patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

Compare commits

base: patrick:86b6d3e270483a94cae727908ebb38ec188f90c0
Branches Tags
patrick:master
...
compare: patrick:41e8f1e2a2eae5e2da3d9bbeb60982bbce258b60
Branches Tags
patrick:master

2 commits
86b6d3e270 ... 41e8f1e2a2

Author SHA1 Message Date
Patrick 41e8f1e2a2
fix: kanidm 2024-05-23 22:23:13 +02:00
Patrick fd792207d0
update 2024-05-22 18:24:04 +02:00
11 changed files with 150 additions and 338 deletions
Show stats Expand all files Collapse all files

2
config/basic/users.nix
View file

@ -31,7 +31,7 @@
mongodb = uidGid 221;
authelia-main = uidGid 222;
kanidm = uidGid 223;
oauth2_proxy = uidGid 224;
oauth2-proxy = uidGid 224;
influxdb2 = uidGid 225;
firefly-iii = uidGid 226;
paperless = uidGid 315;

7
config/services/adguardhome.nix
View file

@ -5,14 +5,15 @@
}: {
wireguard.elisabeth = {
client.via = "elisabeth";
firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.adguardhome.port];
};
services.adguardhome = {
enable = true;
mutableSettings = false;
host = "0.0.0.0";
port = 3000;
settings = {
bind_port = 3000;
bind_host = "0.0.0.0";
dns = {
bind_hosts = [
(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnetv4)

2
config/services/netbird.nix
View file

@ -56,7 +56,7 @@
Turns = [
{
Proto = "udp";
URI = "turn:${config.networking.netbird.server.managemen.turnDomain}:${builtins.toString config.networking.netbird.server.managemen.turnPort}";
URI = "turn:${config.services.netbird.server.management.turnDomain}:${builtins.toString config.services.netbird.server.management.turnPort}";
Username = "netbird";
Password._secret = config.age.secrets.coturnPassword.path;

12
config/services/oauth2-proxy.nix
View file

@ -11,10 +11,10 @@
age.secrets.oauth2-cookie-secret = {
rekeyFile = config.node.secretsDir + "/cookie-secret.age";
mode = "440";
group = "oauth2_proxy";
group = "oauth2-proxy";
};
services.oauth2_proxy = {
services.oauth2-proxy = {
enable = true;
cookie.domain = ".${config.secrets.secrets.global.domains.web}";
cookie.secure = true;
@ -49,14 +49,14 @@
email.domains = ["*"];
};
systemd.services.oauth2_proxy.serviceConfig = {
systemd.services.oauth2-proxy.serviceConfig = {
RuntimeDirectory = "oauth2-proxy";
RuntimeDirectoryMode = "0750";
UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
RestartSec = "60"; # Retry every minute
};
systemd.services.oauth2_proxy.serviceConfig.EnvironmentFile = [
systemd.services.oauth2-proxy.serviceConfig.EnvironmentFile = [
config.age.secrets.oauth2-cookie-secret.path
config.age.secrets.oauth2-client-secret-env.path
];
@ -64,7 +64,7 @@
age.secrets.oauth2-client-secret = {
inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-proxy) rekeyFile;
mode = "440";
group = "oauth2_proxy";
group = "oauth2-proxy";
};
# Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
# so it can be used as an EnvironmentFile
@ -85,6 +85,6 @@
${decrypt} ${lib.escapeShellArg (lib.head deps).file}
'';
mode = "440";
group = "oauth2_proxy";
group = "oauth2-proxy";
};
}

1
config/services/yourspotify.nix
View file

@ -7,7 +7,6 @@
client.via = "elisabeth";
firewallRuleForNode.elisabeth.allowedTCPPorts = [3000 80];
};
imports = [../../modules/your_spotify.nix];
age.secrets.spotifySecret = {
owner = "root";
mode = "440";

