feat: convert to flake

feat(zaatar): convert to flake feat(tahina, tabula): convert to flake feat(makanek): convert to flake feat(manakish, zaatar): convert to flake feat(ci): build flake systems fix: ci build feat: secrets via submodule foo foo foo
2026-03-16 10:11:08 +01:00 · 2023-02-22 10:02:55 +01:00
parent ba27e98297
commit d03c6bb0de
92 changed files with 1656 additions and 934 deletions
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -4,19 +4,26 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) kieran retiolumAddresses restic;
+  inherit (import ../../lib) kieran retiolumAddresses restic;
 in {
  imports = [
    ./hardware-configuration.nix
    ./matomo.nix
-    <niveum/configs/monitoring.nix>
-    <niveum/configs/nix.nix>
-    <niveum/configs/save-space.nix>
-    <niveum/configs/spacetime.nix>
-    <niveum/configs/sshd.nix>
-    <niveum/configs/retiolum.nix>
+    ../../configs/monitoring.nix
+    ../../configs/save-space.nix
+    ../../configs/spacetime.nix
+    ../../configs/retiolum.nix
+    ../../configs/sshd.nix
+    ../../configs/nix.nix
  ];

+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/ful-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/ful-retiolum-privateKey-rsa.age;
+    root.file = ../../secrets/ful-root.age;
+    restic.file = ../../secrets/restic.age;
+  };
+
  services.restic.backups.niveum = {
    initialize = true;
    inherit (restic) repository;
@@ -24,14 +31,12 @@ in {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
-    passwordFile = toString <secrets/restic/password>;
+    passwordFile = config.age.secrets.restic.path;
    paths = [
      config.services.mysqlBackup.location
    ];
  };

-  nix.nixPath = ["/var/src"];
-
  networking = {
    firewall.allowedTCPPorts = [80 443];
    hostName = "ful";
@@ -56,7 +61,7 @@ in {
    defaults.email = kieran.email;
  };

-  users.users.root.passwordFile = toString <system-secrets/root.password>;
+  users.users.root.passwordFile = config.age.secrets.root.path;

  environment.systemPackages = [pkgs.vim pkgs.git pkgs.tmux pkgs.python3];

--- a/systems/ful/hardware-configuration.nix
+++ b/systems/ful/hardware-configuration.nix
@@ -2,9 +2,12 @@
  config,
  lib,
  pkgs,
+  modulesPath,
  ...
 }: {
-  imports = [<nixpkgs/nixos/modules/profiles/qemu-guest.nix>];
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];

  boot = {
    loader = {
--- a/systems/ful/matomo.nix
+++ b/systems/ful/matomo.nix
@@ -1,5 +1,5 @@
 {pkgs, ...}: let
-  inherit (import <niveum/lib>) kieran;
+  inherit (import ../../lib) kieran;
 in {
  services.nginx = {
    enable = true;
--- a/systems/kabsa/configuration.nix
+++ b/systems/kabsa/configuration.nix
@@ -4,13 +4,13 @@
  lib,
  ...
 }: let
-  inherit (import <niveum/lib>) retiolumAddresses;
+  inherit (import ../../lib) retiolumAddresses;
 in {
  imports = [
    ./hardware-configuration.nix
-    <niveum/configs/battery.nix>
-    <niveum/configs/default.nix>
-    <niveum/configs/networkmanager.nix>
+    ../../configs/battery.nix
+    ../../configs/default.nix
+    ../../configs/networkmanager.nix # TODO how to get passwords into there?
  ];

  niveum = {
@@ -24,6 +24,14 @@ in {
    max-jobs = 2;
  };

+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/kabsa-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/kabsa-retiolum-privateKey-ed25519.age;
+    restic.file = ../../secrets/restic.age;
+    syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
+    syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
+  };
+
  environment.systemPackages = [pkgs.minecraft pkgs.zeroad];

  networking = {
--- a/systems/kabsa/hardware-configuration.nix
+++ b/systems/kabsa/hardware-configuration.nix
@@ -2,9 +2,10 @@
  config,
  lib,
  pkgs,
+  modulesPath,
  ...
 }: {
-  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];

  boot = {
    initrd = {
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -4,7 +4,7 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) kieran retiolumAddresses restic;
+  inherit (import ../../lib) kieran retiolumAddresses restic;
 in {
  imports = [
    ./gitea.nix
@@ -13,7 +13,6 @@ in {
    ./menstruation.nix
    ./moinbot.nix
    ./monitoring
-    ./moodle-dl-borsfaye.nix
    ./names.nix
    ./nextcloud.nix
    ./radio-news.nix
@@ -23,14 +22,14 @@ in {
    ./tt-rss.nix
    ./urlwatch.nix
    ./weechat.nix
-    <niveum/configs/monitoring.nix>
-    <niveum/configs/nix.nix>
-    <niveum/configs/save-space.nix>
-    <niveum/configs/spacetime.nix>
-    <niveum/configs/sshd.nix>
-    <niveum/configs/retiolum.nix>
-    <niveum/configs/telegram-bots>
-    <niveum/modules/passport.nix>
+    ../../configs/monitoring.nix
+    ../../configs/nix.nix
+    ../../configs/save-space.nix
+    ../../configs/retiolum.nix
+    ../../configs/spacetime.nix
+    ../../configs/sshd.nix
+    ../../configs/telegram-bots
+    ../../modules/passport.nix
  ];

