feat: convert to flake

feat(zaatar): convert to flake feat(tahina, tabula): convert to flake feat(makanek): convert to flake feat(manakish, zaatar): convert to flake feat(ci): build flake systems fix: ci build feat: secrets via submodule foo foo foo
2026-03-20 12:01:06 +01:00 · 2023-02-22 10:02:55 +01:00
parent ba27e98297
commit d03c6bb0de
92 changed files with 1656 additions and 934 deletions
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -4,7 +4,7 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) kieran retiolumAddresses restic;
+  inherit (import ../../lib) kieran retiolumAddresses restic;
 in {
  imports = [
    ./gitea.nix
@@ -13,7 +13,6 @@ in {
    ./menstruation.nix
    ./moinbot.nix
    ./monitoring
-    ./moodle-dl-borsfaye.nix
    ./names.nix
    ./nextcloud.nix
    ./radio-news.nix
@@ -23,14 +22,14 @@ in {
    ./tt-rss.nix
    ./urlwatch.nix
    ./weechat.nix
-    <niveum/configs/monitoring.nix>
-    <niveum/configs/nix.nix>
-    <niveum/configs/save-space.nix>
-    <niveum/configs/spacetime.nix>
-    <niveum/configs/sshd.nix>
-    <niveum/configs/retiolum.nix>
-    <niveum/configs/telegram-bots>
-    <niveum/modules/passport.nix>
+    ../../configs/monitoring.nix
+    ../../configs/nix.nix
+    ../../configs/save-space.nix
+    ../../configs/retiolum.nix
+    ../../configs/spacetime.nix
+    ../../configs/sshd.nix
+    ../../configs/telegram-bots
+    ../../modules/passport.nix
  ];

  services.restic.backups.niveum = {
@@ -40,7 +39,7 @@ in {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
-    passwordFile = toString <secrets/restic/password>;
+    passwordFile = config.age.secrets.restic.path;
    paths = [
      "/var/lib/codimd"
      config.services.postgresqlBackup.location
@@ -76,8 +75,6 @@ in {
    ];
  };

-  nix.nixPath = ["/var/src"];
-
  networking = {
    firewall.allowedTCPPorts = [80 443];
    hostName = "makanek";
@@ -86,6 +83,12 @@ in {
    useDHCP = false;
  };

+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/makanek-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/makanek-retiolum-privateKey-ed25519.age;
+    restic.file = ../../secrets/restic.age;
+  };
+
  system.stateVersion = "20.03";

  services.nginx = {
--- a/systems/makanek/gitea.nix
+++ b/systems/makanek/gitea.nix
@@ -1,5 +1,5 @@
 let
-  inherit (import <niveum/lib>) sshPort;
+  inherit (import ../../lib) sshPort;
  domain = "https://code.kmein.de";
 in {
  services.gitea = {
--- a/systems/makanek/hardware-configuration.nix
+++ b/systems/makanek/hardware-configuration.nix
@@ -2,9 +2,10 @@
  config,
  lib,
  pkgs,
+  modulesPath,
  ...
 }: {
-  imports = [<nixpkgs/nixos/modules/profiles/qemu-guest.nix>];
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];

