WIP

This is mostly so that I can add the XDG-compliant configuration.

.envrc

@@ -1,10 +1,8 @@
-if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then
-    source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs="
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.0; then
+    source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.0/direnvrc" "sha256-21TMnI2xWX7HkSTjFFri2UaohXVj854mgvWapWrxRXg="
 fi
 
-use flake
-
 watch_file ./flake/checks.nix
 watch_file ./flake/dev-shells.nix
 
-eval "$shellHooks"
+use flake

.woodpecker/check.yml

@@ -1,7 +1,7 @@
 labels:
-  type: exec
+  backend: local
 
-pipeline:
+steps:
 - name: nix flake check
   image: bash
   commands:

bootstrap.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash -p bitwarden-cli git gnupg jq nix
+# shellcheck shell=bash
 
 # Command failure is script failure
 set -e
@@ -10,7 +11,6 @@ BOLD_GREEN="\e[0;1;32m"
 
 RESET="\e[0m"
 
-DEST="$HOME/.config/nixpkgs"
 BW_SESSION=""
 
 warn() {

flake.lock

@@ -8,14 +8,17 @@
         ],
         "nixpkgs": [
           "nixpkgs"
+        ],
+        "systems": [
+          "systems"
         ]
       },
       "locked": {
-        "lastModified": 1683866323,
-        "narHash": "sha256-M2bEuh2jr0Ec13GnP5f8unD8q0AcPt2fHSUynOZJ8No=",
+        "lastModified": 1703433843,
+        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "92197270a1eedd142a4aff853e4cc6d1e838c22f",
+        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
         "type": "github"
       },
       "original": {
@@ -33,11 +36,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
         "type": "github"
       },
       "original": {
@@ -50,11 +53,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -70,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1683560683,
-        "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+        "lastModified": 1706830856,
+        "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+        "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f",
         "type": "github"
       },
       "original": {
@@ -86,14 +89,16 @@
     },
     "futils": {
       "inputs": {
-        "systems": "systems"
+        "systems": [
+          "systems"
+        ]
       },
       "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
         "type": "github"
       },
       "original": {
@@ -111,11 +116,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1703887061,
+        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
         "owner": "hercules-ci",
         "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
         "type": "github"
       },
       "original": {
@@ -131,11 +136,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1683883222,
-        "narHash": "sha256-Tow+8GKwNNk2NvXoBwS/VBP8lpOdqIeeJ46ZU2fw5QU=",
+        "lastModified": 1707175763,
+        "narHash": "sha256-0MKHC6tQ4KEuM5rui6DjKZ/VNiSANB4E+DJ/+wPS1PU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "a835096fd2bcc369f57b76b9b17cc00348f595f5",
+        "rev": "f99eace7c167b8a6a0871849493b1c613d0f1b80",
         "type": "github"
       },
       "original": {
@@ -147,11 +152,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1683408522,
-        "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
+        "lastModified": 1707092692,
+        "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
+        "rev": "faf912b086576fd1a15fca610166c98d47bc667e",
         "type": "github"
       },
       "original": {
@@ -163,11 +168,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1683884754,
-        "narHash": "sha256-o3JF2SZJIwnz2YXwS0tb+CZqfXTABZDTdCjOG6fahIA=",
+        "lastModified": 1707234300,
+        "narHash": "sha256-D+LdA8g0Tq+KE9EmJMmn8EGRO5jZ2nLe/W0Fr5EIsdg=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "ee3497fa69c9c48ec7e4c0ffc1610ea543497633",
+        "rev": "59fceae769455455ef44c1dfb63bbae1ecddc41d",
         "type": "github"
       },
       "original": {
@@ -192,11 +197,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682596858,
-        "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=",
+        "lastModified": 1706424699,
+        "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "fb58866e20af98779017134319b5663b8215d912",
+        "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf",
         "type": "github"
       },
       "original": {
@@ -214,7 +219,8 @@
         "home-manager": "home-manager",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
-        "pre-commit-hooks": "pre-commit-hooks"
+        "pre-commit-hooks": "pre-commit-hooks",
+        "systems": "systems"
       }
     },
     "systems": {
@@ -228,6 +234,7 @@
       },
       "original": {
         "owner": "nix-systems",
+        "ref": "main",
         "repo": "default",
         "type": "github"
       }

flake.nix

@@ -9,6 +9,7 @@
       inputs = {
         home-manager.follows = "home-manager";
         nixpkgs.follows = "nixpkgs";
+        systems.follows = "systems";
       };
     };
 
@@ -27,6 +28,9 @@
       owner = "numtide";
       repo = "flake-utils";
       ref = "main";
+      inputs = {
+        systems.follows = "systems";
+      };
     };
 
     home-manager = {
@@ -64,6 +68,13 @@
         nixpkgs-stable.follows = "nixpkgs";
       };
     };
+
+    systems = {
+      type = "github";
+      owner = "nix-systems";
+      repo = "default";
+      ref = "main";
+    };
   };
 
   # Can't eta-reduce a flake outputs...

flake/dev-shells.nix

@@ -2,7 +2,7 @@
 {
   perSystem = { config, pkgs, ... }: {
     devShells = {
-      default = pkgs.mkShell {
+      default = pkgs.mkShellNoCC {
         name = "NixOS-config";
 
         nativeBuildInputs = with pkgs; [

flake/home-manager.nix

@@ -2,7 +2,7 @@
 let
   defaultModules = [
     # Include generic settings
-    "${self}/home"
+    "${self}/modules/home"
     {
       # Basic user information defaults
       home.username = lib.mkDefault "ambroisie";
@@ -39,8 +39,9 @@ let
     };
   };
 
-  hosts = {
-    "ambroisie@ambroisie" = "x86_64-linux"; # Unfortunate naming here...
+  homes = {
+    "ambroisie@bazin" = "x86_64-linux";
+    "ambroisie@mousqueton" = "x86_64-linux";
   };
 in
 {
@@ -49,13 +50,13 @@ in
     legacyPackages = {
       homeConfigurations =
         let
-          filteredHosts = lib.filterAttrs (_: v: v == system) hosts;
-          allHosts = filteredHosts // {
+          filteredHomes = lib.filterAttrs (_: v: v == system) homes;
+          allHomes = filteredHomes // {
             # Default configuration
             ambroisie = system;
           };
         in
-        lib.mapAttrs mkHome allHosts;
+        lib.mapAttrs mkHome allHomes;
     };
   };
 }

flake/nixos.nix

@@ -1,7 +1,5 @@
-{ self, inputs, ... }:
+{ self, inputs, lib, ... }:
 let
-  inherit (self) lib;
-
   defaultModules = [
     {
       # Let 'nixos-version --json' know about the Git revision
@@ -13,9 +11,7 @@ let
       ];
     }
     # Include generic settings
-    "${self}/modules"
-    # Include bundles of settings
-    "${self}/profiles"
+    "${self}/modules/nixos"
   ];
 
   buildHost = name: system: lib.nixosSystem {
@@ -25,7 +21,7 @@ let
     ];
     specialArgs = {
       # Use my extended lib in NixOS configuration
-      inherit lib;
+      inherit (self) lib;
       # Inject inputs to use them in global registry
       inherit inputs;
     };

