workhorse using flake

2021-10-31 17:49:44 +01:00 · 2021-10-31 17:49:44 +01:00 · 87be340dfa
parent 11d07f2dd8
commit 87be340dfa
17 changed files with 126 additions and 190 deletions
--- a/flake.lock
+++ b/flake.lock
@ -62,7 +62,7 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "narHash": "sha256-7kNQHKkMjjTBPgRzHh34KqbcorqgEyGcu8UQfFxEvb8=",
+        "narHash": "sha256-tsXsKNsa6/AqhXV6YxsSweX++YlwzQuWt0KeaV3SMgQ=",
        "path": "/home/palo/dev/secrets",
        "type": "path"
      },
--- a/nixos/configs/pepe/taskwarrior-pushover.nix
+++ b/nixos/configs/pepe/taskwarrior-pushover.nix
@ -11,6 +11,7 @@

  services.taskwarrior-pushover = {
    enable = true;
+    recurrence="on";
    onCalendar = "06:30:00";
    server = "taskd.ingolf-wagner.de:53589";
    pushoverApiTokenFile = config.sops.secrets.pushoverApiToken.path;
--- a/nixos/configs/workhorse/configuration.nix
+++ b/nixos/configs/workhorse/configuration.nix
@ -4,43 +4,45 @@
    ../../system/server
    ./hardware-configuration.nix

+    ./mail-fetcher.nix
+    ./transmission.nix
+    ./nextcloud.nix
+
+    ./borg.nix
+    ./finance.nix
    ./gogs.nix
    ./grafana.nix
    ./graylog.nix
    ./jenkins.nix
    ./kibana.nix
-    ./mail-fetcher.nix
+    ./mysql.nix
    ./packages.nix
    ./prometheus.nix
    ./syncthing.nix
    ./taskserver.nix
    ./tinc.nix
-    ./transmission.nix
    ./weechat.nix
-    ./nextcloud.nix
-    ./borg.nix
-    #./metabase.nix
-    #./jupyter.nix
-    ./mysql.nix
-    #./property.nix flask sucks, find something else
-    ./finance.nix
-    #./mining.nix
+
+    #./property.nix # flask sucks, find something else
+
  ];

+  sops.defaultSopsFile = ../../secrets/workhorse.yaml;
+
  nixpkgs.config.permittedInsecurePackages =
-    [ "gogs-0.11.91" "nextcloud-19.0.6" ];
+    [ "gogs-0.11.91" ];

  # todo: add this to each file instead summing that here
-  on-failure.plans = {
-    gogs.name = "gogs";
-    jenkins.name = "jenkins";
-    graylog.name = "graylog";
-    prometheus.name = "prometheus";
-    taskserver.name = "taskserver";
-    weechat.name = "weechat";
-    transmission.name = "transmission";
-    mail-fetcher.name = "fetchmail";
-  };
+  #on-failure.plans = {
+  #  gogs.name = "gogs";
+  #  jenkins.name = "jenkins";
+  #  graylog.name = "graylog";
+  #  prometheus.name = "prometheus";
+  #  taskserver.name = "taskserver";
+  #  weechat.name = "weechat";
+  #  transmission.name = "transmission";
+  #  mail-fetcher.name = "fetchmail";
+  #};

  networking.hostName = "workhorse";

--- a/nixos/configs/workhorse/finance.nix
+++ b/nixos/configs/workhorse/finance.nix
@ -17,7 +17,7 @@ let
  # ];
  # results in
  # P 2020-01-30 GOOGL $123
-  stocks = import <secrets/finance/stocks>;
+  stocks = import ../../private_assets/finance/stocks;
  stocksFile = toString /home/syncthing/finance/hledger/stocks.journal;

 in {
@ -32,7 +32,7 @@ in {

    script = let
      command = { symbol, name, currency, ... }: ''
-        APIKEY=${lib.fileContents <secrets/finance/alphavantage/apikey>}
+        APIKEY=${lib.fileContents ../../private_assets/finance/alphavantage/apiKey}
        SYMBOL="${symbol}"
        ${pkgs.curl}/bin/curl --location --silent \
          "https://www.alphavantage.co/query?function=GLOBAL_QUOTE&symbol=$SYMBOL&apikey=$APIKEY" \
--- a/nixos/configs/workhorse/graylog.nix
+++ b/nixos/configs/workhorse/graylog.nix
@ -45,11 +45,11 @@ in {

