project-wide: Cleanup and services + private overhaul

2026-02-10 04:49:19 -08:00 · 2021-04-28 04:01:11 +01:00 · 2021-04-28 04:01:11 +01:00 · f4b4ab2b28
commit f4b4ab2b28
parent 5f2309c773
36 changed files with 70 additions and 408 deletions
--- a/home.nix
+++ b/home.nix
@ -1,4 +1,4 @@
-{ pkgs, config, lib, witch, ... }:
+{ pkgs, config, lib, ... }:
 {
  imports = [ ./modules/home ./private/profile/home ];
--- a/hosts/athame/home/weechat.nix
+++ b/hosts/athame/home/weechat.nix
@ -1,4 +1,4 @@
-{ config, pkgs, witch, lib, superConfig, ... }:
+{ config, pkgs, lib, ... }:
 {
  programs.weechat = {
@ -16,7 +16,7 @@
      '')
      (lib.mkAfter "/matrix connect kat")
    ];
-    packageUnwrapped = pkgs.unstable.weechat-unwrapped;
+    packageUnwrapped = pkgs.weechat-unwrapped;
    homeDirectory = "${config.xdg.dataHome}/weechat";
    plugins.python = {
      enable = true;
@ -32,9 +32,11 @@
      vimode-git
      weechat-matrix
      weechat-notify-send
-      weechat-title
+      title
    ];
    config = {
      logger.level.irc = 0;
      logger.level.matrix = 0;
      weechat = {
        look = { mouse = true; };
        bar = {
@ -42,7 +44,6 @@
          nicklist = { size_max = 18; };
        };
      };
      relay.network.password = witch.secrets.unscoped.weechat.relay;
      urlgrab.default.copycmd = "${pkgs.wl-clipboard}/bin/wl-copy";
      plugins.var.python.vimode.copy_clipboard_cmd = "wl-copy";
      plugins.var.python.vimode.paste_clipboard_cmd = "wl-paste --no-newline";
@ -52,25 +53,7 @@
      plugins.var.python.title.title_suffix = " ]";
      plugins.var.python.notify_send.icon = "";
      plugins.var.python.go.short_name = true;
-      irc = {
+      irc = { look = { server_buffer = "independent"; }; };
        look = { server_buffer = "independent"; };
        server = {
          freenode = {
            address = "athame.kittywit.ch/5001";
            password = "kat/freenode:${witch.secrets.unscoped.weechat.znc}";
            ssl = true;
            ssl_verify = false;
            autoconnect = true;
          };
          espernet = {
            address = "athame.kittywit.ch/5001";
            password = "kat/espernet:${witch.secrets.unscoped.weechat.znc}";
            ssl = true;
            ssl_verify = false;
            autoconnect = true;
          };
        };
      };
      matrix = {
        network = {
          max_backlog_sync_events = 30;
@ -82,13 +65,6 @@
          server_buffer = "independent";
          redactions = "notice";
        };
        server.kat = {
          address = "kittywit.ch";
          device_name = "${superConfig.networking.hostName}/weechat";
          username = "kat";
          password = "${witch.secrets.unscoped.weechat.matrix}";
          autoconnect = true;
        };
      };
    };
  };
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@ -14,14 +14,12 @@ with lib;
    ../../../services/postgres.nix
    ../../../services/nginx.nix
    ../../../services/mail.nix
    ../../../services/asterisk.nix
    ../../../services/gitea
    ../../../services/syncplay.nix
    ../../../services/weechat.nix
    ../../../services/bitwarden.nix
    ../../../services/taskserver.nix
    ../../../services/murmur.nix
    ../../../services/znc.nix
    ../../../services/matrix.nix
    ../../../services/restic.nix
  ];
--- a/hosts/athame/nixos/virtualhosts.nix
+++ b/hosts/athame/nixos/virtualhosts.nix
@ -1,4 +1,6 @@
-{ config, pkgs, witch, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
 let
  common = {
