diff --git a/flake.lock b/flake.lock
index 926b68a..b2608c8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -68,12 +68,12 @@
 "rev": "16bbe8a0157d5aa669b2572cda7186a2f108e676",
 "revCount": 27,
 "type": "git",
- "url": "ssh://gitlab@gitlab.ingolf-wagner.de/palo/nixos-secrets"
+ "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
 },
 "original": {
 "ref": "main",
 "type": "git",
- "url": "ssh://gitlab@gitlab.ingolf-wagner.de/palo/nixos-secrets"
+ "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 826ff90..9bffc52 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,7 +4,7 @@
 inputs = {
 secrets = {
- url = "git+ssh://gitlab@gitlab.ingolf-wagner.de/palo/nixos-secrets?ref=main";
+ url = "git+ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git?ref=main";
 flake = false;
 };
 nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
diff --git a/nixos/configs/pepe/configuration.nix b/nixos/configs/pepe/configuration.nix
index 3655005..83434a0 100644
--- a/nixos/configs/pepe/configuration.nix
+++ b/nixos/configs/pepe/configuration.nix
@@ -51,9 +51,9 @@
 # nix-shell -p speedtest_cli --run speedtest
 configuration.fireqos = {
 enable = true;
- interface = "wlp3s0";
- input = 80000;
- output = 2500;
+ interface = "enp0s25";
+ input = 200000;
+ output = 2000;
 balance = false;
 };
diff --git a/nixos/configs/pepe/mpd.nix b/nixos/configs/pepe/mpd.nix
index 239c236..d20ec4b 100644
--- a/nixos/configs/pepe/mpd.nix
+++ b/nixos/configs/pepe/mpd.nix
@@ -19,7 +19,10 @@
 users.users."spotifyd" = {
 isSystemUser = true;
+ group = "spotifyd";
 };
+ users.groups.spotifyd = { };
+
 sops.secrets.spotify_pass = {
 owner = "spotifyd";
diff --git a/nixos/configs/pepe/syncthing.nix b/nixos/configs/pepe/syncthing.nix
index d29fdb1..3a8b248 100644
--- a/nixos/configs/pepe/syncthing.nix
+++ b/nixos/configs/pepe/syncthing.nix
@@ -5,12 +5,12 @@
 custom.samba-share = {
 enable = true;
 folders = {
- movies = config.services.syncthing.declarative.folders.movies.path;
- music = config.services.syncthing.declarative.folders.music-library.path;
- samples = config.services.syncthing.declarative.folders.samples.path;
- series = config.services.syncthing.declarative.folders.series.path;
+ movies = config.services.syncthing.folders.movies.path;
+ music = config.services.syncthing.folders.music-library.path;
+ samples = config.services.syncthing.folders.samples.path;
+ series = config.services.syncthing.folders.series.path;
 series2 = "/media/series";
- books = config.services.syncthing.declarative.folders.books.path;
+ books = config.services.syncthing.folders.books.path;
 };
 #private.test = {
 # folder = ;
@@ -24,99 +24,97 @@
 services.syncthing = {
 enable = true;
 openDefaultPorts = true;
- declarative = {
- cert = toString config.sops.secrets.syncthing_cert.path;
- key = toString config.sops.secrets.syncthing_key.path;
+ cert = toString config.sops.secrets.syncthing_cert.path;
+ key = toString config.sops.secrets.syncthing_key.path;
- overrideFolders = true;
- folders = {
-
- # on encrypted drive
- # ------------------
- private = {
- enable = true;
- path = "/home/syncthing/private";
- };
- desktop = {
- enable = true;
- path = "/home/syncthing/desktop";
- };
- finance = {
- enable = true;
- path = "/home/syncthing/finance";
- };
- lost-fotos = {
- enable = true;
- path = "/home/syncthing/lost-fotos.ct";
- };
- fotos = {
- enable = true;
- path = "/home/syncthing/fotos";
- };
- zettlr = {
- enable = true;
- path = "/home/syncthing/zettlr";
- };
-
- # no need to be encrypted
- # -----------------------
- borg-mirror = {
- enable = true;
- path = "/media/syncthing/borg";
- rescanInterval = 36 * 3600;
- type = "receiveonly";
- };
- books = {
- enable = true;
- path = "/media/syncthing/books";
- rescanInterval = 8 * 3600;
- };
- movies = {
- enable = true;
- path = "/media/syncthing/movies";
- rescanInterval = 8 * 3600;
- };
- music-projects = {
- enable = true;
- path = "/media/syncthing/music-projects";
- };
- music-library = {
- enable = true;
- path = "/media/syncthing/music-library";
- rescanInterval = 8 * 3600;
- };
- music-library-free = {
- enable = true;
- path = "/media/syncthing/music-library-free";
- rescanInterval = 8 * 3600;
- };
- samples = {
- enable = true;
- path = "/media/syncthing/samples";
- rescanInterval = 8 * 3600;
- };
- series = {
- enable = true;
- path = "/media/syncthing/series";
- rescanInterval = 8 * 3600;
- };
- smartphone-folder = {
- enable = true;
- path = "/media/syncthing/smartphone-folder";
- rescanInterval = 8 * 3600;
- };
- video-material = {
- enable = true;
- path = "/media/syncthing/video-material";
- rescanInterval = 8 * 3600;
- };
- processing = {
- enable = true;
- path = "/media/syncthing/sketchbook";
- rescanInterval = 8 * 3600;
- };
+ overrideFolders = true;
+ folders = {
+ # on encrypted drive
+ # ------------------
+ private = {
+ enable = true;
+ path = "/home/syncthing/private";
 };
+ desktop = {
+ enable = true;
+ path = "/home/syncthing/desktop";
+ };
+ finance = {
+ enable = true;
+ path = "/home/syncthing/finance";
+ };
+ lost-fotos = {
+ enable = true;
+ path = "/home/syncthing/lost-fotos.ct";
+ };
+ fotos = {
+ enable = true;
+ path = "/home/syncthing/fotos";
+ };
+ zettlr = {
+ enable = true;
+ path = "/home/syncthing/zettlr";
+ };
+
+ # no need to be encrypted
+ # -----------------------
+ borg-mirror = {
+ enable = true;
+ path = "/media/syncthing/borg";
+ rescanInterval = 36 * 3600;
+ type = "receiveonly";
+ };
+ books = {
+ enable = true;
+ path = "/media/syncthing/books";
+ rescanInterval = 8 * 3600;
+ };
+ movies = {
+ enable = true;
+ path = "/media/syncthing/movies";
+ rescanInterval = 8 * 3600;
+ };
+ music-projects = {
+ enable = true;
+ path = "/media/syncthing/music-projects";
+ };
+ music-library = {
+ enable = true;
+ path = "/media/syncthing/music-library";
+ rescanInterval = 8 * 3600;
+ };
+ music-library-free = {
+ enable = true;
+ path = "/media/syncthing/music-library-free";
+ rescanInterval = 8 * 3600;
+ };
+ samples = {
+ enable = true;
+ path = "/media/syncthing/samples";
+ rescanInterval = 8 * 3600;
+ };
+ series = {
+ enable = true;
+ path = "/media/syncthing/series";
+ rescanInterval = 8 * 3600;
+ };
+ smartphone-folder = {
+ enable = true;
+ path = "/media/syncthing/smartphone-folder";
+ rescanInterval = 8 * 3600;
+ };
+ video-material = {
+ enable = true;
+ path = "/media/syncthing/video-material";
+ rescanInterval = 8 * 3600;
+ };
+ processing = {
+ enable = true;
+ path = "/media/syncthing/sketchbook";
+ rescanInterval = 8 * 3600;
+ };
+ };
 };
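Review bot: In the flattened `folders` set, `lost-fotos` is the one folder whose path does not match its id (`path = "/home/syncthing/lost-fotos.ct";`), and the two headings "on encrypted drive" / "no need to be encrypted" never say which mount is the encrypted one; both are carried over unchanged from the old `declarative` block, so they are probably deliberate, but a comment on the `.ct` suffix and one like `# /home/syncthing lives on the encrypted volume, /media/syncthing does not` (adjust to the real layout) would stop the next editor from "fixing" either. Apart from that the hunk is a pure move of `declarative.cert`/`key`/`overrideFolders`/`folders` one level up, presumably tracking the `nixos-21.05` pin in flake.nix. The whole `services.syncthing = { … };` set is inside this hunk.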
diff --git a/nixos/configs/pepe/taskwarrior-pushover.nix b/nixos/configs/pepe/taskwarrior-pushover.nix
index b262bc3..e4bc405 100644
--- a/nixos/configs/pepe/taskwarrior-pushover.nix
+++ b/nixos/configs/pepe/taskwarrior-pushover.nix
@@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }: {
- users.users."taskwarrior-pushover".isSystemUser = true;
 sops.secrets.pushoverApiToken.owner = "taskwarrior-pushover";
 sops.secrets.pushoverUserKey.owner = "taskwarrior-pushover";
diff --git a/nixos/configs/pepe/tinc.nix b/nixos/configs/pepe/tinc.nix
index 6563e05..4229928 100644
--- a/nixos/configs/pepe/tinc.nix
+++ b/nixos/configs/pepe/tinc.nix
@@ -18,4 +18,6 @@ with lib;
 sops.secrets.tinc_retiolum_ed25519_key = { };
 sops.secrets.tinc_retiolum_rsa_key = { };
+ users.users."tinc.retiolum".group = "tinc.retiolum";
+ users.groups."tinc.retiolum" = { };
 }
diff --git a/nixos/configs/robi/bitwarden.nix b/nixos/configs/robi/bitwarden.nix
index 24d0c2e..a32ffa8 100644
--- a/nixos/configs/robi/bitwarden.nix
+++ b/nixos/configs/robi/bitwarden.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }: {
- services.bitwarden_rs = {
+ services.vaultwarden = {
 enable = true;
+ # backupDir =
 config = {
 domain = "https://bitwarden.ingolf-wagner.de";
 signupsAllowed = false;
diff --git a/nixos/configs/robi/gitea.nix b/nixos/configs/robi/gitea.nix
index b66eb7a..258b4b8 100644
--- a/nixos/configs/robi/gitea.nix
+++ b/nixos/configs/robi/gitea.nix
@@ -29,5 +29,7 @@
 };
 };
- #backup.dirs = [ config.services.gogs.repositoryRoot ];
+ #backup.dirs = [ config.services.gogs.repositoryRoot ];
+ };
+ }
diff --git a/nixos/configs/sterni/configuration.nix b/nixos/configs/sterni/configuration.nix
index 9cf9243..50514b8 100644
--- a/nixos/configs/sterni/configuration.nix
+++ b/nixos/configs/sterni/configuration.nix
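Review bot: The added `# backupDir =` under `services.vaultwarden` is a half-written placeholder: the module does have a `backupDir` option, so either set it (`backupDir = "/var/backup/vaultwarden";` is a constructed example, pick the real path) or drop the comment instead of leaving a dangling assignment. Since the rename from `bitwarden_rs` also renames the systemd unit, it is worth checking after the first switch that the existing vault data is still picked up and that `signupsAllowed = false` is still in effect. The `services.vaultwarden = {` set continues past the hunk.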
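Review bot: The two closing lines added at the end of gitea.nix, `};` and `}`, have no opening counterpart inside the hunk, and the only other change is the `#backup.dirs` comment removed and re-added with identical text (presumably an indentation change); if the file was balanced before this commit the extra braces make it fail to parse, and if it was not, the repair deserves a word in the commit message — either way the robi configuration should be evaluated before merging. The commented-out line also still references `config.services.gogs.repositoryRoot` in a gitea config; if the backup is ever re-enabled it would want the gitea module's `repositoryRoot` instead, e.g. `#backup.dirs = [ config.services.gitea.repositoryRoot ];`.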
@@ -20,9 +20,6 @@
 system.custom.wifi.interfaces = [ "wlp3s0" ];
- sops.secrets.tinc_retiolum_ed25519_key = { };
- sops.secrets.tinc_retiolum_rsa_key = { };
-
 security.wrappers = {
 pmount = {
 source = "${pkgs.pmount}/bin/pmount";
diff --git a/nixos/configs/sterni/tinc.nix b/nixos/configs/sterni/tinc.nix
index b17ef47..9c97b1d 100644
--- a/nixos/configs/sterni/tinc.nix
+++ b/nixos/configs/sterni/tinc.nix
@@ -20,8 +20,13 @@ with lib;
 connectTo = [ "sputnik" ];
 };
 };
+
+ sops.secrets.tinc_retiolum_ed25519_key = { };
+ sops.secrets.tinc_retiolum_rsa_key = { };
+ users.users."tinc.retiolum".group = "tinc.retiolum";
 users.groups."tinc.retiolum" = { };
+ users.users."tinc.secret".group = "tinc.secret";
 users.groups."tinc.secret" = { };
diff --git a/nixos/modules/services/samba-share.nix b/nixos/modules/services/samba-share.nix
index 47f403c..665a083 100644
--- a/nixos/modules/services/samba-share.nix
+++ b/nixos/modules/services/samba-share.nix
@@ -95,7 +95,9 @@ in
 description = "smb guest user";
 home = "/home/smbguest";
 createHome = true;
+ group = "smbguest";
 };
+ users.groups.smbguest = { };
 }) # todo : maybe better to have a parameter for this
diff --git a/nixos/modules/services/taskwarrior-pushover.nix b/nixos/modules/services/taskwarrior-pushover.nix
index 09e7fc9..ba39345 100644
--- a/nixos/modules/services/taskwarrior-pushover.nix
+++ b/nixos/modules/services/taskwarrior-pushover.nix
@@ -49,19 +49,27 @@ in
 };
 config = mkIf cfg.enable {
+
+ users.users.${name} = {
+ isSystemUser = true;
+ home = "/var/lib/${name}";
+ group = name;
+ };
+ users.groups.${name} = { };
+
 systemd.services.taskwarrior-pushover = {
 enable = true;
 serviceConfig = {
- DynamicUser = true;
+ User = name;
 StateDirectory = name;
 };
 script = let
 taskwarriorCommand = pkgs.writers.writeDash "taskwarrior-push" ''
 ${pkgs.taskwarrior}/bin/task \
- rc.recurrence=${cfg.recurrence} \
 rc:/var/lib/${name}/.taskrc \
 rc.data.location=/var/lib/${name}/${cfg.dataDir} \
+ rc.recurrence=${cfg.recurrence} \
 rc.taskd.ca=${cfg.caFile} \
 rc.taskd.certificate=${cfg.certificateFile} \
 rc.taskd.credentials="${cfg.credentials}" \
@@ -73,7 +81,7 @@ in
 ''
 if [ -d /var/lib/${name}/${cfg.dataDir} ]
 then
- echo "synchronize {cfg.dataDir}"
+ echo "synchronize ${cfg.dataDir}"
 ${taskwarriorCommand} sync
 else
 echo "initialize ${cfg.dataDir}"
diff --git a/nixos/system/all/syncthing.nix b/nixos/system/all/syncthing.nix
index c01faf7..ffd07b4 100644
--- a/nixos/system/all/syncthing.nix
+++ b/nixos/system/all/syncthing.nix
@@ -10,8 +10,8 @@ with lib;
 { "${name}" = {
 name = name;
 id = id;
- addresses =
- [ "tcp://${name}.private:22000" ];
+ #addresses =
+ # [ "tcp://${name}.private:22000" ];
 };
 };
 in
diff --git a/nixos/system/server/initssh.nix b/nixos/system/server/initssh.nix
index 1775a3e..fecd15c 100644
--- a/nixos/system/server/initssh.nix
+++ b/nixos/system/server/initssh.nix
@@ -23,7 +23,7 @@ in
 };
 port = mkOption {
- default = 22;
+ default = 2222;
 type = with types; int;
 };
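Review bot: Replacing `DynamicUser = true;` with `User = name;` in `serviceConfig` silently drops the hardening systemd implies for dynamic users (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID), and nothing in the new block re-adds it. The switch to a static user is presumably needed so the sops secrets can be chowned to it, which is fine, but the service should then state the sandbox explicitly, e.g. `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; NoNewPrivileges = true;` next to `StateDirectory = name;`. The `home = "/var/lib/${name}";` on the new user agrees with `StateDirectory = name`, which is good; a short comment on `users.users.${name}` saying why a static user replaced DynamicUser would save the next reader the archaeology. Both `config = mkIf cfg.enable {` and the `systemd.services.taskwarrior-pushover` definition continue past the hunk.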
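Review bot: Commenting out `addresses = [ "tcp://${name}.private:22000" ];` leaves every device at syncthing's default `dynamic` address, so peers are now located via local/global discovery and may connect through public relays instead of the `.private` overlay the old line pinned them to; if the intent is to keep sync traffic on that network, either keep explicit addresses or disable global announce and relays through the module's `extraOptions` (syncthing's `globalAnnounceEnabled` / `relaysEnabled` settings). Whatever the reason, a one-line comment such as `# addresses unset on purpose: <reason>` is better than two dead lines. The `let` binding that builds this device set starts before the hunk.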
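Review bot: Changing the `port` option's default from 22 to 2222 alters boot-time behaviour for every host that uses this module without setting the option — remote-unlock scripts, firewall rules and `known_hosts` entries that expect the initrd sshd on 22 stop working at the next rebuild — so the option should say so in its `description`, including the motivation (presumably that the initrd sshd presents a different host key than the main sshd, and a separate port keeps clients from raising a host-key-mismatch warning). While here, `type = with types; int;` can be tightened to `type = types.port;`. The enclosing options set starts before the hunk.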