home/comma/default.nix

@@ -1,29 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.my.home.comma;
-in
-{
-  options.my.home.comma = with lib; {
-    enable = my.mkDisableOption "comma configuration";
-
-    pkgsFlake = mkOption {
-      type = types.str;
-      default = "pkgs";
-      example = "nixpkgs";
-      description = ''
-        Which flake from the registry should be used with
-        <command>nix shell</command>.
-      '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    home.packages = with pkgs; [
-      ambroisie.comma
-    ];
-
-    home.sessionVariables = {
-      COMMA_PKGS_FLAKE = cfg.pkgsFlake;
-    };
-  };
-}

home/default.nix

@@ -1,53 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./aliases
-    ./atuin
-    ./bat
-    ./bluetooth
-    ./comma
-    ./dircolors
-    ./direnv
-    ./discord
-    ./documentation
-    ./feh
-    ./firefox
-    ./flameshot
-    ./fzf
-    ./gammastep
-    ./gdb
-    ./git
-    ./gpg
-    ./gtk
-    ./htop
-    ./jq
-    ./mail
-    ./mpv
-    ./nix
-    ./nix-index
-    ./nm-applet
-    ./packages
-    ./pager
-    ./power-alert
-    ./secrets
-    ./ssh
-    ./terminal
-    ./tmux
-    ./udiskie
-    ./vim
-    ./wm
-    ./x
-    ./xdg
-    ./zathura
-    ./zsh
-  ];
-
-  # First sane reproducible version
-  home.stateVersion = "20.09";
-
-  # Who am I?
-  home.username = "ambroisie";
-
-  # Start services automatically
-  systemd.user.startServices = "sd-switch";
-}

home/direnv/lib/nix.sh

@@ -1,32 +0,0 @@
-#shellcheck shell=bash
-
-use_pkgs() {
-    if ! has nix; then
-        # shellcheck disable=2016
-        log_error 'use_pkgs: `nix` is not in PATH'
-        return 1
-    fi
-
-    # Use user-provided default value, or fallback to nixpkgs
-    local DEFAULT_FLAKE="${DIRENV_DEFAULT_FLAKE:-nixpkgs}"
-
-    # Allow changing the default flake through a command line switch
-    if [ "$1" = "-f" ] || [ "$1" = "--flake" ]; then
-        DEFAULT_FLAKE="$2"
-        shift 2
-    fi
-
-
-    # Allow specifying a full installable, or just a package name and use the default flake
-    local packages=()
-    for pkg; do
-        if [[ $pkg =~ .*#.* ]]; then
-            packages+=("$pkg")
-        else
-            packages+=("$DEFAULT_FLAKE#$pkg")
-        fi
-    done
-
-    # shellcheck disable=2154
-    direnv_load nix shell "${packages[@]}" --command "$direnv" dump
-}

home/secrets/secrets.nix

@@ -1,10 +0,0 @@
-# Common secrets
-let
-  keys = import ../../keys;
-
-  # deadnix: skip
-  all = keys.users;
-in
-{
-  # Add secrets here
-}

home/ssh/default.nix

@@ -1,54 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.my.home.ssh;
-in
-{
-  options.my.home.ssh = with lib; {
-    enable = my.mkDisableOption "ssh configuration";
-  };
-
-  config.programs.ssh = lib.mkIf cfg.enable {
-    enable = true;
-
-    includes = [
-      # Local configuration, not-versioned
-      "config.local"
-    ];
-
-    matchBlocks = {
-      "github.com" = {
-        hostname = "github.com";
-        identityFile = "~/.ssh/shared_rsa";
-        user = "git";
-      };
-
-      "gitlab.com" = {
-        hostname = "gitlab.com";
-        identityFile = "~/.ssh/shared_rsa";
-        user = "git";
-      };
-
-      "git.sr.ht" = {
-        hostname = "git.sr.ht";
-        identityFile = "~/.ssh/shared_rsa";
-        user = "git";
-      };
-
-      "git.belanyi.fr" = {
-        hostname = "git.belanyi.fr";
-        identityFile = "~/.ssh/shared_rsa";
-        user = "git";
-      };
-
-      porthos = {
-        hostname = "91.121.177.163";
-        identityFile = "~/.ssh/shared_rsa";
-        user = "ambroisie";
-      };
-    };
-
-    extraConfig = ''
-      AddKeysToAgent yes
-    '';
-  };
-}

hosts/homes/ambroisie@ambroisie/default.nix

@@ -1,15 +0,0 @@
-# Google Cloudtop configuration
-{ ... }:
-{
-  # Google specific configuration
-  home.homeDirectory = "/usr/local/google/home/ambroisie";
-
-  # Some tooling (e.g: SSH) need to use this library
-  home.sessionVariables = {
-    LD_PRELOAD = "/lib/x86_64-linux-gnu/libnss_cache.so.2\${LD_PRELOAD:+:}$LD_PRELOAD";
-  };
-
-  systemd.user.sessionVariables = {
-    LD_PRELOAD = "/lib/x86_64-linux-gnu/libnss_cache.so.2\${LD_PRELOAD:+:}$LD_PRELOAD";
-  };
-}

hosts/homes/ambroisie@bazin/default.nix

@@ -0,0 +1,25 @@
+# Google Laptop configuration
+{ lib, pkgs, ... }:
+{
+  services.gpg-agent.enable = lib.mkForce false;
+
+  my.home = {
+    git = {
+      package = pkgs.emptyDirectory;
+    };
+
+    tmux = {
+      # I use scripts that use the passthrough sequence often on this host
+      enablePassthrough = true;
+
+      # HTerm uses `xterm-256color` as its `$TERM`, so use that here
+      trueColorTerminals = [ "xterm-256color" ];
+    };
+
+    ssh = {
+      mosh = {
+        package = pkgs.emptyDirectory;
+      };
+    };
+  };
+}

hosts/homes/ambroisie@mousqueton/default.nix

@@ -0,0 +1,22 @@
+# Google Cloudtop configuration
+{ lib, pkgs, ... }:
+{
+  # Google specific configuration
+  home.homeDirectory = "/usr/local/google/home/ambroisie";
+
+  services.gpg-agent.enable = lib.mkForce false;
+
+  my.home = {
+    git = {
+      package = pkgs.emptyDirectory;
+    };
+
+    tmux = {
+      # I use scripts that use the passthrough sequence often on this host
+      enablePassthrough = true;
+
+      # HTerm uses `xterm-256color` as its `$TERM`, so use that here
+      trueColorTerminals = [ "xterm-256color" ];
+    };
+  };
+}

hosts/nixos/aramis/default.nix

@@ -15,6 +15,7 @@
     ./secrets
     ./services.nix
     ./sound.nix
+    ./system.nix
   ];
 