@ -10,7 +12,7 @@ in {
    "kittywit.ch" = { root = pkgs.kat-website; } // common;
    "athame.kittywit.ch" = { root = "/var/www/athame"; } // common;
    "files.kittywit.ch" = { root = "/var/www/files"; } // common;
-  } // witch.secrets.virtualHosts.athame;
+  };
  deploy.tf.dns.records.kittywitch_files = {
    tld = "kittywit.ch.";
--- a/hosts/ostara/nixos/default.nix
+++ b/hosts/ostara/nixos/default.nix
@ -1,8 +1,7 @@
 { config, pkgs, profiles, ... }:
 {
-  imports =
+  imports = [ ./hw.nix profiles.kat profiles.laptop ];
    [ ./hw.nix profiles.kat profiles.laptop ];
  deploy.target = "slow";
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
@ -1,4 +1,4 @@
-{ tf, config, pkgs, lib, profiles, sources, witch, ... }:
+{ tf, config, pkgs, lib, profiles, sources, ... }:
 with lib;
@ -17,7 +17,6 @@ in {
    ../../../services/nginx.nix
    ./thermal
    ./vm
    ./nfs.nix
    ./transmission.nix
    ./jellyfin.nix
    ./virtualhosts.nix
--- a/hosts/samhain/nixos/jellyfin.nix
+++ b/hosts/samhain/nixos/jellyfin.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, witch, ... }:
+{ config, lib, pkgs, ... }:
 {
  katnet.public.tcp.ranges = [{
--- a/hosts/samhain/nixos/nfs.nix
+++ b/hosts/samhain/nixos/nfs.nix
@ -1,12 +0,0 @@
 { config, witch, lib, ... }:
 with lib;
 {
  katnet.private.tcp.ports = [ 111 2049 ];
  katnet.public.tcp.ports = [ 111 2049 ];
  services.nfs.server.enable = true;
  services.nfs.server.exports =
    "/mnt/zraw/media 192.168.1.0/24(rw) 200::/7(rw) ${witch.secrets.unscoped.ipv6_prefix}(rw)";
 }
--- a/hosts/samhain/nixos/vm/default.nix
+++ b/hosts/samhain/nixos/vm/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, sources, witch, ... }:
+{ config, pkgs, lib, ... }:
 {
  /* # libvirtd is used for our virtual machine
@ -113,8 +113,7 @@
      scream = {
        Unit = { Description = "Scream - Audio forwarding from the VM."; };
        Service = {
-          ExecStart =
+          ExecStart = "${pkgs.scream-arc}/bin/scream -i virbr0 -o pulse";
            "${pkgs.arc.pkgs.scream-arc}/bin/scream -i virbr0 -o pulse";
          Restart = "always";
        };
        Install = { WantedBy = [ "default.target" ]; };
--- a/lib/witch.nix
+++ b/lib/witch.nix
@ -3,6 +3,5 @@
 {
  style = import ./style.nix;
  colorhelpers = import ./colorhelpers.nix { inherit lib; };
  secrets = import ../private/secrets.nix;
  modList = import ./modules.nix;
 }
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -7,9 +7,9 @@ let
      inherit (super) dino;
    };
-    discord = unstable.discord.override { nss = self.nss; };
+    discord = super.discord.override { nss = self.nss; };
-    ncmpcpp = unstable.ncmpcpp.override {
+    ncmpcpp = super.ncmpcpp.override {
      visualizerSupport = true;
      clockSupport = true;
    };
@ -24,11 +24,7 @@ let
      pkgs = self;
    };
-    weechatScripts = super.weechatScripts // {
+    screenstub = super.callPackage ./screenstub { };
      weechat-title = (super.callPackage ./weechat-title { });
    };
    screenstub = unstable.callPackage ./screenstub { };
    buildFirefoxXpiAddon = { pname, version, addonId, url, sha256, meta, ... }:
      pkgs.stdenv.mkDerivation {
@ -54,7 +50,7 @@ let
    kat-vm = super.callPackage ./kat-vm { };
-    kat-glauca-dns = unstable.callPackage ./kat-glauca-dns { inherit sources; };
+    kat-glauca-dns = super.callPackage ./kat-glauca-dns { };
    kat-website = super.callPackage ./kat-website { };
@ -65,12 +61,6 @@ let
    kat-tw-export = super.callPackage ./kat-tw-export { };