  services.restic.backups.niveum = {
@@ -40,7 +39,7 @@ in {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
-    passwordFile = toString <secrets/restic/password>;
+    passwordFile = config.age.secrets.restic.path;
    paths = [
      "/var/lib/codimd"
      config.services.postgresqlBackup.location
@@ -76,8 +75,6 @@ in {
    ];
  };

-  nix.nixPath = ["/var/src"];
-
  networking = {
    firewall.allowedTCPPorts = [80 443];
    hostName = "makanek";
@@ -86,6 +83,12 @@ in {
    useDHCP = false;
  };

+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/makanek-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/makanek-retiolum-privateKey-ed25519.age;
+    restic.file = ../../secrets/restic.age;
+  };
+
  system.stateVersion = "20.03";

  services.nginx = {
--- a/systems/makanek/gitea.nix
+++ b/systems/makanek/gitea.nix
@@ -1,5 +1,5 @@
 let
-  inherit (import <niveum/lib>) sshPort;
+  inherit (import ../../lib) sshPort;
  domain = "https://code.kmein.de";
 in {
  services.gitea = {
--- a/systems/makanek/hardware-configuration.nix
+++ b/systems/makanek/hardware-configuration.nix
@@ -2,9 +2,10 @@
  config,
  lib,
  pkgs,
+  modulesPath,
  ...
 }: {
-  imports = [<nixpkgs/nixos/modules/profiles/qemu-guest.nix>];
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];

  boot = {
    initrd = {
--- a/systems/makanek/hedgedoc.nix
+++ b/systems/makanek/hedgedoc.nix
@@ -6,7 +6,7 @@
  backupLocation = "/var/lib/codimd-backup";
  stateLocation = "/var/lib/codimd/state.sqlite";
  domain = "pad.kmein.de";
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../../lib) tmpfilesConfig;
 in {
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
--- a/systems/makanek/menstruation.nix
+++ b/systems/makanek/menstruation.nix
@@ -1,16 +1,10 @@
 {
+  config,
  pkgs,
  lib,
+  inputs,
  ...
 }: let
-  backend = pkgs.callPackage <menstruation-backend> {};
-  old-pkgs = import (pkgs.fetchFromGitHub {
-    owner = "NixOs";
-    repo = "nixpkgs";
-    rev = "695b3515251873e0a7e2021add4bba643c56cde3";
-    hash = "sha256-T86oFvcUIRwHWBWUt7WjaP4BP/3lDGbv5AppQSI1FkI=";
-  }) {};
-  telegram = old-pkgs.poetry2nix.mkPoetryApplication {projectDir = <menstruation-telegram>;};
  backendPort = 8000;
 in {
  services.redis.servers.menstruation = {
@@ -36,24 +30,32 @@ in {
    ];
    wantedBy = ["multi-user.target"];
    environment = {
-      MENSTRUATION_TOKEN = lib.strings.fileContents <system-secrets/telegram/menstruation.token>;
      MENSTRUATION_ENDPOINT = "http://localhost:${toString backendPort}";
      MENSTRUATION_MODERATORS = "18980945";
    };
+    script = ''
+      set -efu
+      export MENSTRUATION_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/menstruation-token")"
+      ${inputs.menstruation-telegram.defaultPackage.x86_64-linux}/bin/menstruation-telegram
+    '';
    serviceConfig = {
      Restart = "always";
      DynamicUser = true;
-      ExecStart = "${telegram}/bin/menstruation-telegram";
+      LoadCredential = [
+        "menstruation-token:${config.age.secrets.telegram-token-menstruation.path}"
+      ];
    };
  };

