diff --git a/config/basic/users.nix b/config/basic/users.nix
index 0a67e2a..8495664 100644
--- a/config/basic/users.nix
+++ b/config/basic/users.nix
@@ -31,7 +31,7 @@
 mongodb = uidGid 221;
 authelia-main = uidGid 222;
 kanidm = uidGid 223;
- oauth2_proxy = uidGid 224;
+ oauth2-proxy = uidGid 224;
 influxdb2 = uidGid 225;
 firefly-iii = uidGid 226;
 paperless = uidGid 315;
diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix
index ce257a5..d2ff93b 100644
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@@ -5,14 +5,15 @@
 }: {
 wireguard.elisabeth = {
 client.via = "elisabeth";
- firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
+ firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.adguardhome.port];
 };
 services.adguardhome = {
 enable = true;
 mutableSettings = false;
+ host = "0.0.0.0";
+ port = 3000;
+
 settings = {
- bind_port = 3000;
- bind_host = "0.0.0.0";
 dns = {
 bind_hosts = [
 (lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)
diff --git a/config/services/netbird.nix b/config/services/netbird.nix
index 62c8f38..a9e9474 100644
--- a/config/services/netbird.nix
+++ b/config/services/netbird.nix
@@ -56,7 +56,7 @@
 Turns = [
 {
 Proto = "udp";
- URI = "turn:${config.networking.netbird.server.managemen.turnDomain}:${builtins.toString config.networking.netbird.server.managemen.turnPort}";
+ URI = "turn:${config.services.netbird.server.management.turnDomain}:${builtins.toString config.services.netbird.server.management.turnPort}";
 Username = "netbird";
 Password._secret = config.age.secrets.coturnPassword.path;
diff --git a/config/services/oauth2-proxy.nix b/config/services/oauth2-proxy.nix
index c6ef435..1fa579c 100644
--- a/config/services/oauth2-proxy.nix
+++ b/config/services/oauth2-proxy.nix
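Review bot: `host = "0.0.0.0";` in the config/services/adguardhome.nix hunk keeps the AdGuard Home web interface listening on every interface, while the only opening visible here is the wireguard rule `firewallRuleForNode.elisabeth.allowedTCPPorts`. Whether the admin UI is reachable from other networks therefore depends on firewall settings outside this hunk; the `services.adguardhome` block continues past it. If access is meant to go through node elisabeth only, either bind `host` to the address used on that wireguard link, or record the intent with a comment such as `# web UI binds all interfaces; only reachable via the elisabeth wireguard rule above`.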
@@ -11,10 +11,10 @@ age.secrets.oauth2-cookie-secret = { rekeyFile = config.node.secretsDir + "/cookie-secret.age"; mode = "440"; - group = "oauth2_proxy"; + group = "oauth2-proxy"; }; - services.oauth2_proxy = { + services.oauth2-proxy = { enable = true; cookie.domain = ".${config.secrets.secrets.global.domains.web}"; cookie.secure = true; @@ -49,14 +49,14 @@ email.domains = ["*"]; }; - systemd.services.oauth2_proxy.serviceConfig = { + systemd.services.oauth2-proxy.serviceConfig = { RuntimeDirectory = "oauth2-proxy"; RuntimeDirectoryMode = "0750"; UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed RestartSec = "60"; # Retry every minute }; - systemd.services.oauth2_proxy.serviceConfig.EnvironmentFile = [ + systemd.services.oauth2-proxy.serviceConfig.EnvironmentFile = [ config.age.secrets.oauth2-cookie-secret.path config.age.secrets.oauth2-client-secret-env.path ]; @@ -64,7 +64,7 @@ age.secrets.oauth2-client-secret = { inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-proxy) rekeyFile; mode = "440"; - group = "oauth2_proxy"; + group = "oauth2-proxy"; }; # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET= # so it can be used as an EnvironmentFile @@ -85,6 +85,6 @@ ${decrypt} ${lib.escapeShellArg (lib.head deps).file} ''; mode = "440"; - group = "oauth2_proxy"; + group = "oauth2-proxy"; }; } diff --git a/config/services/yourspotify.nix b/config/services/yourspotify.nix index 914e350..6550f02 100644 --- a/config/services/yourspotify.nix +++ b/config/services/yourspotify.nix @@ -7,7 +7,6 @@ client.via = "elisabeth"; firewallRuleForNode.elisabeth.allowedTCPPorts = [3000 80]; }; - imports = [../../modules/your_spotify.nix]; age.secrets.spotifySecret = { owner = "root"; mode = "440"; diff --git a/flake.lock b/flake.lock index 625e73a..6002f7a 100644 --- a/flake.lock +++ b/flake.lock 
@@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1714136352, - "narHash": "sha256-BtWQ2Th/jamO1SlD+2ASSW5Jaf7JhA/JLpQHk0Goqpg=", + "lastModified": 1715290355, + "narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=", "owner": "ryantm", "repo": "agenix", - "rev": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e", + "rev": "8d37c5bdeade12b6479c85acd133063ab53187a0", "type": "github" }, "original": { @@ -292,11 +292,11 @@ ] }, "locked": { - "lastModified": 1711099426, - "narHash": "sha256-HzpgM/wc3aqpnHJJ2oDqPBkNsqWbW0WfWUO8lKu8nGk=", + "lastModified": 1713532798, + "narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=", "owner": "numtide", "repo": "devshell", - "rev": "2d45b54ca4a183f2fdcf4b19c895b64fbf620ee8", + "rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40", "type": "github" }, "original": { @@ -356,11 +356,11 @@ ] }, "locked": { - "lastModified": 1714612856, - "narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=", + "lastModified": 1716291492, + "narHash": "sha256-Qvfoa99WdYIneGrrLFIKQCevLgB5vnxvwJe5aWbGYZY=", "owner": "nix-community", "repo": "disko", - "rev": "d57058eb09dd5ec00c746df34fe0a603ea744370", + "rev": "f1654e07728008d354c704d265fc710e3f5f42ee", "type": "github" }, "original": { @@ -561,11 +561,11 @@ ] }, "locked": { - "lastModified": 1712014858, - "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "lastModified": 1715865404, + "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9", "type": "github" }, "original": { 
@@ -574,6 +574,21 @@ "type": "github" } }, + "flake-root": { + "locked": { + "lastModified": 1713493429, + "narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=", + "owner": "srid", + "repo": "flake-root", + "rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "flake-root", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems_3" @@ -592,24 +607,6 @@ "type": "github" } }, - "flake-utils_10": { - "inputs": { - "systems": "systems_12" - }, - "locked": { - "lastModified": 1685518550, - "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flake-utils_2": { "inputs": { "systems": [ @@ -743,11 +740,11 @@ "systems": "systems_11" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", "type": "github" }, "original": { @@ -906,16 +903,16 @@ "gnome-shell": { "flake": false, "locked": { - "lastModified": 1698794309, - "narHash": "sha256-/TIkZ8y5Wv3QHLFp79Poao9fINurKs5pa4z0CRe+F8s=", + "lastModified": 1713702291, + "narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=", "owner": "GNOME", "repo": "gnome-shell", - "rev": "a7c169c6c29cf02a4c392fa0acbbc5f5072823e7", + "rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934", "type": "github" }, "original": { "owner": "GNOME", - "ref": "45.1", + "ref": "46.1", "repo": "gnome-shell", "type": "github" } 
@@ -927,11 +924,11 @@ ] }, "locked": { - "lastModified": 1714515075, - "narHash": "sha256-azMK7aWH0eUc3IqU4Fg5rwZdB9WZBvimOGG3piqvtsY=", + "lastModified": 1715930644, + "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=", "owner": "nix-community", "repo": "home-manager", - "rev": "6d3b6dc9222c12b951169becdf4b0592ee9576ef", + "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d", "type": "github" }, "original": { @@ -948,11 +945,11 @@ ] }, "locked": { - "lastModified": 1714343445, - "narHash": "sha256-OzD1P0o46uD3Ix4ZI/g9z3YAeg+4g+W3qctB6bNOReo=", + "lastModified": 1715930644, + "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=", "owner": "nix-community", "repo": "home-manager", - "rev": "9fe79591c1005ce6f93084ae7f7dab0a2891440d", + "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d", "type": "github" }, "original": { @@ -969,11 +966,11 @@ ] }, "locked": { - "lastModified": 1711915616, - "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=", + "lastModified": 1714981474, + "narHash": "sha256-b3/U21CJjCjJKmA9WqUbZGZgCvospO3ArOUTgJugkOY=", "owner": "nix-community", "repo": "home-manager", - "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6", + "rev": "6ebe7be2e67be7b9b54d61ce5704f6fb466c536f", "type": "github" }, "original": { @@ -1030,11 +1027,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1714306226, - "narHash": "sha256-CA7bfnDt9TcFc7I8eKHf72DodYUEETDPgmBFXBRP9/E=", + "lastModified": 1716120557, + "narHash": "sha256-rvNq9YolMY1DRMgwdAti8qwNDjkhTsotSWa15/Ch7+A=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "49d9b510614b9bd137e067eb31445a8feca83313", + "rev": "5fa64b174daa22fe0d20ebbcc0ec2c7905b503f1", "type": "github" }, "original": { 
@@ -1067,11 +1064,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1714072181, - "narHash": "sha256-MOxTGzM8lgq8uo6zAy6e4ZUdzUpF/eSQPBXeH5G5BtE=", + "lastModified": 1715787097, + "narHash": "sha256-TPp2j0ttvBvkk4oXidvo8Y071zEab0BtcNsC3ZEkluI=", "owner": "astro", "repo": "microvm.nix", - "rev": "ac28e21ac336dbe01b1f1bcab01fd31db3855e40", + "rev": "fa673bf8656fe6f28253b83971a36999bc9995d2", "type": "github" }, "original": { @@ -1088,11 +1085,11 @@ ] }, "locked": { - "lastModified": 1713946171, - "narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=", + "lastModified": 1715901937, + "narHash": "sha256-eMyvWP56ZOdraC2IOvZo0/RTDcrrsqJ0oJWDC76JTak=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7", + "rev": "ffc01182f90118119930bdfc528c1ee9a39ecef8", "type": "github" }, "original": { @@ -1109,11 +1106,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1713858845, - "narHash": "sha256-StJq7Zy+/iVBUAKFzhHWlsirFucZ3gNtzXhAYXAsNnw=", + "lastModified": 1715804156, + "narHash": "sha256-GtIHP86Cz1kD9xZO/cKbNQACHKdoT9WFbLJAq6W2EDY=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "7b6640f2a10701bf0db16aff048070f400e8ea7c", + "rev": "bb95091f6c6f38f6cfc215a1797a2dd466312c8b", "type": "github" }, "original": { @@ -1151,11 +1148,11 @@ ] }, "locked": { - "lastModified": 1714273701, - "narHash": "sha256-bmoeZ5zMSSO/e8P51yjrzaxA9uzA3SZAEFvih6S3LFo=", + "lastModified": 1716170277, + "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "941c4973c824509e0356be455d89613611f76c8a", + "rev": "e0638db3db43b582512a7de8c0f8363a162842b9", "type": "github" }, "original": { 
@@ -1172,11 +1169,11 @@ "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { - "lastModified": 1714599875, - "narHash": "sha256-SfslRhyiKv7FRCZuYvLkd8hI4hKGqWhURMJiDaI/YJY=", + "lastModified": 1715634843, + "narHash": "sha256-YrECYhEXY7g8Ji5luq8mdRaLRGiwTPCSDEeVP91DyDY=", "owner": "oddlama", "repo": "nix-topology", - "rev": "e5fc96840cc758f7de9a7b8631c4e84b9962660b", + "rev": "9ed5c7b5c5cd5bed9e204e8b9d69f4be1954abd3", "type": "github" }, "original": { @@ -1232,11 +1229,11 @@ ] }, "locked": { - "lastModified": 1713783234, - "narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=", + "lastModified": 1716210724, + "narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e", + "rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94", "type": "github" }, "original": { @@ -1247,11 +1244,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1714465198, - "narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=", + "lastModified": 1716173274, + "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4", + "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191", "type": "github" }, "original": { @@ -1268,11 +1265,11 @@ ] }, "locked": { - "lastModified": 1709392539, - "narHash": "sha256-cZ7vOO5KmvVQMHnpi1hBX+bUJlVL6cK8I3m2SPHANtg=", + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", "owner": "thelegy", "repo": "nixos-nftables-firewall", - "rev": "412ea84967cd087fc668ef6994f419bd16ac1174", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", "type": "github" }, "original": { 
@@ -1283,11 +1280,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1711703276, - "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "lastModified": 1715266358, + "narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "rev": "f1010e0469db743d14519a1efd37e23f8513d714", "type": "github" }, "original": { @@ -1299,11 +1296,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1714265296, - "narHash": "sha256-jVnKiCOoFulPT1zDdA4jfG/lnEnngdth5CT6rVDXEJ4=", + "lastModified": 1716079763, + "narHash": "sha256-DGRfb7fO7c3XDS3twmuaV5NAGPPdU3W7Q35fjIZc8iY=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "ade4fb7bbf04cd52bc1705734d5dc67755d77ec9", + "rev": "0df131b5ee4d928a4b664b6d0cd99cf134d6ab6b", "type": "github" }, "original": { @@ -1402,11 +1399,11 @@ ] }, "locked": { - "lastModified": 1714634187, - "narHash": "sha256-3+Kze1qqCMTXfX1cXg0Sxx/84eEKlc4se4Rreh8UCmU=", + "lastModified": 1716308443, + "narHash": "sha256-vPJ4VnR1EyW4ft6XlwHst3BMVMqsjXmCtV8ze0+Ox9k=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "791ba445d6983d5164235e9de11f77c9e1685c4e", + "rev": "112d54c8a35e974ec03581e44f35d973a89446aa", "type": "github" }, "original": { @@ -1417,11 +1414,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1714253743, - "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=", + "lastModified": 1716137900, + "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994", + "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1", "type": "github" }, "original": { 
@@ -1433,11 +1430,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1713805509, - "narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=", + "lastModified": 1715037484, + "narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4", + "rev": "ad7efee13e0d216bf29992311536fce1d3eefbef", "type": "github" }, "original": { @@ -1465,11 +1462,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1713596654, - "narHash": "sha256-LJbHQQ5aX1LVth2ST+Kkse/DRzgxlVhTL1rxthvyhZc=", + "lastModified": 1714912032, + "narHash": "sha256-clkcOIkg8G4xuJh+1onLG4HPMpbtzdLv4rHxFzgsH9c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fd16bb6d3bcca96039b11aa52038fafeb6e4f4be", + "rev": "ee4a6e0f566fe5ec79968c57a9c2c3c25f2cf41d", "type": "github" }, "original": { @@ -1484,19 +1481,21 @@ "devshell": "devshell_5", "flake-compat": "flake-compat_6", "flake-parts": "flake-parts_3", + "flake-root": "flake-root", "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nixpkgs": [ "nixpkgs" ], - "pre-commit-hooks": "pre-commit-hooks_4" + "pre-commit-hooks": "pre-commit-hooks_4", + "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1714600955, - "narHash": "sha256-AHz9OVQeVlbhTboR5Wchjet9a2h+a8aPTDjEyVQLz/g=", + "lastModified": 1716294469, + "narHash": "sha256-1RdJkVa+axdzLhbeoWJoC3BPODxfx+/Rv7HE+e4CK/Y=", "owner": "nix-community", "repo": "nixvim", - "rev": "82a19581defe682ff9ca7cb8b1b980b6dc297cf2", + "rev": "1c9f2a23a6cb9406c35980f4af1a4356f56771e9", "type": "github" }, "original": { 
@@ -1579,11 +1578,11 @@ "nixpkgs-stable": "nixpkgs-stable_3" }, "locked": { - "lastModified": 1711981679, - "narHash": "sha256-pnbHEXJOdGkPrHBdkZLv/a2V09On+V3J4aPE/BfAJC8=", + "lastModified": 1714478972, + "narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f3bb95498eaaa49a93bacaf196cdb6cf8e872cdf", + "rev": "2849da033884f54822af194400f8dff435ada242", "type": "github" }, "original": { @@ -1623,7 +1622,6 @@ "pre-commit-hooks_4": { "inputs": { "flake-compat": "flake-compat_7", - "flake-utils": "flake-utils_9", "gitignore": "gitignore_5", "nixpkgs": [ "nixvim", @@ -1635,11 +1633,11 @@ ] }, "locked": { - "lastModified": 1713954846, - "narHash": "sha256-RWFafuSb5nkWGu8dDbW7gVb8FOQOPqmX/9MlxUUDguw=", + "lastModified": 1715870890, + "narHash": "sha256-nacSOeXtUEM77Gn0G4bTdEOeFIrkCBXiyyFZtdGwuH0=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "6fb82e44254d6a0ece014ec423cb62d92435336f", + "rev": "fa606cccd7b0ccebe2880051208e4a0f61bfc8c1", "type": "github" }, "original": { @@ -1651,9 +1649,6 @@ "pre-commit-hooks_5": { "inputs": { "flake-compat": "flake-compat_8", - "flake-utils": [ - "flake-utils" - ], "gitignore": "gitignore_6", "nixpkgs": [ "nixpkgs" @@ -1661,11 +1656,11 @@ "nixpkgs-stable": "nixpkgs-stable_5" }, "locked": { - "lastModified": 1714478972, - "narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=", + "lastModified": 1716213921, + "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "2849da033884f54822af194400f8dff435ada242", + "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0", "type": "github" }, "original": { @@ -1697,7 +1692,7 @@ "pre-commit-hooks": "pre-commit-hooks_5", "spicetify-nix": "spicetify-nix", "stylix": "stylix", - "systems": "systems_13", + "systems": "systems_12", "templates": "templates" } }, 
@@ -1744,7 +1739,7 @@ }, "spicetify-nix": { "inputs": { - "flake-utils": "flake-utils_10", + "flake-utils": "flake-utils_9", "nixpkgs": "nixpkgs_4" }, "locked": { @@ -1776,11 +1771,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1714555012, - "narHash": "sha256-WVUrm3TGVj6c8g5aG20OjJRHMvUtAZjpHQgukDhyOT8=", + "lastModified": 1716206302, + "narHash": "sha256-5Qc3aQGVyPEOuN82zVamStaV81HebHvLjk3fGfpyCPY=", "owner": "danth", "repo": "stylix", - "rev": "43d23b1609b87f6a4100db2a09bd118c52c78766", + "rev": "81df8443556335016d6f0bc22630a95776a56d8b", "type": "github" }, "original": { @@ -1849,21 +1844,6 @@ "type": "github" } }, - "systems_13": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_2": { "locked": { "lastModified": 1681028828, @@ -2020,6 +2000,27 @@ "repo": "treefmt-nix", "type": "github" } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715940852, + "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 3f003b7..ce04ff8 100644 --- a/flake.nix +++ b/flake.nix @@ -58,7 +58,6 @@ pre-commit-hooks = { url = "github:cachix/pre-commit-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; }; nixos-nftables-firewall = { diff --git a/modules/your_spotify.nix b/modules/your_spotify.nix deleted file mode 100644 index 3eb2ffe..0000000 --- a/modules/your_spotify.nix +++ /dev/null 
@@ -1,191 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: let - inherit - (lib) - boolToString - concatMapAttrs - concatStrings - isBool - mapAttrsToList - mkEnableOption - mkIf - mkOption - mkPackageOption - optionalAttrs - types - mkDefault - ; - cfg = config.services.your_spotify; - - configEnv = concatMapAttrs (name: value: - optionalAttrs (value != null) { - ${name} = - if isBool value - then boolToString value - else toString value; - }) - cfg.settings; - - configFile = pkgs.writeText "your_spotify.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); -in { - options.services.your_spotify = let - inherit (types) nullOr port str path package; - in { - enable = mkEnableOption "your_spotify"; - - enableLocalDB = mkEnableOption "a local mongodb instance"; - nginxVirtualHost = mkOption { - type = nullOr str; - default = null; - description = '' - If set creates an nginx virtual host for the client. - In most cases this should be the CLIENT_ENDPOINT without - protocol prefix. - ''; - }; - - package = mkPackageOption pkgs "your_spotify" {}; - - clientPackage = mkOption { - type = package; - description = "Client package to use."; - }; - - spotifySecretFile = mkOption { - type = path; - description = '' - A file containing the secret key of your Spotify application. - Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application). - ''; - }; - - settings = mkOption { - description = '' - Your Spotify Configuration. Refer to [Your Spotify](https://github.com/Yooooomi/your_spotify) for definitions and values. - ''; - example = lib.literalExpression '' - { - CLIENT_ENDPOINT = "https://example.com"; - API_ENDPOINT = "https://api.example.com"; - SPOTIFY_PUBLIC = "spotify_client_id"; - } - ''; - type = types.submodule { - freeformType = types.attrsOf types.str; - options = { - CLIENT_ENDPOINT = mkOption { - type = str; - description = '' - The endpoint of your web application. 
- Has to include a protocol Prefix (e.g. `http://`) - ''; - example = "https://your_spotify.example.org"; - }; - API_ENDPOINT = mkOption { - type = str; - description = '' - The endpoint of your server - This api has to be reachable from the device you use the website from not from the server. - This means that for example you may need two nginx virtual hosts if you want to expose this on the - internet. - Has to include a protocol Prefix (e.g. `http://`) - ''; - example = "https://localhost:3000"; - }; - SPOTIFY_PUBLIC = mkOption { - type = str; - description = '' - The public client ID of your Spotify application. - Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application) - ''; - }; - MONGO_ENDPOINT = mkOption { - type = str; - description = ''The endpoint of the Mongo database.''; - default = "mongodb://localhost:27017/your_spotify"; - }; - PORT = mkOption { - type = port; - description = "The port of the api server"; - default = 3000; - }; - }; - }; - }; - }; - - config = mkIf cfg.enable { - services.your_spotify.clientPackage = mkDefault (cfg.package.client.override {apiEndpoint = cfg.settings.API_ENDPOINT;}); - systemd.services.your_spotify = { - after = ["network.target"]; - script = '' - export SPOTIFY_SECRET=$(< "$CREDENTIALS_DIRECTORY/SPOTIFY_SECRET") - ${lib.getExe' cfg.package "your_spotify_migrate"} - exec ${lib.getExe cfg.package} - ''; - serviceConfig = { - User = "your_spotify"; - Group = "your_spotify"; - DynamicUser = true; - EnvironmentFile = [configFile]; - StateDirectory = "your_spotify"; - LimitNOFILE = "1048576"; - PrivateTmp = true; - PrivateDevices = true; - StateDirectoryMode = "0700"; - Restart = "always"; - - LoadCredential = ["SPOTIFY_SECRET:${cfg.spotifySecretFile}"]; - - # Hardening - CapabilityBoundingSet = ""; - LockPersonality = true; - #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT - PrivateUsers = true; - ProtectClock = true; - 
ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - ProtectSystem = "strict"; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "@pkey" - ]; - UMask = "0077"; - }; - wantedBy = ["multi-user.target"]; - }; - services.nginx = mkIf (cfg.nginxVirtualHost != null) { - enable = true; - virtualHosts.${cfg.nginxVirtualHost} = { - root = cfg.clientPackage; - locations."/".extraConfig = '' - add_header Content-Security-Policy "frame-ancestors 'none';" ; - add_header X-Content-Type-Options "nosniff" ; - try_files = $uri $uri/ /index.html ; - ''; - }; - }; - services.mongodb = mkIf cfg.enableLocalDB { - enable = true; - }; - }; - meta.maintainers = with lib.maintainers; [patrickdag]; -} diff --git a/pkgs/default.nix b/pkgs/default.nix index 359da9e..3117250 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -22,8 +22,8 @@ provisionSrc = super.fetchFromGitHub { owner = "oddlama"; repo = "kanidm-provision"; - rev = "aa7a1c8ec04622745b385bd3b0462e1878f56b51"; - hash = "sha256-NRolS3l2kARjkhWP7FYUG//KCEiueh48ZrADdCDb9Zg="; + rev = "v1.1.0"; + hash = "sha256-pFOFFKh3la/sZGXj+pAM8x4SMeffvvbOvTjPeHS1XPU="; }; in { patches = diff --git a/pkgs/kanidm-provision.nix b/pkgs/kanidm-provision.nix index c3b5891..b076dbb 100644 --- a/pkgs/kanidm-provision.nix +++ b/pkgs/kanidm-provision.nix 
@@ -5,16 +5,16 @@
 }:
 rustPlatform.buildRustPackage rec {
 pname = "kanidm-provision";
- version = "1.0.0";
+ version = "1.1.0";
 src = fetchFromGitHub {
 owner = "oddlama";
 repo = "kanidm-provision";
 rev = "v${version}";
- hash = "sha256-T6kiBUdOMHCWRUF/vepoPrvaULDQrUGYsd/3I11HCLY=";
+ hash = "sha256-pFOFFKh3la/sZGXj+pAM8x4SMeffvvbOvTjPeHS1XPU=";
 };
- cargoHash = "sha256-nHp3C6szJxOogH/kETIqcQQNhFqBCO0P66j7n3UHuwo=";
+ cargoHash = "sha256-oiKlKIL23xH67tCDbny9Gj97JQQm4mYt0IHXB5hzJ/A=";
 meta = with lib; {
 description = "A small utility to help with kanidm provisioning";