further de-trustification

depot/hosts/athame/nixos.nix

@@ -8,6 +8,7 @@ with lib;
   imports = with meta; [
     profiles.hardware.hcloud-imperative
     users.kat.server
+    users.kat.services.weechat
     services.fail2ban
     services.filehost
     services.gitea

depot/services/grafana/default.nix

@@ -1,7 +1,20 @@
-{ config, ... }:
+{ config, tf, ... }:
 
 {
-  services.postgresql = {
+  kw.secrets = [
+    "grafana-admin-pass"
+  ];
+
+  secrets.files.grafana-admin-pass = {
+    text = "${tf.variables.grafana-admin-pass.ref}";
+    owner = "grafana";
+    group = "grafana";
+  };
+
+  services.grafana.security.adminPasswordFile =
+    config.secrets.files.grafana-admin-pass.path;
+
+    services.postgresql = {
     ensureDatabases = [ "grafana" ];
     ensureUsers = [{
       name = "grafana";

depot/services/matrix/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, tf, ... }:
 
 with lib;
 
@@ -13,6 +13,37 @@ with lib;
     LC_CTYPE = "C";
   '';
 
+  kw.secrets = [
+    "matrix-registration"
+    "mautrix-telegram-api-hash"
+    "mautrix-telegram-api-id"
+    "mautrix-telegram-as-token"
+    "mautrix-telegram-hs-token"
+  ];
+
+  secrets.files.mautrix-telegram-env = {
+    text = ''
+      MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${tf.variables.mautrix-telegram-api-id.ref}
+      MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${tf.variables.mautrix-telegram-api-hash.ref}
+      MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${tf.variables.mautrix-telegram-as-token.ref}
+      MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${tf.variables.mautrix-telegram-hs-token.ref}
+    '';
+  };
+
+  secrets.files.matrix-registration-secret = {
+    text = ''
+      registration_shared_secret: ${tf.variables.matrix-registration.ref}
+    '';
+    owner = "matrix-synapse";
+    group = "matrix-synapse";
+  };
+
+  services.matrix-synapse.extraConfigFiles = [
+    config.secrets.files.matrix-registration-secret.path
+  ];
+
+  services.mautrix-telegram.environmentFile =
+    config.secrets.files.mautrix-telegram-env.path;
   services.matrix-synapse = {
     enable = true;
     max_upload_size = "512M";

depot/services/vaultwarden/default.nix

@@ -1,6 +1,20 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, tf, ... }:
 
 {
+  kw.secrets = lib.singleton "vaultwarden-admin-token";
+
+  secrets.files.vaultwarden-env = {
+    text = ''
+      ADMIN_TOKEN=${tf.variables.vaultwarden-admin-token.ref}
+    '';
+    owner = "bitwarden_rs";
+    group = "bitwarden_rs";
+  };
+
+  services.vaultwarden = {
+    environmentFile = config.secrets.files.vaultwarden-env.path;
+  };
+
   services.postgresql = {
     ensureDatabases = [ "bitwarden_rs" ];
     ensureUsers = [{

depot/users/kat/default.nix

@@ -9,9 +9,11 @@ let katUser = { lib }: let
       (./. + "/${profile}")
     ];
   };
-}; profileNames = lib.folderList ./. ["base"];
+}; profileNames = lib.folderList ./. ["base" "services"];
+serviceNames = lib.folderList ./services [];
 userProfiles = with userProfiles;
   lib.genAttrs profileNames userImport // {
+  services = lib.genAttrs serviceNames userImport;
   base = { imports = [ ./nixos.nix (userImport "base") trustedImport ]; };
   server = { imports = [ personal ]; };
   guiFull = { imports = [ gui sway dev media personal ]; };

depot/users/kat/media/syncplay.nix

@@ -1,12 +1,20 @@
-{ config, ... }:
+{ config, lib, tf, ... }:
+
+with lib;
 