+  age.secrets.telegram-token-menstruation.file = ../../secrets/telegram-token-menstruation.age;
+
  systemd.services.menstruation-backend = {
    wants = ["network-online.target"];
    environment.ROCKET_PORT = toString backendPort;
    serviceConfig = {
      Restart = "always";
      DynamicUser = true;
-      ExecStart = "${backend}/bin/menstruation_server";
+      ExecStart = "${inputs.menstruation-backend.defaultPackage.x86_64-linux}/bin/menstruation_server";
    };
  };
 }
--- a/systems/makanek/moinbot.nix
+++ b/systems/makanek/moinbot.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
  systemd.services.moinbot = {
    startAt = "7:00";
    script = ''
@@ -8,7 +12,7 @@
      MOIN
      OI
      moi" | shuf -n1)
-      echo "$greeting" | ${pkgs.ircaids}/bin/ircsink \
+      echo "$greeting" | ${config.nur.repos.mic92.ircsink}/bin/ircsink \
        --nick "$greeting""bot" \
        --server irc.hackint.org \
        --port 6697 \
--- a/systems/makanek/monitoring/default.nix
+++ b/systems/makanek/monitoring/default.nix
@@ -6,7 +6,7 @@
 }: let
  lokiConfig = import ./loki.nix;
  blackboxConfig = import ./blackbox.nix;
-  inherit (import <niveum/lib>) restic;
+  inherit (import ../../../lib) restic;
 in {
  services.grafana = {
    enable = true;
@@ -17,12 +17,12 @@ in {
        http_addr = "127.0.0.1";
      };
      smtp = let
-        inherit (import <niveum/lib/email.nix> {inherit lib;}) cock;
+        inherit (import ../../../lib/email.nix {inherit lib;}) cock;
        address = builtins.split "@" cock.user;
      in {
        enabled = true;
        from_address = cock.address;
-        password = cock.password;
+        password = "$__file{${config.age.secrets.email-password-cock.path}}";
        user = cock.user;
        host = cock.smtpSettings cock.smtp;
        startTLS_policy = "MandatoryStartTLS";
@@ -30,7 +30,7 @@ in {
      dashboards.default_home_dashboard_path = toString ./grafana-dashboards/niveum.json;
      security = {
        admin_user = "admin";
-        admin_password = lib.strings.fileContents <system-secrets/grafana/admin>;
+        admin_password = "$__file{${config.age.secrets.grafana-password-admin.path}}";
      };
    };
    provision = {
@@ -196,6 +196,7 @@ in {
    enable = true;
    listenAddress = "localhost";
    webExternalUrl = "http://alertmanager.kmein.r";
+    environmentFile = config.age.secrets.alertmanager-token-reporters.path;
    configuration = {
      route = {
        group_wait = "30s";
@@ -207,7 +208,7 @@ in {
          name = "all";
          telegram_configs = [
            {
-              bot_token = lib.strings.fileContents <system-secrets/telegram/prometheus.token>;
+              bot_token = "$TELEGRAM_TOKEN";
              chat_id = 18980945;
              parse_mode = "";
              api_url = "https://api.telegram.org";
@@ -220,8 +221,8 @@ in {
            }
          ];
          email_configs = let
-            inherit (import <niveum/lib>) kieran;
-            inherit (import <niveum/lib/email.nix> {inherit lib;}) cock;
+            inherit (import ../../../lib) kieran;
+            inherit (import ../../../lib/email.nix {inherit lib;}) cock;
          in [
            {
              send_resolved = true;
@@ -230,7 +231,7 @@ in {
              smarthost = "${cock.smtp}:587";
              auth_username = cock.user;
              auth_identity = cock.user;
-              auth_password = cock.password;
+              auth_password = "$EMAIL_PASSWORD";
            }
          ];
        }
@@ -238,6 +239,27 @@ in {
    };
  };

+  age.secrets = {
+    email-password-cock = {
+      file = ../../../secrets/email-password-cock.age;
+      owner = "grafana";
+      group = "grafana";
+      mode = "440";
+    };
+    grafana-password-admin = {
+      file = ../../../secrets/grafana-password-admin.age;
+      owner = "grafana";
+      group = "grafana";
+      mode = "440";
+    };
+    alertmanager-token-reporters = {
+      file = ../../../secrets/alertmanager-token-reporters.age;
+      owner = "prometheus";
+      group = "prometheus";
+      mode = "440";
+    };
+  };
+
  services.prometheus.alertmanagers = [
    {
      scheme = "http";
--- a/systems/makanek/names.nix
+++ b/systems/makanek/names.nix
@@ -1,10 +1,11 @@
 {
  pkgs,
  lib,
+  inputs,
  ...
 }: let
  port = 5703;
-  onomap-src = "${<scripts>}/onomastics-ng";
+  onomap-src = inputs.scripts.outPath + "/onomastics-ng";
  onomap = pkgs.haskellPackages.callCabal2nix "onomap" onomap-src {};
 in {
  systemd.services.names = {
--- a/systems/makanek/nextcloud.nix
+++ b/systems/makanek/nextcloud.nix
@@ -4,9 +4,23 @@
  lib,
  ...
 }: let
-  passwordFile = path: toString (pkgs.writeText "password" (lib.strings.fileContents path));
-  inherit (import <niveum/lib>) localAddresses;
+  inherit (import ../../lib) localAddresses;
 in {
+  age.secrets = {
+    nextcloud-password-database = {
+      file = ../../secrets/nextcloud-password-database.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+      mode = "440";
+    };
+    nextcloud-password-admin = {
+      file = ../../secrets/nextcloud-password-admin.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+      mode = "440";
+    };
+  };
+
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud25;
@@ -30,8 +44,8 @@ in {
      dbuser = "nextcloud";
      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
      dbname = "nextcloud";
-      dbpassFile = passwordFile <system-secrets/nextcloud/database>;
-      adminpassFile = passwordFile <system-secrets/nextcloud/admin>;
+      dbpassFile = config.age.secrets.nextcloud-password-database.path;
+      adminpassFile = config.age.secrets.nextcloud-password-admin.path;
      adminuser = "admin";
      # extraTrustedDomains = [ "toum.r" ];
      defaultPhoneRegion = "DE";
@@ -40,7 +54,7 @@ in {
    logLevel = 2;

