Massive refactor.

Oh god. Oh god. Oh god. Oh god. Profiles removed.

config/common/default.nix

@@ -1,16 +1,12 @@
 { config, lib, pkgs, ... }:
 
 let
-  sources = import ../../../nix/sources.nix;
+  sources = import ../../nix/sources.nix;
   unstable = import sources.nixpkgs-unstable { };
 in {
   imports = [
-    ../../../modules
-    ../../users
-    ../development
-    ../gaming
-    ../network
-    ../yubikey
+    ../../modules
+    ../users
     (sources.home-manager + "/nixos")
   ];
 

config/hosts/athame/configuration.nix

@@ -4,14 +4,22 @@ let unstable = import <nixos-unstable> { };
 in {
   imports = [
     ./hardware-configuration.nix
+    # db 
+    ./services/postgres.nix
+    # nginx
+    ../../services/nginx.nix
+    ./services/virtualHosts.nix
+    # services
+    ./services/gitea.nix
+    ./services/nextcloud.nix
     ./services/bitwarden.nix
+    # comms services
     ./services/znc.nix
     ./services/weechat.nix
-    ./services/nginx.nix
     ./services/matrix.nix
-    ./services/postgres.nix
   ];
-  meta.deploy.ssh.host = "kittywit.ch";
+  
+  meta.deploy.ssh.host = "athame.kittywit.ch";
 
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
@@ -19,6 +27,8 @@ in {
 
   networking = {
     hostName = "athame";
+    domain = "kittywit.ch";
+    hostId = "7b0ac74e";
     useDHCP = false;
     interfaces.enp1s0.useDHCP = true;
   };

config/hosts/athame/services/bitwarden.nix

@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 
-let secrets = (import ../secrets.nix);
+let secrets = (import ../../../../secrets.nix);
 in {
   services.bitwarden_rs = {
     enable = true;
@@ -8,7 +8,7 @@ in {
       rocketPort = 4000;
       websocketEnabled = true;
       signupsAllowed = false;
-      adminToken = secrets.bitwarden.token;
+      adminToken = secrets.hosts.athame.bitwarden_secret;
       domain = "https://vault.kittywit.ch";
     };
   };

config/hosts/athame/services/gitea.nix

@@ -1,10 +1,10 @@
 { config, pkgs, ... }:
 
 {
-  gitea = {
+  services.gitea = {
     enable = true;
     disableRegistration = true; # TODO change for initial setup
-    domain = "git.dork.dev";
-    rootUrl = "https://git.dork.dev";
+    domain = "git.kittywit.ch";
+    rootUrl = "https://git.kittywit.ch";
   };
 }

config/hosts/athame/services/matrix.nix

@@ -1,13 +1,14 @@
 { config, pkgs, ... }:
 
-let secrets = (import ../secrets.nix);
+let secrets = (import ../../../../secrets.nix);
 in {
   environment.systemPackages =
     [ pkgs.arc.pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ];
 
   services.matrix-synapse = {
     enable = true;
-    registration_shared_secret = secrets.matrix.secret;
+    registration_shared_secret = secrets.hosts.athame.matrix_secret;
+    max_upload_size = "512M";
     server_name = "kittywit.ch";
     app_service_config_files = [
       "/var/lib/matrix-synapse/telegram-registration.yaml"

config/hosts/athame/services/nextcloud.nix

@@ -8,17 +8,22 @@
 
   services.nextcloud = {
     enable = true;
-    hostName = "fs.dork.dev";
+    hostName = "files.kittywit.ch";
+    package = pkgs.nextcloud20;
     https = true;
-    nginx.enable = true;
     config = {
       dbtype = "pgsql";
       dbuser = "nextcloud";
       dbhost = "/run/postgresql";
       dbname = "nextcloud";
       adminpassFile =
-        "/var/lib/nextcloud/admin_pass"; # TODO replace this with proper secrets management
+        "/var/lib/nextcloud/admin-pass"; # TODO replace this with proper secrets management
       adminuser = "root";
     };
   };
+
+  services.nginx.virtualHosts."files.kittywit.ch" = {
+    forceSSL = true;
+    enableACME = true;
+  };
 }

