treewide: replace stockholm/lib with stockholm.lib

2023-07-02 16:05:52 +02:00 · 2023-07-02 16:05:52 +02:00 · 777a2fe734
parent ecfa596670
commit 777a2fe734
47 changed files with 71 additions and 107 deletions
--- a/2configs/bepasty-dual.nix
+++ b/2configs/bepasty-dual.nix
@ -10,7 +10,7 @@
 #   wildcard.krebsco.de.key
 #   bepasty-secret.nix     <- contains single string

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  sec = toString <secrets>;
  # secKey is nothing worth protecting on a local machine
--- a/2configs/bgt/download.binaergewitter.de.nix
+++ b/2configs/bgt/download.binaergewitter.de.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  ident = (builtins.readFile ./auphonic.pub);
  bgtaccess = "/var/spool/nginx/logs/binaergewitter.access.log";
--- a/2configs/collectd/collectd-base.nix
+++ b/2configs/collectd/collectd-base.nix
@ -2,7 +2,7 @@

 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  connect-time-cfg = with pkgs; writeText "collectd-connect-time.cfg" ''
    LoadPlugin python
--- a/2configs/dcpp/hub.nix
+++ b/2configs/dcpp/hub.nix
@ -2,7 +2,7 @@

 # search also generates ddclient entries for all other logs

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  ddclientUser = "ddclient";
  sec = toString <secrets>;
--- a/2configs/deployment/boot-euer.nix
+++ b/2configs/deployment/boot-euer.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 # more than just nginx config but not enough to become a module
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  hostname = config.krebs.build.host.name;
  bootscript = pkgs.writeTextDir "runit" ''
--- a/2configs/deployment/graphs.nix
+++ b/2configs/deployment/graphs.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
  internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
--- a/2configs/deployment/photostore.krebsco.de.nix
+++ b/2configs/deployment/photostore.krebsco.de.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 # more than just nginx config but not enough to become a module
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  wsgi-sock = "${workdir}/uwsgi-photostore.sock";
  workdir = config.services.uwsgi.runDir;
--- a/2configs/elchos/irc-token.nix
+++ b/2configs/elchos/irc-token.nix
@ -1,5 +1,5 @@
 {pkgs, ...}:
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  secret = (import <secrets/elchos-token.nix>);
 in {
--- a/2configs/elchos/search.nix
+++ b/2configs/elchos/search.nix
@ -2,7 +2,7 @@

 # search also generates ddclient entries for all other logs

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  #primary-itf = "eth0";
  #primary-itf = "wlp2s0";
--- a/2configs/elchos/stats.nix
+++ b/2configs/elchos/stats.nix
@ -4,7 +4,7 @@
 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {

  networking.firewall = {
--- a/2configs/exim-retiolum.nix
+++ b/2configs/exim-retiolum.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {
  networking.firewall.allowedTCPPorts = [ 25 ];

--- a/2configs/filepimp-share.nix
+++ b/2configs/filepimp-share.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  hostname = config.krebs.build.host.name;
 in {
--- a/2configs/fs/vm-single-partition.nix
+++ b/2configs/fs/vm-single-partition.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:

 # vda1 ext4 (label nixos) -> only root partition
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {
  imports = [
    ./single-partition-ext4.nix
--- a/2configs/git/cgit-retiolum.nix
+++ b/2configs/git/cgit-retiolum.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 # TODO: remove tv lib :)
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let

  repos = pub-repos // priv-repos // krebs-repos // connector-repos // krebsroot-repos;
--- a/2configs/graphite-standalone.nix
+++ b/2configs/graphite-standalone.nix
@ -2,7 +2,7 @@

 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {
  imports = [ ];

--- a/2configs/home/metube.nix
+++ b/2configs/home/metube.nix
@ -1,6 +1,6 @@
 { pkgs, lib, ...}:
 # docker run -d -p 8081:8081 -v /path/to/downloads:/downloads --user 1001:1001 alexta69/metube
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  port = "2348";
  dl-dir = "/media/cryptX/youtube/music";
--- a/2configs/home/photoprism.nix
+++ b/2configs/home/photoprism.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, ...}:
+{ pkgs, config, lib, ...}:
 # Start    | docker-compose up -d
 # Stop     | docker-compose stop
 # Update   | docker-compose pull
@ -19,9 +19,9 @@ let
  statedir = "/media/cryptX/lib/photoprism/appsrv";
  db-dir = "/media/cryptX/lib/photoprism/mysql";
  internal-ip = "192.168.111.11";
-  sec = import <secrets/photoprism.nix>;
 in
 {
+  sops.secrets."photoprism/envfile" = {};
  virtualisation.oci-containers.backend = "docker";

  services.nginx.virtualHosts."photos" = {
@ -80,8 +80,6 @@ in
      PHOTOPRISM_DETECT_NSFW = "false";                # Flag photos as private that MAY be offensive (requires TensorFlow)
      PHOTOPRISM_UPLOAD_NSFW = "true";                 # Allow uploads that MAY be offensive
      PHOTOPRISM_AUTH_MODE = "password";
-      PHOTOPRISM_ADMIN_USER = "admin";
-      PHOTOPRISM_ADMIN_PASSWORD = "admin";