    kat-scrot = super.callPackage ./kat-scrot { };
    linuxPackagesFor = kernel:
      (super.linuxPackagesFor kernel).extend (_: ksuper: {
        vendor-reset =
          (super.callPackage ./vendor-reset { kernel = ksuper.kernel; }).out;
      });
  };
 in (pkgs.extend (import (sources.arc-nixexprs + "/overlay.nix"))).extend overlay
--- a/pkgs/kat-glauca-dns/default.nix
+++ b/pkgs/kat-glauca-dns/default.nix
@ -1,7 +1,6 @@
-{ sources, pkgs, curl, coreutils, writeShellScriptBin }:
+{ pkgs, curl, coreutils, writeShellScriptBin }:
-let rbw-bitw = (import sources.arc-nixexprs { inherit pkgs; }).pkgs.rbw-bitw;
+writeShellScriptBin "kat-glauca-dns" ''
 in writeShellScriptBin "kat-glauca-dns" ''
  #!/usr/bin/env bash
  set -eu
--- a/pkgs/weechat-title/default.nix
+++ b/pkgs/weechat-title/default.nix
@ -1,21 +0,0 @@
 { lib, stdenv, fetchurl }:
 stdenv.mkDerivation rec {
  pname = "title.py";
  version = "2011-11-15";
  sha256 = "1h8mxpv47q3inhynlfjm3pdjxlr2fl06z4cdhr06kpm8f7xvz56p";
  src = fetchurl {
    name = pname;
    url = "https://weechat.org/files/scripts/title.py";
    sha256 = sha256;
  };
  unpackPhase = "true";
  installPhase = ''
    install -D $src $out/share/title.py
  '';
  passthru.scripts = [ pname ];
 }
--- a/profiles/common/nixos.nix
+++ b/profiles/common/nixos.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, sources, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [ ./nixos ];
--- a/profiles/common/nixos/access.nix
+++ b/profiles/common/nixos/access.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, sources, ... }:
+{ config, lib, pkgs, ... }:
 {
  security.sudo.wheelNeedsPassword = lib.mkForce false;
--- a/profiles/common/nixos/default.nix
+++ b/profiles/common/nixos/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, sources, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports = [
--- a/profiles/common/nixos/locale.nix
+++ b/profiles/common/nixos/locale.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, sources, ... }:
+{ config, pkgs, ... }:
 {
  i18n.defaultLocale = "en_GB.UTF-8";
--- a/profiles/common/nixos/system.nix
+++ b/profiles/common/nixos/system.nix
@ -1,8 +1,6 @@
-{ config, lib, pkgs, sources, ... }:
+{ config, lib, pkgs, ... }:
 {
  #imports = [ (sources.home-manager + "/nixos") ];
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  services.journald.extraConfig = "SystemMaxUse=512M";
 }
--- a/profiles/gui/home/firefox/default.nix
+++ b/profiles/gui/home/firefox/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, sources, superConfig, ... }:
+{ config, lib, pkgs, superConfig, ... }:
 let
  commonSettings = {
--- a/profiles/gui/home/gpg.nix
+++ b/profiles/gui/home/gpg.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, sources, ... }:
+{ config, lib, pkgs, ... }:
 {
  home.sessionVariables = {
--- a/profiles/gui/home/mpv.nix
+++ b/profiles/gui/home/mpv.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, witch, ... }:
+{ config, lib, pkgs, ... }:
 {
  programs.mpv = {
@ -38,10 +38,7 @@
    enable = false;
    username = "kat";
    defaultRoom = "lounge";
-    server = {
+    server = { host = "sync.kittywit.ch"; };
      host = "sync.kittywit.ch";
      password = witch.secrets.hosts.athame.syncplay.password;
    };
    # gui = false;
    config = {
      client_settings = {
--- a/profiles/gui/home/music.nix
+++ b/profiles/gui/home/music.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, witch, ... }:
+{ config, lib, pkgs, ... }:
 {
  programs.ncmpcpp = {
@ -51,7 +51,7 @@
  };