  # pwgen -N 1 -s 96
  services.graylog.passwordSecret =
-    lib.fileContents <secrets/graylog/password-secret>;
+    lib.fileContents ../../private_assets/graylog/password-secret;

  # echo -n yourpassword | shasum -a 256
  services.graylog.rootPasswordSha2 =
-    lib.fileContents <secrets/graylog/root-password-hash>;
+    lib.fileContents ../../private_assets/graylog/root-password-hash;

  services.graylog.plugins = [ pkgs.graylogPlugins.slack ];

--- a/nixos/configs/workhorse/jenkins.nix
+++ b/nixos/configs/workhorse/jenkins.nix
@ -36,9 +36,11 @@ in {
    };
  };

+  sops.secrets.jenkins_token = { };
+
  krops.userKeys."accessToken" = {
    user = "jenkins";
-    source = toString <secrets/jenkins/accessToken>;
+    source = config.sops.secrets.jenkins_token.path;
    requiredBy = [ "jenkins-job-builder.service" ];
  };

--- a/nixos/configs/workhorse/mail-fetcher.nix
+++ b/nixos/configs/workhorse/mail-fetcher.nix
@ -424,47 +424,20 @@ in {
    home = "/home/mailfetcher";
    openssh.authorizedKeys.keyFiles =
      config.users.users.root.openssh.authorizedKeys.keyFiles;
+    group = "mailfetcher";
  };

-  # configure passwords
-  krops.userKeys = {
-    "namecheap.terranix.org" = {
-      user = config.users.users.mailUser.name;
-      source = toString <secrets/mail/namecheap/terranix.org>;
-      requiredBy = [ "fetchmail.service" ];
-    };
-    "gmail.palipalo9" = {
-      user = config.users.users.mailUser.name;
-      source = toString <secrets/mail/gmail/palipalo9>;
-      requiredBy = [ "fetchmail.service" ];
-    };
-    "gmx.palo_van_dalo" = {
-      user = config.users.users.mailUser.name;
-      source = toString <secrets/mail/gmx/palo_van_dalo>;
-      requiredBy = [ "fetchmail.service" ];
-    };
-    "gmx.ingolf_wagner" = {
-      user = config.users.users.mailUser.name;
-      source = toString <secrets/mail/gmx/ingolf.wagner>;
-      requiredBy = [ "fetchmail.service" ];
-    };
-    "web.pali_palo" = {
-      user = config.users.users.mailUser.name;
-      source = toString <secrets/mail/web.de/pali_palo>;
-      requiredBy = [ "fetchmail.service" ];
-    };
-    "siteground.contact" = {
-      user = config.users.users.mailUser.name;
-      source = toString <secrets/mail/siteground/contact>;
-      requiredBy = [ "fetchmail.service" ];
-    };
-    "c-base.palo" = {
-      user = config.users.users.mailUser.name;
-      source = toString <secrets/mail/c-base/palo>;
-      requiredBy = [ "fetchmail.service" ];
-    };
+  users.groups.mailUser = {
+    name = "mailfetcher";
  };

+  sops.secrets.mail_terranix.owner = "mailUser";
+  sops.secrets.mail_gmail.owner = "mailUser";
+  sops.secrets.mail_gmx_palo.owner = "mailUser";
+  sops.secrets.mail_gmx_ingolf.owner = "mailUser";
+  sops.secrets.mail_web.owner = "mailUser";
+  sops.secrets.mail_siteground.owner = "mailUser";
+
  environment.systemPackages = [ pkgs.muchsync ];

