diff --git a/config/optional/graphical.nix b/config/optional/graphical.nix index 37c97b8..24d8661 100644 --- a/config/optional/graphical.nix +++ b/config/optional/graphical.nix @@ -36,6 +36,7 @@ in { config = { common.default = [ "gtk" + "hyprland" ]; sway.default = [ "wlr" diff --git a/config/optional/wayland.nix b/config/optional/wayland.nix index 0f9f101..a5a4ff1 100644 --- a/config/optional/wayland.nix +++ b/config/optional/wayland.nix @@ -14,7 +14,6 @@ lib.optionalAttrs (!minimal) { enable = true; xdgOpenUsePortal = true; config.common = { - default = ["gtk" "hyprland"]; "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"]; "org.freedesktop.impl.portal.ScreenCast" = ["hyprland"]; "org.freedesktop.impl.portal.Screenshot" = ["hyprland"]; diff --git a/config/services/immich.nix b/config/services/immich.nix index f3edb3b..fefd138 100644 --- a/config/services/immich.nix +++ b/config/services/immich.nix @@ -5,11 +5,10 @@ config, ... }: let - version = "v1.105.1"; + version = "v1.106.4"; immichDomain = "immich.${config.secrets.secrets.global.domains.web}"; ipImmichMachineLearning = "10.89.0.10"; - ipImmichMicroservices = "10.89.0.11"; ipImmichPostgres = "10.89.0.12"; ipImmichRedis = "10.89.0.13"; ipImmichServer = "10.89.0.14"; @@ -70,9 +69,7 @@ }; url = "http://${ipImmichMachineLearning}:3003"; }; - # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run: - # kanidm system oauth2 warning-insecure-client-disable-pkce immich - # kanidm system oauth2 warning-enable-legacy-crypto immich + # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to enable legacy crypto oauth = rec { enabled = true; autoLaunch = false; @@ -160,6 +157,12 @@ in { age.secrets.immichHetznerSsh = { generator.script = "ssh-ed25519"; }; + environment.persistence."/state".directories = [ + { + directory = "/var/lib/containers"; + mode = "0755"; + } + ]; services.restic.backups = { main = { user = "root"; @@ -272,36 +275,6 @@ in { }; systemd.services."podman-immich_machine_learning" = serviceConfig; - virtualisation.oci-containers.containers."immich_microservices" = { - image = "ghcr.io/immich-app/immich-server:${version}"; - inherit environment; - volumes = [ - "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro" - "/etc/localtime:/etc/localtime:ro" - "${upload_folder}:/usr/src/app/upload:rw" - "${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro" - ]; - cmd = ["start.sh" "microservices"]; - dependsOn = [ - "immich_postgres" - "immich_redis" - ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=immich-microservices" - "--network=immich-default" - "--ip=${ipImmichMicroservices}" - ]; - }; - systemd.services."podman-immich_microservices" = - serviceConfig - // { - unitConfig.UpheldBy = [ - "podman-immich_postgres.service" - "podman-immich_redis.service" - ]; - }; - virtualisation.oci-containers.containers."immich_postgres" = { image = "tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0"; environment = { @@ -343,7 +316,6 @@ in { ports = [ "3000:3001/tcp" ]; - cmd = ["start.sh" "immich"]; dependsOn = [ "immich_postgres" "immich_redis" diff --git a/config/services/kanidm.nix b/config/services/kanidm.nix index a491141..229b860 100644 --- a/config/services/kanidm.nix +++ b/config/services/kanidm.nix @@ -116,6 +116,7 @@ in { originUrl = "https://immich.${config.secrets.secrets.global.domains.web}/"; basicSecretFile = config.age.secrets.oauth2-immich.path; allowInsecureClientDisablePkce = true; + enableLegacyCrypto = true; scopeMaps."immich.access" = ["openid" "email" "profile"]; preferShortUsername = true; }; diff --git a/users/common/programs/gpg.nix b/users/common/programs/gpg.nix index db7ba06..32981e7 100644 --- a/users/common/programs/gpg.nix +++ b/users/common/programs/gpg.nix @@ -1,9 +1,4 @@ -{ - pkgs, - lib, - nixosConfig, - ... -}: { +{pkgs, ...}: { services.gpg-agent = { enable = true; enableSshSupport = true; @@ -76,10 +71,4 @@ #list-options show-unusable-subkeys }; }; - # Make sure the keygrips exist, otherwise we'd need to run `gpg --card-status` - # before being able to use the yubikey. - home.activation.installKeygrips = lib.hm.dag.entryAfter ["writeBoundary"] '' - run mkdir -p "$HOME/.gnupg/private-keys-v1.d" - run ${lib.getExe pkgs.gnutar} xvf ${lib.escapeShellArg nixosConfig.age.secrets."my-gpg-yubikey-keygrip.tar".path} -C "$HOME/.gnupg/private-keys-v1.d/" - ''; } diff --git a/users/patrick/default.nix b/users/patrick/default.nix index 64858ab..e751966 100644 --- a/users/patrick/default.nix +++ b/users/patrick/default.nix @@ -48,6 +48,11 @@ lib.optionalAttrs (!minimal) { }; programs.dconf.enable = true; + age.secrets."my-gpg-yubikey-keygrip.tar" = { + rekeyFile = ./secrets/gpg-keygrip.tar.age; + group = "patrick"; + mode = "640"; + }; home-manager.users.patrick = { imports = diff --git a/users/patrick/patrick.nix b/users/patrick/patrick.nix index e3df1d8..e990f7c 100644 --- a/users/patrick/patrick.nix +++ b/users/patrick/patrick.nix @@ -1,4 +1,9 @@ -{pkgs, ...}: { +{ + pkgs, + lib, + nixosConfig, + ... +}: { images.enable = true; home = { packages = with pkgs; [ @@ -31,4 +36,10 @@ via ]; }; + # Make sure the keygrips exist, otherwise we'd need to run `gpg --card-status` + # before being able to use the yubikey. + home.activation.installKeygrips = lib.hm.dag.entryAfter ["writeBoundary"] '' + run mkdir -p "$HOME/.gnupg/private-keys-v1.d" + run ${lib.getExe pkgs.gnutar} xvf ${lib.escapeShellArg nixosConfig.age.secrets."my-gpg-yubikey-keygrip.tar".path} -C "$HOME/.gnupg/private-keys-v1.d/" + ''; } diff --git a/users/root/default.nix b/users/root/default.nix index 89215da..66e3602 100644 --- a/users/root/default.nix +++ b/users/root/default.nix @@ -19,9 +19,4 @@ home-manager.users.root.imports = lib.lists.optionals (!minimal) [ ../common ]; - age.secrets."my-gpg-yubikey-keygrip.tar" = { - rekeyFile = ./secrets/gpg-keygrip.tar.age; - group = "patrick"; - mode = "640"; - }; }