  boot = {
    initrd = {
--- a/systems/makanek/hedgedoc.nix
+++ b/systems/makanek/hedgedoc.nix
@@ -6,7 +6,7 @@
  backupLocation = "/var/lib/codimd-backup";
  stateLocation = "/var/lib/codimd/state.sqlite";
  domain = "pad.kmein.de";
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../../lib) tmpfilesConfig;
 in {
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
--- a/systems/makanek/menstruation.nix
+++ b/systems/makanek/menstruation.nix
@@ -1,16 +1,10 @@
 {
+  config,
  pkgs,
  lib,
+  inputs,
  ...
 }: let
-  backend = pkgs.callPackage <menstruation-backend> {};
-  old-pkgs = import (pkgs.fetchFromGitHub {
-    owner = "NixOs";
-    repo = "nixpkgs";
-    rev = "695b3515251873e0a7e2021add4bba643c56cde3";
-    hash = "sha256-T86oFvcUIRwHWBWUt7WjaP4BP/3lDGbv5AppQSI1FkI=";
-  }) {};
-  telegram = old-pkgs.poetry2nix.mkPoetryApplication {projectDir = <menstruation-telegram>;};
  backendPort = 8000;
 in {
  services.redis.servers.menstruation = {
@@ -36,24 +30,32 @@ in {
    ];
    wantedBy = ["multi-user.target"];
    environment = {
-      MENSTRUATION_TOKEN = lib.strings.fileContents <system-secrets/telegram/menstruation.token>;
      MENSTRUATION_ENDPOINT = "http://localhost:${toString backendPort}";
      MENSTRUATION_MODERATORS = "18980945";
    };
+    script = ''
+      set -efu
+      export MENSTRUATION_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/menstruation-token")"
+      ${inputs.menstruation-telegram.defaultPackage.x86_64-linux}/bin/menstruation-telegram
+    '';
    serviceConfig = {
      Restart = "always";
      DynamicUser = true;
-      ExecStart = "${telegram}/bin/menstruation-telegram";
+      LoadCredential = [
+        "menstruation-token:${config.age.secrets.telegram-token-menstruation.path}"
+      ];
    };
  };

+  age.secrets.telegram-token-menstruation.file = ../../secrets/telegram-token-menstruation.age;
+
  systemd.services.menstruation-backend = {
    wants = ["network-online.target"];
    environment.ROCKET_PORT = toString backendPort;
    serviceConfig = {
      Restart = "always";
      DynamicUser = true;
-      ExecStart = "${backend}/bin/menstruation_server";
+      ExecStart = "${inputs.menstruation-backend.defaultPackage.x86_64-linux}/bin/menstruation_server";
    };
  };
 }
--- a/systems/makanek/moinbot.nix
+++ b/systems/makanek/moinbot.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
  systemd.services.moinbot = {
    startAt = "7:00";
    script = ''
@@ -8,7 +12,7 @@
      MOIN
      OI
      moi" | shuf -n1)
-      echo "$greeting" | ${pkgs.ircaids}/bin/ircsink \
+      echo "$greeting" | ${config.nur.repos.mic92.ircsink}/bin/ircsink \
        --nick "$greeting""bot" \
        --server irc.hackint.org \
        --port 6697 \
--- a/systems/makanek/monitoring/default.nix
+++ b/systems/makanek/monitoring/default.nix
@@ -6,7 +6,7 @@
 }: let
  lokiConfig = import ./loki.nix;
  blackboxConfig = import ./blackbox.nix;
-  inherit (import <niveum/lib>) restic;
+  inherit (import ../../../lib) restic;
 in {
  services.grafana = {
    enable = true;
@@ -17,12 +17,12 @@ in {
        http_addr = "127.0.0.1";
      };
      smtp = let
-        inherit (import <niveum/lib/email.nix> {inherit lib;}) cock;
+        inherit (import ../../../lib/email.nix {inherit lib;}) cock;
        address = builtins.split "@" cock.user;
      in {
        enabled = true;
        from_address = cock.address;
-        password = cock.password;
+        password = "$__file{${config.age.secrets.email-password-cock.path}}";
        user = cock.user;
        host = cock.smtpSettings cock.smtp;
        startTLS_policy = "MandatoryStartTLS";
@@ -30,7 +30,7 @@ in {
      dashboards.default_home_dashboard_path = toString ./grafana-dashboards/niveum.json;
      security = {
        admin_user = "admin";
-        admin_password = lib.strings.fileContents <system-secrets/grafana/admin>;
+        admin_password = "$__file{${config.age.secrets.grafana-password-admin.path}}";
      };
    };
    provision = {
@@ -196,6 +196,7 @@ in {
    enable = true;
    listenAddress = "localhost";
    webExternalUrl = "http://alertmanager.kmein.r";
+    environmentFile = config.age.secrets.alertmanager-token-reporters.path;
    configuration = {
      route = {
        group_wait = "30s";
@@ -207,7 +208,7 @@ in {
          name = "all";
          telegram_configs = [
            {
-              bot_token = lib.strings.fileContents <system-secrets/telegram/prometheus.token>;
+              bot_token = "$TELEGRAM_TOKEN";
              chat_id = 18980945;
              parse_mode = "";
              api_url = "https://api.telegram.org";
@@ -220,8 +221,8 @@ in {
            }
          ];
          email_configs = let
-            inherit (import <niveum/lib>) kieran;
-            inherit (import <niveum/lib/email.nix> {inherit lib;}) cock;
+            inherit (import ../../../lib) kieran;
+            inherit (import ../../../lib/email.nix {inherit lib;}) cock;
          in [
            {
              send_resolved = true;
@@ -230,7 +231,7 @@ in {
              smarthost = "${cock.smtp}:587";
              auth_username = cock.user;
              auth_identity = cock.user;
-              auth_password = cock.password;
+              auth_password = "$EMAIL_PASSWORD";
            }
          ];
        }
@@ -238,6 +239,27 @@ in {
    };
  };

