feat: convert to flake

feat(zaatar): convert to flake

feat(tahina, tabula): convert to flake

feat(makanek): convert to flake

feat(manakish, zaatar): convert to flake

feat(ci): build flake systems

fix: ci build

feat: secrets via submodule

foo

foo

foo

.github/workflows/niveum.yml

@@ -11,4 +11,4 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - uses: cachix/install-nix-action@v16
-    - run: nix run .#build-${{matrix.system}}
+    - run: nix build --dry-run .#nixosConfigurations.${{matrix.system}}.config.system.build.toplevel

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "secrets"]
+	path = secrets
+	url = ssh://[email protected]:22022/kfm/niveum-secrets.git

ci.nix

@@ -3,7 +3,7 @@
   system,
   name,
 }: let
-  nixpkgs = inputs.nixos-stable;
+  nixpkgs = inputs.nixpkgs;
   pkgs = nixpkgs.legacyPackages.${system};
   ensureFiles = paths:
     pkgs.runCommand "directory" {} ''
@@ -23,13 +23,7 @@
       "nixos-config=${toString ./.}/systems/${name}/configuration.nix"
       "system-secrets=${systemSecrets}"
       "secrets=${sharedSecrets}"
-      "nixpkgs=${
-        toString (
-          if name == "kabsa" || name == "manakish"
-          then inputs.nixos-unstable
-          else inputs.nixos-stable
-        )
-      }"
+      "nixpkgs=${toString (inputs.nixpkgs)}"
     ]
     ++ nixpkgs.lib.mapAttrsToList (name: value: "${name}=${value}") inputs);
   # cd ~/.password-store/shared && find * -type f | sed 's/.gpg$//'

configs/aerc.nix

@@ -16,8 +16,38 @@
     smtp.port = 25;
     smtp.tls.useStartTls = true;
   };
-  passwordCommandFrom = path: toString (pkgs.writers.writeDash "email-credentials" "echo ${lib.escapeShellArg (lib.strings.fileContents path)}");
 in {
+  age.secrets = {
+    email-password-cock = {
+      file = ../secrets/email-password-cock.age;
+      owner = config.users.users.me.name;
+    };
+    email-password-fysi = {
+      file = ../secrets/email-password-fysi.age;
+      owner = config.users.users.me.name;
+    };
+    email-password-posteo = {
+      file = ../secrets/email-password-posteo.age;
+      owner = config.users.users.me.name;
+    };
+    email-password-meinhark = {
+      file = ../secrets/email-password-meinhark.age;
+      owner = config.users.users.me.name;
+    };
+    email-password-meinhaki = {
+      file = ../secrets/email-password-meinhaki.age;
+      owner = config.users.users.me.name;
+    };
+    email-password-dslalewa = {
+      file = ../secrets/email-password-dslalewa.age;
+      owner = config.users.users.me.name;
+    };
+    email-password-fsklassp = {
+      file = ../secrets/email-password-fsklassp.age;
+      owner = config.users.users.me.name;
+    };
+  };
+
   home-manager.users.me = {
     accounts.email.accounts = rec {
       hu-student =
@@ -27,7 +57,7 @@ in {
             userName = "meinhark";
             address = "[email protected]";
             aliases = ["${userName}@hu-berlin.de"];
-            passwordCommand = passwordCommandFrom <secrets/eduroam/password>;
+            passwordCommand = "cat ${config.age.secrets.email-password-meinhark.path}";
           });
       hu-student-cs =
         lib.recursiveUpdate defaults
@@ -38,7 +68,7 @@ in {
             aliases = ["${userName}@informatik.hu-berlin.de"];
             imap.host = "mailbox.informatik.hu-berlin.de";
             smtp.host = "mailhost.informatik.hu-berlin.de";
-            passwordCommand = passwordCommandFrom <secrets/eduroam/password>;
+            passwordCommand = "cat ${config.age.secrets.email-password-meinhark.path}";
           });
       hu-employee =
         lib.recursiveUpdate defaults
@@ -47,7 +77,7 @@ in {
             userName = "meinhaki";
             address = "[email protected]";
             aliases = ["${userName}@hu-berlin.de"];
-            passwordCommand = passwordCommandFrom <secrets/mail/meinhaki>;
+            passwordCommand = "cat ${config.age.secrets.email-password-meinhaki.path}";
             aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text);
             signature = {
               showSignature = "append";
@@ -69,7 +99,7 @@ in {
             userName = "dslalewa";
             address = "[email protected]";
             aliases = ["${userName}@hu-berlin.de"];
-            passwordCommand = passwordCommandFrom <secrets/mail/dslalewa>;
+            passwordCommand = "cat ${config.age.secrets.email-password-dslalewa.path}";
             inherit (hu-employee) signature;
             aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text);
           });
@@ -78,7 +108,7 @@ in {
         (lib.recursiveUpdate hu-defaults
           rec {
             userName = "fsklassp";
-            passwordCommand = passwordCommandFrom <secrets/mail/fsklassp>;
+            passwordCommand = "cat ${config.age.secrets.email-password-fsklassp.path}";
             address = "${userName}@hu-berlin.de";
             realName = "FSI Klassische Philologie";
             aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text);
@@ -100,15 +130,15 @@ in {
         rec {
           address = "[email protected]";
           userName = address;
-          passwordCommand = passwordCommandFrom <secrets/mail/fastmail>;
+          passwordCommand = "cat ${config.age.secrets.email-password-fysi.path}";
           flavor = "fastmail.com";
         };
       cock =
         lib.recursiveUpdate defaults
         rec {
           address = "[email protected]";
           userName = address;
-          passwordCommand = passwordCommandFrom <secrets/mail/cock>;
+          passwordCommand = "cat ${config.age.secrets.email-password-cock.path}";
           realName = "";
           imap.host = "mail.cock.li";
           smtp.host = imap.host;
@@ -122,7 +152,7 @@ in {
           imap.host = "posteo.de";
           smtp.host = imap.host;
           primary = true;
-          passwordCommand = passwordCommandFrom <secrets/mail/posteo>;
+          passwordCommand = "cat ${config.age.secrets.email-password-posteo.path}";
           # himalaya = { enable = true; backend = "imap"; sender = "smtp"; };
         };
     };

