diff --git a/2configs/bepasty-dual.nix b/2configs/bepasty-dual.nix index f63dbef..fd52d50 100644 --- a/2configs/bepasty-dual.nix +++ b/2configs/bepasty-dual.nix @@ -10,7 +10,7 @@ # wildcard.krebsco.de.key # bepasty-secret.nix <- contains single string -with import ; +with pkgs.stockholm.lib; let sec = toString ; # secKey is nothing worth protecting on a local machine diff --git a/2configs/bgt/download.binaergewitter.de.nix b/2configs/bgt/download.binaergewitter.de.nix index 31da31a..7664dac 100644 --- a/2configs/bgt/download.binaergewitter.de.nix +++ b/2configs/bgt/download.binaergewitter.de.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let ident = (builtins.readFile ./auphonic.pub); bgtaccess = "/var/spool/nginx/logs/binaergewitter.access.log"; diff --git a/2configs/collectd/collectd-base.nix b/2configs/collectd/collectd-base.nix index 9168d1f..3f41aa0 100644 --- a/2configs/collectd/collectd-base.nix +++ b/2configs/collectd/collectd-base.nix @@ -2,7 +2,7 @@ # graphite-web on port 8080 # carbon cache on port 2003 (tcp/udp) -with import ; +with pkgs.stockholm.lib; let connect-time-cfg = with pkgs; writeText "collectd-connect-time.cfg" '' LoadPlugin python diff --git a/2configs/dcpp/hub.nix b/2configs/dcpp/hub.nix index f0aac3f..7b5163d 100644 --- a/2configs/dcpp/hub.nix +++ b/2configs/dcpp/hub.nix @@ -2,7 +2,7 @@ # search also generates ddclient entries for all other logs -with import ; +with pkgs.stockholm.lib; let ddclientUser = "ddclient"; sec = toString ; diff --git a/2configs/deployment/boot-euer.nix b/2configs/deployment/boot-euer.nix index f890ea7..6d83d1e 100644 --- a/2configs/deployment/boot-euer.nix +++ b/2configs/deployment/boot-euer.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: # more than just nginx config but not enough to become a module -with import ; +with pkgs.stockholm.lib; let hostname = config.krebs.build.host.name; bootscript = pkgs.writeTextDir "runit" '' 
diff --git a/2configs/deployment/graphs.nix b/2configs/deployment/graphs.nix index 1f6deb1..286b730 100644 --- a/2configs/deployment/graphs.nix +++ b/2configs/deployment/graphs.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let external-ip = config.krebs.build.host.nets.internet.ip4.addr; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; diff --git a/2configs/deployment/photostore.krebsco.de.nix b/2configs/deployment/photostore.krebsco.de.nix index 19a8df2..9e0c870 100644 --- a/2configs/deployment/photostore.krebsco.de.nix +++ b/2configs/deployment/photostore.krebsco.de.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: # more than just nginx config but not enough to become a module -with import ; +with pkgs.stockholm.lib; let wsgi-sock = "${workdir}/uwsgi-photostore.sock"; workdir = config.services.uwsgi.runDir; diff --git a/2configs/elchos/irc-token.nix b/2configs/elchos/irc-token.nix index 4844bf2..c8873c6 100644 --- a/2configs/elchos/irc-token.nix +++ b/2configs/elchos/irc-token.nix @@ -1,5 +1,5 @@ {pkgs, ...}: -with import ; +with pkgs.stockholm.lib; let secret = (import ); in { diff --git a/2configs/elchos/search.nix b/2configs/elchos/search.nix index e7b91e6..b9d4ed5 100644 --- a/2configs/elchos/search.nix +++ b/2configs/elchos/search.nix @@ -2,7 +2,7 @@ # search also generates ddclient entries for all other logs -with import ; +with pkgs.stockholm.lib; let #primary-itf = "eth0"; #primary-itf = "wlp2s0"; diff --git a/2configs/elchos/stats.nix b/2configs/elchos/stats.nix index 2036b39..12cce05 100644 --- a/2configs/elchos/stats.nix +++ b/2configs/elchos/stats.nix @@ -4,7 +4,7 @@ # graphite-web on port 8080 # carbon cache on port 2003 (tcp/udp) -with import ; +with pkgs.stockholm.lib; { networking.firewall = { diff --git a/2configs/exim-retiolum.nix b/2configs/exim-retiolum.nix index 1f433ab..172c527 100644 --- a/2configs/exim-retiolum.nix +++ b/2configs/exim-retiolum.nix 
@@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; { networking.firewall.allowedTCPPorts = [ 25 ]; diff --git a/2configs/filepimp-share.nix b/2configs/filepimp-share.nix index 850d432..cd6dc42 100644 --- a/2configs/filepimp-share.nix +++ b/2configs/filepimp-share.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let hostname = config.krebs.build.host.name; in { diff --git a/2configs/fs/vm-single-partition.nix b/2configs/fs/vm-single-partition.nix index 26908c3..568d21a 100644 --- a/2configs/fs/vm-single-partition.nix +++ b/2configs/fs/vm-single-partition.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: # vda1 ext4 (label nixos) -> only root partition -with import ; +with pkgs.stockholm.lib; { imports = [ ./single-partition-ext4.nix diff --git a/2configs/git/cgit-retiolum.nix b/2configs/git/cgit-retiolum.nix index 114febe..1fffebd 100644 --- a/2configs/git/cgit-retiolum.nix +++ b/2configs/git/cgit-retiolum.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: # TODO: remove tv lib :) -with import ; +with pkgs.stockholm.lib; let repos = pub-repos // priv-repos // krebs-repos // connector-repos // krebsroot-repos; diff --git a/2configs/graphite-standalone.nix b/2configs/graphite-standalone.nix index 51c4c95..1b39c64 100644 --- a/2configs/graphite-standalone.nix +++ b/2configs/graphite-standalone.nix @@ -2,7 +2,7 @@ # graphite-web on port 8080 # carbon cache on port 2003 (tcp/udp) -with import ; +with pkgs.stockholm.lib; { imports = [ ]; diff --git a/2configs/home/metube.nix b/2configs/home/metube.nix index e6008d4..f9ad3ec 100644 --- a/2configs/home/metube.nix +++ b/2configs/home/metube.nix @@ -1,6 +1,6 @@ { pkgs, lib, ...}: # docker run -d -p 8081:8081 -v /path/to/downloads:/downloads --user 1001:1001 alexta69/metube -with import ; +with pkgs.stockholm.lib; let port = "2348"; dl-dir = "/media/cryptX/youtube/music"; 
diff --git a/2configs/home/photoprism.nix b/2configs/home/photoprism.nix index 2f8a864..096ad29 100644 --- a/2configs/home/photoprism.nix +++ b/2configs/home/photoprism.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ...}: +{ pkgs, config, lib, ...}: # Start | docker-compose up -d # Stop | docker-compose stop # Update | docker-compose pull @@ -19,9 +19,9 @@ let statedir = "/media/cryptX/lib/photoprism/appsrv"; db-dir = "/media/cryptX/lib/photoprism/mysql"; internal-ip = "192.168.111.11"; - sec = import ; in { + sops.secrets."photoprism/envfile" = {}; virtualisation.oci-containers.backend = "docker"; services.nginx.virtualHosts."photos" = { @@ -80,8 +80,6 @@ in PHOTOPRISM_DETECT_NSFW = "false"; # Flag photos as private that MAY be offensive (requires TensorFlow) PHOTOPRISM_UPLOAD_NSFW = "true"; # Allow uploads that MAY be offensive PHOTOPRISM_AUTH_MODE = "password"; - PHOTOPRISM_ADMIN_USER = "admin"; - PHOTOPRISM_ADMIN_PASSWORD = "admin"; #PHOTOPRISM_DATABASE_DRIVER = "postgres"; #PHOTOPRISM_DATABASE_SERVER = "postgres-prism:5432"; @@ -92,8 +90,6 @@ in PHOTOPRISM_DATABASE_DRIVER= "mysql"; # Use MariaDB (or MySQL) instead of SQLite for improved performance PHOTOPRISM_DATABASE_SERVER= "mysql-photoprism:3306" ; # MariaDB database server (hostname:port) PHOTOPRISM_DATABASE_NAME= "photoprism"; # MariaDB database schema name - PHOTOPRISM_DATABASE_USER= sec.db.username; # MariaDB database user name - PHOTOPRISM_DATABASE_PASSWORD= sec.db.password; # MariaDB database user password PHOTOPRISM_SITE_URL = "http://localhost:2342/"; # Public PhotoPrism URL PHOTOPRISM_SITE_TITLE = "PhotoPrism"; @@ -122,11 +118,11 @@ in # "--innodb-lock-wait-timeout=50" #]; volumes= [ "${db-dir}:/var/lib/mysql" ]; + environmentFiles = [ + config.sops.secrets."photoprism/envfile".path + ]; environment = { - MYSQL_ROOT_PASSWORD = "dickidibutt"; MYSQL_DATABASE= "photoprism"; - MYSQL_USER = sec.db.username; - MYSQL_PASSWORD = sec.db.password; }; }; #virtualisation.oci-containers.containers.postgres-prism = { 
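Review bot: The `environmentFiles` entry is added only to the MariaDB container, while `PHOTOPRISM_ADMIN_USER`/`PHOTOPRISM_ADMIN_PASSWORD` and `PHOTOPRISM_DATABASE_USER`/`PHOTOPRISM_DATABASE_PASSWORD` are removed from the photoprism container with no replacement visible in these hunks, so unless an `environmentFiles` line for that container exists outside them the app will come up with no admin password and no database credentials. Sharing one env file between both containers would also hand the MariaDB root password to the photoprism process and the PhotoPrism admin password to the database process; two secrets, e.g. `sops.secrets."photoprism/app-envfile" = {};` and `sops.secrets."photoprism/db-envfile" = {};`, each attached to its own container, keep each process to what it needs. The removed `MYSQL_ROOT_PASSWORD` value and the `admin`/`admin` default stay readable in git history, so the root password should be rotated and the admin password changed rather than just carried over into the env file. Both container definitions start outside the hunks.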
diff --git a/2configs/home/zigbee2mqtt/default.nix b/2configs/home/zigbee2mqtt/default.nix index 8bb8a92..ca68a15 100644 --- a/2configs/home/zigbee2mqtt/default.nix +++ b/2configs/home/zigbee2mqtt/default.nix @@ -2,11 +2,14 @@ let dataDir = "/var/lib/zigbee2mqtt"; - sec = import ; internal-ip = "192.168.111.11"; webport = 8521; in - { +{ + sops.secrets."zigbee2mqtt" = { + owner = "zigbee2mqtt"; + path = "/var/lib/zigbee2mqtt/configuration.yaml"; + }; # symlink the zigbee controller #services.udev.extraRules = '' # SUBSYSTEM=="tty", ATTRS{idVendor}=="0451", ATTRS{idProduct}=="16a8", SYMLINK+="cc2531", MODE="0660", GROUP="dialout" @@ -20,50 +23,6 @@ in services.zigbee2mqtt = { enable = true; inherit dataDir; - settings = { - permit_join = true; - serial.port = "/dev/cc2531"; - homeassistant = true; - mqtt = { - server = "mqtt://omo.lan:1883"; - base_topic = "/ham/zigbee"; - user = sec.mqtt.username; - password = sec.mqtt.password; - include_device_information = true; - client_id = "zigbee2mqtt"; - }; - availability = { - active.timeout = 10; - passive.timeout = 1500; - }; - frontend = { - port = webport; - }; - advanced = { - log_level = "debug"; - log_output = [ "console" ]; - last_seen = "ISO_8601"; - elapsed = true; - pan_id = 6755; - inherit (sec.zigbee) network_key; - }; - map_options.graphviz.colors = { - fill = { - enddevice = "#fff8ce" ; - coordinator = "#e04e5d"; - router = "#4ea3e0"; - }; - font = { - coordinator= "#ffffff"; - router = "#ffffff"; - enddevice = "#000000"; - }; - line = { - active = "#009900"; - inactive = "#994444"; - }; - }; - }; }; services.nginx.recommendedProxySettings = true; diff --git a/2configs/hw/tp-x200.nix b/2configs/hw/tp-x200.nix index f06425a..d9d30d5 100644 --- a/2configs/hw/tp-x200.nix +++ b/2configs/hw/tp-x200.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; { imports = [ ./tp-x2x0.nix ]; 
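Review bot: Installing the sops secret directly as `/var/lib/zigbee2mqtt/configuration.yaml` collides with how that file is used: as far as I recall the NixOS module copies its generated settings into `${dataDir}/configuration.yaml` on start, and zigbee2mqtt itself writes device entries and frontend changes back into the file at runtime, neither of which works against a root-rendered secret with the default 0400 mode — please verify both against the module and the daemon before relying on this. It also moves every setting, including the previously visible `permit_join = true`, out of reviewable Nix code, so a permanently open join window can no longer be caught in review. A safer split keeps the non-secret settings in `services.zigbee2mqtt.settings`, installs the secret as `${dataDir}/secret.yaml`, and references the values with zigbee2mqtt's `!secret` syntax, e.g. `password = "!secret mqtt_password";` and `network_key = "!secret network_key";`. The enclosing attribute set continues outside the hunk.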
diff --git a/2configs/lanparty/lancache-dns.nix b/2configs/lanparty/lancache-dns.nix index c9da7c4..92dae1c 100644 --- a/2configs/lanparty/lancache-dns.nix +++ b/2configs/lanparty/lancache-dns.nix @@ -1,5 +1,5 @@ { pkgs, lib, config, ... }: -with import ; +with pkgs.stockholm.lib; let upstream-server = "8.8.8.8"; # make sure the router pins the ip address to the deployed host diff --git a/2configs/lanparty/lancache.nix b/2configs/lanparty/lancache.nix index bcacf2e..a0c3001 100644 --- a/2configs/lanparty/lancache.nix +++ b/2configs/lanparty/lancache.nix @@ -1,5 +1,5 @@ { pkgs, lib, config, ... }: -with import ; +with pkgs.stockholm.lib; let # see https://github.com/zeropingheroes/lancache for full docs lancache= pkgs.stdenv.mkDerivation rec { diff --git a/2configs/mail-client.nix b/2configs/mail-client.nix index e08aadc..ff8fc05 100644 --- a/2configs/mail-client.nix +++ b/2configs/mail-client.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; { environment.systemPackages = with pkgs; [ abook diff --git a/2configs/mattermost-docker.nix b/2configs/mattermost-docker.nix index a887a6a..0957036 100644 --- a/2configs/mattermost-docker.nix +++ b/2configs/mattermost-docker.nix @@ -1,6 +1,6 @@ {config, lib, ...}: -with import ; +with pkgs.stockholm.lib; let sec = toString ; ssl_cert = "${sec}/wildcard.krebsco.de.crt"; diff --git a/2configs/minimal.nix b/2configs/minimal.nix index e24eae6..bc739bb 100644 --- a/2configs/minimal.nix +++ b/2configs/minimal.nix @@ -7,7 +7,7 @@ # the only true timezone (even after the the removal of DST) time.timeZone = "Europe/Berlin"; - # networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name; + networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name; # we use gpg if necessary (or nothing at all) programs.ssh.startAgent = false; 
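Review bot: In mattermost-docker.nix `pkgs` is not bound: the argument set is `{config, lib, ...}:`, so the new `with pkgs.stockholm.lib;` fails evaluation with an undefined-variable error, whereas the replaced `with import …;` took nothing from the module arguments. Change the header to `{ config, lib, pkgs, ... }:`. The `sec = toString …;` line directly below still uses the previous path-based secret lookup rather than sops, which is worth a follow-up so the file does not depend on both mechanisms. The rest of the module lies outside the hunk.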
diff --git a/2configs/nginx/euer.blog.nix b/2configs/nginx/euer.blog.nix index 24696ad..67150ed 100644 --- a/2configs/nginx/euer.blog.nix +++ b/2configs/nginx/euer.blog.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let sec = toString ; hostname = config.krebs.build.host.name; diff --git a/2configs/nginx/euer.mon.nix b/2configs/nginx/euer.mon.nix index c9db15b..daa745c 100644 --- a/2configs/nginx/euer.mon.nix +++ b/2configs/nginx/euer.mon.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let hostname = config.krebs.build.host.name; user = config.services.nginx.user; diff --git a/2configs/nginx/euer.test.nix b/2configs/nginx/euer.test.nix index 40c3761..519276d 100644 --- a/2configs/nginx/euer.test.nix +++ b/2configs/nginx/euer.test.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let hostname = config.krebs.build.host.name; user = config.services.nginx.user; diff --git a/2configs/nginx/euer.wiki.nix b/2configs/nginx/euer.wiki.nix index a925b9f..bd17443 100644 --- a/2configs/nginx/euer.wiki.nix +++ b/2configs/nginx/euer.wiki.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let sec = toString ; ext-dom = "wiki.euer.krebsco.de"; diff --git a/2configs/nginx/gold.krebsco.de.nix b/2configs/nginx/gold.krebsco.de.nix index 083c0f8..af467c9 100644 --- a/2configs/nginx/gold.krebsco.de.nix +++ b/2configs/nginx/gold.krebsco.de.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let gold = pkgs.fetchFromGitHub { owner = "krebs"; diff --git a/2configs/nginx/gum.krebsco.de.nix b/2configs/nginx/gum.krebsco.de.nix index 3e96e68..f722542 100644 --- a/2configs/nginx/gum.krebsco.de.nix +++ b/2configs/nginx/gum.krebsco.de.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let in { services.nginx = { 
diff --git a/2configs/nginx/icecult.nix b/2configs/nginx/icecult.nix index e817e55..4c7af7d 100644 --- a/2configs/nginx/icecult.nix +++ b/2configs/nginx/icecult.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with import ; +with pkgs.stockholm.lib; let icecult = pkgs.fetchFromGitHub { diff --git a/2configs/nginx/public_html.nix b/2configs/nginx/public_html.nix index 676d1f1..167a477 100644 --- a/2configs/nginx/public_html.nix +++ b/2configs/nginx/public_html.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with import ; +with pkgs.stockholm.lib; { services.nginx = { diff --git a/2configs/nginx/rompr.nix b/2configs/nginx/rompr.nix index c7dc3ff..b7a7404 100644 --- a/2configs/nginx/rompr.nix +++ b/2configs/nginx/rompr.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let user = config.services.nginx.user; group = config.services.nginx.group; diff --git a/2configs/nginx/update.connector.one.nix b/2configs/nginx/update.connector.one.nix index 44345dc..dbbed03 100644 --- a/2configs/nginx/update.connector.one.nix +++ b/2configs/nginx/update.connector.one.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; { services.nginx = { enable = mkDefault true; diff --git a/2configs/nsupdate-data.nix b/2configs/nsupdate-data.nix index 3b6518f..c10916f 100644 --- a/2configs/nsupdate-data.nix +++ b/2configs/nsupdate-data.nix @@ -2,7 +2,7 @@ # search also generates ddclient entries for all other logs -with import ; +with pkgs.stockholm.lib; let #primary-itf = "eth0"; #primary-itf = "wlp2s0"; diff --git a/2configs/sabnzbd.nix b/2configs/sabnzbd.nix index 90a9f28..f050427 100644 --- a/2configs/sabnzbd.nix +++ b/2configs/sabnzbd.nix @@ -1,6 +1,6 @@ { pkgs, config, ... }: -with import ; +with pkgs.stockholm.lib; let web-port = 8080; in { diff --git a/2configs/shack/events-publisher/default.nix b/2configs/shack/events-publisher/default.nix index 964e5cc..0dcc49a 100644 --- a/2configs/shack/events-publisher/default.nix 
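Review bot: In public_html.nix `pkgs` is not among the module arguments (`{ config, lib, ... }:`), so `with pkgs.stockholm.lib;` is an undefined variable at evaluation time; the header needs `{ config, lib, pkgs, ... }:`. The same pattern appears in the mattermost-docker and syncthing hunks of this series, so every file whose argument set lacks `pkgs` deserves a check before the mechanical rewrite is merged. The nginx configuration that follows lies outside the hunk.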
+++ b/2configs/shack/events-publisher/default.nix @@ -1,5 +1,5 @@ { pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let shack-announce = pkgs.callPackage (builtins.fetchTarball { url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz"; diff --git a/2configs/share/anon-sftp.nix b/2configs/share/anon-sftp.nix index 7cde931..47554c9 100644 --- a/2configs/share/anon-sftp.nix +++ b/2configs/share/anon-sftp.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; { services.openssh = { allowSFTP = true; diff --git a/2configs/share/omo.nix b/2configs/share/omo.nix index 16959bc..82df73e 100644 --- a/2configs/share/omo.nix +++ b/2configs/share/omo.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let hostname = config.krebs.build.host.name; # TODO local-ip from the nets config diff --git a/2configs/solr.nix b/2configs/solr.nix index 6fc02df..c75ee8f 100644 --- a/2configs/solr.nix +++ b/2configs/solr.nix @@ -2,7 +2,7 @@ # graphite-web on port 8080 # carbon cache on port 2003 (tcp/udp) -with import ; +with pkgs.stockholm.lib; let solrHome = "/var/db/solr"; in { diff --git a/2configs/sshd-totp.nix b/2configs/sshd-totp.nix index f9984e2..9ebbe0d 100644 --- a/2configs/sshd-totp.nix +++ b/2configs/sshd-totp.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, config, ... }: # Enables second factor for ssh password login ## Usage: @@ -6,12 +6,12 @@ ## scan the qrcode with google authenticator (or FreeOTP) ## copy last line into secrets//users.oath (chmod 700) { + sops.secrets."users.oath" = {}; security.pam.oath = { # enabling it will make it a requisite of `all` services # enable = true; digits = 6; - # TODO assert existing - usersFile = (toString ) + "/users.oath"; + usersFile = config.sops.secrets."users.oath".path; }; # I want TFA only active for sshd with password-auth security.pam.services.sshd.oathAuth = true; 
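Review bot: pam_oath does not only read `usersfile`; on each successful login it rewrites the file to record the last-used counter/timestamp that blocks replay of a TOTP code, so pointing `usersFile` at a sops-managed secret (root-owned, 0400, re-rendered on every activation and lost across reboots) either breaks that write or silently discards the replay state, letting a just-used code be accepted again within its time step — please confirm against pam_oath's behaviour before merging. A more robust layout treats the sops secret as the seed source and copies it once into a persistent root-only state file such as `/var/lib/oath/users.oath` (mode 0600) that `usersFile` points at. The usage comment above, `## copy last line into secrets//users.oath (chmod 700)`, now describes the pre-sops workflow and should say that the line goes into the sops secret `users.oath` instead.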
diff --git a/2configs/stats/external/weather2stats.nix b/2configs/stats/external/weather2stats.nix index 870db99..f882383 100644 --- a/2configs/stats/external/weather2stats.nix +++ b/2configs/stats/external/weather2stats.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ; +with pkgs.stockholm.lib; let pkg = pkgs.stdenv.mkDerivation { name = "aralast-master"; diff --git a/2configs/stats/server.nix b/2configs/stats/server.nix index 82ce31a..5229cd7 100644 --- a/2configs/stats/server.nix +++ b/2configs/stats/server.nix @@ -1,6 +1,6 @@ {pkgs, config, ...}: -with import ; +with pkgs.stockholm.lib; let irc-server = "irc.r"; irc-nick = "m-alarm"; diff --git a/2configs/stats/telegraf/hamstats.nix b/2configs/stats/telegraf/hamstats.nix index 99cb0cd..a0ea66a 100644 --- a/2configs/stats/telegraf/hamstats.nix +++ b/2configs/stats/telegraf/hamstats.nix @@ -1,10 +1,10 @@ -{ pkgs, lib, ...}: +{ pkgs, config, lib, ...}: let genTopic_zigbee = name: tags: { servers = [ "tcp://localhost:1883" ]; username = "stats"; - password = lib.removeSuffix "\n" (builtins.readFile ); + passwordFile = config.sops.secrets."mqtt/stats".path; qos = 0; connection_timeout = "30s"; topics = [ "/ham/zigbee/${name}" ]; @@ -19,7 +19,7 @@ let genTopic_plain = name: topic: tags: { servers = [ "tcp://localhost:1883" ]; username = "stats"; - password = lib.removeSuffix "\n" (builtins.readFile ); + passwordFile = config.sops.secrets."mqtt/stats".path; qos = 0; connection_timeout = "30s"; topics = [ topic ]; @@ -56,6 +56,7 @@ let (esensor room name ''${room}_${name}_pressure'') ]; in { + sops.secrets."mqtt/stats" = {}; services.telegraf.extraConfig.inputs.mqtt_consumer = (zigbee_temphum "Wohnzimmer" "temp1") ++ (zigbee_temphum "Badezimmer" "temp2") diff --git a/2configs/sync/default.nix b/2configs/sync/default.nix index 6928daf..c3880be 100644 --- a/2configs/sync/default.nix +++ b/2configs/sync/default.nix 
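Review bot: In hamstats.nix `passwordFile` is, as far as I know, not an option of telegraf's `inputs.mqtt_consumer` — telegraf rejects unknown fields when loading its configuration — and with the default sops ownership (root, 0400) the telegraf service user could not read the file even if it were. The NixOS idiom is to hand the secret to systemd, which reads it as root before dropping privileges: `services.telegraf.environmentFiles = [ config.sops.secrets."mqtt/stats".path ];` together with `password = "$MQTT_STATS_PASSWORD";` in both generators, the sops secret then holding `MQTT_STATS_PASSWORD=…`. Whichever form is used, the same credential reference is duplicated in `genTopic_zigbee` and `genTopic_plain`; hoisting it into one `let` binding keeps the two from drifting. The `let` block defining the generators continues outside the hunk.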
@@ -1,16 +1,18 @@ -{ config, pkgs, ... }: with import ; let +{ config, pkgs, ... }: with pkgs.stockholm.lib; let mk_peers = mapAttrs (n: v: { id = v.syncthing.id; }); all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts; used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders)); used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers; in { + sops.secrets."syncthing.key" = {}; + sops.secrets."syncthing.cert" = {}; services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; devices = mk_peers used_peers; - key = toString ; - cert = toString ; + key = config.sops.secrets."syncthing.key".path; + cert = config.sops.secrets."syncthing.cert".path; }; services.syncthing.folders.the_playlist = { path = "/home/lass/tmp/the_playlist"; diff --git a/2configs/syncthing.nix b/2configs/syncthing.nix index bc7413a..0615f06 100644 --- a/2configs/syncthing.nix +++ b/2configs/syncthing.nix @@ -1,6 +1,6 @@ { config, ... }: -with import ; { +with pkgs.stockholm.lib; { services.syncthing = { enable = true; openDefaultPorts = true; diff --git a/2configs/tinc/retiolum.nix b/2configs/tinc/retiolum.nix index d1cfc2f..2ba5473 100644 --- a/2configs/tinc/retiolum.nix +++ b/2configs/tinc/retiolum.nix 
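Review bot: In syncthing.nix `pkgs` is not in the module's argument set (`{ config, ... }:`), so the new `with pkgs.stockholm.lib;` cannot evaluate; change the header to `{ config, pkgs, ... }:`. Since the file previously pulled the library in by path rather than through `pkgs`, nothing else in it will have forced `pkgs` into scope. The `services.syncthing` body continues outside the hunk.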
@@ -3,13 +3,19 @@ imports = [ ../binary-cache/lass.nix ]; - krebs.tinc.retiolum.enable = true; - krebs.tinc.retiolum.extraConfig = '' + sops.secrets."retiolum.rsa_key.priv" = {}; + sops.secrets."retiolum.ed25519_key.priv" = {}; + krebs.tinc.retiolum = { + enable = true; + extraConfig = '' StrictSubnets = yes ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) '' LocalDiscovery = no ''} ''; + privkey = config.sops.secrets."retiolum.rsa_key.priv".path; + privkey_ed25519 = config.sops.secrets."retiolum.ed25519_key.priv".path; + }; environment.systemPackages = [ pkgs.tinc ]; networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
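Review bot: Both key secrets are declared with sops defaults (owner root, mode 0400), so this only works if the krebs.tinc module reads `privkey` and `privkey_ed25519` as root — for example in a preStart install step — rather than as the user the tinc daemon runs as; I cannot confirm that from the hunk, so either check the module or set `owner` on both secrets to that user. Grouping `enable`, `extraConfig` and the key paths under one `krebs.tinc.retiolum = { … }` block reads well, but the matching firewall openings for `config.krebs.build.host.nets.retiolum.tinc.port` still sit as separate top-level lines; moving them next to the block would make the whole retiolum setup reviewable as one unit. The enclosing module attribute set starts and ends outside the hunk.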