 {
+  kw.secrets = [
+    "syncplay-pass"
+  ];
 
   programs.syncplay = {
     enable = true;
     username = "kat";
     defaultRoom = "lounge";
-    server = { host = "sync.kittywit.ch"; };
+    server = {
+      host = "sync.kittywit.ch";
+      password = tf.variables.syncplay-pass.ref;
+    };
     playerArgs = [
       "--ytdl-format=bestvideo[height<=1080]+bestaudio/best[height<=1080]/bestvideo+bestaudio/best"
     ];
@@ -28,4 +36,12 @@
       };
     };
   };
+
+  secrets.files.syncplay-config = {
+    text = config.programs.syncplay.configIni;
+  };
+
+  xdg.configFile."syncplay.ini" = mkForce {
+    source = config.lib.file.mkOutOfStoreSymlink config.secrets.files.syncplay-config.path;
+  };
 }

depot/users/kat/personal/default.nix

@@ -1,5 +1,5 @@
 { ... }:
 
 {
-  imports = [ ./gpg.nix ./packages.nix ];
+  imports = [ ./gpg.nix ./packages.nix ./weechat.nix ./email.nix ./zsh.nix ];
 }

depot/users/kat/personal/email.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = {
+    programs.notmuch = {
+      enable = true;
+      hooks = { preNew = "mbsync --all"; };
+    };
+
+    programs.mbsync.enable = true;
+    programs.msmtp.enable = true;
+
+    programs.vim.plugins = [ pkgs.vimPlugins.notmuch-vim ];
+
+    accounts.email = {
+      maildirBasePath = "${config.home.homeDirectory}/mail";
+      accounts.kat = {
+        address = "kat@kittywit.ch";
+        primary = true;
+        realName = "kat witch";
+        userName = "kat@kittywit.ch";
+        msmtp.enable = true;
+        mbsync.enable = true;
+        mbsync.create = "maildir";
+        notmuch.enable = true;
+        imap.host = "athame.kittywit.ch";
+        smtp.host = "athame.kittywit.ch";
+        passwordCommand = "${pkgs.pass}/bin/pass email/kittywitch";
+          gpg = {
+            signByDefault = true;
+            key = "01F50A29D4AA91175A11BDB17248991EFA8EFBEE";
+          };
+        };
+      };
+    };
+}

depot/users/kat/personal/weechat.nix

@@ -0,0 +1,75 @@
+{ config, superConfig, pkgs, lib, ... }:
+
+{
+  home.file = {
+    ".local/share/weechat/sec.conf".text = ''
+          #
+          # weechat -- sec.conf
+          #
+          # WARNING: It is NOT recommended to edit this file by hand,
+          # especially if WeeChat is running.
+          #
+          # Use /set or similar command to change settings in WeeChat.
+          #
+          # For more info, see: https://weechat.org/doc/quickstart
+          #
+
+          [crypt]
+          cipher = aes256
+          hash_algo = sha512
+          passphrase_command = "${pkgs.pass}/bin/pass secrets/weechat-pass"
+          salt = on
+
+          [data]
+          __passphrase__ = on
+          znc = "552E98A5111B986C1003CF86C67DF2AF4B3FDE88E5762FC01EB4A00E31B8363ABFCBBE7A702CB72C298F61D4005D1C5AABB30602BBFCE9E4013CBE88D3D3DB66B18C551743D7816C4F0C9DA44B83DB5807BBB02A48B66D"
+          matrix = "CC989DF79CDAECC1CE32F10FA9B42B6AE9FA63B41C0B3FCCCD4A309AB798CDEE695E0B4A2E0C975C6364927C76D4FEB25BC84C7AF8989DC418A205A5D62E9330E142E4F11AB59E0720867915DEEFCA70E80102C639D35B"
+    '';
+  };
+
+  programs.weechat = {
+    enable = true;
+    init = lib.mkBefore ''
+          /server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
+          /server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
+    '';
+    scripts = with pkgs.weechatScripts; [
+      weechat-notify-send
+    ];
+    config = {
+      irc = {
+        server = {
+          softnet = {
+            address = "athame.kittywit.ch/5001";
+            password = "kat@${superConfig.networking.hostName}/softnet:\${sec.data.znc}";
+            ssl = true;
+            ssl_verify = false;
+            autoconnect = true;
+          };
+          liberachat = {
+            address = "athame.kittywit.ch/5001";
+            password = "kat@${superConfig.networking.hostName}/liberachat:\${sec.data.znc}";
+            ssl = true;
+            ssl_verify = false;
+            autoconnect = true;
+          };
+          espernet = {
+            address = "athame.kittywit.ch/5001";
+            password = "kat@${superConfig.networking.hostName}/espernet:\${sec.data.znc}";
+            ssl = true;
+            ssl_verify = false;
+            autoconnect = true;
+          };
+        };
+      };
+      matrix = {
+        server.kittywitch = {
+          address = "kittywit.ch";
+          device_name = "${superConfig.networking.hostName}/weechat";
+          username = "kat";
+          password = "\${sec.data.matrix}";
+        };
+      };
+    };
+  };
+}