+  age.secrets = {
+    email-password-cock = {
+      file = ../../../secrets/email-password-cock.age;
+      owner = "grafana";
+      group = "grafana";
+      mode = "440";
+    };
+    grafana-password-admin = {
+      file = ../../../secrets/grafana-password-admin.age;
+      owner = "grafana";
+      group = "grafana";
+      mode = "440";
+    };
+    alertmanager-token-reporters = {
+      file = ../../../secrets/alertmanager-token-reporters.age;
+      owner = "prometheus";
+      group = "prometheus";
+      mode = "440";
+    };
+  };
+
  services.prometheus.alertmanagers = [
    {
      scheme = "http";
--- a/systems/makanek/names.nix
+++ b/systems/makanek/names.nix
@@ -1,10 +1,11 @@
 {
  pkgs,
  lib,
+  inputs,
  ...
 }: let
  port = 5703;
-  onomap-src = "${<scripts>}/onomastics-ng";
+  onomap-src = inputs.scripts.outPath + "/onomastics-ng";
  onomap = pkgs.haskellPackages.callCabal2nix "onomap" onomap-src {};
 in {
  systemd.services.names = {
--- a/systems/makanek/nextcloud.nix
+++ b/systems/makanek/nextcloud.nix
@@ -4,9 +4,23 @@
  lib,
  ...
 }: let
-  passwordFile = path: toString (pkgs.writeText "password" (lib.strings.fileContents path));
-  inherit (import <niveum/lib>) localAddresses;
+  inherit (import ../../lib) localAddresses;
 in {
+  age.secrets = {
+    nextcloud-password-database = {
+      file = ../../secrets/nextcloud-password-database.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+      mode = "440";
+    };
+    nextcloud-password-admin = {
+      file = ../../secrets/nextcloud-password-admin.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+      mode = "440";
+    };
+  };
+
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud25;
@@ -30,8 +44,8 @@ in {
      dbuser = "nextcloud";
      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
      dbname = "nextcloud";
-      dbpassFile = passwordFile <system-secrets/nextcloud/database>;
-      adminpassFile = passwordFile <system-secrets/nextcloud/admin>;
+      dbpassFile = config.age.secrets.nextcloud-password-database.path;
+      adminpassFile = config.age.secrets.nextcloud-password-admin.path;
      adminuser = "admin";
      # extraTrustedDomains = [ "toum.r" ];
      defaultPhoneRegion = "DE";
@@ -40,7 +54,7 @@ in {
    logLevel = 2;

    extraOptions = let
-      inherit (import <niveum/lib/email.nix> {inherit lib;}) cock;
+      inherit (import ../../lib/email.nix {inherit lib;}) cock;
      address = builtins.split "@" cock.user;
    in {
      defaultapp = "files";
@@ -54,7 +68,7 @@ in {
      mail_smtpauthtype = "LOGIN";
      mail_smtpauth = 1;
      mail_smtpname = cock.user;
-      mail_smtppassword = cock.password;
+      # mail_smtppassword = cock.password; # TODO how to do this?
    };
  };