configs/alacritty.nix

@@ -47,7 +47,7 @@
   alacritty-pkg = pkgs.symlinkJoin {
     name = "alacritty";
     paths = [
-      (pkgs.writeDashBin "alacritty" ''
+      (pkgs.writers.writeDashBin "alacritty" ''
         ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yml msg create-window "$@" ||
         ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yml "$@"
       '')
@@ -62,7 +62,7 @@ in {
   ];
 
   environment.etc = {
-    "themes/dark/alacritty.yml".source = alacritty-cfg (import <niveum/lib/colours/papercolor-dark.nix>);
-    "themes/light/alacritty.yml".source = alacritty-cfg (import <niveum/lib/colours/papercolor-light.nix>);
+    "themes/dark/alacritty.yml".source = alacritty-cfg (import ../lib/colours/papercolor-dark.nix);
+    "themes/light/alacritty.yml".source = alacritty-cfg (import ../lib/colours/papercolor-light.nix);
   };
 }

configs/backup.nix

@@ -3,7 +3,7 @@
   config,
   ...
 }: let
-  inherit (import <niveum/lib>) restic;
+  inherit (import ../lib) restic;
 in {
   services.restic.backups.niveum = {
     initialize = true;
@@ -12,7 +12,7 @@ in {
       OnCalendar = "8:00";
       RandomizedDelaySec = "1h";
     };
-    passwordFile = toString <secrets/restic/password>;
+    passwordFile = config.age.secrets.restic.path;
     extraBackupArgs = [
       "--exclude=/home/kfm/projects/nixpkgs/.git"
       "--exclude=node_modules"
@@ -38,15 +38,15 @@ in {
 
   environment.systemPackages = [
     (pkgs.writers.writeDashBin "restic-niveum" ''
-      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${<secrets/restic/password>} "$@"
+      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${config.age.secrets.restic.path} "$@"
     '')
     (pkgs.writers.writeDashBin "restic-mount" ''
       mountdir=$(mktemp -d)
       trap clean EXIT
       clean() {
         rm -r "$mountdir"
       }
-      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${<secrets/restic/password>} mount "$mountdir"
+      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${config.age.secrets.restic.path} mount "$mountdir"
     '')
   ];
 }

configs/cloud.nix

@@ -4,16 +4,8 @@
   pkgs,
   ...
 }: let
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../lib) tmpfilesConfig;
 in {
-  imports = [
-    <niveum/modules/dropbox.nix>
-  ];
-
-  niveum = {
-    dropbox.enable = false;
-  };
-
   systemd.tmpfiles.rules = map tmpfilesConfig [
     {
       type = "L+";
@@ -55,13 +47,13 @@ in {
     script = let
       kieran = {
         user = "kieran";
-        password = lib.fileContents <secrets/nextcloud/password>;
+        passwordFile = config.age.secrets.nextcloud-password-kieran.path;
         endpoint = "https://cloud.xn--kiern-0qa.de";
         target = "${config.users.users.me.home}/notes";
       };
     in ''
       mkdir -p ${lib.escapeShellArg kieran.target}
-      ${pkgs.nextcloud-client}/bin/nextcloudcmd --non-interactive --user ${kieran.user} --password ${lib.escapeShellArg kieran.password} --path /Notes ${lib.escapeShellArg kieran.target} ${kieran.endpoint}
+      ${pkgs.nextcloud-client}/bin/nextcloudcmd --non-interactive --user ${kieran.user} --password "$(cat ${kieran.passwordFile})" --path /Notes ${lib.escapeShellArg kieran.target} ${kieran.endpoint}
     '';
     serviceConfig = {
       Type = "oneshot";
@@ -81,9 +73,9 @@ in {
     (let
       kieran = {
         user = "[email protected]";
-        password = lib.fileContents <secrets/mega/password>;
+        passwordFile = config.age.secrets.mega-password.path;
       };
-      megatools = command: "${pkgs.megatools}/bin/megatools ${command} --username ${lib.escapeShellArg kieran.user} --password ${lib.escapeShellArg kieran.password}";
+      megatools = command: ''${pkgs.megatools}/bin/megatools ${command} --username ${lib.escapeShellArg kieran.user} --password "$(cat ${kieran.passwordFile})"'';
     in
       pkgs.writers.writeDashBin "book-mega" ''
         set -efu
@@ -104,6 +96,8 @@ in {
       '')
   ];
 
