Secrets fixes. Added Syncplay. New to-dos, Niv.

2026-02-09 12:29:19 -08:00 · 2021-03-05 02:18:04 +00:00 · 2021-03-05 02:18:04 +00:00 · 22df081eee
commit 22df081eee
parent 5845debc95
14 changed files with 71 additions and 54 deletions
--- a/config/hosts/athame/asterisk.nix
+++ b/config/hosts/athame/asterisk.nix
@ -1,7 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:

-let secrets = (import ../../../secrets.nix);
-in {
+{
  services.asterisk = {
    enable = true;
    confFiles = {
@ -19,13 +18,13 @@ in {
        same  => n,Dial(SIP/1337,20)

        [from-internal]
-        exten => _1X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.us}>)
+        exten => _1X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.us}>)
        same  => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
        same  => n(end),Hangup()
-        exten => _2X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.canada}>)
+        exten => _2X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.canada}>)
        same  => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
        same  => n(end),Hangup()
-        exten => _3X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.uk}>)
+        exten => _3X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.uk}>)
        same  => n,Dial(PJSIP/+''${EXTEN:1}@twilio-ie)
        same  => n(end),Hangup()
      '';
@ -81,7 +80,7 @@ in {
        type=friend
        context=from-internal
        host=dynamic
-        secret=${secrets.hosts.athame.phone.password}
+        secret=${witch.secrets.hosts.athame.phone.password}
        nat=force_rport,comedia
      '';
      "pjsip_wizard.conf" = ''
@ -135,7 +134,7 @@ in {
        sends_registrations = no
        remote_hosts = kat-asterisk.pstn.dublin.twilio.com
        outbound_auth/username = asterisk
-        outbound_auth/password = ${secrets.hosts.athame.phone.endpoint.password.twilio}
+        outbound_auth/password = ${witch.secrets.hosts.athame.phone.endpoint.password.twilio}
        endpoint/context = from-twilio
        aor/qualify_frequency = 60
      '';
@ -155,11 +154,11 @@ in {
        type=auth
        auth_type=userpass
        username=asterisk ; Your username
-        password=${secrets.hosts.athame.phone.endpoint.password.signalwire}
+        password=${witch.secrets.hosts.athame.phone.endpoint.password.signalwire}

        [signalwire]
        type=aor
-        contact=sip:${secrets.hosts.athame.phone.endpoint.url}
+        contact=sip:${witch.secrets.hosts.athame.phone.endpoint.url}

        [signalwire]
        type=endpoint
@ -174,20 +173,20 @@ in {
        allow=gsm
        allow=g726
        from_user=asterisk
-        from_domain=${secrets.hosts.athame.phone.endpoint.url}
+        from_domain=${witch.secrets.hosts.athame.phone.endpoint.url}
        media_encryption=sdes ; Note that we are using encryption
        context=from-signalwire

        [signalwire]
        type=registration
-        server_uri=sip:${secrets.hosts.athame.phone.endpoint.url}
-        client_uri=sip:asterisk@${secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI
+        server_uri=sip:${witch.secrets.hosts.athame.phone.endpoint.url}
+        client_uri=sip:asterisk@${witch.secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI
        outbound_auth=signalwire

        [signalwire]
        type=identify
        endpoint=signalwire
-        match=${secrets.hosts.athame.phone.endpoint.url}
+        match=${witch.secrets.hosts.athame.phone.endpoint.url}
      '';
      "logger.conf" = ''
        [general]
--- a/config/hosts/athame/bitwarden.nix
+++ b/config/hosts/athame/bitwarden.nix
@ -1,14 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:

-let secrets = (import ../../../secrets.nix);
-in {
+{
  services.bitwarden_rs = {
    enable = true;
    config = {
      rocketPort = 4000;
      websocketEnabled = true;
      signupsAllowed = false;
-      adminToken = secrets.hosts.athame.bitwarden_secret;
+      adminToken = witch.secrets.hosts.athame.bitwarden_secret;
      domain = "https://vault.kittywit.ch";
    };
  };
--- a/config/hosts/athame/configuration.nix
+++ b/config/hosts/athame/configuration.nix
@ -14,6 +14,7 @@
    ./mail.nix
    ./asterisk.nix
    ./gitea.nix
+    ./syncplay.nix
    ./nextcloud.nix
    ./bitwarden.nix
    # comms
@ -38,7 +39,7 @@
    interfaces.enp1s0.useDHCP = true;
  };

-  networking.firewall.allowedTCPPorts = [ 80 443 5160 5060 64738 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 5160 5060 8999 64738 ];
  networking.firewall.allowedUDPPorts = [ 5160 5060 64738 ];
  networking.firewall.allowedTCPPortRanges = [{
    from = 10000;
--- a/config/hosts/athame/mail.nix
+++ b/config/hosts/athame/mail.nix
@ -1,8 +1,6 @@
-{ config, pkgs, ... }:
-let
-  sources = (import ../../../nix/sources.nix);
-  secrets = (import ../../../secrets.nix);
-in {
+{ config, pkgs, witch, sources, ... }:
+
+{
  imports = [ sources.nixos-mailserver.outPath ];

  mailserver = {
@ -14,7 +12,7 @@ in {
    # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
    loginAccounts = {
      "kat@kittywit.ch" = {
-        hashedPassword = secrets.hosts.athame.mail.kat.password;
+        hashedPassword = witch.secrets.hosts.athame.mail.kat.password;

        aliases = [ "postmaster@kittywit.ch" ];

--- a/config/hosts/athame/matrix.nix
+++ b/config/hosts/athame/matrix.nix
@ -1,13 +1,12 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:

-let secrets = (import ../../../secrets.nix);
-in {
+{
  environment.systemPackages =
    [ pkgs.arc.pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ];

  services.matrix-synapse = {
    enable = true;
-    registration_shared_secret = secrets.hosts.athame.matrix_secret;
+    registration_shared_secret = witch.secrets.hosts.athame.matrix_secret;
    max_upload_size = "512M";
    server_name = "kittywit.ch";
    app_service_config_files = [
--- a/config/hosts/athame/murmur.nix
+++ b/config/hosts/athame/murmur.nix
@ -1,10 +1,9 @@
 { config, pkgs, ... }:

-let secrets = (import ../../../secrets.nix);
-in {
+{
  security.acme = { certs."kittywit.ch" = { group = "kittywit-ch"; }; };

-  users.groups."kittywit-ch".members = [ "murmur" "nginx" ];
+  users.groups."kittywit-ch".members = [ "murmur" "nginx" "syncplay" ];

  services.murmur = {
    enable = true;
--- a/config/hosts/athame/syncplay.nix
+++ b/config/hosts/athame/syncplay.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.syncplay = { isSystemUser = true; };
+
+  services.syncplay = {
+    enable = true;
+    user = "syncplay";
+    group = "kittywit-ch";
+    certDir = "/var/lib/acme/kittywit.ch/";
+  };
+}
--- a/config/hosts/athame/virtualhosts.nix
+++ b/config/hosts/athame/virtualhosts.nix
@ -1,14 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:

 let
  common = {
    enableACME = true;
    forceSSL = true;
  };
-  secrets = (import ../../../secrets.nix);
 in {
  services.nginx.virtualHosts = {
    "kittywit.ch" = { root = "/var/www/kittywitch"; } // common;
    "athame.kittywit.ch" = { root = "/var/www/athame"; } // common;
-  } // secrets.virtualHosts.athame;
+  } // witch.secrets.virtualHosts.athame;
 }
--- a/config/hosts/athame/znc.nix
+++ b/config/hosts/athame/znc.nix
@ -1,7 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:

-let secrets = (import ../../../secrets.nix);
-in {
+{
  services.znc = {
    enable = true;
    mutable = false;
@ -14,7 +13,7 @@ in {
        AllowWeb = true;
      };
      modules = [ "webadmin" "adminlog" ];
-      User = secrets.hosts.athame.znc;
+      User = witch.secrets.hosts.athame.znc;
    };
  };

