diff --git a/config/hosts/athame/asterisk.nix b/config/hosts/athame/asterisk.nix index a46808ab..638b65ff 100644 --- a/config/hosts/athame/asterisk.nix +++ b/config/hosts/athame/asterisk.nix @@ -1,7 +1,6 @@ -{ config, pkgs, ... }: +{ config, pkgs, witch, ... }: -let secrets = (import ../../../secrets.nix); -in { +{ services.asterisk = { enable = true; confFiles = { @@ -19,13 +18,13 @@ in { same => n,Dial(SIP/1337,20) [from-internal] - exten => _1X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.us}>) + exten => _1X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.us}>) same => n,Dial(PJSIP/''${EXTEN:1}@signalwire) same => n(end),Hangup() - exten => _2X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.canada}>) + exten => _2X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.canada}>) same => n,Dial(PJSIP/''${EXTEN:1}@signalwire) same => n(end),Hangup() - exten => _3X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.uk}>) + exten => _3X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.uk}>) same => n,Dial(PJSIP/+''${EXTEN:1}@twilio-ie) same => n(end),Hangup() ''; @@ -81,7 +80,7 @@ in { type=friend context=from-internal host=dynamic - secret=${secrets.hosts.athame.phone.password} + secret=${witch.secrets.hosts.athame.phone.password} nat=force_rport,comedia ''; "pjsip_wizard.conf" = '' @@ -135,7 +134,7 @@ in { sends_registrations = no remote_hosts = kat-asterisk.pstn.dublin.twilio.com outbound_auth/username = asterisk - outbound_auth/password = ${secrets.hosts.athame.phone.endpoint.password.twilio} + outbound_auth/password = ${witch.secrets.hosts.athame.phone.endpoint.password.twilio} endpoint/context = from-twilio aor/qualify_frequency = 60 ''; 
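Review bot: The `witch.secrets.hosts.athame.phone.*` values are still interpolated into the `confFiles` strings (in this hunk's file, also the sip.conf `secret=` and pjsip_wizard.conf `outbound_auth/password` hunks), so they are written into the Nix store exactly as before; the refactor changes where the secrets are read from, not where they end up. The same applies to `adminToken` in bitwarden.nix, `registration_shared_secret` in matrix.nix, `User` in znc.nix and `email` in nginx.nix; where a service offers a file-based option (e.g. `services.bitwarden_rs.environmentFile`) that is the usual way to keep the value out of the store, and a comment such as `# NOTE: values interpolated here land in /nix/store; prefer *File options where the module has one` would at least record the tradeoff. Separately, the diff does not show where the new `witch` module argument (and `sources` in mail.nix) is supplied — presumably `_module.args` or `specialArgs` in a file outside this change — so it is worth confirming that lands in the same commit, otherwise every module touched here fails to evaluate.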
@@ -155,11 +154,11 @@ in { type=auth auth_type=userpass username=asterisk ; Your username - password=${secrets.hosts.athame.phone.endpoint.password.signalwire} + password=${witch.secrets.hosts.athame.phone.endpoint.password.signalwire} [signalwire] type=aor - contact=sip:${secrets.hosts.athame.phone.endpoint.url} + contact=sip:${witch.secrets.hosts.athame.phone.endpoint.url} [signalwire] type=endpoint @@ -174,20 +173,20 @@ in { allow=gsm allow=g726 from_user=asterisk - from_domain=${secrets.hosts.athame.phone.endpoint.url} + from_domain=${witch.secrets.hosts.athame.phone.endpoint.url} media_encryption=sdes ; Note that we are using encryption context=from-signalwire [signalwire] type=registration - server_uri=sip:${secrets.hosts.athame.phone.endpoint.url} - client_uri=sip:asterisk@${secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI + server_uri=sip:${witch.secrets.hosts.athame.phone.endpoint.url} + client_uri=sip:asterisk@${witch.secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI outbound_auth=signalwire [signalwire] type=identify endpoint=signalwire - match=${secrets.hosts.athame.phone.endpoint.url} + match=${witch.secrets.hosts.athame.phone.endpoint.url} ''; "logger.conf" = '' [general] diff --git a/config/hosts/athame/bitwarden.nix b/config/hosts/athame/bitwarden.nix index eaaa2017..4e40f948 100644 --- a/config/hosts/athame/bitwarden.nix +++ b/config/hosts/athame/bitwarden.nix @@ -1,14 +1,13 @@ -{ config, pkgs, ... }: +{ config, pkgs, witch, ... }: -let secrets = (import ../../../secrets.nix); -in { +{ services.bitwarden_rs = { enable = true; config = { rocketPort = 4000; websocketEnabled = true; signupsAllowed = false; - adminToken = secrets.hosts.athame.bitwarden_secret; + adminToken = witch.secrets.hosts.athame.bitwarden_secret; domain = "https://vault.kittywit.ch"; }; }; diff --git a/config/hosts/athame/configuration.nix b/config/hosts/athame/configuration.nix index d1b9200c..37a0a27f 100644 --- a/config/hosts/athame/configuration.nix 
+++ b/config/hosts/athame/configuration.nix @@ -14,6 +14,7 @@ ./mail.nix ./asterisk.nix ./gitea.nix + ./syncplay.nix ./nextcloud.nix ./bitwarden.nix # comms @@ -38,7 +39,7 @@ interfaces.enp1s0.useDHCP = true; }; - networking.firewall.allowedTCPPorts = [ 80 443 5160 5060 64738 ]; + networking.firewall.allowedTCPPorts = [ 80 443 5160 5060 8999 64738 ]; networking.firewall.allowedUDPPorts = [ 5160 5060 64738 ]; networking.firewall.allowedTCPPortRanges = [{ from = 10000; diff --git a/config/hosts/athame/mail.nix b/config/hosts/athame/mail.nix index 2da73b9c..27fa12ab 100644 --- a/config/hosts/athame/mail.nix +++ b/config/hosts/athame/mail.nix @@ -1,8 +1,6 @@ -{ config, pkgs, ... }: -let - sources = (import ../../../nix/sources.nix); - secrets = (import ../../../secrets.nix); -in { +{ config, pkgs, witch, sources, ... }: + +{ imports = [ sources.nixos-mailserver.outPath ]; mailserver = { @@ -14,7 +12,7 @@ in { # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 loginAccounts = { "kat@kittywit.ch" = { - hashedPassword = secrets.hosts.athame.mail.kat.password; + hashedPassword = witch.secrets.hosts.athame.mail.kat.password; aliases = [ "postmaster@kittywit.ch" ]; diff --git a/config/hosts/athame/matrix.nix b/config/hosts/athame/matrix.nix index 70e9ac95..99190c18 100644 --- a/config/hosts/athame/matrix.nix +++ b/config/hosts/athame/matrix.nix @@ -1,13 +1,12 @@ -{ config, pkgs, ... }: +{ config, pkgs, witch, ... }: -let secrets = (import ../../../secrets.nix); -in { +{ environment.systemPackages = [ pkgs.arc.pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ]; services.matrix-synapse = { enable = true; - registration_shared_secret = secrets.hosts.athame.matrix_secret; + registration_shared_secret = witch.secrets.hosts.athame.matrix_secret; max_upload_size = "512M"; server_name = "kittywit.ch"; app_service_config_files = [ diff --git a/config/hosts/athame/murmur.nix b/config/hosts/athame/murmur.nix index f672ebef..46b2b849 100644 
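Review bot: `8999` in the new `allowedTCPPorts` list is a bare number with no link to the syncplay service it presumably exposes, and the list already mixes HTTP, SIP and Mumble ports, so a reader has to guess which entry belongs to what. Prefer `config.services.syncplay.port` in the list (the NixOS syncplay module defaults it to 8999, assuming this nixpkgs revision exposes the option) or at least annotate the entry, e.g. `8999 # syncplay`. Leaving `allowedUDPPorts` untouched looks correct for syncplay, but stating that in a comment avoids someone "fixing" it later.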
--- a/config/hosts/athame/murmur.nix +++ b/config/hosts/athame/murmur.nix @@ -1,10 +1,9 @@ { config, pkgs, ... }: -let secrets = (import ../../../secrets.nix); -in { +{ security.acme = { certs."kittywit.ch" = { group = "kittywit-ch"; }; }; - users.groups."kittywit-ch".members = [ "murmur" "nginx" ]; + users.groups."kittywit-ch".members = [ "murmur" "nginx" "syncplay" ]; services.murmur = { enable = true; diff --git a/config/hosts/athame/syncplay.nix b/config/hosts/athame/syncplay.nix new file mode 100644 index 00000000..d9919110 --- /dev/null +++ b/config/hosts/athame/syncplay.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: + +{ + users.users.syncplay = { isSystemUser = true; }; + + services.syncplay = { + enable = true; + user = "syncplay"; + group = "kittywit-ch"; + certDir = "/var/lib/acme/kittywit.ch/"; + }; +} diff --git a/config/hosts/athame/virtualhosts.nix b/config/hosts/athame/virtualhosts.nix index 8a6cdf39..b297d799 100644 --- a/config/hosts/athame/virtualhosts.nix +++ b/config/hosts/athame/virtualhosts.nix @@ -1,14 +1,13 @@ -{ config, pkgs, ... }: +{ config, pkgs, witch, ... }: let common = { enableACME = true; forceSSL = true; }; - secrets = (import ../../../secrets.nix); in { services.nginx.virtualHosts = { "kittywit.ch" = { root = "/var/www/kittywitch"; } // common; "athame.kittywit.ch" = { root = "/var/www/athame"; } // common; - } // secrets.virtualHosts.athame; + } // witch.secrets.virtualHosts.athame; } diff --git a/config/hosts/athame/znc.nix b/config/hosts/athame/znc.nix index 39b10ec7..518b4406 100644 --- a/config/hosts/athame/znc.nix +++ b/config/hosts/athame/znc.nix @@ -1,7 +1,6 @@ -{ config, pkgs, ... }: +{ config, pkgs, witch, ... }: -let secrets = (import ../../../secrets.nix); -in { +{ services.znc = { enable = true; mutable = false; @@ -14,7 +13,7 @@ in { AllowWeb = true; }; modules = [ "webadmin" "adminlog" ]; - User = secrets.hosts.athame.znc; + User = witch.secrets.hosts.athame.znc; }; }; 
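Review bot: The new syncplay.nix enables the server with TLS (`certDir`) but sets no server password or salt, while configuration.nix opens TCP 8999 to the world in the same commit, so any client that can reach the host can join or create rooms; syncplay-server accepts a `--password` flag, and the NixOS module exposes it either as a dedicated option or via `extraArgs` depending on this nixpkgs revision — set one of those, sourced the same way the other services here take their secrets. Also, `users.users.syncplay = { isSystemUser = true; }` declares no `group` even though the service runs with `group = "kittywit-ch"`; `users.users.syncplay = { isSystemUser = true; group = "kittywit-ch"; };` keeps the two consistent and satisfies the newer NixOS assertion that system users carry a primary group. A short header comment, `# syncplay server: TLS cert shared via the kittywit-ch group (see murmur.nix), port opened in configuration.nix`, would tie the three files together for the next reader.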
diff --git a/config/profiles/gui/nixos/gpg.nix b/config/profiles/gui/nixos/gpg.nix index 8006e9de..79846f0c 100644 --- a/config/profiles/gui/nixos/gpg.nix +++ b/config/profiles/gui/nixos/gpg.nix @@ -4,5 +4,11 @@ config = lib.mkIf config.deploy.profile.gui { services.pcscd.enable = true; services.udev.packages = [ pkgs.yubikey-personalization ]; + + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryFlavor = "gtk2"; + }; }; } diff --git a/config/profiles/laptop/home.nix b/config/profiles/laptop/home.nix index 5bd3e36b..8f6de4d8 100644 --- a/config/profiles/laptop/home.nix +++ b/config/profiles/laptop/home.nix @@ -1,3 +1,5 @@ -{ ... }: +{ lib, ... }: -{ } +{ + options = { deploy.profile.laptop = lib.mkEnableOption "lappytop"; }; +} diff --git a/config/services/nginx.nix b/config/services/nginx.nix index 74cd12d0..f4f4192a 100644 --- a/config/services/nginx.nix +++ b/config/services/nginx.nix @@ -1,7 +1,6 @@ -{ config, pkgs, ... }: +{ config, pkgs, witch, ... }: -let secrets = (import ../../secrets.nix); -in { +{ services.nginx = { enable = true; recommendedGzipSettings = true; @@ -24,7 +23,7 @@ in { }; security.acme = { - email = secrets.unscoped.acme.email; + email = witch.secrets.unscoped.acme.email; acceptTerms = true; }; } diff --git a/nix/sources.json b/nix/sources.json index 610d686f..dbeb3a57 100644 --- a/nix/sources.json +++ b/nix/sources.json 
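Review bot: `enableSSHSupport = true` makes gpg-agent the SSH agent, and NixOS refuses to evaluate when `programs.ssh.startAgent` is also enabled; that option is not visible in the diff, so confirm it is off for the gui profile or set `programs.ssh.startAgent = false;` alongside this block to make the choice explicit. The enclosing `config = lib.mkIf config.deploy.profile.gui { ... }` attrset starts outside the hunk. A comment above the new block, `# gpg-agent doubles as ssh-agent (likely for the YubiKey this profile already sets udev rules for); keep programs.ssh.startAgent off`, would document the intent.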
@@ -5,10 +5,10 @@ "homepage": "https://nur.nix-community.org/", "owner": "nix-community", "repo": "NUR", - "rev": "43f5287f2cf6f045c4fe5c6c84df25aa609f65f0", - "sha256": "19gx1vrpg65hmga6rnazrz50i3frffyaxa909zpvri4frrf29lrx", + "rev": "1e426b00352d686ed9f9b94910b54b0036474bdd", + "sha256": "0gb5arxjm9shilvg0h410gwppbmf7l3bijrc0ydnlki70ab40v8k", "type": "tarball", - "url": "https://github.com/nix-community/NUR/archive/43f5287f2cf6f045c4fe5c6c84df25aa609f65f0.tar.gz", + "url": "https://github.com/nix-community/NUR/archive/1e426b00352d686ed9f9b94910b54b0036474bdd.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "arc-nixexprs": { @@ -74,10 +74,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "df8e3bd110921621d175fad88c9e67909b7cb3d3", - "sha256": "1z20y0lblb452h2gghgds34g7lrj7v8gfhz66w687ws8jqdm3bzz", + "rev": "d284abb4df2ed8903cc8133de89cc327fb42b50b", + "sha256": "0hpdx2lc6cs5yl7qa1w55g4w1d492ga9xm0qsn42r2lm89d628ym", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/df8e3bd110921621d175fad88c9e67909b7cb3d3.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/d284abb4df2ed8903cc8133de89cc327fb42b50b.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-mozilla": { @@ -98,10 +98,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "77e75f1ed1db9c658cb63ca253b84b13551f9ef8", - "sha256": "044kl1d7w300l97iivqb3774ig0hn5z6h1y3abvqa10mjq67382k", + "rev": "e061350a361df9667490c5914fb72a58dd927bca", + "sha256": "04lqpi25fkyzqflih3hixrrrbjv733mh1izgw4n03ar08w6dnm4k", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/77e75f1ed1db9c658cb63ca253b84b13551f9ef8.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/e061350a361df9667490c5914fb72a58dd927bca.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "pbb-nixfiles": { diff --git a/todo.org b/todo.org index 61f2deca..4c79dc7e 100644 --- a/todo.org +++ b/todo.org 
@@ -6,8 +6,13 @@ ** TODO Move network config away from network manager. ** TODO Separate home-manager closure ** TODO Nixfiles working outside of NixOS, e.g. Fedora + macOS +** TODO Refactor Sway config for separate input/outputs on different systems +** TODO Refactor waybar config for separate modules on different systems +** TODO Refactor Sway config for separate wallpapers on different systems as a result of the prior outputs change ** TODO Investigate nix-darwin ** TODO Investigate pipewire +** TODO Fix function parameter headers +** TODO Syncplay server ** TODO Investigate audio source switching (Arctis 5, integrated front, integrated back) * Secrets handling