    extraOptions = let
-      inherit (import <niveum/lib/email.nix> {inherit lib;}) cock;
+      inherit (import ../../lib/email.nix {inherit lib;}) cock;
      address = builtins.split "@" cock.user;
    in {
      defaultapp = "files";
@@ -54,7 +68,7 @@ in {
      mail_smtpauthtype = "LOGIN";
      mail_smtpauth = 1;
      mail_smtpname = cock.user;
-      mail_smtppassword = cock.password;
+      # mail_smtppassword = cock.password; # TODO how to do this?
    };
  };

--- a/systems/makanek/radio-news.nix
+++ b/systems/makanek/radio-news.nix
@@ -3,10 +3,10 @@
  lib,
  ...
 }: let
-  inherit (import <niveum/lib>) serveHtml;
+  inherit (import ../../lib) serveHtml;
  remote = "https://cgit.lassul.us/stockholm";
 in {
-  services.nginx.virtualHosts."redaktion.r".locations."/".extraConfig = serveHtml <niveum/lib/radio-news.html> pkgs;
+  services.nginx.virtualHosts."redaktion.r".locations."/".extraConfig = serveHtml ../../lib/radio-news.html pkgs;

  niveum.passport.services = [
    {
--- a/systems/makanek/radio.nix
+++ b/systems/makanek/radio.nix
@@ -4,7 +4,7 @@
  config,
  ...
 }: let
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../../lib) tmpfilesConfig;
  liquidsoapDirectory = "/var/cache/liquidsoap";
  icecastPassword = "hackme";
  lyrikline-poem = pkgs.writers.writeDash "lyrikline.sh" ''
--- a/systems/makanek/retiolum-map.nix
+++ b/systems/makanek/retiolum-map.nix
@@ -2,6 +2,7 @@
  config,
  pkgs,
  lib,
+  inputs,
  ...
 }: let
  network = "retiolum";
@@ -11,7 +12,7 @@
  geo-ip-database = "${lib.head config.services.geoipupdate.settings.EditionIDs}.mmdb";
  geo-ip-database-path = "${config.services.geoipupdate.settings.DatabaseDirectory}/${geo-ip-database}";

-  tinc-graph = pkgs.callPackage <tinc-graph> {};
+  tinc-graph = inputs.tinc-graph.defaultPackage.x86_64-linux;
 in {
  systemd.services.retiolum-index = {
    description = "Retiolum indexing service";
@@ -39,11 +40,13 @@ in {
    enable = true;
    settings = {
      AccountID = 608777;
-      LicenseKey = toString <system-secrets/maxmind/license.key>;
+      LicenseKey._secret = config.age.secrets.maxmind-license-key.path;
      EditionIDs = ["GeoLite2-City"];
    };
  };

+  age.secrets.maxmind-license-key.file = ../../secrets/maxmind-license-key.age;
+
  niveum.passport.services = [
    {
      link = "http://graph.r";
@@ -71,9 +74,7 @@ in {
  systemd.services.geoip-share = {
    after = ["geoipupdate.service"];
    wantedBy = ["geoipupdate.service"];
-    script = let
-      cyberlocker-tools = pkgs.callPackage <stockholm/krebs/5pkgs/simple/cyberlocker-tools> {};
-    in "${cyberlocker-tools}/bin/cput ${geo-ip-database} < ${geo-ip-database-path}";
+    script = "${pkgs.curl}/bin/curl -fSs --data-binary @${geo-ip-database-path} http://c.r/${geo-ip-database} ";
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;
--- a/systems/makanek/tarot.nix
+++ b/systems/makanek/tarot.nix
@@ -15,35 +15,34 @@
    sha256 = "1n2m53kjg2vj9dbr70b9jrsbqwdfrcb48l4wswn21549fi24g6dx";
  };
 in {
-  imports = [<stockholm/krebs/3modules/htgen.nix>];
+  imports = [../../modules/htgen.nix];