   # Set your time zone.

hosts/nixos/aramis/hardware.nix

@@ -26,6 +26,12 @@
     firmware = {
       cpuFlavor = "intel";
     };
+
+    graphics = {
+      enable = true;
+
+      gpuFlavor = "intel";
+    };
   };
 
   hardware = {

hosts/nixos/aramis/home.nix

@@ -1,6 +1,10 @@
 { pkgs, ... }:
 {
   my.home = {
+    # Use graphical pinentry
+    bitwarden.pinentry = "gtk2";
+    # Ebook library
+    calibre.enable = true;
     # Some amount of social life
     discord.enable = true;
     # Image viewver
@@ -16,7 +20,6 @@
       element-desktop # Matrix client
       jellyfin-media-player # Wraps the webui and mpv together
       pavucontrol # Audio mixer GUI
-      quasselClient # IRC client
       transgui # Transmission remote
     ];
     # Minimal video player

hosts/nixos/aramis/profiles.nix

@@ -9,8 +9,6 @@
     gtk.enable = true;
     # Laptop specific configuration
     laptop.enable = true;
-    # Printers are hell, but so is the unability to print
-    printing.enable = true;
     # i3 configuration
     wm.windowManager = "i3";
     # X configuration

hosts/nixos/aramis/system.nix

@@ -0,0 +1,10 @@
+# Core system configuration
+{ ... }:
+{
+  my.system = {
+    # Printers are hell, but so is the unability to print
+    printing = {
+      enable = true;
+    };
+  };
+}

hosts/nixos/porthos/boot.nix

@@ -6,9 +6,8 @@
     # Use the GRUB 2 boot loader.
     loader.grub = {
       enable = true;
-      version = 2;
       # Define on which hard drive you want to install Grub.
-      device = "/dev/sda";
+      device = "/dev/disk/by-id/ata-HGST_HUS724020ALA640_PN2181P6J58M1P";
     };
 
     initrd = {

hosts/nixos/porthos/default.nix

@@ -9,6 +9,7 @@
     ./networking.nix
     ./secrets
     ./services.nix
+    ./system.nix
     ./users.nix
   ];
 

hosts/nixos/porthos/home.nix

@@ -1,6 +1,12 @@
 { ... }:
 {
   my.home = {
+    # Allow using 24bit color when SSH-ing from various clients
+    tmux.trueColorTerminals = [
+      # My usual terminal, e.g: on laptop
+      "alacritty"
+    ];
+
     # Always start a tmux session when opening a shell session
     zsh.launchTmux = true;
   };

hosts/nixos/porthos/install.sh

@@ -30,6 +30,7 @@ swapon /dev/sda2
 
 apt install sudo
 useradd -m -G sudo setupuser
+# shellcheck disable=2117
 su setupuser
 
 cat << EOF
@@ -37,7 +38,7 @@ cat << EOF
 curl -L https://nixos.org/nix/install | sh
 . $HOME/.nix-profile/etc/profile.d/nix.sh
 nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs
-sudo `which nixos-generate-config` --root /mnt
+sudo "$(which nixos-generate-config)" --root /mnt
 
 # Change uuids to labels
 vim /mnt/etc/nixos/hardware-configuration.nix

hosts/nixos/porthos/secrets/acme/dns-key.age

@@ -1,10 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg 0bz3W8QcGaulxy+kDmM717jTthQpFOCwV9HkenFJEyo
-NKeh1/JkX4WAWbOjUeKLMbsyCevnDf3a70FfYUav26c
--> ssh-ed25519 jPowng Q59ybJMMteOSB6hZ5m6UPP0N2p8jrDSu5vBYwPgGcRw
-j420on2jSsfMsv4MDtiOTMIFjaXV7sIsrS+g4iab+68
--> z}.q-grease s2W<qM_Z t
-n1Yfs/gmNsl/n9HtuKBIIT8iwIjYca2yxlh7Q1XAT1B+RZ8oGjW8yCPj1unbDGZL
-e5BfLO3zgkEZnQ
---- FSgNKEdDeeTjCx9jN9UtOFl58mC/Lbu1PAYRGK0CZW4
-U€¿+æ©jïÝ{gø`GŽ›ÆàˆR¾Qk]šóïdÐ6å˜ú‚y5T²$Äñs~Ùh‰Ä£òÔ<C3B2>Fº¢ç%°vöÌm<C38C>
+-> ssh-ed25519 cKojmg bQFr9oAnbo1rI/MpUV8wQz/Xj7iZY4ZU+Swf0nSIQFw
+zama2XJ0gdvUlD2GHMhmZqHSxHe+dKSfXnHoWDcSw7Y
+-> ssh-ed25519 jPowng gitUwSKTNKWLSxnwa185O7x/u0ul93g8wPESdZaKRk8
+uvBIfAUkZp5sg6rfeEGvL5ZDV8m2uSEotW02kjPN3Hw
+--- SZxe5f/CUZBvPQa2Sz/UBY3L68rMkIGGRuZPk7YE+Vg
+¾r ú
&…¥‹{~v?¨}=Ä
+}+
¿SQ’M[²]Œ±kMÒAàtŒÃmMë/£µLsü|Þ…m©CÀñiYC}ƒŽ‡çxŽ€

hosts/nixos/porthos/secrets/aria/rpc-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg fpiyZo1AR5hCfk/KtbgWCTzz+05/VOUnnaHhWgXQRwc
+d2w9IX/kq/T6OwQ1zImsCmzIX2yfFD8hQDbs0IW3ZIA
+-> ssh-ed25519 jPowng E9R7p9NCubUQrymjnrNfEjSNIIAXrBQLogNkWsOx8xc
+MrWEE5LNtOqAjnwA6byfSa1udnbUtqBy4FhdxipuA+g
+--- fKgerjgGs+brvNKnrWdpmOadl34LipMT6Msqse2g3E0
+Œ¡E9³ï¬‚KYRL-‡„°¡Ç·\E–ŸK{ÃÜ7âço»ïò²XÂGx<0E>ÍT’Î)Ëœôä<C3B4>6°%ˆ­LO€Tðÿ*‰™*8\£É@G

hosts/nixos/porthos/secrets/backup/password.age

@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg dgS4bezgtDi44R1A8am+J6zh80kUVYTo1heaxJCtzX4
-F3w/62xwtqYa40NU7OvF9pnZzYz/5hACAGJfMA4e2zw
--> ssh-ed25519 jPowng lx81CK3yeNp9RjHCUFJeKYZlRzxBmXuADVBvRc13zCI
-P7e75t8xU+ZkYmeQ8mmMfyZZsRdG1J8yrvSUkiWzkFQ
--> *z4/`-grease S/)a{e sFd";=
---- 15FVhqRTkoPFEeETRRyFQhsv4Fn19Ozlax0u8Zy9mNA
-õ#+¥àÎvøSÈ4èá}<7D>§Rì%‹Î¯F4fnDœ˜J¹¤Z‹¸A¥Û™,_
+-> ssh-ed25519 cKojmg O3DMSSPQP9/ehXmzs0xcCGllu7VSzhd6b4Pii8t2vWQ
+Ys1nMv2384elWWGW9C8HabvwUeWu52VsQpxx9L/4/dM
+-> ssh-ed25519 jPowng ft/9SX5fpG7+7gHMubaFtb+50/gfNgmaofOVq5UjRUE
+xMwdFjFdkH0Li+PikaFt0WAZbFUu5daHgkfN8aQQumo
+--- 7DVINvXIXdE1MRwIkeajonYsy1cp4HugCxfTeub5SXU
+<¥ö¡Ãñ<ýØ{VÇ?ñfk/¤áI®"<22>ï×/5K"Š¸(ì¢ùiÃÔôìñ

