diff --git a/flake.lock b/flake.lock
index 5ffff1e..43c20a6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -55,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1770260404,
- "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
+ "lastModified": 1772985280,
+ "narHash": "sha256-FdrNykOoY9VStevU4zjSUdvsL9SzJTcXt4omdEDZDLk=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
+ "rev": "8f736f007139d7f70752657dff6a401a585d6cbc",
 "type": "github"
 },
 "original": {
@@ -76,11 +76,11 @@
 ]
 },
 "locked": {
- "lastModified": 1767634391,
- "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
+ "lastModified": 1772129556,
+ "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
 "owner": "LnL7",
 "repo": "nix-darwin",
- "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
+ "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
 "type": "github"
 },
 "original": {
@@ -112,11 +112,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1771208521,
- "narHash": "sha256-X01Q3DgSpjeBpapoGA4rzKOn25qdKxbPnxHeMLNoHTU=",
+ "lastModified": 1772822230,
+ "narHash": "sha256-yf3iYLGbGVlIthlQIk5/4/EQDZNNEmuqKZkQssMljuw=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8",
+ "rev": "71caefce12ba78d84fe618cf61644dce01cf3a96",
 "type": "github"
 },
 "original": {
@@ -128,27 +128,27 @@
 },
 "nixpkgs-darwin": {
 "locked": {
- "lastModified": 1771352457,
- "narHash": "sha256-CCItBNMyLmtWqxTVaDAeeaIigbuaiZuN3WO8PZNkGBc=",
+ "lastModified": 1766129819,
+ "narHash": "sha256-crNRwvsbH2XSV8IwBjX6Tm+uWmYwhYyRuNVJ9/ZwlmA=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "f8a68d8ce473ec59300d9fb510a1b545c1290939",
+ "rev": "eedcb27bf99430e51f83d896cd1149b828290d20",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixpkgs-25.11-darwin",
 "repo": "nixpkgs",
+ "rev": "eedcb27bf99430e51f83d896cd1149b828290d20",
 "type": "github"
 }
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1771177547,
- "narHash": "sha256-trTtk3WTOHz7hSw89xIIvahkgoFJYQ0G43IlqprFoMA=",
+ "lastModified": 1772771118,
+ "narHash": "sha256-xWzaTvmmACR/SRWtABgI/Z97lcqwJAeoSd5QW1KdK1s=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "ac055f38c798b0d87695240c7b761b82fc7e5bc2",
+ "rev": "e38213b91d3786389a446dfce4ff5a8aaf6012f2",
 "type": "github"
 },
 "original": {
@@ -166,11 +166,11 @@
 ]
 },
 "locked": {
- "lastModified": 1771425294,
- "narHash": "sha256-owiQE9oINf1cgaulbrr2sMjelk2cmR8rkxLRPYYL6Kg=",
+ "lastModified": 1773029295,
+ "narHash": "sha256-xmHhVHbaA5hR3dCEoGwqAgL6HTTJ0KEMRUTLdJuVtGM=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "242d44cd6af365da2dfa77422263b29d0ac9f39f",
+ "rev": "bf45b24de2134f1488f7a6c135f4b0420ccec6fe",
 "type": "github"
 },
 "original": {
@@ -189,11 +189,11 @@
 ]
 },
 "locked": {
- "lastModified": 1770766818,
- "narHash": "sha256-12RCFLyAedyMOdenUi7cN3ioJPEGjA/ZG1BLjugfUVs=",
+ "lastModified": 1772361940,
+ "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
 "owner": "nix-community",
 "repo": "plasma-manager",
- "rev": "44b928068359b7d2310a34de39555c63c93a2c90",
+ "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
 "type": "github"
 },
 "original": {
@@ -240,11 +240,11 @@
 },
 "locked": {
 "dir": "pkgs/firefox-addons",
- "lastModified": 1771301023,
- "narHash": "sha256-0XauSmXBLOqn8SYHRWOL7Z9O7m5qtF0Yw6rqXVHkEnw=",
+ "lastModified": 1773028978,
+ "narHash": "sha256-4BjOTYhHP8ljHShQyZ1gUIdwgSLjvaGN2ueKfqp6CQk=",
 "owner": "rycee",
 "repo": "nur-expressions",
- "rev": "1cf8b4f42720573ef35dcd7d2ba0fd80e40954e9",
+ "rev": "a6ed037ffc0b50a9bd0c92e20e31f270a03ca1e3",
 "type": "gitlab"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 3b4f7b7..21bbcca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,9 @@
 inputs = {
 # Specify the source of Home Manager and Nixpkgs.
 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
- nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.11-darwin";
+ # Revert to a cached version of Julia for aarch64-darwin
+ nixpkgs-darwin.url =
+ "github:nixos/nixpkgs/eedcb27bf99430e51f83d896cd1149b828290d20";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
 
 # Inputs for both darwin and linux systems
diff --git a/programs/zed.nix b/programs/zed.nix
index 8b4fc69..1aceb66 100644
--- a/programs/zed.nix
+++ b/programs/zed.nix
@@ -59,6 +59,10 @@
 };
 lsp = {
 nil = { settings.nix.flake.autoArchive = true; };
+ nixd = {
+ settings.options.home-manager.expr =
+ "(builtins.getFlake (builtins.toString ./.)).homeConfigurations..options";
+ };
 texlab = {
 settings = {
 build = {
diff --git a/secrets.nix b/secrets.nix
index d6effcc..667dd30 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -48,4 +48,6 @@ in {
 ++ [ bosephus-host ];
 "secrets/redis-password.age".publicKeys = system-administrators
 ++ [ mcentire-host ];
+ "secrets/vaultwarden.toml.age".publicKeys = system-administrators
+ ++ [ mcentire-host ];
 }
diff --git a/secrets/vaultwarden.toml.age b/secrets/vaultwarden.toml.age
new file mode 100644
index 0000000..b60bcd2
Binary files /dev/null and b/secrets/vaultwarden.toml.age differ
diff --git a/services/fireflyiii.nix b/services/fireflyiii.nix
index 4d2f24d..5174cc2 100644
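Review bot: The nixpkgs-darwin input is now pinned to a bare commit instead of the nixpkgs-25.11-darwin branch, so `nix flake update` will no longer move it and darwin hosts stop receiving that branch's fixes until someone remembers to undo this; the flake.lock hunk for nixpkgs-darwin shows the pin is also older than what was previously locked (lastModified goes from 1771352457 to 1766129819). The added comment records the motivation but not the exit condition, which is what a future maintainer needs when deciding whether the pin can go. Suggest `# TEMPORARY: pinned to an older commit so Julia stays cached for aarch64-darwin; restore "github:nixos/nixpkgs/nixpkgs-25.11-darwin" once <condition> is met` with the condition filled in.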
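Review bot: The attribute path in the added nixd expression, `homeConfigurations..options`, has an empty segment between the two dots, so the string nixd evaluates is not valid Nix syntax and home-manager option completion will fail rather than work. The configuration name belongs in that gap: `"(builtins.getFlake (builtins.toString ./.)).homeConfigurations.\"<config-name>\".options"` (placeholder — use the attribute name defined under homeConfigurations in flake.nix). Because the expression is only a string literal to Nix, this presumably surfaces in the editor's LSP log rather than at build time, which is why it is easy to miss. The enclosing `lsp` attribute set continues outside the hunk.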
--- a/services/fireflyiii.nix
+++ b/services/fireflyiii.nix
@@ -80,7 +80,7 @@ in {
 virtualisation.quadlet = let
 inherit (config.virtualisation.quadlet) containers;
 inherit (config.virtualisation.quadlet) networks;
- secrets = osConfig.millironx.podman-secrets.freshrss;
+ secrets = osConfig.millironx.podman-secrets.fireflyiii;
 in {
 autoUpdate.enable = true;
 autoEscape = true;
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
new file mode 100644
index 0000000..42a87cd
--- /dev/null
+++ b/services/vaultwarden.nix
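Review bot: The lookup fixed here (`podman-secrets.freshrss` inside the fireflyiii module) had one service's containers wired to another service's secret set, which is the kind of copy-paste drift a per-file binding prevents; if this file declares `user = "fireflyiii"` the way services/vaultwarden.nix does, prefer `secrets = osConfig.millironx.podman-secrets."${user}";` so the secret set and the containers cannot name different services. A one-line check that the freshrss module does not carry the same mistake in the other direction would close the loop. The `let` block that holds this binding starts outside the hunk.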
@@ -0,0 +1,125 @@
+{ config, pkgs, home-manager-quadlet-nix, ... }:
+let
+ user = "vaultwarden";
+ port = "92858";
+ containerPort = port;
+ authentikPort = "9000";
+ stateDirectory = "/var/lib/${user}";
+ servicePaths = [ "data" ];
+ databasePaths = [ "database" ];
+in {
+ age.secrets."vaultwarden.toml" = {
+ file = ./../secrets/vaultwarden.toml.age;
+ owner = user;
+ };
+
+ millironx.podman-secrets.vaultwarden = {
+ inherit user;
+ secrets-files = [ config.age.secrets."vaultwarden.toml".path ];
+ };
+
+ systemd.tmpfiles.rules =
+ map (d: "d ${stateDirectory}/${d} 1775 ${user} ${user} -")
+ ([ "" ] ++ servicePaths ++ databasePaths);
+
+ services.borgmatic.configurations."${config.networking.hostName}" = {
+ source_directories = map (d: "${stateDirectory}/${d}") servicePaths;
+ postgresql_databases = [{
+ name = user;
+ psql_command =
+ "/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${user}-db psql --username=${user}";
+ pg_dump_command =
+ "/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${user}-db pg_dump --username=${user}";
+ pg_restore_command =
+ "/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${user}-db pg_restore --username=${user}";
+ }];
+ };
+
+ services.caddy.virtualHosts."vault.millironx.com".extraConfig = ''
+ reverse_proxy http://127.0.0.1:${port}
+ '';
+
+ users.users."${user}" = {
+ group = user;
+ isNormalUser = true;
+ home = stateDirectory;
+ createHome = true;
+ linger = true;
+ autoSubUidGidRange = true;
+ };
+ users.groups."${user}" = { };
+
+ home-manager.users."${user}" = { config, osConfig, ... }: {
+ imports = [ home-manager-quadlet-nix ];
+
+ home.stateVersion = "25.05";
+
+ virtualisation.quadlet = let
+ inherit (config.virtualisation.quadlet) containers;
+ inherit (config.virtualisation.quadlet) networks;
+ secrets = osConfig.millironx.podman-secrets.vaultwarden;
+ in {
+ autoUpdate.enable = true;
+ autoEscape = true;
+
+ networks."${user}" = { };
+
+ containers = {
+ "${user}-db" = {
+ autoStart = true;
+ containerConfig = {
+ image = "docker.io/library/postgres:16";
+ environments = {
+ POSTGRES_DB = user;
+ POSTGRES_USER = user;
+ };
+ secrets = [
+ "POSTGRES_PASSWORD,type=env"
+ "POSTGRES_PASSWORD,type=env,target=PGPASSWORD"
+ ];
+ healthCmd = "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}";
+ healthInterval = "30s";
+ healthRetries = 5;
+ healthStartPeriod = "20s";
+ volumes =
+ [ "${stateDirectory}/database:/var/lib/postgresql/data:U" ];
+ networks = [ networks."${user}".ref ];
+ };
+ unitConfig.Requires = [ secrets.ref ];
+ unitConfig.After = [ secrets.ref ];
+ };
+
+ "${user}" = {
+ autoStart = true;
+ containerConfig = {
+ image = "ghcr.io/dani-garcia/vaultwarden:latest";
+ environments = {
+ DOMAIN = "https://vault.millironx.com";
+ ROCKET_PORT = port;
+ SIGNUPS_ALLOWED = "false";
+ SMTP_FROM_NAME = "Milliron X Vault";
+ };
+ secrets = map (s: "${s},type=env") [
+ "ADMIN_TOKEN"
+ "DATABASE_URL"
+ "SMTP_FROM"
+ "SMTP_HOST"
+ "SMTP_PORT"
+ "SMTP_PASSWORD"
+ "SMTP_USERNAME"
+ "YUBICO_CLIENT_ID"
+ "YUBICO_SECRET_KEY"
+ ];
+ volumes = [ "${stateDirectory}/data:/data:U" ];
+ networks = [ networks."${user}".ref ];
+ publishPorts = [ "127.0.0.1:${port}:${containerPort}" ];
+ };
+ unitConfig.Requires = [ secrets.ref containers."${user}".ref ];
+ unitConfig.After = [ secrets.ref containers."${user}".ref ];
+ };
+ };
+ };
+
+ };
+
+}
diff --git a/systems/darwin/corianne.nix b/systems/darwin/corianne.nix
index a029992..40d240b 100644
--- a/systems/darwin/corianne.nix
+++ b/systems/darwin/corianne.nix
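Review bot: `port = "92858"` is above the maximum TCP port of 65535, so the `publishPorts` entry `127.0.0.1:92858:92858`, `ROCKET_PORT`, and Caddy's `reverse_proxy http://127.0.0.1:92858` target are all unusable as written; pick a port in range, e.g. `port = "<port-below-65536>";`. The vaultwarden container's ordering also points at itself: `unitConfig.Requires = [ secrets.ref containers."${user}".ref ]` and the matching `After` line name the `vaultwarden` container rather than the database, so both should read `containers."${user}-db".ref` or the app is not ordered after postgres. `image = "ghcr.io/dani-garcia/vaultwarden:latest"` combined with `autoUpdate.enable = true` means each auto-update pulls whatever `latest` resolves to at that moment with no review step; pin a version tag (or digest) and bump it deliberately, as the `postgres:16` line already does. `authentikPort` is declared but never used in this file.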
@@ -32,9 +32,17 @@ in {
 automatic = true;
 interval = { Weekday = 1; };
 options = ''
- --delete-older-than 14d
+ --delete-older-than 90d
 '';
 };
+ settings = {
+ substituters =
+ [ "https://nix-community.cachix.org" "https://cache.nixos.org/" ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+
 # Needed for rosetta-builder, see
 #
 #
@@ -184,15 +192,7 @@ in {
 no_quarantine = true;
 };
 
- taps = [
- "homebrew/services"
- {
- name = "millironx/millironx";
- clone_target =
- "https://code.millironx.com/millironx/homebrew-millironx.git";
- }
- "r-lib/rig"
- ];
+ taps = [ "r-lib/rig" ];
 brews = [
 "borgbackup/tap/borgbackup-fuse"
 "buildkit"
@@ -207,6 +207,7 @@ in {
 ];
 casks = [
 "alt-tab"
+ "dash"
 "db-browser-for-sqlite"
 "firefox"
 "inkscape"
diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix
index 94c4bd6..cf01a65 100644
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@@ -11,6 +11,7 @@
 ./../../services/fireflyiii.nix
 ./../../services/freshrss.nix
 ./../../services/navidrome.nix
+ ./../../services/vaultwarden.nix
 ];
 
 # Use the GRUB 2 boot loader.
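Review bot: `trusted-public-keys` in the new `settings` block lists only the nix-community key; if nix-darwin writes this list to nix.conf as given rather than merging the built-in default, the standard `cache.nixos.org-1:…` key is dropped and paths from `https://cache.nixos.org/` — which the same block still names as a substituter — will fail signature verification and fall back to local builds. Add the cache.nixos.org key to the list next to the nix-community one (it is the key present in the nix.conf of a default install) so both substituters remain usable. Trusting nix-community.cachix.org means binaries signed with that key are accepted in place of a local build, which is a deliberate trust extension worth a one-line comment above the key. The gc retention change from 14d to 90d in the same hunk is unrelated to the cache setup and would be easier to review as its own commit.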