  programs.beets = {
    enable = true;
-    package = pkgs.unstable.beets;
+    package = pkgs.beets;
    settings = {
      directory = "~/media-share/music";
      library = "~/.local/share/beets.db";
--- a/profiles/gui/home/weechat.nix
+++ b/profiles/gui/home/weechat.nix
@ -20,7 +20,7 @@
      '')
      (lib.mkAfter "/matrix connect kat")
    ];
-    packageUnwrapped = pkgs.unstable.weechat-unwrapped;
+    packageUnwrapped = pkgs.weechat-unwrapped;
    homeDirectory = "${config.xdg.dataHome}/weechat";
    plugins.python = {
      enable = true;
@ -36,9 +36,11 @@
      vimode-git
      weechat-matrix
      weechat-notify-send
-      weechat-title
+      title
    ];
    config = {
      logger.level.irc = 0;
      logger.level.matrix = 0;
      weechat = {
        look = { mouse = true; };
        bar = {
--- a/profiles/gui/nixos/firefox.nix
+++ b/profiles/gui/nixos/firefox.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, witch, ... }:
+{ config, pkgs, ... }:
 {
  xdg = {
--- a/profiles/kat/home/git.nix
+++ b/profiles/kat/home/git.nix
@ -4,9 +4,9 @@
  home.packages = with pkgs; [
    git-crypt
    gitAndTools.gitRemoteGcrypt
-    unstable.gitAndTools.gitAnnex
+    gitAndTools.gitAnnex
    git-revise
-    arc.pkgs.gitAndTools.git-annex-remote-b2
+    gitAndTools.git-annex-remote-b2
  ];
  programs.git = {
--- a/profiles/kat/home/vim/default.nix
+++ b/profiles/kat/home/vim/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, witch, ... }:
+{ config, lib, pkgs, ... }:
 {
  home.sessionVariables.EDITOR = "vim";
--- a/profiles/sway/home/default.nix
+++ b/profiles/sway/home/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, sources, ... }:
+{ config, pkgs, ... }:
 {
  imports = [ ./waybar ./mako.nix ./sway.nix ./swayidle.nix ./gammastep.nix ];
--- a/profiles/sway/nixos/default.nix
+++ b/profiles/sway/nixos/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, sources, ... }:
+{ config, pkgs, ... }:
 {
  imports = [ ./sway.nix ];
--- a/profiles/sway/nixos/sway.nix
+++ b/profiles/sway/nixos/sway.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, sources, ... }:
+{ config, pkgs, lib, ... }:
 {
  programs.sway = {
--- a/services/asterisk.nix
+++ b/services/asterisk.nix
@ -1,224 +0,0 @@
 { config, pkgs, witch, ... }:
 {
  katnet.public.tcp.ports = [ 5160 5060 ];
  katnet.public.udp.ports = [ 5160 5060 ];
  katnet.public.tcp.ranges = [{
    from = 10000;
    to = 20000;
  }];
  katnet.public.udp.ranges = [{
    from = 10000;
    to = 20000;
  }];
  services.fail2ban.jails = {
    asterisk = ''
      enabled  = true
      filter   = asterisk
      action   = iptables-allports[name=ASTERISK, protocol=all]
      logpath  = /var/log/asterisk/messages
      maxretry = 4
    '';
  };
  services.asterisk = {
    enable = true;
    confFiles = {
      "rtp.conf" = ''
        [general]
        rtpstart=10000
        rtpend=20000
      '';
      "extensions.conf" = ''
        [from-twilio]
        exten => _.,1,Dial(SIP/1337,20)
        [from-signalwire]
        exten => s,1,Set(numb=''${CUT(CUT(PJSIP_HEADER(read,To),@,1),:,2)})
        same  => n,Dial(SIP/1337,20)
        [from-internal]
        exten => _1X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.us}>)
        same  => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
        same  => n(end),Hangup()
        exten => _2X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.canada}>)
        same  => n,Dial(PJSIP/''${EXTEN:1}@signalwire)
        same  => n(end),Hangup()