-  krebs.htgen.tarot = {
+  services.htgen.tarot = {
    port = tarotPort;
-    user.name = "radio";
-    scriptFile = pkgs.writers.writeDash "tarot" ''
-      case "$Method $Request_URI" in
-        "GET /")
-          if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then
-            card=$(mktemp --tmpdir tarot.XXX)
-            trap 'rm $card' EXIT
-            reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1)
-            if [ "$reverse" -eq 1 ]; then
-              ${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card"
-            else
-              ${pkgs.coreutils}/bin/cp "$item" "$card"
+    script = ''. ${pkgs.writers.writeDash "tarot" ''
+        case "$Method $Request_URI" in
+          "GET /")
+            if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then
+              card=$(mktemp --tmpdir tarot.XXX)
+              trap 'rm $card' EXIT
+              reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1)
+              if [ "$reverse" -eq 1 ]; then
+                ${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card"
+              else
+                ${pkgs.coreutils}/bin/cp "$item" "$card"
+              fi
+              printf 'HTTP/1.1 200 OK\r\n'
+              printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")"
+              printf 'Server: %s\r\n' "$Server"
+              printf 'Connection: close\r\n'
+              printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card")
+              printf '\r\n'
+              cat "$card"
+              exit
            fi
-            printf 'HTTP/1.1 200 OK\r\n'
-            printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")"
-            printf 'Server: %s\r\n' "$Server"
-            printf 'Connection: close\r\n'
-            printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card")
-            printf '\r\n'
-            cat "$card"
-            exit
-          fi
-        ;;
-      esac
-    '';
+          ;;
+        esac
+      ''}'';
  };

  niveum.passport.services = [
--- a/systems/makanek/tt-rss.nix
+++ b/systems/makanek/tt-rss.nix
@@ -9,10 +9,7 @@
 in {
  services.miniflux = {
    enable = true;
-    adminCredentialsFile = pkgs.writeText "miniflux" ''
-      ADMIN_USERNAME='kfm'
-      ADMIN_PASSWORD='${lib.strings.fileContents <secrets/miniflux/password>}'
-    '';
+    adminCredentialsFile = config.age.secrets.miniflux-credentials.path;
    config = {
      FETCH_YOUTUBE_WATCH_TIME = "1";
      POLLING_FREQUENCY = "20";
@@ -22,6 +19,8 @@ in {
    };
  };

+  age.secrets.miniflux-credentials.file = ../../secrets/miniflux-credentials.age;
+
  services.postgresqlBackup = {
    enable = true;
    databases = ["miniflux"];
--- a/systems/makanek/urlwatch.nix
+++ b/systems/makanek/urlwatch.nix
@@ -4,7 +4,7 @@
  lib,
  ...
 }: let
-  inherit (import <niveum/lib>) kieran;
+  inherit (import ../../lib) kieran;

  urlwatchDir = "/var/lib/urlwatch";

@@ -141,14 +141,14 @@
          port = 587;
          starttls = true;
          auth = true;
-          insecure_password = lib.strings.fileContents <secrets/mail/cock>;
+          # insecure_password = lib.strings.fileContents <secrets/mail/cock>; TODO how?
        };
        subject = "{count} changes: {jobs}";
        to = kieran.email;
      };
      telegram = {
        enabled = false;
-        bot_token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+        # bot_token = lib.strings.fileContents <system-secrets/telegram/kmein.token>; TODO how?
        chat_id = "-1001504043752";
      };
      html.diff = "unified";
@@ -165,7 +165,7 @@
    };
  };
  urlwatch = pkgs.urlwatch.overrideAttrs (attrs: {
-    patches = [<niveum/packages/urlwatch-insecure.patch>];
+    patches = [../../packages/urlwatch-insecure.patch];
  });
 in {
  users.extraUsers.urlwatch = {
--- a/systems/makanek/weechat.nix
+++ b/systems/makanek/weechat.nix
@@ -3,9 +3,9 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) kieran;
-  relayPassword = lib.fileContents <system-secrets/weechat/relay>;
+  inherit (import ../../lib) kieran;
  weechatHome = "/var/lib/weechat";
+  weechat-declarative = pkgs.callPackage ../../packages/weechat-declarative.nix {};
 in {
  systemd.services.weechat = let
    tmux = pkgs.writers.writeDash "tmux" ''
@@ -26,13 +26,13 @@ in {
        ''
      } "$@"
    '';
-    weechat = pkgs.weechat-declarative.override {
+    weechat = weechat-declarative.override {
      config = {
        scripts = [
          pkgs.weechatScripts.weechat-autosort
          pkgs.weechatScripts.colorize_nicks
          pkgs.weechatScripts.weechat-matrix
-          (pkgs.callPackage <niveum/packages/weechatScripts/hotlist2extern.nix> {})
+          (pkgs.callPackage ../../packages/weechatScripts/hotlist2extern.nix {})
        ];
        settings = let
          nick = "kmein";
@@ -63,7 +63,7 @@ in {
                autojoin = ["#eloop" "#krebs" "#hsmr" "#hsmr-moin" "#nixos" "#the_playlist" "#flipdot-berlin" "#hackint"];
                sasl_mechanism = "plain";
                sasl_username = nick;
-                sasl_password = lib.strings.fileContents <system-secrets/irc/hackint>;
+                sasl_password = "\${sec.data.hackint_sasl}";
              };
              libera = {
                autoconnect = true;
@@ -72,7 +72,7 @@ in {
                autojoin = ["#flipdot" "#haskell" "#nixos" "#fysi" "#binaergewitter" "#vim" "#newsboat"];
                sasl_mechanism = "plain";
                sasl_username = nick;
-                sasl_password = lib.strings.fileContents <system-secrets/irc/libera>;
+                sasl_password = "\${sec.data.libera_sasl}";
              };
              oftc = {
                autoconnect = true;
@@ -80,7 +80,7 @@ in {
                ssl = true;
                ipv6 = true;
                command = lib.concatStringsSep "\\;" [
-                  "/msg nickserv identify ${lib.strings.fileContents <system-secrets/irc/oftc>}"
+                  "/msg nickserv identify  \${sec.data.oftc_account}"
                  "/msg nickserv set cloak on"
                ];
                autojoin = ["#home-manager"];
@@ -97,7 +97,7 @@ in {
                ];
                sasl_mechanism = "plain";
                sasl_username = nick;
-                sasl_password = lib.strings.fileContents <system-secrets/irc/retiolum>;
+                sasl_password = "\${sec.data.retiolum_sasl}";
              };
              news = {
                autoconnect = true;
@@ -121,13 +121,13 @@ in {
          matrix.server.nibbana = {
            address = "nibbana.jp";
            username = nick;
-            password = lib.strings.fileContents <system-secrets/matrix/nibbana>;
+            password = "\${sec.data.nibbana_account}";
            autoconnect = true;
          };
          alias.cmd.mod = "/quote omode $channel +o $nick";
          relay = {
            port.weechat = 9000;
-            network.password = relayPassword;
+            network.password = "\${sec.data.relay_password}";
          };
          filters = {
            zerocovid = {
@@ -202,6 +202,14 @@ in {
    packages = [pkgs.tmux];
  };

