: {
diff --git a/pkgs/firefly-iii.nix b/pkgs/firefly-iii.nix
deleted file mode 100644
index ce706b3..0000000
--- a/pkgs/firefly-iii.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- lib,
- dataDir ? "/var/lib/firefly-iii",
- php83,
- fetchFromGitHub,
- buildNpmPackage,
-}: let
- version = "6.1.13";
- src = fetchFromGitHub {
- owner = "firefly-iii";
- repo = "firefly-iii";
- rev = "v${version}";
- hash = "sha256-85zI8uCyyoCflzxDkvba6FWa9B3kh179DJfQ2Um6MGM=";
- };
- frontend = buildNpmPackage {
- inherit src version;
- pname = "firefly-iii";
- npmDepsHash = "sha256-wuPUE6XuzzgKjpxZVgwh2wGut15M61WSBFG+YIZwOFM=";
- installPhase = ''
- mkdir -p $out
- rm -rf ./node_modules
- cp -r ./ $out
- mkdir -p $out/storage
- cp -r ./ $out
- rm -Rf $out/storage
- ln -fs ${dataDir}/storage $out/storage
- rm -Rf $out/bootstrap/cache
- ln -fs ${dataDir}/bootstrap/cache $out/bootstrap/cache
- '';
- };
-in
- php83.buildComposerProject rec {
- inherit version;
- src = frontend;
- pname = "firefly-iii";
- vendorHash = "sha256-CVGKyyLp5hjjpEulDNEYfljU4OgPBaFcYQQAUf6GeGs=";
-
- meta = with lib; {
- description = "Firefly III: a personal finances manager";
- homepage = "https://github.com/firefly-iii/firefly-iii/";
- changelog = "https://github.com/firefly-iii/firefly-iii/releases/tag/v${version}";
- license = licenses.agpl3Only;
- maintainers = with maintainers; [patrickdag];
- mainProgram = "firefly-iii";
- platforms = platforms.all;
- };
- }
diff --git a/pkgs/netbird-dashboard/0001-remove-buildtime-google-fonts.patch b/pkgs/netbird-dashboard/0001-remove-buildtime-google-fonts.patch
deleted file mode 100644
index 8313933..0000000
--- a/pkgs/netbird-dashboard/0001-remove-buildtime-google-fonts.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/src/layouts/AppLayout.tsx b/src/layouts/AppLayout.tsx
-index 86137fe..0339fb7 100644
---- a/src/layouts/AppLayout.tsx
-+++ b/src/layouts/AppLayout.tsx
-@@ -6,7 +6,7 @@ import { cn } from "@utils/helpers";
- import dayjs from "dayjs";
- import relativeTime from "dayjs/plugin/relativeTime";
- import { Viewport } from "next/dist/lib/metadata/types/extra-types";
--import { Inter } from "next/font/google";
-+import localFont from "next/font/local";
- import React from "react";
- import { Toaster } from "react-hot-toast";
- import OIDCProvider from "@/auth/OIDCProvider";
-@@ -17,7 +17,7 @@ import ErrorBoundaryProvider from "@/contexts/ErrorBoundary";
- import { GlobalThemeProvider } from "@/contexts/GlobalThemeProvider";
- import { NavigationEvents } from "@/contexts/NavigationEvents";
-
--const inter = Inter({ subsets: ["latin"] });
-+const inter = localFont({ src: "./inter.ttf" });
-
- // Extend dayjs with relativeTime plugin
- dayjs.extend(relativeTime);
diff --git a/pkgs/netbird-dashboard/default.nix b/pkgs/netbird-dashboard/default.nix
deleted file mode 100644
index 16f5bef..0000000
--- a/pkgs/netbird-dashboard/default.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- lib,
- buildNpmPackage,
- fetchFromGitHub,
- inter,
-}:
-buildNpmPackage rec {
- pname = "netbird-dashboard";
- version = "2.1.3";
-
- src = fetchFromGitHub {
- owner = "netbirdio";
- repo = "dashboard";
- rev = "v${version}";
- hash = "sha256-RxqGNIo7UdcVKz7UmupjsCzDpaSoz9UawiUc+h2tyTU=";
- };
- patches = [
- ./0001-remove-buildtime-google-fonts.patch
- ];
-
- CYPRESS_INSTALL_BINARY = 0;
- npmDepsHash = "sha256-ts3UuThIMf+wwSr3DpZ+k1i9RnHi/ltvhD/7lomVxQk=";
- npmFlags = ["--legacy-peer-deps"];
-
- preBuild = ''
- cp ${inter}/share/fonts/truetype/InterVariable.ttf src/layouts/inter.ttf
- '';
-
- installPhase = ''
- mkdir -p $out
- cp -R out/* $out
- '';
-
- meta = with lib; {
- description = "NetBird Management Service Web UI Panel";
- homepage = "https://github.com/netbirdio/dashboard";
- license = licenses.bsd3;
- maintainers = with maintainers; [thubrecht];
- };
-}
diff --git a/pkgs/your_spotify.nix b/pkgs/your_spotify.nix
index b02da18..792e1dc 100644
--- a/pkgs/your_spotify.nix
+++ b/pkgs/your_spotify.nix
@@ -7,6 +7,7 @@
 mkYarnPackage,
 nodejs,
 prefetch-yarn-deps,
+ fixup-yarn-lock,
 yarn,
 }: let
 version = "1.10.1";
@@ -53,7 +54,7 @@
 in
 runHook postBuild
 '';
- nativeBuildInputs = [makeWrapper yarn prefetch-yarn-deps];
+ nativeBuildInputs = [fixup-yarn-lock makeWrapper yarn prefetch-yarn-deps];
 installPhase = ''
 mkdir -p $out/share/your_spotify
 cp -r node_modules $out/share/your_spotify/node_modules
diff --git a/pkgs/your_spotify_client.nix b/pkgs/your_spotify_client.nix
index e764023..789d944 100644
--- a/pkgs/your_spotify_client.nix
+++ b/pkgs/your_spotify_client.nix
@@ -4,6 +4,7 @@
 your_spotify,
 mkYarnPackage,
 prefetch-yarn-deps,
+ fixup-yarn-lock,
 src,
 version,
 yarn,
@@ -42,7 +43,7 @@ mkYarnPackage rec {
 popd
 runHook postBuild
 '';
- nativeBuildInputs = [yarn prefetch-yarn-deps];
+ nativeBuildInputs = [fixup-yarn-lock yarn prefetch-yarn-deps];
 installPhase = ''
 mkdir -p $out
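Review bot: `fixup-yarn-lock` is added to `nativeBuildInputs` in the `@@ -53,7 +54,7 @@` hunk of your_spotify.nix, but the build phase that would actually invoke it (presumably a `fixup-yarn-lock yarn.lock` ahead of the offline `yarn install`) starts before the hunk, so the diff does not show the new input being used; please confirm it is called, otherwise the line is dead weight. Nothing records why the input became necessary — presumably nixpkgs split it out of `prefetch-yarn-deps` — so a short why-comment on the changed line would spare the next maintainer the archaeology: `# fixup-yarn-lock is no longer provided by prefetch-yarn-deps; the offline yarn install needs both`. The identical change in your_spotify_client.nix deserves the same note. The enclosing buildPhase of both files starts outside the hunk.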
diff --git a/users/common/programs/nvim/nixvim/plugins.nix b/users/common/programs/nvim/nixvim/plugins.nix
index 3b680f3..985a293 100644
--- a/users/common/programs/nvim/nixvim/plugins.nix
+++ b/users/common/programs/nvim/nixvim/plugins.nix
@@ -54,7 +54,7 @@
 indent = true;
 nixvimInjections = true;
 };
- treesitter-context.enable = true;
+ #treesitter-context.enable = true;
 vim-matchup.enable = true;
 comment.enable = true;
 # Fzf picker for arbitrary stuff
@@ -67,7 +67,6 @@
 keymaps = {
 "gf" = {
 action = "git_files";
- desc = "Telescope Git Files";
 };
 "gg" = "live_grep";
 };
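Review bot: Commenting out `treesitter-context.enable = true;` in the `@@ -54,7 +54,7 @@` hunk leaves dead configuration with no record of why the plugin was switched off, which the next cleanup pass will either delete blindly or re-enable. Prefer an explicit `treesitter-context.enable = false; # disabled: <reason>` or drop the line entirely; if this is a temporary toggle, a `# TODO` with the reason makes it trackable instead of invisible. The enclosing plugin attribute set starts and ends outside the hunk.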