From 8360b2b0999f2b56a1264ee60e9998987f4233ee Mon Sep 17 00:00:00 2001
From: kat witch
Date: Tue, 17 Aug 2021 05:28:07 +0100
Subject: [PATCH] further de-trustification

---
 depot/hosts/athame/nixos.nix | 1 +
 depot/services/grafana/default.nix | 17 ++-
 depot/services/matrix/default.nix | 33 +++++-
 depot/services/vaultwarden/default.nix | 16 ++-
 depot/users/kat/default.nix | 4 +-
 depot/users/kat/media/syncplay.nix | 20 +++-
 depot/users/kat/personal/default.nix | 2 +-
 depot/users/kat/personal/email.nix | 36 +++++++
 depot/users/kat/personal/weechat.nix | 75 +++++++++++++
 depot/users/kat/personal/zsh.nix | 9 ++
 depot/users/kat/services/default.nix | 3 +
 depot/users/kat/services/weechat/default.nix | 106 +++++++++++++++++++
 12 files changed, 314 insertions(+), 8 deletions(-)
 create mode 100644 depot/users/kat/personal/email.nix
 create mode 100644 depot/users/kat/personal/weechat.nix
 create mode 100644 depot/users/kat/personal/zsh.nix
 create mode 100644 depot/users/kat/services/default.nix
 create mode 100644 depot/users/kat/services/weechat/default.nix

diff --git a/depot/hosts/athame/nixos.nix b/depot/hosts/athame/nixos.nix
index 8d796fed..a3b7f3f6 100644
--- a/depot/hosts/athame/nixos.nix
+++ b/depot/hosts/athame/nixos.nix
@@ -8,6 +8,7 @@ with lib;
 imports = with meta; [
 profiles.hardware.hcloud-imperative
 users.kat.server
+ users.kat.services.weechat
 services.fail2ban
 services.filehost
 services.gitea
diff --git a/depot/services/grafana/default.nix b/depot/services/grafana/default.nix
index 4421a72d..2c1aea39 100644
--- a/depot/services/grafana/default.nix
+++ b/depot/services/grafana/default.nix
@@ -1,7 +1,20 @@
-{ config, ... }:
+{ config, tf, ... }:
 
 {
- services.postgresql = {
+ kw.secrets = [
+ "grafana-admin-pass"
+ ];
+
+ secrets.files.grafana-admin-pass = {
+ text = "${tf.variables.grafana-admin-pass.ref}";
+ owner = "grafana";
+ group = "grafana";
+ };
+
+ services.grafana.security.adminPasswordFile =
+ config.secrets.files.grafana-admin-pass.path;
+
+ services.postgresql = {
 ensureDatabases = [ "grafana" ];
 ensureUsers = [{
 name = "grafana";
diff --git a/depot/services/matrix/default.nix b/depot/services/matrix/default.nix
index b635b806..a417bb20 100644
--- a/depot/services/matrix/default.nix
+++ b/depot/services/matrix/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, tf, ... }:
 
 with lib;
 
@@ -13,6 +13,37 @@ with lib;
 LC_CTYPE = "C";
 '';
 
+ kw.secrets = [
+ "matrix-registration"
+ "mautrix-telegram-api-hash"
+ "mautrix-telegram-api-id"
+ "mautrix-telegram-as-token"
+ "mautrix-telegram-hs-token"
+ ];
+
+ secrets.files.mautrix-telegram-env = {
+ text = ''
+ MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${tf.variables.mautrix-telegram-api-id.ref}
+ MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${tf.variables.mautrix-telegram-api-hash.ref}
+ MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${tf.variables.mautrix-telegram-as-token.ref}
+ MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${tf.variables.mautrix-telegram-hs-token.ref}
+ '';
+ };
+
+ secrets.files.matrix-registration-secret = {
+ text = ''
+ registration_shared_secret: ${tf.variables.matrix-registration.ref}
+ '';
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+
+ services.matrix-synapse.extraConfigFiles = [
+ config.secrets.files.matrix-registration-secret.path
+ ];
+
+ services.mautrix-telegram.environmentFile =
+ config.secrets.files.mautrix-telegram-env.path;
 services.matrix-synapse = {
 enable = true;
 max_upload_size = "512M";
diff --git a/depot/services/vaultwarden/default.nix b/depot/services/vaultwarden/default.nix
index be7a4d5b..4a36c2a8 100644
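Review bot: `secrets.files.grafana-admin-pass` sets `owner` and `group` but no file mode, so whether the password file is readable by other local accounts depends on the `secrets.files` module default, which is not visible in this patch; if that default is not owner-only, add `mode = "0400";` beside `owner`. The interpolation `text = "${tf.variables.grafana-admin-pass.ref}";` is the same value as `text = tf.variables.grafana-admin-pass.ref;` when the ref is already a string, which is how the syncplay hunk of this commit uses it. Grafana reads `adminPasswordFile` when it first creates the admin user, so rotating the Terraform variable later does not change the password of an already-initialised instance without an explicit reset — worth a one-line comment above the option.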
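Review bot: `registration_shared_secret: ${tf.variables.matrix-registration.ref}` emits the secret as an unquoted YAML scalar, so a value containing `#`, a `:` followed by a space, or a leading `*`, `&` or `{` would be truncated or mis-parsed when synapse loads the extra config file; `registration_shared_secret: "${tf.variables.matrix-registration.ref}"` is safe as long as the value cannot contain `"` or `\`, and that assumption deserves a comment. The four `MAUTRIX_TELEGRAM_*` lines have the analogous issue with systemd's EnvironmentFile quoting rules if a token can contain quotes or backslashes. `secrets.files.mautrix-telegram-env` sets no `owner`/`group` while the synapse file does; if that is deliberate because the unit manager reads the file before dropping privileges, say so in a comment so the next reader does not "fix" it.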
--- a/depot/services/vaultwarden/default.nix
+++ b/depot/services/vaultwarden/default.nix
@@ -1,6 +1,20 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, tf, ... }:
 
 {
+ kw.secrets = lib.singleton "vaultwarden-admin-token";
+
+ secrets.files.vaultwarden-env = {
+ text = ''
+ ADMIN_TOKEN=${tf.variables.vaultwarden-admin-token.ref}
+ '';
+ owner = "bitwarden_rs";
+ group = "bitwarden_rs";
+ };
+
+ services.vaultwarden = {
+ environmentFile = config.secrets.files.vaultwarden-env.path;
+ };
+
 services.postgresql = {
 ensureDatabases = [ "bitwarden_rs" ];
 ensureUsers = [{
diff --git a/depot/users/kat/default.nix b/depot/users/kat/default.nix
index 7a2c9a6b..ef97ee71 100644
--- a/depot/users/kat/default.nix
+++ b/depot/users/kat/default.nix
@@ -9,9 +9,11 @@ let katUser = { lib }: let
 (./. + "/${profile}")
 ];
 };
-}; profileNames = lib.folderList ./. ["base"];
+}; profileNames = lib.folderList ./. ["base" "services"];
+serviceNames = lib.folderList ./services [];
 userProfiles = with userProfiles; lib.genAttrs profileNames userImport // {
+ services = lib.genAttrs serviceNames userImport;
 base = { imports = [ ./nixos.nix (userImport "base") trustedImport ]; };
 server = { imports = [ personal ]; };
 guiFull = { imports = [ gui sway dev media personal ]; };
diff --git a/depot/users/kat/media/syncplay.nix b/depot/users/kat/media/syncplay.nix
index f6406bca..3a5725c6 100644
--- a/depot/users/kat/media/syncplay.nix
+++ b/depot/users/kat/media/syncplay.nix
@@ -1,12 +1,20 @@
-{ config, ... }:
+{ config, lib, tf, ... }:
+
+with lib;
 
 {
+ kw.secrets = [
+ "syncplay-pass"
+ ];
 programs.syncplay = {
 enable = true;
 username = "kat";
 defaultRoom = "lounge";
- server = { host = "sync.kittywit.ch"; };
+ server = {
+ host = "sync.kittywit.ch";
+ password = tf.variables.syncplay-pass.ref;
+ };
 playerArgs = [
 "--ytdl-format=bestvideo[height<=1080]+bestaudio/best[height<=1080]/bestvideo+bestaudio/best"
 ];
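Review bot: `kw.secrets = lib.singleton "vaultwarden-admin-token";` is the only secret declaration in this commit written with `lib.singleton`; grafana, matrix, syncplay and the weechat service all use a list literal, which is also what a reader extending the list will look for, so `kw.secrets = [ "vaultwarden-admin-token" ];` keeps the files uniform and removes the only reason `lib` was added to the argument set. Setting `ADMIN_TOKEN` enables vaultwarden's `/admin` interface; nothing in this hunk shows how that path is exposed, so a comment pointing at the reverse-proxy or firewall rule that restricts it would help the next reviewer.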
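Review bot: `services = lib.genAttrs serviceNames userImport;` feeds the directory names found under `./services` to `userImport`, whose visible fragment builds its import path as `./. + "/${profile}"` — relative to `users/kat`, not `users/kat/services` — so `users.kat.services.weechat` would resolve to `users/kat/weechat`, a path this commit does not create (the new file is `users/kat/services/weechat/default.nix`). `userImport`'s definition begins above the hunk, so this is inferred from the fragment; if the path really is anchored at `./.`, either use the new `services/default.nix` directly, `services = import ./services;`, or give `userImport` a base-directory parameter. As it stands, `services/default.nix` and this `genAttrs` look like two competing ways to build the same attribute set, and one of them should go.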
@@ -28,4 +36,12 @@
 };
 };
 };
+
+ secrets.files.syncplay-config = {
+ text = config.programs.syncplay.configIni;
+ };
+
+ xdg.configFile."syncplay.ini" = mkForce {
+ source = config.lib.file.mkOutOfStoreSymlink config.secrets.files.syncplay-config.path;
+ };
 }
diff --git a/depot/users/kat/personal/default.nix b/depot/users/kat/personal/default.nix
index f49a43e9..de1561a6 100644
--- a/depot/users/kat/personal/default.nix
+++ b/depot/users/kat/personal/default.nix
@@ -1,5 +1,5 @@
 { ... }:
 
 {
- imports = [ ./gpg.nix ./packages.nix ];
+ imports = [ ./gpg.nix ./packages.nix ./weechat.nix ./email.nix ./zsh.nix ];
 }
diff --git a/depot/users/kat/personal/email.nix b/depot/users/kat/personal/email.nix
new file mode 100644
index 00000000..e8582692
--- /dev/null
+++ b/depot/users/kat/personal/email.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+ config = {
+ programs.notmuch = {
+ enable = true;
+ hooks = { preNew = "mbsync --all"; };
+ };
+
+ programs.mbsync.enable = true;
+ programs.msmtp.enable = true;
+
+ programs.vim.plugins = [ pkgs.vimPlugins.notmuch-vim ];
+
+ accounts.email = {
+ maildirBasePath = "${config.home.homeDirectory}/mail";
+ accounts.kat = {
+ address = "kat@kittywit.ch";
+ primary = true;
+ realName = "kat witch";
+ userName = "kat@kittywit.ch";
+ msmtp.enable = true;
+ mbsync.enable = true;
+ mbsync.create = "maildir";
+ notmuch.enable = true;
+ imap.host = "athame.kittywit.ch";
+ smtp.host = "athame.kittywit.ch";
+ passwordCommand = "${pkgs.pass}/bin/pass email/kittywitch";
+ gpg = {
+ signByDefault = true;
+ key = "01F50A29D4AA91175A11BDB17248991EFA8EFBEE";
+ };
+ };
+ };
+ };
+}
diff --git a/depot/users/kat/personal/weechat.nix b/depot/users/kat/personal/weechat.nix
new file mode 100644
index 00000000..eca9dc93
--- /dev/null
+++ b/depot/users/kat/personal/weechat.nix
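Review bot: `secrets.files.syncplay-config` declares no `owner`, `group` or `mode`, whereas the sibling secret files in this commit (grafana, vaultwarden, `weechat-sec`) at least set `owner`/`group`; the file receives the whole of `configIni`, which now embeds the server password added in the first hunk, so it should be readable by the `kat` user only — add `owner = "kat";` and a restrictive `mode` unless the module's default already gives that, which this patch does not show. `with lib;` was introduced at file scope in the first hunk for the single `mkForce` here; `lib.mkForce` keeps the scope explicit and matches `config.lib.file.mkOutOfStoreSymlink` on the following line.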
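Review bot: `hooks = { preNew = "mbsync --all"; };` relies on `mbsync` being on the PATH of whatever process runs `notmuch new`, while `passwordCommand` further down pins its binary as `${pkgs.pass}/bin/pass`; `preNew = "${pkgs.isync}/bin/mbsync --all";` makes the hook work from a timer or cron job that does not load the user profile. The outer `config = { ... };` wrapper is unnecessary when the module declares no `options` and could be dropped to match the other new files in this commit. `imap.host` and `smtp.host` set no TLS options, so the account depends on the home-manager defaults for `imap.tls`/`smtp.tls`; a one-line comment stating that TLS is expected on both would record the intent for whoever next touches the account.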
@@ -0,0 +1,75 @@
+{ config, superConfig, pkgs, lib, ... }:
+
+{
+ home.file = {
+ ".local/share/weechat/sec.conf".text = ''
+ #
+ # weechat -- sec.conf
+ #
+ # WARNING: It is NOT recommended to edit this file by hand,
+ # especially if WeeChat is running.
+ #
+ # Use /set or similar command to change settings in WeeChat.
+ #
+ # For more info, see: https://weechat.org/doc/quickstart
+ #
+
+ [crypt]
+ cipher = aes256
+ hash_algo = sha512
+ passphrase_command = "${pkgs.pass}/bin/pass secrets/weechat-pass"
+ salt = on
+
+ [data]
+ __passphrase__ = on
+ znc = "552E98A5111B986C1003CF86C67DF2AF4B3FDE88E5762FC01EB4A00E31B8363ABFCBBE7A702CB72C298F61D4005D1C5AABB30602BBFCE9E4013CBE88D3D3DB66B18C551743D7816C4F0C9DA44B83DB5807BBB02A48B66D"
+ matrix = "CC989DF79CDAECC1CE32F10FA9B42B6AE9FA63B41C0B3FCCCD4A309AB798CDEE695E0B4A2E0C975C6364927C76D4FEB25BC84C7AF8989DC418A205A5D62E9330E142E4F11AB59E0720867915DEEFCA70E80102C639D35B"
+ '';
+ };
+
+ programs.weechat = {
+ enable = true;
+ init = lib.mkBefore ''
+ /server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
+ /server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
+ '';
+ scripts = with pkgs.weechatScripts; [
+ weechat-notify-send
+ ];
+ config = {
+ irc = {
+ server = {
+ softnet = {
+ address = "athame.kittywit.ch/5001";
+ password = "kat@${superConfig.networking.hostName}/softnet:\${sec.data.znc}";
+ ssl = true;
+ ssl_verify = false;
+ autoconnect = true;
+ };
+ liberachat = {
+ address = "athame.kittywit.ch/5001";
+ password = "kat@${superConfig.networking.hostName}/liberachat:\${sec.data.znc}";
+ ssl = true;
+ ssl_verify = false;
+ autoconnect = true;
+ };
+ espernet = {
+ address = "athame.kittywit.ch/5001";
+ password = "kat@${superConfig.networking.hostName}/espernet:\${sec.data.znc}";
+ ssl = true;
+ ssl_verify = false;
+ autoconnect = true;
+ };
+ };
+ };
+ matrix = {
+ server.kittywitch = {
+ address = "kittywit.ch";
+ device_name = "${superConfig.networking.hostName}/weechat";
+ username = "kat";
password = "\${sec.data.matrix}";
+ };
+ };
+ };
+ };
+}
diff --git a/depot/users/kat/personal/zsh.nix b/depot/users/kat/personal/zsh.nix
new file mode 100644
index 00000000..8bdc956a
--- /dev/null
+++ b/depot/users/kat/personal/zsh.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+ programs.zsh = {
+ shellAliases = {
+ abbyradio = "mpv $(pass secrets/abbyradio)";
+ };
+ };
+}
diff --git a/depot/users/kat/services/default.nix b/depot/users/kat/services/default.nix
new file mode 100644
index 00000000..40bf67cb
--- /dev/null
+++ b/depot/users/kat/services/default.nix
@@ -0,0 +1,3 @@
+{
+ weechat = import ./weechat;
+}
diff --git a/depot/users/kat/services/weechat/default.nix b/depot/users/kat/services/weechat/default.nix
new file mode 100644
index 00000000..8f4dc633
--- /dev/null
+++ b/depot/users/kat/services/weechat/default.nix
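Review bot: `ssl_verify = false;` on `softnet`, `liberachat` and `espernet` turns off certificate verification, so `ssl = true` encrypts the session but does not authenticate `athame.kittywit.ch`, and the ZNC credential composed in `password = "kat@${superConfig.networking.hostName}/softnet:\${sec.data.znc}"` is presented to whatever answers on port 5001. The same three settings are repeated verbatim in `depot/users/kat/services/weechat/default.nix` later in this commit. If the bouncer uses a self-signed certificate, pin it instead — `ssl_fingerprint = "<placeholder: fingerprint of the server certificate>";` with `ssl_verify = true;` — and if it has a publicly trusted certificate, simply delete the `ssl_verify` lines. The `/server add ... -ssl -autoconnect` commands in `init` duplicate the declarative `config.irc.server.*` entries for softnet and liberachat (but not espernet); presumably one mechanism is meant to be authoritative, and a short comment should say which.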
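Review bot: `abbyradio = "mpv $(pass secrets/abbyradio)";` leaves the command substitution unquoted, so a stream URL containing spaces or glob characters is word-split by the shell before it reaches mpv; `abbyradio = "mpv \"$(pass secrets/abbyradio)\"";` hands it over as a single argument. `config` in the argument set of this new file is unused and the header can shrink to `{ ... }:`.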
@@ -0,0 +1,106 @@
+{ config, lib, superConfig, pkgs, tf, ... }:
+
+{
+ kw.secrets = [
+ "matrix-pass"
+ "znc-pass"
+ ];
+
+ secrets.files.weechat-sec = {
+ text = ''
+ #
+ # weechat -- sec.conf
+ #
+ # WARNING: It is NOT recommended to edit this file by hand,
+ # especially if WeeChat is running.
+ #
+ # Use /set or similar command to change settings in WeeChat.
+ #
+ # For more info, see: https://weechat.org/doc/quickstart
+ #
+
+ [crypt]
+ cipher = aes256
+ hash_algo = sha512
+ salt = off
+
+ [data]
+ __passphrase__ = off
+ znc = "${tf.variables.znc-pass.ref}"
+ matrix = "${tf.variables.matrix-pass.ref}"
+ '';
+ owner = "kat";
+ group = "users";
+ };
+
+ home.file = {
+ ".local/share/weechat/sec.conf".source = config.lib.file.mkOutOfStoreSymlink config.secrets.files.weechat-sec.path;
+ };
+
+ services.weechat.enable = true;
+
+ systemd.user.services.weechat-tmux = let scfg = config.services.weechat; in lib.mkForce {
+ Unit = {
+ Description = "Weechat tmux session";
+ After = [ "network.target" ];
+ };
+ Service = {
+ Type = "oneshot";
+ Environment=[
+ "TMUX_TMPDIR=%t"
+ "WEECHAT_HOME=${toString config.programs.weechat.homeDirectory}"
+ ];
+ RemainAfterExit = true;
+ X-RestartIfChanged = false;
+ ExecStart = "${scfg.tmuxPackage}/bin/tmux -2 new-session -d -s ${scfg.sessionName} ${scfg.binary}";
+ ExecStop = "${scfg.tmuxPackage}/bin/tmux kill-session -t ${scfg.sessionName}";
+ };
+ Install.WantedBy = [ "default.target" ];
+ };
+
+ programs.weechat = {
+ enable = true;
+ init = lib.mkBefore ''
+ /server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
+ /server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
+ '';
+ scripts = with pkgs.weechatScripts; [
+ weechat-notify-send
+ ];
+ config = {
+ irc = {
+ server = {
+ softnet = {
+ address = "athame.kittywit.ch/5001";
+ password = "kat@${superConfig.networking.hostName}/softnet:\${sec.data.znc}";
+ ssl = true;
+ ssl_verify = false;
+ autoconnect = true;
+ };
+ liberachat = {
+ address =
"athame.kittywit.ch/5001";
+ password = "kat@${superConfig.networking.hostName}/liberachat:\${sec.data.znc}";
+ ssl = true;
+ ssl_verify = false;
+ autoconnect = true;
+ };
+ espernet = {
+ address = "athame.kittywit.ch/5001";
+ password = "kat@${superConfig.networking.hostName}/espernet:\${sec.data.znc}";
+ ssl = true;
+ ssl_verify = false;
+ autoconnect = true;
+ };
+ };
+ };
+ matrix = {
+ server.kittywitch = {
+ address = "kittywit.ch";
+ device_name = "${superConfig.networking.hostName}/weechat";
+ username = "kat";
+ password = "\${sec.data.matrix}";
+ };
+ };
+ };
+ };
+}
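Review bot: `secrets.files.weechat-sec` holds the ZNC and Matrix passwords in cleartext (`__passphrase__ = off`, `salt = off`) and is declared with `group = "users";` and no `mode`; `users` is the group shared by every regular account on the host, so unless the module's default mode is owner-only — not visible here — any local user could read both credentials, and the fix is `group` set to kat's own primary group or `mode = "0400";` next to `owner`. The `ssl_verify = false;` entries on the three IRC servers in this file are the same issue raised on `depot/users/kat/personal/weechat.nix`, which also proposes the remedy. In the `lib.mkForce`d `weechat-tmux` unit, `After = [ "network.target" ];` names a system-manager target that a user instance does not provide, and `X-RestartIfChanged = false;` is a NixOS system-unit hint that home-manager's user-unit activation may not honour — both look carried over from the module's own unit, so confirm they have an effect before keeping them.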