introduce sops to the config to be able to use encrypted tokens and passwords, also use these in factorio

2024-04-27 20:39:13 +02:00 · 2024-04-27 20:39:13 +02:00 · d74f441506
commit d74f441506
parent fbbc59c2c2
9 changed files with 226 additions and 30 deletions
--- a/modules/nixos/apps/factorio-server/default.nix
+++ b/modules/nixos/apps/factorio-server/default.nix
@ -17,25 +17,40 @@ in

  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs; [ factorio-headless ];
+    sops = {
+      secrets = {
+        factorio_token = { restartUnits = ["factorio.service"]; };
+        factorio_username = { restartUnits = ["factorio.service"]; };
+        factorio_game_password = { restartUnits = ["factorio.service"]; };
+      };
+      templates."extraSettingsFile.json".content = ''
+        {
+          "name": "Alles Nix!",
+          "description": "Trying to run a factorio-headless-server on my nix system",
+          "tags": ["vanilla"],
+          "max_players": 10,
+          "game_password": "${config.sops.placeholder.factorio_game_password}",
+          "allow_commands": "admins-only",
+          "autosave_slots": 5,
+          "ignore_player_limit_for_returning_players": true,
+          "username" : "${config.sops.placeholder.factorio_username}",
+          "admins": ["${config.sops.placeholder.factorio_username}"],
+          "token": "${config.sops.placeholder.factorio_token}"
+        }
+      '';
+      templates."extraSettingsFile.json".mode = "0444";
+    };

    services.factorio = {
      enable = true;
      openFirewall = true;
      public = true;
      lan = true;
-      admins = [
-        "DaHolli"
-        "Galbrain"
-      ];
      nonBlockingSaving = true;
      autosave-interval = 5;
      loadLatestSave = true;
-      username = "DaHolli";
-      token = "4d4624ca9a23396e1955c1b4b364ff";
-      game-name = "Alles Nix!";
-      game-password = "1234";
-      saveName = "Vanilla";
      bind = "192.168.178.34";
+      extraSettingsFile = config.sops.templates."extraSettingsFile.json".path;
    };
  };
 }
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@ -0,0 +1,32 @@
+{
+  options,
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with lib;
+with lib.wyrdgard;
+let
+  cfg = config.wyrdgard.security.sops;
+in
+{
+  options.wyrdgard.security.sops = with types; {
+    enable = mkBoolOpt true "Enable sops (Default true)";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      sops
+      age
+    ];
+
+    sops = {
+      defaultSopsFile = ../../../../secrets/secrets.yaml;
+      defaultSopsFormat = "yaml";
+
+      age.keyFile = "/home/cholli/.config/sops/age/keys.txt";
+    };
+  };
+}
--- a/modules/nixos/security/syncthing/default.nix
+++ b/modules/nixos/security/syncthing/default.nix
@ -0,0 +1,58 @@
+{
+  options,
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with lib;
+with lib.wyrdgard;
+let
+  cfg = config.wyrdgard.security.syncthing;
+  user = config.wyrdgard.user;
+in
+{
+  options.wyrdgard.security.syncthing = with types; {
+    enable = mkEnableOption "Enable Syncthing";
+  };
+
+  config = mkIf cfg.enable {
+    services.syncthing = {
+      enable = true;
+      user = user.name;
+      dataDir = "/home/" + user.name + "/Documents";
+      configDir = "/home/" + user.name + "/Documents/.config/syncthing";
+      settings = {
+        folders = {
+          "Documents" = {
+            # Name of folder in Syncthing, also the folder ID
+            path = "/home/" + user.name + "/Documents"; # Which folder to add to Syncthing
+          };
+          "Pictures" = {
+            path = "/home/" + user.name + "/Pictures";
+          };
+          "7vfj7-k83xj" = {
+            path = "/home/" + user.name + "/WhatsApp Documents";
+          };
+        };
+        gui = {
+          theme = "black";
+        };
+      };
+    };
+
+    # Syncthing ports: 8384 for remote access to GUI
+    # 22000 TCP and/or UDP for sync traffic
+    # 21027/UDP for discovery
+    # source: https://docs.syncthing.net/users/firewall.html
+    networking.firewall.allowedTCPPorts = [
+      8384
+      22000
+    ];
+    networking.firewall.allowedUDPPorts = [
+      22000
+      21027
+    ];
+  };
+}
--- a/modules/nixos/system/hardware/audio/default.nix
+++ b/modules/nixos/system/hardware/audio/default.nix
@ -32,13 +32,16 @@ in
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
-      extraConfig = {
-        "11-bluetooth-policy" = {
-          "bluetooth_policy.policy" = {
-            "media-role.use-headset-profile" = false;
-          };
-        };
-      };
+      wireplumber.configPackages = [
+        (pkgs.writeTextDir "share/wireplumber/wireplumber.conf.d/11-bluetooth-policy.conf" ''
+          wireplumber.settings = {	
+            bluetooth.autoswitch-to-headset-profile = false	
+          }
+        '')
+        (pkgs.writeTextDir "share/wireplumber/policy.lua.d/11-bluetooth-policy.conf" ''
+          bluetooth_policy.policy["media-role.use-headset-profile"] = false
+        '')
+      ];
    };
  };
 }