        exten => _3X.,1,Set(CALLERID(all)="kat" <+${witch.secrets.hosts.athame.phone.number.uk}>)
        same  => n,Dial(PJSIP/+''${EXTEN:1}@twilio-ie)
        same  => n(end),Hangup()
      '';
      "pjproject.conf" = ''
        ; Common pjproject options
        ;
        ;========================LOG_MAPPINGS SECTION OPTIONS===============================
        ;[log_mappings]
        ;  SYNOPSIS: Provides pjproject to Asterisk log level mappings.
        ;  NOTES: The name of this section in the pjproject.conf configuration file must
        ;         remain log_mappings or the configuration will not be applied.
        ;         The defaults mentioned below only apply if this file or the 'log_mappings'
        ;         object can'tbe found.  If the object is found, there are no defaults. If
        ;         you don't specify an entry, nothing will be logged for that level.
        ;
        ;asterisk_error =    ; A comma separated list of pjproject log levels to map to
                            ; Asterisk errors.
                            ; (default: "0,1")
        ;asterisk_warning =  ; A comma separated list of pjproject log levels to map to
                            ; Asterisk warnings.
                            ; (default: "2")
        ;asterisk_notice =   ; A comma separated list of pjproject log levels to map to
                            ; Asterisk notices.
                            ; (default: "")
        ;asterisk_verbose =  ; A comma separated list of pjproject log levels to map to
                            ; Asterisk verbose.
                            ; (default: "")
        ;asterisk_debug =    ; A comma separated list of pjproject log levels to map to
                            ; Asterisk debug
                            ; (default: "3,4,5")
        ;type=               ; Must be of type log_mappings (default: "")
      '';
      "sip.conf" = ''
        [general]
        ;; Only uncomment this if you want to connect to a different SIP server and receive calls from it
        context=public
        allowguest=no
        udpbindaddr=0.0.0.0:5160
        tcpbindaddr=0.0.0.0:5160
        tcpenable=yes
        transport=udp,tcp
        disallow=all
        allow=speex32
        allow=g722
        allow=ulaw
        allow=alaw
        allow=gsm
        allow=g726
        [1337]
        type=friend
        context=from-internal
        host=dynamic
        secret=${witch.secrets.hosts.athame.phone.password}
        nat=force_rport,comedia
      '';
      "pjsip_wizard.conf" = ''
        [user_defaults](!)
        type = wizard
        accepts_registrations = yes
        sends_registrations = no
        accepts_auth = yes
        sends_auth = no
        endpoint/context = from-internal
        endpoint/tos_audio=ef
        endpoint/tos_video=af41
        endpoint/cos_audio=5
        endpoint/cos_video=4
        endpoint/allow = !all,ulaw
        endpoint/dtmf_mode= rfc4733
        endpoint/aggregate_mwi = yes
        endpoint/use_avpf = no
        endpoint/rtcp_mux = no
        endpoint/bundle = no
        endpoint/ice_support = no
        endpoint/media_use_received_transport = no
        endpoint/trust_id_inbound = yes
        endpoint/media_encryption = no
        endpoint/timers = yes
        endpoint/media_encryption_optimistic = no
        endpoint/send_pai = yes
        endpoint/rtp_symmetric = yes
        endpoint/rewrite_contact = yes
        endpoint/force_rport = yes
        endpoint/language = en
        [trunk_defaults](!)
