diff --git a/.github/workflows/niveum.yml b/.github/workflows/niveum.yml index cebaf6d1..aab14d08 100644 --- a/.github/workflows/niveum.yml +++ b/.github/workflows/niveum.yml @@ -11,4 +11,4 @@ jobs: steps: - uses: actions/checkout@v2 - uses: cachix/install-nix-action@v16 - - run: nix run .#build-${{matrix.system}} + - run: nix build --dry-run .#nixosConfigurations.${{matrix.system}}.config.system.build.toplevel diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 00000000..03497479 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "secrets"] + path = secrets + url = ssh://gitea@code.kmein.de:22022/kfm/niveum-secrets.git diff --git a/ci.nix b/ci.nix index 25d29d7e..9cd3fb83 100644 --- a/ci.nix +++ b/ci.nix @@ -3,7 +3,7 @@ system, name, }: let - nixpkgs = inputs.nixos-stable; + nixpkgs = inputs.nixpkgs; pkgs = nixpkgs.legacyPackages.${system}; ensureFiles = paths: pkgs.runCommand "directory" {} '' @@ -23,13 +23,7 @@ "nixos-config=${toString ./.}/systems/${name}/configuration.nix" "system-secrets=${systemSecrets}" "secrets=${sharedSecrets}" - "nixpkgs=${ - toString ( - if name == "kabsa" || name == "manakish" - then inputs.nixos-unstable - else inputs.nixos-stable - ) - }" + "nixpkgs=${toString (inputs.nixpkgs)}" ] ++ nixpkgs.lib.mapAttrsToList (name: value: "${name}=${value}") inputs); # cd ~/.password-store/shared && find * -type f | sed 's/.gpg$//' diff --git a/configs/aerc.nix b/configs/aerc.nix index d4fa5cf1..f729376f 100644 --- a/configs/aerc.nix +++ b/configs/aerc.nix 
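Review bot: The new CI step `nix build --dry-run .#nixosConfigurations.${{matrix.system}}.config.system.build.toplevel` will most likely fail to evaluate now that the secrets live in a git submodule, because `actions/checkout@v2` does not fetch submodules unless told to and a flake source only includes submodule content when that is requested. The modules added in this commit reference `../secrets/*.age` as Nix paths, which get copied into the store while the configuration is evaluated, so an absent `secrets/` directory is an evaluation error, not a runtime one (inferred from the `age.secrets.*.file` declarations; the page does not show the checkout options). Since the `.gitmodules` entry uses an `ssh://` URL, the checkout step would also need a read-only deploy key for that host, e.g. `with: { submodules: true, ssh-key: ${{ secrets.<deploy-key-secret> }} }` (secret name is a placeholder), and the build line becomes `nix build --dry-run '.?submodules=1#nixosConfigurations.${{matrix.system}}.config.system.build.toplevel'`. The `ci.nix` hunks on this line keep the NIX_PATH-based `secrets=`/`system-secrets=` entries, so the two mechanisms will coexist until the remaining `<secrets/…>` consumers are migrated.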
@@ -16,8 +16,38 @@ smtp.port = 25; smtp.tls.useStartTls = true; }; - passwordCommandFrom = path: toString (pkgs.writers.writeDash "email-credentials" "echo ${lib.escapeShellArg (lib.strings.fileContents path)}"); in { + age.secrets = { + email-password-cock = { + file = ../secrets/email-password-cock.age; + owner = config.users.users.me.name; + }; + email-password-fysi = { + file = ../secrets/email-password-fysi.age; + owner = config.users.users.me.name; + }; + email-password-posteo = { + file = ../secrets/email-password-posteo.age; + owner = config.users.users.me.name; + }; + email-password-meinhark = { + file = ../secrets/email-password-meinhark.age; + owner = config.users.users.me.name; + }; + email-password-meinhaki = { + file = ../secrets/email-password-meinhaki.age; + owner = config.users.users.me.name; + }; + email-password-dslalewa = { + file = ../secrets/email-password-dslalewa.age; + owner = config.users.users.me.name; + }; + email-password-fsklassp = { + file = ../secrets/email-password-fsklassp.age; + owner = config.users.users.me.name; + }; + }; + home-manager.users.me = { accounts.email.accounts = rec { hu-student = @@ -27,7 +57,7 @@ in { userName = "meinhark"; address = "kieran.felix.meinhardt@hu-berlin.de"; aliases = ["${userName}@hu-berlin.de"]; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-meinhark.path}"; }); hu-student-cs = lib.recursiveUpdate defaults @@ -38,7 +68,7 @@ in { aliases = ["${userName}@informatik.hu-berlin.de"]; imap.host = "mailbox.informatik.hu-berlin.de"; smtp.host = "mailhost.informatik.hu-berlin.de"; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-meinhark.path}"; }); hu-employee = lib.recursiveUpdate defaults 
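Review bot: The seven `age.secrets.email-password-*` entries in the first hunk differ only in their name, so the attribute set is better generated than written out; one `lib.genAttrs` over the account list keeps the `file`/`owner` pairing in a single place and makes adding the next mailbox a one-word change. `lib` is already in scope in this module (`lib.recursiveUpdate`, `lib.escapeShellArg`), so nothing new is needed. The `owner = config.users.users.me.name` setting is the part that matters for these secrets, because the `cat ${…path}` password commands run as that user, and the generated form keeps it for every entry.

```nix
age.secrets = lib.genAttrs (map (account: "email-password-${account}") [
  "cock" "fysi" "posteo" "meinhark" "meinhaki" "dslalewa" "fsklassp"
]) (name: {
  file = ../secrets + "/${name}.age";
  owner = config.users.users.me.name;
});

# … unchanged: home-manager.users.me.accounts.email.accounts …
```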
@@ -47,7 +77,7 @@ in { userName = "meinhaki"; address = "kieran.meinhardt@hu-berlin.de"; aliases = ["${userName}@hu-berlin.de"]; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-meinhaki.path}"; aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text); signature = { showSignature = "append"; @@ -69,7 +99,7 @@ in { userName = "dslalewa"; address = "admin.alew.vglsprwi@hu-berlin.de"; aliases = ["${userName}@hu-berlin.de"]; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-dslalewa.path}"; inherit (hu-employee) signature; aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text); }); @@ -78,7 +108,7 @@ in { (lib.recursiveUpdate hu-defaults rec { userName = "fsklassp"; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-fsklassp.path}"; address = "${userName}@hu-berlin.de"; realName = "FSI Klassische Philologie"; aerc.extraAccounts.signature-file = toString (pkgs.writeText "signature" signature.text); @@ -100,7 +130,7 @@ in { rec { address = "kieran@fysi.tech"; userName = address; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-fysi.path}"; flavor = "fastmail.com"; }; cock = @@ -108,7 +138,7 @@ in { rec { address = "2210@cock.li"; userName = address; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-cock.path}"; realName = ""; imap.host = "mail.cock.li"; smtp.host = imap.host; @@ -122,7 +152,7 @@ in { imap.host = "posteo.de"; smtp.host = imap.host; primary = true; - passwordCommand = passwordCommandFrom ; + passwordCommand = "cat ${config.age.secrets.email-password-posteo.path}"; # himalaya = { enable = true; backend = "imap"; sender = "smtp"; }; }; }; diff --git a/configs/alacritty.nix b/configs/alacritty.nix index 0b0e5b40..9861715c 100644 
--- a/configs/alacritty.nix +++ b/configs/alacritty.nix @@ -47,7 +47,7 @@ alacritty-pkg = pkgs.symlinkJoin { name = "alacritty"; paths = [ - (pkgs.writeDashBin "alacritty" '' + (pkgs.writers.writeDashBin "alacritty" '' ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yml msg create-window "$@" || ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yml "$@" '') @@ -62,7 +62,7 @@ in { ]; environment.etc = { - "themes/dark/alacritty.yml".source = alacritty-cfg (import ); - "themes/light/alacritty.yml".source = alacritty-cfg (import ); + "themes/dark/alacritty.yml".source = alacritty-cfg (import ../lib/colours/papercolor-dark.nix); + "themes/light/alacritty.yml".source = alacritty-cfg (import ../lib/colours/papercolor-light.nix); }; } diff --git a/configs/backup.nix b/configs/backup.nix index fb40916a..551e5cae 100644 --- a/configs/backup.nix +++ b/configs/backup.nix @@ -3,7 +3,7 @@ config, ... }: let - inherit (import ) restic; + inherit (import ../lib) restic; in { services.restic.backups.niveum = { initialize = true; @@ -12,7 +12,7 @@ in { OnCalendar = "8:00"; RandomizedDelaySec = "1h"; }; - passwordFile = toString ; + passwordFile = config.age.secrets.restic.path; extraBackupArgs = [ "--exclude=/home/kfm/projects/nixpkgs/.git" "--exclude=node_modules" @@ -38,7 +38,7 @@ in { environment.systemPackages = [ (pkgs.writers.writeDashBin "restic-niveum" '' - ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${} "$@" + ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${config.age.secrets.restic.path} "$@" '') (pkgs.writers.writeDashBin "restic-mount" '' mountdir=$(mktemp -d) @@ -46,7 +46,7 @@ in { clean() { rm -r "$mountdir" } - ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${} mount "$mountdir" + ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${config.age.secrets.restic.path} mount "$mountdir" '') ]; } diff --git a/configs/cloud.nix b/configs/cloud.nix index 5b6febd4..9d16ec75 100644 
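Review bot: `passwordFile = config.age.secrets.restic.path` and the two `-p ${config.age.secrets.restic.path}` wrappers in configs/backup.nix consume a secret that no hunk in this commit declares, so evaluation will fail with an undefined attribute unless `age.secrets.restic` is defined in a file outside this diff. The same applies to `syncthing-cert`/`syncthing-key` in configs/cloud.nix and `retiolum-rsa`/`retiolum-ed25519` in configs/retiolum.nix further down. Because `restic-niveum` and `restic-mount` are user-facing wrappers while the backup service itself runs as root by default, the declaration needs an explicit owner for the wrappers to be able to read the file, e.g. `age.secrets.restic = { file = ../secrets/restic.age; owner = config.users.users.me.name; };` (path constructed after the pattern used elsewhere in the commit; root can still read the file at the default 0400 mode).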
--- a/configs/cloud.nix +++ b/configs/cloud.nix @@ -4,16 +4,8 @@ pkgs, ... }: let - inherit (import ) tmpfilesConfig; + inherit (import ../lib) tmpfilesConfig; in { - imports = [ - - ]; - - niveum = { - dropbox.enable = false; - }; - systemd.tmpfiles.rules = map tmpfilesConfig [ { type = "L+"; @@ -55,13 +47,13 @@ in { script = let kieran = { user = "kieran"; - password = lib.fileContents ; + passwordFile = config.age.secrets.nextcloud-password-kieran.path; endpoint = "https://cloud.xn--kiern-0qa.de"; target = "${config.users.users.me.home}/notes"; }; in '' mkdir -p ${lib.escapeShellArg kieran.target} - ${pkgs.nextcloud-client}/bin/nextcloudcmd --non-interactive --user ${kieran.user} --password ${lib.escapeShellArg kieran.password} --path /Notes ${lib.escapeShellArg kieran.target} ${kieran.endpoint} + ${pkgs.nextcloud-client}/bin/nextcloudcmd --non-interactive --user ${kieran.user} --password "$(cat ${kieran.passwordFile})" --path /Notes ${lib.escapeShellArg kieran.target} ${kieran.endpoint} ''; serviceConfig = { Type = "oneshot"; @@ -81,9 +73,9 @@ in { (let kieran = { user = "kieran.meinhardt@gmail.com"; - password = lib.fileContents ; + passwordFile = config.age.secrets.mega-password.path; }; - megatools = command: "${pkgs.megatools}/bin/megatools ${command} --username ${lib.escapeShellArg kieran.user} --password ${lib.escapeShellArg kieran.password}"; + megatools = command: ''${pkgs.megatools}/bin/megatools ${command} --username ${lib.escapeShellArg kieran.user} --password "$(cat ${kieran.passwordFile})"''; in pkgs.writers.writeDashBin "book-mega" '' set -efu @@ -104,6 +96,8 @@ in { '') ]; + age.secrets.mega-password.file = ../secrets/mega-password.age; + fileSystems."/media/moodle" = { device = "zaatar.r:/moodle"; fsType = "nfs"; 
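Review bot: `--password "$(cat ${kieran.passwordFile})"` in the nextcloudcmd script and in the `megatools` wrapper still passes the secret as a command-line argument, where every local user can read it from the process list for the lifetime of the process unless /proc is mounted with hidepid; the commit removes the password from the Nix store but not from argv. Both tools can take the credential from a file instead (nextcloudcmd has `-n`/`--netrc`, megatools reads `--config`/`~/.megarc`), so writing a 0600 file from `$(cat …)` under a private directory and pointing the tool at it keeps the password out of the process list — the exact option spelling should be checked against the packaged versions. Separately, `age.secrets.mega-password.file` is declared without an `owner`, so with the default root-only mode the `book-mega` wrapper cannot read it when run by the user; the same gap exists for `di-fm-key` in configs/default.nix, the two `nextcloud-password-*` secrets in configs/khal.nix (consumed by user-run vdirsyncer) and `home-assistant-token` in configs/packages.nix, wherever the consumer is not root.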
@@ -120,9 +114,9 @@ in { openDefaultPorts = true; configDir = "/home/kfm/.config/syncthing"; dataDir = "/home/kfm/.config/syncthing"; - cert = toString ; - key = toString ; - inherit ((import ).syncthing) devices; + cert = config.age.secrets.syncthing-cert.path; + key = config.age.secrets.syncthing-key.path; + inherit ((import ../lib).syncthing) devices; folders = let cloud-dir = "${config.users.users.me.home}/cloud"; in { diff --git a/configs/default.nix b/configs/default.nix index 3bbf7e84..bf9002e7 100644 --- a/configs/default.nix +++ b/configs/default.nix @@ -6,13 +6,12 @@ ... }: let inherit (lib.strings) makeBinPath; - inherit (import ) localAddresses kieran; - scripts = import {inherit pkgs lib;}; - defaultApplications = (import ).defaultApplications {inherit pkgs;}; + inherit (import ../lib) localAddresses kieran; + scripts = import ../packages/scripts {inherit config pkgs lib;}; + defaultApplications = (import ../lib).defaultApplications {inherit pkgs;}; in { imports = [ - - + ../modules/system-dependent.nix { boot.supportedFilesystems = ["ntfs"]; } @@ -28,10 +27,10 @@ in { allowUnfree = true; packageOverrides = pkgs: { dmenu = pkgs.writers.writeDashBin "dmenu" ''exec ${pkgs.rofi}/bin/rofi -dmenu "$@"''; - gfs-fonts = pkgs.callPackage {}; - tocharian-font = pkgs.callPackage {}; - iolanguage = pkgs.callPackage {}; - ix = pkgs.callPackage {}; + gfs-fonts = pkgs.callPackage ../packages/gfs-fonts.nix {}; + tocharian-font = pkgs.callPackage ../packages/tocharian-font.nix {}; + iolanguage = pkgs.callPackage ../packages/iolanguage.nix {}; + ix = pkgs.callPackage ../packages/ix.nix {}; }; permittedInsecurePackages = [ "qtwebkit-5.212.0-alpha4" @@ -43,6 +42,9 @@ in { boot.cleanTmpDir = true; boot.loader.timeout = 1; } + { + age.secrets.di-fm-key.file = ../secrets/di-fm-key.age; + } { home-manager.users.me = { programs.zathura = { @@ -226,7 +228,6 @@ in { ./clipboard.nix ./cloud.nix ./direnv.nix - ./distrobump.nix ./docker.nix ./dunst.nix ./flix.nix 
@@ -244,7 +245,7 @@ in { ./neovim.nix ./nix.nix ./newsboat.nix - ./flameshot-once.nix + ./flameshot.nix ./packages.nix ./picom.nix ./stardict.nix @@ -262,7 +263,6 @@ in { ./sshd.nix ./sound.nix ./sudo.nix - ./nsxiv.nix ./themes.nix ./tmux.nix # ./traadfri.nix diff --git a/configs/dunst.nix b/configs/dunst.nix index aa4dc843..5ff7cb7e 100644 --- a/configs/dunst.nix +++ b/configs/dunst.nix @@ -3,7 +3,7 @@ pkgs, ... }: let - inherit (import ) defaultApplications colours theme; + inherit (import ../lib) defaultApplications colours theme; in { home-manager.users.me.services.dunst = { enable = true; diff --git a/configs/flameshot-once.nix b/configs/flameshot-once.nix deleted file mode 100644 index 0cb7d489..00000000 --- a/configs/flameshot-once.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - lib, - pkgs, - ... -}: let - inherit (import ) defaultApplications; - flameshot-once = pkgs.callPackage {}; -in { - environment.systemPackages = [ - (flameshot-once.override { - name = "flameshot-once-kmein"; - config = { - imgur = { - enable = true; - createUrl = "http://p.r/image"; - deleteUrl = "http://p.r/image/delete/%1"; - xdg-open.browser = (defaultApplications pkgs).browser; - }; - settings.General = { - autoCloseIdleDaemon = true; - drawColor = "#ff0000"; - drawThickness = 2; - checkForUpdates = false; - showDesktopNotification = true; - disabledTrayIcon = true; - showHelp = false; - squareMagnifier = true; - uploadWithoutConfirmation = true; - buttons = [ - "TYPE_ARROW" - "TYPE_CIRCLE" - "TYPE_CIRCLECOUNT" - "TYPE_COPY" - "TYPE_DRAWER" - "TYPE_EXIT" - "TYPE_IMAGEUPLOADER" - "TYPE_MARKER" - "TYPE_MOVESELECTION" - "TYPE_PENCIL" - "TYPE_PIXELATE" - "TYPE_RECTANGLE" - "TYPE_SAVE" - "TYPE_SELECTION" - # "TYPE_SELECTIONINDICATOR" - "TYPE_TEXT" - "TYPE_UNDO" - ]; - }; - }; - }) - ]; -} diff --git a/configs/flameshot.nix b/configs/flameshot.nix new file mode 100644 index 00000000..c5c2c8f5 --- /dev/null +++ b/configs/flameshot.nix 
@@ -0,0 +1,44 @@ +{ + lib, + pkgs, + ... +}: let + inherit (import ) defaultApplications; + flameshot-once = pkgs.callPackage {}; +in { + home-manager.users.me = { + services.flameshot = { + enable = true; + settings.General = { + autoCloseIdleDaemon = true; + drawColor = "#ff0000"; + drawThickness = 2; + checkForUpdates = false; + showDesktopNotification = true; + disabledTrayIcon = true; + showHelp = false; + squareMagnifier = true; + uploadWithoutConfirmation = true; + buttons = lib.concatStringsSep " " [ + "TYPE_ARROW" + "TYPE_CIRCLE" + "TYPE_CIRCLECOUNT" + "TYPE_COPY" + "TYPE_DRAWER" + "TYPE_EXIT" + "TYPE_IMAGEUPLOADER" + "TYPE_MARKER" + "TYPE_MOVESELECTION" + "TYPE_PENCIL" + "TYPE_PIXELATE" + "TYPE_RECTANGLE" + "TYPE_SAVE" + "TYPE_SELECTION" + # "TYPE_SELECTIONINDICATOR" + "TYPE_TEXT" + "TYPE_UNDO" + ]; + }; + }; + }; +} diff --git a/configs/flix.nix b/configs/flix.nix index 9287f982..f42377e1 100644 --- a/configs/flix.nix +++ b/configs/flix.nix @@ -8,7 +8,7 @@ indexFilename = "index"; flixUser = "flix"; flixGroup = "users"; - inherit (import ) tmpfilesConfig; + inherit (import ../lib) tmpfilesConfig; in { fileSystems.${flixLocation} = { device = "prism.r:/export"; diff --git a/configs/git.nix b/configs/git.nix index 5f975ee3..5e904f51 100644 --- a/configs/git.nix +++ b/configs/git.nix @@ -4,7 +4,8 @@ lib, ... }: let - inherit (import ) kieran ignorePaths; + inherit (import ../lib) kieran ignorePaths; + git-preview = pkgs.callPackage ../packages/git-preview.nix {}; in { environment.systemPackages = [ pkgs.mr @@ -18,7 +19,7 @@ in { pkgs.gitstats pkgs.patch pkgs.patchutils - pkgs.git-preview + git-preview ]; environment.shellAliases = { diff --git a/configs/hledger.nix b/configs/hledger.nix index f2fab0df..42d8261f 100644 --- a/configs/hledger.nix +++ b/configs/hledger.nix @@ -3,7 +3,7 @@ pkgs, ... }: { - imports = []; + imports = [../modules/hledger.nix]; environment.systemPackages = let timeLedger = "$HOME/projects/ledger/time.timeclock"; 
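Review bot: The new configs/flameshot.nix carries over two let-bindings from the deleted file that nothing in it uses: `inherit (import ) defaultApplications;` and `flameshot-once = pkgs.callPackage {};` (the angle-bracket paths have been stripped by the page rendering). Both still use the NIX_PATH lookup style that every other hunk in this commit replaces with relative `../lib` / `../packages` paths, and since the `services.flameshot` block references neither of them they should simply be dropped; Nix's laziness is the only reason they do not currently break evaluation. `lib` stays, because `lib.concatStringsSep` is used for `buttons`.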
diff --git a/configs/hu-berlin.nix b/configs/hu-berlin.nix index 53a8ab28..6d8c0687 100644 --- a/configs/hu-berlin.nix +++ b/configs/hu-berlin.nix @@ -5,7 +5,7 @@ ... }: let inherit (lib.strings) fileContents; - inherit (import ) sshPort; + inherit (import ../lib) sshPort; eduroam = { identity = fileContents ; password = fileContents ; @@ -15,8 +15,7 @@ "gid=${toString config.users.groups.users.gid}" "sec=ntlmv2" "workgroup=german" - "username=meinhaki" - "password=${lib.strings.fileContents }" + "credentials=${config.age.secrets.cifs-credentials-hu-berlin.path}" "noauto" "x-systemd.requires=hu-vpn.service" "x-systemd.automount" @@ -36,6 +35,8 @@ in { options = hu-berlin-cifs-options; }; + age.secrets.cifs-credentials-hu-berlin.file = ../secrets/cifs-credentials-hu-berlin.age; + home-manager.users.me.programs.ssh = { matchBlocks = { "alew.hu-berlin.de" = { @@ -65,14 +66,16 @@ in { systemd.services.hu-vpn = { enable = true; wants = ["network-online.target"]; + serviceConfig.LoadCredential = "password:${config.age.secrets.email-password-meinhark.path}"; script = '' - ${pkgs.openfortivpn}/bin/openfortivpn -c ${ + ${pkgs.openfortivpn}/bin/openfortivpn \ + --password="$(cat "$CREDENTIALS_DIRECTORY/password")" \ + --config=${ pkgs.writeText "hu-berlin.config" '' host = forti-ssl.vpn.hu-berlin.de port = 443 - trusted-cert = 42193a913d276d9eb86217612956e1e6464d6f07bed5393a4787c87adc4bd359 - username = ${eduroam.identity} - password = ${eduroam.password} + username = meinhark + trusted-cert = 9e5dea8e077970d245900839f437ef7fb9551559501c7defd70af70ea568573d '' } ''; diff --git a/configs/i3.nix b/configs/i3.nix index ad46680e..ce880478 100644 --- a/configs/i3.nix +++ b/configs/i3.nix 
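Review bot: `--password="$(cat "$CREDENTIALS_DIRECTORY/password")"` in the hu-vpn script hands the VPN password to openfortivpn as a command-line argument, so it is visible to every local user in the process list for as long as the tunnel is up; `LoadCredential` is the right mechanism, but the value should stay in a file. openfortivpn reads `password =` from its config file, so the service can assemble a runtime config from the store-resident part plus the credential inside a 0700 `RuntimeDirectory` and pass only `--config`. The `eduroam` let-binding a few lines above (`identity`/`password` via `fileContents` on NIX_PATH secrets) loses its last visible consumer in this hunk; if nothing else in the file uses it, removing it also removes the last plaintext-to-store read here. The new `trusted-cert` fingerprint pins the gateway certificate, which is good, but its value should be confirmed against the certificate obtained out of band, and the service will need the same manual update when the gateway rotates its certificate.

```nix
serviceConfig.LoadCredential = "password:${config.age.secrets.email-password-meinhark.path}";
serviceConfig.RuntimeDirectory = "hu-vpn";
serviceConfig.RuntimeDirectoryMode = "0700";
script = ''
  umask 077
  {
    cat ${pkgs.writeText "hu-berlin.config" ''
      host = forti-ssl.vpn.hu-berlin.de
      port = 443
      username = meinhark
      trusted-cert = 9e5dea8e077970d245900839f437ef7fb9551559501c7defd70af70ea568573d
    ''}
    echo "password = $(cat "$CREDENTIALS_DIRECTORY/password")"
  } > "$RUNTIME_DIRECTORY/hu-berlin.config"
  ${pkgs.openfortivpn}/bin/openfortivpn --config="$RUNTIME_DIRECTORY/hu-berlin.config"
'';
```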
@@ -4,9 +4,9 @@ lib, ... }: let - inherit (import ) defaultApplications colours; - scripts = import {inherit pkgs lib;}; - klem = import { + inherit (import ../lib) defaultApplications colours; + scripts = import ../packages/scripts {inherit config pkgs lib;}; + klem = import ../packages/scripts/klem.nix { inherit pkgs lib; config.scripts = { "p.r" = pkgs.writers.writeDash "p.r" '' @@ -57,6 +57,21 @@ i3-msg move container to workspace $(($(i3-msg -t get_workspaces | tr , '\n' | grep '"num":' | cut -d : -f 2 | sort -rn | head -1) + 1)) ''; in { + age.secrets = { + github-token-i3status-rust = { + file = ../secrets/github-token-i3status-rust.age; + owner = "kfm"; + group = "users"; + mode = "400"; + }; + openweathermap-api-key = { + file = ../secrets/openweathermap-api-key.age; + owner = "kfm"; + group = "users"; + mode = "400"; + }; + }; + services.xserver = { displayManager.defaultSession = "none+i3"; windowManager.i3 = { @@ -175,14 +190,17 @@ in { text = colours.foreground; }; }; - statusCommand = "env I3RS_GITHUB_TOKEN=${lib.strings.fileContents } ${pkgs.i3status-rust}/bin/i3status-rs ${ - (pkgs.formats.toml {}).generate "i3status-rust.toml" (import { - inherit (config.niveum) batteryName wirelessInterface; - inherit (config.home-manager.users.me.accounts.email) accounts; - inherit colours; - inherit pkgs; - }) - }"; + statusCommand = toString (pkgs.writers.writeDash "i3status-rust" '' + export I3RS_GITHUB_TOKEN="$(cat ${config.age.secrets.github-token-i3status-rust.path})" + export OPENWEATHERMAP_API_KEY="$(cat ${config.age.secrets.openweathermap-api-key.path})" + ${pkgs.i3status-rust}/bin/i3status-rs ${ + (pkgs.formats.toml {}).generate "i3status-rust.toml" (import ../lib/i3status-rust.nix { + inherit (config.niveum) batteryName wirelessInterface; + inherit (config.home-manager.users.me.accounts.email) accounts; + inherit colours; + inherit pkgs; + }) + }''); } ]; modes.resize = { diff --git a/configs/khal.nix b/configs/khal.nix index 0c1c1352..4e7eb4af 100644 
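Review bot: The two `age.secrets` entries added at the top of configs/i3.nix hard-code `owner = "kfm"; group = "users";`, while configs/aerc.nix in the same commit uses `owner = config.users.users.me.name;` for the same purpose; one spelling should be used so that renaming the primary user does not leave unreadable secrets behind. `config` is already in scope here (`config.niveum`, `config.home-manager…`), so the change is `owner = config.users.users.me.name;` in both entries. The explicit `mode = "400"` is fine, and having the wrapper export the tokens through the environment rather than argv is the right shape for i3status-rs.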
--- a/configs/khal.nix +++ b/configs/khal.nix @@ -8,14 +8,19 @@ kmeinCloud = { davEndpoint = "https://cloud.xn--kiern-0qa.de/remote.php/dav"; username = "kieran"; - password = lib.fileContents ; + passwordFile = config.age.secrets.nextcloud-password-kieran.path; }; fysiCloud = { davEndpoint = "https://nextcloud.fysi.dev/remote.php/dav"; username = "kmein"; - password = lib.fileContents ; + passwordFile = config.age.secrets.nextcloud-password-fysi.path; }; in { + age.secrets = { + nextcloud-password-kieran.file = ../secrets/nextcloud-password-kieran.age; + nextcloud-password-fysi.file = ../secrets/nextcloud-password-fysi.age; + }; + environment.systemPackages = [ pkgs.khal pkgs.vdirsyncer @@ -167,19 +172,19 @@ in { type = "carddav" url = "${kmeinCloud.davEndpoint}/addressbooks/users/${kmeinCloud.username}/" username = "${kmeinCloud.username}" - password = "${kmeinCloud.password}" + password.fetch = ["cat", "${kmeinCloud.passwordFile}"] [storage kalender_cloud] type = "caldav" url = "${kmeinCloud.davEndpoint}/calendars/${kmeinCloud.username}/" username = "${kmeinCloud.username}" - password = "${kmeinCloud.password}" + password.fetch = ["cat", "${kmeinCloud.passwordFile}"] [storage fysi_cloud] type = "caldav" url = "${fysiCloud.davEndpoint}/calendars/${fysiCloud.username}/" username = "${fysiCloud.username}" - password = "${fysiCloud.password}" + password.fetch = ["cat", "${fysiCloud.passwordFile}"] ''; }; }; diff --git a/configs/mpv.nix b/configs/mpv.nix index d18938b4..36e9f952 100644 --- a/configs/mpv.nix +++ b/configs/mpv.nix @@ -4,7 +4,7 @@ config, ... }: let - scripts = import {inherit pkgs lib;}; + scripts = import ../packages/scripts {inherit config pkgs lib;}; swallow = command: "${scripts.swallow}/bin/swallow ${command}"; in { environment.shellAliases.smpv = swallow "mpv"; @@ -37,7 +37,7 @@ in { }; scripts = [ pkgs.mpvScripts.youtube-quality - (pkgs.callPackage {}) + (pkgs.callPackage ../packages/mpv-visualizer.nix {}) ]; }; }; 
diff --git a/configs/neovim.nix b/configs/neovim.nix index e62aad47..a1d2a584 100644 --- a/configs/neovim.nix +++ b/configs/neovim.nix @@ -8,15 +8,15 @@ vimPlugins = pkgs.vimPlugins // { - cheat-sh-vim = pkgs.callPackage {}; - vim-fetch = pkgs.callPackage {}; - vim-colors-paramount = pkgs.callPackage {}; - vim-256noir = pkgs.callPackage {}; - icalendar-vim = pkgs.callPackage {}; - jq-vim = pkgs.callPackage {}; - vim-fsharp = pkgs.callPackage {}; - vim-reason-plus = pkgs.callPackage {}; - vim-mail = pkgs.callPackage {}; + cheat-sh-vim = pkgs.callPackage ../packages/vimPlugins/cheat-sh.nix {}; + vim-fetch = pkgs.callPackage ../packages/vimPlugins/vim-fetch.nix {}; + vim-colors-paramount = pkgs.callPackage ../packages/vimPlugins/vim-colors-paramount.nix {}; + vim-256noir = pkgs.callPackage ../packages/vimPlugins/vim-256noir.nix {}; + icalendar-vim = pkgs.callPackage ../packages/vimPlugins/icalendar-vim.nix {}; + jq-vim = pkgs.callPackage ../packages/vimPlugins/jq-vim.nix {}; + vim-fsharp = pkgs.callPackage ../packages/vimPlugins/vim-fsharp.nix {}; + vim-reason-plus = pkgs.callPackage ../packages/vimPlugins/vim-reason-plus.nix {}; + vim-mail = pkgs.callPackage ../packages/vimPlugins/vim-mail.nix {}; }; }; @@ -24,7 +24,7 @@ (pkgs.writers.writeDashBin "vim" ''neovim "$@"'') (pkgs.neovim.override { configure = { - customRC = builtins.readFile ; + customRC = builtins.readFile ../lib/vim/init.vim; packages.nvim = with pkgs.vimPlugins; { start = [ ale diff --git a/configs/networkmanager.nix b/configs/networkmanager.nix index c4dc7607..7ba8e5d6 100644 --- a/configs/networkmanager.nix +++ b/configs/networkmanager.nix @@ -42,7 +42,7 @@ }; }; in { - imports = []; + imports = [../modules/networkmanager-declarative.nix]; programs.nm-applet.enable = true; 
@@ -55,39 +55,6 @@ in { wifi.macAddress = "random"; ethernet.macAddress = "random"; unmanaged = ["docker*"]; - profiles = lib.mapAttrs profile { - Aether = { - connection.uuid = "7138bb0f-1aeb-4905-890e-a6628427aa21"; - ipv6.addr-gen-mode = "stable"; - wifi.cloned-mac-address = "stable"; - wifi-security = { - psk = lib.strings.fileContents ; - auth-alg = "open"; - key-mgmt = "wpa-psk"; - }; - }; - FactoryCommunityGuest = { - connection.uuid = "fb1f2e52-651e-48b5-a72c-1accddf31afb"; - connection.timestamp = "1631885129"; - wifi.seen-bssids = "54:EC:2F:19:30:DC;54:EC:2F:19:5C:9C;54:EC:2F:58:E4:3C;"; - wifi-security = { - psk = "Factory4ever"; - auth-alg = "open"; - key-mgmt = "wpa-psk"; - }; - }; - o2-WLAN66 = { - connection.uuid = "c563aec3-f344-4ffb-8d1c-60a6cdac8fe0"; - wifi-security = { - psk = "PK3468KV488T934U"; - auth-alg = "open"; - key-mgmt = "wpa-psk"; - }; - }; - "WIFI@DB".connection.uuid = "4eff4e94-8850-4e9f-a338-1787d0d90479"; - eduroam = eduroamProfile; - eduroam_5GHz = eduroamProfile; - }; }; users.users.me.extraGroups = ["networkmanager"]; diff --git a/configs/nix.nix b/configs/nix.nix index 942fd4a9..a8cad1f9 100644 --- a/configs/nix.nix +++ b/configs/nix.nix @@ -1,13 +1,9 @@ {pkgs, ...}: { nixpkgs = { config.allowUnfree = true; - overlays = [ - (import ) - (import ) - ]; }; nix = { - package = pkgs.nixUnstable; + package = pkgs.nixFlakes; extraOptions = "experimental-features = nix-command flakes"; }; } diff --git a/configs/nsxiv.nix b/configs/nsxiv.nix deleted file mode 100644 index c9b68a79..00000000 --- a/configs/nsxiv.nix +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - pkgs, - lib, - ... -}: let - important-directories = pkgs.writeText "directories" '' - h ~/ - d ~/cloud/Dropbox/ - g ~/cloud/gdrive/ - s ~/cloud/Seafile/ - kk ~/cloud/keybase/private/kmein/ - kp ~/cloud/keybase/public/kmein/ - t /tmp - D ~/Downloads - cf ''${XDG_CONFIG_HOME:-$HOME/.config} - ''; -in { - environment.systemPackages = [pkgs.nsxiv]; - - # TODO fix - home-manager.users.me.xdg.configFile."nsxiv/exec/key-handler".source = pkgs.writers.writeDash "key-handler" '' - PATH=$PATH:${ - lib.makeBinPath [ - pkgs.gnused - pkgs.gawk - pkgs.dmenu - pkgs.coreutils - pkgs.libnotify - pkgs.imagemagick - pkgs.xclip - ] - } - - echo >&2 key "$1" pressed - while read file; do - case "$1" in - "c") - [ -z "$destdir" ] && destdir="$(sed "s/\s.*#.*$//;/^\s*$/d" ${important-directories} | awk '{print $2}' | dmenu -l 20 -i -p "Copy file(s) to where?" | sed "s|~|$HOME|g")" - [ -z "$destdir" ] && exit - [ ! -d "$destdir" ] && notify-send "$destdir is not a directory, cancelled." && exit - cp "$file" "$destdir" && notify-send -i "$(readlink -f "$file")" "$file copied to $destdir." & - ;; - "m") - [ -z "$destdir" ] && destdir="$(sed "s/\s.*#.*$//;/^\s*$/d" ${important-directories} | awk '{print $2}' | dmenu -l 20 -i -p "Move file(s) to where?" | sed "s|~|$HOME|g")" - [ -z "$destdir" ] && exit - [ ! -d "$destdir" ] && notify-send "$destdir is not a directory, cancelled." && exit - mv "$file" "$destdir" && notify-send -i "$(readlink -f "$file")" "$file moved to $destdir." & - ;; - "r") - convert -rotate 90 "$file" "$file" ;; - "R") - convert -rotate -90 "$file" "$file" ;; - "f") - convert -flop "$file" "$file" ;; - "y") - echo -n "$file" | xclip -selection clipboard && - notify-send "$file copied to clipboard" & ;; - "Y") - readlink -f "$file" | xclip -selection clipboard && - notify-send "$(readlink -f "$file") copied to clipboard" & ;; - "d") - [ "$(printf "No\\nYes" | dmenu -i -p "Really delete $file?")" = "Yes" ] && rm "$file" && notify-send "$file deleted." 
;; - esac - done - ''; -} diff --git a/configs/packages.nix b/configs/packages.nix index e309fe4f..66c73685 100644 --- a/configs/packages.nix +++ b/configs/packages.nix @@ -1,14 +1,19 @@ { + config, pkgs, lib, + inputs, ... }: let - hc = pkgs.callPackage {utillinux = pkgs.util-linux;}; - worldradio = pkgs.callPackage {}; - menstruation = pkgs.callPackage {}; - pandoc-doc = pkgs.callPackage {}; + hc = pkgs.callPackage ../packages/hc.nix {}; + worldradio = pkgs.callPackage ../packages/worldradio.nix {}; + pandoc-doc = pkgs.callPackage ../packages/man/pandoc.nix {}; + dic = pkgs.callPackage ../packages/dic.nix {}; + untilport = pkgs.callPackage ../packages/untilport.nix {}; + cyberlocker-tools = pkgs.callPackage ../packages/cyberlocker-tools.nix {}; + kpaste = pkgs.callPackage ../packages/kpaste.nix {}; - scripts = import {inherit pkgs lib;}; + scripts = import ../packages/scripts {inherit config pkgs lib;}; zoteroStyle = { name, @@ -56,7 +61,7 @@ ''; }); - recht = pkgs.callPackage {}; + recht = pkgs.callPackage inputs.recht.outPath {}; in { home-manager.users.me.home.file = { ".csl".source = cslDirectory; @@ -79,6 +84,7 @@ in { ffmpeg imagemagick exiftool + nsxiv # ARCHIVE TOOLS unzip unrar @@ -173,7 +179,6 @@ in { scripts.interdimensional-cable scripts.dmenubluetooth scripts.manual-sort - scripts.much-scripts scripts.dns-sledgehammer ts scripts.vg @@ -198,7 +203,7 @@ in { par qrencode - menstruation + inputs.menstruation-backend (pkgs.writers.writeDashBin "worldradio" '' shuf ${worldradio} | ${pkgs.findutils}/bin/xargs ${pkgs.mpv}/bin/mpv --no-video 
@@ -208,8 +213,8 @@ in { ${pkgs.openssh}/bin/ssh makanek "cd /var/lib/weechat/logs && grep --ignore-case --color=always --recursive $@" | ${pkgs.less}/bin/less --raw-control-chars '') - (pkgs.writers.writeDashBin "ncmpcpp-zaatar" ''MPD_HOST=${(import ).zaatar} exec ${pkgs.ncmpcpp}/bin/ncmpcpp "$@"'') - (pkgs.writers.writeDashBin "mpc-zaatar" ''MPD_HOST=${(import ).zaatar} exec ${pkgs.mpc_cli}/bin/mpc "$@"'') + (pkgs.writers.writeDashBin "ncmpcpp-zaatar" ''MPD_HOST=${(import ../lib/local-network.nix).zaatar} exec ${pkgs.ncmpcpp}/bin/ncmpcpp "$@"'') + (pkgs.writers.writeDashBin "mpc-zaatar" ''MPD_HOST=${(import ../lib/local-network.nix).zaatar} exec ${pkgs.mpc_cli}/bin/mpc "$@"'') spotify ncspot @@ -223,9 +228,7 @@ in { cyberlocker-tools untilport kpaste - irc-announce - git-preview - ircaids + config.nur.repos.mic92.ircsink (python3.withPackages (py: [ py.black @@ -270,11 +273,12 @@ in { shellcheck (pkgs.writers.writeDashBin "hass-cli" '' - HASS_SERVER=http://zaatar.r:8123 HASS_TOKEN=${lib.strings.fileContents } exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@" + HASS_SERVER=http://zaatar.r:8123 HASS_TOKEN="$(cat ${config.age.secrets.home-assistant-token.path})" exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@" '') - scripts.rofi-hass ]; + age.secrets.home-assistant-token.file = ../secrets/home-assistant-token.age; + home-manager.users.me.xdg.configFile."pycodestyle".text = '' [pycodestyle] max-line-length = 110 diff --git a/configs/power-action.nix b/configs/power-action.nix index 7006442b..593e7c38 100644 --- a/configs/power-action.nix +++ b/configs/power-action.nix 
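Review bot: `config.nur.repos.mic92.ircsink` in the `@@ -223` hunk pulls a package expression from a community NUR repository, which is not reviewed by nixpkgs, and nothing in this diff shows how the NUR input is pinned; it should be locked like the other flake inputs used here (`inputs.recht`, `inputs.menstruation-backend`) so that an upstream push cannot silently change what gets installed. A short comment at the use site would help the next reader, e.g. `# third-party NUR expression (not reviewed by nixpkgs); keep pinned through the flake lock`. The `HASS_TOKEN="$(cat ${config.age.secrets.home-assistant-token.path})"` wrapper is an improvement over the store-embedded token, since the value only reaches the environment of the child process rather than its argv.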
@@ -5,15 +5,15 @@ }: let suspend = pkgs.writers.writeDash "suspend" "${pkgs.systemd}/bin/systemctl suspend"; in { - imports = []; + imports = [../modules/power-action.nix]; - krebs.power-action = { + services.power-action = { enable = true; plans.suspend = { upperLimit = 7; lowerLimit = 0; charging = false; - action = pkgs.writeDash "suspend-wrapper" '' + action = pkgs.writers.writeDash "suspend-wrapper" '' /run/wrappers/bin/sudo ${suspend} ''; }; @@ -21,6 +21,6 @@ in { }; security.sudo.extraConfig = '' - ${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${suspend} + ${config.services.power-action.user} ALL= (root) NOPASSWD: ${suspend} ''; } diff --git a/configs/printing.nix b/configs/printing.nix index 129e39c9..3e474c5a 100644 --- a/configs/printing.nix +++ b/configs/printing.nix @@ -1,5 +1,5 @@ {pkgs, ...}: let - inherit (import ) localAddresses; + inherit (import ../lib) localAddresses; hp-driver = pkgs.hplip; in { services.printing = { diff --git a/configs/retiolum.nix b/configs/retiolum.nix index 230d027c..180b274d 100644 --- a/configs/retiolum.nix +++ b/configs/retiolum.nix @@ -3,14 +3,10 @@ pkgs, ... }: { - imports = [ - - ]; - networking.hosts = {"42:0:ca48:f98f:63d7:31ce:922b:245d" = ["go"];}; services.tinc.networks.retiolum = { - rsaPrivateKeyFile = toString ; - ed25519PrivateKeyFile = toString ; + rsaPrivateKeyFile = config.age.secrets.retiolum-rsa.path; + ed25519PrivateKeyFile = config.age.secrets.retiolum-ed25519.path; }; } diff --git a/configs/ssh.nix b/configs/ssh.nix index a0228400..36f14488 100644 --- a/configs/ssh.nix +++ b/configs/ssh.nix 
@@ -4,11 +4,13 @@ lib, ... }: let - inherit (import ) sshPort kieran; - externalNetwork = import ; + inherit (import ../lib) sshPort kieran; + externalNetwork = import ../lib/external-network.nix; sshIdentity = name: "${config.users.users.me.home}/.ssh/${name}"; ssh-passphrase = lib.strings.fileContents ; in { + /* + TODO how do I do this? services.xserver.displayManager.sessionCommands = toString (pkgs.writeScript "ssh-add" '' #!${pkgs.expect}/bin/expect -f spawn ${pkgs.openssh}/bin/ssh-add @@ -17,6 +19,7 @@ in { expect "Identity added: *" interact ''); + */ programs.ssh.startAgent = true; diff --git a/configs/sshd.nix b/configs/sshd.nix index d04c89e4..8bc71bb6 100644 --- a/configs/sshd.nix +++ b/configs/sshd.nix @@ -4,7 +4,7 @@ pkgs, ... }: let - inherit (import ) sshPort kieran; + inherit (import ../lib) sshPort kieran; in { users.motd = "Welcome to ${config.networking.hostName}!"; diff --git a/configs/stardict.nix b/configs/stardict.nix index 2948ec20..d3ecfe37 100644 --- a/configs/stardict.nix +++ b/configs/stardict.nix @@ -169,7 +169,7 @@ exec ${pkgs.sdcv}/bin/sdcv --color --only-data-dir --data-dir ${makeStardictDataDir dicts} "$@" ''; - sdcvPager = pkgs.writeDash "sdcvPager" '' + sdcvPager = pkgs.writers.writeDash "sdcvPager" '' export PATH=${lib.makeBinPath [pkgs.gnused pkgs.ncurses pkgs.less]} sed " s!1!¹!gI diff --git a/configs/telegram-bots/astrology.nix b/configs/telegram-bots/astrology.nix index 9a4dc6ae..fe096cee 100644 --- a/configs/telegram-bots/astrology.nix +++ b/configs/telegram-bots/astrology.nix @@ -4,8 +4,6 @@ lib, ... }: let - unstable = import {inherit (config.nixpkgs) config;}; - toSymbols = pkgs.writers.writeDash "to-symbols" '' ${pkgs.gnused}/bin/sed ' s/\bTri\b/△/; 
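Review bot: `ssh-passphrase = lib.strings.fileContents ;` (angle-bracket path stripped in rendering) stays in the let block of configs/ssh.nix although its presumable only consumer, the expect-based `ssh-add` session command, is now inside a `/* … */` comment, so the binding is dead code that still documents the plaintext-to-store pattern this commit removes elsewhere. It should be deleted together with the commented block rather than parked; if the design is to be revisited later, a one-line `# TODO: load the key passphrase from an age secret at session start` carries the same information without keeping the old approach around. Both `externalNetwork = import ../lib/external-network.nix` and the `inherit (import ../lib)` line are consistent with the rest of the commit.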
@@ -46,14 +44,14 @@ in { niveum.telegramBots.transits = { enable = true; time = "*:0/1"; - token = lib.strings.fileContents ; + tokenFile = config.age.secrets.telegram-token-kmein.path; chatIds = ["-1001796440545"]; command = toString (pkgs.writers.writeDash "common-transits" '' now=$(${pkgs.coreutils}/bin/date +%_H:%M | ${pkgs.gnused}/bin/sed 's/^\s*//') date=$(${pkgs.coreutils}/bin/date +'%m %d %Y') { - ${unstable.astrolog}/bin/astrolog -qd $date -zN Berlin -Yt -Yd -d -R Uranus Neptune Pluto "North Node" -A 2 - ${unstable.astrolog}/bin/astrolog -Yt -Yd -q 10 22 1999 6:32 -zN Kassel -td $date -R Uranus Neptune Pluto "North Node" + ${pkgs.astrolog}/bin/astrolog -qd $date -zN Berlin -Yt -Yd -d -R Uranus Neptune Pluto "North Node" -A 2 + ${pkgs.astrolog}/bin/astrolog -Yt -Yd -q 10 22 1999 6:32 -zN Kassel -td $date -R Uranus Neptune Pluto "North Node" } | ${toSymbols} | ${pkgs.coreutils}/bin/sort -n | ${pkgs.gnugrep}/bin/grep "^$now" || : ''); }; diff --git a/configs/telegram-bots/autorenkalender.nix b/configs/telegram-bots/autorenkalender.nix index 97480b6c..4e9eeb57 100644 --- a/configs/telegram-bots/autorenkalender.nix +++ b/configs/telegram-bots/autorenkalender.nix @@ -1,6 +1,7 @@ { pkgs, lib, + config, ... }: let autorenkalender-package = pkgs.fetchFromGitHub { @@ -15,12 +16,14 @@ in { niveum.telegramBots.autorenkalender = { enable = true; time = "07:00"; - token = lib.strings.fileContents ; + tokenFile = config.age.secrets.telegram-token-kmein.path; chatIds = ["@autorenkalender"]; parseMode = "Markdown"; command = "${autorenkalender}/bin/autorenkalender"; }; + age.secrets.telegram-token-kmein.file = ../../secrets/telegram-token-kmein.age; + niveum.passport.services = [ { title = "Autorenkalender"; diff --git a/configs/telegram-bots/celan.nix b/configs/telegram-bots/celan.nix index 0070c329..15fd8e6e 100644 --- a/configs/telegram-bots/celan.nix +++ b/configs/telegram-bots/celan.nix @@ -1,6 +1,7 @@ { pkgs, lib, + config, ... }: let celan = pkgs.fetchzip { 
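Review bot: `age.secrets.telegram-token-kmein.file` is declared only in configs/telegram-bots/autorenkalender.nix, yet the same secret is consumed in astrology.nix, celan.nix, hesychius.nix, literature-quote.nix, smyth.nix and tlg-wotd.nix. Every one of those bots now depends on autorenkalender.nix staying in the import list; removing or disabling that one file would break the others with a missing attribute at `config.age.secrets.telegram-token-kmein.path`. Moving the declaration to configs/telegram-bots/default.nix next to the `telegram-token-reverse`/`-betacode`/`-proverb` entries — `telegram-token-kmein.file = ../../secrets/telegram-token-kmein.age;` — ties the shared secret to the shared import.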
@@ -11,7 +12,7 @@ in { niveum.telegramBots.celan = { enable = true; time = "08:00"; - token = lib.strings.fileContents ; + tokenFile = config.age.secrets.telegram-token-kmein.path; chatIds = ["@PaulCelan"]; command = toString (pkgs.writers.writeDash "random-celan" '' cd ${celan} diff --git a/configs/telegram-bots/default.nix b/configs/telegram-bots/default.nix index 9131db7b..6f15ae7a 100644 --- a/configs/telegram-bots/default.nix +++ b/configs/telegram-bots/default.nix @@ -2,17 +2,13 @@ config, pkgs, lib, + inputs, ... }: let - nixpkgs-21-11 = import (builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-21.11.tar.gz") { - config.permittedInsecurePackages = [ - "python3.9-poetry-1.1.12" - ]; - }; - telebots = nixpkgs-21-11.callPackage {}; + telebots = inputs.telebots.defaultPackage.x86_64-linux; reverseDirectory = "/run/telegram-reverse"; proverbDirectory = "/run/telegram-proverb"; - inherit (import ) tmpfilesConfig; + inherit (import ../../lib) tmpfilesConfig; in { imports = [ ./literature-quote.nix @@ -23,7 +19,7 @@ in { ./nachtischsatan.nix ./tlg-wotd.nix ./celan.nix - + ../../modules/telegram-bot.nix ]; systemd.tmpfiles.rules = map (path: 
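Review bot: In configs/telegram-bots/default.nix, `telebots = inputs.telebots.defaultPackage.x86_64-linux;` hard-codes the system, while flake.nix in this same commit builds `ful` for `aarch64-linux`; importing this module there would pull an x86_64 store path onto the wrong architecture. `inputs.telebots.defaultPackage.${pkgs.system}` (or `packages.${pkgs.system}.default`, if the telebots flake exposes the newer attribute) follows the host it is evaluated for. The unused `lib` argument can also be dropped from the module header now that `lib.strings.fileContents` is gone, unless it is still referenced outside the hunk.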
@@ -52,33 +48,45 @@ in { } ]; + age.secrets = { + telegram-token-reverse.file = ../../secrets/telegram-token-reverse.age; + telegram-token-betacode.file = ../../secrets/telegram-token-betacode.age; + telegram-token-proverb.file = ../../secrets/telegram-token-proverb.age; + }; + systemd.services.telegram-reverse = { wantedBy = ["multi-user.target"]; description = "Telegram reverse bot"; path = [pkgs.ffmpeg]; - environment.TELEGRAM_BOT_TOKEN = lib.strings.fileContents ; enable = true; - script = "${telebots}/bin/telegram-reverse"; + script = '' + TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${telebots}/bin/telegram-reverse + ''; serviceConfig.Restart = "always"; serviceConfig.WorkingDirectory = reverseDirectory; + serviceConfig.LoadCredential = "token:${config.age.secrets.telegram-token-reverse.path}"; }; systemd.services.telegram-betacode = { wantedBy = ["multi-user.target"]; description = "Telegram beta code bot"; - environment.TELEGRAM_BOT_TOKEN = lib.strings.fileContents ; enable = true; - script = "${telebots}/bin/telegram-betacode"; + script = '' + TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${telebots}/bin/telegram-betacode + ''; serviceConfig.Restart = "always"; + serviceConfig.LoadCredential = "token:${config.age.secrets.telegram-token-betacode.path}"; }; systemd.services.telegram-proverb = { wantedBy = ["multi-user.target"]; description = "Telegram proverb bot"; - environment.TELEGRAM_BOT_TOKEN = lib.strings.fileContents ; enable = true; - script = "${telebots}/bin/telegram-proverb"; + script = '' + TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${telebots}/bin/telegram-proverb + ''; serviceConfig.Restart = "always"; serviceConfig.WorkingDirectory = proverbDirectory; + serviceConfig.LoadCredential = "token:${config.age.secrets.telegram-token-proverb.path}"; }; } diff --git a/configs/telegram-bots/hesychius.nix b/configs/telegram-bots/hesychius.nix index fa2112d5..53e55edc 100644 
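Review bot: The three `systemd.services.telegram-*` units in configs/telegram-bots/default.nix gain `LoadCredential` but set no `User`/`DynamicUser`, so unless one is set elsewhere the bots keep running as root with the token in their environment. `LoadCredential` is built for the unprivileged case: adding `serviceConfig.DynamicUser = true;` to each unit makes `$CREDENTIALS_DIRECTORY/token` readable to the service user without touching the secret's ownership; if the bots write into `WorkingDirectory` (`/run/telegram-reverse`, `/run/telegram-proverb`, apparently created via `systemd.tmpfiles.rules`), switch those to `RuntimeDirectory`/`StateDirectory` so the dynamic user owns them. The `TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${telebots}/bin/telegram-<name>` line and the `LoadCredential` pair are repeated verbatim three times; a small `mkBot = name: { … }` helper in the `let` block would leave only `path`, `description` and `WorkingDirectory` per bot.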
--- a/configs/telegram-bots/hesychius.nix +++ b/configs/telegram-bots/hesychius.nix @@ -1,14 +1,16 @@ { pkgs, + config, + inputs, lib, ... }: let - hesychius = + "/hesychius/hesychius.txt"; + hesychius = inputs.scripts.outPath + "/hesychius/hesychius.txt"; in { niveum.telegramBots.hesychius = { enable = true; time = "08:00"; - token = lib.strings.fileContents ; + tokenFile = config.age.secrets.telegram-token-kmein.path; chatIds = ["@HesychiosAlexandreus"]; command = "${pkgs.coreutils}/bin/shuf -n1 ${hesychius}"; }; diff --git a/configs/telegram-bots/literature-quote.nix b/configs/telegram-bots/literature-quote.nix index 77602da6..67fb7f5a 100644 --- a/configs/telegram-bots/literature-quote.nix +++ b/configs/telegram-bots/literature-quote.nix @@ -1,15 +1,16 @@ { pkgs, + config, lib, ... }: let - scripts = import {inherit pkgs lib;}; + scripts = import ../../packages/scripts {inherit config pkgs lib;}; inherit (scripts) literature-quote; in { niveum.telegramBots.quotebot = { enable = true; time = "08/6:00"; - token = lib.strings.fileContents ; + tokenFile = config.age.secrets.telegram-token-kmein.path; chatIds = ["-1001760262519"]; command = "${literature-quote}/bin/literature-quote"; parseMode = "Markdown"; diff --git a/configs/telegram-bots/nachtischsatan.nix b/configs/telegram-bots/nachtischsatan.nix index 02a7b3bb..c274ef9c 100644 --- a/configs/telegram-bots/nachtischsatan.nix +++ b/configs/telegram-bots/nachtischsatan.nix @@ -1,9 +1,10 @@ { pkgs, + config, lib, ... }: let - nachtischsatan-bot = {token}: + nachtischsatan-bot = {tokenFile}: pkgs.writers.writePython3 "nachtischsatan-bot" { libraries = [pkgs.python3Packages.python-telegram-bot]; } '' 
@@ -18,11 +19,12 @@ update.message.reply_text("*flubberflubber*") - updater = Updater('${token}') + with open('${tokenFile}', 'r') as tokenFile: + updater = Updater(tokenFile.read().strip()) - updater.dispatcher.add_handler(MessageHandler(Filters.all, flubber)) - updater.start_polling() - updater.idle() + updater.dispatcher.add_handler(MessageHandler(Filters.all, flubber)) + updater.start_polling() + updater.idle() ''; in { systemd.services.telegram-nachtischsatan = { @@ -30,11 +32,13 @@ in { description = "*flubberflubber*"; enable = true; script = toString (nachtischsatan-bot { - token = lib.strings.fileContents ; + tokenFile = config.age.secrets.telegram-token-nachtischsatan.path; }); serviceConfig.Restart = "always"; }; + age.secrets.telegram-token-nachtischsatan.file = ../../secrets/telegram-token-nachtischsatan.age; + niveum.passport.services = [ { title = "Nachtischsatan-Bot"; diff --git a/configs/telegram-bots/smyth.nix b/configs/telegram-bots/smyth.nix index cfd80169..5f1d52d5 100644 --- a/configs/telegram-bots/smyth.nix +++ b/configs/telegram-bots/smyth.nix @@ -1,4 +1,5 @@ { + config, pkgs, lib, ... @@ -6,7 +7,7 @@ niveum.telegramBots.smyth = { enable = true; time = "08:00"; - token = lib.strings.fileContents ; + tokenFile = config.age.secrets.telegram-token-kmein.path; chatIds = ["@HerbertWeirSmyth"]; command = toString (pkgs.writers.writeDash "random-smyth" '' set -efu diff --git a/configs/telegram-bots/tlg-wotd.nix b/configs/telegram-bots/tlg-wotd.nix index 65d6ac95..fe418287 100644 --- a/configs/telegram-bots/tlg-wotd.nix +++ b/configs/telegram-bots/tlg-wotd.nix 
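Review bot: In configs/telegram-bots/nachtischsatan.nix the calls `updater.dispatcher.add_handler(...)`, `updater.start_polling()` and `updater.idle()` are re-indented into the `with open('${tokenFile}', 'r') as tokenFile:` block, so the secret file handle stays open for the whole lifetime of the bot (`idle()` blocks until shutdown). Keep the `with` block to the read only: `with open('${tokenFile}', 'r') as f:` / `    token = f.read().strip()` / `updater = Updater(token)`, and leave the three following lines at their original indentation. Reusing the Nix parameter's spelling `tokenFile` for the Python handle also makes the `${tokenFile}` interpolation harder to tell apart from the runtime variable.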
@@ -1,13 +1,14 @@ { pkgs, lib, + config, ... }: { niveum.telegramBots.tlg-wotd = { enable = true; time = "9:30"; - token = lib.strings.fileContents ; chatIds = ["@tlgwotd"]; + tokenFile = config.age.secrets.telegram-token-kmein.path; command = toString (pkgs.writers.writeDash "tlg-wotd" '' ${pkgs.curl}/bin/curl -sSL http://stephanus.tlg.uci.edu/Iris/Wotd \ | ${pkgs.recode}/bin/recode html..utf8 \ diff --git a/configs/wallpaper.nix b/configs/wallpaper.nix index e9de2d75..cea29f42 100644 --- a/configs/wallpaper.nix +++ b/configs/wallpaper.nix @@ -2,18 +2,27 @@ pkgs, lib, ... -}: { - imports = []; +}: let + url = "http://prism.r/realwallpaper-krebs-stars-berlin.png"; + stateDir = "~/.cache/wallpaper"; +in { + systemd.user.services.wallpaper = { + wantedBy = ["graphical-session.target"]; + after = ["network.target"]; + script = '' + set -euf - krebs.fetchWallpaper = { - enable = true; - url = "http://prism.r/realwallpaper-krebs-stars-berlin.png"; - }; - - users.users.fetchWallpaper.isSystemUser = true; - - services.xserver = { - display = lib.mkForce 0; # needed for fetchWallpaper to find the X display - displayManager.sessionCommands = "${pkgs.xorg.xhost}/bin/xhost +LOCAL:"; + mkdir -p ${stateDir} + chmod o+rx ${stateDir} + cd ${stateDir} + (${pkgs.curl}/bin/curl -s -o wallpaper.tmp -z wallpaper.tmp ${lib.escapeShellArg url} && cp wallpaper.tmp wallpaper) || : + ${pkgs.feh}/bin/feh --no-fehbg --bg-scale wallpaper + ''; + startAt = "*:00,10,20,30,40,50"; + serviceConfig = { + Restart = "always"; + RestartSec = "15s"; + StartLimitBurst = 0; + }; }; } diff --git a/flake.lock b/flake.lock index 0e69b739..216ba884 100644 --- a/flake.lock +++ b/flake.lock 
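Review bot: In configs/wallpaper.nix the fetch `curl -s -o wallpaper.tmp -z wallpaper.tmp ${lib.escapeShellArg url}` has no `-f`/`--fail`, so an HTTP error body (a 404 page, for instance) is written to `wallpaper.tmp`, curl still exits 0, and the `&& cp wallpaper.tmp wallpaper` copies it over the previous image; `-sf` keeps the `|| :` fallback meaningful. `Restart = "always"` combined with `RestartSec = "15s"` and `StartLimitBurst = 0` restarts the script indefinitely once it exits, which makes `startAt = "*:00,10,20,30,40,50"` redundant and turns the intended ten-minute poll into one every fifteen seconds; if one run per timer tick is wanted, use `serviceConfig.Type = "oneshot"` and drop `Restart`, and note that current systemd documents `StartLimitBurst` as a `[Unit]` setting (`unitConfig`). The `chmod o+rx ${stateDir}` on the user's cache directory deserves a one-line comment saying which other account needs to read it.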
@@ -1,5 +1,48 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1677021463, + "narHash": "sha256-K6mqm0VP9eOxNxKpFVI3MEiwZPOlN2TWtscsnLOWox0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "0c50bbe60e907c9a3a7512c591adc8e66f0393a0", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1676283394, 
@@ -15,24 +58,99 @@ "type": "github" } }, + "flake-utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "locked": { + "lastModified": 1676283394, + "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "locked": { + "lastModified": 1676283394, + "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ - "nixos-unstable" + "nixpkgs" ], "utils": "utils" }, "locked": { - "lastModified": 1676367705, - "narHash": "sha256-un5UbRat9TwruyImtwUGcKF823rCEp4fQxnsaLFL7CM=", + 
"lastModified": 1676257154, + "narHash": "sha256-eW3jymNLpdxS5fkp9NWKyNtgL0Gqtgg1vCTofKXDF1g=", "owner": "nix-community", "repo": "home-manager", - "rev": "da72e6fc6b7dc0c3f94edbd310aae7cd95c678b5", + "rev": "2cb27c79117a2a75ff3416c3199a2dc57af6a527", "type": "github" }, "original": { "owner": "nix-community", - "ref": "master", + "ref": "release-22.11", "repo": "home-manager", "type": "github" } @@ -43,7 +161,7 @@ "flake-utils" ], "nixpkgs": [ - "nixos-stable" + "nixpkgs" ] }, "locked": { @@ -61,13 +179,53 @@ } }, "menstruation-backend": { - "flake": false, + "inputs": { + "flake-utils": [ + "menstruation-backend", + "rust-overlay", + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1677075142, + "narHash": "sha256-0RXVZcK2YtPckd/3+jb+yLpeXZ6jnQe25w9idztDXi8=", + "owner": "kmein", + "repo": "menstruation.rs", + "rev": "e34af4393963cdbadb456b7b9ae2e95e6db7b8a3", + "type": "github" + }, + "original": { + "owner": "kmein", + "repo": "menstruation.rs", + "type": "github" + } + }, + "menstruation-backend_2": { + "inputs": { + "flake-utils": [ + "menstruation-telegram", + "menstruation-backend", + "rust-overlay", + "flake-utils" + ], + "nixpkgs": [ + "menstruation-telegram", + "menstruation-backend", + "rust-overlay", + "nixpkgs" + ], + "rust-overlay": "rust-overlay_2" + }, "locked": { - "lastModified": 1667816906, - "narHash": "sha256-VdckYVSQZfqThPb06Y5TGSI+kkibgM/G9pH5SQHIybI=", + "lastModified": 1677075142, + "narHash": "sha256-0RXVZcK2YtPckd/3+jb+yLpeXZ6jnQe25w9idztDXi8=", "owner": "kmein", "repo": "menstruation.rs", - "rev": "95c495d453c35f20a6a5641a88a862c668404acf", + "rev": "e34af4393963cdbadb456b7b9ae2e95e6db7b8a3", "type": "github" }, "original": { 
@@ -77,13 +235,17 @@ } }, "menstruation-telegram": { - "flake": false, + "inputs": { + "flake-utils": "flake-utils_3", + "menstruation-backend": "menstruation-backend_2", + "nixpkgs": "nixpkgs_3" + }, "locked": { - "lastModified": 1667816918, - "narHash": "sha256-yQSl0iKqHm7qFLELY8e7OzRRdnqSBbzJmQIYgkXlJpQ=", + "lastModified": 1677075205, + "narHash": "sha256-2+xuAhsS3y2qB0ObVPCHXrmnTsIZ8uI5HFI4+Ash8PY=", "owner": "kmein", "repo": "menstruation-telegram", - "rev": "828872cf9c425442705a95019eceee397bc1c03f", + "rev": "f7ddb6d9610aacb50ec66a3ce1bdc49fe4664a49", "type": "github" }, "original": { 
@@ -92,62 +254,159 @@ "type": "github" } }, - "nix-writers": { - "flake": false, + "nixinate": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, "locked": { - "lastModified": 1675197881, - "narHash": "sha256-gYtduNF59yqv4BgW4fC+tZHKE7cpOkZf+Y34psyFO5U=", - "ref": "refs/heads/master", - "rev": "d1424777b5f2e12cbd80efd1b55335dcba7c32bd", - "revCount": 38, - "type": "git", - "url": "https://cgit.krebsco.de/nix-writers" + "lastModified": 1671116920, + "narHash": "sha256-QmDGsUUmAGn77UTR7eQJmebl8f3IIUCtmbbAdJqKA3s=", + "owner": "matthewcroughan", + "repo": "nixinate", + "rev": "b4d17b8e2a4abc47e93e1a1c466e0286a63640d8", + "type": "github" }, "original": { - "type": "git", - "url": "https://cgit.krebsco.de/nix-writers" + "owner": "matthewcroughan", + "repo": "nixinate", + "type": "github" } }, - "nixos-stable": { + "nixpkgs": { "locked": { - "lastModified": 1676375384, - "narHash": "sha256-6HI3jZiuJX+KLz05cocYy2mBAWlISEKHU84ftYfxHZ8=", + "lastModified": 1665296151, + "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c43f676c938662072772339be6269226c77b51b8", + "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.11", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1665296151, + "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixos-unstable": { + "nixpkgs_3": { "locked": { - "lastModified": 1676300157, - "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=", + "lastModified": 1669418739, + "narHash": "sha256-T86oFvcUIRwHWBWUt7WjaP4BP/3lDGbv5AppQSI1FkI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": 
"545c7a31e5dedea4a6d372712a18e00ce097d462", + "rev": "695b3515251873e0a7e2021add4bba643c56cde3", "type": "github" }, "original": { "owner": "NixOS", + "repo": "nixpkgs", + "rev": "695b3515251873e0a7e2021add4bba643c56cde3", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1653060744, + "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "dfd82985c273aac6eced03625f454b334daae2e8", + "type": "github" + }, + "original": { + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs_5": { + "locked": { + "lastModified": 1676895851, + "narHash": "sha256-xdhBKw2el790G+88tZYpRWlP9VjQC9OLR5Jx84VPe08=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e19f25b587f15871d26442cfa1abe4418a815d7d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1659446231, + "narHash": "sha256-hekabNdTdgR/iLsgce5TGWmfIDZ86qjPhxDg/8TlzhE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "eabc38219184cc3e04a974fe31857d8e0eac098d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_7": { + "locked": { + "lastModified": 1665296151, + "narHash": "sha256-uOB0oxqxN9K7XGF1hcnY+PQnlQJ+3bP2vCn/+Ru/bbc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "14ccaaedd95a488dd7ae142757884d8e125b3363", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nur": { + "locked": { + "lastModified": 1677062856, + "narHash": "sha256-WE2OZupfe+ciV0axRdI4ch2Jk+V2pGgFoxuwTbETvDo=", + "owner": "nix-community", + "repo": "NUR", + "rev": "0418d68eef55022e6f50a5a0401bfdc21fbec8bd", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + 
} + }, "recht": { "flake": false, "locked": { - "lastModified": 1669719044, - "narHash": "sha256-WsLWlTM2Hrurj9kVajybIOavV9QPYiJweMCOQR6h+YI=", + "lastModified": 1677161248, + "narHash": "sha256-/yEG92y5ukwjoGrw++VEnis8Qw/tW/CkcE+mA8ufjGM=", "owner": "kmein", "repo": "recht", - "rev": "7c15b13328fb5cee01012c488ff235ee730cac70", + "rev": "a8a2f2a2c244ef052f54cc45149895a591da3231", "type": "github" }, "original": { 
@@ -173,22 +432,78 @@ }, "root": { "inputs": { + "agenix": "agenix", "flake-utils": "flake-utils", "home-manager": "home-manager", "krops": "krops", "menstruation-backend": "menstruation-backend", "menstruation-telegram": "menstruation-telegram", - "nix-writers": "nix-writers", - "nixos-stable": "nixos-stable", - "nixos-unstable": "nixos-unstable", + "nixinate": "nixinate", + "nixpkgs": "nixpkgs_5", + "nur": "nur", "recht": "recht", "retiolum": "retiolum", "scripts": "scripts", - "stockholm": "stockholm", "telebots": "telebots", "tinc-graph": "tinc-graph", - "traadfri": "traadfri", - "tuna": "tuna" + "traadfri": "traadfri" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1677033035, + "narHash": "sha256-w6XsKaW46kZNEk2vVfuoNIBEq/YzDy9kNk8cU0xJZEQ=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "6c9e8ea3ba73a9fed29ddc1cc52ade8e5c946a8d", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1677033035, + "narHash": "sha256-w6XsKaW46kZNEk2vVfuoNIBEq/YzDy9kNk8cU0xJZEQ=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "6c9e8ea3ba73a9fed29ddc1cc52ade8e5c946a8d", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_3": { + "inputs": { + "flake-utils": "flake-utils_6", + "nixpkgs": "nixpkgs_7" + }, + "locked": { + "lastModified": 1677119371, + "narHash": "sha256-L0Da4eKzDZrsy8ysOS1lhgDjAgEqGvYGf/lXaRd5/YQ=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "c67c79ea25664d66e74ae91a6fa0d6c65d12d3a7", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" } }, "scripts": { 
@@ -207,30 +522,17 @@ "type": "github" } }, - "stockholm": { - "flake": false, - "locked": { - "lastModified": 1676206058, - "narHash": "sha256-httLH/By88YYpnfYAEnke2gnLiayMlcznia0aDNqK28=", - "ref": "refs/heads/master", - "rev": "5234e1c7eaf478bc4ebd0edb48547168e91eba02", - "revCount": 11364, - "type": "git", - "url": "https://cgit.krebsco.de/stockholm" - }, - "original": { - "type": "git", - "url": "https://cgit.krebsco.de/stockholm" - } - }, "telebots": { - "flake": false, + "inputs": { + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_6" + }, "locked": { - "lastModified": 1623510321, - "narHash": "sha256-MxYNNL81RXZkYLd4IgiNTSo1X80kTuDzsdGNSA0f1y8=", + "lastModified": 1677156381, + "narHash": "sha256-OMhqYJO2bWtL6osTMpQhA4ySUl4gvJTI13m1agipHJ0=", "owner": "kmein", "repo": "telebots", - "rev": "22931c9457e092c4e413555dbe61819d77844246", + "rev": "5527e359e8394f2f66067de7f61587eb65055209", "type": "github" }, "original": { @@ -240,13 +542,23 @@ } }, "tinc-graph": { - "flake": false, + "inputs": { + "flake-utils": [ + "tinc-graph", + "rust-overlay", + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay_3" + }, "locked": { - "lastModified": 1666162569, - "narHash": "sha256-7ebWs/ryDebUMONkn6dPckNnUGrEuPQScoY+O/+vo+Q=", + "lastModified": 1677154877, + "narHash": "sha256-Kj+DirWozvH6q9CeNZJKKsAwZaUFAQYMswQqr5FsbcY=", "owner": "kmein", "repo": "tinc-graph", - "rev": "72a4b305fcb49cfd6d456103cda45888a6b34bbe", + "rev": "19035dda75f30586f93be0a0bcef8d48cde83797", "type": "github" }, "original": { @@ -271,22 +583,6 @@ "type": "github" } }, - "tuna": { - "flake": false, - "locked": { - "lastModified": 1627117248, - "narHash": "sha256-OfqbWLblJY4BJlrCpn8EkHoP3baNJSDTbw45SPaX+0Q=", - "owner": "kmein", - "repo": "tuna", - "rev": "1cbed44069a3009738afdafecefe0a05316039a6", - "type": "github" - }, - "original": { - "owner": "kmein", - "repo": "tuna", - "type": "github" - } - }, "utils": { "locked": { "lastModified": 1667395993, 
diff --git a/flake.nix b/flake.nix index 4b001e31..85f8cb34 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,193 +2,161 @@ description = "niveum: packages, modules, systems"; inputs = { - nixos-stable.url = "github:NixOS/nixpkgs/nixos-22.11"; - nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; - + agenix.url = "github:ryantm/agenix"; flake-utils.url = "github:numtide/flake-utils"; - home-manager = { - url = "github:nix-community/home-manager/master"; - inputs.nixpkgs.follows = "nixos-unstable"; - }; - krops = { - url = "github:kmein/krops"; - inputs.nixpkgs.follows = "nixos-stable"; - inputs.flake-utils.follows = "flake-utils"; - }; + home-manager.url = "github:nix-community/home-manager/release-22.11"; + krops.url = "github:kmein/krops"; + menstruation-backend.url = "github:kmein/menstruation.rs"; + menstruation-telegram.url = "github:kmein/menstruation-telegram"; + nixinate.url = "github:matthewcroughan/nixinate"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; + nur.url = "github:nix-community/NUR"; + recht.url = "github:kmein/recht"; retiolum.url = "git+https://git.thalheim.io/Mic92/retiolum"; + telebots.url = "github:kmein/telebots"; + tinc-graph.url = "github:kmein/tinc-graph"; + + agenix.inputs.nixpkgs.follows = "nixpkgs"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + krops.inputs.flake-utils.follows = "flake-utils"; + krops.inputs.nixpkgs.follows = "nixpkgs"; + menstruation-backend.inputs.flake-utils.follows = "flake-utils"; + menstruation-backend.inputs.nixpkgs.follows = "nixpkgs"; + menstruation-telegram.inputs.flake-utils.follows = "flake-utils"; + menstruation-telegram.inputs.nixpkgs.follows = "nixpkgs"; + nixinate.inputs.nixpkgs.follows = "nixpkgs"; + recht.inputs.flake-utils.follows = "flake-utils"; + recht.inputs.nixpkgs.follows = "nixpkgs"; + retiolum.inputs.nixpkgs.follows = "nixpkgs"; + tinc-graph.inputs.flake-utils.follows = "flake-utils"; + tinc-graph.inputs.nixpkgs.follows = "nixpkgs"; # legacy - menstruation-backend = { - url = "github:kmein/menstruation.rs"; - flake = false; - }; - menstruation-telegram = { - url = 
"github:kmein/menstruation-telegram"; - flake = false; - }; - nix-writers = { - url = "git+https://cgit.krebsco.de/nix-writers"; - flake = false; - }; - recht = { - url = "github:kmein/recht"; - flake = false; - }; scripts = { url = "github:kmein/scripts"; flake = false; }; - stockholm = { - url = "git+https://cgit.krebsco.de/stockholm"; - flake = false; - }; - telebots = { - url = "github:kmein/telebots"; - flake = false; - }; - tinc-graph = { - url = "github:kmein/tinc-graph"; - flake = false; - }; traadfri = { url = "github:kmein/traadfri"; flake = false; }; - tuna = { - url = "github:kmein/tuna"; - flake = false; - }; }; - outputs = { + outputs = inputs @ { self, - flake-utils, + nixpkgs, + nur, home-manager, - krops, - menstruation-backend, - menstruation-telegram, - nix-writers, - nixos-unstable, - nixos-stable, - recht, + nixinate, + agenix, retiolum, - scripts, - stockholm, - telebots, - tinc-graph, - traadfri, - tuna, - } @ inputs: let - system = "x86_64-linux"; - pkgs = nixos-stable.legacyPackages.${system}; - home = - if nixos-stable.lib.inPureEvalMode or false - then _: /nonexistent - else import lib/home.nix; - source = { - sources, - unstable, - name, - }: - { - niveum.file = toString ./.; - nixos-config.symlink = "niveum/systems/${name}/configuration.nix"; - system-secrets.pass = { - dir = toString (home /.password-store); - name = "systems/${name}"; - }; - secrets.pass = { - dir = toString (home /.password-store); - name = "shared"; - }; - nixpkgs.git = { - url = "https://github.com/NixOS/nixpkgs"; - ref = - ( - if unstable - then inputs.nixos-unstable - else inputs.nixos-stable - ) - .rev; - shallow = true; - }; - } - // nixos-stable.lib.mapAttrs' (name: value: { - inherit name; - value.git = { - url = let - github = x: "https://github.com/${x}"; - in - { - home-manager = github "nix-community/home-manager"; - menstruation-backend = github "kmein/menstruation.rs"; - menstruation-telegram = github "kmein/menstruation-telegram"; - nixos-unstable = 
github "NixOS/nixpkgs"; - nix-writers = "https://cgit.krebsco.de/nix-writers"; - recht = github "kmein/recht"; - retiolum = "https://git.thalheim.io/Mic92/retiolum"; - stockholm = "https://cgit.krebsco.de/stockholm"; - scripts = github "kmein/scripts"; - telebots = github "kmein/telebots"; - tinc-graph = github "kmein/tinc-graph"; - traadfri = github "kmein/traadfri"; - } - .${name}; - ref = value.rev; - shallow = true; - }; - }) (nixos-stable.lib.filterAttrs (name: _: builtins.elem name sources) inputs); - deployScriptFor = { - name, - user ? "root", - host, - unstable ? false, - sshPort ? (import ./lib/default.nix).sshPort, - sources, - }: - toString (krops.packages.${system}.writeDeploy "deploy-${name}" { - source = krops.lib.evalSource [(source {inherit sources unstable name;})]; - target = "${user}@${host}:${toString sshPort}"; - useNixOutputMonitor = true; - }); + ... + }: let in { - apps.${system} = let - forSystems = f: builtins.listToAttrs (map f (builtins.attrNames (builtins.readDir ./systems))); - externalNetwork = import ./lib/external-network.nix; - deployScripts = forSystems (name: { - name = "deploy-${name}"; - value = { - type = "app"; - program = deployScriptFor { - inherit name; - host = - if externalNetwork ? 
name - then externalNetwork.${name} - else "${name}.r"; - unstable = false; # name == "kabsa" || name == "manakish"; - sources = - ["nix-writers" "nixpkgs" "retiolum" "stockholm"] - ++ { - zaatar = ["traadfri" "nixos-unstable"]; - ful = []; - tahina = []; - tabula = []; - kabsa = ["traadfri" "nixos-unstable" "home-manager" "menstruation-backend" "recht"]; - manakish = ["traadfri" "nixos-unstable" "home-manager" "menstruation-backend" "recht"]; - makanek = ["nixos-unstable" "menstruation-telegram" "menstruation-backend" "scripts" "telebots" "tinc-graph"]; - } - .${name}; - }; - }; - }); - ciScripts = forSystems (name: { - name = "build-${name}"; - value = { - type = "app"; - program = import ./ci.nix {inherit name system inputs;}; - }; - }); - in - deployScripts // ciScripts; + apps = nixinate.nixinate.x86_64-linux self; + + nixosConfigurations = { + ful = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + modules = [ + systems/ful/configuration.nix + agenix.nixosModules.default + retiolum.nixosModules.retiolum + ]; + }; + zaatar = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + { + _module.args.nixinate = { + host = "zaatar"; + sshUser = "root"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; + } + systems/zaatar/configuration.nix + agenix.nixosModules.default + retiolum.nixosModules.retiolum + ]; + }; + makanek = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + # for using inputs in other config files + specialArgs = {inherit inputs;}; + modules = [ + { + _module.args.nixinate = { + host = "makanek"; + sshUser = "root"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; + } + systems/makanek/configuration.nix + agenix.nixosModules.default + retiolum.nixosModules.retiolum + nur.nixosModules.nur + ]; + }; + tahina = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + systems/tahina/configuration.nix + agenix.nixosModules.default + retiolum.nixosModules.retiolum + ]; 
+ }; + tabula = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + systems/tabula/configuration.nix + agenix.nixosModules.default + retiolum.nixosModules.retiolum + ]; + }; + manakish = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = {inherit inputs;}; + modules = [ + { + _module.args.nixinate = { + host = "manakish"; + sshUser = "root"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; + } + systems/manakish/configuration.nix + agenix.nixosModules.default + retiolum.nixosModules.retiolum + home-manager.nixosModules.home-manager + nur.nixosModules.nur + ]; + }; + kabsa = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = {inherit inputs;}; + modules = [ + { + _module.args.nixinate = { + host = "kabsa"; + sshUser = "root"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; + } + systems/kabsa/configuration.nix + agenix.nixosModules.default + retiolum.nixosModules.retiolum + home-manager.nixosModules.home-manager + nur.nixosModules.nur + ]; + }; + }; }; } diff --git a/lib/email.nix b/lib/email.nix index 933707ce..960c84dd 100644 --- a/lib/email.nix +++ b/lib/email.nix @@ -2,7 +2,6 @@ cock = rec { user = "2210@cock.li"; address = user; - password = lib.strings.fileContents ; imap = "mail.cock.li"; smtp = imap; smtpSettings = smtp: "smtp://${smtp}:587"; diff --git a/lib/i3status-rust.nix b/lib/i3status-rust.nix index 0f2c0edd..addb8d38 100644 --- a/lib/i3status-rust.nix +++ b/lib/i3status-rust.nix @@ -43,7 +43,6 @@ in { format = "{location}: {temp}C"; service = { name = "openweathermap"; - api_key = lib.strings.fileContents ; city_id = "2950159"; units = "metric"; }; @@ -52,7 +51,7 @@ in { block = "custom"; interval = 60 * 5; command = let - spacetime = import ; + spacetime = import ../configs/spacetime.nix; in pkgs.writers.writePython3 "sun.py" { libraries = [pkgs.python3Packages.astral]; 
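Review bot: In flake.nix the new `follows` block covers every input except `telebots`, and flake.lock in this commit shows the consequence: `telebots` pins its own `nixpkgs_6`, whose `original.ref` is `nixos-21.11`, so the bot binaries started from configs/telegram-bots/default.nix are built against a nixpkgs branch that no longer receives updates while the rest of the system tracks `nixos-22.11`. Adding `telebots.inputs.nixpkgs.follows = "nixpkgs";` and `telebots.inputs.flake-utils.follows = "flake-utils";` brings it onto the same pinned tree (the lock confirms the telebots flake has both inputs). On style, the seven `nixosSystem` calls repeat the `agenix.nixosModules.default`/`retiolum.nixosModules.retiolum` pair and four copies of the `_module.args.nixinate` block that differ only in `host`; a `mkHost = name: extraModules: …` helper would make the per-host differences visible, the empty `let in {` can go, and the `# legacy` comment now describes only `scripts` and `traadfri`.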
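Review bot: Removing `api_key = lib.strings.fileContents …;` from the openweathermap block in lib/i3status-rust.nix leaves the weather block with no credential, and nothing in the hunk supplies one by another route. i3status-rust's weather block can, per its documentation, take the key from the `OPENWEATHERMAP_API_KEY` environment variable; if that is the plan, the i3status-rust process needs that variable exported from an `age.secrets.*.path` at runtime, otherwise the block will error on every refresh. A comment at the block such as `# api_key intentionally omitted: supplied via OPENWEATHERMAP_API_KEY (see <where it is exported>)` would record where the key now comes from.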
diff --git a/modules/htgen.nix b/modules/htgen.nix new file mode 100644 index 00000000..6f1e0431 --- /dev/null +++ b/modules/htgen.nix @@ -0,0 +1,47 @@ +{ + config, + lib, + pkgs, + ... +}: let + htgen = pkgs.callPackage ../packages/htgen.nix {}; +in { + options.services.htgen = lib.mkOption { + default = {}; + type = lib.types.attrsOf (lib.types.submodule ({config, ...}: { + options = { + enable = lib.mkEnableOption "htgen-${config._module.args.name}"; + port = lib.mkOption { + type = lib.types.int; + }; + script = lib.mkOption { + type = lib.types.str; + }; + }; + })); + }; + config = { + systemd.services = + lib.mapAttrs' ( + name: cfg: + lib.nameValuePair "htgen-${name}" { + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + environment = { + HOME = "/var/lib/htgen-${name}"; + HTGEN_PORT = toString cfg.port; + HTGEN_SCRIPT = cfg.script; + }; + serviceConfig = { + SyslogIdentifier = "htgen-${name}"; + DynamicUser = true; + StateDirectory = "htgen-${name}"; + PrivateTmp = true; + Restart = "always"; + ExecStart = "${htgen}/bin/htgen --serve"; + }; + } + ) + config.services.htgen; + }; +} diff --git a/modules/moodle-dl.nix b/modules/moodle-dl.nix index 2ce45225..ca1c60f9 100644 --- a/modules/moodle-dl.nix +++ b/modules/moodle-dl.nix @@ -23,6 +23,13 @@ in { ''; }; + tokensFile = mkOption { + type = types.path; + description = '' + Path to a JSON file containing a "token" key and, optionally, a "telegram"."token" key. + ''; + }; + notifyOnly = mkOption { default = false; type = types.bool; 
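Review bot: In modules/htgen.nix the per-instance `enable` option (`lib.mkEnableOption "htgen-${config._module.args.name}"`) is declared but never consulted: `lib.mapAttrs'` creates a `systemd.services.htgen-<name>` for every entry of `config.services.htgen`, so `enable = false` still starts the service. Filter first: `lib.mapAttrs' (name: cfg: …) (lib.filterAttrs (_: cfg: cfg.enable) config.services.htgen)`. `port` could use `lib.types.port` instead of `lib.types.int` to reject out-of-range values at evaluation, and a `description` on `script` saying what `HTGEN_SCRIPT` is expected to hold (a shell snippet, a path?) would help, since this module is the only documentation of the interface. The `DynamicUser`/`PrivateTmp`/`StateDirectory` baseline is a good default for a network-facing service.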
@@ -74,7 +81,7 @@ in { Group = config.users.groups.moodle-dl.name; WorkingDirectory = cfg.directory; ExecStart = "${cfg.package}/bin/moodle-dl ${lib.optionalString cfg.notifyOnly "--without-downloading-files"}"; - ExecStartPre = "${pkgs.coreutils}/bin/ln -sfn ${toString moodle-dl-json} ${cfg.directory}/config.json"; + ExecStartPre = "${pkgs.jq}/bin/jq -s '.[0] *.[1]' ${toString moodle-dl-json} ${toString cfg.tokensFile} > ${cfg.directory}/config.json"; } (mkIf (cfg.directory == stateDirectoryDefault) {StateDirectory = "moodle-dl";}) ]; diff --git a/modules/power-action.nix b/modules/power-action.nix new file mode 100644 index 00000000..71fd8f14 --- /dev/null +++ b/modules/power-action.nix 
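Review bot: systemd does not run `ExecStartPre` through a shell, so the `>` in the new `ExecStartPre` line is handed to jq as a literal argument instead of redirecting output; jq will fail to open a file named `>` and the unit never starts. Wrap the command in a script, e.g. `ExecStartPre = toString (pkgs.writeShellScript "moodle-dl-config" "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${toString moodle-dl-json} ${toString cfg.tokensFile} > ${cfg.directory}/config.json");`. The merged `config.json` then holds the token and is written into `cfg.directory` under the service user's umask, so confirm that directory is not readable by other users; the enclosing `serviceConfig` starts outside this hunk.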
@@ -0,0 +1,94 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.services.power-action;
+
+ out = {
+ options.services.power-action = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "power-action";
+ battery = mkOption {
+ type = types.str;
+ default = "BAT0";
+ };
+ user = mkOption {
+ type = types.str;
+ default = "power-action";
+ };
+ startAt = mkOption {
+ type = types.str;
+ default = "*:0/1";
+ };
+ plans = mkOption {
+ type = with types;
+ attrsOf (submodule {
+ options = {
+ charging = mkOption {
+ type = nullOr bool;
+ default = null;
+ description = ''
+ check for charging status.
+ null = don't care
+ true = only if system is charging or unknown
+ false = only if system is discharging
+ '';
+ };
+ upperLimit = mkOption {
+ type = int;
+ };
+ lowerLimit = mkOption {
+ type = int;
+ };
+ action = mkOption {
+ type = path;
+ };
+ };
+ });
+ };
+ };
+
+ imp = {
+ systemd.services.power-action = {
+ serviceConfig = rec {
+ ExecStart = startScript;
+ User = cfg.user;
+ };
+ startAt = cfg.startAt;
+ };
+ };
+
+ startScript = pkgs.writers.writeDash "power-action" ''
+ set -euf
+
+ power="$(${powerlvl})"
+ state="$(${state})"
+ ${concatStringsSep "\n" (mapAttrsToList writeRule cfg.plans)}
+ '';
+ charging_check = plan:
+ if (plan.charging == null)
+ then ""
+ else if plan.charging
+ then ''&& [ "$state" = "true" ]''
+ else ''&& ! [ "$state" = "true" ]'';
+
+ writeRule = _: plan: "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
+
+ powerlvl = pkgs.writers.writeDash "powerlvl" ''
+ cat /sys/class/power_supply/${cfg.battery}/capacity
+ '';
+
+ state = pkgs.writers.writeDash "state" ''
+ if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ]
+ then echo "false"
+ else echo "true"
+ fi
+ '';
+in
+ out
diff --git a/modules/telegram-bot.nix b/modules/telegram-bot.nix
index 42d16648..9e233b2d 100644
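Review bot: `User = cfg.user` defaults to `power-action`, but nothing in modules/power-action.nix declares that user, so with the default the unit fails at start-up ("Failed to determine user credentials") unless the user is created elsewhere; either declare it in `imp` with `users.users.${cfg.user} = { isSystemUser = true; group = cfg.user; }; users.groups.${cfg.user} = {};` or drop the default and document that the user must exist. Since each `plan.action` is executed as that user on every timer tick, the `action` option should carry a description saying so, as it currently has none. In `writeRule` `$power` is embedded unquoted; `set -euf` makes that safe for the numeric sysfs value, but `[ "$power" -ge ... ]` costs nothing and survives a future change of the source.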
--- a/modules/telegram-bot.nix +++ b/modules/telegram-bot.nix @@ -11,19 +11,27 @@ with lib; let nameValuePair "telegram-bot-${name}" { enable = bot.enable; startAt = bot.time; - serviceConfig.Type = "oneshot"; + serviceConfig = { + Type = "oneshot"; + LoadCredential = "token:${bot.tokenFile}"; + }; wants = ["network-online.target"]; - script = strings.concatStringsSep "\n" (["QUOTE=$(${bot.command})" "if [ -n \"$QUOTE\" ]; then" "echo $QUOTE >&2"] - ++ map (chatId: '' - ${pkgs.curl}/bin/curl -X POST "https://api.telegram.org/bot${bot.token}/sendMessage" \ - -d chat_id="${chatId}" \ - -d text="$QUOTE" ${ - lib.strings.optionalString (bot.parseMode != null) - "-d parse_mode=${bot.parseMode}" - } | ${pkgs.jq}/bin/jq -e .ok - '') - bot.chatIds - ++ ["fi"]); + script = '' + export TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" + QUOTE=$(${bot.command}) + if [ -n "$QUOTE" ]; then + echo $QUOTE >&2 + ${strings.concatStringsSep "\n" (map (chatId: '' + ${pkgs.curl}/bin/curl -X POST "https://api.telegram.org/bot''${TOKEN}/sendMessage" \ + -d chat_id="${chatId}" \ + -d text="$QUOTE" ${ + lib.strings.optionalString (bot.parseMode != null) + "-d parse_mode=${bot.parseMode}" + } | ${pkgs.jq}/bin/jq -e .ok + '') + bot.chatIds)} + fi + ''; }; in { options.niveum.telegramBots = mkOption { @@ -31,7 +39,7 @@ in { options = { enable = mkEnableOption "Telegram bot"; time = mkOption {type = types.str;}; - token = mkOption {type = types.strMatching "[0-9A-Za-z:-]+";}; + tokenFile = mkOption {type = types.path;}; chatIds = mkOption { type = types.listOf (types.strMatching "-?[0-9]+|@[A-Za-z0-9]+"); }; diff --git a/packages/cyberlocker-tools.nix b/packages/cyberlocker-tools.nix new file mode 100644 index 00000000..0c997eaf --- /dev/null +++ b/packages/cyberlocker-tools.nix 
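Review bot: `-d text="$QUOTE"` posts the bot command's output as raw form data, so any `&` or `=` in the message is parsed by Telegram as extra form fields rather than message text; use `--data-urlencode text="$QUOTE"` (and `--data-urlencode chat_id=...`) since `$QUOTE` comes from an arbitrary `bot.command`. `echo $QUOTE >&2` is unquoted and will word-split and glob-expand the message before logging it; write `echo "$QUOTE" >&2`. Moving the token into `LoadCredential` is the right direction, but it still lands in curl's argument vector via the URL, which other local users can read from `/proc`; if that matters, pass the URL through a curl config read from stdin (`-K -`) instead.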
@@ -0,0 +1,23 @@ +{pkgs}: +pkgs.symlinkJoin { + name = "cyberlocker-tools"; + paths = [ + (pkgs.writers.writeDashBin "cput" '' + set -efu + path=''${1:-$(hostname)} + path=$(echo "/$path" | sed -E 's:/+:/:') + url=http://c.r$path + + ${pkgs.curl}/bin/curl -fSs --data-binary @- "$url" + echo "$url" + '') + (pkgs.writers.writeDashBin "cdel" '' + set -efu + path=$1 + path=$(echo "/$path" | sed -E 's:/+:/:') + url=http://c.r$path + + ${pkgs.curl}/bin/curl -f -X DELETE "$url" + '') + ]; +} diff --git a/packages/dic.nix b/packages/dic.nix new file mode 100644 index 00000000..334a5fce --- /dev/null +++ b/packages/dic.nix @@ -0,0 +1,43 @@ +{ + fetchgit, + lib, + stdenv, + coreutils, + curl, + gnugrep, + gnused, + util-linux, +}: +stdenv.mkDerivation { + name = "dic"; + + src = fetchgit { + url = https://cgit.ni.krebsco.de/dic; + rev = "refs/tags/v1.1.1"; + sha256 = "1gbj967a5hj53fdkkxijqgwnl9hb8kskz0cmpjq7v65ffz3v6vag"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = let + path = lib.makeBinPath [ + coreutils + curl + gnused + gnugrep + util-linux + ]; + in '' + mkdir -p $out/bin + + sed \ + 's,^main() {$,&\n PATH=${path}; export PATH,' \ + < ./dic \ + > $out/bin/dic + + chmod +x $out/bin/dic + ''; +} diff --git a/packages/git-preview.nix b/packages/git-preview.nix new file mode 100644 index 00000000..cb2b6cdf --- /dev/null +++ b/packages/git-preview.nix 
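Review bot: In `cput` the user-supplied `$path` goes into the URL with only runs of `/` collapsed, so spaces, `?`, `#` or `..` segments are sent unencoded and change what the server sees; reject anything outside a safe set, e.g. `case $path in *[!A-Za-z0-9._/-]*) echo "bad path" >&2; exit 1;; esac`, before building `url`. `hostname` and `sed` are resolved from the caller's PATH while `curl` is pinned to the store; pin them too (`${pkgs.gnused}/bin/sed`, and whichever package provides `hostname` on these hosts). The transport is plain `http://c.r`, presumably the overlay network; a one-line comment saying so stops the next reader from flagging it.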
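Review bot: packages/dic.nix uses an unquoted URL literal, `url = https://cgit.ni.krebsco.de/dic;`, a form Nix has deprecated (RFC 45) and newer versions warn about or reject; write `url = "https://cgit.ni.krebsco.de/dic";` as hc.nix in this same commit does. Overriding `phases` to only unpack and install also skips `patchPhase` and `fixupPhase`, so stdenv's shebang patching never runs on `$out/bin/dic`; `dontBuild = true;` and `dontConfigure = true;` express the intent without losing those. The `sed` that injects `PATH=...` after `main() {` silently does nothing if upstream reformats that line; a `grep -q '^main() {$' ./dic` guard in `installPhase` would make the build fail loudly instead.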
@@ -0,0 +1,23 @@ +{ + coreutils, + git, + writers, +}: +writers.writeDashBin "git-preview" '' + set -efu + head_commit=$(${git}/bin/git log -1 --format=%H) + merge_commit=$1; shift + merge_message='Merge for git-preview' + preview_dir=$(${coreutils}/bin/mktemp --tmpdir -d git-preview.XXXXXXXX) + preview_name=$(${coreutils}/bin/basename "$preview_dir") + ${git}/bin/git worktree add --detach -f "$preview_dir" 2>/dev/null + ${git}/bin/git -C "$preview_dir" checkout -q "$head_commit" + ${git}/bin/git -C "$preview_dir" merge \ + ''${GIT_PREVIEW_MERGE_STRATEGY+-s "$GIT_PREVIEW_MERGE_STRATEGY"} \ + -m "$merge_message" \ + -q \ + "$merge_commit" + ${git}/bin/git -C "$preview_dir" diff "$head_commit.." "$@" + ${coreutils}/bin/rm -fR "$preview_dir" + ${coreutils}/bin/rm -R .git/worktrees/"$preview_name" +'' diff --git a/packages/hc.nix b/packages/hc.nix new file mode 100644 index 00000000..b481de8a --- /dev/null +++ b/packages/hc.nix @@ -0,0 +1,49 @@ +{ + fetchgit, + lib, + makeWrapper, + stdenv, + coreutils, + findutils, + gawk, + gnugrep, + qrencode, + texlive, + utillinux, + zbar, +}: +stdenv.mkDerivation rec { + name = "hc-${meta.version}"; + + src = fetchgit { + url = "https://cgit.krebsco.de/hc"; + rev = "refs/tags/v${meta.version}"; + sha256 = "09349gja22p0j3xs082kp0fnaaada14bafszn4r3q7rg1id2slfb"; + }; + + nativeBuildInputs = [makeWrapper]; + + buildPhase = null; + + installPhase = '' + mkdir -p $out/bin + + cp $src/bin/hc $out/bin/hc + + wrapProgram $out/bin/hc \ + --prefix PATH : ${lib.makeBinPath [ + coreutils + findutils + gawk + gnugrep + qrencode + texlive.combined.scheme-full + utillinux + zbar + ]} + ''; + + meta = { + version = "1.0.0"; + }; +} diff --git a/packages/htgen.nix b/packages/htgen.nix new file mode 100644 index 00000000..7d129b0e --- /dev/null +++ b/packages/htgen.nix 
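Review bot: git-preview's cleanup is not robust: under `set -efu` a merge conflict in the `git merge` step aborts the script before the two `rm` lines, leaving both the temp worktree and the `.git/worktrees/<name>` entry behind, and the final `rm -R .git/worktrees/...` assumes the current directory is the repository root with a plain `.git` directory (not a linked worktree or submodule). Register cleanup on exit and let git maintain its own bookkeeping: `trap '${git}/bin/git worktree remove --force "$preview_dir" 2>/dev/null || true' EXIT` right after `worktree add`, and drop the trailing `rm` lines. The `2>/dev/null` on `worktree add` also hides the one error message that would explain such a failure.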
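Review bot: packages/hc.nix takes `utillinux`, the deprecated alias of `util-linux` that dic.nix in this same commit already uses; aliases are absent when nixpkgs is evaluated with `allowAliases = false`, so use `util-linux` both in the argument set and in `makeBinPath`. `buildPhase = null` is a no-op here since no build phase is set; `dontBuild = true;` states the intent. `meta.version` is not a standard attribute; `pname = "hc"; version = "1.0.0";` at derivation level lets tooling see the version and keeps `rev = "refs/tags/v${version}"` readable.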
@@ -0,0 +1,31 @@ +{ + fetchgit, + lib, + pkgs, + stdenv, +}: +stdenv.mkDerivation rec { + pname = "htgen"; + version = "1.3.1"; + + src = fetchgit { + url = "http://cgit.krebsco.de/htgen"; + rev = "refs/tags/${version}"; + sha256 = "0ml8kp89bwkrwy6iqclzyhxgv2qn9dcpwaafbmsr4mgcl70zx22r"; + }; + + installPhase = '' + mkdir -p $out/bin + { + echo '#! ${pkgs.dash}/bin/dash' + echo 'export PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.jq + pkgs.ucspi-tcp + ]}''${PATH+":$PATH"}' + sed 's:^Server=htgen$:&/${version}:' htgen + } > $out/bin/htgen + chmod +x $out/bin/htgen + cp -r examples $out + ''; +} diff --git a/packages/kpaste.nix b/packages/kpaste.nix new file mode 100644 index 00000000..54d7f28a --- /dev/null +++ b/packages/kpaste.nix @@ -0,0 +1,9 @@ +{ + curl, + gnused, + writers, +}: +writers.writeDashBin "kpaste" '' + ${curl}/bin/curl -sS http://p.r --data-binary @"''${1:--}" | + ${gnused}/bin/sed '$ {p;s|http://p.r|https://p.krebsco.de|}' +'' diff --git a/packages/scripts/default.nix b/packages/scripts/default.nix index ce633ed4..a2ccd8a6 100644 --- a/packages/scripts/default.nix +++ b/packages/scripts/default.nix @@ -1,11 +1,12 @@ { pkgs, lib, + config, ... }: let kpaste = pkgs.callPackage {}; - opustags = pkgs.callPackage {}; - betacode = pkgs.callPackage {}; + opustags = pkgs.callPackage ../opustags.nix {}; + betacode = pkgs.callPackage ../python3Packages/betacode.nix {}; wrapScript = { packages ? [], name, 
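Review bot: packages/htgen.nix fetches over plain `http://cgit.krebsco.de/htgen` while hc.nix in the same commit uses `https://cgit.krebsco.de/hc`; the fixed `sha256` stops a tampered clone from being used, but it does not stop an on-path attacker from forcing fetch failures or observing which revision is pulled, so switch to `url = "https://cgit.krebsco.de/htgen";`. The generated wrapper prepends the store `PATH` but keeps the caller's `PATH` behind it (`''${PATH+":$PATH"}`), which is presumably deliberate so htgen scripts can find their tools, and deserves a comment. `rev = "refs/tags/${version}"` is a mutable reference; the hash is what really pins the build, which is also worth a comment.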
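Review bot: In packages/scripts/default.nix the context line `kpaste = pkgs.callPackage {};` still appears to use the old angle-bracket lookup (the page extraction dropped whatever stood between `callPackage` and `{}`), while the two lines right below it are migrated to relative paths; with the `/var/src` nixPath going away elsewhere in this commit, any remaining `<...>` lookup fails at evaluation. Verify this line became `kpaste = pkgs.callPackage ../kpaste.nix {};`, matching the `packages/kpaste.nix` added in this commit.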
@@ -73,33 +74,6 @@ in ${pkgs.coreutils}/bin/printf '%s\n' 'nameserver 1.1.1.1' 'options edns0' > /etc/resolv.conf ''; - much-scripts = let - much-current-query = wrapScript { - packages = [pkgs.curl]; - name = "much-current-query"; - script = ./much-current-query.sh; - }; - mail-send = wrapScript { - packages = [pkgs.notmuch pkgs.msmtp pkgs.jq]; - name = "mail-send"; - script = ./mail-send.sh; - }; - mail-reply = wrapScript { - packages = [much-current-query pkgs.notmuch pkgs.gnused pkgs.jq]; - name = "mail-reply"; - script = ./mail-reply.sh; - }; - mail-kill = wrapScript { - name = "mail-kill"; - script = ./mail-kill.sh; - packages = [pkgs.notmuch]; - }; - in - pkgs.symlinkJoin { - name = "much-scripts"; - paths = [mail-send much-current-query mail-reply mail-kill]; - }; - showkeys-toggle = pkgs.writers.writeDashBin "showkeys-toggle" '' if ${pkgs.procps}/bin/pgrep screenkey; then exec ${pkgs.procps}/bin/pkill screenkey @@ -205,7 +179,7 @@ in | ${pkgs.man}/bin/man --local-file --pager="${pkgs.bat}/bin/bat -p" - ''; - playlist = import ./pls.nix {inherit pkgs;}; + playlist = import ./pls.nix {inherit pkgs lib config;}; mpv-tv = import ./mpv-tv.nix {inherit pkgs lib;}; @@ -396,8 +370,8 @@ in unicodmenu = pkgs.callPackage ./unicodmenu.nix {}; mpv-radio = let - streams = import { - di-fm-key = lib.strings.fileContents ; + streams = import ../../lib/streams.nix { + di-fm-key = "%DI_FM_KEY%"; # lib.strings.fileContents ; }; streams-tsv = pkgs.writeText "streams.tsv" (lib.concatMapStringsSep "\n" ({ desc ? "", 
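Review bot: The trailing `# lib.strings.fileContents ;` on the new `di-fm-key` line in the `mpv-radio` hunk is dead code left from the migration; if the intent is to explain the mechanism, replace it with `# placeholder, substituted at run time from the di-fm-key agenix secret`. Because `%DI_FM_KEY%` is now baked into the store-side `streams.tsv`, that file is world-readable by design, which is only acceptable as long as the real key never returns there — a comment to that effect keeps someone from "fixing" it back to `fileContents`. The `streams-tsv` expression continues past this hunk.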
@@ -408,7 +382,12 @@ in streams); in pkgs.writers.writeDashBin "mpv-radio" '' - exec ${pkgs.mpv}/bin/mpv --force-window=yes "$(${pkgs.dmenu}/bin/dmenu -i -l 5 < ${streams-tsv} | ${pkgs.coreutils}/bin/cut -f3)" + export DI_FM_KEY=$(cat "${config.age.secrets.di-fm-key.path}") + exec ${pkgs.mpv}/bin/mpv --force-window=yes "$( + ${pkgs.dmenu}/bin/dmenu -i -l 5 < ${streams-tsv} \ + | ${pkgs.coreutils}/bin/cut -f3 \ + | ${pkgs.gnused}/bin/sed s/%DI_FM_KEY%/"$DI_FM_KEY"/ + )" ''; rfc = wrapScript { @@ -489,11 +468,11 @@ in ''; } // { - devour = pkgs.callPackage {}; - depp = pkgs.callPackage {}; - text2pdf = pkgs.callPackage {}; - vimv = pkgs.callPackage {}; - when = pkgs.callPackage {}; - mahlzeit = pkgs.haskellPackages.callPackage {}; + devour = pkgs.callPackage ../devour.nix {}; + depp = pkgs.callPackage ../depp.nix {}; + text2pdf = pkgs.callPackage ../text2pdf.nix {}; + vimv = pkgs.callPackage ../vimv.nix {}; + when = pkgs.callPackage ../when.nix {}; + mahlzeit = pkgs.haskellPackages.callPackage ../mahlzeit.nix {}; inherit opustags; } diff --git a/packages/scripts/mail-kill.sh b/packages/scripts/mail-kill.sh deleted file mode 100644 index 4d5a00a8..00000000 --- a/packages/scripts/mail-kill.sh +++ /dev/null @@ -1,20 +0,0 @@ -#! /bin/sh -set -efu - -if ! notmuch search --exclude=false tag:deleted | tac | grep .; then - echo 'No killed mail.' - exit 1 -fi - -printf 'want do rm these mail? [y/N] ' -read REPLY -case "$REPLY" in - y|Y) :;; # continue - *) - echo 'abort.' - exit 2 - ;; -esac - -notmuch search --output=files --exclude=false tag:deleted | xargs -l rm -v -notmuch new diff --git a/packages/scripts/mail-reply.sh b/packages/scripts/mail-reply.sh deleted file mode 100755 index 220e1dea..00000000 --- a/packages/scripts/mail-reply.sh +++ /dev/null 
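Review bot: `sed s/%DI_FM_KEY%/"$DI_FM_KEY"/` uses the secret as a raw sed replacement, so a key containing `/`, `&` or `\` corrupts the URL or terminates the expression, and the expanded URL, key included, is then passed to mpv as a command-line argument where any local user can read it from `/proc/<pid>/cmdline`. I believe mpv accepts `--playlist=-` to read the URL from stdin, which would keep the key out of the argument list: `... | ${pkgs.gnused}/bin/sed "s|%DI_FM_KEY%|$DI_FM_KEY|" | exec ${pkgs.mpv}/bin/mpv --force-window=yes --playlist=-`; at minimum document which characters the key may contain. `export DI_FM_KEY=$(cat ...)` also does not check that the secret exists, so a missing file yields a URL with an empty key rather than an error.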
@@ -1,47 +0,0 @@ -#! /bin/sh -set -efu - -reply_to=$(much-current-query) - -if ! test "$(notmuch search --output=messages "$reply_to" | wc -l)" = 1; then - echo "current query doesn't point to exactly one message. abort." >&2 - exit 1 -fi - -# TODO update headers - -notmuch reply "$reply_to" | -sed ' - /^Non-text part: /d - /^Attachment: /d -' | -jq -Rrs ' - # TODO dedup with mail-send - split("\n") | - index("") as $i | - .[:$i] as $head | - .[$i:] as $body | - - { - "MIME-Version": "1.0", - "Content-Type": "text/plain; charset=UTF-8; format=flowed", - "Content-Transfer-Encoding": "8bit" - } as $extra_head | - - ($extra_head | keys | join("|")) as $extra_head_regex | - ($extra_head | to_entries | map("\(.key): \(.value)")) as $extra_head_lines | - - # TODO each of these could be followed by multiple lines starting with spaces - ($head | map(select(test("^(\($extra_head_regex)):";"i") | not))) as $head | - - ($head + $extra_head_lines) as $head | - - ($head + $body) | join("\n") -' - - -# TODO fix From: -# TODO tune quote - -# TODO write draft -# TODO send mail diff --git a/packages/scripts/mail-send.sh b/packages/scripts/mail-send.sh deleted file mode 100755 index 35073005..00000000 --- a/packages/scripts/mail-send.sh +++ /dev/null 
@@ -1,56 +0,0 @@ -#! /bin/sh -# usage: mail-send < FILE -set -efu - -get_in_reply_to() { - sed -n '/^In-Reply-to:/I{s/In-Reply-to:\s*//I;h;:a;n;/^\s/{s/^\s*//;H;ba};x;p;q}' | - sed -n 's/^<\(.*\)>$/\1/p' | - grep . -} - -now=$(date --rfc-email) -id=$(whoami)+$(date +%s -d "$now")@$(hostname -f) - -# TODO check if mail with that ID already exists - -# TODO encode subject https://ncona.com/2011/06/using-utf-8-characters-on-an-e-mail-subject/ -# and maybe recipients - -# TODO use tmpfile instead? -mail=$( - env now="$now" id="$id" \ - jq -Rrs ' - # TODO dedup with mail-reply - split("\n") | - index("") as $i | - .[:$i] as $head | - .[$i:] as $body | - - # TODO each of these could be followed by multiple lines starting with spaces - ($head | map(select(test("^(Date|Message-ID|User-Agent):";"i") | not))) as $head | - - ($head + [ - "Date: \(env.now)", - "Message-ID: <\(env.id)>", - "User-Agent: much" - ]) as $head | - - ($head + $body) | join("\n") - ' -) - -printf %s "$mail" | msmtpq --read-recipients --read-envelope-from - -printf %s "$mail" | notmuch insert - -if in_reply_to=$(printf %s "$mail" | get_in_reply_to); then - if test "$(notmuch search --output=messages "id:$in_reply_to")" != "id:$in_reply_to"; then - echo "while trying to put replied tag, failed to find exactly one message" >&2 - echo " query = id:$in_reply_to" >&2 - exit 1 - fi - - notmuch tag +replied -unread -- "id:$in_reply_to" -fi - -echo "id:$id" diff --git a/packages/scripts/pls.nix b/packages/scripts/pls.nix index 7ad7c8a7..f21ba58a 100755 --- a/packages/scripts/pls.nix +++ b/packages/scripts/pls.nix @@ -1,10 +1,12 @@ -{pkgs}: let - inherit (pkgs) lib; - +{ + config, + pkgs, + lib, +}: let playlistAPI = "https://radio.lassul.us"; sendIRC = pkgs.writers.writeDash "send-irc" '' - ${pkgs.ircaids}/bin/ircsink \ + ${config.nur.repos.mic92.ircsink}/bin/ircsink \ --nick musikkritiker \ --server irc.hackint.org \ --port 6697 \ 
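Review bot: `config.nur.repos.mic92.ircsink` in pls.nix pulls the IRC client binary from NUR, a third-party repository whose packages are built from the author's own sources and are not reviewed in nixpkgs; the pin of the `nur` flake input is now part of the trust boundary for everything the bot can send, so keep that input pinned and reviewed like any other dependency and say so: `# ircsink from NUR (mic92); trusted via the nur flake input pin`. The same move appears in systems/makanek/moinbot.nix. Since `pls.nix` now takes `config`, every caller must pass it, which `packages/scripts/default.nix` in this commit does.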
diff --git a/packages/untilport.nix b/packages/untilport.nix new file mode 100644 index 00000000..0db755f6 --- /dev/null +++ b/packages/untilport.nix @@ -0,0 +1,17 @@ +{pkgs, ...}: +pkgs.writers.writeDashBin "untilport" '' + set -euf + + usage() { + echo 'untiport $target $port' + echo 'Sleeps until the destinated port is reachable.' + echo 'ex: untilport google.de 80 && echo "google is now reachable"' + } + + + if [ $# -ne 2 ]; then + usage + else + until ${pkgs.libressl.nc}/bin/nc -z "$@"; do sleep 1; done + fi +'' diff --git a/packages/weechat-declarative.nix b/packages/weechat-declarative.nix new file mode 100644 index 00000000..b12eb9f6 --- /dev/null +++ b/packages/weechat-declarative.nix 
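Review bot: untilport prints `usage` for the wrong argument count but then exits 0, so a mistyped invocation looks like success to `&&` chains such as the one in its own example; add `exit 1` after `usage` and fix the `untiport` typo in the message. `sleep` is resolved from the caller's PATH while `nc` is pinned; use `${pkgs.coreutils}/bin/sleep` for consistency. `nc -z "$@"` forwards both words verbatim, so a first argument starting with `-` is taken as a netcat option; harmless with two positional words, but worth a line in the usage text.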
@@ -0,0 +1,177 @@ +{ + pkgs, + lib, + ... +} @ args: let + # config cannot be declared in the input attribute set because that would + # cause callPackage to inject the wrong config. Instead, get it from ... + # via args. + config = args.config or {}; + + lib = + args.lib + // rec { + attrPaths = let + recurse = path: value: + if builtins.isAttrs value + then lib.mapAttrsToList (name: recurse (path ++ [name])) value + else [(lib.nameValuePair path value)]; + in + attrs: lib.flatten (recurse [] attrs); + + attrPathsSep = sep: attrs: lib.listToAttrs (map (x: x // {name = lib.concatStringsSep sep x.name;}) (attrPaths attrs)); + + toWeechatValue = x: + { + bool = builtins.toJSON x; + string = x; + list = lib.concatMapStringsSep "," toWeechatValue x; + int = toString x; + } + .${builtins.typeOf x}; + + setCommand = name: value: "/set ${name} \"${toWeechatValue value}\""; + + filterAddreplace = name: filter: "/filter addreplace ${name} ${filter.buffer} ${toWeechatValue filter.tags} ${filter.regex}"; + }; + + cfg = eval.config; + + eval = lib.evalModules { + modules = lib.singleton { + _file = toString ./default.nix; + imports = lib.singleton config; + options = { + scripts = lib.mkOption { + type = lib.types.listOf lib.types.package; + default = []; + description = '' + some stuff from pkgs.weechatScripts + ''; + }; + settings = lib.mkOption { + type = (pkgs.formats.json {}).type; + description = '' + your weechat config in nix-style syntax. 
+ secrets can be defined with \''${my.secret.value} + ''; + default = {}; + example = { + irc.server_default.nicks = "rick_\\\${sec.data.foo}"; + irc.server_default.msg_part = "ciao kakao"; + irc.server_default.msg_quit = "tschö mit \\\${sec.data.foo}"; + irc.look.color_nicks_in_nicklist = true; + matrix.server.nibbana = { + address = "nibbana.jp"; + }; + irc.server.hackint = { + address = "irc.hackint.org/6697"; + ssl = true; + autoconnect = true; + autojoin = ["#krebs"]; + }; + weechat.bar.buflist.hidden = true; + irc.server.hackint.command = lib.concatStringsSep "\\;" [ + "/msg nickserv IDENTIFY \\\${sec.data.hackint_password}" + "/msg nickserv SET CLOAK ON" + ]; + filters.playlist_topic = { + buffer = "irc.*.#the_playlist"; + tags = ["irc_topic"]; + regex = "*"; + }; + relay = { + port.weechat = 9000; + network.password = "hunter2"; + }; + alias.cmd.mod = "quote omode $channel +o $nick"; + secure.test.passphrase_command = "echo lol1234123124"; + }; + }; + extraCommands = lib.mkOption { + type = lib.types.lines; + default = ""; + }; + files = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + default = {}; + example = lib.literalExpression '' + { + "sec.conf" = toString (pkgs.writeText "sec.conf" ''' + [crypt] + cipher = aes256 + hash_algo = sha256 + passphrase_command = "" + salt = on + + [data] + __passphrase__ = off + foo = "bar" + '''); + } + ''; + }; + }; + }; + }; + + setFile = pkgs.writeText "weechat.set" ( + lib.optionalString (cfg.settings != {}) + (lib.concatStringsSep "\n" ( + lib.optionals + (cfg.settings.irc or {} != {}) + (lib.mapAttrsToList + (name: server: "/server add ${name} ${lib.toWeechatValue server.addresses}") + cfg.settings.irc.server) + ++ lib.optionals + (cfg.settings.matrix or {} != {}) + (lib.mapAttrsToList + (name: server: "/matrix server add ${name} ${server.address}") + cfg.settings.matrix.server) + ++ lib.mapAttrsToList lib.setCommand (lib.attrPathsSep "." 
cfg.settings) + ++ lib.optionals + (cfg.settings.filters or {} != {}) + (lib.mapAttrsToList lib.filterAddreplace cfg.settings.filters) + ++ lib.singleton cfg.extraCommands + )) + ); + + weechat = pkgs.weechat.override { + configure = _: { + init = "/exec -oc cat ${setFile}"; + + scripts = cfg.scripts; + }; + }; + + wrapper = pkgs.writers.writeDashBin "weechat" '' + CONFDIR=''${XDG_CONFIG_HOME:-$HOME/.config}/weechat + ${pkgs.coreutils}/bin/mkdir -p "$CONFDIR" + ${ + lib.concatStringsSep "\n" + ( + lib.mapAttrsToList + (name: target: + /* + sh + */ + '' + ${pkgs.coreutils}/bin/cp ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name} + ${pkgs.coreutils}/bin/chmod +w "$CONFDIR"/${lib.escapeShellArg name} + '') + cfg.files + ) + } + exec ${weechat}/bin/weechat "$@" + ''; +in + pkgs.symlinkJoin { + name = "weechat-configured"; + paths = [ + wrapper + pkgs.weechat + ]; + postBuild = '' + ln -s ${setFile} $out/weechat.set + ''; + } diff --git a/secrets b/secrets new file mode 160000 index 00000000..c7d15a91 --- /dev/null +++ b/secrets @@ -0,0 +1 @@ +Subproject commit c7d15a91747815e2ca9e89e8a9d52007059e2ee3 diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix index 601a6455..128f0dc6 100644 --- a/systems/ful/configuration.nix +++ b/systems/ful/configuration.nix 
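Review bot: Everything in `settings` is rendered into `setFile`, a world-readable Nix store file that is additionally linked at `$out/weechat.set`, yet the option's `example` shows `relay.network.password = "hunter2"` and `secure.test.passphrase_command = "echo lol1234123124"` as literals; the description should warn, e.g. `Values are written verbatim into the Nix store; never put passwords here, use \${sec.data.*} references`, and the example should use such references. The same holds for `files`: a `sec.conf` produced with `pkgs.writeText` is world-readable in the store regardless of the `chmod +w` after copying. There is also a mismatch between the `/server add` generator, which reads `server.addresses`, and the example, which sets `irc.server.hackint.address`; weechat's option is `addresses`, so fix the example (or the generator) before someone copies it and hits a missing-attribute error. `cfg.settings.irc or {} != {}` guards only `irc`, not `irc.server`, so an `irc` tree without `server` fails the same way.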
@@ -4,19 +4,26 @@ pkgs, ... }: let - inherit (import ) kieran retiolumAddresses restic; + inherit (import ../../lib) kieran retiolumAddresses restic; in { imports = [ ./hardware-configuration.nix ./matomo.nix - - - - - - + ../../configs/monitoring.nix + ../../configs/save-space.nix + ../../configs/spacetime.nix + ../../configs/retiolum.nix + ../../configs/sshd.nix + ../../configs/nix.nix ]; + age.secrets = { + retiolum-rsa.file = ../../secrets/ful-retiolum-privateKey-rsa.age; + retiolum-ed25519.file = ../../secrets/ful-retiolum-privateKey-rsa.age; + root.file = ../../secrets/ful-root.age; + restic.file = ../../secrets/restic.age; + }; + services.restic.backups.niveum = { initialize = true; inherit (restic) repository; @@ -24,14 +31,12 @@ in { OnCalendar = "daily"; RandomizedDelaySec = "1h"; }; - passwordFile = toString ; + passwordFile = config.age.secrets.restic.path; paths = [ config.services.mysqlBackup.location ]; }; - nix.nixPath = ["/var/src"]; - networking = { firewall.allowedTCPPorts = [80 443]; hostName = "ful"; @@ -56,7 +61,7 @@ in { defaults.email = kieran.email; }; - users.users.root.passwordFile = toString ; + users.users.root.passwordFile = config.age.secrets.root.path; environment.systemPackages = [pkgs.vim pkgs.git pkgs.tmux pkgs.python3]; diff --git a/systems/ful/hardware-configuration.nix b/systems/ful/hardware-configuration.nix index 9986355b..392a48da 100644 --- a/systems/ful/hardware-configuration.nix +++ b/systems/ful/hardware-configuration.nix @@ -2,9 +2,12 @@ config, lib, pkgs, + modulesPath, ... }: { - imports = []; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; boot = { loader = { diff --git a/systems/ful/matomo.nix b/systems/ful/matomo.nix index cf79ba45..dd69d848 100644 --- a/systems/ful/matomo.nix +++ b/systems/ful/matomo.nix @@ -1,5 +1,5 @@ {pkgs, ...}: let - inherit (import ) kieran; + inherit (import ../../lib) kieran; in { services.nginx = { enable = true; 
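Review bot: `retiolum-ed25519.file` in systems/ful/configuration.nix points at `ful-retiolum-privateKey-rsa.age`, the same file as `retiolum-rsa`, so the ed25519 key for this host is never decrypted (kabsa and makanek in the same commit use their `-ed25519.age` files); it should read `retiolum-ed25519.file = ../../secrets/ful-retiolum-privateKey-ed25519.age;`. `root.file` and `restic.file` are declared without `owner`/`mode`, which under agenix's defaults means root-only; that is correct for `users.users.root.passwordFile` and for restic running as root, but a short comment saying so pre-empts the "why no owner" question.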
diff --git a/systems/kabsa/configuration.nix b/systems/kabsa/configuration.nix index 5def9b64..4c54062c 100644 --- a/systems/kabsa/configuration.nix +++ b/systems/kabsa/configuration.nix @@ -4,13 +4,13 @@ lib, ... }: let - inherit (import ) retiolumAddresses; + inherit (import ../../lib) retiolumAddresses; in { imports = [ ./hardware-configuration.nix - - - + ../../configs/battery.nix + ../../configs/default.nix + ../../configs/networkmanager.nix # TODO how to get passwords into there? ]; niveum = { @@ -24,6 +24,14 @@ in { max-jobs = 2; }; + age.secrets = { + retiolum-rsa.file = ../../secrets/kabsa-retiolum-privateKey-rsa.age; + retiolum-ed25519.file = ../../secrets/kabsa-retiolum-privateKey-ed25519.age; + restic.file = ../../secrets/restic.age; + syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age; + syncthing-key.file = ../../secrets/kabsa-syncthing-key.age; + }; + environment.systemPackages = [pkgs.minecraft pkgs.zeroad]; networking = { diff --git a/systems/kabsa/hardware-configuration.nix b/systems/kabsa/hardware-configuration.nix index b16a81b0..3d12e08b 100644 --- a/systems/kabsa/hardware-configuration.nix +++ b/systems/kabsa/hardware-configuration.nix @@ -2,9 +2,10 @@ config, lib, pkgs, + modulesPath, ... }: { - imports = []; + imports = [(modulesPath + "/installer/scan/not-detected.nix")]; boot = { initrd = { diff --git a/systems/makanek/configuration.nix b/systems/makanek/configuration.nix index f6d528db..d2bbe45b 100644 --- a/systems/makanek/configuration.nix +++ b/systems/makanek/configuration.nix @@ -4,7 +4,7 @@ pkgs, ... }: let - inherit (import ) kieran retiolumAddresses restic; + inherit (import ../../lib) kieran retiolumAddresses restic; in { imports = [ ./gitea.nix @@ -13,7 +13,6 @@ in { ./menstruation.nix ./moinbot.nix ./monitoring - ./moodle-dl-borsfaye.nix ./names.nix ./nextcloud.nix ./radio-news.nix 
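Review bot: `syncthing-cert` and `syncthing-key` in systems/kabsa/configuration.nix are declared without `owner`, so as I read agenix's defaults they are decrypted root:root 0400, while NixOS's syncthing service runs as its own `syncthing` user by default; unless the service user is changed elsewhere it cannot read them, so set `owner = config.services.syncthing.user;` on both (the syncthing service definition is not in this hunk). The `# TODO how to get passwords into there?` on the networkmanager import is a fair marker, but the answer in this codebase is the same agenix pattern, so either resolve it or name the secret that will carry the profile passwords.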
@@ -23,14 +22,14 @@ in { ./tt-rss.nix ./urlwatch.nix ./weechat.nix - - - - - - - - + ../../configs/monitoring.nix + ../../configs/nix.nix + ../../configs/save-space.nix + ../../configs/retiolum.nix + ../../configs/spacetime.nix + ../../configs/sshd.nix + ../../configs/telegram-bots + ../../modules/passport.nix ]; services.restic.backups.niveum = { @@ -40,7 +39,7 @@ in { OnCalendar = "daily"; RandomizedDelaySec = "1h"; }; - passwordFile = toString ; + passwordFile = config.age.secrets.restic.path; paths = [ "/var/lib/codimd" config.services.postgresqlBackup.location @@ -76,8 +75,6 @@ in { ]; }; - nix.nixPath = ["/var/src"]; - networking = { firewall.allowedTCPPorts = [80 443]; hostName = "makanek"; @@ -86,6 +83,12 @@ in { useDHCP = false; }; + age.secrets = { + retiolum-rsa.file = ../../secrets/makanek-retiolum-privateKey-rsa.age; + retiolum-ed25519.file = ../../secrets/makanek-retiolum-privateKey-ed25519.age; + restic.file = ../../secrets/restic.age; + }; + system.stateVersion = "20.03"; services.nginx = { diff --git a/systems/makanek/gitea.nix b/systems/makanek/gitea.nix index 59f62b0f..f08fac1e 100644 --- a/systems/makanek/gitea.nix +++ b/systems/makanek/gitea.nix @@ -1,5 +1,5 @@ let - inherit (import ) sshPort; + inherit (import ../../lib) sshPort; domain = "https://code.kmein.de"; in { services.gitea = { diff --git a/systems/makanek/hardware-configuration.nix b/systems/makanek/hardware-configuration.nix index 19d99fca..85068add 100644 --- a/systems/makanek/hardware-configuration.nix +++ b/systems/makanek/hardware-configuration.nix @@ -2,9 +2,10 @@ config, lib, pkgs, + modulesPath, ... }: { - imports = []; + imports = [(modulesPath + "/profiles/qemu-guest.nix")]; boot = { initrd = { diff --git a/systems/makanek/hedgedoc.nix b/systems/makanek/hedgedoc.nix index b74038f9..32d2c994 100644 --- a/systems/makanek/hedgedoc.nix +++ b/systems/makanek/hedgedoc.nix 
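Review bot: `restic.file = ../../secrets/restic.age` on makanek is the same shared secret ful and kabsa use in this commit, and all of them back up to the shared `restic.repository`; with one repository password across hosts, compromising any one machine exposes, and can delete, every host's backups. Consider per-host repositories or at least an append-only / server-side retention policy, and record the trade-off next to the secret: `# shared restic password: every host can read and prune all backups`. Dropping `nix.nixPath = ["/var/src"]` is consistent with the flake migration, but any remaining `<...>` lookup on this host now fails at evaluation, so the imports in this hunk are worth a final grep.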
@@ -6,7 +6,7 @@ backupLocation = "/var/lib/codimd-backup"; stateLocation = "/var/lib/codimd/state.sqlite"; domain = "pad.kmein.de"; - inherit (import ) tmpfilesConfig; + inherit (import ../../lib) tmpfilesConfig; in { services.nginx.virtualHosts.${domain} = { enableACME = true; diff --git a/systems/makanek/menstruation.nix b/systems/makanek/menstruation.nix index 10a8bdd4..0b452605 100644 --- a/systems/makanek/menstruation.nix +++ b/systems/makanek/menstruation.nix @@ -1,16 +1,10 @@ { + config, pkgs, lib, + inputs, ... }: let - backend = pkgs.callPackage {}; - old-pkgs = import (pkgs.fetchFromGitHub { - owner = "NixOs"; - repo = "nixpkgs"; - rev = "695b3515251873e0a7e2021add4bba643c56cde3"; - hash = "sha256-T86oFvcUIRwHWBWUt7WjaP4BP/3lDGbv5AppQSI1FkI="; - }) {}; - telegram = old-pkgs.poetry2nix.mkPoetryApplication {projectDir = ;}; backendPort = 8000; in { services.redis.servers.menstruation = { 
@@ -36,24 +30,32 @@ in { ]; wantedBy = ["multi-user.target"]; environment = { - MENSTRUATION_TOKEN = lib.strings.fileContents ; MENSTRUATION_ENDPOINT = "http://localhost:${toString backendPort}"; MENSTRUATION_MODERATORS = "18980945"; }; + script = '' + set -efu + export MENSTRUATION_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/menstruation-token")" + ${inputs.menstruation-telegram.defaultPackage.x86_64-linux}/bin/menstruation-telegram + ''; serviceConfig = { Restart = "always"; DynamicUser = true; - ExecStart = "${telegram}/bin/menstruation-telegram"; + LoadCredential = [ + "menstruation-token:${config.age.secrets.telegram-token-menstruation.path}" + ]; }; }; + age.secrets.telegram-token-menstruation.file = ../../secrets/telegram-token-menstruation.age; + systemd.services.menstruation-backend = { wants = ["network-online.target"]; environment.ROCKET_PORT = toString backendPort; serviceConfig = { Restart = "always"; DynamicUser = true; - ExecStart = "${backend}/bin/menstruation_server"; + ExecStart = "${inputs.menstruation-backend.defaultPackage.x86_64-linux}/bin/menstruation_server"; }; }; } diff --git a/systems/makanek/moinbot.nix b/systems/makanek/moinbot.nix index acb434c5..ab6cfe50 100644 --- a/systems/makanek/moinbot.nix +++ b/systems/makanek/moinbot.nix @@ -1,4 +1,8 @@ -{pkgs, ...}: { +{ + pkgs, + config, + ... +}: { systemd.services.moinbot = { startAt = "7:00"; script = '' @@ -8,7 +12,7 @@ MOIN OI moi" | shuf -n1) - echo "$greeting" | ${pkgs.ircaids}/bin/ircsink \ + echo "$greeting" | ${config.nur.repos.mic92.ircsink}/bin/ircsink \ --nick "$greeting""bot" \ --server irc.hackint.org \ --port 6697 \ diff --git a/systems/makanek/monitoring/default.nix b/systems/makanek/monitoring/default.nix index fbb025bf..3e63992f 100644 --- a/systems/makanek/monitoring/default.nix +++ b/systems/makanek/monitoring/default.nix 
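Review bot: `inputs.menstruation-telegram.defaultPackage.x86_64-linux` and `inputs.menstruation-backend.defaultPackage.x86_64-linux` hard-code the system instead of using `pkgs.system` (or `pkgs.stdenv.hostPlatform.system`), so the module silently breaks if this host is ever built for another architecture; `inputs.menstruation-telegram.defaultPackage.${pkgs.system}` keeps it portable, and `defaultPackage` is the deprecated flake output spelling for `packages.<system>.default`, worth checking against those inputs. Reading the token from `$CREDENTIALS_DIRECTORY` under `DynamicUser` is the right approach, and `set -efu` in `script` makes a missing credential fail loudly rather than start the bot with an empty token.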
@@ -6,7 +6,7 @@ }: let lokiConfig = import ./loki.nix; blackboxConfig = import ./blackbox.nix; - inherit (import ) restic; + inherit (import ../../../lib) restic; in { services.grafana = { enable = true; @@ -17,12 +17,12 @@ in { http_addr = "127.0.0.1"; }; smtp = let - inherit (import {inherit lib;}) cock; + inherit (import ../../../lib/email.nix {inherit lib;}) cock; address = builtins.split "@" cock.user; in { enabled = true; from_address = cock.address; - password = cock.password; + password = "$__file{${config.age.secrets.email-password-cock.path}}"; user = cock.user; host = cock.smtpSettings cock.smtp; startTLS_policy = "MandatoryStartTLS"; @@ -30,7 +30,7 @@ in { dashboards.default_home_dashboard_path = toString ./grafana-dashboards/niveum.json; security = { admin_user = "admin"; - admin_password = lib.strings.fileContents ; + admin_password = "$__file{${config.age.secrets.grafana-password-admin.path}}"; }; }; provision = { @@ -196,6 +196,7 @@ in { enable = true; listenAddress = "localhost"; webExternalUrl = "http://alertmanager.kmein.r"; + environmentFile = config.age.secrets.alertmanager-token-reporters.path; configuration = { route = { group_wait = "30s"; @@ -207,7 +208,7 @@ in { name = "all"; telegram_configs = [ { - bot_token = lib.strings.fileContents ; + bot_token = "$TELEGRAM_TOKEN"; chat_id = 18980945; parse_mode = ""; api_url = "https://api.telegram.org"; @@ -220,8 +221,8 @@ in { } ]; email_configs = let - inherit (import ) kieran; - inherit (import {inherit lib;}) cock; + inherit (import ../../../lib) kieran; + inherit (import ../../../lib/email.nix {inherit lib;}) cock; in [ { send_resolved = true; @@ -230,7 +231,7 @@ in { smarthost = "${cock.smtp}:587"; auth_username = cock.user; auth_identity = cock.user; - auth_password = cock.password; + auth_password = "$EMAIL_PASSWORD"; } ]; } 
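Review bot: The alertmanager `configuration` now references both `$TELEGRAM_TOKEN` and `$EMAIL_PASSWORD`, so the single `environmentFile` `alertmanager-token-reporters` must define both variables; its name suggests it only carries the Telegram token, and nothing states that it also holds the cock.li password that Grafana reads from the separate `email-password-cock` secret. Add a comment at the `environmentFile = ...` line: `# must define TELEGRAM_TOKEN and EMAIL_PASSWORD`. Note that `EnvironmentFile` is read by systemd before privileges are dropped, so the `owner = "prometheus"` given to that secret later in this file is not what makes it readable; the NixOS alertmanager unit runs with `DynamicUser` as far as I recall.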
@@ -238,6 +239,27 @@ in { }; }; + age.secrets = { + email-password-cock = { + file = ../../../secrets/email-password-cock.age; + owner = "grafana"; + group = "grafana"; + mode = "440"; + }; + grafana-password-admin = { + file = ../../../secrets/grafana-password-admin.age; + owner = "grafana"; + group = "grafana"; + mode = "440"; + }; + alertmanager-token-reporters = { + file = ../../../secrets/alertmanager-token-reporters.age; + owner = "prometheus"; + group = "prometheus"; + mode = "440"; + }; + }; + services.prometheus.alertmanagers = [ { scheme = "http"; diff --git a/systems/makanek/names.nix b/systems/makanek/names.nix index 0a608cab..5db92939 100644 --- a/systems/makanek/names.nix +++ b/systems/makanek/names.nix @@ -1,10 +1,11 @@ { pkgs, lib, + inputs, ... }: let port = 5703; - onomap-src = "${}/onomastics-ng"; + onomap-src = inputs.scripts.outPath + "/onomastics-ng"; onomap = pkgs.haskellPackages.callCabal2nix "onomap" onomap-src {}; in { systemd.services.names = { diff --git a/systems/makanek/nextcloud.nix b/systems/makanek/nextcloud.nix index 115bca4f..6874ebb6 100644 --- a/systems/makanek/nextcloud.nix +++ b/systems/makanek/nextcloud.nix @@ -4,9 +4,23 @@ lib, ... }: let - passwordFile = path: toString (pkgs.writeText "password" (lib.strings.fileContents path)); - inherit (import ) localAddresses; + inherit (import ../../lib) localAddresses; in { + age.secrets = { + nextcloud-password-database = { + file = ../../secrets/nextcloud-password-database.age; + owner = "nextcloud"; + group = "nextcloud"; + mode = "440"; + }; + nextcloud-password-admin = { + file = ../../secrets/nextcloud-password-admin.age; + owner = "nextcloud"; + group = "nextcloud"; + mode = "440"; + }; + }; + services.nextcloud = { enable = true; package = pkgs.nextcloud25; 
@@ -30,8 +44,8 @@ in { dbuser = "nextcloud"; dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself dbname = "nextcloud"; - dbpassFile = passwordFile ; - adminpassFile = passwordFile ; + dbpassFile = config.age.secrets.nextcloud-password-database.path; + adminpassFile = config.age.secrets.nextcloud-password-admin.path; adminuser = "admin"; # extraTrustedDomains = [ "toum.r" ]; defaultPhoneRegion = "DE"; @@ -40,7 +54,7 @@ in { logLevel = 2; extraOptions = let - inherit (import {inherit lib;}) cock; + inherit (import ../../lib/email.nix {inherit lib;}) cock; address = builtins.split "@" cock.user; in { defaultapp = "files"; @@ -54,7 +68,7 @@ in { mail_smtpauthtype = "LOGIN"; mail_smtpauth = 1; mail_smtpname = cock.user; - mail_smtppassword = cock.password; + # mail_smtppassword = cock.password; # TODO how to do this? }; }; diff --git a/systems/makanek/radio-news.nix b/systems/makanek/radio-news.nix index 4f41fd66..20a073b3 100644 --- a/systems/makanek/radio-news.nix +++ b/systems/makanek/radio-news.nix @@ -3,10 +3,10 @@ lib, ... }: let - inherit (import ) serveHtml; + inherit (import ../../lib) serveHtml; remote = "https://cgit.lassul.us/stockholm"; in { - services.nginx.virtualHosts."redaktion.r".locations."/".extraConfig = serveHtml pkgs; + services.nginx.virtualHosts."redaktion.r".locations."/".extraConfig = serveHtml ../../lib/radio-news.html pkgs; niveum.passport.services = [ { diff --git a/systems/makanek/radio.nix b/systems/makanek/radio.nix index bc0b508d..14e5395b 100644 --- a/systems/makanek/radio.nix +++ b/systems/makanek/radio.nix @@ -4,7 +4,7 @@ config, ... }: let - inherit (import ) tmpfilesConfig; + inherit (import ../../lib) tmpfilesConfig; liquidsoapDirectory = "/var/cache/liquidsoap"; icecastPassword = "hackme"; lyrikline-poem = pkgs.writers.writeDash "lyrikline.sh" '' diff --git a/systems/makanek/retiolum-map.nix b/systems/makanek/retiolum-map.nix index 0b19a961..8e99d4b8 100644 --- a/systems/makanek/retiolum-map.nix 
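Review bot: Commenting out `mail_smtppassword` while `mail_smtpauth = 1` and `mail_smtpname = cock.user` remain set leaves Nextcloud attempting authenticated SMTP with no password, so outgoing mail fails until the TODO is resolved. The NixOS module already provides a place for this that keeps the value out of the store: `services.nextcloud.secretFile`, a JSON file merged into config.php at runtime, so `services.nextcloud.secretFile = config.age.secrets.<nextcloud-smtp-secret>.path;` with an age file containing `{"mail_smtppassword": "…"}` readable by the nextcloud user would restore it (`<nextcloud-smtp-secret>` is a placeholder name). Until then the TODO should name the mechanism, e.g. `# TODO mail_smtppassword: move to services.nextcloud.secretFile (JSON), cannot live in the store`.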
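Review bot: `icecastPassword = "hackme"` on the context line just below the rewritten `inherit (import ../../lib) tmpfilesConfig;` is the one credential in this file that the secrets migration leaves as a literal in the Nix store, so it is worth either routing it through `age.secrets` like the rest of the commit or marking it as deliberate, e.g. `icecastPassword = "hackme"; # intentionally throwaway: source only reachable from localhost`, if that is true. Where icecast listens is not visible in this hunk, so I cannot tell which of the two applies.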
+++ b/systems/makanek/retiolum-map.nix @@ -2,6 +2,7 @@ config, pkgs, lib, + inputs, ... }: let network = "retiolum"; @@ -11,7 +12,7 @@ geo-ip-database = "${lib.head config.services.geoipupdate.settings.EditionIDs}.mmdb"; geo-ip-database-path = "${config.services.geoipupdate.settings.DatabaseDirectory}/${geo-ip-database}"; - tinc-graph = pkgs.callPackage {}; + tinc-graph = inputs.tinc-graph.defaultPackage.x86_64-linux; in { systemd.services.retiolum-index = { description = "Retiolum indexing service"; @@ -39,11 +40,13 @@ in { enable = true; settings = { AccountID = 608777; - LicenseKey = toString ; + LicenseKey._secret = config.age.secrets.maxmind-license-key.path; EditionIDs = ["GeoLite2-City"]; }; }; + age.secrets.maxmind-license-key.file = ../../secrets/maxmind-license-key.age; + niveum.passport.services = [ { link = "http://graph.r"; @@ -71,9 +74,7 @@ in { systemd.services.geoip-share = { after = ["geoipupdate.service"]; wantedBy = ["geoipupdate.service"]; - script = let - cyberlocker-tools = pkgs.callPackage {}; - in "${cyberlocker-tools}/bin/cput ${geo-ip-database} < ${geo-ip-database-path}"; + script = "${pkgs.curl}/bin/curl -fSs --data-binary @${geo-ip-database-path} http://c.r/${geo-ip-database} "; serviceConfig = { Type = "oneshot"; DynamicUser = true; diff --git a/systems/makanek/tarot.nix b/systems/makanek/tarot.nix index 9010937c..5ce8fceb 100644 --- a/systems/makanek/tarot.nix +++ b/systems/makanek/tarot.nix 
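Review bot: `inputs.tinc-graph.defaultPackage.x86_64-linux` hard-codes the system even though `pkgs` is already a module argument here; `tinc-graph = inputs.tinc-graph.defaultPackage.${pkgs.system};` keeps the file usable if this host is ever built for another architecture. Purely a style point, behaviour on the current host is unchanged.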
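Review bot: The new `script` string ends with a stray space after `http://c.r/${geo-ip-database}`, which the shell discards, so it is harmless but reads like an unfinished edit; trim it. The upload now goes as a plain-HTTP POST to `c.r`, so the GeoIP database travels unencrypted; it is not a secret, but if the scheme is acceptable only because `c.r` sits inside the retiolum VPN, as the hostnames suggest, a one-line comment such as `# c.r is retiolum-internal, plain http is acceptable here` would record that. Keep `-f` so a rejected upload marks the oneshot unit as failed rather than succeeding silently; the `serviceConfig` with `DynamicUser = true` continues past the hunk, and the dynamic user still needs read access to `geo-ip-database-path`, which was equally true of the removed `cput` variant.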
@@ -15,35 +15,34 @@ sha256 = "1n2m53kjg2vj9dbr70b9jrsbqwdfrcb48l4wswn21549fi24g6dx"; }; in { - imports = []; + imports = [../../modules/htgen.nix]; - krebs.htgen.tarot = { + services.htgen.tarot = { port = tarotPort; - user.name = "radio"; - scriptFile = pkgs.writers.writeDash "tarot" '' - case "$Method $Request_URI" in - "GET /") - if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then - card=$(mktemp --tmpdir tarot.XXX) - trap 'rm $card' EXIT - reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1) - if [ "$reverse" -eq 1 ]; then - ${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card" - else - ${pkgs.coreutils}/bin/cp "$item" "$card" + script = ''. ${pkgs.writers.writeDash "tarot" '' + case "$Method $Request_URI" in + "GET /") + if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then + card=$(mktemp --tmpdir tarot.XXX) + trap 'rm $card' EXIT + reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1) + if [ "$reverse" -eq 1 ]; then + ${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card" + else + ${pkgs.coreutils}/bin/cp "$item" "$card" + fi + printf 'HTTP/1.1 200 OK\r\n' + printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")" + printf 'Server: %s\r\n' "$Server" + printf 'Connection: close\r\n' + printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card") + printf '\r\n' + cat "$card" + exit fi - printf 'HTTP/1.1 200 OK\r\n' - printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")" - printf 'Server: %s\r\n' "$Server" - printf 'Connection: close\r\n' - printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card") - printf '\r\n' - cat "$card" - exit - fi - ;; - esac - ''; + ;; + esac + ''}''; }; niveum.passport.services = [ diff --git a/systems/makanek/tt-rss.nix b/systems/makanek/tt-rss.nix index 1ac9362d..6ea2aa33 100644 --- a/systems/makanek/tt-rss.nix +++ b/systems/makanek/tt-rss.nix 
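Review bot: `user.name = "radio"` is dropped without a replacement in `services.htgen.tarot`, so the user the request-handling script runs as now depends entirely on the default in `../../modules/htgen.nix`, which is not part of this diff. The script executes `find`, `shuf`, `convert` and `cat` per request and writes a temp file, so it should stay unprivileged; if the new module exposes a user option, set it explicitly, otherwise record the assumption with `# runs as the htgen module's default user; must remain unprivileged`. The sourced dash script is otherwise byte-for-byte the old one, just re-indented, so there is no behavioural change to review beyond the user question.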
@@ -9,10 +9,7 @@ in { services.miniflux = { enable = true; - adminCredentialsFile = pkgs.writeText "miniflux" '' - ADMIN_USERNAME='kfm' - ADMIN_PASSWORD='${lib.strings.fileContents }' - ''; + adminCredentialsFile = config.age.secrets.miniflux-credentials.path; config = { FETCH_YOUTUBE_WATCH_TIME = "1"; POLLING_FREQUENCY = "20"; @@ -22,6 +19,8 @@ in { }; }; + age.secrets.miniflux-credentials.file = ../../secrets/miniflux-credentials.age; + services.postgresqlBackup = { enable = true; databases = ["miniflux"]; diff --git a/systems/makanek/urlwatch.nix b/systems/makanek/urlwatch.nix index 1fecc773..094e563d 100644 --- a/systems/makanek/urlwatch.nix +++ b/systems/makanek/urlwatch.nix @@ -4,7 +4,7 @@ lib, ... }: let - inherit (import ) kieran; + inherit (import ../../lib) kieran; urlwatchDir = "/var/lib/urlwatch"; @@ -141,14 +141,14 @@ port = 587; starttls = true; auth = true; - insecure_password = lib.strings.fileContents ; + # insecure_password = lib.strings.fileContents ; TODO how? }; subject = "{count} changes: {jobs}"; to = kieran.email; }; telegram = { enabled = false; - bot_token = lib.strings.fileContents ; + # bot_token = lib.strings.fileContents ; TODO how? chat_id = "-1001504043752"; }; html.diff = "unified"; @@ -165,7 +165,7 @@ }; }; urlwatch = pkgs.urlwatch.overrideAttrs (attrs: { - patches = []; + patches = [../../packages/urlwatch-insecure.patch]; }); in { users.extraUsers.urlwatch = { diff --git a/systems/makanek/weechat.nix b/systems/makanek/weechat.nix index 77eb48d4..14f1c028 100644 --- a/systems/makanek/weechat.nix +++ b/systems/makanek/weechat.nix @@ -3,9 +3,9 @@ pkgs, ... }: let - inherit (import ) kieran; - relayPassword = lib.fileContents ; + inherit (import ../../lib) kieran; weechatHome = "/var/lib/weechat"; + weechat-declarative = pkgs.callPackage ../../packages/weechat-declarative.nix {}; in { systemd.services.weechat = let tmux = pkgs.writers.writeDash "tmux" '' 
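Review bot: `adminCredentialsFile` now points at an opaque age file, and nothing records that it must keep the EnvironmentFile= layout the removed `writeText` produced (`ADMIN_USERNAME=…` and `ADMIN_PASSWORD=…`), which is the format the miniflux module documents for this option as far as I recall. A comment on the line saves the next reader a trip to the module: `adminCredentialsFile = config.age.secrets.miniflux-credentials.path; # EnvironmentFile= format: ADMIN_USERNAME=…/ADMIN_PASSWORD=…`. Since systemd loads EnvironmentFile= with root privileges, the agenix root-only default on the `age.secrets.miniflux-credentials.file` declaration in the next hunk is sufficient here.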
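Review bot: With `insecure_password` commented out, the `email.smtp` block still has `auth = true` against port 587, so urlwatch will try to authenticate without a credential and every e-mail report will fail; the telegram block only stays harmless because `enabled = false`. The urlwatch config is rendered at build time (the enclosing `let` starts outside this hunk), so the way out is to materialise the secret-bearing file at service start rather than in the store, for example keeping a placeholder in the Nix-side YAML and substituting it in the unit's `preStart` with `replace-secret` from the agenix path, or setting `auth = false` until that exists instead of shipping a half-configured reporter. Either way the marker should name the plan rather than `TODO how?`, e.g. `# insecure_password: substitute at runtime from config.age.secrets.<urlwatch-smtp>.path in preStart` (placeholder secret name).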
@@ -26,13 +26,13 @@ in { '' } "$@" ''; - weechat = pkgs.weechat-declarative.override { + weechat = weechat-declarative.override { config = { scripts = [ pkgs.weechatScripts.weechat-autosort pkgs.weechatScripts.colorize_nicks pkgs.weechatScripts.weechat-matrix - (pkgs.callPackage {}) + (pkgs.callPackage ../../packages/weechatScripts/hotlist2extern.nix {}) ]; settings = let nick = "kmein"; @@ -63,7 +63,7 @@ in { autojoin = ["#eloop" "#krebs" "#hsmr" "#hsmr-moin" "#nixos" "#the_playlist" "#flipdot-berlin" "#hackint"]; sasl_mechanism = "plain"; sasl_username = nick; - sasl_password = lib.strings.fileContents ; + sasl_password = "\${sec.data.hackint_sasl}"; }; libera = { autoconnect = true; @@ -72,7 +72,7 @@ in { autojoin = ["#flipdot" "#haskell" "#nixos" "#fysi" "#binaergewitter" "#vim" "#newsboat"]; sasl_mechanism = "plain"; sasl_username = nick; - sasl_password = lib.strings.fileContents ; + sasl_password = "\${sec.data.libera_sasl}"; }; oftc = { autoconnect = true; @@ -80,7 +80,7 @@ in { ssl = true; ipv6 = true; command = lib.concatStringsSep "\\;" [ - "/msg nickserv identify ${lib.strings.fileContents }" + "/msg nickserv identify \${sec.data.oftc_account}" "/msg nickserv set cloak on" ]; autojoin = ["#home-manager"]; @@ -97,7 +97,7 @@ in { ]; sasl_mechanism = "plain"; sasl_username = nick; - sasl_password = lib.strings.fileContents ; + sasl_password = "\${sec.data.retiolum_sasl}"; }; news = { autoconnect = true; @@ -121,13 +121,13 @@ in { matrix.server.nibbana = { address = "nibbana.jp"; username = nick; - password = lib.strings.fileContents ; + password = "\${sec.data.nibbana_account}"; autoconnect = true; }; alias.cmd.mod = "/quote omode $channel +o $nick"; relay = { port.weechat = 9000; - network.password = relayPassword; + network.password = "\${sec.data.relay_password}"; }; filters = { zerocovid = { 
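Review bot: The `\${sec.data.*}` references introduced in the `sasl_password`, `command`, `password` and `relay.network.password` hunks of this file all depend on `/var/lib/weechat/sec.conf` being present and readable before weechat loads its config, but nothing records which names that file must define (`hackint_sasl`, `libera_sasl`, `oftc_account`, `retiolum_sasl`, `nibbana_account`, `relay_password`). A comment at the first use keeps the two files in sync: `# secrets come from sec.conf (age.secrets.weechat-sec); keys: hackint_sasl, libera_sasl, oftc_account, retiolum_sasl, nibbana_account, relay_password`. Two behaviours are worth checking against the weechat docs rather than assuming: that `irc.server.*.command` evaluates `${sec.data.*}` the way the password options do, and that a sec.conf protected by a passphrase would block this headless bouncer at startup, so the file should either use no passphrase or supply it through weechat's passphrase-command option.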
@@ -202,6 +202,14 @@ in { packages = [pkgs.tmux]; }; + age.secrets.weechat-sec = { + file = ../../secrets/weechat-sec.conf.age; + path = "/var/lib/weechat/sec.conf"; + owner = "weechat"; + group = "weechat"; + mode = "440"; + }; + niveum.passport.services = [ { title = "weechat bouncer"; diff --git a/systems/manakish/configuration.nix b/systems/manakish/configuration.nix index 92adbff0..8e39a289 100644 --- a/systems/manakish/configuration.nix +++ b/systems/manakish/configuration.nix @@ -3,17 +3,25 @@ pkgs, ... }: let - inherit (import ) retiolumAddresses; + inherit (import ../../lib) retiolumAddresses; in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ./hdmi.nix - - - + ../../configs/default.nix + ../../configs/battery.nix + ../../configs/wpa_supplicant.nix ]; + age.secrets = { + retiolum-rsa.file = ../../secrets/manakish-retiolum-privateKey-rsa.age; + retiolum-ed25519.file = ../../secrets/manakish-retiolum-privateKey-ed25519.age; + restic.file = ../../secrets/restic.age; + syncthing-cert.file = ../../secrets/manakish-syncthing-cert.age; + syncthing-key.file = ../../secrets/manakish-syncthing-key.age; + }; + niveum = { batteryName = "BAT0"; wirelessInterface = "wlp3s0"; diff --git a/systems/tabula/configuration.nix b/systems/tabula/configuration.nix index b6c85c11..2f62f689 100644 --- a/systems/tabula/configuration.nix +++ b/systems/tabula/configuration.nix @@ -3,16 +3,20 @@ pkgs, ... }: let - inherit (import ) retiolumAddresses; + inherit (import ../../lib) retiolumAddresses; in { imports = [ ./hardware-configuration.nix - - - + ../../configs/spacetime.nix + ../../configs/retiolum.nix + ../../configs/sshd.nix + ../../configs/nix.nix ]; - nix.nixPath = ["/var/src"]; + age.secrets = { + retiolum-rsa.file = ../../secrets/tabula-retiolum-privateKey-rsa.age; + retiolum-ed25519.file = ../../secrets/tabula-retiolum-privateKey-rsa.age; + }; services.xserver = { libinput.enable = true; 
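Review bot: Installing the secret directly as `/var/lib/weechat/sec.conf` with `mode = "440"` collides with weechat rewriting sec.conf on `/save` and, with `weechat.look.save_config_on_exit`, at exit: if agenix places a symlink into /run/agenix.d at that `path`, the save fails, and if it installs a plain copy, weechat may overwrite the managed file with its own version. Confirm which of the two agenix does for a custom `path`, and if the file is meant to stay read-only say so on the line: `path = "/var/lib/weechat/sec.conf"; # read-only, managed by agenix: /save of sec.conf is expected to fail`. The removed `relayPassword` binding is fully replaced by `${sec.data.relay_password}`, so no dangling reference remains.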
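Review bot: `retiolum-ed25519.file = ../../secrets/tabula-retiolum-privateKey-rsa.age;` points the ed25519 secret at the RSA key file, so whatever reads `config.age.secrets.retiolum-ed25519.path` (presumably `../../configs/retiolum.nix`, not in this diff) receives the wrong key type; the intended line is `retiolum-ed25519.file = ../../secrets/tabula-retiolum-privateKey-ed25519.age;`, matching the manakish hunk above, which gets it right. The same copy-paste appears in the tahina and zaatar `configuration.nix` hunks further down. If the `-ed25519.age` files for these hosts do not exist yet in the secrets submodule, evaluation will fail, which at least makes the mismatch visible instead of silently configuring tinc with an RSA key in the ed25519 slot.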
diff --git a/systems/tahina/configuration.nix b/systems/tahina/configuration.nix index 25331f71..ed90f1c6 100644 --- a/systems/tahina/configuration.nix +++ b/systems/tahina/configuration.nix @@ -3,16 +3,20 @@ pkgs, ... }: let - inherit (import ) retiolumAddresses; + inherit (import ../../lib) retiolumAddresses; in { imports = [ ./hardware-configuration.nix - - - + ../../configs/spacetime.nix + ../../configs/sshd.nix + ../../configs/retiolum.nix + ../../configs/nix.nix ]; - nix.nixPath = ["/var/src"]; + age.secrets = { + retiolum-rsa.file = ../../secrets/tahina-retiolum-privateKey-rsa.age; + retiolum-ed25519.file = ../../secrets/tahina-retiolum-privateKey-rsa.age; + }; console.keyMap = "de"; i18n.defaultLocale = "de_DE.UTF-8"; diff --git a/systems/zaatar/atuin.nix b/systems/zaatar/atuin.nix index c78ce742..36e91b16 100644 --- a/systems/zaatar/atuin.nix +++ b/systems/zaatar/atuin.nix @@ -1,6 +1,9 @@ -{config, ...}: let - inherit (import ) tmpfilesConfig; - unstable = import {inherit (config.nixpkgs) config;}; +{ + config, + pkgs, + ... +}: let + inherit (import ../../lib) tmpfilesConfig; in { services.postgresql = { enable = true; @@ -47,7 +50,7 @@ in { }; serviceConfig = { User = "atuin"; - ExecStart = "${unstable.atuin}/bin/atuin server start"; + ExecStart = "${pkgs.atuin}/bin/atuin server start"; Restart = "on-failure"; }; }; diff --git a/systems/zaatar/backup.nix b/systems/zaatar/backup.nix index d60d87fd..b51f3cc9 100644 --- a/systems/zaatar/backup.nix +++ b/systems/zaatar/backup.nix @@ -1,9 +1,10 @@ { + config, pkgs, lib, ... }: let - niveumLib = import ; + niveumLib = import ../../lib; inherit (niveumLib) retiolumAddresses restic; firewall = niveumLib.firewall lib; dataDir = "/backup/restic"; 
@@ -19,7 +20,7 @@ in { environment.systemPackages = [ (pkgs.writers.writeDashBin "restic-niveum" '' - exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${} "$@" + exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${config.age.secrets.restic.path} "$@" '') ]; diff --git a/systems/zaatar/configuration.nix b/systems/zaatar/configuration.nix index cccb2798..3ffb7d8a 100644 --- a/systems/zaatar/configuration.nix +++ b/systems/zaatar/configuration.nix @@ -4,7 +4,7 @@ lib, ... }: let - inherit (import ) retiolumAddresses restic; + inherit (import ../../lib) retiolumAddresses restic; in { imports = [ ./atuin.nix @@ -18,18 +18,23 @@ in { ./mpd.nix ./grocy.nix ./spotifyd.nix - - - - - - - # - - - + ../../configs/keyboard.nix + ../../configs/monitoring.nix + ../../configs/retiolum.nix + ../../configs/printing.nix + ../../configs/spacetime.nix + ../../configs/sshd.nix + ../../configs/tmux.nix + ../../configs/wpa_supplicant.nix + ../../configs/nix.nix ]; + age.secrets = { + retiolum-rsa.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age; + retiolum-ed25519.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age; + restic.file = ../../secrets/restic.age; + }; + services.restic.backups.moodle-dl = { initialize = true; inherit (restic) repository; @@ -37,7 +42,7 @@ in { OnCalendar = "daily"; RandomizedDelaySec = "1h"; }; - passwordFile = toString ; + passwordFile = config.age.secrets.restic.path; paths = [ "/var/lib/moodle-dl" "/var/lib/containers/storage/volumes/home-assistant" @@ -56,7 +61,7 @@ in { services.illum.enable = true; environment.systemPackages = let - worldradio = pkgs.callPackage {}; + worldradio = pkgs.callPackage ../../packages/worldradio.nix {}; in [ (pkgs.writers.writeDashBin "mpv" ''${pkgs.mpv}/bin/mpv --no-video "$@"'') (pkgs.writers.writeDashBin "worldradio" '' 
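Review bot: The `restic-niveum` wrapper drops to `restic:restic` via `runuser` and then passes `-p ${config.age.secrets.restic.path}`, but the `restic.file = ../../secrets/restic.age;` declaration in the `configuration.nix` hunk below sets no owner, group or mode, so agenix's root-only default leaves the password file unreadable for that user. `services.restic.backups.moodle-dl` runs as root by default and is unaffected, so the least-privilege fix keeps root as owner and opens the file to the group: `restic = { file = ../../secrets/restic.age; group = "restic"; mode = "440"; };`. Whether a `restic` system user exists is not visible here, but `runuser -u restic -g restic` already assumes it.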
diff --git a/systems/zaatar/hardware-configuration.nix b/systems/zaatar/hardware-configuration.nix index 4cf86713..f43a0e66 100644 --- a/systems/zaatar/hardware-configuration.nix +++ b/systems/zaatar/hardware-configuration.nix @@ -2,9 +2,10 @@ config, lib, pkgs, + modulesPath, ... }: { - imports = []; + imports = [(modulesPath + "/installer/scan/not-detected.nix")]; boot = { initrd.availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" "rtsx_usb_sdmmc"]; diff --git a/systems/zaatar/moodle-dl-meinhark.nix b/systems/zaatar/moodle-dl-meinhark.nix index 0d6fbd28..f012893d 100644 --- a/systems/zaatar/moodle-dl-meinhark.nix +++ b/systems/zaatar/moodle-dl-meinhark.nix @@ -7,22 +7,26 @@ moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old: old // { - patches = []; + patches = [../../packages/moodle-dl/telegram-format.patch]; }); in { - imports = []; + imports = [../../modules/moodle-dl.nix]; + + age.secrets = { + moodle-dl-tokens.file = ../../secrets/zaatar-moodle-dl-tokens.json.age; + moodle-dl-basicAuth.file = ../../secrets/zaatar-moodle-dl-basicAuth.age; + }; services.moodle-dl = { enable = true; startAt = "hourly"; package = moodle-dl-package; + tokensFile = config.age.secrets.moodle-dl-tokens.path; settings = { telegram = { - token = lib.strings.fileContents ; chat_id = "18980945"; send_error_msg = false; }; - token = lib.strings.fileContents ; moodle_domain = "moodle.hu-berlin.de"; moodle_path = "/"; download_course_ids = [ @@ -103,11 +107,8 @@ in { services.nginx.enable = true; - services.nginx.virtualHosts."moodle.kmein.r" = let - identity = lib.strings.fileContents ; - password = lib.strings.fileContents ; - in { - basicAuth."${identity}" = password; + services.nginx.virtualHosts."moodle.kmein.r" = { + basicAuthFile = config.age.secrets.moodle-dl-basicAuth.path; locations."/" = { root = config.services.moodle-dl.directory; extraConfig = '' 
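Review bot: `basicAuthFile = config.age.secrets.moodle-dl-basicAuth.path;` hands nginx a file that the `age.secrets.moodle-dl-basicAuth.file` declaration earlier in this file leaves at agenix's root-only default, yet `auth_basic_user_file` is opened by the nginx worker processes, so requests to `moodle.kmein.r` will error out until the file is readable by the nginx service user (`nginx` by default): `moodle-dl-basicAuth = { file = ../../secrets/zaatar-moodle-dl-basicAuth.age; owner = config.services.nginx.user; mode = "400"; };`. The file must also be in htpasswd format (`user:<hash>`), not the bare identity/password pair that the removed `basicAuth."${identity}" = password` hashed for you, and a short comment on the line would record that. The same ownership point applies to `ympd-basicAuth` in the `systems/zaatar/mpd.nix` hunks below. How `tokensFile` is consumed depends on `../../modules/moodle-dl.nix`, which is outside the diff, so its required ownership I cannot judge.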
@@ -120,7 +121,7 @@ in { services.nfs.server = { enable = true; exports = let - machines = with (import ).retiolumAddresses; [kabsa manakish]; + machines = with (import ../../lib).retiolumAddresses; [kabsa manakish]; in '' /export ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(fsid=0)") machines} /export/moodle ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(insecure,rw)") machines} diff --git a/systems/zaatar/mpd.nix b/systems/zaatar/mpd.nix index ba4fadfd..70447810 100644 --- a/systems/zaatar/mpd.nix +++ b/systems/zaatar/mpd.nix @@ -4,19 +4,14 @@ lib, ... }: let - firewall = (import ).firewall lib; - inherit (import ) tmpfilesConfig; + firewall = (import ../../lib).firewall lib; + inherit (import ../../lib) tmpfilesConfig; - streams = import { - di-fm-key = lib.strings.fileContents ; + streams = import ../../lib/streams.nix { + di-fm-key = ""; # TODO lib.strings.fileContents ; }; multi-room-audio-port = 8000; - password = lib.strings.fileContents ; in { - imports = [ - - ]; - services.syncthing = let mpd-directory = config.services.mpd.dataDir; in { @@ -25,10 +20,10 @@ in { openDefaultPorts = true; configDir = "${mpd-directory}/.config/syncthing"; dataDir = "${mpd-directory}/.config/syncthing"; - cert = toString ; - key = toString ; + cert = config.age.secrets.syncthing-cert.path; + key = config.age.secrets.syncthing-key.path; devices = { - inherit ((import ).syncthing.devices) kabsa manakish heym; + inherit ((import ../../lib).syncthing.devices) kabsa manakish heym; }; folders.${config.services.mpd.musicDirectory} = { devices = ["heym" "kabsa" "manakish"]; 
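Review bot: `di-fm-key = "";` hands `../../lib/streams.nix` an empty key, and the `age.secrets.di-fm-key.file` declaration added in the next hunk is never read anywhere, so the di.fm streams are silently broken while a secret that nothing uses is still decrypted onto the host. Nix evaluation cannot read runtime secrets, so either generate the affected playlist entries at service start from `config.age.secrets.di-fm-key.path` (a `preStart` substituting the key into a template), or drop the unused secret until that exists and make the marker precise: `di-fm-key = ""; # TODO substitute config.age.secrets.di-fm-key.path at runtime; evaluation cannot read it`.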
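Review bot: `cert` and `key` now reference `config.age.secrets.syncthing-cert.path` and `syncthing-key.path`, whose declarations in the next hunk (and the matching ones in the manakish `configuration.nix` hunk) set no owner, so they stay root-only by agenix's default; as far as I recall the NixOS syncthing module copies `cert`/`key` into `configDir` from a `preStart` that already runs as the service user, in which case that copy fails. Setting the owner to the syncthing service user on both secrets covers this: `syncthing-cert = { file = ../../secrets/zaatar-syncthing-cert.age; owner = config.services.syncthing.user; };` and likewise for `syncthing-key`. Which user that is for this host (the `configDir` under `mpd-directory` hints it may not be the default) is not visible in the hunk, so check before choosing between `owner` and a group plus `mode = "440"`.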
@@ -105,6 +100,13 @@ in { mpd.port = config.services.mpd.network.port; }; + age.secrets = { + ympd-basicAuth.file = ../../secrets/zaatar-ympd-basicAuth.age; + syncthing-cert.file = ../../secrets/zaatar-syncthing-cert.age; + syncthing-key.file = ../../secrets/zaatar-syncthing-key.age; + di-fm-key.file = ../../secrets/di-fm-key.age; + }; + services.nginx = { enable = true; recommendedGzipSettings = true; @@ -112,7 +114,7 @@ in { recommendedProxySettings = true; recommendedTlsSettings = true; virtualHosts."radio.kmein.r" = { - basicAuth.dj = password; + basicAuthFile = config.age.secrets.ympd-basicAuth.path; locations."/" = { proxyPass = "http://127.0.0.1:${config.services.ympd.webPort}"; proxyWebsockets = true; diff --git a/systems/zaatar/spotifyd.nix b/systems/zaatar/spotifyd.nix index ce359e4c..cbd20acb 100644 --- a/systems/zaatar/spotifyd.nix +++ b/systems/zaatar/spotifyd.nix @@ -8,8 +8,8 @@ enable = true; settings = { global = { - username = lib.strings.fileContents ; - password = lib.strings.fileContents ; + username_cmd = "cat ${config.age.secrets.spotify-username.path}"; + password_cmd = "cat ${config.age.secrets.spotify-password.path}"; backend = "pulseaudio"; bitrate = 320; device_type = "s_t_b"; # set-top box @@ -18,6 +18,11 @@ }; }; + age.secrets = { + spotify-username.file = ../../secrets/spotify-username.age; + spotify-password.file = ../../secrets/spotify-password.age; + }; + # ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502 hardware.pulseaudio.extraConfig = '' unload-module module-native-protocol-unix
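Review bot: `password_cmd = "cat ${config.age.secrets.spotify-password.path}"` runs inside the spotifyd service, and the `age.secrets.spotify-password.file` declaration in the next hunk keeps agenix's root-only default, so the `cat` fails unless spotifyd runs as root; my recollection is that the NixOS spotifyd module uses `DynamicUser`, which also rules out chowning the file to a fixed user. Loading the files as systemd credentials sidesteps both problems: `systemd.services.spotifyd.serviceConfig.LoadCredential = ["spotify-password:${config.age.secrets.spotify-password.path}" "spotify-username:${config.age.secrets.spotify-username.path}"];` together with `password_cmd = "cat $CREDENTIALS_DIRECTORY/spotify-password";` (and the same shape for `username_cmd`), since systemd reads the source as root and exposes it only to this unit. Confirm the module's user setting first; if it runs as a fixed user, `owner` on the two secrets is the simpler fix.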