chore: update flake

2026-04-14 21:29:12 +02:00 · 2026-03-05 23:09:50 +01:00 · 2026-03-05 23:09:50 +01:00 · 2ea5b9c764
commit 2ea5b9c764
parent c1a5cfa20c
25 changed files with 1527 additions and 1270 deletions
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
@ -110,7 +110,7 @@ in
          };

          script = ''
-            set -eu
+                  set -eu

            ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
            ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
@ -205,23 +205,27 @@ in

    services = {
      ${serviceName} = {
-        package = pkgs.kanidmWithSecretProvisioning_1_8;
-        enableServer = true;
-        serverSettings = {
-          domain = serviceDomain;
-          origin = "https://${serviceDomain}";
-          # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
-          tls_chain = certPathBase;
-          # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
-          tls_key = keyPathBase;
-          bindaddress = "0.0.0.0:${toString servicePort}";
-          # trust_x_forward_for = true;
+        package = pkgs.kanidmWithSecretProvisioning_1_9;
+        server = {
+          enable = true;
+          settings = {
+            domain = serviceDomain;
+            origin = "https://${serviceDomain}";
+            # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
+            tls_chain = certPathBase;
+            # tls_key = config.sops.secrets.kanidm-self-signed-key.path;
+            tls_key = keyPathBase;
+            bindaddress = "0.0.0.0:${toString servicePort}";
+            # trust_x_forward_for = true;
+          };
        };
-        enableClient = true;
-        clientSettings = {
-          uri = config.services.kanidm.serverSettings.origin;
-          verify_ca = true;
-          verify_hostnames = true;
+        client = {
+          enable = true;
+          settings = {
+            uri = config.services.kanidm.server.settings.origin;
+            verify_ca = true;
+            verify_hostnames = true;
+          };
        };
        provision = {
          enable = true;
@ -416,7 +420,7 @@ in
    nodes =
      let
        extraConfig = ''
-          allow ${globals.networks.home-lan.vlans.services.cidrv4};
+            allow ${globals.networks.home-lan.vlans.services.cidrv4};
          allow ${globals.networks.home-lan.vlans.services.cidrv6};
        '';
      in
--- a/modules/nixos/server/kavita.nix
+++ b/modules/nixos/server/kavita.nix
@ -1,4 +1,4 @@
-{ self, lib, config, pkgs, globals, dns, confLib, ... }:
+{ lib, config, globals, dns, confLib, ... }:
 let
  inherit (config.swarselsystems) sopsFile;

@ -8,9 +8,6 @@ in
 {
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
  config = lib.mkIf config.swarselmodules.server.${serviceName} {
-    environment.systemPackages = with pkgs; [
-      calibre
-    ];

    users = {
      persistentIds.kavita = confLib.mkIds 995;
--- a/modules/nixos/server/mailserver.nix
+++ b/modules/nixos/server/mailserver.nix
@ -1,7 +1,7 @@
 { self, lib, config, globals, dns, confLib, ... }:
 let
  inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 80; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
  inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
  inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3;
  baseDomain = globals.domains.main;
@ -127,7 +127,7 @@ in
    };

    # the rest of the ports are managed by snm
-    networking.firewall.allowedTCPPorts = [ 80 servicePort ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];

    services.nginx = {
      virtualHosts = {
@ -158,8 +158,8 @@ in
          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
          "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
        };
-        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; };
-        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
      };

  };
--- a/modules/nixos/server/monitoring.nix
+++ b/modules/nixos/server/monitoring.nix
@ -124,7 +124,9 @@ in
          analytics.reporting_enabled = false;
          users.allow_sign_up = false;
          security = {
-            admin_password = "$__file{/run/secrets/grafana-admin-pw}";
+            # admin_password = "$__file{/run/secrets/grafana-admin-pw}";
+            disable_initial_admin_creation = true;
+            secret_key = "$__file{${config.sops.secrets.grafana-admin-pw.path}}";
            cookie_secure = true;
            disable_gravatar = true;
          };
--- a/modules/nixos/server/navidrome.nix
+++ b/modules/nixos/server/navidrome.nix
@ -82,7 +82,6 @@ in

    services.${serviceName} = {
      enable = true;
-      # openFirewall = true;
      settings = {
        LogLevel = "debug";
        Address = "0.0.0.0";
--- a/modules/nixos/server/nextcloud.nix
+++ b/modules/nixos/server/nextcloud.nix
@ -5,7 +5,7 @@ let
  inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
  inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;

-  nextcloudVersion = "32";
+  nextcloudVersion = "33";
 in
 {
  options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
--- a/modules/nixos/server/paperless.nix
+++ b/modules/nixos/server/paperless.nix
@ -104,6 +104,7 @@ in
      gotenberg = {
        enable = true;
        package = pkgs.gotenberg;
+        libreoffice.package = pkgs.libreoffice;
        port = gotenbergPort;
        bindIP = "127.0.0.1";
        timeout = "600s";
@ -114,7 +115,7 @@ in

    # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
    systemd.services.paperless-web.script = lib.mkBefore ''
-      oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
+        oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
      export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
        ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
          --compact-output \
@ -125,7 +126,7 @@ in
    nodes =
      let
        extraConfigLoc = ''
-          proxy_connect_timeout   300;
+            proxy_connect_timeout   300;
          proxy_send_timeout      300;
          proxy_read_timeout      300;
          send_timeout            300;