      #PHOTOPRISM_DATABASE_DRIVER = "postgres";
      #PHOTOPRISM_DATABASE_SERVER = "postgres-prism:5432";
@ -92,8 +90,6 @@ in
      PHOTOPRISM_DATABASE_DRIVER= "mysql";           # Use MariaDB (or MySQL) instead of SQLite for improved performance
      PHOTOPRISM_DATABASE_SERVER= "mysql-photoprism:3306" ;   # MariaDB database server (hostname:port)
      PHOTOPRISM_DATABASE_NAME= "photoprism";        # MariaDB database schema name
-      PHOTOPRISM_DATABASE_USER= sec.db.username;        # MariaDB database user name
-      PHOTOPRISM_DATABASE_PASSWORD= sec.db.password;      # MariaDB database user password

      PHOTOPRISM_SITE_URL = "http://localhost:2342/";  # Public PhotoPrism URL
      PHOTOPRISM_SITE_TITLE = "PhotoPrism";
@ -122,11 +118,11 @@ in
    #  "--innodb-lock-wait-timeout=50"
    #];
    volumes= [ "${db-dir}:/var/lib/mysql" ];
+    environmentFiles = [
+      config.sops.secrets."photoprism/envfile".path
+    ];
    environment = {
-      MYSQL_ROOT_PASSWORD = "dickidibutt";
      MYSQL_DATABASE= "photoprism";
-      MYSQL_USER = sec.db.username;
-      MYSQL_PASSWORD = sec.db.password;
    };
  };
  #virtualisation.oci-containers.containers.postgres-prism = {
--- a/2configs/home/zigbee2mqtt/default.nix
+++ b/2configs/home/zigbee2mqtt/default.nix
@ -2,11 +2,14 @@

 let
  dataDir = "/var/lib/zigbee2mqtt";
-  sec = import <secrets/zigbee2mqtt.nix>;
  internal-ip = "192.168.111.11";
  webport = 8521;
 in
-  {
+{
+  sops.secrets."zigbee2mqtt" = {
+    owner = "zigbee2mqtt";
+    path = "/var/lib/zigbee2mqtt/configuration.yaml";
+  };
  # symlink the zigbee controller
  #services.udev.extraRules = ''
  #  SUBSYSTEM=="tty", ATTRS{idVendor}=="0451", ATTRS{idProduct}=="16a8", SYMLINK+="cc2531", MODE="0660", GROUP="dialout"
@ -20,50 +23,6 @@ in
  services.zigbee2mqtt = {
    enable = true;
    inherit dataDir;
-    settings = {
-      permit_join = true;
-      serial.port = "/dev/cc2531";
-      homeassistant = true;
-      mqtt = {
-        server = "mqtt://omo.lan:1883";
-        base_topic = "/ham/zigbee";
-        user = sec.mqtt.username;
-        password = sec.mqtt.password;
-        include_device_information = true;
-        client_id = "zigbee2mqtt";
-      };
-      availability = {
-        active.timeout = 10;
-        passive.timeout = 1500;
-      };
-      frontend = {
-        port = webport;
-      };
-      advanced = {
-        log_level = "debug";
-        log_output = [ "console" ];
-        last_seen = "ISO_8601";
-        elapsed = true;
-        pan_id = 6755;
-        inherit (sec.zigbee) network_key;
-      };
-      map_options.graphviz.colors = {
-        fill = {
-          enddevice =  "#fff8ce" ;
-          coordinator = "#e04e5d";
-          router = "#4ea3e0";
-        };
-        font = {
-          coordinator= "#ffffff";
-          router = "#ffffff";
-          enddevice = "#000000";
-        };
-        line = {
-          active = "#009900";
-          inactive = "#994444";
-        };
-      };
-    };
  };

  services.nginx.recommendedProxySettings = true;
--- a/2configs/hw/tp-x200.nix
+++ b/2configs/hw/tp-x200.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {

  imports = [ ./tp-x2x0.nix ];
--- a/2configs/lanparty/lancache-dns.nix
+++ b/2configs/lanparty/lancache-dns.nix
@ -1,5 +1,5 @@
 { pkgs, lib, config, ... }:
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  upstream-server = "8.8.8.8";
  # make sure the router pins the ip address to the deployed host
--- a/2configs/lanparty/lancache.nix
+++ b/2configs/lanparty/lancache.nix
@ -1,5 +1,5 @@
 { pkgs, lib, config, ... }:
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  # see https://github.com/zeropingheroes/lancache for full docs
  lancache= pkgs.stdenv.mkDerivation rec {
--- a/2configs/mail-client.nix
+++ b/2configs/mail-client.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {
  environment.systemPackages = with pkgs; [
    abook
--- a/2configs/mattermost-docker.nix
+++ b/2configs/mattermost-docker.nix
@ -1,6 +1,6 @@
 {config, lib, ...}:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  sec = toString <secrets>;
  ssl_cert = "${sec}/wildcard.krebsco.de.crt";
--- a/2configs/minimal.nix
+++ b/2configs/minimal.nix
@ -7,7 +7,7 @@
  # the only true timezone (even after the the removal of DST)
  time.timeZone = "Europe/Berlin";

-  # networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
+  networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;

  # we use gpg if necessary (or nothing at all)
  programs.ssh.startAgent = false;
--- a/2configs/nginx/euer.blog.nix
+++ b/2configs/nginx/euer.blog.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  sec = toString <secrets>;
  hostname = config.krebs.build.host.name;
--- a/2configs/nginx/euer.mon.nix
+++ b/2configs/nginx/euer.mon.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  hostname = config.krebs.build.host.name;
  user = config.services.nginx.user;
--- a/2configs/nginx/euer.test.nix
+++ b/2configs/nginx/euer.test.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  hostname = config.krebs.build.host.name;
  user = config.services.nginx.user;
--- a/2configs/nginx/euer.wiki.nix
+++ b/2configs/nginx/euer.wiki.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  sec = toString <secrets>;
  ext-dom = "wiki.euer.krebsco.de";
--- a/2configs/nginx/gold.krebsco.de.nix
+++ b/2configs/nginx/gold.krebsco.de.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  gold = pkgs.fetchFromGitHub {
    owner = "krebs";
--- a/2configs/nginx/gum.krebsco.de.nix
+++ b/2configs/nginx/gum.krebsco.de.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
 in {
  services.nginx = {
--- a/2configs/nginx/icecult.nix
+++ b/2configs/nginx/icecult.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;

 let
  icecult = pkgs.fetchFromGitHub {
--- a/2configs/nginx/public_html.nix
+++ b/2configs/nginx/public_html.nix
@ -1,6 +1,6 @@
 { config, lib, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;

 {
  services.nginx = {
--- a/2configs/nginx/rompr.nix
+++ b/2configs/nginx/rompr.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  user = config.services.nginx.user;
  group = config.services.nginx.group;
--- a/2configs/nginx/update.connector.one.nix
+++ b/2configs/nginx/update.connector.one.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {
  services.nginx = {
    enable = mkDefault true;
--- a/2configs/nsupdate-data.nix
+++ b/2configs/nsupdate-data.nix
@ -2,7 +2,7 @@

 # search also generates ddclient entries for all other logs

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  #primary-itf = "eth0";
  #primary-itf = "wlp2s0";
--- a/2configs/sabnzbd.nix
+++ b/2configs/sabnzbd.nix
@ -1,6 +1,6 @@
 { pkgs, config, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  web-port = 8080;
 in {
--- a/2configs/shack/events-publisher/default.nix
+++ b/2configs/shack/events-publisher/default.nix
@ -1,5 +1,5 @@
 { pkgs, ... }:
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  shack-announce = pkgs.callPackage (builtins.fetchTarball {
    url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz";
--- a/2configs/share/anon-sftp.nix
+++ b/2configs/share/anon-sftp.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 {
  services.openssh = {
    allowSFTP = true;
--- a/2configs/share/omo.nix
+++ b/2configs/share/omo.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  hostname = config.krebs.build.host.name;
  # TODO local-ip from the nets config
--- a/2configs/solr.nix
+++ b/2configs/solr.nix
@ -2,7 +2,7 @@

 # graphite-web on port 8080
 # carbon cache on port 2003 (tcp/udp)
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  solrHome = "/var/db/solr";
 in {
--- a/2configs/sshd-totp.nix
+++ b/2configs/sshd-totp.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 # Enables second factor for ssh password login

