Secrets fixes. Added Syncplay. New to-dos, Niv.

config/hosts/athame/asterisk.nix

@@ -1,7 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:
 
-let secrets = (import ../../../secrets.nix);
-in {
+{
   services.asterisk = {
     enable = true;
     confFiles = {
@@ -19,13 +18,13 @@ in {
         same  => n,Dial(SIP/1337,20)
 
         [from-internal]
-        exten => _1X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.us}>)
+        exten => _1X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.us}>)
         same  => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
         same  => n(end),Hangup()
-        exten => _2X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.canada}>)
+        exten => _2X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.canada}>)
         same  => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
         same  => n(end),Hangup()
-        exten => _3X.,1,Set(CALLERID(all)="kat" <+${secrets.hosts.athame.phone.number.uk}>)
+        exten => _3X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.uk}>)
         same  => n,Dial(PJSIP/+''${EXTEN:1}@twilio-ie)
         same  => n(end),Hangup()
       '';
@@ -81,7 +80,7 @@ in {
         type=friend
         context=from-internal
         host=dynamic
-        secret=${secrets.hosts.athame.phone.password}
+        secret=${witch.secrets.hosts.athame.phone.password}
         nat=force_rport,comedia
       '';
       "pjsip_wizard.conf" = ''
@@ -135,7 +134,7 @@ in {
         sends_registrations = no
         remote_hosts = kat-asterisk.pstn.dublin.twilio.com
         outbound_auth/username = asterisk
-        outbound_auth/password = ${secrets.hosts.athame.phone.endpoint.password.twilio}
+        outbound_auth/password = ${witch.secrets.hosts.athame.phone.endpoint.password.twilio}
         endpoint/context = from-twilio
         aor/qualify_frequency = 60
       '';
@@ -155,11 +154,11 @@ in {
         type=auth
         auth_type=userpass
         username=asterisk ; Your username
-        password=${secrets.hosts.athame.phone.endpoint.password.signalwire}
+        password=${witch.secrets.hosts.athame.phone.endpoint.password.signalwire}
 
         [signalwire]
         type=aor
-        contact=sip:${secrets.hosts.athame.phone.endpoint.url}
+        contact=sip:${witch.secrets.hosts.athame.phone.endpoint.url}
 
         [signalwire]
         type=endpoint
@@ -174,20 +173,20 @@ in {
         allow=gsm
         allow=g726
         from_user=asterisk
-        from_domain=${secrets.hosts.athame.phone.endpoint.url}
+        from_domain=${witch.secrets.hosts.athame.phone.endpoint.url}
         media_encryption=sdes ; Note that we are using encryption
         context=from-signalwire
 
         [signalwire]
         type=registration
-        server_uri=sip:${secrets.hosts.athame.phone.endpoint.url}
-        client_uri=sip:asterisk@${secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI
+        server_uri=sip:${witch.secrets.hosts.athame.phone.endpoint.url}
+        client_uri=sip:asterisk@${witch.secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI
         outbound_auth=signalwire
 
         [signalwire]
         type=identify
         endpoint=signalwire
-        match=${secrets.hosts.athame.phone.endpoint.url}
+        match=${witch.secrets.hosts.athame.phone.endpoint.url}
       '';
       "logger.conf" = ''
         [general]

config/hosts/athame/bitwarden.nix

@@ -1,14 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:
 
-let secrets = (import ../../../secrets.nix);
-in {
+{
   services.bitwarden_rs = {
     enable = true;
     config = {
       rocketPort = 4000;
       websocketEnabled = true;
       signupsAllowed = false;
-      adminToken = secrets.hosts.athame.bitwarden_secret;
+      adminToken = witch.secrets.hosts.athame.bitwarden_secret;
       domain = "https://vault.kittywit.ch";
     };
   };

config/hosts/athame/configuration.nix

@@ -14,6 +14,7 @@
     ./mail.nix
     ./asterisk.nix
     ./gitea.nix
+    ./syncplay.nix
     ./nextcloud.nix
     ./bitwarden.nix
     # comms
@@ -38,7 +39,7 @@
     interfaces.enp1s0.useDHCP = true;
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 443 5160 5060 64738 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 5160 5060 8999 64738 ];
   networking.firewall.allowedUDPPorts = [ 5160 5060 64738 ];
   networking.firewall.allowedTCPPortRanges = [{
     from = 10000;

