refactor(openwebrx): pull out common module config

systems/aya/nixos.nix

@@ -6,7 +6,7 @@
     nixos.base
     nixos.reisen-ct
     nixos.nixbld
-    #nixos.cross.aarch64
+    #nixos.cross.aarch64 # XXX: binfmt_misc namespaces not yet supported :<
     nixos.tailscale
     nixos.github-runner.zone
     nixos.minecraft.bedrock

systems/kasen/default.nix

@@ -9,10 +9,11 @@ _: {
     ./nixos.nix
   ];
   exports = {
-      services = {
-        nginx.enable = true;
-        sshd.enable = true;
-      };
+    services = {
+      nginx.enable = true;
+      sshd.enable = true;
+      openwebrx.enable = true;
+    };
   };
   network.networks = {
     local = {

systems/kasen/nixos.nix

@@ -2,18 +2,15 @@
   meta,
   config,
   lib,
-  pkgs,
   ...
-}: let
-  inherit (lib.modules) mkForce;
-  inherit (config.services) nginx;
-in {
+}: {
   imports = let
     inherit (meta) nixos;
   in [
-    #nixos.sops
+    nixos.sops
     nixos.base
     nixos.nginx
+    nixos.openwebrx
   ];
 
   boot.loader.grub.enable = false;
@@ -21,30 +18,7 @@ in {
 
   hardware.rtl-sdr.enable = true;
 
-  services.openwebrx = {
-    enable = true;
-    package = pkgs.openwebrxplus;
-  };
-  systemd.services.openwebrx.serviceConfig = {
-    DynamicUser = mkForce false;
-    User = "openwebrx";
-    Group = "openwebrx";
-  };
-
-  users.users.openwebrx = {
-        isSystemUser = true;
-        group = "openwebrx";
-        extraGroups = [
-          "plugdev"
-        ];
-  };
-  users.groups.openwebrx = {};
-
-  networking.firewall.interfaces.local.allowedTCPPorts = [
-    8073
-  ];
-
-  #sops.defaultSopsFile = ./secrets.yaml;
+  sops.defaultSopsFile = ./secrets.yaml;
 
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";

systems/kasen/secrets.yaml

@@ -0,0 +1,56 @@
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fjcafp0j45sz03zq5srnxyq2mujndmn25vceg3wj2cgzymqm73ssmhdgku
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUGdqR0lBTFNycWJFZW5m
+            YU5WY0dQc01HQ0N4ZjFHdDN5cW16TXFLWEhzCnc5cTJ3MHBQNlp0bE5HY1hRcnpi
+            bzF3eEIxMU1sL2N0R3hGNUhOZWdFQUUKLS0tIHhSQzNRZ3lwV0o2TEs4elBabDQy
+            VG9hNEpQeW5KNTBvSTBsN0NsQWxJbE0KvkUsGZhEQ7wwuYrW7R3HARtH0/XzWLoy
+            6S2cdIzeuXKogXujv+vd4zzkO1tKuwxhfrhK1EVX5LL7YuK0n66AkQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-13T20:06:41Z"
+    mac: ENC[AES256_GCM,data:CBVQ8xAuOniojJdAo/bNvdDwi2QdZ4IZ/cgBDTQBrxiRlsukTcqZ+PvtR2bvDZAgsHEGuL1m4qTWPlBnFYBONZ5akomZ4YRAzlUd3OcpnEQn3RVQyGhimc1D8ZJgTeSam6dykt/IFpnGwPDxgwGqgRP3WqmLJn/eKfI18ZZusMQ=,iv:9n0wiYBh02eXYEP8n7RBPOcK5UBxo6r3iKBZIJ7GN6w=,tag:QwT5PR1tvqlawSw99lR9kg==,type:str]
+    pgp:
+        - created_at: "2024-05-13T20:06:35Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA82M54yws73UARAAwaLDkpKHWq5hTBp1DQ5mxDYosBnTHb43lh33k94vm4g2
+            6ut7B3gRImMaKdcJ3fbrg7tTVpaJkVA9qHuiiA9k/SjFKas1Zj1k9KJz+vqR0m6Q
+            sf5lgfUDL+eNeCMcuuo8zLMC5vDm3bkvffdj/2XOxKy0uGX/Rodm1yz7QUFSoUny
+            eYpJPXEX1zsQ4abK/Ck6q+3lCunHv5Df2Rw5U4piLC0e3kFc0NsQCNd2CavmzHkH
+            Us9nVZIlSgs6YeX4fFKxQwpvdDCg2dzuBnzkAgXu9LpxKBiAXPDZR6ymsUqtsFPk
+            wIIWVZablhVnEE2AeqzP1h8XLcS2gtBV/ikAlh8Q5stg8ZwynMYGUs4UctqNLr12
+            D7FzNBdQVgnAdYR3hJIHTmVbKl1sKUcSVdWDSEZS0iQEHht8AxRPpoq69ahb5sZG
+            g0swYM8CIzS7MZarf4xu5Se2Oc6XjFGZXne0m+o+FTlJwt0HMgQpT7QUsuI29rRt
+            PU2CbsZiNvBeG7DNa8PxmOcr+RqgRieCxO7sqnXEaLM5DLw7goB1t/O0RhFwbh0F
+            iFEhb4EiIqctU7ZsdL+LL/D/AhOX2bRxOLh8lOQNwgbcLZqNg3CozPutZTemgirI
+            Au6MWj51GwmUL3nPF1uGrA1bTInpBQYFzHcQXTvmBl7a+oEpsMTJXXFi3grPegrS
+            XgEPu3/ymGRBbSzcfDqOTvynw57Z2WuqZhpRkz8zKnLLZvKXkuoCXzaXwkKBH3Jl
+            8bymsNSnYsx9JSJRihQVDwCHnKL1nSJVRwweQTH7IwSDpy9tGRQ49K82daOIx98=
+            =f/a0
+            -----END PGP MESSAGE-----
+          fp: CD8CE78CB0B3BDD4
+        - created_at: "2024-05-13T20:06:35Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA2W9MER3HLb7AQgArIaJ05lMr2k4v07xGpsE0yMAcOXcgVUWBu7frgml2Mj0
+            vUQzyODyHc/C4bgzPGorQjeQyDN2ZAS8tLS3gkRuze/tF74uU/7cA6AgOBQ07t2G
+            kCgogymIWKbaLUJF52cuZUyWsyZezZMBFZ6JXvrU3XpX9Xd4GCBt7lBWZHWaDxLc
+            Fj9wwYFjwSltBhd1lQrLZOCcwbY/aEWaqM/mKM/9eo3tLzDA6nIEK0n4vNyBho+5
+            jjN85/3t73su/aMQO27NWsiwseAxGwlgCz3G9ib2OMG8Dj1DxDj5SeGJDFEeGYu4
+            lC1OhLcBxReVnCb/0fva0SWqsXQWDi5zIOQoJoY+stJeAZ9lpq8aGM295eK9m+Yq
+            d4eLzgf+BKB0lwqAMxLkyLhWJMy+Wrxw6c/Pvej7lmIJnnMuJ6hOIcXYwTnj6DpA
+            cQR8DVJHLHS2Tp6RKxZ/05Y3Rhd1BCatvewBqbv3rA==
+            =bD1x
+            -----END PGP MESSAGE-----
+          fp: 65BD3044771CB6FB
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1