  # configure accounts
@ -478,7 +451,7 @@ in {
        realName = "Ingolf Wagner";
        userName = "palo_van_dalo@gmx.de";
        passwordCommand =
-          "cat ${toString config.krops.userKeys."gmx.palo_van_dalo".target}";
+          "cat ${toString config.sops.secrets.mail_gmx_palo.path }";
        imap = {
          host = "imap.gmx.net";
          tls.enable = true;
@ -498,7 +471,7 @@ in {
        realName = "Ingolf Wagner";
        userName = "ingolf.wagner@gmx.de";
        passwordCommand =
-          "cat ${toString config.krops.userKeys."gmx.ingolf_wagner".target}";
+          "cat ${toString config.sops.secrets.mail_gmx_ingolf.path }";
        imap = {
          host = "imap.gmx.net";
          tls.enable = true;
@ -518,7 +491,7 @@ in {
        realName = "Ingolf Wagner";
        userName = "pali_palo@web.de";
        passwordCommand =
-          "cat ${toString config.krops.userKeys."web.pali_palo".target}";
+          "cat ${toString config.sops.secrets.mail_web.path }";
        imap = {
          host = "imap.web.de";
          tls.enable = true;
@ -531,57 +504,6 @@ in {
        notmuch.enable = true;
      };

-      c-base = {
-        primary = false;
-        address = "palo@c-base.org";
-        aliases = [ ];
-        realName = "Ingolf Wagner";
-        userName = "palo";
-        passwordCommand =
-          "cat ${toString config.krops.userKeys."c-base.palo".target}";
-        imap = {
-          host = "c-mail.c-base.org";
-          port = 993;
-          # fetched using :  nix-shell -p openssl --run "openssl s_client -connect c-mail.c-base.org:993 -showcerts"
-          tls.certificatesFile = pkgs.writeText "c-base.pem" ''
-            -----BEGIN CERTIFICATE-----
-            MIIFKDCCAxCgAwIBAgIDAtwrMA0GCSqGSIb3DQEBDQUAMFQxFDASBgNVBAoTC0NB
-            Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
-            BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTkxMTA5MDgzMjUyWhcNMjExMTA4
-            MDgzMjUyWjBhMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQH
-            EwZCZXJsaW4xFDASBgNVBAoTC2MtYmFzZSBlLlYuMRowGAYDVQQDExFjLW1haWwu
-            Yy1iYXNlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKR3XBxJ
-            72MayCS0D5GCoHcY0TQLs1DQSohCCobRdSowFJzNQw/2lL6bb+Q2rmevZQXuM4vP
-            YbFytvTDmY5y5MNXEqGLfi8D5TcaP/RdXWQU++yUunE6yMdqZNheeXPjM//PnoXG
-            DyT236BovEi3YipUUsLXFiRj+cAjrQE7a2YUs3fjV3P6grMH0V06J6P6+JJvRgp2
-            K33uhKhnKyb3s1tbdbu1KeGozx2ws9lg79XV+Py6PXxP6jTZ2PCsaxs3BThSdmsl
-            vQyk/zoW7tA1m2ntRCoyFHZqfOHsN3UOS/HDRlXqgSf0ah8cPYPsl0ayXhgOv0Tu
-            1PSMt4Ve2GajX8MCAwEAAaOB9TCB8jAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQE
-            AwIDqDA0BgNVHSUELTArBggrBgEFBQcDAgYIKwYBBQUHAwEGCWCGSAGG+EIEAQYK
-            KwYBBAGCNwoDAzAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9v
-            Y3NwLmNhY2VydC5vcmcvMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuY2Fj
-            ZXJ0Lm9yZy9jbGFzczMtcmV2b2tlLmNybDAtBgNVHREEJjAkghFjLW1haWwuYy1i
-            YXNlLm9yZ4IPbWFpbC5jLWJhc2Uub3JnMA0GCSqGSIb3DQEBDQUAA4ICAQBjTIa1
-            xdhUYXJidv1U0qaqSV1DzumakFY20OM4QCV0Qvlq+SQUqroGBTIGodxhTnjG5o01
-            4xBAnsTcMRNycXHu0j6XYqDS4QhaFcGdFmXP0EQfAFbvhwZdbvgiRHuUTSGEbcLp
-            Vk8sP8dpzx+zMAZ6PL7XMwPFPTHm7vw40qmTyCuUcnhIwHgwGxu4yu0tdsU+VwRD
-            RVsdZO4V2GhFTz8oRcHvmC2wmx+Zwx0RXWPXSN5yRDDZWwY4WbECa2MvojH1HlJG
-            YJkokq7nbYJix/RipSkAXgurcgppVmM5cf7uYgSrltW8pm3IMMPrlaFrlzMMMtdq
-            SYFk+FDp296B7CDyWpQhDcVjnGQ70JfMWT5S3Lsi8DnI2pul9ljxPOt+Q8XFh1oz
-            Ofr7y5Qjm72YToOX1j7N8ppCh0RJH4lOsouTPVdp859ch9FxZdceq+nC744wv+Nt
-            TQPw15Gk3RY5mVYBE/Cw2T7j7qDmBaEUKxkfW7q8t287FXM4XX6C+cKYr6jYx6s1
-            5/2p4gCuOALYqJ7kD2xjci0VTWu77H4J2QKEZF8AgdI36dIYr7GY0e/+xb/CScwr
-            uvu2R9jfPOMVu6CiavPGUtcvju4A+qMUDqIyH9dNwkMQRffAtmsF6KR4nMYxhr45
-            nKY1BaufWLD1UWrjaR1IF6L5qDHOXeMJEChYkg==
-            -----END CERTIFICATE-----'';
-        };
-        mbsync = {
-          enable = false;
-          create = "both";
-        };
-        notmuch.enable = true;
-      };
-
      gmail = {
        # for google accounts you have to allow 'less secure apps' in accounts.google.com
        primary = true;
@ -590,7 +512,7 @@ in {
        realName = "Ingolf Wagner";
        userName = "palipalo9@googlemail.com";
        passwordCommand =
-          "cat ${toString config.krops.userKeys."gmail.palipalo9".target}";
+          "cat ${toString config.sops.secrets.mail_gmail.path }";
        imap = {
          host = "imap.gmail.com";
          tls.enable = true;
@ -609,9 +531,7 @@ in {
        aliases = [ ];
        realName = "Ingolf Wagner";
        userName = "palo@terranix.org";
-        passwordCommand = "cat ${
-            toString config.krops.userKeys."namecheap.terranix.org".target
-          }";
+        passwordCommand = "cat ${toString config.sops.secrets.mail_terranix.path }";
        imap = {
          host = "mail.privateemail.com";
          tls.enable = true;
@ -631,7 +551,7 @@ in {
        realName = "Ingolf Wagner";
        userName = "contact@ingolf-wagner.de";
        passwordCommand =
-          "cat ${toString config.krops.userKeys."siteground.contact".target}";
+          "cat ${toString config.sops.secrets.mail_siteground.path }";
        imap = {
          host = "securees5.sgcpanel.com";
          port = 993;
@ -715,9 +635,9 @@ in {
    enable = true;
    new.tags = [ "unread" "inbox" "new" ];
  };
-  home-manager.users.mailUser.home.file."notmuch" = {
-    source = "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
-    target = ".notmuch-config";
-  };
+  #home-manager.users.mailUser.home.file."notmuch" = {
+  #  source = "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
+  #  target = ".notmuch-config";
+  #};

