From 9b7a1745aa028a15c60f4349689a6bba1a02f7f5 Mon Sep 17 00:00:00 2001 From: kalipso Date: Tue, 24 Oct 2023 18:47:12 +0200 Subject: [PATCH] [lucia] working certs and mpd --- machines/lucia/configuration.nix | 121 +++++++++++++++++++------------ machines/lucia/secrets.yaml | 6 +- 2 files changed, 78 insertions(+), 49 deletions(-) diff --git a/machines/lucia/configuration.nix b/machines/lucia/configuration.nix index cd4b846b..10965ac4 100644 --- a/machines/lucia/configuration.nix +++ b/machines/lucia/configuration.nix @@ -8,8 +8,19 @@ ../modules/malobeo_user.nix ]; + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets.njala_api_key = {}; + # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) boot.loader.grub.enable = false; + boot.loader.raspberryPi.enable = false; + boot.loader.raspberryPi.version = 3; + boot.loader.raspberryPi.uboot.enable = true; + boot.loader.raspberryPi.firmwareConfig = '' + dtparam=audio=on + hdmi_ignore_edid_audio=1 + audio_pwm_mode=2 + ''; # Enables the generation of /boot/extlinux/extlinux.conf boot.loader.generic-extlinux-compatible.enable = true; @@ -21,6 +32,9 @@ # Set your time zone. time.timeZone = "Europe/Berlin"; + # hardware audio support: + sound.enable = true; + services = { dokuwiki.sites."wiki.malobeo.org" = { enable = true; 
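Review bot: `boot.loader.raspberryPi.enable = false;` sits directly above the newly added `version`, `uboot.enable` and `firmwareConfig` settings. As far as I know the nixpkgs module only applies those options when the loader is enabled, so the `dtparam=audio=on` block is probably never written to the firmware config. If mpd's ALSA output depends on those lines, enable the loader or deliver them another way; otherwise add a comment such as `# raspberryPi loader disabled: the options below are inert and kept for reference`. The secret is declared as `njala_api_key`, while the ACME block in the later hunk spells the provider `njalla`; one spelling for both would prevent a mistyped `config.sops.secrets.…` reference.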
@@ -50,29 +64,69 @@ }; }; - mpd = { - enable = true; - musicDirectory = "/var/lib/mpd/music"; - extraConfig = '' - audio_output { - type "alsa" - name "My ALSA" - device "hw:0,0" # optional - format "44100:16:2" # optional - mixer_type "hardware" - mixer_device "default" - mixer_control "PCM" - } - ''; - - # Optional: - network.listenAddress = "any"; # if you want to allow non-localhost connections - startWhenNeeded = true; # systemd feature: only start MPD service upon connection to its socket - }; - ympd = { - enable = true; + mpd = { + enable = true; + musicDirectory = "/var/lib/mpd/music"; + extraConfig = '' + audio_output { + type "alsa" + name "My ALSA" + device "hw:0,0" # optional + format "44100:16:2" # optional + mixer_type "hardware" + mixer_device "default" + mixer_control "PCM" + } + ''; + + # Optional: + network.listenAddress = "any"; # if you want to allow non-localhost connections + startWhenNeeded = true; # systemd feature: only start MPD service upon connection to its socket + }; + + ympd = { + enable = true; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "malobeo@systemli.org"; + defaults = { + dnsProvider = "njalla"; + credentialsFile = config.sops.secrets.njala_api_key.path; + dnsPropagationCheck = false; }; + }; + + services.nginx = { + enable = true; + virtualHosts."music.malobeo.org" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations."/" = { + proxyPass = "http://127.0.0.1:8080"; + proxyWebsockets = true; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 6680 80 443 ]; + + environment.systemPackages = with pkgs; [ + vim + htop + wget + git + pciutils + nix-tree + ]; + + system.stateVersion = "23.05"; +} + #mopidy = { # enable = true; # configuration = '' 
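Review bot: `networking.firewall.allowedTCPPorts = [ 6680 80 443 ];` still opens 6680, although nothing enabled in the visible configuration listens there (it presumably belonged to the commented-out mopidy block). With `forceSSL = true` now on the vhost I would narrow it to `[ 80 443 ]` so that every exposed service sits behind nginx and TLS. The `music.malobeo.org` vhost gains a certificate, but the proxied `/` location shows no access control, so unless that is handled elsewhere the player UI is open to anyone who can reach the host; if that is not intended, add `basicAuthFile = config.sops.secrets.<htpasswd_secret_placeholder>.path;` to the vhost. `network.listenAddress = "any"` on mpd is shielded only by the firewall list, which deserves a comment next to it saying so. The `services = {` set that these lines close begins outside the hunk.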
@@ -127,28 +181,3 @@ # ''; # extensionPackages = with pkgs; [ mopidy-iris mopidy-youtube python3Packages.yt-dlp ]; #}; - }; - - services.nginx = { - enable = true; - virtualHosts."music.malobeo.org" = { - locations."/" = { - proxyPass = "http://127.0.0.1:8080"; - proxyWebsockets = true; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 6680 80 ]; - - environment.systemPackages = with pkgs; [ - vim - htop - wget - git - pciutils - nix-tree - ]; - - system.stateVersion = "23.05"; -} diff --git a/machines/lucia/secrets.yaml b/machines/lucia/secrets.yaml index 9da6c87e..f25764de 100644 --- a/machines/lucia/secrets.yaml +++ b/machines/lucia/secrets.yaml @@ -1,13 +1,13 @@ hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str] -njala_api_key: ENC[AES256_GCM,data:cFngyUfg+hATbqK+nizeKGgzriyhqQ+C2cACgvxYX8mbc5BcXSomiw==,iv:c4W9Ow1yQ3F+MG8QLOSbTCJ55+BadtpAZSsB+eEo8cs=,tag:wTeT+feLbx8rYfUEJgfepA==,type:str] +njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-10-24T14:43:15Z" - mac: ENC[AES256_GCM,data:GginYeOix/N5Y5SfKYJPAWlrRYWNPRaoqwKkSCIiAhtpTSC6GBXUkbx3a465YP60MIb5e43MhQcpxUN9pOd49yt2Jka9zphBUElitHniRj1NPsFRQxtZIM6bRsrFG3frUT0+1YYNd0x+Nbz+scm+MnZmKuk6+ZnQRMYyJvcb1UQ=,iv:kh/zbW2UGpow6QuUp/9juqKKi2uxwAa/kfhu8hmz0+I=,tag:+E/eJhWgvslvzxorq5KyNQ==,type:str] + lastmodified: "2023-10-24T15:09:51Z" + mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str] pgp: - created_at: "2023-10-24T14:42:18Z" enc: |