 ## Usage:
@ -6,12 +6,12 @@
 ## scan the qrcode with google authenticator (or FreeOTP)
 ## copy last line into secrets/<host>/users.oath (chmod 700)
 {
+  sops.secrets."users.oath" = {};
  security.pam.oath = {
    # enabling it will make it a requisite of `all` services
    # enable = true;
    digits = 6;
-    # TODO assert existing
-    usersFile = (toString <secrets>) + "/users.oath";
+    usersFile = config.sops.secrets."users.oath".path;
  };
  # I want TFA only active for sshd with password-auth
  security.pam.services.sshd.oathAuth = true;
--- a/2configs/stats/external/weather2stats.nix
+++ b/2configs/stats/external/weather2stats.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  pkg = pkgs.stdenv.mkDerivation {
    name = "aralast-master";
--- a/2configs/stats/server.nix
+++ b/2configs/stats/server.nix
@ -1,6 +1,6 @@
 {pkgs, config, ...}:

-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
  irc-server = "irc.r";
  irc-nick = "m-alarm";
--- a/2configs/stats/telegraf/hamstats.nix
+++ b/2configs/stats/telegraf/hamstats.nix
@ -1,10 +1,10 @@
-{ pkgs, lib, ...}:
+{ pkgs, config, lib, ...}:

 let
  genTopic_zigbee = name: tags: {
      servers = [ "tcp://localhost:1883" ];
      username = "stats";
-      password = lib.removeSuffix "\n" (builtins.readFile <secrets/mqtt/stats>);
+      passwordFile = config.sops.secrets."mqtt/stats".path;
      qos = 0;
      connection_timeout = "30s";
      topics = [ "/ham/zigbee/${name}" ];
@ -19,7 +19,7 @@ let
  genTopic_plain = name: topic: tags: {
      servers = [ "tcp://localhost:1883" ];
      username = "stats";
-      password = lib.removeSuffix "\n" (builtins.readFile <secrets/mqtt/stats>);
+      passwordFile = config.sops.secrets."mqtt/stats".path;
      qos = 0;
      connection_timeout = "30s";
      topics = [ topic ];
@ -56,6 +56,7 @@ let
      (esensor room name ''${room}_${name}_pressure'')
    ];
 in {
+  sops.secrets."mqtt/stats" = {};
  services.telegraf.extraConfig.inputs.mqtt_consumer =
       (zigbee_temphum "Wohnzimmer" "temp1")
    ++ (zigbee_temphum "Badezimmer" "temp2")
--- a/2configs/sync/default.nix
+++ b/2configs/sync/default.nix
@ -1,16 +1,18 @@
-{ config, pkgs, ... }: with import <stockholm/lib>; let
+{ config, pkgs, ... }: with pkgs.stockholm.lib; let
  mk_peers = mapAttrs (n: v: { id = v.syncthing.id; });

  all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts;
  used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.folders));
  used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
 in {
+  sops.secrets."syncthing.key" = {};
+  sops.secrets."syncthing.cert" = {};
  services.syncthing = {
    enable = true;
    configDir = "/var/lib/syncthing";
    devices = mk_peers used_peers;
-    key = toString <secrets/syncthing.key>;
-    cert = toString <secrets/syncthing.cert>;
+    key = config.sops.secrets."syncthing.key".path;
+    cert = config.sops.secrets."syncthing.cert".path;
  };
  services.syncthing.folders.the_playlist = {
    path = "/home/lass/tmp/the_playlist";
--- a/2configs/syncthing.nix
+++ b/2configs/syncthing.nix
@ -1,6 +1,6 @@
 { config, ... }:

-with import <stockholm/lib>; {
+with pkgs.stockholm.lib; {
  services.syncthing = {
    enable = true;
    openDefaultPorts = true;
--- a/2configs/tinc/retiolum.nix
+++ b/2configs/tinc/retiolum.nix
@ -3,13 +3,19 @@
  imports = [
    ../binary-cache/lass.nix
  ];
-  krebs.tinc.retiolum.enable = true;
-  krebs.tinc.retiolum.extraConfig = ''
+  sops.secrets."retiolum.rsa_key.priv" = {};
+  sops.secrets."retiolum.ed25519_key.priv" = {};
+  krebs.tinc.retiolum = {
+    enable = true;
+    extraConfig = ''
      StrictSubnets = yes
      ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) ''
        LocalDiscovery = no
      ''}
    '';
+    privkey = config.sops.secrets."retiolum.rsa_key.priv".path;
+    privkey_ed25519 = config.sops.secrets."retiolum.ed25519_key.priv".path;
+  };
  environment.systemPackages = [ pkgs.tinc ];
  networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
  networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];