diff --git a/flake.lock b/flake.lock index 072bb06..423e50b 100644 --- a/flake.lock +++ b/flake.lock @@ -86,11 +86,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1753035671, - "narHash": "sha256-F1EAebqC+De5rog6rK/jVTetEGrCKHR7q8wQHx3VqAM=", + "lastModified": 1753146705, + "narHash": "sha256-WzmXODUzg8jeEsAhpmp55zk5I2fmv3kv+RofZ/+FYlg=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "57509273a21933c184eb1985efc06381879c09f1", + "rev": "02b3c2a45f6ddbd704f797c5730bc2d161f10ce0", "type": "github" }, "original": { @@ -504,11 +504,11 @@ ] }, "locked": { - "lastModified": 1752783339, - "narHash": "sha256-RXxejsGIWtJ5rJKLAm8Kh159euZHPMi7CtbOoHLsm2c=", + "lastModified": 1753132348, + "narHash": "sha256-0i3jU9AHuNXb0wYGzImnVwaw+miE0yW13qfjC0F+fIE=", "owner": "nix-community", "repo": "home-manager", - "rev": "7c78e592a895f2f1921f0024848fe193e2f8518e", + "rev": "e4bf85da687027cfc4a8853ca11b6b86ce41d732", "type": "github" }, "original": { @@ -524,11 +524,11 @@ ] }, "locked": { - "lastModified": 1753056897, - "narHash": "sha256-AVVMBFcuOXqIgmShvRv9TED3fkiZhQ0ZvlhsPoFfkNE=", + "lastModified": 1753180535, + "narHash": "sha256-KEtlzMs2O7FDvciFtjk9W4hyau013Pj9qZNK9a0PxEc=", "owner": "nix-community", "repo": "home-manager", - "rev": "13a83d1b6545b7f0e8f7689bad62e7a3b1d63771", + "rev": "847711c7ffa9944b0c5c39a8342ac8eb6a9f9abc", "type": "github" }, "original": { @@ -540,11 +540,11 @@ "homebrew-cask": { "flake": false, "locked": { - "lastModified": 1753115487, - "narHash": "sha256-3uZaS9DHqZxfE57aAPDAsepLRU140RV6FYDUREXK47c=", + "lastModified": 1753192390, + "narHash": "sha256-B/MI7F4IliXNY6QEKCmIEsO4A0Qt9jUZXfMfrX9/5hE=", "owner": "homebrew", "repo": "homebrew-cask", - "rev": "3b67ce4096f29acf817bf666b5a4dfc98733ed6b", + "rev": "4f64bf7953d412b473d1f459208c725861646a6d", "type": "github" }, "original": { 
@@ -556,11 +556,11 @@ "homebrew-core": { "flake": false, "locked": { - "lastModified": 1753113580, - "narHash": "sha256-lKbdUt+//YX4bC5OpLTY6dGKb4Z84Gbr2sMB6V6TuRk=", + "lastModified": 1753194897, + "narHash": "sha256-jo7SLfGCgQbLKK9kbHXgLJY8bbzESn1K6Sr2x7EFzKY=", "owner": "homebrew", "repo": "homebrew-core", - "rev": "551941d43131806a6c9332ac1a1d85d28ecc52c9", + "rev": "a427a5a802b98591899d4bda471a7a14ed5ff2fd", "type": "github" }, "original": { @@ -764,11 +764,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1753064291, - "narHash": "sha256-SthlGBO9W1NXCAHBxV5DrWOt3daYXlSR8lAtOaKWCPw=", + "lastModified": 1753150460, + "narHash": "sha256-q2dkvuIfEb5fWBF6TJePJbcP1hqxARAUddfPGVGvD38=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "9648256bb966f178586cb96cc397985c82e514b8", + "rev": "d13827556415f4050b510e9cfb9873c1ce9aaec4", "type": "github" }, "original": { @@ -802,11 +802,11 @@ "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1753029310, - "narHash": "sha256-GqH4hhdpWnaKR2Zl1rYXXdX2acw6pGQH65VCWF3D6Uc=", + "lastModified": 1753175937, + "narHash": "sha256-DtDt87Gld0RCI2qHb7uUb1eWB16FFC4aNDfxZpic/Nw=", "owner": "nix-community", "repo": "nixos-apple-silicon", - "rev": "fe61e1be8f134efe47b290c26e8496a3a03ae8ec", + "rev": "5ddfff8387edf7c92ce36effb06fb2c52624fece", "type": "github" }, "original": { @@ -817,11 +817,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1752666637, - "narHash": "sha256-P8J72psdc/rWliIvp8jUpoQ6qRDlVzgSDDlgkaXQ0Fw=", + "lastModified": 1753122741, + "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d1bfa8f6ccfb5c383e1eba609c1eb67ca24ed153", + "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", "type": "github" }, "original": { 
@@ -942,11 +942,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1752866191, - "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=", + "lastModified": 1753115646, + "narHash": "sha256-yLuz5cz5Z+sn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f01fe91b0108a7aff99c99f2e9abbc45db0adc2a", + "rev": "92c2e04a475523e723c67ef872d8037379073681", "type": "github" }, "original": { @@ -990,11 +990,11 @@ }, "nixpkgs_12": { "locked": { - "lastModified": 1752950548, - "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=", + "lastModified": 1752427638, + "narHash": "sha256-ANNyaXW/cnZLszjXB4LXGxaWZ2cRz7Ar06WjYoawgFo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c87b95e25065c028d31a94f06a62927d18763fdf", + "rev": "b2e5044b3e79793df83d01c9983c054cae5ea6ff", "type": "github" }, "original": { @@ -1298,11 +1298,11 @@ ] }, "locked": { - "lastModified": 1752720268, - "narHash": "sha256-XCiJdtXIN09Iv0i1gs5ajJ9CVHk537Gy1iG/4nIdpVI=", + "lastModified": 1753066249, + "narHash": "sha256-j2UBrfDRIePGx3532Bbb9UeosNX2F73hfOAHtmACfnM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "dc221f842e9ddc8c0416beae8d77f2ea356b91ae", + "rev": "0751b65633a1785743ca44fd7c14a633c54c1f91", "type": "github" }, "original": { diff --git a/modules/nixos/impermanence/default.nix b/modules/nixos/impermanence/default.nix index 9300e92..fe54e7f 100755 --- a/modules/nixos/impermanence/default.nix +++ b/modules/nixos/impermanence/default.nix 
@@ -31,6 +31,34 @@ group = "root"; mode = "u=rwx,g=rx,o=rx"; } + { + directory = "/var/lib/private/authentik/media"; + user = "authentik"; + group = "authentik"; + mode = "u=rwx,g=,o="; + } + { + directory = "/var/lib/private"; + mode = "u=rwx,g=rx,o="; + } + { + directory = "/media/nas"; + user = "nas-apps"; + group = "jallen-nas"; + mode = "u=rwx,g=rx,o=rx"; + } + { + directory = "/var/lib/crowdsec"; + user = "crowdsec"; + group = "crowdsec"; + mode = "u=rwx,g=rwx,o=rx"; + } + { + directory = "/plugins-storage"; + user = "traefik"; + group = "traefik"; + mode = "u=rwx,g=rwx,o=rx"; + } ]; files = [ "/etc/machine-id" diff --git a/systems/x86_64-linux/deck/sops.nix b/systems/x86_64-linux/deck/sops.nix index 775c515..15dafa1 100755 --- a/systems/x86_64-linux/deck/sops.nix +++ b/systems/x86_64-linux/deck/sops.nix @@ -1,6 +1,6 @@ -{ config, ... }: +{ config, lib, namespace, ... }: let - user = "deck"; + user = config.${namespace}.user.name; in { # Permission modes are in octal representation (same as chmod), @@ -18,7 +18,7 @@ in # Either the group id or group name representation of the secret group # It is recommended to get the group name from `config.users.users..group` to avoid misconfiguration sops = { - defaultSopsFile = ../../../secrets/steamdeck-secrets.yaml; + defaultSopsFile = (lib.snowfall.fs.get-file "secrets/steamdeck-secrets.yaml"); age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # ------------------------------ @@ -33,7 +33,7 @@ in }; "wifi" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); }; # ------------------------------ 
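Review bot: The `/var/lib/private` entry sets `mode = "u=rwx,g=rx,o="` with no `user`/`group`, but that directory is systemd's root for `DynamicUser=` state and systemd itself creates it 0700 root:root, so I would keep it at `mode = "u=rwx,g=,o=";` rather than widen it. The `/var/lib/private/authentik/media` entry names `user = "authentik"`; if authentik runs with a dynamic user, that account may not exist when impermanence creates the directory at boot, so confirm a static `users.users.authentik` is declared. `/plugins-storage` is the directory Traefik loads plugin code from, and `g=rwx,o=rx` lets any member of the `traefik` group change what the proxy executes and lets every local user read it; `u=rwx,g=rx,o=` is enough unless another service writes there. The `directories = [` list this hunk extends begins outside the hunk.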
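Review bot: `user = config.${namespace}.user.name;` makes the owner used throughout this file depend on an option that this diff only sets for the nas host (`user.name = "admin"`), not for deck; if the option has no default, evaluation of deck fails, and if its default is anything other than the former literal `deck`, every secret keyed on `user` silently changes owner. I would set `${namespace}.user.name = "deck";` in the deck host config alongside this change, or add a comment above `user` stating that the option must be set per host. How `user` is consumed is outside this hunk.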
@@ -66,37 +66,37 @@ in # Secureboot keys # ------------------------------ "secureboot/GUID" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); # path = "/etc/secureboot/GUID"; mode = "0600"; }; "secureboot/keys/db-key" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); # path = "/etc/secureboot/keys/db/db.key"; mode = "0600"; }; "secureboot/keys/db-pem" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); # path = "/etc/secureboot/keys/db/db.pem"; mode = "0600"; }; "secureboot/keys/KEK-key" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); # path = "/etc/secureboot/keys/KEK/KEK.key"; mode = "0600"; }; "secureboot/keys/KEK-pem" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); # path = "/etc/secureboot/keys/KEK/KEK.pem"; mode = "0600"; }; "secureboot/keys/PK-key" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); # path = "/etc/secureboot/keys/PK/PK.key"; mode = "0600"; }; "secureboot/keys/PK-pem" = { - sopsFile = ../../../secrets/secrets.yaml; + sopsFile = (lib.snowfall.fs.get-file "secrets/secrets.yaml"); # path = "/etc/secureboot/keys/PK/PK.pem"; mode = "0600"; }; diff --git a/systems/x86_64-linux/nas/apps/nextcloud/default.nix b/systems/x86_64-linux/nas/apps/nextcloud/default.nix index b27c783..18affdc 100755 --- a/systems/x86_64-linux/nas/apps/nextcloud/default.nix +++ b/systems/x86_64-linux/nas/apps/nextcloud/default.nix 
@@ -6,14 +6,14 @@ let jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path; nextcloudUserId = config.users.users.nix-apps.uid; nextcloudGroupId = config.users.groups.jallen-nas.gid; - nextcloudPackage = pkgs.stable.nextcloud31; + nextcloudPackage = pkgs.nextcloud31; hostAddress = settings.hostAddress; localAddress = "10.0.2.18"; nextcloudPortExtHttp = 9988; nextcloudPortExtHttps = 9943; onlyofficePortExt = 9943; - systemPackages = with pkgs.stable; [ + systemPackages = with pkgs; [ cudaPackages.cudnn cudatoolkit ffmpeg diff --git a/systems/x86_64-linux/nas/default.nix b/systems/x86_64-linux/nas/default.nix index 3e15fd3..3b916f3 100755 --- a/systems/x86_64-linux/nas/default.nix +++ b/systems/x86_64-linux/nas/default.nix @@ -27,10 +27,6 @@ ./sops.nix ]; - snowfallorg.users.admin.home.config = { - mjallen.sops.enable = true; - }; - powerManagement.cpuFreqGovernor = "powersave"; ${namespace} = { @@ -43,6 +39,9 @@ nvidiaSettings = true; enableNvidiaDocker = true; }; + user = { + name = "admin"; + }; }; security.tpm2 = {
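Review bot: Moving `nextcloudPackage` from `pkgs.stable.nextcloud31` to `pkgs.nextcloud31` is effectively one-way: once this host starts a newer build from the unstable input, the data directory is stamped with that version and Nextcloud refuses to start on an older package, so reverting this line later will not roll the service back. Worth a comment at the definition, e.g. `# unstable on purpose; cannot return to pkgs.stable once the instance has run (Nextcloud forbids downgrades)`. The same hunk moves `cudaPackages.cudnn` and `cudatoolkit` onto the unstable input, so the CUDA toolchain now changes on every flake update rather than only on stable bumps; a line of rationale would help if that is intended. `onlyofficePortExt` and `nextcloudPortExtHttps` are both `9943` in the context lines, presumably a shared TLS port, but a comment saying so would avoid it being read as a typo. The enclosing `let` block starts outside the hunk.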
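Review bot: Removing `snowfallorg.users.admin.home.config = { mjallen.sops.enable = true; };` drops the home-manager sops module for `admin` with no visible replacement in this diff; unless the `${namespace}.user = { name = "admin"; }` option added in the next hunk enables it, admin's user-level secrets stop being deployed and nothing at switch time will say so. If the module does derive this from `user.name`, a one-line comment at the new option would make the coupling discoverable, e.g. `# also drives home-manager sops for this user`. Confirm against the `${namespace}.user` module, which is outside this diff.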