--- a/config/profiles/gui/nixos/gpg.nix
+++ b/config/profiles/gui/nixos/gpg.nix
@ -4,5 +4,11 @@
  config = lib.mkIf config.deploy.profile.gui {
    services.pcscd.enable = true;
    services.udev.packages = [ pkgs.yubikey-personalization ];
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryFlavor = "gtk2";
+    };
  };
 }
--- a/config/profiles/laptop/home.nix
+++ b/config/profiles/laptop/home.nix
@ -1,3 +1,5 @@
-{ ... }:
+{ lib, ... }:

-{ }
+{
+  options = { deploy.profile.laptop = lib.mkEnableOption "lappytop"; };
+}
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -1,7 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:

-let secrets = (import ../../secrets.nix);
-in {
+{
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
@ -24,7 +23,7 @@ in {
  };

  security.acme = {
-    email = secrets.unscoped.acme.email;
+    email = witch.secrets.unscoped.acme.email;
    acceptTerms = true;
  };
 }
--- a/nix/sources.json
+++ b/nix/sources.json
@ -5,10 +5,10 @@
        "homepage": "https://nur.nix-community.org/",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "43f5287f2cf6f045c4fe5c6c84df25aa609f65f0",
-        "sha256": "19gx1vrpg65hmga6rnazrz50i3frffyaxa909zpvri4frrf29lrx",
+        "rev": "1e426b00352d686ed9f9b94910b54b0036474bdd",
+        "sha256": "0gb5arxjm9shilvg0h410gwppbmf7l3bijrc0ydnlki70ab40v8k",
        "type": "tarball",
-        "url": "https://github.com/nix-community/NUR/archive/43f5287f2cf6f045c4fe5c6c84df25aa609f65f0.tar.gz",
+        "url": "https://github.com/nix-community/NUR/archive/1e426b00352d686ed9f9b94910b54b0036474bdd.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "arc-nixexprs": {
@ -74,10 +74,10 @@
        "homepage": "",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "df8e3bd110921621d175fad88c9e67909b7cb3d3",
-        "sha256": "1z20y0lblb452h2gghgds34g7lrj7v8gfhz66w687ws8jqdm3bzz",
+        "rev": "d284abb4df2ed8903cc8133de89cc327fb42b50b",
+        "sha256": "0hpdx2lc6cs5yl7qa1w55g4w1d492ga9xm0qsn42r2lm89d628ym",
        "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/df8e3bd110921621d175fad88c9e67909b7cb3d3.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/d284abb4df2ed8903cc8133de89cc327fb42b50b.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs-mozilla": {
@ -98,10 +98,10 @@
        "homepage": "",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "77e75f1ed1db9c658cb63ca253b84b13551f9ef8",
-        "sha256": "044kl1d7w300l97iivqb3774ig0hn5z6h1y3abvqa10mjq67382k",
+        "rev": "e061350a361df9667490c5914fb72a58dd927bca",
+        "sha256": "04lqpi25fkyzqflih3hixrrrbjv733mh1izgw4n03ar08w6dnm4k",
        "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/77e75f1ed1db9c658cb63ca253b84b13551f9ef8.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/e061350a361df9667490c5914fb72a58dd927bca.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "pbb-nixfiles": {
--- a/todo.org
+++ b/todo.org
@ -6,8 +6,13 @@
 ** TODO Move network config away from network manager.
 ** TODO Separate home-manager closure
 ** TODO Nixfiles working outside of NixOS, e.g. Fedora + macOS
+** TODO Refactor Sway config for separate input/outputs on different systems
+** TODO Refactor waybar config for separate modules on different systems
+** TODO Refactor Sway config for separate wallpapers on different systems as a result of the prior outputs change
 ** TODO Investigate nix-darwin
 ** TODO Investigate pipewire
+** TODO Fix function parameter headers
+** TODO Syncplay server
 ** TODO Investigate audio source switching (Arctis 5, integrated front, integrated back)

 * Secrets handling