config/hosts/athame/mail.nix

@@ -1,8 +1,6 @@
-{ config, pkgs, ... }:
-let
-  sources = (import ../../../nix/sources.nix);
-  secrets = (import ../../../secrets.nix);
-in {
+{ config, pkgs, witch, sources, ... }:
+
+{
   imports = [ sources.nixos-mailserver.outPath ];
 
   mailserver = {
@@ -14,7 +12,7 @@ in {
     # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
     loginAccounts = {
       "kat@kittywit.ch" = {
-        hashedPassword = secrets.hosts.athame.mail.kat.password;
+        hashedPassword = witch.secrets.hosts.athame.mail.kat.password;
 
         aliases = [ "postmaster@kittywit.ch" ];
 

config/hosts/athame/matrix.nix

@@ -1,13 +1,12 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:
 
-let secrets = (import ../../../secrets.nix);
-in {
+{
   environment.systemPackages =
     [ pkgs.arc.pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ];
 
   services.matrix-synapse = {
     enable = true;
-    registration_shared_secret = secrets.hosts.athame.matrix_secret;
+    registration_shared_secret = witch.secrets.hosts.athame.matrix_secret;
     max_upload_size = "512M";
     server_name = "kittywit.ch";
     app_service_config_files = [

config/hosts/athame/murmur.nix

@@ -1,10 +1,9 @@
 { config, pkgs, ... }:
 
-let secrets = (import ../../../secrets.nix);
-in {
+{
   security.acme = { certs."kittywit.ch" = { group = "kittywit-ch"; }; };
 
-  users.groups."kittywit-ch".members = [ "murmur" "nginx" ];
+  users.groups."kittywit-ch".members = [ "murmur" "nginx" "syncplay" ];
 
   services.murmur = {
     enable = true;

config/hosts/athame/syncplay.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.syncplay = { isSystemUser = true; };
+
+  services.syncplay = {
+    enable = true;
+    user = "syncplay";
+    group = "kittywit-ch";
+    certDir = "/var/lib/acme/kittywit.ch/";
+  };
+}

config/hosts/athame/virtualhosts.nix

@@ -1,14 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:
 
 let
   common = {
     enableACME = true;
     forceSSL = true;
   };
-  secrets = (import ../../../secrets.nix);
 in {
   services.nginx.virtualHosts = {
     "kittywit.ch" = { root = "/var/www/kittywitch"; } // common;
     "athame.kittywit.ch" = { root = "/var/www/athame"; } // common;
-  } // secrets.virtualHosts.athame;
+  } // witch.secrets.virtualHosts.athame;
 }

config/hosts/athame/znc.nix

@@ -1,7 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:
 
-let secrets = (import ../../../secrets.nix);
-in {
+{
   services.znc = {
     enable = true;
     mutable = false;
@@ -14,7 +13,7 @@ in {
         AllowWeb = true;
       };
       modules = [ "webadmin" "adminlog" ];
-      User = secrets.hosts.athame.znc;
+      User = witch.secrets.hosts.athame.znc;
     };
   };
 

config/profiles/gui/nixos/gpg.nix

@@ -4,5 +4,11 @@
   config = lib.mkIf config.deploy.profile.gui {
     services.pcscd.enable = true;
     services.udev.packages = [ pkgs.yubikey-personalization ];
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryFlavor = "gtk2";
+    };
   };
 }

config/profiles/laptop/home.nix

@@ -1,3 +1,5 @@
-{ ... }:
+{ lib, ... }:
 
-{ }
+{
+  options = { deploy.profile.laptop = lib.mkEnableOption "lappytop"; };
+}

config/services/nginx.nix

@@ -1,7 +1,6 @@
-{ config, pkgs, ... }:
+{ config, pkgs, witch, ... }:
 
-let secrets = (import ../../secrets.nix);
-in {
+{
   services.nginx = {
     enable = true;
     recommendedGzipSettings = true;
@@ -24,7 +23,7 @@ in {
   };
 
   security.acme = {
-    email = secrets.unscoped.acme.email;
+    email = witch.secrets.unscoped.acme.email;
     acceptTerms = true;
   };
 }