hosts/nixos/porthos/secrets/drone/secret.age

@@ -1,9 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg 1+cLlzctgcM0FnVDwMPOAqBkvMcDBRg8SvCw4djI93Y
-oV2XI4f1AvM9P591kZZ6NgJXa+SDtqGzCSgc4psOmxM
--> ssh-ed25519 jPowng Ufjfh1p350XxRPg95+/DHdmnl4lC0bbzUUlaxd1Bmxc
-/RHwFDSn2ov+60r1uHUigrsn99+GmmKmlk4h4T2gbA0
--> *Lc$@-grease
-pzVJAHy1qRq3jUrnFV0DDO7/hwV1US4Ogf0RsrVfX0xzbr73uJ003YjieVB25LqN
---- ME7/iVevyiguyhXugbkVFGzJV0yDccyKNlWbEZa/FmY
-YžŠXjb2uþnd;i0íýX]…§é0–þjé’L„PÔT~óú ƒÙ^kc”$D×ÚÛr¹úu³¶fr€e¸OÕ¸þ<C2B8>+p•¨<E280A2><C2A8>&ãw®öϨ
+-> ssh-ed25519 cKojmg 0J8FMcVRf78LYG+dTOFzu3luXwhOjdOg0sx4Jxdccj4
+tdrCcfcYbTZYhL18RG3goiqtyhu3NTn+fJhdIAnU5uA
+-> ssh-ed25519 jPowng qlF8nkSEg5fZgai0VP5eTSlZOHyj5IcalTf+QNWITVo
+O5aiZX0AJD76ixsu6i9xnnFBQANdsu3h6XzdTQ6KtKU
+--- ByMQt9bnbzd8YO0Y93FIYF/lmdbYcOydkYdKxpRQujM
++堍6JNm裶遁[Eb1p)vD究侖PL9捦€z逡<7A>煸!縺贿噮'嘥閍顖卷赿5︰:[控d肯峈撟M抪庱zj<7A>

hosts/nixos/porthos/secrets/gitea/mail-password.age

@@ -1,9 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 jPowng BkIjie2KrwDLaZYYIguCs7TPA/wQy+YPguikuhfye0M
-7viTA/EGYB/jRKQm6fFd86DMd4j+Jxsaw/xQ1T8ZKNo
--> ssh-ed25519 cKojmg t1Y8bZvPccNAX8vWQLTfCyOJIBXN515vyfFrEI2EVww
-bJEjpIWrKeQrA/JfY7FRdB6hpHwR/aG4Vya1ChFNBKs
--> jK/-grease Oz.R ?;)G ],
-AuHk9TcC9kl0dg8/L6UfHIk3e9fgGwSTJAJpVgInhok
---- 47z9lol5MtpX0IsO/0ggLDMcNVfl4lNNvoHUSwOU/18
-)gЪeuÞ!œš-
ÞTì¥YAðM+ˆãGbMe@­|A,è&ãÆE!܆p=P²=û9¹ÙP¹!Üö’Q|Ðä r
+-> ssh-ed25519 cKojmg 46BI3ItrXRWMivmd/K8bmkKlrYFSr8cbehAkmwCskig
+gTjYquH1hDEZ2zWD5P7gN/ejTCH8JJb8bC/VLZ3koeg
+-> ssh-ed25519 jPowng 5MqfJlasDbbqlI0dX98NZzHxmYmnnpveyBxa4z48V0o
+r7Yiv4+SZiDncD0Xzp5eFSP4f2yjGBOILKxEO1iT3Os
+--- l43+JtT28i1YDhNX3hE3Qb7swskOBc5ghDqiyh3rU2s
+Ž+)´”¯ÛPô¢nåWT,.<2E>‹²e
ÚNW€Îñ YƱkç
ÿF4Ê#=˜)üîò™6Ö±ÛmȵîJ‹<4A>ª#

hosts/nixos/porthos/secrets/matrix/mail.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg lmu3MinmydRHD0A/YVRRtopermfoBC8M8cTHfVanY1s
-ygrtpZZJ7aeQTblNazpoP7DdifmDxHsE3DFJsIrWX5M
--> ssh-ed25519 jPowng X0cihOc+fBtmtrkEivIHQngdYIobezXEF1x+pHqNzAw
-/+sw9x1NWY0anZhDMpAywBPrR0F4XCHaF9e8j/Yo/kI
--> 32;%1s-grease
-JafjuSZty6a4NSO/y4y5wHWL8Mw
---- dwCl66vdpsL0MR5NWWvg3JUnQ2QZQBeW0Dj0l5tvOKY
-oi,`ÓÜ#uÄwW%PoubÚ­cy8<79>ó
ƒÃÉ><¿F‰Ååq…ÂKÂÇk0Çk/<2F>hÀ¥Ÿ5势ÝF+ýu‡ •e€<06>¾Ÿ²óôbãè>1QŠ2®ñwn˜WbÖ–B˜âî<C3A2>iŸ^xurâ†-/llùÒÀÀ-ã=°7;jã0»I×%Fi¼<69>í€ø‹™A;Y†ìUd]KÅI0(½ ”øAg£Ðóž^†uG:äpkJ’Ÿ:q<>¢šWSaLw¯¿Ô!ïM
³4ã L/ùZŇ®¢D¶-XéUb»‘vÊbP‚ó›0ÇÅfÂ9êú<08> †âJ`ÃX°ôÐOÅ!s›{ÙÄQAšc€c;ÏÃÑ‹4öMíچݹlxH&ïéöé{é}ÁäÛzZ¦œ‚9ûÊXžÜ“g‰]Vϱ•0gt¡¿…žw·
+-> ssh-ed25519 cKojmg u+5VWUy7eFq4boAIOhuKXZYD4mhczaUAcjz4+coVggA
+QlBHHgz7uY3TVgex59yZA0XgsIeHi2WN2S+UleC7bMg
+-> ssh-ed25519 jPowng IyeI6WUjF8wxe92xD3xY++4ZqXtY8divB39eLWfAtm8
+eGj8w5X2ydS1LJvNSmo56xzRVoUB0iAKKs2NHX968Yc
+--- hsYH9lUl3wIErJmBKzlWV+gIR5v6vgPIcNDgd0hiRGc
+¹Ã@Úl<C39A>ôQûsÈ„ÿ×£©Dƒ}^{ºžá¾X)¸nYóJhXhg8wƒž´ ­ “ú°˜Ó¨Ç‚Çw–‡y(œ–aè¸ìê.0>|ÚPSlOÃ|ÈÊE‰õÂÙé°€¡<E282AC>BWó_ˆ³ÜÌ)|x4©„šºë\_F¶
+ZÒo0=dts –j<E28093>[ùŽõ0O+ÑÕRž8±‡ÕiüËçŽÜ»ˆõŒæÆdÀ«ß8j»â©ê
+‚g¹©‘–$xŒÿò¥Æbâ÷í<C3B7>­˜äX·¢gÂ^¼íùG¼Êô¤Ž$UÏûB*ö°é²¡£ÈÔ)[t¶ÃHa•vŸ7<>ÌÑj£âD.z¸+¬[~–õÁÃé9Ùý<C399>àz¼øô`sé¶,_!^YÓïʯ2H¹øS‹¿¼©øÅ<C3B8>øý*âñó@êj
Z^ˆôæÎv~غ¶@ò<>