+  age.secrets.mega-password.file = ../secrets/mega-password.age;
+
   fileSystems."/media/moodle" = {
     device = "zaatar.r:/moodle";
     fsType = "nfs";
@@ -120,9 +114,9 @@ in {
     openDefaultPorts = true;
     configDir = "/home/kfm/.config/syncthing";
     dataDir = "/home/kfm/.config/syncthing";
-    cert = toString <system-secrets/syncthing/cert.pem>;
-    key = toString <system-secrets/syncthing/key.pem>;
-    inherit ((import <niveum/lib>).syncthing) devices;
+    cert = config.age.secrets.syncthing-cert.path;
+    key = config.age.secrets.syncthing-key.path;
+    inherit ((import ../lib).syncthing) devices;
     folders = let
       cloud-dir = "${config.users.users.me.home}/cloud";
     in {

configs/default.nix

@@ -6,13 +6,12 @@
   ...
 }: let
   inherit (lib.strings) makeBinPath;
-  inherit (import <niveum/lib>) localAddresses kieran;
-  scripts = import <niveum/packages/scripts> {inherit pkgs lib;};
-  defaultApplications = (import <niveum/lib>).defaultApplications {inherit pkgs;};
+  inherit (import ../lib) localAddresses kieran;
+  scripts = import ../packages/scripts {inherit config pkgs lib;};
+  defaultApplications = (import ../lib).defaultApplications {inherit pkgs;};
 in {
   imports = [
-    <home-manager/nixos>
-    <niveum/modules/system-dependent.nix>
+    ../modules/system-dependent.nix
     {
       boot.supportedFilesystems = ["ntfs"];
     }
@@ -28,10 +27,10 @@ in {
           allowUnfree = true;
           packageOverrides = pkgs: {
             dmenu = pkgs.writers.writeDashBin "dmenu" ''exec ${pkgs.rofi}/bin/rofi -dmenu "$@"'';
-            gfs-fonts = pkgs.callPackage <niveum/packages/gfs-fonts.nix> {};
-            tocharian-font = pkgs.callPackage <niveum/packages/tocharian-font.nix> {};
-            iolanguage = pkgs.callPackage <niveum/packages/iolanguage.nix> {};
-            ix = pkgs.callPackage <niveum/packages/ix.nix> {};
+            gfs-fonts = pkgs.callPackage ../packages/gfs-fonts.nix {};
+            tocharian-font = pkgs.callPackage ../packages/tocharian-font.nix {};
+            iolanguage = pkgs.callPackage ../packages/iolanguage.nix {};
+            ix = pkgs.callPackage ../packages/ix.nix {};
           };
           permittedInsecurePackages = [
             "qtwebkit-5.212.0-alpha4"
@@ -43,6 +42,9 @@ in {
       boot.cleanTmpDir = true;
       boot.loader.timeout = 1;
     }
+    {
+      age.secrets.di-fm-key.file = ../secrets/di-fm-key.age;
+    }
     {
       home-manager.users.me = {
         programs.zathura = {
@@ -226,7 +228,6 @@ in {
     ./clipboard.nix
     ./cloud.nix
     ./direnv.nix
-    ./distrobump.nix
     ./docker.nix
     ./dunst.nix
     ./flix.nix
@@ -244,7 +245,7 @@ in {
     ./neovim.nix
     ./nix.nix
     ./newsboat.nix
-    ./flameshot-once.nix
+    ./flameshot.nix
     ./packages.nix
     ./picom.nix
     ./stardict.nix
@@ -262,7 +263,6 @@ in {
     ./sshd.nix
     ./sound.nix
     ./sudo.nix
-    ./nsxiv.nix
     ./themes.nix
     ./tmux.nix
     # ./traadfri.nix

configs/dunst.nix

@@ -3,7 +3,7 @@
   pkgs,
   ...
 }: let
-  inherit (import <niveum/lib>) defaultApplications colours theme;
+  inherit (import ../lib) defaultApplications colours theme;
 in {
   home-manager.users.me.services.dunst = {
     enable = true;