diff --git a/SwarselSystems.org b/SwarselSystems.org index 8e2dc65..41a67b2 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -371,19 +371,20 @@ In this section I am creating some attributes that define general concepts of my in { default = pkgs.mkShell { + # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { + # buildInputs = [pkgs.nixVersions.latest pkgs.boost]; + # patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ]; + # })}/lib/nix/plugins NIX_CONFIG = '' - plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { - buildInputs = [pkgs.nixVersions.latest pkgs.boost]; - patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ]; - })}/lib/nix/plugins + plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins extra-builtins-file = ${self + /nix/extra-builtins.nix} ''; inherit (checks.pre-commit-check) shellHook; buildInputs = checks.pre-commit-check.enabledPackages; nativeBuildInputs = [ - # (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions. - pkgs.nix + (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions. + # pkgs.nix pkgs.home-manager pkgs.git pkgs.just 
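Review bot: The trailing comment on the new `nativeBuildInputs` entry still reads "Always use the nix version from this flake's nixpkgs version", but the line now does the opposite: it pins `pkgs.nixVersions.nix_2_24` while `pkgs.nix` is commented out, so the comment contradicts the code it annotates. Suggest replacing it with `# Pinned to nix_2_24 until https://github.com/shlevy/nix-plugins/issues/20 is resolved; the trace above is the reminder to unpin` and deleting the commented-out `overrideAttrs` block placed above `NIX_CONFIG`, which is history that git already keeps. Pinning the dev shell to an older Nix release also means it will not pick up fixes shipped in newer releases, so recording a date or issue to watch for the unpin is worthwhile. The same lines appear again in the later hunk `@@ -1289,74 +1291,75 @@` (apparently the exported copy of this block) and would need the same edit. The enclosing `devShells` definition starts before this hunk and its `nativeBuildInputs` list continues after it.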
@@ -1275,7 +1276,7 @@ This machine mainly acts as an external sync helper. It manages the following th All of these are processes that use little cpu but can take a lot of storage. For this I use a free Ampere instance from OCI with 50G of space. In case my account gets terminated, all of this data is easily replaceable or backed up regularly anyways. #+begin_src nix :tangle hosts/nixos/sync/default.nix - { lib, primaryUser, ... }: + { lib, config, primaryUser, ... }: let sharedOptions = { isBtrfs = false; @@ -1327,6 +1328,8 @@ This machine mainly acts as an external sync helper. It manages the following th system.stateVersion = "23.11"; + + node.secretsDir = ./secrets; services = { nginx = { virtualHosts = { @@ -4274,6 +4277,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a freshrss = lib.mkDefault true; jenkins = lib.mkDefault false; kanidm = lib.mkDefault true; + firefly = lib.mkDefault true; }; }; }; @@ -4293,7 +4297,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a modules = { general = lib.mkDefault true; nix-ld = lib.mkDefault true; - pii = lib.mkDefault true; + pii = lib.mkDefault true; home-manager = lib.mkDefault true; home-managerExtra = lib.mkDefault true; xserver = lib.mkDefault true; @@ -4576,6 +4580,15 @@ TODO } ); + # mkUser = name: { + # config.users.users.${name} = { + # group = name; + # isSystemUser = true; + # }; + + # config.users.groups.${name} = {}; + # }; + mkTrueOption = lib.mkOption { type = lib.types.bool; default = true; 
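Review bot: `node.secretsDir = ./secrets;` in the `@@ -1327,6 +1328,8 @@` hunk points this host's secret directory at a path inside the flake (`hosts/nixos/sync/secrets`, given the tangle target), and a flake's source tree lives in the Nix store, which is world-readable on every machine that evaluates or builds the configuration. That is only acceptable if everything under that directory is sops-encrypted or otherwise safe to publish; a comment such as `# sops-encrypted files only: this directory is part of the flake source and ends up in the world-readable store` next to the assignment would make the invariant explicit. The `config` argument added in the `@@ -1275,7 +1276,7 @@` hunk is not used in the visible lines; if a later hunk needs it that is fine, otherwise `deadnix` from the dev shell will flag it. The enclosing module body continues outside both hunks, and the exported copies at `@@ -2269,7 +2272,7 @@` and `@@ -2321,6 +2324,8 @@` carry the same lines.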
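Review bot: The `@@ -4576,6 +4580,15 @@` hunk adds a nine-line commented-out `mkUser` helper with no note on why it is kept; commented-out code of this kind rots quickly and is already preserved in history, so it should either be deleted or prefixed with a one-line reason such as `# mkUser: kept for reference, see <ISSUE-OR-REASON>`. The exported copy at `@@ -5749,6 +5755,15 @@` would need the same treatment. The enclosing `let` binding set continues outside the hunk.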
@@ -4849,29 +4862,30 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne #+begin_src nix :tangle modules/nixos/common/sharedsetup.nix { lib, ... }: { - options.swarselsystems = { - withHomeManager = lib.mkOption { - type = lib.types.bool; - default = true; - }; - isSwap = lib.mkOption { - type = lib.types.bool; - default = true; - }; - swapSize = lib.mkOption { - type = lib.types.str; - default = "8G"; - }; - rootDisk = lib.mkOption { - type = lib.types.str; - default = ""; - }; - isCrypted = lib.mkEnableOption "uses full disk encryption"; - initialSetup = lib.mkEnableOption "initial setup (no sops keys available)"; - - isImpermanence = lib.mkEnableOption "use impermanence on this system"; - isSecureBoot = lib.mkEnableOption "use secure boot on this system"; + options = { + swarselsystems = { + withHomeManager = lib.mkOption { + type = lib.types.bool; + default = true; + }; + isSwap = lib.mkOption { + type = lib.types.bool; + default = true; + }; + swapSize = lib.mkOption { + type = lib.types.str; + default = "8G"; + }; + rootDisk = lib.mkOption { + type = lib.types.str; + default = ""; + }; + isCrypted = lib.mkEnableOption "uses full disk encryption"; + initialSetup = lib.mkEnableOption "initial setup (no sops keys available)"; + isImpermanence = lib.mkEnableOption "use impermanence on this system"; + isSecureBoot = lib.mkEnableOption "use secure boot on this system"; + }; globals = lib.mkOption { default = { }; type = lib.types.submodule { @@ -4895,10 +4909,15 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne description = "My main domain."; }; }; - }; }; }; + # _globalsDefs = lib.mkOption { + # type = lib.types.unspecified; + # default = options.globals.definitions; + # readOnly = true; + # internal = true; + # }; }; } #+end_src 
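Review bot: The restructuring in `@@ -4849,29 +4862,30 @@` changes the declared path of `globals` from `swarselsystems.globals` to a top-level `globals` option: in the old text `globals = lib.mkOption` sat inside `options.swarselsystems = { … }`, while in the new text `swarselsystems` is closed by the added `};` before `globals` is declared. Any `config.swarselsystems.globals` reference elsewhere in the repository would now fail to evaluate unless it was updated in hunks not shown here. The commented `_globalsDefs` block in `@@ -4895,10 +4909,15 @@` refers to `options.globals`, which suggests the move is intentional, so a comment above `globals = lib.mkOption {` such as `# deliberately declared outside the swarselsystems namespace; consumers read config.globals` would stop the next reader from "fixing" it back. The same two hunks appear again at `@@ -6040,29 +6055,30 @@` and `@@ -6086,10 +6102,15 @@`.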
@@ -7919,11 +7938,15 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= gotenberg = { enable = true; + package = pkgs.stable.gotenberg; port = 3002; bindIP = "127.0.0.1"; + timeout = "600s"; + chromium.package = pkgs.stable.chromium; }; }; + # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS systemd.services.paperless-web.script = lib.mkBefore '' oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path}) @@ -8623,7 +8646,7 @@ I am using this with CapyReader on my phone, set it up as a FreshRSS account wit enable = true; virtualHost = "signpost.swarsel.win"; baseUrl = "https://signpost.swarsel.win"; - authType = "none"; + authType = "form"; dataDir = "/Vault/data/tt-rss"; defaultUser = "Swarsel"; passwordFile = config.sops.secrets.fresh.path; @@ -8647,11 +8670,15 @@ I am using this with CapyReader on my phone, set it up as a FreshRSS account wit # pass information via X-User and X-Email headers to backend, # requires running with --set-xauthrequest flag (done by NixOS) - auth_request_set $user $upstream_http_x_auth_request_preferred_username; - # Set the email to our own domain in case user change their mail - auth_request_set $email "''${upstream_http_x_auth_request_preferred_username}@swarsel.win"; + auth_request_set $user $upstream_http_x_auth_request_user; + auth_request_set $email $upstream_http_x_auth_request_email; proxy_set_header X-User $user; proxy_set_header X-Email $email; + proxy_set_header Remote-User $user; + + # if you enabled --pass-access-token, this will pass the token to the backend + auth_request_set $token $upstream_http_x_auth_request_access_token; + proxy_set_header X-Access-Token $token; # if you enabled --cookie-refresh, this is needed for it to work with auth_request auth_request_set $auth_cookie $upstream_http_set_cookie; @@ -8980,6 +9007,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/ - + SwarselSystems: NixOS + Emacs Configuration 
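Review bot: The `@@ -8647,11 +8670,15 @@` hunk switches `$user` from `$upstream_http_x_auth_request_preferred_username` to `$upstream_http_x_auth_request_user`; oauth2-proxy's user field is not necessarily the short username kanidm emits, so if tt-rss matches existing accounts on `X-User` this can silently stop matching (or auto-create) accounts, and it is worth confirming against the client's `preferShortUsername = true` before merging. The same hunk drops the rule that pinned `X-Email` to `@swarsel.win` in favour of the IdP's email claim, and adds `X-Access-Token`, which hands the user's bearer token to the application; unless tt-rss actually consumes that header, leaving the two `access_token` lines out keeps the token inside oauth2-proxy. A comment on the new `Remote-User` line naming which tt-rss setting reads it (the `authType = "form"` change in `@@ -8623,7 +8646,7 @@` looks related) would document the contract. The enclosing `extraConfig` block starts and ends outside the hunk.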
@@ -263,9 +263,9 @@
  • 3.1.4.3. Home-manager only (default non-NixOS)
  • 3.1.4.4. ChaosTheatre (Demo Physical/VM)
  • @@ -305,8 +305,8 @@
  • 3.2.1.27. fhs
  • 3.2.1.28. swarsel-displaypower
  • 3.2.1.29. swarsel-mgba
  • -
  • 3.2.1.30. swarsel-deploy
  • -
  • 3.2.1.31. sshrm
  • +
  • 3.2.1.30. swarsel-deploy
  • +
  • 3.2.1.31. sshrm
  • 3.2.2. Overlays (additions, overrides, nixpkgs-stable)
  • @@ -314,37 +314,37 @@
  • 3.2.4. Library functions
  • -
  • 3.2.5. Auxiliary files +
  • 3.2.5. Auxiliary files
  • @@ -369,9 +369,9 @@
  • 3.3.1.14. Pipewire
  • 3.3.1.15. Common network settings
  • 3.3.1.16. Time, locale settings
  • -
  • 3.3.1.17. Meta options
  • +
  • 3.3.1.17. Meta options
  • 3.3.1.18. sops
  • -
  • 3.3.1.19. PII management
  • +
  • 3.3.1.19. PII management
  • 3.3.1.20. Theme (stylix)
  • 3.3.1.21. Programs (including zsh setup)
  • 3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules @@ -438,7 +438,8 @@
  • 3.3.2.24. FreshRSS
  • 3.3.2.25. forgejo (git server)
  • 3.3.2.26. Anki Sync Server
  • -
  • 3.3.2.27. IDM (kanidm + oauth2-proxy)
  • +
  • 3.3.2.27. IDM (kanidm + oauth2-proxy)
  • +
  • 3.3.2.28. Firefly-III
  • 3.3.3. Darwin @@ -453,11 +454,11 @@
  • 3.3.4.3. VmWare
  • 3.3.4.4. Auto-login
  • 3.3.4.5. nswitch-rcm
  • -
  • 3.3.4.6. Framework
  • -
  • 3.3.4.7. AMD CPU
  • -
  • 3.3.4.8. AMD GPU
  • -
  • 3.3.4.9. Hibernation
  • -
  • 3.3.4.10. BTRFS
  • +
  • 3.3.4.6. Framework
  • +
  • 3.3.4.7. AMD CPU
  • +
  • 3.3.4.8. AMD GPU
  • +
  • 3.3.4.9. Hibernation
  • +
  • 3.3.4.10. BTRFS
  • 3.3.4.11. work
  • 3.3.4.12. Minimal Install
  • @@ -506,7 +507,7 @@
  • 3.4.1.29.1. gnome-keyring
  • 3.4.1.29.2. KDE Connect
  • 3.4.1.29.3. Mako
  • -
  • 3.4.1.29.4. SwayOSD
  • +
  • 3.4.1.29.4. SwayOSD
  • 3.4.1.29.5. yubikey-touch-detector
  • @@ -531,7 +532,7 @@ @@ -709,7 +710,7 @@ @@ -718,7 +719,7 @@

    -This file has 66327 words spanning 17467 lines and was last revised on 2025-06-11 21:36:46 +0200. +This file has 66782 words spanning 17613 lines and was last revised on 2025-06-13 02:34:40 +0200.

    @@ -771,7 +772,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-11 21:36:46 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-13 02:34:40 +0200)

    
@@ -981,74 +982,75 @@ In outputs = inputs@ [...], the inputs@ makes it so th in { - inherit lib; + inherit lib; - # nixosModules = import ./modules/nixos { inherit lib; }; - # homeModules = import ./modules/home { inherit lib; }; - packages = lib.swarselsystems.forEachSystem (pkgs: import ./pkgs { inherit lib pkgs; }); - formatter = lib.swarselsystems.forEachSystem (pkgs: pkgs.nixpkgs-fmt); - overlays = import ./overlays { inherit self lib inputs; }; + # nixosModules = import ./modules/nixos { inherit lib; }; + # homeModules = import ./modules/home { inherit lib; }; + packages = lib.swarselsystems.forEachSystem (pkgs: import ./pkgs { inherit lib pkgs; }); + formatter = lib.swarselsystems.forEachSystem (pkgs: pkgs.nixpkgs-fmt); + overlays = import ./overlays { inherit self lib inputs; }; - apps = lib.swarselsystems.forAllSystems (system: - let - appNames = [ - "swarsel-bootstrap" - "swarsel-install" - "swarsel-rebuild" - "swarsel-postinstall" + apps = lib.swarselsystems.forAllSystems (system: + let + appNames = [ + "swarsel-bootstrap" + "swarsel-install" + "swarsel-rebuild" + "swarsel-postinstall" + ]; + appSet = lib.swarselsystems.mkApps system appNames self; + in + + appSet // { + default = appSet.swarsel-bootstrap; + } + ); + + devShells = lib.swarselsystems.forAllSystems (system: + let + pkgs = lib.swarselsystems.pkgsFor.${system}; + checks = self.checks.${system}; + in + { + default = pkgs.mkShell { + # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { + # buildInputs = [pkgs.nixVersions.latest pkgs.boost]; + # patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ]; + # })}/lib/nix/plugins + NIX_CONFIG = '' + plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + ''; + inherit (checks.pre-commit-check) shellHook; + + buildInputs = checks.pre-commit-check.enabledPackages; + nativeBuildInputs = [ + (builtins.trace "alarm: we pinned nix_2_24 because of 
https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions. + # pkgs.nix + pkgs.home-manager + pkgs.git + pkgs.just + pkgs.age + pkgs.ssh-to-age + pkgs.sops + pkgs.statix + pkgs.deadnix + pkgs.nixpkgs-fmt ]; - appSet = lib.swarselsystems.mkApps system appNames self; - in + }; + } + ); - appSet // { - default = appSet.swarsel-bootstrap; - } - ); + templates = import ./templates { inherit lib; }; - devShells = lib.swarselsystems.forAllSystems (system: - let - pkgs = lib.swarselsystems.pkgsFor.${system}; - checks = self.checks.${system}; - in - { - default = pkgs.mkShell { - NIX_CONFIG = '' - plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { - buildInputs = [pkgs.nixVersions.latest pkgs.boost]; - patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ]; - })}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - ''; - inherit (checks.pre-commit-check) shellHook; + checks = lib.swarselsystems.forAllSystems (system: + let + pkgs = lib.swarselsystems.pkgsFor.${system}; + in + import ./checks { inherit self inputs system pkgs; } + ); - buildInputs = checks.pre-commit-check.enabledPackages; - nativeBuildInputs = [ - # (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions. 
- pkgs.nix - pkgs.home-manager - pkgs.git - pkgs.just - pkgs.age - pkgs.ssh-to-age - pkgs.sops - pkgs.statix - pkgs.deadnix - pkgs.nixpkgs-fmt - ]; - }; - } - ); - - templates = import ./templates { inherit lib; }; - - checks = lib.swarselsystems.forAllSystems (system: - let - pkgs = lib.swarselsystems.pkgsFor.${system}; - in - import ./checks { inherit self inputs system pkgs; } - ); - - diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix; + diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix; nixosConfigurations = lib.swarselsystems.mkFullHostConfigs (lib.swarselsystems.readHosts "nixos") "nixos"; @@ -1289,74 +1291,75 @@ They are defined in Overlays (
    -
      inherit lib;
    +
    inherit lib;
     
    -  # nixosModules = import ./modules/nixos { inherit lib; };
    -  # homeModules = import ./modules/home { inherit lib; };
    -  packages = lib.swarselsystems.forEachSystem (pkgs: import ./pkgs { inherit lib pkgs; });
    -  formatter = lib.swarselsystems.forEachSystem (pkgs: pkgs.nixpkgs-fmt);
    -  overlays = import ./overlays { inherit self lib inputs; };
    +# nixosModules = import ./modules/nixos { inherit lib; };
    +# homeModules = import ./modules/home { inherit lib; };
    +packages = lib.swarselsystems.forEachSystem (pkgs: import ./pkgs { inherit lib pkgs; });
    +formatter = lib.swarselsystems.forEachSystem (pkgs: pkgs.nixpkgs-fmt);
    +overlays = import ./overlays { inherit self lib inputs; };
     
    -  apps = lib.swarselsystems.forAllSystems (system:
    -    let
    -      appNames = [
    -        "swarsel-bootstrap"
    -        "swarsel-install"
    -        "swarsel-rebuild"
    -        "swarsel-postinstall"
    +apps = lib.swarselsystems.forAllSystems (system:
    +  let
    +    appNames = [
    +      "swarsel-bootstrap"
    +      "swarsel-install"
    +      "swarsel-rebuild"
    +      "swarsel-postinstall"
    +    ];
    +    appSet = lib.swarselsystems.mkApps system appNames self;
    +  in
    +
    +  appSet // {
    +    default = appSet.swarsel-bootstrap;
    +  }
    +);
    +
    +devShells = lib.swarselsystems.forAllSystems (system:
    +  let
    +    pkgs = lib.swarselsystems.pkgsFor.${system};
    +    checks = self.checks.${system};
    +  in
    +  {
    +    default = pkgs.mkShell {
    +        # plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    +        #   buildInputs = [pkgs.nixVersions.latest pkgs.boost];
    +        #   patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
    +        # })}/lib/nix/plugins
    +      NIX_CONFIG = ''
    +        plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
    +        extra-builtins-file = ${self + /nix/extra-builtins.nix}
    +      '';
    +      inherit (checks.pre-commit-check) shellHook;
    +
    +      buildInputs = checks.pre-commit-check.enabledPackages;
    +      nativeBuildInputs = [
    +        (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
    +        # pkgs.nix
    +        pkgs.home-manager
    +        pkgs.git
    +        pkgs.just
    +        pkgs.age
    +        pkgs.ssh-to-age
    +        pkgs.sops
    +        pkgs.statix
    +        pkgs.deadnix
    +        pkgs.nixpkgs-fmt
           ];
    -      appSet = lib.swarselsystems.mkApps system appNames self;
    -    in
    +    };
    +  }
    +);
     
    -    appSet // {
    -      default = appSet.swarsel-bootstrap;
    -    }
    -  );
    +templates = import ./templates { inherit lib; };
     
    -  devShells = lib.swarselsystems.forAllSystems (system:
    -    let
    -      pkgs = lib.swarselsystems.pkgsFor.${system};
    -      checks = self.checks.${system};
    -    in
    -    {
    -      default = pkgs.mkShell {
    -        NIX_CONFIG = ''
    -          plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
    -            buildInputs = [pkgs.nixVersions.latest pkgs.boost];
    -            patches = (o.patches or []) ++ [ "${self}/nix/nix-plugins.patch" ];
    -          })}/lib/nix/plugins
    -          extra-builtins-file = ${self + /nix/extra-builtins.nix}
    -        '';
    -        inherit (checks.pre-commit-check) shellHook;
    +checks = lib.swarselsystems.forAllSystems (system:
    +  let
    +    pkgs = lib.swarselsystems.pkgsFor.${system};
    +  in
    +  import ./checks { inherit self inputs system pkgs; }
    +);
     
    -        buildInputs = checks.pre-commit-check.enabledPackages;
    -        nativeBuildInputs = [
    -# (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
    -          pkgs.nix
    -          pkgs.home-manager
    -          pkgs.git
    -          pkgs.just
    -          pkgs.age
    -          pkgs.ssh-to-age
    -          pkgs.sops
    -          pkgs.statix
    -          pkgs.deadnix
    -          pkgs.nixpkgs-fmt
    -        ];
    -      };
    -    }
    -  );
    -
    -  templates = import ./templates { inherit lib; };
    -
    -  checks = lib.swarselsystems.forAllSystems (system:
    -    let
    -      pkgs = lib.swarselsystems.pkgsFor.${system};
    -    in
    -    import ./checks { inherit self inputs system pkgs; }
    -  );
    -
    -  diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix;
    +diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix;
     
    @@ -2269,7 +2272,7 @@ All of these are processes that use little cpu but can take a lot of storage. Fo
    -
    { lib, primaryUser, ... }:
    +
    { lib, config, primaryUser, ... }:
     let
       sharedOptions = {
         isBtrfs = false;
    @@ -2321,6 +2324,8 @@ in
     
       system.stateVersion = "23.11";
     
    +
    +  node.secretsDir = ./secrets;
       services = {
         nginx = {
           virtualHosts = {
    @@ -2903,8 +2908,8 @@ This is just a demo host. It applies all the configuration found in the common p
     I also set the WLR_RENDERER_ALLOW_SOFTWARE=1 to allow this configuration to run in a virtualized environment. I also enable qemuGuest for a smoother experience when testing on QEMU.
     

    -
    -
    3.1.4.4.1. Main configuration
    +
    +
    3.1.4.4.1. Main configuration
    { self, inputs, config, pkgs, lib, primaryUser, ... }:
    @@ -2983,8 +2988,8 @@ in
     
    -
    -
    3.1.4.4.2. NixOS dummy options configuration
    +
    +
    3.1.4.4.2. NixOS dummy options configuration
    _:
    @@ -2994,8 +2999,8 @@ in
     
    -
    -
    3.1.4.4.3. home-manager dummy options configuration
    +
    +
    3.1.4.4.3. home-manager dummy options configuration
    _:
    @@ -4776,8 +4781,8 @@ appimageTools.wrapType2 {
     
    -
    -
    3.2.1.30. swarsel-deploy
    +
    +
    3.2.1.30. swarsel-deploy
    # heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
    @@ -4908,8 +4913,8 @@ writeShellApplication {
     
    -
    -
    3.2.1.31. sshrm
    +
    +
    3.2.1.31. sshrm

    This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually. @@ -5066,8 +5071,8 @@ in

    -
    -
    3.2.3.1.1. Personal
    +
    +
    3.2.3.1.1. Personal
    { lib, config, ... }:
    @@ -5137,8 +5142,8 @@ in
     
    -
    -
    3.2.3.1.2. Chaostheatre
    +
    +
    3.2.3.1.2. Chaostheatre
    { lib, config, ... }:
    @@ -5200,8 +5205,8 @@ in
     
    -
    -
    3.2.3.1.3. toto
    +
    +
    3.2.3.1.3. toto
    { lib, config, ... }:
    @@ -5233,8 +5238,8 @@ in
     
    -
    -
    3.2.3.1.4. Work
    +
    +
    3.2.3.1.4. Work
    { lib, config, ... }:
    @@ -5255,8 +5260,8 @@ in
     
    -
    -
    3.2.3.1.5. Framework
    +
    +
    3.2.3.1.5. Framework
    { lib, config, ... }:
    @@ -5277,8 +5282,8 @@ in
     
    -
    -
    3.2.3.1.6. AMD CPU
    +
    +
    3.2.3.1.6. AMD CPU
    { lib, config, ... }:
    @@ -5299,8 +5304,8 @@ in
     
    -
    -
    3.2.3.1.7. AMD GPU
    +
    +
    3.2.3.1.7. AMD GPU
    { lib, config, ... }:
    @@ -5321,8 +5326,8 @@ in
     
    -
    -
    3.2.3.1.8. Hibernation
    +
    +
    3.2.3.1.8. Hibernation
    { lib, config, ... }:
    @@ -5343,8 +5348,8 @@ in
     
    -
    -
    3.2.3.1.9. BTRFS
    +
    +
    3.2.3.1.9. BTRFS
    { lib, config, ... }:
    @@ -5365,8 +5370,8 @@ in
     
    -
    -
    3.2.3.1.10. Local Server
    +
    +
    3.2.3.1.10. Local Server
    { lib, config, ... }:
    @@ -5407,6 +5412,7 @@ in
               freshrss = lib.mkDefault true;
               jenkins = lib.mkDefault false;
               kanidm = lib.mkDefault true;
    +          firefly = lib.mkDefault true;
             };
           };
         };
    @@ -5418,8 +5424,8 @@ in
     
    -
    -
    3.2.3.1.11. OCI Sync Server
    +
    +
    3.2.3.1.11. OCI Sync Server
    { lib, config, ... }:
    @@ -5430,7 +5436,7 @@ in
           modules = {
             general = lib.mkDefault true;
             nix-ld = lib.mkDefault true;
    -      pii = lib.mkDefault true;
    +        pii = lib.mkDefault true;
             home-manager = lib.mkDefault true;
             home-managerExtra = lib.mkDefault true;
             xserver = lib.mkDefault true;
    @@ -5475,8 +5481,8 @@ in
     
    -
    -
    3.2.3.2.1. Personal
    +
    +
    3.2.3.2.1. Personal
    { lib, config, ... }:
    @@ -5533,8 +5539,8 @@ in
     
    -
    -
    3.2.3.2.2. Chaostheatre
    +
    +
    3.2.3.2.2. Chaostheatre
    { lib, config, ... }:
    @@ -5586,8 +5592,8 @@ in
     
    -
    -
    3.2.3.2.3. toto
    +
    +
    3.2.3.2.3. toto
    { lib, config, ... }:
    @@ -5607,8 +5613,8 @@ in
     
    -
    -
    3.2.3.2.4. Work
    +
    +
    3.2.3.2.4. Work
    { lib, config, ... }:
    @@ -5628,8 +5634,8 @@ in
     
    -
    -
    3.2.3.2.5. Framework
    +
    +
    3.2.3.2.5. Framework
    { lib, config, ... }:
    @@ -5650,8 +5656,8 @@ in
     
    -
    -
    3.2.3.2.6. Darwin
    +
    +
    3.2.3.2.6. Darwin
    { lib, config, ... }:
    @@ -5669,8 +5675,8 @@ in
     
    -
    -
    3.2.3.2.7. Local Server
    +
    +
    3.2.3.2.7. Local Server
    { lib, config, ... }:
    @@ -5749,6 +5755,15 @@ in
         }
       );
     
    +  # mkUser = name: {
    +  #   config.users.users.${name} = {
    +  #     group = name;
    +  #     isSystemUser = true;
    +  #   };
    +
    +  #   config.users.groups.${name} = {};
    +  # };
    +
       mkTrueOption = lib.mkOption {
         type = lib.types.bool;
         default = true;
    @@ -5901,12 +5916,12 @@ in
     
    -
    -

    3.2.5. Auxiliary files

    +
    +

    3.2.5. Auxiliary files

    -
    -
    3.2.5.1. extra-builtins
    +
    +
    3.2.5.1. extra-builtins
    @@ -5941,8 +5956,8 @@ in
     
    -
    -
    3.2.5.2. sops-decrypt-and-cache
    +
    +
    3.2.5.2. sops-decrypt-and-cache
    #!/usr/bin/env bash
    @@ -6040,29 +6055,30 @@ I usually use mutableUsers = false in my NixOS configuration. Howev
     
    { lib, ... }:
     {
    -  options.swarselsystems = {
    -    withHomeManager = lib.mkOption {
    -      type = lib.types.bool;
    -      default = true;
    -    };
    -    isSwap = lib.mkOption {
    -      type = lib.types.bool;
    -      default = true;
    -    };
    -    swapSize = lib.mkOption {
    -      type = lib.types.str;
    -      default = "8G";
    -    };
    -    rootDisk = lib.mkOption {
    -      type = lib.types.str;
    -      default = "";
    -    };
    -    isCrypted = lib.mkEnableOption "uses full disk encryption";
    -    initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
    -
    -    isImpermanence = lib.mkEnableOption "use impermanence on this system";
    -    isSecureBoot = lib.mkEnableOption "use secure boot on this system";
    +  options = {
    +    swarselsystems = {
    +      withHomeManager = lib.mkOption {
    +        type = lib.types.bool;
    +        default = true;
    +      };
    +      isSwap = lib.mkOption {
    +        type = lib.types.bool;
    +        default = true;
    +      };
    +      swapSize = lib.mkOption {
    +        type = lib.types.str;
    +        default = "8G";
    +      };
    +      rootDisk = lib.mkOption {
    +        type = lib.types.str;
    +        default = "";
    +      };
    +      isCrypted = lib.mkEnableOption "uses full disk encryption";
    +      initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
     
    +      isImpermanence = lib.mkEnableOption "use impermanence on this system";
    +      isSecureBoot = lib.mkEnableOption "use secure boot on this system";
    +    };
         globals = lib.mkOption {
           default = { };
           type = lib.types.submodule {
    @@ -6086,10 +6102,15 @@ I usually use mutableUsers = false in my NixOS configuration. Howev
                   description = "My main domain.";
                 };
               };
    -
             };
           };
         };
    +    # _globalsDefs = lib.mkOption {
    +    #   type = lib.types.unspecified;
    +    #   default = options.globals.definitions;
    +    #   readOnly = true;
    +    #   internal = true;
    +    # };
       };
     }
     
    @@ -6915,8 +6936,8 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
    -
    -
    3.3.1.17. Meta options
    +
    +
    3.3.1.17. Meta options
    { lib, ... }:
    @@ -7004,8 +7025,8 @@ in
     
    -
    -
    3.3.1.19. PII management
    +
    +
    3.3.1.19. PII management
    { config, inputs, lib, ... }:
    @@ -7397,8 +7418,8 @@ Most of the time I am using power-saver, however, it is good to be
     
    -
    -
    3.3.1.22.6. SwayOSD
    +
    +
    3.3.1.22.6. SwayOSD
    { lib, pkgs, config, ... }:
    @@ -9247,11 +9268,15 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of 
     
           gotenberg = {
             enable = true;
    +        package = pkgs.stable.gotenberg;
             port = 3002;
             bindIP = "127.0.0.1";
    +        timeout = "600s";
    +        chromium.package = pkgs.stable.chromium;
           };
         };
     
    +
         # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
         systemd.services.paperless-web.script = lib.mkBefore ''
           oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
    @@ -10230,8 +10255,8 @@ in
     
    -
    -
    3.3.2.27. IDM (kanidm + oauth2-proxy)
    +
    +
    3.3.2.27. IDM (kanidm + oauth2-proxy)

    The forgejo configuration is a little broken and will show a 500 error when signing in through kanidm. However, when pressing back and refreshing the page, I am logged in. Currently I cannot be bothered to fix this. @@ -10331,6 +10356,7 @@ in "nextcloud.admins" = { }; "navidrome.access" = { }; "freshrss.access" = { }; + "firefly.access" = { }; }; persons = { swarsel = { @@ -10345,6 +10371,7 @@ in "nextcloud.access" "freshrss.access" "navidrome.access" + "firefly.access" ]; displayName = "Swarsel"; }; @@ -10457,21 +10484,31 @@ in originUrl = "https://${oauth2ProxyDomain}/oauth2/callback"; originLanding = "https://${oauth2ProxyDomain}/"; basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path; - scopeMaps."freshrss.access" = [ - "openid" - "email" - "profile" - ]; - scopeMaps."navidrome.access" = [ - "openid" - "email" - "profile" - ]; + scopeMaps = { + "freshrss.access" = [ + "openid" + "email" + "profile" + ]; + "navidrome.access" = [ + "openid" + "email" + "profile" + ]; + "firefly.access" = [ + "openid" + "email" + "profile" + ]; + }; preferShortUsername = true; claimMaps.groups = { joinType = "array"; - valuesByGroup."freshrss.access" = [ "ttrss_access" ]; - valuesByGroup."navidrome.access" = [ "navidrome_access" ]; + valuesByGroup = { + "freshrss.access" = [ "ttrss_access" ]; + "navidrome.access" = [ "navidrome_access" ]; + "firefly.access" = [ "firefly_access" ]; + }; }; }; }; @@ -10576,6 +10613,120 @@ in
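Review bot: Adding `"firefly.access"` to `scopeMaps` of the shared oauth2-proxy client in `@@ -10457,21 +10484,31 @@` lets members of that group obtain `openid` from this client, and because the nginx `auth_request /oauth2/auth` gate in front of tt-rss (and, in the following hunk, Firefly) only checks that oauth2-proxy authenticated the user, a `firefly.access` member will pass the gate for every application behind that client unless each application enforces its own group claim. The `firefly_access` value added under `claimMaps.groups.valuesByGroup` is the hook for that, but the Firefly module in the next hunk keeps `AUTHENTICATION_GUARD = "remote_user_guard"` commented out, so nothing visible consumes it. Worth a comment next to `valuesByGroup` such as `# NOTE: the oauth2-proxy gate is per-client, not per-app; each app must check its own *_access group claim`, or separate oauth2-proxy clients per application if cross-app access is not intended. The enclosing `oauth2-proxy` client block starts outside the hunk.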

    +
    +
    3.3.2.28. Firefly-III
    +
    +
    +
    { lib, config, ... }:
    +let
    +  cfg = config.services.firefly-iii;
    +  fireflyDomain = "stonks.swarsel.win";
    +  fireflyUser = "firefly-iii";
    +in
    +{
    +  options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
    +  config = lib.mkIf config.swarselsystems.modules.server.firefly {
    +
    +    users.users.firefly-iii = {
    +      group = "nginx";
    +      isSystemUser = true;
    +    };
    +
    +    sops = {
    +      secrets = {
    +        "firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; };
    +      };
    +    };
    +
    +    services = {
    +      firefly-iii = {
    +        enable = true;
    +        user = fireflyUser;
    +        group = if cfg.enableNginx then "nginx" else fireflyUser;
    +        dataDir = "/Vault/data/firefly-iii";
    +        settings = {
    +          TZ = config.repo.secrets.common.location.timezone;
    +          APP_URL = "https://${fireflyDomain}";
    +          APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
    +          APP_ENV = "local";
    +          DB_CONNECTION = "sqlite";
    +          # AUTHENTICATION_GUARD = "remote_user_guard";
    +          # AUTHENTICATION_GUARD_HEADER = "X-User";
    +          # AUTHENTICATION_GUARD_EMAIL = "X-Email";
    +        };
    +        enableNginx = true;
    +        virtualHost = fireflyDomain;
    +      };
    +
    +      nginx = {
    +        virtualHosts = {
    +          "${fireflyDomain}" = {
    +            enableACME = true;
    +            forceSSL = true;
    +            acmeRoot = null;
    +            # main config is automatically added by nixos firefly config.
    +            # hence, only provide certificate
    +            locations = {
    +              "/" = {
    +                extraConfig = ''
    +                  auth_request /oauth2/auth;
    +                  error_page 401 = /oauth2/sign_in;
    +
    +                  # pass information via X-User and X-Email headers to backend,
    +                  # requires running with --set-xauthrequest flag (done by NixOS)
    +                  auth_request_set $user   $upstream_http_x_auth_request_user;
    +                  auth_request_set $email  $upstream_http_x_auth_request_email;
    +                  proxy_set_header X-User  $user;
    +                  proxy_set_header X-Email $email;
    +
    +                  # if you enabled --pass-access-token, this will pass the token to the backend
    +                  auth_request_set $token  $upstream_http_x_auth_request_access_token;
    +                  proxy_set_header X-Access-Token $token;
    +
    +                  # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    +                  auth_request_set $auth_cookie $upstream_http_set_cookie;
    +                  add_header Set-Cookie $auth_cookie;
    +                '';
    +              };
    +              "/oauth2/" = {
    +                proxyPass = "http://oauth2-proxy";
    +                extraConfig = ''
    +
    +                  proxy_set_header X-Scheme                $scheme;
    +                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
    +                '';
    +              };
    +              "= /oauth2/auth" = {
    +                proxyPass = "http://oauth2-proxy/oauth2/auth";
    +                extraConfig = ''
    +                  internal;
    +
    +                  proxy_set_header X-Scheme         $scheme;
    +                  # nginx auth_request includes headers but not body
    +                  proxy_set_header Content-Length   "";
    +                  proxy_pass_request_body           off;
    +                '';
    +              };
    +              "/api" = {
    +                extraConfig = ''
    +                  index index.php;
    +                  try_files $uri $uri/ /index.php?$query_string;
    +                  add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
    +                  proxy_set_header X-User  "";
    +                  proxy_set_header X-Email "";
    +                '';
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +  };
    +}
    +
    +
    +
    +

    3.3.3. Darwin

    @@ -10788,8 +10939,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
    -
    -
    3.3.4.6. Framework
    +
    +
    3.3.4.6. Framework

    This holds configuration that is specific to framework laptops. @@ -10827,8 +10978,8 @@ This holds configuration that is specific to framework laptops.

    -
    -
    3.3.4.7. AMD CPU
    +
    +
    3.3.4.7. AMD CPU
    { lib, config, ... }:
    @@ -10844,8 +10995,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.8. AMD GPU
    +
    +
    3.3.4.8. AMD GPU
    { lib, config, ... }:
    @@ -10867,8 +11018,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.9. Hibernation
    +
    +
    3.3.4.9. Hibernation
    { lib, config, ... }:
    @@ -10899,8 +11050,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.10. BTRFS
    +
    +
    3.3.4.10. BTRFS
    { lib, config, ... }:
    @@ -13838,8 +13989,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    -
    3.4.1.29.4. SwayOSD
    +
    +
    3.4.1.29.4. SwayOSD
    { lib, config, ... }:
    @@ -15085,8 +15236,8 @@ in
     
    -
    -
    3.4.4.3. Framework
    +
    +
    3.4.4.3. Framework

    This holds configuration that is specific to framework laptops. @@ -18926,8 +19077,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore

    -
    -

    6.3. tridactyl theme

    +
    +

    6.3. tridactyl theme

    @@ -19424,7 +19575,7 @@ sync USER HOST:
     

    Author: Leon Schwarzäugl

    -

    Created: 2025-06-11 Mi 21:36

    +

    Created: 2025-06-13 Fr 02:34

    Validate

    diff --git a/lib/default.nix b/lib/default.nix index b3a6b25..740bcdf 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -26,6 +26,15 @@ in } ); + # mkUser = name: { + # config.users.users.${name} = { + # group = name; + # isSystemUser = true; + # }; + + # config.users.groups.${name} = {}; + # }; + mkTrueOption = lib.mkOption { type = lib.types.bool; default = true; diff --git a/modules/nixos/common/sharedsetup.nix b/modules/nixos/common/sharedsetup.nix index 3ceb19e..f253d23 100644 --- a/modules/nixos/common/sharedsetup.nix +++ b/modules/nixos/common/sharedsetup.nix @@ -1,28 +1,29 @@ { lib, ... }: { - options.swarselsystems = { - withHomeManager = lib.mkOption { - type = lib.types.bool; - default = true; - }; - isSwap = lib.mkOption { - type = lib.types.bool; - default = true; - }; - swapSize = lib.mkOption { - type = lib.types.str; - default = "8G"; - }; - rootDisk = lib.mkOption { - type = lib.types.str; - default = ""; - }; - isCrypted = lib.mkEnableOption "uses full disk encryption"; - initialSetup = lib.mkEnableOption "initial setup (no sops keys available)"; - - isImpermanence = lib.mkEnableOption "use impermanence on this system"; - isSecureBoot = lib.mkEnableOption "use secure boot on this system"; + options = { + swarselsystems = { + withHomeManager = lib.mkOption { + type = lib.types.bool; + default = true; + }; + isSwap = lib.mkOption { + type = lib.types.bool; + default = true; + }; + swapSize = lib.mkOption { + type = lib.types.str; + default = "8G"; + }; + rootDisk = lib.mkOption { + type = lib.types.str; + default = ""; + }; + isCrypted = lib.mkEnableOption "uses full disk encryption"; + initialSetup = lib.mkEnableOption "initial setup (no sops keys available)"; + isImpermanence = lib.mkEnableOption "use impermanence on this system"; + isSecureBoot = lib.mkEnableOption "use secure boot on this system"; + }; globals = lib.mkOption { default = { }; type = lib.types.submodule { 
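Review bot: The `mkUser` helper added to lib/default.nix is committed entirely as commented-out code, and the sharedsetup.nix hunk that follows adds a commented-out `_globalsDefs` option the same way. Dead code in a shared library file drifts from the real option structure and gives the next reader no way to tell whether it is planned or abandoned; either leave it out of the commit or replace it with a one-line marker such as `# TODO(mkUser): helper not wired up yet — remove if unused`. If the helper is meant to replace inline `users.users.<name>` blocks in the server modules, the same note should say so.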
@@ -46,9 +47,14 @@ description = "My main domain."; }; }; - }; }; }; + # _globalsDefs = lib.mkOption { + # type = lib.types.unspecified; + # default = options.globals.definitions; + # readOnly = true; + # internal = true; + # }; }; } diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix new file mode 100644 index 0000000..edaaa13 --- /dev/null +++ b/modules/nixos/server/firefly-iii.nix 
@@ -0,0 +1,106 @@ +{ lib, config, ... }: +let + cfg = config.services.firefly-iii; + fireflyDomain = "stonks.swarsel.win"; + fireflyUser = "firefly-iii"; +in +{ + options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server"; + config = lib.mkIf config.swarselsystems.modules.server.firefly { + + users.users.firefly-iii = { + group = "nginx"; + isSystemUser = true; + }; + + sops = { + secrets = { + "firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; }; + }; + }; + + services = { + firefly-iii = { + enable = true; + user = fireflyUser; + group = if cfg.enableNginx then "nginx" else fireflyUser; + dataDir = "/Vault/data/firefly-iii"; + settings = { + TZ = config.repo.secrets.common.location.timezone; + APP_URL = "https://${fireflyDomain}"; + APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path; + APP_ENV = "local"; + DB_CONNECTION = "sqlite"; + # AUTHENTICATION_GUARD = "remote_user_guard"; + # AUTHENTICATION_GUARD_HEADER = "X-User"; + # AUTHENTICATION_GUARD_EMAIL = "X-Email"; + }; + enableNginx = true; + virtualHost = fireflyDomain; + }; + + nginx = { + virtualHosts = { + "${fireflyDomain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + # main config is automatically added by nixos firefly config. 
+ # hence, only provide certificate + locations = { + "/" = { + extraConfig = '' + auth_request /oauth2/auth; + error_page 401 = /oauth2/sign_in; + + # pass information via X-User and X-Email headers to backend, + # requires running with --set-xauthrequest flag (done by NixOS) + auth_request_set $user $upstream_http_x_auth_request_user; + auth_request_set $email $upstream_http_x_auth_request_email; + proxy_set_header X-User $user; + proxy_set_header X-Email $email; + + # if you enabled --pass-access-token, this will pass the token to the backend + auth_request_set $token $upstream_http_x_auth_request_access_token; + proxy_set_header X-Access-Token $token; + + # if you enabled --cookie-refresh, this is needed for it to work with auth_request + auth_request_set $auth_cookie $upstream_http_set_cookie; + add_header Set-Cookie $auth_cookie; + ''; + }; + "/oauth2/" = { + proxyPass = "http://oauth2-proxy"; + extraConfig = '' + + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; + ''; + }; + "= /oauth2/auth" = { + proxyPass = "http://oauth2-proxy/oauth2/auth"; + extraConfig = '' + internal; + + proxy_set_header X-Scheme $scheme; + # nginx auth_request includes headers but not body + proxy_set_header Content-Length ""; + proxy_pass_request_body off; + ''; + }; + "/api" = { + extraConfig = '' + index index.php; + try_files $uri $uri/ /index.php?$query_string; + add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS'; + proxy_set_header X-User ""; + proxy_set_header X-Email ""; + ''; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 4926573..f0da1dd 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix @@ -82,6 +82,7 @@ in "nextcloud.admins" = { }; "navidrome.access" = { }; "freshrss.access" = { }; + "firefly.access" = { }; }; persons = { swarsel = { 
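Review bot: The oauth2-proxy gate is attached only to `location /`, so any request nginx routes to another location never runs `auth_request`; the comment in the vhost says the NixOS firefly-iii module adds the main config itself, and if that generated config contains the usual `~ \.php$` fastcgi location, a direct request for `/index.php/...` would be served there without ever passing through oauth2-proxy. Today that only exposes Firefly's own login screen, because `AUTHENTICATION_GUARD = "remote_user_guard"` is still commented out, but once that guard is enabled an ungated path would also accept a client-supplied `X-User` header, so the gate belongs at the server level with `auth_request off;` in the three locations that must stay open (`/oauth2/`, `= /oauth2/auth`, `/api`); the identical block in the SwarselSystems.org hunk above needs the same change. Note also that `proxy_set_header` only affects `proxy_pass` upstreams, so if the module serves Firefly through php-fpm over fastcgi the `X-User`/`X-Email` values are neither set nor cleared for PHP and the relevant directive would be `fastcgi_param HTTP_X_USER $user;` (resp. `""` in `/api`) — worth confirming before the guard is switched on. Separately, `users.users.firefly-iii` hard-codes the name that `fireflyUser` already binds and fixes `group = "nginx"` while `services.firefly-iii.group` is conditional on `cfg.enableNginx`; write it as `users.users.${fireflyUser}` with the same conditional, and check whether the module already creates this user.
```nix
"${fireflyDomain}" = {
  enableACME = true;
  forceSSL = true;
  acmeRoot = null;
  # Gate every location of this vhost, including any the firefly-iii
  # module generates; locations that must stay reachable opt out below.
  extraConfig = ''
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;
  '';
  locations = {
    "/" = {
      extraConfig = ''
        # … unchanged: auth_request_set / proxy_set_header lines …
      '';
    };
    "/oauth2/" = {
      proxyPass = "http://oauth2-proxy";
      extraConfig = ''
        auth_request off;
        # … unchanged: X-Scheme / X-Auth-Request-Redirect …
      '';
    };
    "= /oauth2/auth" = {
      proxyPass = "http://oauth2-proxy/oauth2/auth";
      extraConfig = ''
        auth_request off;
        internal;
        # … unchanged: X-Scheme / Content-Length / proxy_pass_request_body …
      '';
    };
    "/api" = {
      extraConfig = ''
        auth_request off;
        # … unchanged: index / try_files / CORS / header clearing …
      '';
    };
  };
};
```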
@@ -96,6 +97,7 @@ in "nextcloud.access" "freshrss.access" "navidrome.access" + "firefly.access" ]; displayName = "Swarsel"; }; @@ -208,21 +210,31 @@ in originUrl = "https://${oauth2ProxyDomain}/oauth2/callback"; originLanding = "https://${oauth2ProxyDomain}/"; basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path; - scopeMaps."freshrss.access" = [ - "openid" - "email" - "profile" - ]; - scopeMaps."navidrome.access" = [ - "openid" - "email" - "profile" - ]; + scopeMaps = { + "freshrss.access" = [ + "openid" + "email" + "profile" + ]; + "navidrome.access" = [ + "openid" + "email" + "profile" + ]; + "firefly.access" = [ + "openid" + "email" + "profile" + ]; + }; preferShortUsername = true; claimMaps.groups = { joinType = "array"; - valuesByGroup."freshrss.access" = [ "ttrss_access" ]; - valuesByGroup."navidrome.access" = [ "navidrome_access" ]; + valuesByGroup = { + "freshrss.access" = [ "ttrss_access" ]; + "navidrome.access" = [ "navidrome_access" ]; + "firefly.access" = [ "firefly_access" ]; + }; }; }; }; diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 72a1cdf..90d6eb0 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -65,11 +65,15 @@ gotenberg = { enable = true; + package = pkgs.stable.gotenberg; port = 3002; bindIP = "127.0.0.1"; + timeout = "600s"; + chromium.package = pkgs.stable.chromium; }; }; + # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS systemd.services.paperless-web.script = lib.mkBefore '' oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path}) diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix index 8bd793c..456b52f 100644 --- a/profiles/nixos/localserver/default.nix +++ b/profiles/nixos/localserver/default.nix @@ -36,6 +36,7 @@ freshrss = lib.mkDefault true; jenkins = lib.mkDefault false; kanidm = lib.mkDefault true; + firefly = lib.mkDefault true; }; }; }; 
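Review bot: In the paperless.nix hunk the new `package = pkgs.stable.gotenberg;` and `chromium.package = pkgs.stable.chromium;` pins carry no explanation, and `timeout = "600s"` is likewise bare; a downgrade to a stable channel is usually a workaround for a regression in the unstable package, and without a note nobody will know when the pin can be dropped. Add a comment above the gotenberg block such as `# pinned to pkgs.stable: <reason or upstream issue placeholder>` and say what workload the 600s timeout is sized for. The enclosing attribute set starts outside the hunk, so I cannot see whether `pkgs` is already in this module's argument list.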
diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc index 49f0016..a6f95c6 100644 --- a/secrets/repo/pii.nix.enc +++ b/secrets/repo/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:PBwZiNQjDguQF/GFegm1oVYHF0lG6fjK0vxBuQN1HFo=,tag:VH2pH+rKgyBSIzGo8py6bw==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:8VSsznbOJyV/ZYCP9hKuAprtjssYTQEjW0Z/P5fgYqw=,tag:Tc/N0KgF9sNHuTXjWKksUw==,type:str]", "sops": { "age": [ { @@ -23,8 +23,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bFIrQjZ5cUFBQUp4dTRW\ndEdaZys0OHE5L3BPaVNic3ZZRDQ5N09SaGdZCllhWnY4T2lLZzVUMlp5VjMvQ2lP\ndGFNSTBqbjNMaUcwbVRaWFVCazU3OEUKLS0tIHBIWUZCYjFDVDgzbUUxMC9TNzdp\naFdiWmV6TGIva0RNUDNHWmdJZGgzNHMKiIzjo6sH/SP12cAXTvXiP0X9EE/A8Qw1\nIfgZfyEHdf/Mxd/iNzlWb2Nb0MLerYYw/qZ/+L5eDpUr4Vl051qOXA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-06-11T12:35:26Z", - "mac": "ENC[AES256_GCM,data:qySqNhw1CPbilUmJPSOsLGG3mbLrvPMXzkzUGIj5l1EBLl//BVfAqvkgc06AhjDexr708CyUU5tiW0JydFBkEcByxDK21JhnZGVTdiTidBUl5lS392bCxdnrWgNCm6BnIznLsF3UpuqStsztOgjRJa2pawC2b5i6VCm4asif2lQ=,iv:M0JEy5+8g2wesVMpfhl0OZOKh4MFnh6RwUm9tteSYJ4=,tag:2zxRZLab6Z5XDsh9MMHSlg==,type:str]", + "lastmodified": "2025-06-12T22:56:18Z", + "mac": "ENC[AES256_GCM,data:KnewBjWIibq08JjmotKuJWJS6zqBWH7akh7a5nI3Sq6ae+QINN8M7ueTjdpbq1PqK9leiubbdECT4F/qHwpwmIKEB2vKY8eSsDsmjSmbtVFdYEv4UaOPEJAGr/8u3t7q97m+Ad2P+tLH/jIDc0BXGXYfQYogSiaHqKqytJK9cQo=,iv:8U6m1+00n1Aip08kO2Q0cdX/TnRy7Bpig7b23H6Plgg=,tag:UPskdkeO/qO7RkninZ4jow==,type:str]", "pgp": [ { "created_at": "2025-06-11T01:05:00Z", diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml index 8ace1fd..94caa53 100644 --- a/secrets/winters/secrets.yaml +++ b/secrets/winters/secrets.yaml 
@@ -63,6 +63,8 @@ kanidm-freshrss: ENC[AES256_GCM,data:4y0X3sSOfs5pKNCmZGJhxlAKH7GD1UACdw==,iv:LuQ #ENC[AES256_GCM,data:8eDo+FQoBEKMTRY2,iv:ZSrV+Z+1S5AoW+jq49LBFzSwd/NJl3aZYHe7oUvGriU=,tag:3cw3hUigrPViQ+XsuMiksg==,type:comment] oauth2-cookie-secret: ENC[AES256_GCM,data:l8BPYA7t9NG9MPFs/LDlFHqwbnwsvie7FM5v613358E+jLf2wD+tipyUb6c=,iv:1kZ6G6Z0cSQS53kc/hygh/1Ke491agWDlYHR9Yq0jT0=,tag:mi7Un2JBnrq1dnP3jZX4ng==,type:str] kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:+mcA/sz3AZuw+I44iIdOEfDmtjEVdxi2fg==,iv:m4NpieUicS7xsR+F5AgPqkcUFRF+CGOA8IK6GeS9tgM=,tag:1wypxpiHPdQBD8Td/PSdMw==,type:str] +#ENC[AES256_GCM,data:Y1BVSKrxqnK/8yk=,iv:Bg8OSExGPV9kwkuDb/69BXMyDnzbr1TAnVZEOxNWljo=,tag:Cq76DQ1g26pFLHwZP3pqYQ==,type:comment] +firefly-iii-app-key: ENC[AES256_GCM,data:hzgl8eRL0irNRP5TO7G1rNtNM7fXCkmbcaX4QoTsM0xA1rgyKwiy6a4lYDjoXZyOMy5p,iv:q5eepIELwIecyQ56A6THUOu+rebK3irKVYb7/gNHlU8=,tag:+M/KTX1JzPzXeK4TRzW42w==,type:str] sops: age: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 @@ -74,8 +76,8 @@ sops: MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-09T19:50:17Z" - mac: ENC[AES256_GCM,data:Cx7bI5HRkVVmZTcs/Q3uPtLZaaGd28ZqUsyPRcqd8yEaRxNN0JU6EcQ2ZjU5Zi9jLRLDiR/PxuWsWcmDWH8vW0UZGh6ao75Cw3UO7QhKZHfM5cHqnleo/RIIl5d/Q0hnS9EQmcEPA3qKLQUIrOa+MAgMCkti50ZuNcZnkywLn54=,iv:QPDj4K22G6Go6RDE5ZGbCntmC+mn/5mMyH6ohyQYNuY=,tag:NJ3mjmo2LRmJRXKrYIJZKg==,type:str] + lastmodified: "2025-06-12T18:54:27Z" + mac: ENC[AES256_GCM,data:5SPDEOz+PBoavltKbVCAAFOexS3In1+jOUdP3V59ssWevKnxX09ALENfwQW4DkL/U4wrryKp9zQ1qmg43SPK2cWrbswsIhzupYE+VvhR3pORiCk/k3GhtE9jnQPD3W7WvNz29rMthgyo5AY/QERfd+YiuMLGmKofoqaWWpKnhRA=,iv:FTDBDKlRgUja5zRIzpO8d6IfCjvmMq1RDRSi3AfmB3A=,tag:zV0boAnx98PxgK1H3jRWOA==,type:str] pgp: - created_at: "2024-12-17T16:24:32Z" enc: |-