--- a/systems/makanek/radio-news.nix
+++ b/systems/makanek/radio-news.nix
@@ -3,10 +3,10 @@
  lib,
  ...
 }: let
-  inherit (import <niveum/lib>) serveHtml;
+  inherit (import ../../lib) serveHtml;
  remote = "https://cgit.lassul.us/stockholm";
 in {
-  services.nginx.virtualHosts."redaktion.r".locations."/".extraConfig = serveHtml <niveum/lib/radio-news.html> pkgs;
+  services.nginx.virtualHosts."redaktion.r".locations."/".extraConfig = serveHtml ../../lib/radio-news.html pkgs;

  niveum.passport.services = [
    {
--- a/systems/makanek/radio.nix
+++ b/systems/makanek/radio.nix
@@ -4,7 +4,7 @@
  config,
  ...
 }: let
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  inherit (import ../../lib) tmpfilesConfig;
  liquidsoapDirectory = "/var/cache/liquidsoap";
  icecastPassword = "hackme";
  lyrikline-poem = pkgs.writers.writeDash "lyrikline.sh" ''
--- a/systems/makanek/retiolum-map.nix
+++ b/systems/makanek/retiolum-map.nix
@@ -2,6 +2,7 @@
  config,
  pkgs,
  lib,
+  inputs,
  ...
 }: let
  network = "retiolum";
@@ -11,7 +12,7 @@
  geo-ip-database = "${lib.head config.services.geoipupdate.settings.EditionIDs}.mmdb";
  geo-ip-database-path = "${config.services.geoipupdate.settings.DatabaseDirectory}/${geo-ip-database}";

-  tinc-graph = pkgs.callPackage <tinc-graph> {};
+  tinc-graph = inputs.tinc-graph.defaultPackage.x86_64-linux;
 in {
  systemd.services.retiolum-index = {
    description = "Retiolum indexing service";
@@ -39,11 +40,13 @@ in {
    enable = true;
    settings = {
      AccountID = 608777;
-      LicenseKey = toString <system-secrets/maxmind/license.key>;
+      LicenseKey._secret = config.age.secrets.maxmind-license-key.path;
      EditionIDs = ["GeoLite2-City"];
    };
  };

+  age.secrets.maxmind-license-key.file = ../../secrets/maxmind-license-key.age;
+
  niveum.passport.services = [
    {
      link = "http://graph.r";
@@ -71,9 +74,7 @@ in {
  systemd.services.geoip-share = {
    after = ["geoipupdate.service"];
    wantedBy = ["geoipupdate.service"];
-    script = let
-      cyberlocker-tools = pkgs.callPackage <stockholm/krebs/5pkgs/simple/cyberlocker-tools> {};
-    in "${cyberlocker-tools}/bin/cput ${geo-ip-database} < ${geo-ip-database-path}";
+    script = "${pkgs.curl}/bin/curl -fSs --data-binary @${geo-ip-database-path} http://c.r/${geo-ip-database} ";
    serviceConfig = {
      Type = "oneshot";
      DynamicUser = true;
--- a/systems/makanek/tarot.nix
+++ b/systems/makanek/tarot.nix
@@ -15,35 +15,34 @@
    sha256 = "1n2m53kjg2vj9dbr70b9jrsbqwdfrcb48l4wswn21549fi24g6dx";
  };
 in {
-  imports = [<stockholm/krebs/3modules/htgen.nix>];
+  imports = [../../modules/htgen.nix];