hosts/nixos/porthos/secrets/matrix/sliding-sync-secret.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg xRtF3XVc7yPicAV/E4U7mn0itvD0h1BWBTjwunuoe2E
+OkB9sjGB3ulH4Feuyj3Ed0DBG4+mghW/Qpum9oXL/8c
+-> ssh-ed25519 jPowng 1r8drqhz1yZdTq0Kvqya+ArU1C2fkN7Gg9LiWWfeUFg
+cjbxntVwHvqLaJpiKs/Y8ojeb6e3/cLFcsoeuoobfFg
+--- B1qA2PylJBrdZxZtCzlU2kRPvxLM+IrXTvR+ERxVtTY
+"W9<57>Äbg¸©~Ì/áÕb4ãÕ†ú³ÜÔIÊ
+Û}ð
§ËÅË-³²ªNó±”ÑC7vWœbºØ?¦8=œÉwÆBÃUpJClï²OÈ™³œnOÁ\

hosts/nixos/porthos/secrets/monitoring/password.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg OdLtFHbHbc28rUn47vgsVvXxFNg9nF+9y9R6XOK390Y
-yQQYUPQGjN2+xrSqqBYa7/zS618KrVjX5Amw2MFuSLg
--> ssh-ed25519 jPowng NwUjiLtiXVi6XFmht5l1CxEs3gm0oN4vHYwDZyda7Q4
-di6znVjNRO6QdqteVNkeot5Ko2NwWLe6v+zVR3f+o10
--> 4Vx%\(-grease ^^Z>EC91 R 2BJ d48Wip*s
-yPiBgChRF31XgxccQFLO3MzRL7+5s29sfRoF3W1yUX6Bu59MpxD4D+n/jhLcxSH/
-CxW7KaiOctNmPm5tWh6qjmgQ+V4bcAji5vo4FKs40l56cfyueEJj+Q
---- WUGF28zqK9E1AlOeeCtSHxFg6ikRy85gOoLtBd4m0y0
-.|…rr>©†ðìì1ÅÆ2SÉž.×hw<12>wqºš%i˜øé	‚*U^­)Öè'qžµ›O2ÓœümòQÝ7˜¯m`
+-> ssh-ed25519 cKojmg l5lOlGnbvQ4D2kaSj1dd8Xr+btlNbTkT0SxSz02Vr1E
+Cjy73yKL1N8LnjRXXLpxX+wIOFCa8wrG44VjXUND1lI
+-> ssh-ed25519 jPowng nYHfkP9dRkxu4Fqh8MgrbdZAc8gk+VGDyxIV6RsSeEM
+rKKi1NDoKMMzQ+kUs5ZX4zMqRBI0QwGY7q6K/L9+dLI
+--- Umv3UCtXlApug7uuqmwbQN38i8Lx9/b0uhLgbc3OdZM
+äBLsś ‹?ÖsÓ“s<E2809C>2Îy
+R0ą‘!<fü9txB7dň<13>™ÚŠň^©ô É‡LJ&ń
W
€<©e]
+ţ/$$

hosts/nixos/porthos/secrets/monitoring/secret-key.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg uz/Zf2uv+q7f3CVEoDuThHdqKE12lgHMDaORjZR/R2M
+HqsqZouRxocuHOic08c2oURw2I95BM9CzgEv7FPsWwM
+-> ssh-ed25519 jPowng N0HG0fB19MUa2fOIdpKxOZOWjdUgEmKOjIP4hkx1JFo
+MAgTWh9d5d75iuzfA2eQ5P8ltSXZJ42dAT82YLGy0hs
+--- g9KaXbUtmB05NWkGDSyWxEzo9woQaHHb+TtpvXfcpM4
+cÓX× ȧ˜5	b2¡•¬-€‹Ñ"•›RSÒI¦&ÌÍQøtÒ[QZ¨F¦kô.POè	’?Lü¤StãÖ-Kj

hosts/nixos/porthos/secrets/nix-cache/cache-key.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg 8hV+BAKLsq8H/cxsklzuK2Q0/CqwjW6q8xMMJ0EaMDI
+LUjA2/qZAAeYjW6TtvmifBUo/WGigKwed6p7RnGjRyA
+-> ssh-ed25519 jPowng wrJBGPfY2a8HLoqO12/YIzCB40tZmbAlFTVrDrxrCnE
+9ARASO4ZPEyQoBIrs/u8FovkzugQ4fIrZObUVBZ+UAs
+--- WKMVJ4dhRAUelxXc7bJ6+UNOSrHxI4LhPo3i0RaHk7A
+ˆÌ˯®9QŸ5
J‡i£¾)¦TS<54>¶8õ+ú®3ñŽ|“&ç"qFF+…í¬ vÉ‚’WjÏË–äÂMOßV×'¾\«àvK$„52˜î¥Ú¾í,lû,̹O§gßÚ¬L78!îQðR$«iöćͰ8>°ñ
BФbÑ„•ÌÃfDc/qWDÅ'›g9

hosts/nixos/porthos/secrets/paperless/password.age

@@ -1,10 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg zhpo89xef68JoeOFWzhdFshrj2BXXUCFPMLVJzv6EyE
-fmJxJi5rmyai9qGwDo7iHg4BrObGre96KCpl+g91O6I
--> ssh-ed25519 jPowng INA6EZdy4J1p3QY5mfVOQXiLdOjIDaZR+CZMP+GfkXM
-8Nf5soaxY5SEzeJca5kaJkx7ByOvc4NkJVetB7wpEmo
--> xjK'w-grease
-f5v0cvlt4JbHlAwDOob86qOInWdlN/oohTg
---- NTGv4rr+MhJ/YeZhVHOjoS1V+zCHFf2itJYfK36R+wE
-š×—®JÚ dő– oŞę'YFUź@
-r7”ă“_N$‰˙Ź–č‡>‚ˇę]hq»-¨FŰ°qX˙?Î|?µĘ
+-> ssh-ed25519 cKojmg 1hbRAuAGrTy6nmkAq+UWua8weywphZsTIGF68YQEOlQ
+92Q7uIKv1EiO73wMh53jrTuEkzP6ziBmX9SWXCl4d3w
+-> ssh-ed25519 jPowng aPb9v/S/mLW95Qom+swvasqY878RxpxxOkMJA2wb6nY
+qu/dzcqciqKzNc28HqFMHA1XnrJy+/wWgbfM1+BrlkE
+--- 8PXOozvZzNZQD2OT4a+0XuIQauzUGSvovdfDugmp+bc
+x²Ž‚ê Ã>ùý²ç¦©ðóÁÇ_ÏC9d™T5ŸûKzЄqØcZ©°É¾pŒš¾¡ ใºv
+)Œ³õ²¥