config/hosts/athame/services/nginx.nix

@@ -1,107 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  common = {
-    enableACME = true;
-    forceSSL = true;
-  };
-  secrets = import ../secrets.nix;
-in {
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    commonHttpConfig = ''
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-      #add_header X-Frame-Options DENY;
-      #add_header X-Content-Type-Options nosniff;
-      #add_header X-XSS-Protection "1; mode=block";
-      #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-    '';
-
-    virtualHosts = {
-      "beltane.dork.dev" = { root = "/var/www/beltane"; } // common;
-      "dork.dev" = {
-        root = "/var/www/dork";
-        /* locations = {
-               "/_matrix" = {
-                   proxyPass = "http://[::1]:8008";
-               };
-               "= /.well-known/matrix/server".extraConfig =
-                   let server = { "m.server" = "dork.dev:443"; }; in ''
-                       add_header Content-Type application/json;
-                       return 200 '${builtins.toJSON server}';
-                   '';
-               "= /.well-known/matrix/client".extraConfig =
-                   let client = {
-                       "m.homeserver" =  { "base_url" = "https://dork.dev"; };
-                       "m.identity_server" =  { "base_url" = "https://vector.im"; };
-                   }; in ''
-                       add_header Content-Type application/json;
-                       add_header Access-Control-Allow-Origin *;
-                       return 200 '${builtins.toJSON client}';
-                   '';
-           };
-        */
-      } // common;
-      "kittywit.ch" = {
-        locations = {
-          "/_matrix" = { proxyPass = "http://[::1]:8008"; };
-          "= /.well-known/matrix/server".extraConfig =
-            let server = { "m.server" = "kittywit.ch:443"; };
-            in ''
-              add_header Content-Type application/json;
-              return 200 '${builtins.toJSON server}';
-            '';
-          "= /.well-known/matrix/client".extraConfig = let
-            client = {
-              "m.homeserver" = { "base_url" = "https://kittywit.ch"; };
-              "m.identity_server" = { "base_url" = "https://vector.im"; };
-            };
-          in ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client}';
-          '';
-        };
-      } // common;
-      "vault.kittywit.ch" = {
-        locations = {
-          "/".proxyPass = "http://127.0.0.1:4000";
-          "/notifications/hub".proxyPass = "http://127.0.0.1:3012";
-          "/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80";
-        };
-      } // common;
-      /* "git.dork.dev" = {
-             locations = {
-                 "/".proxyPass = "http://127.0.0.1:3000";
-             };
-         } // common;
-      */
-      "znc.dork.dev" = {
-        locations = { "/".proxyPass = "http://127.0.0.1:5000"; };
-      } // common;
-      "irc.dork.dev" = {
-        locations = {
-          "/" = { root = pkgs.glowing-bear; };
-          "^~ /weechat" = {
-            proxyPass = "http://127.0.0.1:9000";
-            proxyWebsockets = true;
-          };
-        };
-      } // common;
-    } // secrets.beltane-protected;
-  };
-
-  security.acme = {
-    email = secrets.acme.email;
-    acceptTerms = true;
-  };
-}