        type = wizard
        endpoint/transport=0.0.0.0-udp
        endpoint/allow = !all,ulaw
        endpoint/t38_udptl=no
        endpoint/t38_udptl_ec=none
        endpoint/fax_detect=no
        endpoint/trust_id_inbound=no
        endpoint/t38_udptl_nat=no
        endpoint/direct_media=no
        endpoint/rewrite_contact=yes
        endpoint/rtp_symmetric=yes
        endpoint/dtmf_mode=rfc4733
        endpoint/allow_subscribe = no
        aor/qualify_frequency = 60
        [twilio-ie](trunk_defaults)
        sends_auth = yes
        sends_registrations = no
        remote_hosts = kat-asterisk.pstn.dublin.twilio.com
        outbound_auth/username = asterisk
        outbound_auth/password = ${witch.secrets.hosts.athame.phone.endpoint.password.twilio}
        endpoint/context = from-twilio
        aor/qualify_frequency = 60
      '';
      "pjsip.conf" = ''
        [global]
        type=global
        [0.0.0.0-udp]
        type=transport
        protocol=udp
        bind=0.0.0.0:5060
        allow_reload=no
        tos=cs3
        cos=3
        [signalwire]
        type=auth
        auth_type=userpass
        username=asterisk ; Your username
        password=${witch.secrets.hosts.athame.phone.endpoint.password.signalwire}
        [signalwire]
        type=aor
        contact=sip:${witch.secrets.hosts.athame.phone.endpoint.url}
        [signalwire]
        type=endpoint
        transport=transport-udp
        outbound_auth=signalwire ; Note that there is only an outbound_auth, as we do not challenge when a call arrives inbound
        aors=signalwire
        disallow=all
        allow=speex32
        allow=g722
        allow=ulaw
        allow=alaw
        allow=gsm
        allow=g726
        from_user=asterisk
        from_domain=${witch.secrets.hosts.athame.phone.endpoint.url}
        media_encryption=sdes ; Note that we are using encryption
        context=from-signalwire
        [signalwire]
        type=registration
        server_uri=sip:${witch.secrets.hosts.athame.phone.endpoint.url}
        client_uri=sip:asterisk@${witch.secrets.hosts.athame.phone.endpoint.url}; Your full SIP URI
        outbound_auth=signalwire
        [signalwire]
        type=identify
        endpoint=signalwire
        match=${witch.secrets.hosts.athame.phone.endpoint.url}
      '';
      "logger.conf" = ''
        [general]
        dateformat=%F %T
        [logfiles]
        ; Add debug output to log
        messages => security, notice,warning,error 
        syslog.local0 => notice,warning,error,debug
      '';
    };
  };
 }
--- a/services/bitwarden.nix
+++ b/services/bitwarden.nix
@ -1,4 +1,4 @@
-{ config, pkgs, witch, ... }:
+{ config, pkgs, ... }:
 {
  services.postgresql = {
@ -16,7 +16,6 @@
      rocketPort = 4000;
      websocketEnabled = true;
      signupsAllowed = false;
      adminToken = witch.secrets.hosts.athame.bitwarden_secret;
      domain = "https://vault.kittywit.ch";
      databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
    };
--- a/services/mail.nix
+++ b/services/mail.nix
@ -1,4 +1,4 @@
-{ config, lib, tf, pkgs, witch, sources, ... }:
+{ config, lib, tf, pkgs, sources, ... }:
 with lib;
@ -82,14 +82,6 @@ with lib;
    txt.value = tf.variables.domainkey_kitty.ref;
  };
  secrets.files = {
    kat_mail_hash = {
      source = ../private/files/mail/kat-pw-hash;
      owner = "kat";