hosts/nixos/porthos/secrets/paperless/secret-key.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg tZwn2usN6K62oS4vBa6boh9zEp/+cS4chP8boXG6SH4
-Fr3kV8gUDoiDqMxPYWsHyww8umYhQEKhqbVBiVw5NeI
--> ssh-ed25519 jPowng wRbJl4G85obH/GluQBBsXE7MOvooEui65eqHfurvuQs
-KqVZMBSyHhkayEdwI6ocmA4qhHY9zYJvg1CEKM1SOa0
--> 2E"/OFW-grease o Qp3HFe^
-bGhCNicPqt7txqxUiEWXCFs1OuQLqOqHmjHSqYQv919dqYep/xBXzi/aRf3dsdvh
-TCJCTvZG31Qxvikp
---- xKJGbdVp+Z5h0vCBleSF2zYYYd2S5i0y4szNqjRwrDY
-Tª
/N¯<4E>¨¹i7m4‚#³MhiñP¹šÒÞ›Á¥-ÏgI÷ñ±%@E†(›i
ÿ7·ý©ýYg¦k±´"+㸠Àª(þ]o¨¸–ý†ð<E280A0>@báÊÞ§+Ï[‚Y"ÿ‘ÌBóóCR[ >-Ë.4d…¤b9v
+-> ssh-ed25519 cKojmg r3ZUTfSNcHc1TS2fVtk99Y2xJMMunkwkcR0dQIdiCi4
+LICSnzAaooGy6x4wt0vNM6YtQ4S17QohZNt7lfVrD6Q
+-> ssh-ed25519 jPowng KLU68ws4lemr0wWHxm8H8pf1SQAoUZTN4QSPzk2PyHk
+6pjH1pI956oaf9ZIHPPq8p3g/mZC5GxWhWkT54Wohf0
+--- cAQbniTwwtTftfXU/dGtA69yF/hh8iB97vHxvkIZMMo
+°c#Ž=^Ì~?5ú-w—NT†Ì¡<C38C>¨+¶¨Ä!z¥<7A> "’ Zö"2ºëðù×M!pž5×V¬ÈÛjçΡѡŽâ¥âL¹ÁÌyóÐŹúš›n÷ÄŠ8zQö°+¨ËÁØ©9WSµ§<C2B5>Æ0¨u}YÚ

hosts/nixos/porthos/secrets/podgrab/password.age

@@ -1,9 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg 8rcBI7fYHuA3jO6EzJNFaAj2niIApKDt1HQEv61AKTs
-ANxkIX/CeI7t7Zqp6wmjt/D194Z+xpeiidb+qvYzoQU
--> ssh-ed25519 jPowng oruewwTM9X/HjjcmOPcQVdp02rQBlgJPdzvlAffs3T0
-MrO0kaNhjgOkNHuz3NrIMWXNrXOHH9dT/Fk6hoQNKyY
--> COK%H7-grease
-6yfI90QurOKlM+kgpW8KZ/iBzDYD9yhNmjG1LQ
---- uArz8eHg8sLO0sdlkM6cELFh+FHiI5BrM0+iXJxxiDo
-¿vývû´ÊNÊbæ@Ÿ¡Â<C2A1>FÛMMíYËÆíÌ&‰’/%¤¹Ñm¨®ØtÁÖ“ªd†h„­|¡ðŒß©8¼Ž Ú½¨9‚®<11>Cã¯/Å
+-> ssh-ed25519 cKojmg bICZUDqk/C2divEZu2lxUDsrtS1inSbDbS8hxJSJfHc
+FsfueyP6WCesAu5EcXIxxtvbb8RX09qNTN9GvuhYuTw
+-> ssh-ed25519 jPowng Uujsu6c+QTXqCNi6c+zxk5tf0UQcG+Qm/SZF4dzSKCY
+RPVNNNauz73A8kWA0VSQiMWCerUkxPoXG2MUrFly3Bc
+--- 8h4hGasOwZxk+i5aQfg6AzdA1G4wROhxz2rmM9u41b8
+{Rﾜ<>ﾗ=42<34>
y<>咨ｯ眺ﾃj嚀廁<E59A80>WQ▽隯%畊ｽ宅	顕褜返<E8A49C>弁K<E5BC81>ﾄ蘊ﾏFｮﾓ?埴膕K歯｢

hosts/nixos/porthos/secrets/pyload/credentials.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg nJbOfp0/wmFOZLzcWjoGB7wEB8e56aO1NntSmn5KomU
+/Vio4Z/t7IPJrdzdwUPidVH3wrouSkwRzNHP0T4z3x0
+-> ssh-ed25519 jPowng QXg/xqs7/VfkYQg3X77w4i53q64bL9oYeTxqb9NVhiQ
+sMHIXlmrIxtIr+s0X4lBqev/PPd3AKD5P7AP5K4NeJg
+--- gzTn+6+aa4Ptic1lsvSt+r3IEBysHrvMMIyONogMDF0
+<EFBFBD>ÏÂ<EFBFBD>Ë®UE_í</¯çQ·Ü+U“AГMÄÿ/kï×dAL/”úÕįÍoæ\XïEDÇÑfã\ièÄ‘½àpF„`#¬n4è–x1î<31>ûÞèDëàÂË5CéЦ&fòB»q${Gg…Aqˆ³@üVu!Cc…R\ªÖ¨

hosts/nixos/porthos/secrets/secrets.nix

@@ -12,6 +12,8 @@ in
 {
   "acme/dns-key.age".publicKeys = all;
 
+  "aria/rpc-token.age".publicKeys = all;
+
   "backup/password.age".publicKeys = all;
   "backup/credentials.age".publicKeys = all;
 
@@ -35,6 +37,9 @@ in
     owner = "matrix-synapse";
     publicKeys = all;
   };
+  "matrix/sliding-sync-secret.age" = {
+    publicKeys = all;
+  };
 
   "miniflux/credentials.age".publicKeys = all;
 
@@ -42,25 +47,35 @@ in
     owner = "grafana";
     publicKeys = all;
   };
+  "monitoring/secret-key.age" = {
+    owner = "grafana";
+    publicKeys = all;
+  };
 
   "nextcloud/password.age" = {
     owner = "nextcloud";
     publicKeys = all;
   };
 
-  "nix-serve/cache-key.age".publicKeys = all;
+  "nix-cache/cache-key.age".publicKeys = all;
 
   "paperless/password.age".publicKeys = all;
   "paperless/secret-key.age".publicKeys = all;
 
   "podgrab/password.age".publicKeys = all;
 
+  "pyload/credentials.age".publicKeys = all;
+
   "sso/auth-key.age".publicKeys = all;
   "sso/ambroisie/password-hash.age".publicKeys = all;
   "sso/ambroisie/totp-secret.age".publicKeys = all;
 
+  "tandoor-recipes/secret-key.age".publicKeys = all;
+
   "transmission/credentials.age".publicKeys = all;
 
+  "vikunja/mail.age".publicKeys = all;
+
   "wireguard/private-key.age".publicKeys = all;
 