config/hosts/athame/services/virtualHosts.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+let
+  common = {
+    enableACME = true;
+    forceSSL = true;
+  };
+  secrets = (import ../../../../secrets.nix);
+in {
+  services.nginx.virtualHosts = {
+      "kittywit.ch" = {
+        root = "/var/www/kittywitch";
+        locations = {
+          "/_matrix" = { proxyPass = "http://[::1]:8008"; };
+          "= /.well-known/matrix/server".extraConfig =
+            let server = { "m.server" = "kittywit.ch:443"; };
+            in ''
+              add_header Content-Type application/json;
+              return 200 '${builtins.toJSON server}';
+            '';
+          "= /.well-known/matrix/client".extraConfig = let
+            client = {
+              "m.homeserver" = { "base_url" = "https://kittywit.ch"; };
+              "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+          in ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
+        };
+      } // common;
+      "vault.kittywit.ch" = {
+        locations = {
+          "/".proxyPass = "http://127.0.0.1:4000";
+          "/notifications/hub".proxyPass = "http://127.0.0.1:3012";
+          "/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:80";
+        };
+      } // common;
+      "git.kittywit.ch" = {
+             locations = {
+                 "/".proxyPass = "http://127.0.0.1:3000";
+             };
+         } // common;
+      "znc.kittywit.ch" = {
+        locations = { "/".proxyPass = "http://127.0.0.1:5000"; };
+      } // common;
+      "irc.kittywit.ch" = {
+        locations = {
+          "/" = { root = pkgs.glowing-bear; };
+          "^~ /weechat" = {
+            proxyPass = "http://127.0.0.1:9000";
+            proxyWebsockets = true;
+          };
+        };
+      } // common;
+    } // secrets.virtualHosts.athame;
+}

config/hosts/athame/services/weechat.nix

@@ -1,15 +1,18 @@
 { config, pkgs, ... }:
 
-{
+let
+  sources = import ../../../../nix/sources.nix;
+  unstable = import sources.nixpkgs-unstable { inherit (pkgs) config; };
+in {
   services.weechat = {
     binary = let
-      new-weechat = pkgs.wrapWeechat pkgs.weechat-unwrapped {
+      new-weechat = pkgs.arc.pkgs.wrapWeechat pkgs.arc.pkgs.weechat-unwrapped {
         configure = { availablePlugins, ... }: {
-          scripts = [ pkgs.weechatScripts.weechat-matrix ];
+          scripts = [ pkgs.arc.pkgs.weechatScripts.weechat-matrix ];
           plugins = [
             availablePlugins.perl
             (availablePlugins.python.withPackages
-              (ps: [ ps.potr pkgs.weechatScripts.weechat-matrix ]))
+              (ps: [ ps.potr ps.weechat-matrix ]))
           ];
         };
       };

config/hosts/athame/services/znc.nix

@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 
-let secrets = import ../secrets.nix;
+let secrets = (import ../../../../secrets.nix);
 in {
   services.znc = {
     enable = true;
@@ -16,28 +16,28 @@ in {
       modules = [ "webadmin" "adminlog" ];
       User.kat = {
         Admin = true;
-        Nick = secrets.znc.nick;
-        AltNick = secrets.znc.altNick;
+        Nick = secrets.hosts.athame.znc.nick;
+        AltNick = secrets.hosts.athame.znc.altNick;
         Network.freenode = {
-          Server = "chat.freenode.net +6697 ${secrets.znc.freenode.password}";
-          Chan = secrets.znc.freenode.channels;
-          Nick = secrets.znc.freenode.nick;
-          AltNick = secrets.znc.freenode.altNick;
+          Server = "chat.freenode.net +6697 ${secrets.hosts.athame.znc.freenode.password}";
+          Chan = secrets.hosts.athame.znc.freenode.channels;
+          Nick = secrets.hosts.athame.znc.freenode.nick;
+          AltNick = secrets.hosts.athame.znc.freenode.altNick;
           JoinDelay = 2;
           LoadModule = [ "simple_away" "nickserv" ];
         };
         Network.espernet = {
-          Server = "anarchy.esper.net +6697 ${secrets.znc.espernet.password}";
-          Chan = secrets.znc.espernet.channels;
-          Nick = secrets.znc.espernet.nick;
-          AltNick = secrets.znc.espernet.altNick;
+          Server = "anarchy.esper.net +6697 ${secrets.hosts.athame.znc.espernet.password}";
+          Chan = secrets.hosts.athame.znc.espernet.channels;
+          Nick = secrets.hosts.athame.znc.espernet.nick;
+          AltNick = secrets.hosts.athame.znc.espernet.altNick;
           JoinDelay = 2;
           LoadModule = [ "simple_away" "nickserv" ];
         };
         Pass.password = {
-          Method = secrets.znc.password.method;
-          Hash = secrets.znc.password.hash;
-          Salt = secrets.znc.password.salt;
+          Method = secrets.hosts.athame.znc.password.method;
+          Hash = secrets.hosts.athame.znc.password.hash;
+          Salt = secrets.hosts.athame.znc.password.salt;
         };
       };
     };

config/hosts/boline/configuration.nix

@@ -13,16 +13,18 @@
   boot.loader.grub.version = 2;
   boot.loader.grub.device = "/dev/vda";
 