depot/users/kat/personal/zsh.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  programs.zsh = {
+    shellAliases = {
+      abbyradio = "mpv $(pass secrets/abbyradio)";
+    };
+  };
+}

depot/users/kat/services/default.nix

@@ -0,0 +1,3 @@
+{
+  weechat = import ./weechat;
+}

depot/users/kat/services/weechat/default.nix

@@ -0,0 +1,106 @@
+{ config, lib, superConfig, pkgs, tf, ... }:
+
+{
+  kw.secrets = [
+    "matrix-pass"
+    "znc-pass"
+  ];
+
+  secrets.files.weechat-sec = {
+    text = ''
+          #
+          # weechat -- sec.conf
+          #
+          # WARNING: It is NOT recommended to edit this file by hand,
+          # especially if WeeChat is running.
+          #
+          # Use /set or similar command to change settings in WeeChat.
+          #
+          # For more info, see: https://weechat.org/doc/quickstart
+          #
+
+          [crypt]
+          cipher = aes256
+          hash_algo = sha512
+          salt = off
+
+          [data]
+          __passphrase__ = off
+          znc = "${tf.variables.znc-pass.ref}"
+          matrix = "${tf.variables.matrix-pass.ref}"
+    '';
+    owner = "kat";
+    group = "users";
+  };
+
+  home.file = {
+    ".local/share/weechat/sec.conf".source = config.lib.file.mkOutOfStoreSymlink config.secrets.files.weechat-sec.path;
+  };
+
+  services.weechat.enable = true;
+
+  systemd.user.services.weechat-tmux = let scfg = config.services.weechat; in lib.mkForce {
+    Unit = {
+      Description = "Weechat tmux session";
+      After = [ "network.target" ];
+    };
+    Service = {
+      Type = "oneshot";
+      Environment=[
+        "TMUX_TMPDIR=%t"
+        "WEECHAT_HOME=${toString config.programs.weechat.homeDirectory}"
+      ];
+      RemainAfterExit = true;
+      X-RestartIfChanged = false;
+      ExecStart = "${scfg.tmuxPackage}/bin/tmux -2 new-session -d -s ${scfg.sessionName} ${scfg.binary}";
+      ExecStop = "${scfg.tmuxPackage}/bin/tmux kill-session -t ${scfg.sessionName}";
+    };
+    Install.WantedBy = [ "default.target" ];
+  };
+
+  programs.weechat = {
+    enable = true;
+    init = lib.mkBefore ''
+        /server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
+        /server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
+    '';
+    scripts = with pkgs.weechatScripts; [
+      weechat-notify-send
+    ];
+    config = {
+      irc = {
+        server = {
+          softnet = {
+            address = "athame.kittywit.ch/5001";
+            password = "kat@${superConfig.networking.hostName}/softnet:\${sec.data.znc}";
+            ssl = true;
+            ssl_verify = false;
+            autoconnect = true;
+          };
+          liberachat = {
+            address = "athame.kittywit.ch/5001";
+            password = "kat@${superConfig.networking.hostName}/liberachat:\${sec.data.znc}";
+            ssl = true;
+            ssl_verify = false;
+            autoconnect = true;
+          };
+          espernet = {
+            address = "athame.kittywit.ch/5001";
+            password = "kat@${superConfig.networking.hostName}/espernet:\${sec.data.znc}";
+            ssl = true;
+            ssl_verify = false;
+            autoconnect = true;
+          };
+        };
+      };
+      matrix = {
+        server.kittywitch = {
+          address = "kittywit.ch";
+          device_name = "${superConfig.networking.hostName}/weechat";
+          username = "kat";
+          password = "\${sec.data.matrix}";
+        };
+      };
+    };
+  };
+}