257
flake.lock
View file

@ -12,11 +12,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1714136352,
"narHash": "sha256-BtWQ2Th/jamO1SlD+2ASSW5Jaf7JhA/JLpQHk0Goqpg=",
"lastModified": 1715290355,
"narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
"owner": "ryantm",
"repo": "agenix",
"rev": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e",
"rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
"type": "github"
},
"original": {
@ -292,11 +292,11 @@
]
},
"locked": {
"lastModified": 1711099426,
"narHash": "sha256-HzpgM/wc3aqpnHJJ2oDqPBkNsqWbW0WfWUO8lKu8nGk=",
"lastModified": 1713532798,
"narHash": "sha256-wtBhsdMJA3Wa32Wtm1eeo84GejtI43pMrFrmwLXrsEc=",
"owner": "numtide",
"repo": "devshell",
"rev": "2d45b54ca4a183f2fdcf4b19c895b64fbf620ee8",
"rev": "12e914740a25ea1891ec619bb53cf5e6ca922e40",
"type": "github"
},
"original": {
@ -356,11 +356,11 @@
]
},
"locked": {
"lastModified": 1714612856,
"narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=",
"lastModified": 1716291492,
"narHash": "sha256-Qvfoa99WdYIneGrrLFIKQCevLgB5vnxvwJe5aWbGYZY=",
"owner": "nix-community",
"repo": "disko",
"rev": "d57058eb09dd5ec00c746df34fe0a603ea744370",
"rev": "f1654e07728008d354c704d265fc710e3f5f42ee",
"type": "github"
},
"original": {
@ -561,11 +561,11 @@
]
},
"locked": {
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"lastModified": 1715865404,
"narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
"type": "github"
},
"original": {
@ -574,6 +574,21 @@
"type": "github"
}
},
"flake-root": {
"locked": {
"lastModified": 1713493429,
"narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
"owner": "srid",
"repo": "flake-root",
"rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "flake-root",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_3"
@ -592,24 +607,6 @@
"type": "github"
}
},
"flake-utils_10": {
"inputs": {
"systems": "systems_12"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": [
@ -743,11 +740,11 @@
"systems": "systems_11"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
@ -906,16 +903,16 @@
"gnome-shell": {
"flake": false,
"locked": {
"lastModified": 1698794309,
"narHash": "sha256-/TIkZ8y5Wv3QHLFp79Poao9fINurKs5pa4z0CRe+F8s=",
"lastModified": 1713702291,
"narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=",
"owner": "GNOME",
"repo": "gnome-shell",
"rev": "a7c169c6c29cf02a4c392fa0acbbc5f5072823e7",
"rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934",
"type": "github"
},
"original": {
"owner": "GNOME",
"ref": "45.1",
"ref": "46.1",
"repo": "gnome-shell",
"type": "github"
}
@ -927,11 +924,11 @@
]
},
"locked": {
"lastModified": 1714515075,
"narHash": "sha256-azMK7aWH0eUc3IqU4Fg5rwZdB9WZBvimOGG3piqvtsY=",
"lastModified": 1715930644,
"narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6d3b6dc9222c12b951169becdf4b0592ee9576ef",
"rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
"type": "github"
},
"original": {
@ -948,11 +945,11 @@
]
},
"locked": {
"lastModified": 1714343445,
"narHash": "sha256-OzD1P0o46uD3Ix4ZI/g9z3YAeg+4g+W3qctB6bNOReo=",
"lastModified": 1715930644,
"narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9fe79591c1005ce6f93084ae7f7dab0a2891440d",
"rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d",
"type": "github"
},
"original": {
@ -969,11 +966,11 @@
]
},
"locked": {
"lastModified": 1711915616,
"narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=",
"lastModified": 1714981474,
"narHash": "sha256-b3/U21CJjCjJKmA9WqUbZGZgCvospO3ArOUTgJugkOY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6",
"rev": "6ebe7be2e67be7b9b54d61ce5704f6fb466c536f",
"type": "github"
},
"original": {
@ -1030,11 +1027,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1714306226,
"narHash": "sha256-CA7bfnDt9TcFc7I8eKHf72DodYUEETDPgmBFXBRP9/E=",
"lastModified": 1716120557,
"narHash": "sha256-rvNq9YolMY1DRMgwdAti8qwNDjkhTsotSWa15/Ch7+A=",
"owner": "nix-community",
"repo": "lib-aggregate",
"rev": "49d9b510614b9bd137e067eb31445a8feca83313",
"rev": "5fa64b174daa22fe0d20ebbcc0ec2c7905b503f1",
"type": "github"
},
"original": {
@ -1067,11 +1064,11 @@
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1714072181,
"narHash": "sha256-MOxTGzM8lgq8uo6zAy6e4ZUdzUpF/eSQPBXeH5G5BtE=",