-  networking.hostId = "0417b551";
-  networking.hostName = "boline";
-
-  networking.useDHCP = false;
-  networking.interfaces.ens3.ipv4.addresses = [{
-    address = "104.244.73.10";
-    prefixLength = 24;
-  }];
-  networking.defaultGateway = "104.244.73.1";
-  networking.nameservers = [ "1.1.1.1" ];
+  networking = {
+    hostName = "boline";
+    domain = "kittywit.ch";
+    hostId = "0417b551";
+    useDHCP = false;
+      interfaces.ens3.ipv4.addresses = [{
+      address = "104.244.73.10";
+      prefixLength = 24;
+    }];
+    defaultGateway = "104.244.73.1";
+    nameservers = [ "1.1.1.1" ];
+  };
 
   system.stateVersion = "20.09";
 }

config/hosts/samhain/configuration.nix

@@ -4,13 +4,13 @@
   imports = [
     ../../services/zfs.nix
     ./hardware-configuration.nix
-    ./services/nginx.nix
+    ../../services/nginx.nix
     ./services/thermal/thermal.nix
     ./services/torrenting.nix
   ];
 
   meta.deploy.profiles =
-    [ "desktop" "development" "sway" "gaming" "network" "yubikey" ];
+    [ "desktop" "development" "sway" "gaming" "network" ];
   meta.deploy.ssh.host = "192.168.1.135";
 
   # libvirtd is used for our virtual machine

config/hosts/yule/configuration.nix

@@ -1,10 +1,13 @@
 { config, pkgs, ... }:
 
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [
+    ./hardware-configuration.nix
+    ../../services/zfs.nix
+  ];
 
   meta.deploy.profiles =
-    [ "desktop" "development" "sway" "gaming" "network" "yubikey" ];
+    [ "desktop" "development" "sway" "gaming" "network" ];
   meta.deploy.ssh.host = "192.168.1.92";
 
   boot.loader.systemd-boot.enable = true;

config/profiles/development/default.nix

@@ -1,36 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  config = lib.mkIf (lib.elem "development" config.meta.deploy.profiles) {
-    environment.systemPackages = let
-      python-env = python-packages:
-        with pkgs.python38Packages; [
-          pip
-          setuptools
-          psutil
-        ];
-      python-with-env = pkgs.python3.withPackages python-env;
-    in [ pkgs.php pkgs.php74Packages.composer2 python-with-env ];
-
-    home-manager.users.kat = {
-      programs.go.enable = true;
-
-      programs.fish = {
-        interactiveShellInit = ''
-          set fish_user_paths $fish_user_paths $HOME/.config/composer/vendor/bin
-        '';
-      };
-
-      home.packages = [
-        pkgs.jetbrains.clion
-        pkgs.jetbrains.idea-ultimate
-        pkgs.jetbrains.goland
-        pkgs.jetbrains.phpstorm
-        pkgs.nixfmt
-        pkgs.carnix
-        pkgs.rustup
-        pkgs.gcc
-      ];
-    };
-  };
-}

config/profiles/yubikey/default.nix

@@ -1,12 +0,0 @@
-{ config, lib, pkgs, ... }: {
-  config = lib.mkIf (lib.elem "yubikey" config.meta.deploy.profiles) {
-    services.pcscd.enable = true;
-    services.udev.packages = [ pkgs.yubikey-personalization ];
-
-    programs.gnupg.agent = {
-      enable = true;
-      enableSSHSupport = true;
-      pinentryFlavor = "curses";
-    };
-  };
-}

config/services/nginx.nix

@@ -1,6 +1,7 @@
 { config, pkgs, ... }:
 