      group = "users";
    };
  };
  mailserver = {
    enable = true;
    fqdn = "athame.kittywit.ch";
--- a/services/matrix.nix
+++ b/services/matrix.nix
@ -1,4 +1,4 @@
-{ config, pkgs, witch, ... }:
+{ config, pkgs, ... }:
 {
  environment.systemPackages = [ pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ];
@ -13,7 +13,6 @@
  services.matrix-synapse = {
    enable = true;
    registration_shared_secret = witch.secrets.hosts.athame.matrix_secret;
    max_upload_size = "512M";
    server_name = "kittywit.ch";
    app_service_config_files = [
@ -34,10 +33,6 @@
    }];
  };
  secrets.files = {
    telegram-env = { source = ../private/files/matrix/mautrix-telegram.env; };
  };
  services.mautrix-telegram = {
    enable = true;
    settings = {
@ -62,7 +57,6 @@
        };
      };
    };
    environmentFile = config.secrets.files.telegram-env.path;
  };
  systemd.services.mx-puppet-discord = {
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, witch, tf, ... }:
+{ config, lib, pkgs, tf, ... }:
 with lib;
@ -37,7 +37,7 @@ with lib;
  };
  security.acme = {
-    email = witch.secrets.unscoped.acme.email;
+    email = "acme@kittywit.ch";
    acceptTerms = true;
  };
 }
--- a/services/syncplay.nix
+++ b/services/syncplay.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, witch, ... }:
+{ config, lib, pkgs, tf, ... }:
 with lib;
@ -21,16 +21,32 @@ with lib;
    cname.target = "athame.kittywit.ch.";
  };
  deploy.tf.variables.syncplay_pass = {
    type = "string";
    value.shellCommand = "bitw get infra/syncplay-server -f password";
  };
  deploy.tf.variables.syncplay_salt = {
    type = "string";
    value.shellCommand = "bitw get infra/syncplay-salt -f password";
  };
  secrets.files.syncplay-env = {
    text = ''
      SYNCPLAY_PASSWORD=${tf.variables.syncplay_pass.ref}
      SYNCPLAY_SALT=${tf.variables.syncplay_salt.ref}
    '';
    owner = "syncplay";
    group = "sync-cert";
  };
  systemd.services.syncplay = {
    environment = {
      SYNCPLAY_PASSWORD = witch.secrets.hosts.athame.syncplay.password;
      SYNCPLAY_SALT = witch.secrets.hosts.athame.syncplay.salt;
    };
    description = "Syncplay Service";
    wantedBy = singleton "multi-user.target";
    after = singleton "network-online.target";
    serviceConfig = {
      EnvironmentFile = config.secrets.files.syncplay-env.path;
      ExecStart =
        "${pkgs.syncplay}/bin/syncplay-server --port 8999 --tls /var/lib/acme/sync.kittywit.ch/ --disable-ready";
      User = "syncplay";
--- a/services/znc.nix
+++ b/services/znc.nix
@ -1,40 +0,0 @@
 { config, lib, pkgs, witch, ... }:
 with lib;
 {
  katnet.public.tcp.ports = singleton 5001;
  services.znc = {
    enable = true;
    mutable = false;
    useLegacyConfig = false;
    openFirewall = false;
    config = {
      Listener.l = {
        Port = 5000;
        SSL = false;
        AllowWeb = true;
      };
      Listener.j = {
        Port = 5001;
        SSL = true;
        AllowWeb = false;
      };
      modules = [ "webadmin" "adminlog" ];
      User = witch.secrets.hosts.athame.znc;
    };
  };
  services.nginx.virtualHosts."znc.kittywit.ch" = {
    enableACME = true;
    forceSSL = true;
    locations = { "/".proxyPass = "http://127.0.0.1:5000"; };
  };
  deploy.tf.dns.records.kittywitch_znc = {
    tld = "kittywit.ch.";
    domain = "znc";
    cname.target = "athame.kittywit.ch.";
  };
 }