feat: convert to flake

feat(zaatar): convert to flake feat(tahina, tabula): convert to flake feat(makanek): convert to flake feat(manakish, zaatar): convert to flake feat(ci): build flake systems fix: ci build feat: secrets via submodule foo foo foo
2026-03-16 10:11:08 +01:00 · 2023-02-22 10:02:55 +01:00
parent ba27e98297
commit d03c6bb0de
92 changed files with 1656 additions and 934 deletions
--- a/systems/zaatar/atuin.nix
+++ b/systems/zaatar/atuin.nix
@@ -1,6 +1,9 @@
-{config, ...}: let
-  inherit (import <niveum/lib>) tmpfilesConfig;
-  unstable = import <nixos-unstable> {inherit (config.nixpkgs) config;};
+{
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (import ../../lib) tmpfilesConfig;
 in {
  services.postgresql = {
    enable = true;
@@ -47,7 +50,7 @@ in {
    };
    serviceConfig = {
      User = "atuin";
-      ExecStart = "${unstable.atuin}/bin/atuin server start";
+      ExecStart = "${pkgs.atuin}/bin/atuin server start";
      Restart = "on-failure";
    };
  };
--- a/systems/zaatar/backup.nix
+++ b/systems/zaatar/backup.nix
@@ -1,9 +1,10 @@
 {
+  config,
  pkgs,
  lib,
  ...
 }: let
-  niveumLib = import <niveum/lib>;
+  niveumLib = import ../../lib;
  inherit (niveumLib) retiolumAddresses restic;
  firewall = niveumLib.firewall lib;
  dataDir = "/backup/restic";
@@ -19,7 +20,7 @@ in {

  environment.systemPackages = [
    (pkgs.writers.writeDashBin "restic-niveum" ''
-      exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${<secrets/restic/password>} "$@"
+      exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${config.age.secrets.restic.path} "$@"
    '')
  ];

--- a/systems/zaatar/configuration.nix
+++ b/systems/zaatar/configuration.nix
@@ -4,7 +4,7 @@
  lib,
  ...
 }: let
-  inherit (import <niveum/lib>) retiolumAddresses restic;
+  inherit (import ../../lib) retiolumAddresses restic;
 in {
  imports = [
    ./atuin.nix
@@ -18,18 +18,23 @@ in {
    ./mpd.nix
    ./grocy.nix
    ./spotifyd.nix
-    <niveum/configs/keyboard.nix>
-    <niveum/configs/monitoring.nix>
-    <niveum/configs/nix.nix>
-    <niveum/configs/printing.nix>
-    <niveum/configs/spacetime.nix>
-    <niveum/configs/sshd.nix>
-    # <niveum/configs/traadfri.nix>
-    <niveum/configs/tmux.nix>
-    <niveum/configs/retiolum.nix>
-    <niveum/configs/wpa_supplicant.nix>
+    ../../configs/keyboard.nix
+    ../../configs/monitoring.nix
+    ../../configs/retiolum.nix
+    ../../configs/printing.nix
+    ../../configs/spacetime.nix
+    ../../configs/sshd.nix
+    ../../configs/tmux.nix
+    ../../configs/wpa_supplicant.nix
+    ../../configs/nix.nix
  ];

+  age.secrets = {
+    retiolum-rsa.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
+    retiolum-ed25519.file = ../../secrets/zaatar-retiolum-privateKey-rsa.age;
+    restic.file = ../../secrets/restic.age;
+  };
+
  services.restic.backups.moodle-dl = {
    initialize = true;
    inherit (restic) repository;
@@ -37,7 +42,7 @@ in {
      OnCalendar = "daily";
      RandomizedDelaySec = "1h";
    };
-    passwordFile = toString <secrets/restic/password>;
+    passwordFile = config.age.secrets.restic.path;
    paths = [
      "/var/lib/moodle-dl"
      "/var/lib/containers/storage/volumes/home-assistant"
@@ -56,7 +61,7 @@ in {
  services.illum.enable = true;

  environment.systemPackages = let
-    worldradio = pkgs.callPackage <niveum/packages/worldradio.nix> {};
+    worldradio = pkgs.callPackage ../../packages/worldradio.nix {};
  in [
    (pkgs.writers.writeDashBin "mpv" ''${pkgs.mpv}/bin/mpv --no-video "$@"'')
    (pkgs.writers.writeDashBin "worldradio" ''
--- a/systems/zaatar/hardware-configuration.nix
+++ b/systems/zaatar/hardware-configuration.nix
@@ -2,9 +2,10 @@
  config,
  lib,
  pkgs,
+  modulesPath,
  ...
 }: {
-  imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];

  boot = {
    initrd.availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" "rtsx_usb_sdmmc"];
--- a/systems/zaatar/moodle-dl-meinhark.nix
+++ b/systems/zaatar/moodle-dl-meinhark.nix
@@ -7,22 +7,26 @@
  moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old:
    old
    // {
-      patches = [<niveum/packages/moodle-dl/telegram-format.patch>];
+      patches = [../../packages/moodle-dl/telegram-format.patch];
    });
 in {
-  imports = [<niveum/modules/moodle-dl.nix>];
+  imports = [../../modules/moodle-dl.nix];
+
+  age.secrets = {
+    moodle-dl-tokens.file = ../../secrets/zaatar-moodle-dl-tokens.json.age;
+    moodle-dl-basicAuth.file = ../../secrets/zaatar-moodle-dl-basicAuth.age;
+  };