 }
--- a/nixos/configs/workhorse/metabase.nix
+++ b/nixos/configs/workhorse/metabase.nix
@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }: {
+/{ pkgs, lib, config, ... }: {

  services.metabase = {
    listen.port = 3040;
--- a/nixos/configs/workhorse/nextcloud.nix
+++ b/nixos/configs/workhorse/nextcloud.nix
@ -7,20 +7,32 @@ let

 in {

+  sops.secrets.nextcloud_database_password = {};
+  sops.secrets.nextcloud_root_password = {};
+
  containers.nextcloud = {

    # mount host folders
    bindMounts = {
      rootpassword = {
-        hostPath = toString <secrets/nextcloud/root_password>;
-        mountPoint = toString <secrets/nextcloud/root_password>;
+        hostPath =
+                      "/run/secrets/nextcloud_root_password";
+          #toString <secrets/nextcloud/root_password>;
+        mountPoint =
+                      "/run/secrets/nextcloud_root_password";
+          #toString <secrets/nextcloud/root_password>;
        isReadOnly = true;
      };
      databasepassword = {
-        hostPath = toString <secrets/nextcloud/database_password>;
-        mountPoint = toString <secrets/nextcloud/database_password>;
+        hostPath =
+                      "/run/secrets/nextcloud_database_password";
+          #toString <secrets/nextcloud/database_password>;
+        mountPoint =
+                      "/run/secrets/nextcloud_database_password";
+          #toString <secrets/nextcloud/database_password>;
        isReadOnly = true;
      };
+
      home = {
        # make sure this folder exist on the host
        hostPath = toString "/home/nextcloud";
@ -33,17 +45,6 @@ in {
        mountPoint = "/var/lib/mysql";
        isReadOnly = false;
      };
-      krops-lib = {
-        mountPoint = toString <krops-lib>;
-        hostPath = toString <krops-lib>;
-        isReadOnly = true;
-      };
-      modules = {
-        mountPoint = toString <modules>;
-        hostPath = toString <modules>;
-        isReadOnly = true;
-      };
-      # shared folders
      samples = {
        mountPoint =
          toString config.services.syncthing.declarative.folders.samples.path;
@ -84,10 +85,7 @@ in {