+  age.secrets.weechat-sec = {
+    file = ../../secrets/weechat-sec.conf.age;
+    path = "/var/lib/weechat/sec.conf";
+    owner = "weechat";
+    group = "weechat";
+    mode = "440";
+  };
+
  niveum.passport.services = [
    {
      title = "weechat bouncer";
--- a/systems/manakish/configuration.nix
+++ b/systems/manakish/configuration.nix
@@ -3,17 +3,25 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) retiolumAddresses;
+  inherit (import ../../lib) retiolumAddresses;
 in {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./hdmi.nix
-    <niveum/configs/default.nix>
-    <niveum/configs/battery.nix>
-    <niveum/configs/wpa_supplicant.nix>
+    ../../configs/default.nix
+    ../../configs/battery.nix
+    ../../configs/wpa_supplicant.nix
  ];

+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/manakish-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/manakish-retiolum-privateKey-ed25519.age;
+    restic.file = ../../secrets/restic.age;
+    syncthing-cert.file = ../../secrets/manakish-syncthing-cert.age;
+    syncthing-key.file = ../../secrets/manakish-syncthing-key.age;
+  };
+
  niveum = {
    batteryName = "BAT0";
    wirelessInterface = "wlp3s0";
--- a/systems/tabula/configuration.nix
+++ b/systems/tabula/configuration.nix
@@ -3,16 +3,20 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) retiolumAddresses;
+  inherit (import ../../lib) retiolumAddresses;
 in {
  imports = [
    ./hardware-configuration.nix
-    <niveum/configs/spacetime.nix>
-    <niveum/configs/retiolum.nix>
-    <niveum/configs/sshd.nix>
+    ../../configs/spacetime.nix
+    ../../configs/retiolum.nix
+    ../../configs/sshd.nix
+    ../../configs/nix.nix
  ];

-  nix.nixPath = ["/var/src"];
+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/tabula-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/tabula-retiolum-privateKey-rsa.age;
+  };

  services.xserver = {
    libinput.enable = true;
--- a/systems/tahina/configuration.nix
+++ b/systems/tahina/configuration.nix
@@ -3,16 +3,20 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) retiolumAddresses;
+  inherit (import ../../lib) retiolumAddresses;
 in {
  imports = [
    ./hardware-configuration.nix
-    <niveum/configs/spacetime.nix>
-    <niveum/configs/retiolum.nix>
-    <niveum/configs/sshd.nix>
+    ../../configs/spacetime.nix
+    ../../configs/sshd.nix
+    ../../configs/retiolum.nix
+    ../../configs/nix.nix
  ];