"lastModified": 1715787097,
"narHash": "sha256-TPp2j0ttvBvkk4oXidvo8Y071zEab0BtcNsC3ZEkluI=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "ac28e21ac336dbe01b1f1bcab01fd31db3855e40",
"rev": "fa673bf8656fe6f28253b83971a36999bc9995d2",
"type": "github"
},
"original": {
@ -1088,11 +1085,11 @@
]
},
"locked": {
"lastModified": 1713946171,
"narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=",
"lastModified": 1715901937,
"narHash": "sha256-eMyvWP56ZOdraC2IOvZo0/RTDcrrsqJ0oJWDC76JTak=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7",
"rev": "ffc01182f90118119930bdfc528c1ee9a39ecef8",
"type": "github"
},
"original": {
@ -1109,11 +1106,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1713858845,
"narHash": "sha256-StJq7Zy+/iVBUAKFzhHWlsirFucZ3gNtzXhAYXAsNnw=",
"lastModified": 1715804156,
"narHash": "sha256-GtIHP86Cz1kD9xZO/cKbNQACHKdoT9WFbLJAq6W2EDY=",
"owner": "nix-community",
"repo": "nix-eval-jobs",
"rev": "7b6640f2a10701bf0db16aff048070f400e8ea7c",
"rev": "bb95091f6c6f38f6cfc215a1797a2dd466312c8b",
"type": "github"
},
"original": {
@ -1151,11 +1148,11 @@
]
},
"locked": {
"lastModified": 1714273701,
"narHash": "sha256-bmoeZ5zMSSO/e8P51yjrzaxA9uzA3SZAEFvih6S3LFo=",
"lastModified": 1716170277,
"narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "941c4973c824509e0356be455d89613611f76c8a",
"rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
"type": "github"
},
"original": {
@ -1172,11 +1169,11 @@
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": {
"lastModified": 1714599875,
"narHash": "sha256-SfslRhyiKv7FRCZuYvLkd8hI4hKGqWhURMJiDaI/YJY=",
"lastModified": 1715634843,
"narHash": "sha256-YrECYhEXY7g8Ji5luq8mdRaLRGiwTPCSDEeVP91DyDY=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "e5fc96840cc758f7de9a7b8631c4e84b9962660b",
"rev": "9ed5c7b5c5cd5bed9e204e8b9d69f4be1954abd3",
"type": "github"
},
"original": {
@ -1232,11 +1229,11 @@
]
},
"locked": {
"lastModified": 1713783234,
"narHash": "sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE+9ytRWxsA5aWtmyI=",
"lastModified": 1716210724,
"narHash": "sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J+ve1w=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "722b512eb7e6915882f39fff0e4c9dd44f42b77e",
"rev": "d14b286322c7f4f897ca4b1726ce38cb68596c94",
"type": "github"
},
"original": {
@ -1247,11 +1244,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1714465198,
"narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=",
"lastModified": 1716173274,
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
"type": "github"
},
"original": {
@ -1268,11 +1265,11 @@
]
},
"locked": {
"lastModified": 1709392539,
"narHash": "sha256-cZ7vOO5KmvVQMHnpi1hBX+bUJlVL6cK8I3m2SPHANtg=",
"lastModified": 1715521768,
"narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=",
"owner": "thelegy",
"repo": "nixos-nftables-firewall",
"rev": "412ea84967cd087fc668ef6994f419bd16ac1174",
"rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8",
"type": "github"
},
"original": {
@ -1283,11 +1280,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1711703276,
"narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
"lastModified": 1715266358,
"narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
"rev": "f1010e0469db743d14519a1efd37e23f8513d714",
"type": "github"
},
"original": {
@ -1299,11 +1296,11 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1714265296,
"narHash": "sha256-jVnKiCOoFulPT1zDdA4jfG/lnEnngdth5CT6rVDXEJ4=",
"lastModified": 1716079763,
"narHash": "sha256-DGRfb7fO7c3XDS3twmuaV5NAGPPdU3W7Q35fjIZc8iY=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "ade4fb7bbf04cd52bc1705734d5dc67755d77ec9",
"rev": "0df131b5ee4d928a4b664b6d0cd99cf134d6ab6b",
"type": "github"
},
"original": {
@ -1402,11 +1399,11 @@
]
},
"locked": {
"lastModified": 1714634187,
"narHash": "sha256-3+Kze1qqCMTXfX1cXg0Sxx/84eEKlc4se4Rreh8UCmU=",
"lastModified": 1716308443,
"narHash": "sha256-vPJ4VnR1EyW4ft6XlwHst3BMVMqsjXmCtV8ze0+Ox9k=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
"rev": "791ba445d6983d5164235e9de11f77c9e1685c4e",
"rev": "112d54c8a35e974ec03581e44f35d973a89446aa",
"type": "github"
},
"original": {
@ -1417,11 +1414,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1714253743,
"narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=",
"lastModified": 1716137900,
"narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994",
"rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
"type": "github"
},
"original": {
@ -1433,11 +1430,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1713805509,
"narHash": "sha256-YgSEan4CcrjivCNO5ZNzhg7/8ViLkZ4CB/GrGBVSudo=",
"lastModified": 1715037484,
"narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1e1dc66fe68972a76679644a5577828b6a7e8be4",
"rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
"type": "github"
},
"original": {
@ -1465,11 +1462,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1713596654,
"narHash": "sha256-LJbHQQ5aX1LVth2ST+Kkse/DRzgxlVhTL1rxthvyhZc=",
"lastModified": 1714912032,
"narHash": "sha256-clkcOIkg8G4xuJh+1onLG4HPMpbtzdLv4rHxFzgsH9c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fd16bb6d3bcca96039b11aa52038fafeb6e4f4be",
"rev": "ee4a6e0f566fe5ec79968c57a9c2c3c25f2cf41d",
"type": "github"
},
"original": {
@ -1484,19 +1481,21 @@
"devshell": "devshell_5",
"flake-compat": "flake-compat_6",
"flake-parts": "flake-parts_3",
"flake-root": "flake-root",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks_4"
"pre-commit-hooks": "pre-commit-hooks_4",
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1714600955,
"narHash": "sha256-AHz9OVQeVlbhTboR5Wchjet9a2h+a8aPTDjEyVQLz/g=",
"lastModified": 1716294469,
"narHash": "sha256-1RdJkVa+axdzLhbeoWJoC3BPODxfx+/Rv7HE+e4CK/Y=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "82a19581defe682ff9ca7cb8b1b980b6dc297cf2",
"rev": "1c9f2a23a6cb9406c35980f4af1a4356f56771e9",
"type": "github"
},
"original": {
@ -1579,11 +1578,11 @@
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1711981679,
"narHash": "sha256-pnbHEXJOdGkPrHBdkZLv/a2V09On+V3J4aPE/BfAJC8=",
"lastModified": 1714478972,
"narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "f3bb95498eaaa49a93bacaf196cdb6cf8e872cdf",
"rev": "2849da033884f54822af194400f8dff435ada242",
"type": "github"
},
"original": {
@ -1623,7 +1622,6 @@
"pre-commit-hooks_4": {
"inputs": {
"flake-compat": "flake-compat_7",
"flake-utils": "flake-utils_9",
"gitignore": "gitignore_5",
"nixpkgs": [
"nixvim",
@ -1635,11 +1633,11 @@
]
},
"locked": {
"lastModified": 1713954846,
"narHash": "sha256-RWFafuSb5nkWGu8dDbW7gVb8FOQOPqmX/9MlxUUDguw=",
"lastModified": 1715870890,
"narHash": "sha256-nacSOeXtUEM77Gn0G4bTdEOeFIrkCBXiyyFZtdGwuH0=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "6fb82e44254d6a0ece014ec423cb62d92435336f",
"rev": "fa606cccd7b0ccebe2880051208e4a0f61bfc8c1",
"type": "github"
},
"original": {
@ -1651,9 +1649,6 @@
"pre-commit-hooks_5": {
"inputs": {
"flake-compat": "flake-compat_8",
"flake-utils": [
"flake-utils"
],
"gitignore": "gitignore_6",
"nixpkgs": [
"nixpkgs"
@ -1661,11 +1656,11 @@
"nixpkgs-stable": "nixpkgs-stable_5"
},
"locked": {
"lastModified": 1714478972,
"narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=",
"lastModified": 1716213921,
"narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "2849da033884f54822af194400f8dff435ada242",
"rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github"
},
"original": {
@ -1697,7 +1692,7 @@
"pre-commit-hooks": "pre-commit-hooks_5",
"spicetify-nix": "spicetify-nix",
"stylix": "stylix",
"systems": "systems_13",
"systems": "systems_12",
"templates": "templates"
}
},
@ -1744,7 +1739,7 @@
},
"spicetify-nix": {
"inputs": {
"flake-utils": "flake-utils_10",
"flake-utils": "flake-utils_9",
"nixpkgs": "nixpkgs_4"
},
"locked": {
@ -1776,11 +1771,11 @@
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1714555012,
"narHash": "sha256-WVUrm3TGVj6c8g5aG20OjJRHMvUtAZjpHQgukDhyOT8=",
"lastModified": 1716206302,
"narHash": "sha256-5Qc3aQGVyPEOuN82zVamStaV81HebHvLjk3fGfpyCPY=",
"owner": "danth",
"repo": "stylix",
"rev": "43d23b1609b87f6a4100db2a09bd118c52c78766",
"rev": "81df8443556335016d6f0bc22630a95776a56d8b",
"type": "github"
},
"original": {
@ -1849,21 +1844,6 @@
"type": "github"
}
},
"systems_13": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
@ -2020,6 +2000,27 @@
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1715940852,
"narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

