Rework of the personal profile. Whittled down trusted.

This commit is contained in:
kat witch 2021-08-29 01:15:00 +01:00
parent cee19f8d3b
commit a55342d0a4
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
16 changed files with 338 additions and 45 deletions


@ -108,6 +108,8 @@ in
home.persistence."/persist/home" = {
allowOther = true;
directories = [
".cache/kat/secrets"
".cache/rbw"
".local/share/z"
".local/share/dino"
".local/share/weechat"
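Review bot: `.cache/kat/secrets` and `.cache/rbw` are now bind-mounted from `/persist/home`, so whatever those tools cache survives the ephemeral home, and with `allowOther = true` the mount is traversable by other local users, leaving the mode of the persisted directories as the only thing keeping the contents private. If `.cache/kat/secrets` holds plaintext material (this hunk does not show what writes there), persisting it undoes the point of a tmpfs home; rbw's cache is, to my knowledge, the encrypted vault copy plus metadata and is fine to keep. I would annotate the two entries, e.g. `".cache/rbw" # encrypted vault cache only; the agent socket lives in $XDG_RUNTIME_DIR`, and check that `/persist/home/.cache/kat/secrets` is 0700 on disk. The `directories` list continues outside the hunk.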


@ -1,15 +1,33 @@
{ config, lib, ... }:
{ config, lib, nixos, ... }:
with lib;
let
secretType = types.submodule ({ name, ... }: {
options = {
source = mkOption {
type = types.path;
};
text = mkOption {
type = types.str;
};
};
});
in
{
options.kw = {
secrets = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
repoSecrets = mkOption {
type = types.nullOr (types.attrsOf secretType);
default = null;
};
};
config = mkIf (config.kw.secrets != null) {
deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });
kw.repoSecrets = nixos.kw.repoSecrets;
};
}
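Review bot: `kw.repoSecrets = nixos.kw.repoSecrets;` sits inside `mkIf (config.kw.secrets != null)`, so a home-manager configuration that uses only repo secrets (bitw.nix reads `config.kw.repoSecrets.bitw.source` but sets no `kw.secrets`) would find `repoSecrets` still at its `null` default and fail on the attribute access. It works in this commit only because a sibling module in the same profile (taskwarrior.nix) happens to set `kw.secrets`. Move the assignment out of the conditional, e.g. `config = mkMerge [ { kw.repoSecrets = nixos.kw.repoSecrets; } (mkIf (config.kw.secrets != null) { deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; }); }) ];`. Separately, `source` and `text` in `secretType` both lack defaults, so a repoSecret that defines only one of them raises "used but not defined" the first time the other is accessed; give each `type = types.nullOr …; default = null;`.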


@ -2,12 +2,28 @@
with lib;
let
secretType = types.submodule ({ name, ... }: {
options = {
source = mkOption {
type = types.path;
};
text = mkOption {
type = types.str;
};
};
});
in
{
options.kw = {
secrets = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
repoSecrets = mkOption {
type = types.nullOr (types.attrsOf secretType);
default = null;
};
};
config = mkIf (config.kw.secrets != null) {
deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });
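Review bot: `source = mkOption { type = types.path; }` carries no warning that a path value is copied into the world-readable Nix store the moment it is interpolated into a string, which bitw.nix does with `gpg://${config.kw.repoSecrets.bitw.source}`; that is only safe for payloads already encrypted at rest, and nothing in the option enforces it. The `text` option has the same hazard if it ever feeds `writeText` or `environment.etc`. I would document the contract on both: `description = "Path inside the trusted repo; consume it only via import or the imports list. Interpolating it into a string copies the file into the Nix store, so do that only for gpg-encrypted files.";` and for `text`, `description = "Secret text held in the evaluation; never route it through writeText or any store path.";`. Giving both a `default = null` with `types.nullOr` would also stop a single-field definition from raising on the other's first access. The config attrset continues outside the hunk.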


@ -1,6 +1,10 @@
{ config, lib, kw, ... }:
{
imports = [
config.kw.repoSecrets.nfs.source
];
network.firewall = {
private.tcp.ports = [ 111 2049 ];
public.tcp.ports = [ 111 2049 ];
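Review bot: `public.tcp.ports = [ 111 2049 ];` exposes rpcbind and nfsd on the public zone, so anyone who can route to the host can probe the export list and, for NFSv3, talk to the portmapper; whether that line is new here or pre-existing context, the hunk now ties the export configuration to `config.kw.repoSecrets.nfs.source`, so this is the right place to confirm the exposure is intended. If only NFSv4 clients are expected, drop 111 and keep 2049; if clients are all on the private network, drop the `public` entry entirely. Otherwise a Nix comment above the line naming the remote client and stating that the export list in the trusted nfs module restricts it would make the choice deliberate. The firewall attrset continues past the hunk.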


@ -1,6 +1,113 @@
{ config, pkgs, ... }:
{ config, tf, lib, pkgs, ... }:
with lib;
let
sortedAttrs = set: sort
(l: r:
if l == "extraConfig" then false # Always put extraConfig last
else if isAttrs set.${l} == isAttrs set.${r} then l < r
else isAttrs set.${r} # Attrsets should be last, makes for a nice config
# This last case occurs when any side (but not both) is an attrset
# The order of these is correct when the attrset is on the right
# which we're just returning
)
(attrNames set);
# Specifies an attrset that encodes the value according to its type
encode = name: value: {
null = [ ];
bool = [ "${name} = ${boolToString value}" ];
int = [ "${name} = ${toString value}" ];
# extraConfig should be inserted verbatim
string = [ (if name == "extraConfig" then value else "${name} = ${value}") ];
# Values like `Foo = [ "bar" "baz" ];` should be transformed into
# Foo=bar
# Foo=baz
list = concatMap (encode name) value;
# Values like `Foo = { bar = { Baz = "baz"; Qux = "qux"; Florps = null; }; };` should be transmed into
# <Foo bar>
# Baz=baz
# Qux=qux
# </Foo>
set = concatMap
(subname: optionals (value.${subname} != null) ([
"<${name} ${subname}>"
] ++ map (line: "\t${line}") (toLines value.${subname}) ++ [
"</${name}>"
]))
(filter (v: v != null) (attrNames value));
}.${builtins.typeOf value};
# One level "above" encode, acts upon a set and uses encode on each name,value pair
toLines = set: concatMap (name: encode name set.${name}) (sortedAttrs set);
in {
network.firewall.public.tcp.ports = singleton 5001;
kw.secrets = [ "znc-softnet-address" "znc-espernet-pass" "znc-liberachat-pass" "znc-savebuff-pass" "znc-espernet-cert" "znc-liberachat-cert" "znc-softnet-cert" ];
secrets.files.softnet-cert = {
text = tf.variables.znc-softnet-cert.ref;
owner = "znc";
group = "znc";
};
secrets.files.espernet-cert = {
text = tf.variables.znc-espernet-cert.ref;
owner = "znc";
group = "znc";
};
secrets.files.liberachat-cert = {
text = tf.variables.znc-liberachat-cert.ref;
owner = "znc";
group = "znc";
};
system.activationScripts = {
softnet-cert-deploy = {
text = ''
mkdir -p /var/lib/znc/users/kat/networks/softnet/moddata/cert
ln -fs ${config.secrets.files.softnet-cert.path} /var/lib/znc/users/kat/networks/softnet/moddata/cert/user.pem
'';
};
esperrnet-cert-deploy = {
text = ''
mkdir -p /var/lib/znc/users/kat/networks/espernet/moddata/cert
ln -fs ${config.secrets.files.espernet-cert.path} /var/lib/znc/users/kat/networks/espernet/moddata/cert/user.pem
'';
};
liberachat-cert-deploy = {
text = ''
mkdir -p /var/lib/znc/users/kat/networks/liberachat/moddata/cert
ln -fs ${config.secrets.files.liberachat-cert.path} /var/lib/znc/users/kat/networks/liberachat/moddata/cert/user.pem
'';
};
};
secrets.files.znc-config = {
text = concatStringsSep "\n" (toLines config.services.znc.config);
owner = "znc";
group = "znc";
};
services.nginx.virtualHosts."znc.${config.network.dns.domain}" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:5002"; };
};
deploy.tf.dns.records.services_znc = {
tld = config.network.dns.tld;
domain = "znc";
cname.target = "${config.networking.hostName}.${config.network.dns.tld}";
};
{
services.znc = {
enable = true;
mutable = false;
@ -9,6 +116,57 @@
modulePackages = with pkgs.zncModules; [
clientbuffer
clientaway
playback
privmsg
];
config = lib.mkMerge [
({
Version = lib.getVersion pkgs.znc;
Listener.l = {
Port = 5002;
SSL = false;
AllowWeb = true;
};
Listener.j = {
Port = 5001;
SSL = true;
AllowWeb = false;
};
modules = [ "webadmin" "adminlog" "cert" "clientbuffer" "clientaway" "savebuff" "playback" "privmsg" ];
User = {
kat = {
Admin = true;
Nick = "kat";
AltNick = "katrin";
AutoClearChanBuffer = false;
AutoClearQueryBuffer = false;
LoadModule = [ "clientbuffer autoadd" "clientaway" "savebuff ${tf.variables.znc-savebuff-pass.ref}" ];
Network.softnet = {
Server = "${tf.variables.znc-softnet-address.ref}";
Nick = "kat";
AltNick = "kat_";
JoinDelay = 2;
LoadModule = [ "simple_away" "cert" ];
};
Network.liberachat = {
Server = "irc.libera.chat +6697 ${tf.variables.znc-liberachat-pass.ref}";
Nick = "kat";
AltNick = "kat_";
JoinDelay = 2;
LoadModule = [ "cert" "simple_away" "nickserv" ];
};
Network.espernet = {
Server = "anarchy.esper.net +6697 ${tf.variables.znc-espernet-pass.ref}";
Nick = "kat";
AltNick = "katrin";
JoinDelay = 2;
LoadModule = [ "simple_away" "nickserv" "cert" ];
};
};
};
})
(import config.kw.repoSecrets.znc.source)
];
configFile = config.secrets.files.znc-config.path;
};
}
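Review bot: `Listener.l` (`Port = 5002; SSL = false; AllowWeb = true;`) is a plaintext web listener with no `Host`, so ZNC binds it on every interface and only the firewall rule that opens just 5001 keeps it off the network; since nginx reaches it at `127.0.0.1:5002`, bind it there explicitly with `Host = "127.0.0.1";` and add `AllowIRC = false;` so plaintext IRC is not served on that port either, plus a top-level `TrustedProxy = [ "127.0.0.1" ];` so webadmin logs the real client address behind the proxy rather than localhost. Second, the activation scripts' `mkdir -p /var/lib/znc/users/kat/networks/*/moddata/cert` run as root and, where the directories do not already exist, leave root-owned directories inside znc's state tree; a `systemd.tmpfiles.rules` pair such as `"d /var/lib/znc/users/kat/networks/softnet/moddata/cert 0750 znc znc -"` and `"L+ /var/lib/znc/users/kat/networks/softnet/moddata/cert/user.pem - - - - ${config.secrets.files.softnet-cert.path}"` keeps ownership consistent (and fixes the `esperrnet-cert-deploy` spelling while moving it). Finally, the `sortedAttrs`/`encode`/`toLines` trio appears to be a copy of the NixOS znc module's own serializer; a header comment stating why it exists here, namely that `tf.variables.*.ref` (savebuff and server passwords) must never reach the store-built znc.conf, which is why `configFile` points at `secrets.files.znc-config`, would stop a later "simplification" back to the module default from leaking those secrets into `/nix/store`.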

@ -1 +1 @@
Subproject commit 97ac097d39b25551fca668100774236ce3b24cc8
Subproject commit 8ac5f9b8fbabd49d3199cc61182c39ca389ca47d


@ -13,7 +13,6 @@
./weechat.nix
./inputrc.nix
./rink.nix
./pass.nix
./secrets.nix
];


@ -7,11 +7,13 @@ with lib;
init = lib.mkMerge [
(lib.mkBefore ''
/server add espernet athame.kittywit.ch/5001 -ssl -autoconnect
/server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
/server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
/matrix server add kittywitch kittywit.ch
/key bind meta-g /go
/key bind meta-v /input jump_last_buffer_displayed
/key bind meta-c /buffer close
/key bind meta-n /bar toggle nicklist
/key bind meta-n /bar toggle nicklist
/key bind meta-b /bar toggle buflist
/relay add weechat 9000
'')
@ -42,6 +44,7 @@ with lib;
weechat-matrix
title
highmon
zncplayback
];
config = with mapAttrs (_: toString) pkgs.base16.shell.shell256; {
logger.level.irc = 0;
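Review bot: `/relay add weechat 9000` starts a WeeChat relay listener in the clear; whether that line is new or context, routing espernet through `athame.kittywit.ch/5001` alongside softnet and liberachat now puts three networks' buffers behind it. Prefer `/relay add ssl.weechat 9000` with `relay.network.ssl_cert_key` set, make sure `relay.network.password` is populated through sec.conf rather than left empty, or at least pin `relay.network.bind_address` to a loopback or VPN address. If the relay is only reachable over a tunnel, say so in a Nix comment above the `mkBefore` block so the plaintext listener reads as deliberate. The `init` merge continues outside the hunk.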


@ -1,10 +1,5 @@
let katUser = { lib }:
let
trustedImport = {
config.home-manager.users.kat = {
imports = lib.optional (builtins.pathExists ../../trusted/users/kat) (import ../../trusted/users/kat/home.nix);
};
};
userImport = profile: { config, ... }: {
config.home-manager.users.kat = {
imports = [
@ -24,7 +19,7 @@ let katUser = { lib }:
userProfiles = with userProfiles;
lib.genAttrs profileNames userImport // {
services = lib.genAttrs serviceNames serviceImport;
base = { imports = [ ./nixos.nix (userImport "base") trustedImport ]; };
base = { imports = [ ./nixos.nix (userImport "base") ]; };
server = { imports = [ personal ]; };
guiFull = { imports = [ gui sway dev media personal ]; };
};


@ -0,0 +1,12 @@
{ config, pkgs, lib, ... }: {
programs.rbw = {
enable = true;
package = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.repoSecrets.bitw.source} "$@"'';
settings = {
email = "kat@kittywit.ch";
base_url = "https://vault.kittywit.ch";
identity_url = null;
lock_timeout = 3600;
};
};
}
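Review bot: `gpg://${config.kw.repoSecrets.bitw.source}` interpolates a `types.path` into a string, which copies the referenced file into the world-readable Nix store; that is acceptable only because the `gpg://` scheme implies the file is already gpg-encrypted, and nothing in the wrapper says so. A comment above `package` makes the invariant explicit: `# interpolating the path copies the file into /nix/store; safe only because it is gpg-encrypted`. `lock_timeout = 3600` keeps the unlocked vault key resident in the agent for an hour, which is a policy choice worth a one-line justification next to it. The identical wrapper is rebuilt in weechat.nix; that file should reference `config.programs.rbw.package` rather than duplicate this line.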


@ -1,5 +1,13 @@
{ ... }:
{
imports = [ ./gpg.nix ./weechat.nix ./email.nix ./zsh.nix ];
imports = [
./gpg.nix
./weechat.nix
./email.nix
./zsh.nix
./pass.nix
./taskwarrior.nix
./bitw.nix
];
}


@ -0,0 +1,97 @@
{ config, pkgs, tf, lib, ... }:
{
kw.secrets = [ "taskwarrior-key" "taskwarrior-creds" ];
secrets.files = {
taskw_key = {
text = "${tf.variables.taskwarrior-key.ref}";
owner = "kat";
group = "users";
};
taskw_config = {
text = ''
taskd.credentials=${tf.variables.taskwarrior-creds.ref}
'';
owner = "kat";
group = "users";
};
};
programs.taskwarrior = {
enable = true;
config = {
taskd = {
certificate = "${pkgs.writeText "taskd_cert.pem" ''
-----BEGIN CERTIFICATE-----
MIIFRzCCAy+gAwIBAgIULP2UcJYZuZqRI505UwRf+RWdc7gwDQYJKoZIhvcNAQEM
BQAwFjEUMBIGA1UEAxMLa2l0dHl3aXQuY2gwIBcNMjEwMzE0MDA1MjUxWhgPOTk5
OTEyMzEyMzU5NTlaMCsxFDASBgNVBAMTC2tpdHR5d2l0LmNoMRMwEQYDVQQKEwpr
aXR0eXdpdGNoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvVZZgWRA
XHWzWVkGb/go1ynVYY9U/AItgc0DuKt/9glb/bGA+VkFYknd3djM0NrUqLWwR3Ln
pUBH95SVOzJTkF4Sri6vCG6r9YjyIw22iwQQeYcnR9MRy5BuTRsLhwPJWl1pJVHC
tdqDLUqaP1P6UAlYXYxtZDFN3Y8iW22xe+8+/Ew1GiXGdeFrfRgo3TAp9PbKy0wq
Kqe1V/mcCcDcUEFrujL+6soeSZAs2AffMPfl23kC8MB08DHRv06d97DlDGXd2tql
5OkJHZehwIiTBeJMXHyjRRXyam2DY4/ucVMbXgHi7nUn0FmfYPyljzU1kYiwUxxf
6/rIGXOYQJkq6AKsih8p1h5NmL0PRtd7E074Zh1ABvY79k6a+uawIKk+nhyu4Gil
IIvYbJqpXDHeZ4m/UBIjcxQZEcDgnR3jlqBZshB6hyaPRy0EBgcOJxOefLzOpcD+
tul39AIaK6InM4ftdb1W6GXiuXr+JBH0rNe52s8G7AiZZxjsQhIaRvsNcq+dX9fT
0NLOmCF8lqKCoEha50ELfSyUtfR/jKTvmiuxPT3mUgqP5DeDErgTJ+x1Hr6nqH7g
VL0jrYhf7UcmmVC236H8yjkad7rx70B5JVzA4yMcE1qoUXEAxJfXoVyjbyDPAg8P
VL3pSRYV+RIyQ9XevZiF6dFjlJsyIRUJlUkCAwEAAaN2MHQwDAYDVR0TAQH/BAIw
ADATBgNVHSUEDDAKBggrBgEFBQcDAjAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW
BBRkudH4JVQy6akuhU0Me++nUknMWzAfBgNVHSMEGDAWgBRmz2varlp5iPH6DGES
WjtTVUs3jjANBgkqhkiG9w0BAQwFAAOCAgEATuASvWkbS0x3NJGRuxhHBF7svBdL
Gd72AbN2oiqPs0pRkRE/oar/osNRqCClv6GqWt/yGbFHCIeE+8UkmqBYYps8N5G0
mqaQU9okafoNqEvQUIxRtJByG9RNlEZD4qB0pw/QUTkCn77a75hyVy5/x9zi75Ya
XS5djO5zA7st1rBzvWVCWdFH4Mk00aZbh66IoWpG+YO6kuTdd8ZKAL+UO5Q5PBjM
/ZgwVyuQBTA5LbLLHPoCRhgWbSv/DRhDZUlWslRU/NkulE5ju4lX2Uuxj4yc2rT2
8b3hrHI6IC0hMYCrDynbws71LNEjG/lejBhOLnbBOHOGq+hl1CMNWaLedlH2xFa0
sJorShW5IarJ/Pthj/FEX7U8LcmnKkbNXL1qwfVU4NVXQSMkqSc+GOxDPYUeFgMt
atpIo3PjucdPpqqSly4yuZZJritVVpm0IvLdE2euDAuLPyQEhqBeMn50zS9seGhw
+heTRZjt0zhDU1MK790cYdWBqfttvOFF4pUTlWiIuBGl6Wn/bzZFatscSrj1r42y
rs819ej8Ey8Us9bRFJC21q712AIPetSM3BnmM4oT6mkQZ8e2Zn1K41GP0r7MLFaB
KpwGEQxfo+rAiUsnF/FS8a9pCmlYIFdfSN3eLh6c9WQdzWm76BFubYyN1g3WTtRh
kuLR6WeghnkGENo=
-----END CERTIFICATE-----
''}";
key = config.secrets.files.taskw_key.path;
ca = "${pkgs.writeText "taskd_ca.pem" ''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
''}";
server = "${config.network.dns.domain}:53589";
};
};
extraConfig = ''
include ${config.secrets.files.taskw_config.path}
'';
};
}
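Review bot: `taskw_key` is the taskd client's private key and is declared with `owner = "kat"; group = "users";` but no explicit mode, so whether every member of `users` can read it depends on the secrets module's default, which is not visible here; set it explicitly with `mode = "0400";` on both `taskw_key` and `taskw_config` (the latter carries `taskd.credentials`). The CA and client certificates are public material and fine in the store via `writeText`; the client certificate's notAfter appears to decode to 99991231235959Z, i.e. it never expires, which deserves a comment so nobody assumes renewal is automated. Taskwarrior's `taskd.trust` defaults, I believe, to `strict`, which is what makes the `ca` setting meaningful; pinning `trust = "strict";` explicitly guards against that default changing under you.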


@ -1,8 +1,9 @@
{ config, nixos, pkgs, lib, ... }:
{
home.file = {
".local/share/weechat/sec.conf".text = ''
home.file = let
bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.repoSecrets.bitw.source} "$@"'';
in { ".local/share/weechat/sec.conf".text = ''
#
# weechat -- sec.conf
#
@ -17,7 +18,7 @@
[crypt]
cipher = aes256
hash_algo = sha512
passphrase_command = "${pkgs.pass}/bin/pass secrets/weechat-pass"
passphrase_command = "${bitw}/bin/bitw get comms/weechat"
salt = on
[data]
@ -29,10 +30,6 @@
programs.weechat = {
enable = true;
init = lib.mkBefore ''
/server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
/server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
'';
scripts = with pkgs.weechatScripts; [
weechat-notify-send
];
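Review bot: the `bitw` wrapper on the `let` line is a verbatim copy of `programs.rbw.package` from bitw.nix; if this is the same personal profile (its default.nix imports both files), use `passphrase_command = "${config.programs.rbw.package}/bin/bitw get comms/weechat"` and drop the local definition so the two cannot drift. Also bear in mind that `home.file.".local/share/weechat/sec.conf".text` lands in the Nix store, so the `[data]` section that follows is world-readable on the host; that is only acceptable if every entry there is one WeeChat encrypted under the `[crypt]` passphrase (`aes256`/`sha512`, `salt = on`), so a short comment above the file saying that `[data]` must hold only encrypted entries would protect the invariant. The file continues outside the hunk.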


@ -39,32 +39,8 @@
services.weechat.enable = true;
systemd.user.services.weechat-tmux = let scfg = config.services.weechat; in
lib.mkForce {
Unit = {
Description = "Weechat tmux session";
After = [ "network.target" ];
};
Service = {
Type = "oneshot";
Environment = [
"TMUX_TMPDIR=%t"
"WEECHAT_HOME=${toString config.programs.weechat.homeDirectory}"
];
RemainAfterExit = true;
X-RestartIfChanged = false;
ExecStart = "${scfg.tmuxPackage}/bin/tmux -2 new-session -d -s ${scfg.sessionName} ${scfg.binary}";
ExecStop = "${scfg.tmuxPackage}/bin/tmux kill-session -t ${scfg.sessionName}";
};
Install.WantedBy = [ "default.target" ];
};
programs.weechat = {
enable = true;
init = lib.mkBefore ''
/server add softnet athame.kittywit.ch/5001 -ssl -autoconnect
/server add liberachat athame.kittywit.ch/5001 -ssl -autoconnect
'';
scripts = with pkgs.weechatScripts; [
weechat-notify-send
];


@ -1,7 +1,15 @@
{ config, pkgs, ... }:
{ config, lib, ... }:
with lib;
{
services.konawall = {
enable = true;
interval = "30m";
mode = "shuffle";
commonTags = [ "width:>=1600" ];
tagList = map (toList) [
"score:>=50"
];
};
}
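Review bot: `with lib;` is pulled in for a single identifier and `map (toList) [ "score:>=50" ]` wraps `toList` in redundant parentheses; `tagList = map lib.toList [ "score:>=50" ];` with the `with lib;` line dropped keeps the scope explicit, which matters because identifiers under `with` resolve late and a typo becomes an obscure error rather than an undefined-variable message at the right line. The module signature would then also no longer need `lib` unqualified, leaving `{ config, lib, ... }:` as is.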