-  nix.nixPath = ["/var/src"];
+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/tahina-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/tahina-retiolum-privateKey-rsa.age;
+  };

  console.keyMap = "de";
  i18n.defaultLocale = "de_DE.UTF-8";
--- a/systems/zaatar/atuin.nix
+++ b/systems/zaatar/atuin.nix
@@ -1,6 +1,9 @@
-{config, ...}: let
-  inherit (import <niveum/lib>) tmpfilesConfig;
-  unstable = import <nixos-unstable> {inherit (config.nixpkgs) config;};
+{
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (import ../../lib) tmpfilesConfig;
 in {
  services.postgresql = {
    enable = true;
@@ -47,7 +50,7 @@ in {
    };
    serviceConfig = {
      User = "atuin";
-      ExecStart = "${unstable.atuin}/bin/atuin server start";
+      ExecStart = "${pkgs.atuin}/bin/atuin server start";
      Restart = "on-failure";
    };
  };
--- a/systems/zaatar/backup.nix
+++ b/systems/zaatar/backup.nix
@@ -1,9 +1,10 @@
 {
+  config,
  pkgs,
  lib,
  ...
 }: let
-  niveumLib = import <niveum/lib>;
+  niveumLib = import ../../lib;
  inherit (niveumLib) retiolumAddresses restic;
  firewall = niveumLib.firewall lib;
  dataDir = "/backup/restic";
@@ -19,7 +20,7 @@ in {

  environment.systemPackages = [
    (pkgs.writers.writeDashBin "restic-niveum" ''
-      exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${<secrets/restic/password>} "$@"
+      exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${config.age.secrets.restic.path} "$@"
    '')
  ];

--- a/systems/zaatar/configuration.nix
+++ b/systems/zaatar/configuration.nix
@@ -4,7 +4,7 @@
  lib,
  ...
 }: let
-  inherit (import <niveum/lib>) retiolumAddresses restic;
+  inherit (import ../../lib) retiolumAddresses restic;
 in {
  imports = [
    ./atuin.nix
@@ -18,18 +18,23 @@ in {
    ./mpd.nix
    ./grocy.nix
    ./spotifyd.nix
-    <niveum/configs/keyboard.nix>
-    <niveum/configs/monitoring.nix>
-    <niveum/configs/nix.nix>
-    <niveum/configs/printing.nix>
-    <niveum/configs/spacetime.nix>
-    <niveum/configs/sshd.nix>
-    # <niveum/configs/traadfri.nix>
-    <niveum/configs/tmux.nix>
-    <niveum/configs/retiolum.nix>
-    <niveum/configs/wpa_supplicant.nix>
+    ../../configs/keyboard.nix
+    ../../configs/monitoring.nix
+    ../../configs/retiolum.nix
+    ../../configs/printing.nix
+    ../../configs/spacetime.nix
+    ../../configs/sshd.nix
+    ../../configs/tmux.nix
+    ../../configs/wpa_supplicant.nix
+    ../../configs/nix.nix
  ];

+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
+    restic.file = ../../secrets/restic.age;
+  };
+
  services.restic.backups.moodle-dl = {
    initialize = true;
    inherit (restic) repository;
@@ -37,7 +42,7 @@ in {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
-    passwordFile = toString <secrets/restic/password>;
+    passwordFile = config.age.secrets.restic.path;
    paths = [
      "/var/lib/moodle-dl"
      "/var/lib/containers/storage/volumes/home-assistant"
@@ -56,7 +61,7 @@ in {
  services.illum.enable = true;

  environment.systemPackages = let
-    worldradio = pkgs.callPackage <niveum/packages/worldradio.nix> {};
+    worldradio = pkgs.callPackage ../../packages/worldradio.nix {};
  in [
    (pkgs.writers.writeDashBin "mpv" ''${pkgs.mpv}/bin/mpv --no-video "$@"'')
    (pkgs.writers.writeDashBin "worldradio" ''
--- a/systems/zaatar/hardware-configuration.nix
+++ b/systems/zaatar/hardware-configuration.nix
@@ -2,9 +2,10 @@
  config,
  lib,
  pkgs,
+  modulesPath,
  ...
 }: {
-  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];

  boot = {
    initrd.availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" "rtsx_usb_sdmmc"];
--- a/systems/zaatar/moodle-dl-meinhark.nix
+++ b/systems/zaatar/moodle-dl-meinhark.nix
@@ -7,22 +7,26 @@
  moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old:
    old
    // {
-      patches = [<niveum/packages/moodle-dl/telegram-format.patch>];
+      patches = [../../packages/moodle-dl/telegram-format.patch];
    });
 in {
-  imports = [<niveum/modules/moodle-dl.nix>];
+  imports = [../../modules/moodle-dl.nix];
+
+  age.secrets = {
+    moodle-dl-tokens.file = ../../secrets/zaatar-moodle-dl-tokens.json.age;
+    moodle-dl-basicAuth.file = ../../secrets/zaatar-moodle-dl-basicAuth.age;
+  };

  services.moodle-dl = {
    enable = true;
    startAt = "hourly";
    package = moodle-dl-package;
+    tokensFile = config.age.secrets.moodle-dl-tokens.path;
    settings = {
      telegram = {
-        token = lib.strings.fileContents <system-secrets/telegram/moodle-dl.token>;
        chat_id = "18980945";
        send_error_msg = false;
      };
-      token = lib.strings.fileContents <system-secrets/moodle.token>;
      moodle_domain = "moodle.hu-berlin.de";
      moodle_path = "/";
      download_course_ids = [
@@ -103,11 +107,8 @@ in {

  services.nginx.enable = true;