    config = { config, pkgs, lib, ... }: {

-      imports = [ <modules> <krops-lib> ];
-
      services.nginx = {
-
        # Use recommended settings
        recommendedGzipSettings = lib.mkDefault true;
        recommendedOptimisation = lib.mkDefault true;
@ -214,27 +212,20 @@ in {
        https = true;
        config = {
          adminpassFile =
-            toString config.krops.userKeys."nextcloud_root".target;
+            #config.sops.secrets.nextcloud_root_password.path;
+            "/run/secrets/nextcloud_root_password";
          overwriteProtocol = "https";
          trustedProxies = [ "195.201.134.247" hostAddress ];
          dbtype = "mysql";
          dbpassFile =
-            toString config.krops.userKeys."nextcloud_database".target;
+            #config.sops.secrets.nextcloud_database_password.path;
+            "/run/secrets/nextcloud_database_password";
          dbport = 3306;
        };
      };

-      # provide password file for database with proper rights
-      krops.userKeys."nextcloud_database" = {
-        user = "nextcloud";
-        source = toString <secrets/nextcloud/database_password>;
-        requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
-      };
-      krops.userKeys."nextcloud_root" = {
-        user = "nextcloud";
-        source = toString <secrets/nextcloud/root_password>;
-        requiredBy = [ "nginx.service" "nextcloud-setup.service" ];
-      };
+      #sops.secrets.nextcloud_database_password = {};
+      #sops.secrets.nextcloud_root_password = {};

      environment.systemPackages = [ pkgs.smbclient ];

@ -340,7 +331,8 @@ in {
      doInit = true;
      encryption = {
        mode = "repokey-blake2";
-        passCommand = "cat ${toString <secrets/backup/repo>}";
+            passCommand =
+              "cat ${config.sops.secrets.backup_repository_passphrase.path}";
      };
      startAt = "0/3:00:00";
      prune.keep = {
--- a/nixos/configs/workhorse/prometheus.nix
+++ b/nixos/configs/workhorse/prometheus.nix
@ -84,23 +84,23 @@
          };
        }];
      }
-      {
-        job_name = "home-assistant";
-        scrape_interval = "60s";
-        metrics_path = "/api/prometheus";
-        # you can create this token on your user profile page
-        # http://pepe.private:8123/profile
-        bearer_token =
-          lib.fileContents <secrets/prometheus/home-assistant/api_token>;
-        static_configs = [{
-          targets = [ "pepe.private:8123" ];
-          labels = {
-            service = "hass";
-            server = "pepe";
-            city = "essen";
-          };
-        }];
-      }
+      #{
+      #  job_name = "home-assistant";
+      #  scrape_interval = "60s";
+      #  metrics_path = "/api/prometheus";
+      #  # you can create this token on your user profile page
+      #  # http://pepe.private:8123/profile
+      #  bearer_token =
+      #    lib.fileContents <secrets/prometheus/home-assistant/api_token>;
+      #  static_configs = [{
+      #    targets = [ "pepe.private:8123" ];
+      #    labels = {
+      #      service = "hass";
+      #      server = "pepe";
+      #      city = "essen";
+      #    };
+      #  }];
+      #}
    ];
  };
 }
--- a/nixos/configs/workhorse/syncthing.nix
+++ b/nixos/configs/workhorse/syncthing.nix
@ -11,14 +11,18 @@
    };
  };