-{
+let secrets = (import ../../secrets.nix);
+in {
   services.nginx = {
     enable = true;
     recommendedGzipSettings = true;
@@ -19,5 +20,11 @@
       #add_header X-XSS-Protection "1; mode=block";
       #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
     '';
+    clientMaxBodySize = "512m";
+  };
+
+  security.acme = {
+    email = secrets.unscoped.acme.email;
+    acceptTerms = true;
   };
 }

config/users/kat/default.nix

@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 
 {
-  imports = [ ./desktop.nix ./sway.nix ./waybar.nix ./kitty.nix ./emacs.nix ];
+  imports = [ ./desktop.nix ./gaming.nix ./network.nix ./sway.nix ./waybar.nix ./kitty.nix ./emacs.nix ];
 
   users.users.kat = {
     uid = 1000;

config/users/kat/desktop.nix

@@ -11,8 +11,6 @@ in {
       pulseaudio = true;
     };
 
-    environment.systemPackages = [ pkgs.redshift ];
-
     services.xserver.enable = true;
     services.xserver.displayManager.lightdm.enable = true;
     programs.light.enable = true;
@@ -41,6 +39,7 @@ in {
         unstable.discord
         pkgs.tdesktop
         pkgs.dino
+        pkgs.nextcloud-client
         pkgs.vegur
         pkgs.nitrogen
         pkgs.terminator
@@ -56,6 +55,8 @@ in {
         pkgs.htop
       ];
 
+      services.nextcloud-client.enable = true;
+
       programs.fish = { interactiveShellInit = "set -g fish_greeting ''"; };
 
       programs.firefox = { enable = true; };
@@ -78,6 +79,15 @@ in {
       };
     };
 
+    services.pcscd.enable = true;
+    services.udev.packages = [ pkgs.yubikey-personalization ];
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+      pinentryFlavor = "curses";
+    };
+
     fonts.fontconfig.enable = true;
     fonts.fonts = [ pkgs.nerdfonts pkgs.corefonts ];
 

config/users/kat/gaming.nix

@@ -1,5 +1,6 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }: 
 
+{
   config = lib.mkIf (lib.elem "gaming" config.meta.deploy.profiles) {
     hardware.opengl.driSupport32Bit = true;
     hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];

config/users/kat/sway.nix

@@ -35,7 +35,7 @@ in {
         config = let
           dmenu =
             "${pkgs.bemenu}/bin/bemenu --fn '${style.font.name} ${style.font.size}' --nb '${style.base16.color0}' --nf '${style.base16.color7}' --sb '${style.base16.color1}' --sf '${style.base16.color7}' -l 5 -m -1 -i";
-          lockCommand = "swaylock -i ${./wallpapers/main.jpg} -s fill";
+          lockCommand = "swaylock -i ${./wallpapers/main.png} -s fill";
           cfg = config.home-manager.users.kat.wayland.windowManager.sway.config;
         in {
           bars = [{ command = "${pkgs.waybar}/bin/waybar"; }];
@@ -49,7 +49,7 @@ in {
             middle = {
               res = "1920x1080";
               pos = "1920 0";
-              bg = "${./wallpapers/main.jpg} fill";
+              bg = "${./wallpapers/main.png} fill";
             };
             right = {
               res = "1920x1080";
@@ -59,7 +59,7 @@ in {
             laptop = {
               res = "1920x1080";
               pos = "0 0";
-              bg = "${./wallpapers/main.jpg} fill";
+              bg = "${./wallpapers/main.png} fill";
             };
           in {
             "DP-1" = left;

lib/hosts.nix

@@ -1,5 +1,5 @@
 { pkgs, hostsDir ? ../config/hosts
-, commonImports ? [ ../config/profiles/common ../modules ], pkgsPath ? ../pkgs
+, commonImports ? [ ../config/common ../modules ], pkgsPath ? ../pkgs
 }:
 
 with pkgs.lib;