From 777a2fe7347e55450c63170db336cbe8518961bd Mon Sep 17 00:00:00 2001 
From: makefu Date: Sun, 2 Jul 2023 16:05:52 +0200 Subject: treewide: replace stockholm/lib with stockholm.lib --- 2configs/bepasty-dual.nix | 2 +- 2configs/bgt/download.binaergewitter.de.nix | 2 +- 2configs/collectd/collectd-base.nix | 2 +- 2configs/dcpp/hub.nix | 2 +- 2configs/deployment/boot-euer.nix | 2 +- 2configs/deployment/graphs.nix | 2 +- 2configs/deployment/photostore.krebsco.de.nix | 2 +- 2configs/elchos/irc-token.nix | 2 +- 2configs/elchos/search.nix | 2 +- 2configs/elchos/stats.nix | 2 +- 2configs/exim-retiolum.nix | 2 +- 2configs/filepimp-share.nix | 2 +- 2configs/fs/vm-single-partition.nix | 2 +- 2configs/git/cgit-retiolum.nix | 2 +- 2configs/graphite-standalone.nix | 2 +- 2configs/home/metube.nix | 2 +- 2configs/home/photoprism.nix | 14 +++----- 2configs/home/zigbee2mqtt/default.nix | 51 +++------------------------ 2configs/hw/tp-x200.nix | 2 +- 2configs/lanparty/lancache-dns.nix | 2 +- 2configs/lanparty/lancache.nix | 2 +- 2configs/mail-client.nix | 2 +- 2configs/mattermost-docker.nix | 2 +- 2configs/minimal.nix | 2 +- 2configs/nginx/euer.blog.nix | 2 +- 2configs/nginx/euer.mon.nix | 2 +- 2configs/nginx/euer.test.nix | 2 +- 2configs/nginx/euer.wiki.nix | 2 +- 2configs/nginx/gold.krebsco.de.nix | 2 +- 2configs/nginx/gum.krebsco.de.nix | 2 +- 2configs/nginx/icecult.nix | 2 +- 2configs/nginx/public_html.nix | 2 +- 2configs/nginx/rompr.nix | 2 +- 2configs/nginx/update.connector.one.nix | 2 +- 2configs/nsupdate-data.nix | 2 +- 2configs/sabnzbd.nix | 2 +- 2configs/shack/events-publisher/default.nix | 2 +- 2configs/share/anon-sftp.nix | 2 +- 2configs/share/omo.nix | 2 +- 2configs/solr.nix | 2 +- 2configs/sshd-totp.nix | 6 ++-- 2configs/stats/external/weather2stats.nix | 2 +- 2configs/stats/server.nix | 2 +- 2configs/stats/telegraf/hamstats.nix | 7 ++-- 2configs/sync/default.nix | 8 +++-- 2configs/syncthing.nix | 2 +- 2configs/tinc/retiolum.nix | 10 ++++-- 47 files changed, 71 insertions(+), 107 deletions(-) 
diff --git a/2configs/bepasty-dual.nix b/2configs/bepasty-dual.nix
index f63dbefd8..fd52d504a 100644
--- a/2configs/bepasty-dual.nix
+++ b/2configs/bepasty-dual.nix
@@ -10,7 +10,7 @@
 # wildcard.krebsco.de.key
 # bepasty-secret.nix <- contains single string
-with import ;
+with pkgs.stockholm.lib;
 let
 sec = toString ;
 # secKey is nothing worth protecting on a local machine
diff --git a/2configs/bgt/download.binaergewitter.de.nix b/2configs/bgt/download.binaergewitter.de.nix
index 31da31a71..7664dacaa 100644
--- a/2configs/bgt/download.binaergewitter.de.nix
+++ b/2configs/bgt/download.binaergewitter.de.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 ident = (builtins.readFile ./auphonic.pub);
 bgtaccess = "/var/spool/nginx/logs/binaergewitter.access.log";
diff --git a/2configs/collectd/collectd-base.nix b/2configs/collectd/collectd-base.nix
index 9168d1fa9..3f41aa04f 100644
--- a/2configs/collectd/collectd-base.nix
+++ b/2configs/collectd/collectd-base.nix
@@ -2,7 +2,7 @@
 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
-with import ;
+with pkgs.stockholm.lib;
 let
 connect-time-cfg = with pkgs; writeText "collectd-connect-time.cfg" ''
 LoadPlugin python
diff --git a/2configs/dcpp/hub.nix b/2configs/dcpp/hub.nix
index f0aac3f32..7b5163d54 100644
--- a/2configs/dcpp/hub.nix
+++ b/2configs/dcpp/hub.nix
@@ -2,7 +2,7 @@
 # search also generates ddclient entries for all other logs
-with import ;
+with pkgs.stockholm.lib;
 let
 ddclientUser = "ddclient";
 sec = toString ;
diff --git a/2configs/deployment/boot-euer.nix b/2configs/deployment/boot-euer.nix
index f890ea7ad..6d83d1efc 100644
--- a/2configs/deployment/boot-euer.nix
+++ b/2configs/deployment/boot-euer.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 # more than just nginx config but not enough to become a module
-with import ;
+with pkgs.stockholm.lib;
 let
 hostname = config.krebs.build.host.name;
 bootscript = pkgs.writeTextDir "runit" ''
diff --git a/2configs/deployment/graphs.nix b/2configs/deployment/graphs.nix
index 1f6deb1bf..286b7301d 100644
--- a/2configs/deployment/graphs.nix
+++ b/2configs/deployment/graphs.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 external-ip = config.krebs.build.host.nets.internet.ip4.addr;
 internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
diff --git a/2configs/deployment/photostore.krebsco.de.nix b/2configs/deployment/photostore.krebsco.de.nix
index 19a8df235..9e0c870c3 100644
--- a/2configs/deployment/photostore.krebsco.de.nix
+++ b/2configs/deployment/photostore.krebsco.de.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 # more than just nginx config but not enough to become a module
-with import ;
+with pkgs.stockholm.lib;
 let
 wsgi-sock = "${workdir}/uwsgi-photostore.sock";
 workdir = config.services.uwsgi.runDir;
diff --git a/2configs/elchos/irc-token.nix b/2configs/elchos/irc-token.nix
index 4844bf29f..c8873c631 100644
--- a/2configs/elchos/irc-token.nix
+++ b/2configs/elchos/irc-token.nix
@@ -1,5 +1,5 @@
 {pkgs, ...}:
-with import ;
+with pkgs.stockholm.lib;
 let
 secret = (import );
 in {
diff --git a/2configs/elchos/search.nix b/2configs/elchos/search.nix
index e7b91e6a8..b9d4ed5de 100644
--- a/2configs/elchos/search.nix
+++ b/2configs/elchos/search.nix
@@ -2,7 +2,7 @@
 # search also generates ddclient entries for all other logs
-with import ;
+with pkgs.stockholm.lib;
 let
 #primary-itf = "eth0";
 #primary-itf = "wlp2s0";
diff --git a/2configs/elchos/stats.nix b/2configs/elchos/stats.nix
index 2036b391f..12cce0507 100644
--- a/2configs/elchos/stats.nix
+++ b/2configs/elchos/stats.nix
@@ -4,7 +4,7 @@
 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
-with import ;
+with pkgs.stockholm.lib;
 {
 networking.firewall = {
diff --git a/2configs/exim-retiolum.nix b/2configs/exim-retiolum.nix
index 1f433ab44..172c5279b 100644
--- a/2configs/exim-retiolum.nix
+++ b/2configs/exim-retiolum.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 {
 networking.firewall.allowedTCPPorts = [ 25 ];
diff --git a/2configs/filepimp-share.nix b/2configs/filepimp-share.nix
index 850d432f3..cd6dc4279 100644
--- a/2configs/filepimp-share.nix
+++ b/2configs/filepimp-share.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 hostname = config.krebs.build.host.name;
 in {
diff --git a/2configs/fs/vm-single-partition.nix b/2configs/fs/vm-single-partition.nix
index 26908c357..568d21af6 100644
--- a/2configs/fs/vm-single-partition.nix
+++ b/2configs/fs/vm-single-partition.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 # vda1 ext4 (label nixos) -> only root partition
-with import ;
+with pkgs.stockholm.lib;
 {
 imports = [
 ./single-partition-ext4.nix
diff --git a/2configs/git/cgit-retiolum.nix b/2configs/git/cgit-retiolum.nix
index 114febe8b..1fffebd21 100644
--- a/2configs/git/cgit-retiolum.nix
+++ b/2configs/git/cgit-retiolum.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 # TODO: remove tv lib :)
-with import ;
+with pkgs.stockholm.lib;
 let
 repos = pub-repos // priv-repos // krebs-repos // connector-repos // krebsroot-repos;
diff --git a/2configs/graphite-standalone.nix b/2configs/graphite-standalone.nix
index 51c4c9561..1b39c648f 100644
--- a/2configs/graphite-standalone.nix
+++ b/2configs/graphite-standalone.nix
@@ -2,7 +2,7 @@
 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
-with import ;
+with pkgs.stockholm.lib;
 {
 imports = [ ];
diff --git a/2configs/home/metube.nix b/2configs/home/metube.nix
index e6008d475..f9ad3ec09 100644
--- a/2configs/home/metube.nix
+++ b/2configs/home/metube.nix
@@ -1,6 +1,6 @@
 { pkgs, lib, ...}:
 # docker run -d -p 8081:8081 -v /path/to/downloads:/downloads --user 1001:1001 alexta69/metube
-with import ;
+with pkgs.stockholm.lib;
 let
 port = "2348";
 dl-dir = "/media/cryptX/youtube/music";
diff --git a/2configs/home/photoprism.nix b/2configs/home/photoprism.nix
index 2f8a86430..096ad2979 100644
--- a/2configs/home/photoprism.nix
+++ b/2configs/home/photoprism.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ...}:
+{ pkgs, config, lib, ...}:
 # Start | docker-compose up -d
 # Stop | docker-compose stop
 # Update | docker-compose pull
@@ -19,9 +19,9 @@ let
 statedir = "/media/cryptX/lib/photoprism/appsrv";
 db-dir = "/media/cryptX/lib/photoprism/mysql";
 internal-ip = "192.168.111.11";
- sec = import ;
 in {
+ sops.secrets."photoprism/envfile" = {};
 virtualisation.oci-containers.backend = "docker";
 services.nginx.virtualHosts."photos" = {
@@ -80,8 +80,6 @@ in
 PHOTOPRISM_DETECT_NSFW = "false"; # Flag photos as private that MAY be offensive (requires TensorFlow)
 PHOTOPRISM_UPLOAD_NSFW = "true"; # Allow uploads that MAY be offensive
 PHOTOPRISM_AUTH_MODE = "password";
- PHOTOPRISM_ADMIN_USER = "admin";
- PHOTOPRISM_ADMIN_PASSWORD = "admin";
 #PHOTOPRISM_DATABASE_DRIVER = "postgres";
 #PHOTOPRISM_DATABASE_SERVER = "postgres-prism:5432";
@@ -92,8 +90,6 @@ in
 PHOTOPRISM_DATABASE_DRIVER= "mysql"; # Use MariaDB (or MySQL) instead of SQLite for improved performance
 PHOTOPRISM_DATABASE_SERVER= "mysql-photoprism:3306" ; # MariaDB database server (hostname:port)
 PHOTOPRISM_DATABASE_NAME= "photoprism"; # MariaDB database schema name
- PHOTOPRISM_DATABASE_USER= sec.db.username; # MariaDB database user name
- PHOTOPRISM_DATABASE_PASSWORD= sec.db.password; # MariaDB database user password
 PHOTOPRISM_SITE_URL = "http://localhost:2342/"; # Public PhotoPrism URL
 PHOTOPRISM_SITE_TITLE = "PhotoPrism";
@@ -122,11 +118,11 @@ in
 # "--innodb-lock-wait-timeout=50"
 #];
 volumes= [ "${db-dir}:/var/lib/mysql" ];
+ environmentFiles = [
+ config.sops.secrets."photoprism/envfile".path
+ ];
 environment = {
- MYSQL_ROOT_PASSWORD = "dickidibutt";
 MYSQL_DATABASE= "photoprism";
- MYSQL_USER = sec.db.username;
- MYSQL_PASSWORD = sec.db.password;
 };
 };
 #virtualisation.oci-containers.containers.postgres-prism = {
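Review bot: The photoprism container loses its credentials entirely: the -80 and -92 hunks drop PHOTOPRISM_ADMIN_USER/PASSWORD and PHOTOPRISM_DATABASE_USER/PASSWORD, but `environmentFiles` is only added to the mysql-photoprism container in the -122 hunk, so unless the photoprism container picks up the env file somewhere outside these hunks it starts with no database password and, with `PHOTOPRISM_AUTH_MODE = "password"`, no admin password. Add the same `environmentFiles = [ config.sops.secrets."photoprism/envfile".path ];` to the photoprism container and keep the variable names in the sops file identical to the removed keys. Dropping `MYSQL_ROOT_PASSWORD = "dickidibutt"` from the environment does not change the credential stored in the persistent `${db-dir}` volume — the MariaDB image only applies MYSQL_* on first initialisation — so the old root and user passwords remain both in git history and in the live database until rotated inside MariaDB. Both container definitions begin and end outside the hunks.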
diff --git a/2configs/home/zigbee2mqtt/default.nix b/2configs/home/zigbee2mqtt/default.nix
index 8bb8a929b..ca68a1548 100644
--- a/2configs/home/zigbee2mqtt/default.nix
+++ b/2configs/home/zigbee2mqtt/default.nix
@@ -2,11 +2,14 @@ let
 dataDir = "/var/lib/zigbee2mqtt";
- sec = import ;
 internal-ip = "192.168.111.11";
 webport = 8521;
 in
- {
+{
+ sops.secrets."zigbee2mqtt" = {
+ owner = "zigbee2mqtt";
+ path = "/var/lib/zigbee2mqtt/configuration.yaml";
+ };
 # symlink the zigbee controller
 #services.udev.extraRules = ''
 # SUBSYSTEM=="tty", ATTRS{idVendor}=="0451", ATTRS{idProduct}=="16a8", SYMLINK+="cc2531", MODE="0660", GROUP="dialout"
@@ -20,50 +23,6 @@ in
 services.zigbee2mqtt = {
 enable = true;
 inherit dataDir;
- settings = {
- permit_join = true;
- serial.port = "/dev/cc2531";
- homeassistant = true;
- mqtt = {
- server = "mqtt://omo.lan:1883";
- base_topic = "/ham/zigbee";
- user = sec.mqtt.username;
- password = sec.mqtt.password;
- include_device_information = true;
- client_id = "zigbee2mqtt";
- };
- availability = {
- active.timeout = 10;
- passive.timeout = 1500;
- };
- frontend = {
- port = webport;
- };
- advanced = {
- log_level = "debug";
- log_output = [ "console" ];
- last_seen = "ISO_8601";
- elapsed = true;
- pan_id = 6755;
- inherit (sec.zigbee) network_key;
- };
- map_options.graphviz.colors = {
- fill = {
- enddevice = "#fff8ce" ;
- coordinator = "#e04e5d";
- router = "#4ea3e0";
- };
- font = {
- coordinator= "#ffffff";
- router = "#ffffff";
- enddevice = "#000000";
- };
- line = {
- active = "#009900";
- inactive = "#994444";
- };
- };
- };
 };
 services.nginx.recommendedProxySettings = true;
diff --git a/2configs/hw/tp-x200.nix b/2configs/hw/tp-x200.nix
index f06425aec..d9d30d591 100644
--- a/2configs/hw/tp-x200.nix
+++ b/2configs/hw/tp-x200.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 {
 imports = [ ./tp-x2x0.nix ];
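Review bot: Pointing the sops secret at `/var/lib/zigbee2mqtt/configuration.yaml` makes sops-nix own the whole runtime config: it is placed read-only (0400 by default) and re-created on every activation, while zigbee2mqtt rewrites configuration.yaml itself and the NixOS module's pre-start step derives that file from `settings` — so either the module's copy and the sops file fight over the path, or the daemon's own writes are refused or discarded; confirm the module's preStart behaviour before relying on this. Only the mqtt user/password and `network_key` need to be outside the store; the cleaner shape is to keep the removed `settings` block and pull those values in through zigbee2mqtt's `!secret` indirection to a `secret.yaml` in dataDir, if the deployed version supports it. Burying `permit_join = true` in an opaque secret file also removes a security-relevant default from review; it should stay visible in `settings`. The `services.zigbee2mqtt` block ends inside the -20 hunk, the rest of the module is outside it.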
diff --git a/2configs/lanparty/lancache-dns.nix b/2configs/lanparty/lancache-dns.nix
index c9da7c4c4..92dae1c7b 100644
--- a/2configs/lanparty/lancache-dns.nix
+++ b/2configs/lanparty/lancache-dns.nix
@@ -1,5 +1,5 @@
 { pkgs, lib, config, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 upstream-server = "8.8.8.8";
 # make sure the router pins the ip address to the deployed host
diff --git a/2configs/lanparty/lancache.nix b/2configs/lanparty/lancache.nix
index bcacf2e15..a0c30016b 100644
--- a/2configs/lanparty/lancache.nix
+++ b/2configs/lanparty/lancache.nix
@@ -1,5 +1,5 @@
 { pkgs, lib, config, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 # see https://github.com/zeropingheroes/lancache for full docs
 lancache= pkgs.stdenv.mkDerivation rec {
diff --git a/2configs/mail-client.nix b/2configs/mail-client.nix
index e08aadc5e..ff8fc053a 100644
--- a/2configs/mail-client.nix
+++ b/2configs/mail-client.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 {
 environment.systemPackages = with pkgs; [
 abook
diff --git a/2configs/mattermost-docker.nix b/2configs/mattermost-docker.nix
index a887a6a8f..0957036a2 100644
--- a/2configs/mattermost-docker.nix
+++ b/2configs/mattermost-docker.nix
@@ -1,6 +1,6 @@
 {config, lib, ...}:
-with import ;
+with pkgs.stockholm.lib;
 let
 sec = toString ;
 ssl_cert = "${sec}/wildcard.krebsco.de.crt";
diff --git a/2configs/minimal.nix b/2configs/minimal.nix
index e24eae61b..bc739bbf6 100644
--- a/2configs/minimal.nix
+++ b/2configs/minimal.nix
@@ -7,7 +7,7 @@
 # the only true timezone (even after the the removal of DST)
 time.timeZone = "Europe/Berlin";
- # networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
+ networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
 # we use gpg if necessary (or nothing at all)
 programs.ssh.startAgent = false;
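Review bot: `with pkgs.stockholm.lib;` now needs `pkgs`, but the argument set on the line above in 2configs/mattermost-docker.nix is `{config, lib, ...}:` and never binds it, so evaluating this module fails with an undefined variable; change the header to `{ config, lib, pkgs, ... }:`. The same mismatch is visible in 2configs/nginx/public_html.nix (`{ config, lib, ... }:`) and 2configs/syncthing.nix (`{ config, ... }:`). For bepasty-dual, collectd-base, dcpp/hub, elchos/search, elchos/stats, graphite-standalone, nsupdate-data and solr the argument set lies outside the hunk and cannot be checked here; they deserve the same look before this is merged.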
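Review bot: Re-enabling `networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;` in 2configs/minimal.nix changes the hostname of every machine that imports minimal.nix and has nothing to do with the stockholm.lib rename in the subject; it should be its own commit with the reason stated. If `krebs.build.host` is a declared option (its declaration is not visible here), `lib.hasAttr` is always true and the guard is dead — a null check on `config.krebs.build.host` would express the intent, if that is what the guard was for.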
diff --git a/2configs/nginx/euer.blog.nix b/2configs/nginx/euer.blog.nix
index 24696adf2..67150edfc 100644
--- a/2configs/nginx/euer.blog.nix
+++ b/2configs/nginx/euer.blog.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 sec = toString ;
 hostname = config.krebs.build.host.name;
diff --git a/2configs/nginx/euer.mon.nix b/2configs/nginx/euer.mon.nix
index c9db15b73..daa745cf2 100644
--- a/2configs/nginx/euer.mon.nix
+++ b/2configs/nginx/euer.mon.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 hostname = config.krebs.build.host.name;
 user = config.services.nginx.user;
diff --git a/2configs/nginx/euer.test.nix b/2configs/nginx/euer.test.nix
index 40c376130..519276dd0 100644
--- a/2configs/nginx/euer.test.nix
+++ b/2configs/nginx/euer.test.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 hostname = config.krebs.build.host.name;
 user = config.services.nginx.user;
diff --git a/2configs/nginx/euer.wiki.nix b/2configs/nginx/euer.wiki.nix
index a925b9f78..bd1744325 100644
--- a/2configs/nginx/euer.wiki.nix
+++ b/2configs/nginx/euer.wiki.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 sec = toString ;
 ext-dom = "wiki.euer.krebsco.de";
diff --git a/2configs/nginx/gold.krebsco.de.nix b/2configs/nginx/gold.krebsco.de.nix
index 083c0f8d7..af467c94b 100644
--- a/2configs/nginx/gold.krebsco.de.nix
+++ b/2configs/nginx/gold.krebsco.de.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 gold = pkgs.fetchFromGitHub {
 owner = "krebs";
diff --git a/2configs/nginx/gum.krebsco.de.nix b/2configs/nginx/gum.krebsco.de.nix
index 3e96e6826..f722542a1 100644
--- a/2configs/nginx/gum.krebsco.de.nix
+++ b/2configs/nginx/gum.krebsco.de.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 in {
 services.nginx = {
diff --git a/2configs/nginx/icecult.nix b/2configs/nginx/icecult.nix
index e817e55d8..4c7af7d91 100644
--- a/2configs/nginx/icecult.nix
+++ b/2configs/nginx/icecult.nix
@@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 icecult = pkgs.fetchFromGitHub {
diff --git a/2configs/nginx/public_html.nix b/2configs/nginx/public_html.nix
index 676d1f110..167a47776 100644
--- a/2configs/nginx/public_html.nix
+++ b/2configs/nginx/public_html.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
-with import ;
+with pkgs.stockholm.lib;
 {
 services.nginx = {
diff --git a/2configs/nginx/rompr.nix b/2configs/nginx/rompr.nix
index c7dc3ff17..b7a74048e 100644
--- a/2configs/nginx/rompr.nix
+++ b/2configs/nginx/rompr.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 user = config.services.nginx.user;
 group = config.services.nginx.group;
diff --git a/2configs/nginx/update.connector.one.nix b/2configs/nginx/update.connector.one.nix
index 44345dcd8..dbbed03fc 100644
--- a/2configs/nginx/update.connector.one.nix
+++ b/2configs/nginx/update.connector.one.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 {
 services.nginx = {
 enable = mkDefault true;
diff --git a/2configs/nsupdate-data.nix b/2configs/nsupdate-data.nix
index 3b6518f60..c10916f8d 100644
--- a/2configs/nsupdate-data.nix
+++ b/2configs/nsupdate-data.nix
@@ -2,7 +2,7 @@
 # search also generates ddclient entries for all other logs
-with import ;
+with pkgs.stockholm.lib;
 let
 #primary-itf = "eth0";
 #primary-itf = "wlp2s0";
diff --git a/2configs/sabnzbd.nix b/2configs/sabnzbd.nix
index 90a9f284f..f05042756 100644
--- a/2configs/sabnzbd.nix
+++ b/2configs/sabnzbd.nix
@@ -1,6 +1,6 @@
 { pkgs, config, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 web-port = 8080;
 in {
diff --git a/2configs/shack/events-publisher/default.nix b/2configs/shack/events-publisher/default.nix
index 964e5ccbb..0dcc49aed 100644
--- a/2configs/shack/events-publisher/default.nix
+++ b/2configs/shack/events-publisher/default.nix
@@ -1,5 +1,5 @@
 { pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 shack-announce = pkgs.callPackage (builtins.fetchTarball {
 url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz";
diff --git a/2configs/share/anon-sftp.nix b/2configs/share/anon-sftp.nix
index 7cde9317a..47554c971 100644
--- a/2configs/share/anon-sftp.nix
+++ b/2configs/share/anon-sftp.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 {
 services.openssh = {
 allowSFTP = true;
diff --git a/2configs/share/omo.nix b/2configs/share/omo.nix
index 16959bc90..82df73edc 100644
--- a/2configs/share/omo.nix
+++ b/2configs/share/omo.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 hostname = config.krebs.build.host.name;
 # TODO local-ip from the nets config
diff --git a/2configs/solr.nix b/2configs/solr.nix
index 6fc02df1f..c75ee8f54 100644
--- a/2configs/solr.nix
+++ b/2configs/solr.nix
@@ -2,7 +2,7 @@
 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
-with import ;
+with pkgs.stockholm.lib;
 let
 solrHome = "/var/db/solr";
 in {
diff --git a/2configs/sshd-totp.nix b/2configs/sshd-totp.nix
index f9984e245..9ebbe0dc4 100644
--- a/2configs/sshd-totp.nix
+++ b/2configs/sshd-totp.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 # Enables second factor for ssh password login
 ## Usage:
@@ -6,12 +6,12 @@
 ## scan the qrcode with google authenticator (or FreeOTP)
 ## copy last line into secrets//users.oath (chmod 700)
 {
+ sops.secrets."users.oath" = {};
 security.pam.oath = {
 # enabling it will make it a requisite of `all` services
 # enable = true;
 digits = 6;
- # TODO assert existing
- usersFile = (toString ) + "/users.oath";
+ usersFile = config.sops.secrets."users.oath".path;
 };
 # I want TFA only active for sshd with password-auth
 security.pam.services.sshd.oathAuth = true;
diff --git a/2configs/stats/external/weather2stats.nix b/2configs/stats/external/weather2stats.nix
index 870db99a8..f88238395 100644
--- a/2configs/stats/external/weather2stats.nix
+++ b/2configs/stats/external/weather2stats.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ;
+with pkgs.stockholm.lib;
 let
 pkg = pkgs.stdenv.mkDerivation {
 name = "aralast-master";
diff --git a/2configs/stats/server.nix b/2configs/stats/server.nix
index 82ce31a62..5229cd798 100644
--- a/2configs/stats/server.nix
+++ b/2configs/stats/server.nix
@@ -1,6 +1,6 @@
 {pkgs, config, ...}:
-with import ;
+with pkgs.stockholm.lib;
 let
 irc-server = "irc.r";
 irc-nick = "m-alarm";
diff --git a/2configs/stats/telegraf/hamstats.nix b/2configs/stats/telegraf/hamstats.nix
index 99cb0cd04..a0ea66aed 100644
--- a/2configs/stats/telegraf/hamstats.nix
+++ b/2configs/stats/telegraf/hamstats.nix
@@ -1,10 +1,10 @@
-{ pkgs, lib, ...}:
+{ pkgs, config, lib, ...}:
 let
 genTopic_zigbee = name: tags: {
 servers = [ "tcp://localhost:1883" ];
 username = "stats";
- password = lib.removeSuffix "\n" (builtins.readFile );
+ passwordFile = config.sops.secrets."mqtt/stats".path;
 qos = 0;
 connection_timeout = "30s";
 topics = [ "/ham/zigbee/${name}" ];
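Review bot: `users.oath` is not a static secret: pam_oath writes the last accepted OTP and its timestamp back into usersFile for replay protection, so the file has to be writable at login time and its updates have to persist. A sops-nix secret declared as `sops.secrets."users.oath" = {};` is decrypted under /run/secrets with mode 0400 and is regenerated from the sops file on every rebuild and boot, so each activation resets that replay state and any update pam_oath manages to write is thrown away on the next one; verify pam_oath's write behaviour on the deployed oath-toolkit before accepting this trade-off, and at least give the secret `mode = "0600";` so the intent is visible. The removed `# TODO assert existing` is fair game now that a missing sops entry fails at build time, but the usage comment two lines up still tells the operator to copy the line into `secrets//users.oath (chmod 700)` and should be updated to the sops workflow. The `security.pam.oath` block begins and ends inside this hunk.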
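Review bot: The telegraf service does not run as root, so the secret declared with sops defaults in the -56 hunk (`sops.secrets."mqtt/stats" = {};`, owner root, mode 0400) is unreadable by it, and `passwordFile` is not a key I can find for inputs.mqtt_consumer — telegraf plugin keys are snake_case and the loader rejects fields a plugin does not declare — so this input will most likely fail to load; confirm against the telegraf version in use. The route the NixOS module supports is `services.telegraf.environmentFiles` pointing at a sops secret holding a `KEY=value` line, with the consumer config keeping `password = "$MQTT_STATS_PASSWORD";` (variable name constructed here) so telegraf substitutes it at load time; otherwise set `owner`/`group` on the secret and use a key the plugin actually accepts. The identical `passwordFile` line in the -19 hunk for genTopic_plain has the same problem. Both helper functions continue past the hunk boundaries.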
@@ -19,7 +19,7 @@ let
 genTopic_plain = name: topic: tags: {
 servers = [ "tcp://localhost:1883" ];
 username = "stats";
- password = lib.removeSuffix "\n" (builtins.readFile );
+ passwordFile = config.sops.secrets."mqtt/stats".path;
 qos = 0;
 connection_timeout = "30s";
 topics = [ topic ];
@@ -56,6 +56,7 @@ let
 (esensor room name ''${room}_${name}_pressure'')
 ];
 in {
+ sops.secrets."mqtt/stats" = {};
 services.telegraf.extraConfig.inputs.mqtt_consumer =
 (zigbee_temphum "Wohnzimmer" "temp1")
 ++ (zigbee_temphum "Badezimmer" "temp2")
diff --git a/2configs/sync/default.nix b/2configs/sync/default.nix
index 6928daf87..c3880bead 100644
--- a/2configs/sync/default.nix
+++ b/2configs/sync/default.nix
@@ -1,16 +1,18 @@
-{ config, pkgs, ... }: with import ; let
+{ config, pkgs, ... }: with pkgs.stockholm.lib; let
 mk_peers = mapAttrs (n: v: { id = v.syncthing.id; });
 all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts;
 used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders));
 used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
 in {
+ sops.secrets."syncthing.key" = {};
+ sops.secrets."syncthing.cert" = {};
 services.syncthing = {
 enable = true;
 configDir = "/var/lib/syncthing";
 devices = mk_peers used_peers;
- key = toString ;
- cert = toString ;
+ key = config.sops.secrets."syncthing.key".path;
+ cert = config.sops.secrets."syncthing.cert".path;
 };
 services.syncthing.folders.the_playlist = {
 path = "/home/lass/tmp/the_playlist";
diff --git a/2configs/syncthing.nix b/2configs/syncthing.nix
index bc7413a0a..0615f06e2 100644
--- a/2configs/syncthing.nix
+++ b/2configs/syncthing.nix
@@ -1,6 +1,6 @@
 { config, ... }:
-with import ; {
+with pkgs.stockholm.lib; {
 services.syncthing = {
 enable = true;
 openDefaultPorts = true;
diff --git a/2configs/tinc/retiolum.nix b/2configs/tinc/retiolum.nix
index d1cfc2f88..2ba547331 100644
--- a/2configs/tinc/retiolum.nix
+++ b/2configs/tinc/retiolum.nix
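Review bot: In 2configs/sync/default.nix both `syncthing.key` and `syncthing.cert` are declared with sops defaults (owner root, mode 0400) while syncthing runs as its own service user; this only works if the NixOS syncthing module copies `key`/`cert` into configDir from a root-privileged pre-start step, which current releases do via a `+`-prefixed ExecStartPre, so confirm that for the nixpkgs pinned here or add `owner = "syncthing";` to both declarations. The key path is read at service start, not at evaluation, so a wrong owner surfaces only as a failed unit after deploy. The folder definitions continue past the end of the hunk.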
@@ -3,13 +3,19 @@
 imports = [
 ../binary-cache/lass.nix
 ];
- krebs.tinc.retiolum.enable = true;
- krebs.tinc.retiolum.extraConfig = ''
+ sops.secrets."retiolum.rsa_key.priv" = {};
+ sops.secrets."retiolum.ed25519_key.priv" = {};
+ krebs.tinc.retiolum = {
+ enable = true;
+ extraConfig = ''
 StrictSubnets = yes
 ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) ''
 LocalDiscovery = no
 ''}
 '';
+ privkey = config.sops.secrets."retiolum.rsa_key.priv".path;
+ privkey_ed25519 = config.sops.secrets."retiolum.ed25519_key.priv".path;
+ };
 environment.systemPackages = [ pkgs.tinc ];
 networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
 networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
-- cgit v1.2.3
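Review bot: Both tinc private keys are declared with sops defaults (root-owned, 0400), but which user `krebs.tinc.retiolum` runs tincd as, and whether it installs `privkey`/`privkey_ed25519` into its own state directory as root before dropping privileges, is not visible from this hunk; if tincd opens the paths directly as an unprivileged user the secrets need `owner` set to that user or the retiolum link never comes up after the switch. Worth a check against the krebs.tinc module, since the failure mode is a silent loss of the overlay network rather than an evaluation error. The `krebs.tinc.retiolum` attrset begins and ends inside the hunk.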