1
flake.nix
View file

@ -58,7 +58,6 @@
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nixos-nftables-firewall = {

5
modules/kanidm.nix
View file

@ -169,13 +169,16 @@
# Wait for the kanidm server to come online
count=0
main_pid_existed=false
while ! test -e /run/kanidmd/sock; do
sleep 0.1
if [[ "$count" -eq 600 ]]; then
echo "Tried for 60 seconds, giving up..."
exit 1
fi
if [[ ! -d "/proc/$MAINPID" ]]; then
if [[ -d "/proc/$MAINPID" ]]; then
main_pid_existed=true
elif [[ "$main_pid_existed" == true ]]; then
echo "Main server died, giving up..."
exit 1
fi

191
modules/your_spotify.nix
View file

@ -1,191 +0,0 @@
{
pkgs,
config,
lib,
...
}: let
inherit
(lib)
boolToString
concatMapAttrs
concatStrings
isBool
mapAttrsToList
mkEnableOption
mkIf
mkOption
mkPackageOption
optionalAttrs
types
mkDefault
;
cfg = config.services.your_spotify;
configEnv = concatMapAttrs (name: value:
optionalAttrs (value != null) {
${name} =
if isBool value
then boolToString value
else toString value;
})
cfg.settings;
configFile = pkgs.writeText "your_spotify.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv));
in {
options.services.your_spotify = let
inherit (types) nullOr port str path package;
in {
enable = mkEnableOption "your_spotify";
enableLocalDB = mkEnableOption "a local mongodb instance";
nginxVirtualHost = mkOption {
type = nullOr str;
default = null;
description = ''
If set creates an nginx virtual host for the client.
In most cases this should be the CLIENT_ENDPOINT without
protocol prefix.
'';
};
package = mkPackageOption pkgs "your_spotify" {};
clientPackage = mkOption {
type = package;
description = "Client package to use.";
};
spotifySecretFile = mkOption {
type = path;
description = ''
A file containing the secret key of your Spotify application.
Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application).
'';
};
settings = mkOption {
description = ''
Your Spotify Configuration. Refer to [Your Spotify](https://github.com/Yooooomi/your_spotify) for definitions and values.
'';
example = lib.literalExpression ''
{
CLIENT_ENDPOINT = "https://example.com";
API_ENDPOINT = "https://api.example.com";
SPOTIFY_PUBLIC = "spotify_client_id";
}
'';
type = types.submodule {
freeformType = types.attrsOf types.str;
options = {
CLIENT_ENDPOINT = mkOption {
type = str;
description = ''
The endpoint of your web application.
Has to include a protocol Prefix (e.g. `http://`)
'';
example = "https://your_spotify.example.org";
};
API_ENDPOINT = mkOption {
type = str;
description = ''
The endpoint of your server
This api has to be reachable from the device you use the website from not from the server.
This means that for example you may need two nginx virtual hosts if you want to expose this on the
internet.