  services.moodle-dl = {
    enable = true;
    startAt = "hourly";
    package = moodle-dl-package;
+    tokensFile = config.age.secrets.moodle-dl-tokens.path;
    settings = {
      telegram = {
-        token = lib.strings.fileContents <system-secrets/telegram/moodle-dl.token>;
        chat_id = "18980945";
        send_error_msg = false;
      };
-      token = lib.strings.fileContents <system-secrets/moodle.token>;
      moodle_domain = "moodle.hu-berlin.de";
      moodle_path = "/";
      download_course_ids = [
@@ -103,11 +107,8 @@ in {

  services.nginx.enable = true;

-  services.nginx.virtualHosts."moodle.kmein.r" = let
-    identity = lib.strings.fileContents <secrets/eduroam/identity>;
-    password = lib.strings.fileContents <secrets/eduroam/password>;
-  in {
-    basicAuth."${identity}" = password;
+  services.nginx.virtualHosts."moodle.kmein.r" = {
+    basicAuthFile = config.age.secrets.moodle-dl-basicAuth.path;
    locations."/" = {
      root = config.services.moodle-dl.directory;
      extraConfig = ''
@@ -120,7 +121,7 @@ in {
  services.nfs.server = {
    enable = true;
    exports = let
-      machines = with (import <niveum/lib>).retiolumAddresses; [kabsa manakish];
+      machines = with (import ../../lib).retiolumAddresses; [kabsa manakish];
    in ''
      /export        ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(fsid=0)") machines}
      /export/moodle ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(insecure,rw)") machines}
--- a/systems/zaatar/mpd.nix
+++ b/systems/zaatar/mpd.nix
@@ -4,19 +4,14 @@
  lib,
  ...
 }: let
-  firewall = (import <niveum/lib>).firewall lib;
-  inherit (import <niveum/lib>) tmpfilesConfig;
+  firewall = (import ../../lib).firewall lib;
+  inherit (import ../../lib) tmpfilesConfig;

-  streams = import <niveum/lib/streams.nix> {
-    di-fm-key = lib.strings.fileContents <secrets/di.fm/key>;
+  streams = import ../../lib/streams.nix {
+    di-fm-key = ""; # TODO lib.strings.fileContents <secrets/di.fm/key>;
  };
  multi-room-audio-port = 8000;
-  password = lib.strings.fileContents <system-secrets/mpd-web.key>;
 in {
-  imports = [
-    <niveum/modules/tuna.nix>
-  ];
-
  services.syncthing = let
    mpd-directory = config.services.mpd.dataDir;
  in {
@@ -25,10 +20,10 @@ in {
    openDefaultPorts = true;
    configDir = "${mpd-directory}/.config/syncthing";
    dataDir = "${mpd-directory}/.config/syncthing";
-    cert = toString <system-secrets/syncthing/cert.pem>;
-    key = toString <system-secrets/syncthing/key.pem>;
+    cert = config.age.secrets.syncthing-cert.path;
+    key = config.age.secrets.syncthing-key.path;
    devices = {
-      inherit ((import <niveum/lib>).syncthing.devices) kabsa manakish heym;
+      inherit ((import ../../lib).syncthing.devices) kabsa manakish heym;
    };
    folders.${config.services.mpd.musicDirectory} = {
      devices = ["heym" "kabsa" "manakish"];
@@ -105,6 +100,13 @@ in {
    mpd.port = config.services.mpd.network.port;
  };

+  age.secrets = {
+    ympd-basicAuth.file = ../../secrets/zaatar-ympd-basicAuth.age;
+    syncthing-cert.file = ../../secrets/zaatar-syncthing-cert.age;
+    syncthing-key.file = ../../secrets/zaatar-syncthing-key.age;
+    di-fm-key.file = ../../secrets/di-fm-key.age;
+  };
+
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
@@ -112,7 +114,7 @@ in {
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."radio.kmein.r" = {
-      basicAuth.dj = password;
+      basicAuthFile = config.age.secrets.ympd-basicAuth.path;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${config.services.ympd.webPort}";
        proxyWebsockets = true;
--- a/systems/zaatar/spotifyd.nix
+++ b/systems/zaatar/spotifyd.nix
@@ -8,8 +8,8 @@
    enable = true;
    settings = {
      global = {
-        username = lib.strings.fileContents <secrets/spotify/username>;
-        password = lib.strings.fileContents <secrets/spotify/password>;
+        username_cmd = "cat ${config.age.secrets.spotify-username.path}";
+        password_cmd = "cat ${config.age.secrets.spotify-password.path}";
        backend = "pulseaudio";
        bitrate = 320;
        device_type = "s_t_b"; # set-top box
@@ -18,6 +18,11 @@
    };
  };

+  age.secrets = {
+    spotify-username.file = ../../secrets/spotify-username.age;
+    spotify-password.file = ../../secrets/spotify-password.age;
+  };
+
  # ref https://github.com/NixOS/nixpkgs/issues/71362#issuecomment-753461502
  hardware.pulseaudio.extraConfig = ''
    unload-module module-native-protocol-unix