-  services.nginx.virtualHosts."moodle.kmein.r" = let
-    identity = lib.strings.fileContents <secrets/eduroam/identity>;
-    password = lib.strings.fileContents <secrets/eduroam/password>;
-  in {
-    basicAuth."${identity}" = password;
+  services.nginx.virtualHosts."moodle.kmein.r" = {
+    basicAuthFile = config.age.secrets.moodle-dl-basicAuth.path;
    locations."/" = {
      root = config.services.moodle-dl.directory;
      extraConfig = ''
@@ -120,7 +121,7 @@ in {
  services.nfs.server = {
    enable = true;
    exports = let
-      machines = with (import <niveum/lib>).retiolumAddresses; [kabsa manakish];
+      machines = with (import ../../lib).retiolumAddresses; [kabsa manakish];
    in ''
      /export        ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(fsid=0)") machines}
      /export/moodle ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(insecure,rw)") machines}
--- a/systems/zaatar/mpd.nix
+++ b/systems/zaatar/mpd.nix
@@ -4,19 +4,14 @@
  lib,
  ...
 }: let
-  firewall = (import <niveum/lib>).firewall lib;
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  firewall = (import ../../lib).firewall lib;
+  inherit (import ../../lib) tmpfilesConfig;

-  streams = import <niveum/lib/streams.nix> {
-    di-fm-key = lib.strings.fileContents <secrets/di.fm/key>;
+  streams = import ../../lib/streams.nix {
+    di-fm-key = ""; # TODO lib.strings.fileContents <secrets/di.fm/key>;
  };
  multi-room-audio-port = 8000;
-  password = lib.strings.fileContents <system-secrets/mpd-web.key>;
 in {
-  imports = [
-    <niveum/modules/tuna.nix>
-  ];
-
  services.syncthing = let
    mpd-directory = config.services.mpd.dataDir;
  in {
@@ -25,10 +20,10 @@ in {
    openDefaultPorts = true;
    configDir = "${mpd-directory}/.config/syncthing";
    dataDir = "${mpd-directory}/.config/syncthing";
-    cert = toString <system-secrets/syncthing/cert.pem>;
-    key = toString <system-secrets/syncthing/key.pem>;
+    cert = config.age.secrets.syncthing-cert.path;
+    key = config.age.secrets.syncthing-key.path;
    devices = {
-      inherit ((import <niveum/lib>).syncthing.devices) kabsa manakish heym;
+      inherit ((import ../../lib).syncthing.devices) kabsa manakish heym;
    };
    folders.${config.services.mpd.musicDirectory} = {
      devices = ["heym" "kabsa" "manakish"];
@@ -105,6 +100,13 @@ in {
    mpd.port = config.services.mpd.network.port;
  };

+  age.secrets = {
+    ympd-basicAuth.file = ../../secrets/zaatar-ympd-basicAuth.age;
+    syncthing-cert.file = ../../secrets/zaatar-syncthing-cert.age;
+    syncthing-key.file = ../../secrets/zaatar-syncthing-key.age;
+    di-fm-key.file = ../../secrets/di-fm-key.age;
+  };
+
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
@@ -112,7 +114,7 @@ in {
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."radio.kmein.r" = {
-      basicAuth.dj = password;
+      basicAuthFile = config.age.secrets.ympd-basicAuth.path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${config.services.ympd.webPort}";
        proxyWebsockets = true;
--- a/systems/zaatar/spotifyd.nix
+++ b/systems/zaatar/spotifyd.nix
@@ -8,8 +8,8 @@
    enable = true;
    settings = {
      global = {
-        username = lib.strings.fileContents <secrets/spotify/username>;
-        password = lib.strings.fileContents <secrets/spotify/password>;
+        username_cmd = "cat ${config.age.secrets.spotify-username.path}";
+        password_cmd = "cat ${config.age.secrets.spotify-password.path}";
        backend = "pulseaudio";
        bitrate = 320;
        device_type = "s_t_b"; # set-top box
@@ -18,6 +18,11 @@
    };
  };

+  age.secrets = {
+    spotify-username.file = ../../secrets/spotify-username.age;
+    spotify-password.file = ../../secrets/spotify-password.age;
+  };
+
  # ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502
  hardware.pulseaudio.extraConfig = ''
    unload-module module-native-protocol-unix