Has to include a protocol Prefix (e.g. `http://`)
'';
example = "https://localhost:3000";
};
SPOTIFY_PUBLIC = mkOption {
type = str;
description = ''
The public client ID of your Spotify application.
Refer to: [Creating the Spotify Application](https://github.com/Yooooomi/your_spotify#creating-the-spotify-application)
'';
};
MONGO_ENDPOINT = mkOption {
type = str;
description = ''The endpoint of the Mongo database.'';
default = "mongodb://localhost:27017/your_spotify";
};
PORT = mkOption {
type = port;
description = "The port of the api server";
default = 3000;
};
};
};
};
};
config = mkIf cfg.enable {
services.your_spotify.clientPackage = mkDefault (cfg.package.client.override {apiEndpoint = cfg.settings.API_ENDPOINT;});
systemd.services.your_spotify = {
after = ["network.target"];
script = ''
export SPOTIFY_SECRET=$(< "$CREDENTIALS_DIRECTORY/SPOTIFY_SECRET")
${lib.getExe' cfg.package "your_spotify_migrate"}
exec ${lib.getExe cfg.package}
'';
serviceConfig = {
User = "your_spotify";
Group = "your_spotify";
DynamicUser = true;
EnvironmentFile = [configFile];
StateDirectory = "your_spotify";
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
LoadCredential = ["SPOTIFY_SECRET:${cfg.spotifySecretFile}"];
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
#MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
UMask = "0077";
};
wantedBy = ["multi-user.target"];
};
services.nginx = mkIf (cfg.nginxVirtualHost != null) {
enable = true;
virtualHosts.${cfg.nginxVirtualHost} = {
root = cfg.clientPackage;
locations."/".extraConfig = ''
add_header Content-Security-Policy "frame-ancestors 'none';" ;
add_header X-Content-Type-Options "nosniff" ;
try_files = $uri $uri/ /index.html ;
'';
};
};
services.mongodb = mkIf cfg.enableLocalDB {
enable = true;
};
};
meta.maintainers = with lib.maintainers; [patrickdag];
}

4
pkgs/default.nix
View file

@ -22,8 +22,8 @@
provisionSrc = super.fetchFromGitHub {
owner = "oddlama";
repo = "kanidm-provision";
rev = "aa7a1c8ec04622745b385bd3b0462e1878f56b51";
hash = "sha256-NRolS3l2kARjkhWP7FYUG//KCEiueh48ZrADdCDb9Zg=";
rev = "v1.1.0";
hash = "sha256-pFOFFKh3la/sZGXj+pAM8x4SMeffvvbOvTjPeHS1XPU=";
};
in {
patches =

6
pkgs/kanidm-provision.nix
View file

@ -5,16 +5,16 @@
}:
rustPlatform.buildRustPackage rec {
pname = "kanidm-provision";
version = "1.0.0";
version = "1.1.0";
src = fetchFromGitHub {
owner = "oddlama";
repo = "kanidm-provision";
rev = "v${version}";
hash = "sha256-T6kiBUdOMHCWRUF/vepoPrvaULDQrUGYsd/3I11HCLY=";
hash = "sha256-pFOFFKh3la/sZGXj+pAM8x4SMeffvvbOvTjPeHS1XPU=";
};
cargoHash = "sha256-nHp3C6szJxOogH/kETIqcQQNhFqBCO0P66j7n3UHuwo=";
cargoHash = "sha256-oiKlKIL23xH67tCDbny9Gj97JQQm4mYt0IHXB5hzJ/A=";
meta = with lib; {
description = "A small utility to help with kanidm provisioning";