-  krebs.htgen.tarot = {
+  services.htgen.tarot = {
    port = tarotPort;
-    user.name = "radio";
-    scriptFile = pkgs.writers.writeDash "tarot" ''
-      case "$Method $Request_URI" in
-        "GET /")
-          if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then
-            card=$(mktemp --tmpdir tarot.XXX)
-            trap 'rm $card' EXIT
-            reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1)
-            if [ "$reverse" -eq 1 ]; then
-              ${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card"
-            else
-              ${pkgs.coreutils}/bin/cp "$item" "$card"
+    script = ''. ${pkgs.writers.writeDash "tarot" ''
+        case "$Method $Request_URI" in
+          "GET /")
+            if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then
+              card=$(mktemp --tmpdir tarot.XXX)
+              trap 'rm $card' EXIT
+              reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1)
+              if [ "$reverse" -eq 1 ]; then
+                ${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card"
+              else
+                ${pkgs.coreutils}/bin/cp "$item" "$card"
+              fi
+              printf 'HTTP/1.1 200 OK\r\n'
+              printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")"
+              printf 'Server: %s\r\n' "$Server"
+              printf 'Connection: close\r\n'
+              printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card")
+              printf '\r\n'
+              cat "$card"
+              exit
            fi
-            printf 'HTTP/1.1 200 OK\r\n'
-            printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")"
-            printf 'Server: %s\r\n' "$Server"
-            printf 'Connection: close\r\n'
-            printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card")
-            printf '\r\n'
-            cat "$card"
-            exit
-          fi
-        ;;
-      esac
-    '';
+          ;;
+        esac
+      ''}'';
  };

  niveum.passport.services = [
--- a/systems/makanek/tt-rss.nix
+++ b/systems/makanek/tt-rss.nix
@@ -9,10 +9,7 @@
 in {
  services.miniflux = {
    enable = true;
-    adminCredentialsFile = pkgs.writeText "miniflux" ''
-      ADMIN_USERNAME='kfm'
-      ADMIN_PASSWORD='${lib.strings.fileContents <secrets/miniflux/password>}'
-    '';
+    adminCredentialsFile = config.age.secrets.miniflux-credentials.path;
    config = {
      FETCH_YOUTUBE_WATCH_TIME = "1";
      POLLING_FREQUENCY = "20";
@@ -22,6 +19,8 @@ in {
    };
  };

+  age.secrets.miniflux-credentials.file = ../../secrets/miniflux-credentials.age;
+
  services.postgresqlBackup = {
    enable = true;
    databases = ["miniflux"];
--- a/systems/makanek/urlwatch.nix
+++ b/systems/makanek/urlwatch.nix
@@ -4,7 +4,7 @@
  lib,
  ...
 }: let
-  inherit (import <niveum/lib>) kieran;
+  inherit (import ../../lib) kieran;

  urlwatchDir = "/var/lib/urlwatch";