+
+  sops.secrets.syncthing_cert = { };
+  sops.secrets.syncthing_key = { };
+
  services.syncthing = {
    enable = true;
    openDefaultPorts = false;
    dataDir = "/home/syncthing";
    configDir = "/home/syncthing";
    declarative = {
-      cert = toString <secrets/syncthing/cert.pem>;
-      key = toString <secrets/syncthing/key.pem>;
+      cert = toString config.sops.secrets.syncthing_cert.path;
+      key = toString config.sops.secrets.syncthing_key.path;
      overrideFolders = true;

      folders = {
--- a/nixos/configs/workhorse/tinc.nix
+++ b/nixos/configs/workhorse/tinc.nix
@ -17,4 +17,7 @@
    };
  };

+  sops.secrets.tinc_retiolum_ed25519_key = { };
+  sops.secrets.tinc_retiolum_rsa_key = { };
+
 }
--- a/nixos/configs/workhorse/transmission.nix
+++ b/nixos/configs/workhorse/transmission.nix
@ -6,18 +6,20 @@ let

 in {

+  sops.secrets.nordvpn = {};
+
  containers.torrent = {

    # mount host folders
    bindMounts = {
-      password = {
-        hostPath = toString <secrets/transmission/password>;
-        mountPoint = toString <secrets/transmission/password>;
-        isReadOnly = true;
-      };
+      #password = {
+      #  hostPath = "/run/secrets/transmission_password";
+      #  mountPoint = "/run/secrets/transmission_password";
+      #  isReadOnly = true;
+      #};
      nordvpnPassword = {
-        hostPath = toString <secrets/transmission/nordvpn.txt>;
-        mountPoint = toString <secrets/transmission/nordvpn.txt>;
+        hostPath = "/run/secrets/nordvpn";
+        mountPoint = "/run/secrets/nordvpn";
        isReadOnly = true;
      };
      home = {
@ -183,7 +185,8 @@ in {

        remote-cert-tls server

-        auth-user-pass ${toString <secrets/transmission/nordvpn.txt>}
+        auth-user-pass /run/secrets/nordvpn.txt
+
        verb 3
        pull
        resolv-retry infinite
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@ -63,6 +63,11 @@
            })
          ];
        })
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.useGlobalPkgs = true;
+          home-manager.useUserPackages = true;
+        }
      ];
      desktopModules = [
        home-manager.nixosModules.home-manager
--- a/nixos/krops.nix
+++ b/nixos/krops.nix
@ -5,7 +5,7 @@ let
  command = targetPath:
    let
      commandLine =
-        "TMPDIR=/tmp nixos-rebuild switch --flake ${targetPath} -L --keep-going";
+        "TMPDIR=/tmp nixos-rebuild build --flake ${targetPath} -L --keep-going";
    in ''
      echo '${commandLine}'
      nix-shell \
--- a/nixos/modules/services/taskwarrior-pushover.nix
+++ b/nixos/modules/services/taskwarrior-pushover.nix
@ -13,6 +13,10 @@ in
      type = str;
      default = "4:00:00";
    };
+    recurrence = mkOption {
+      type = enum["on" "off"];
+      default = "off";
+    };
    pushoverApiTokenFile = mkOption {
      type = path;
    };
@ -54,7 +58,7 @@ in
      script = let
        taskwarriorCommand = pkgs.writers.writeDash "taskwarrior-push" ''
         ${pkgs.taskwarrior}/bin/task \
-            rc.recurrence=off  \
+            rc.recurrence=${cfg.recurrence}  \
            rc:/var/lib/${name}/.taskrc \
            rc.data.location=/var/lib/${name}/${cfg.dataDir} \
            rc.taskd.ca=${cfg.caFile} \
--- a/nixos/system/desktop/mail-stuff.nix
+++ b/nixos/system/desktop/mail-stuff.nix
@ -118,7 +118,7 @@ in {
        enable = true;
        # msmtp --serverinfo --tls --tls-certcheck=off -a ingolf-wagner
        tls.fingerprint =
-          "F3:5C:9A:BF:82:35:78:AA:42:85:F5:D1:2A:08:B9:B4:56:6D:B7:BF:47:3B:37:B4:D8:B5:10:AE:0E:95:03:CD";
+          "16:94:47:E0:00:86:BB:F7:56:D3:81:F1:89:7B:CD:67:65:0B:EE:0B:A9:26:96:5E:0B:1F:56:AB:FD:DE:96:C5";
      };
      gpg = {
        encryptByDefault = true;