   "woodpecker/gitea.age".publicKeys = all;

hosts/nixos/porthos/secrets/transmission/credentials.age

@@ -1,10 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg mP2H3PWJN6Pv3q6C2wci3KnXjtFAIiuGy0YH0sGIy2g
-f43QqyUQfTYznszub47kgc2Mz95zVScTDkwnG3INi9U
--> ssh-ed25519 jPowng fENbu7+FZ1mnQQHQCLm1spLHmsQGlRoJResUJtGzYkY
-hX+AqCkLCca6m/aKtGCThi7/mCCz/TZQNJNOlOmlqyA
--> J<-grease
-n7+CPRr4oazWnE7yzpJN2ZAI4QrGsAerloP4wNeebjQDx8+IxJq1JE0g3Yi0RxzN
-chDccuSPLYk45Ov+SD/qqqFZlQ
---- p81HYw3LFj+qz2kiZsDcevM4ZBfvN743P9Jdi7J9XkM
-‚¢ìÛ±S·7 <EFBFBD>‘ý£÷ÜãV»»Bðßâø±³ˆ¶ïO‰lEt˜‹Á…šqý</Ç—Ø©9²ã(ØP†$Wƒ0h;÷‰±àJy¯feø‚ >·_D,PºVFp\æ"AM}èg?<3F>ÿ<EFBFBD>Ý/\²Ä;ùy’¬Óš(<28>ÑSñKË
+-> ssh-ed25519 cKojmg Froxrdh4H2Bsj4X2xicyBXHPRlbkRJAOztoTfzxItSM
+FnsLS2QYm8mJUO+c152FieLCFkALxxwQLnY4PAj8zsU
+-> ssh-ed25519 jPowng pKl4p02M+U5JsiOnM2wXL5bkPwsI3IHjlTutlvez3zM
+NSuOFsyV8JqtTq97lNzacJnJ3YZgWp53XxU3mjUlcMQ
+--- 2TK2ViFblmDheaYdat/GF0ze1wVsla1EPLaeRdMM4Gs
+®àµÕ¨ENÜžäm›Û2uÂ~Ju¼b´´t[Ý$Tñþ^‘2–°<E28093>½jœÙÜi@xªÒ¸*Ä°
g[MÞH½½Xš!”‰6Áez¼…¥DW]ÓÕ<‰–`XÛâêÁÜÄPóéý÷ÃÞ›
+¶¥q*Îo¼½ÃÑ$‚åÓ<²

hosts/nixos/porthos/secrets/vikunja/mail.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg o5UoCsI4rvzJ84AQsumbyEngllUcSQB0lZw9F0zK82A
+xRcqV+QOqvpeMZiNCdWVhiRaEBayf3cv65xcrIKTfyI
+-> ssh-ed25519 jPowng zFZTStqeaFy+HJGN3EV29+Qtf+oaXTKsZNnhetvlNz4
+5dsAyBzbJ3If1KO9vvrO5UHvFfKq154xTvQbu50TFGc
+--- /MjYRy6PXkzAcTMMqt84/+SkKFcuGbdFZ3BXHZ15yzY
+/\œËÃQ'K0
+‚¨5]QzO·\à®ÿÞ•›L<06>úf“^—÷©<˜+ÌC<C38C>ø¼Þvƒ ì†)"‚6Ú·?ésoÀô§ÂÐH<C390>ŠÿÔûxÇ÷7}õ³–Èv¸ûû’1&Ð"	¨¦FËåÙ%Á%ÕÖ|îä'„õŽ#ÛdV<64>€žUî)?€þ÷ÿ—ýð¸pþÑÅ}¬odS×Á§|ø¹T‚þ;É‹]fM˜®xä°>h3ÛÚÓ{·Wí.²1&ºLö)õß±=k0ÖSSbœ|ÊV™‹)Tìû©ïBý:ŽÅë𗯾».‹½lrI“fè8ø!~ËJe§<·3?;—òk$H¾šÈk	+å6¼¤Â¯“ÿ`’#V˜ÒO<C392>»tî0à
+Ó

hosts/nixos/porthos/secrets/wireguard/private-key.age

@@ -1,10 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg +WwRpd2MzycutQFXyLsr2+GzSgF67Z6UuvyqYZaLd3w
-sppt8HzaZP3yxnvnhzjl18Trnz8g3VyXJ6CaVBWd7jA
--> ssh-ed25519 jPowng wanoqGB7T8bim/WZ4IAYViFQoGzaIZSgeoTr3YKpeTY
-ihDAdGa1XVW/qQz40V1v7a7iK7tu0EHMa7ayIogpcRw
--> l-grease |PIcZ NIr >0;*
-4o8o0bevQZ6uDSx1WxxlDCURbFCM+yK1XPdrb9aztCSvG2a+ne78E42l5rBcoH7I
-m51A8uWS4nSj36N/76v6K4kelxKzWUg
---- O6cGbTAVbDcdmPHf7UzfZiyiRtu1yfL4sBI+CkJA1qw
-ý
qýŐ$ň`żw'čS“X¸]Ąá÷ř®úî…?¤6‹Đ/ĆN(Bžň N«a”.˙ HŽ7żí•I<E280A2>ú÷Ŕoz‡/4:sK",7J
+-> ssh-ed25519 cKojmg KslHl4v8yCsKZn5TduLgpTfpTi1uOInC9N2e8Ow83FI
+NzcJJr8kw1ykAdWRZOeWdNhx0BTgE7FwTKcge+yLJ/w
+-> ssh-ed25519 jPowng YGWcOai0A9l2HDZyV0GtD8kEbY/xTUssODFBcseWAkA
+nJaHXkipFSHdyektoKV5y1jQrjkvnU7pwZwAymiQm7M
+--- IgWkDulol1jRa+pcx7DbEy5pvC+2nrRJHsdQVPvPur0
+Bb<ÅŒb!ÏëE?:ÇÓô=÷srJC<4A>œüKz5ø®Ô{–Æ4`¾&N0€ÕÈö¹57ñüví’©+´1
++(d§á¡{ìQŠÙ

hosts/nixos/porthos/secrets/woodpecker/secret.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 jPowng yz0I+AazPmamF7NOnwYNrPE/ArarU01jd2mVDJUPSTY
-6Y/YQ7gb8cAZf3zT9SKOorvfUnU7kYff+gHh8fG2mY8
--> ssh-ed25519 cKojmg 0FZU9v8eHsVeE+EoX9Y4IgfIj/8+45waPaSnSDb961I
-L6SzJoh5xqai45scoVAa6v9zslBGFYNnZY044d470uQ
--> I[G-grease p
-AMRQY1alSzHi/PLL80kcvnM1Z9YNfoUo9u5alWXYMyzrRsg+vXjMuBvAXg3fmnzr
-wdOowTYMRV+jEG8vzkcQTsv+f7JIyo4DvOOaPyGfWMl1
---- ih3IAFPcN1JP3FP1vcRGnPrfk91yrnIX0m/Szkbcf7Q
-ÑmW„r‚µœ_\)Í°]QŠ¦xMÃs/݃Îݪäœó‚Í6óº“k±äÅY§xïMy¶ J¿¸‹GßÃ)i2_'ÖœHF€þ.âg_Îe5³#uätñØÕ 7j„ŽPñ²'TÞ¥8´•\IàW«UùäK­°1Úº9½è
+-> ssh-ed25519 cKojmg tAW2hbBSxsael6cdbN+vI4h1/PMNrWYct8cppCAasn0
+cex/wBTviSIXc8clNm5PGltTYa1Q5PwqlX4BGsNHiyU
+-> ssh-ed25519 jPowng YxfhtpytvuhIARQAaJ0w94aOZiGNUOBR0pF+Sp80D2k
+nMon/VdYUQTs6LFccDGeIKWeNYib1wwtFmEYZkDZxg0
+--- giL477X0+uZ2Ocvbixt5f5kNc1laj5P79oW8P9XsNP0
+¨›Ãd>ò±cE?nb¹vš_²'2ûûà³<1B>Õµ¥_6P›u:ÊusºE“8õ“ØÏ“xuڶ̪…Îxù̧ïžC[†®°
ˆÁ.õêŽ6‰¯  qÌÀÍîJ°Ä5GäKÌ)N<ÊyYÉ¥tX=l7
T´2­¨ùRÙ