@@ -141,14 +141,14 @@
          port = 587;
          starttls = true;
          auth = true;
-          insecure_password = lib.strings.fileContents <secrets/mail/cock>;
+          # insecure_password = lib.strings.fileContents <secrets/mail/cock>; TODO how?
        };
        subject = "{count} changes: {jobs}";
        to = kieran.email;
      };
      telegram = {
        enabled = false;
-        bot_token = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
+        # bot_token = lib.strings.fileContents <system-secrets/telegram/kmein.token>; TODO how?
        chat_id = "-1001504043752";
      };
      html.diff = "unified";
@@ -165,7 +165,7 @@
    };
  };
  urlwatch = pkgs.urlwatch.overrideAttrs (attrs: {
-    patches = [<niveum/packages/urlwatch-insecure.patch>];
+    patches = [../../packages/urlwatch-insecure.patch];
  });
 in {
  users.extraUsers.urlwatch = {
--- a/systems/makanek/weechat.nix
+++ b/systems/makanek/weechat.nix
@@ -3,9 +3,9 @@
  pkgs,
  ...
 }: let
-  inherit (import <niveum/lib>) kieran;
-  relayPassword = lib.fileContents <system-secrets/weechat/relay>;
+  inherit (import ../../lib) kieran;
  weechatHome = "/var/lib/weechat";
+  weechat-declarative = pkgs.callPackage ../../packages/weechat-declarative.nix {};
 in {
  systemd.services.weechat = let
    tmux = pkgs.writers.writeDash "tmux" ''
@@ -26,13 +26,13 @@ in {
        ''
      } "$@"
    '';
-    weechat = pkgs.weechat-declarative.override {
+    weechat = weechat-declarative.override {
      config = {
        scripts = [
          pkgs.weechatScripts.weechat-autosort
          pkgs.weechatScripts.colorize_nicks
          pkgs.weechatScripts.weechat-matrix
-          (pkgs.callPackage <niveum/packages/weechatScripts/hotlist2extern.nix> {})
+          (pkgs.callPackage ../../packages/weechatScripts/hotlist2extern.nix {})
        ];
        settings = let
          nick = "kmein";
@@ -63,7 +63,7 @@ in {
                autojoin = ["#eloop" "#krebs" "#hsmr" "#hsmr-moin" "#nixos" "#the_playlist" "#flipdot-berlin" "#hackint"];
                sasl_mechanism = "plain";
                sasl_username = nick;
-                sasl_password = lib.strings.fileContents <system-secrets/irc/hackint>;
+                sasl_password = "\${sec.data.hackint_sasl}";
              };
              libera = {
                autoconnect = true;
@@ -72,7 +72,7 @@ in {
                autojoin = ["#flipdot" "#haskell" "#nixos" "#fysi" "#binaergewitter" "#vim" "#newsboat"];
                sasl_mechanism = "plain";
                sasl_username = nick;
-                sasl_password = lib.strings.fileContents <system-secrets/irc/libera>;
+                sasl_password = "\${sec.data.libera_sasl}";
              };
              oftc = {
                autoconnect = true;
@@ -80,7 +80,7 @@ in {
                ssl = true;
                ipv6 = true;
                command = lib.concatStringsSep "\\;" [
-                  "/msg nickserv identify ${lib.strings.fileContents <system-secrets/irc/oftc>}"
+                  "/msg nickserv identify  \${sec.data.oftc_account}"
                  "/msg nickserv set cloak on"
                ];
                autojoin = ["#home-manager"];
@@ -97,7 +97,7 @@ in {
                ];
                sasl_mechanism = "plain";
                sasl_username = nick;
-                sasl_password = lib.strings.fileContents <system-secrets/irc/retiolum>;
+                sasl_password = "\${sec.data.retiolum_sasl}";
              };
              news = {
                autoconnect = true;
@@ -121,13 +121,13 @@ in {
          matrix.server.nibbana = {
            address = "nibbana.jp";
            username = nick;
-            password = lib.strings.fileContents <system-secrets/matrix/nibbana>;
+            password = "\${sec.data.nibbana_account}";
            autoconnect = true;
          };
          alias.cmd.mod = "/quote omode $channel +o $nick";
          relay = {
            port.weechat = 9000;
-            network.password = relayPassword;
+            network.password = "\${sec.data.relay_password}";
          };
          filters = {
            zerocovid = {
@@ -202,6 +202,14 @@ in {
    packages = [pkgs.tmux];
  };

+  age.secrets.weechat-sec = {
+    file = ../../secrets/weechat-sec.conf.age;
+    path = "/var/lib/weechat/sec.conf";
+    owner = "weechat";
+    group = "weechat";
+    mode = "440";
+  };
+
  niveum.passport.services = [
    {
      title = "weechat bouncer";