hosts/nixos/porthos/services.nix

@@ -28,12 +28,6 @@ in
       enable = true;
       libraryPath = "/data/media/library";
     };
-    drone = {
-      enable = true;
-      runners = [ "docker" "exec" ];
-      secretFile = secrets."drone/gitea".path;
-      sharedSecretFile = secrets."drone/secret".path;
-    };
     # Auto-ban spammy bots and incorrect logins
     fail2ban = {
       enable = true;
@@ -70,6 +64,9 @@ in
       mailConfigFile = secrets."matrix/mail".path;
       # Only necessary when doing the initial registration
       secretFile = secrets."matrix/secret".path;
+      slidingSync = {
+        secretFile = secrets."matrix/sliding-sync-secret".path;
+      };
     };
     miniflux = {
       enable = true;
@@ -80,6 +77,7 @@ in
       enable = true;
       grafana = {
         passwordFile = secrets."monitoring/password".path;
+        secretKeyFile = secrets."monitoring/secret-key".path;
       };
     };
     # FLOSS music streaming server
@@ -92,9 +90,9 @@ in
       enable = true;
       passwordFile = secrets."nextcloud/password".path;
     };
-    nix-serve = {
+    nix-cache = {
       enable = true;
-      secretKeyFile = secrets."nix-serve/cache-key".path;
+      secretKeyFile = secrets."nix-cache/cache-key".path;
     };
     nginx = {
       enable = true;
@@ -121,7 +119,13 @@ in
       secretKeyFile = secrets."paperless/secret-key".path;
     };
     # The whole *arr software suite
-    pirate.enable = true;
+    pirate = {
+      enable = true;
+      # ... But not Lidarr because I don't care for music that much
+      lidarr = {
+        enable = false;
+      };
+    };
     # Podcast automatic downloader
     podgrab = {
       enable = true;
@@ -130,17 +134,34 @@ in
     };
     # Regular backups
     postgresql-backup.enable = true;
+    pyload = {
+      enable = true;
+      credentialsFile = secrets."pyload/credentials".path;
+    };
     # RSS provider for websites that do not provide any feeds
     rss-bridge.enable = true;
     # Usenet client
     sabnzbd.enable = true;
     # Because I stilll need to play sysadmin
     ssh-server.enable = true;
+    # Recipe manager
+    tandoor-recipes = {
+      enable = true;
+      secretKeyFile = secrets."tandoor-recipes/secret-key".path;
+    };
     # Torrent client and webui
     transmission = {
       enable = true;
       credentialsFile = secrets."transmission/credentials".path;
     };
+    # Self-hosted todo app
+    vikunja = {
+      enable = true;
+      mail = {
+        enable = true;
+        configFile = secrets."vikunja/mail".path;
+      };
+    };
     # Simple, in-kernel VPN
     wireguard = {
       enable = true;

hosts/nixos/porthos/system.nix

@@ -0,0 +1,12 @@
+# Core system configuration
+{ ... }:
+{
+  my.system = {
+    nix = {
+      cache = {
+        # This server is the one serving the cache, don't try to query it
+        selfHosted = false;
+      };
+    };
+  };
+}

lib/lists.nix

@@ -24,4 +24,10 @@ in
   #   (any -> value)
   #   [ any ]
   mapFilter = pred: f: attrs: filter pred (map f attrs);
+
+  # Transform a nullable value into a list of zero/one element.
+  #
+  # nullableToList ::
+  #   (nullable a) -> [ a ]
+  nullableToList = x: if x != null then [ x ] else [ ];
 }

modules/home/bitwarden/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.home.bitwarden;
+in
+{
+  options.my.home.bitwarden = with lib; {
+    enable = my.mkDisableOption "bitwarden configuration";
+
+    pinentry = mkOption {
+      type = types.str;
+      default = "tty";
+      example = "gtk2";
+      description = "Which pinentry interface to use";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.rbw = {
+      enable = true;
+
+      settings = {
+        email = lib.my.mkMailAddress "bruno" "belanyi.fr";
+        inherit (cfg) pinentry;
+      };
+    };
+  };
+}

modules/home/calibre/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.home.calibre;
+in
+{
+  options.my.home.calibre = with lib; {
+    enable = mkEnableOption "calibre configuration";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = with pkgs; [
+      calibre
+    ];
+  };
+}

modules/home/comma/default.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.home.comma;
+in
+{
+  options.my.home.comma = with lib; {
+    enable = my.mkDisableOption "comma configuration";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = with pkgs; [
+      ambroisie.comma
+    ];
+  };
+}

modules/home/default.nix

@@ -1,29 +1,58 @@
-{ config, inputs, lib, ... }:
-let
-  actualPath = [ "home-manager" "users" config.my.user.name "my" "home" ];
-  aliasPath = [ "my" "home" ];
-
-  cfg = config.my.user.home;
-in
+{ ... }:
 {
   imports = [
-    inputs.home-manager.nixosModules.home-manager # enable home-manager options
-    (lib.mkAliasOptionModule aliasPath actualPath) # simplify setting home options
+    ./aliases
+    ./atuin
+    ./bat
+    ./bitwarden
+    ./bluetooth
+    ./calibre
+    ./comma
+    ./dircolors
+    ./direnv
+    ./discord
+    ./documentation
+    ./feh
+    ./firefox
+    ./flameshot
+    ./fzf
+    ./gammastep
+    ./gdb
+    ./git
+    ./gpg
+    ./gtk
+    ./htop
+    ./jq
+    ./keyboard
+    ./mail
+    ./mpv
+    ./nix
+    ./nix-index
+    ./nixpkgs
+    ./nm-applet
+    ./packages
+    ./pager
+    ./power-alert
+    ./secrets
+    ./ssh
+    ./terminal
+    ./tmux
+    ./udiskie
+    ./vim
+    ./wget
+    ./wm
+    ./x
+    ./xdg
+    ./zathura
+    ./zsh
   ];
 
-  config = lib.mkIf cfg.enable {
-    home-manager = {
-      # Not a fan of out-of-directory imports, but this is a good exception
-      users.${config.my.user.name} = import ../../home;
+  # First sane reproducible version
+  home.stateVersion = "20.09";
 
-      # Nix Flakes compatibility
-      useGlobalPkgs = true;
-      useUserPackages = true;
+  # Who am I?
+  home.username = "ambroisie";
 
-      # Forward inputs to home-manager configuration
-      extraSpecialArgs = {
-        inherit inputs;
-      };
-    };
-  };
+  # Start services automatically
+  systemd.user.startServices = "sd-switch";
 }

modules/home/direnv/lib/android.sh

@@ -0,0 +1,57 @@
+#shellcheck shell=bash
+
+# shellcheck disable=2155
+use_android() {
+    if [ -z "$ANDROID_HOME" ]; then
+        log_error "use_android: 'ANDROID_HOME' is not defined"
+        return 1
+    fi
+
+    _use_android_find_latest() {
+        local path="$1"
+        local version
+
+        version="$(semver_search "$path" "" "")"
+        if [ -z "$version" ]; then
+            log_error "use_android: did not find any version at '$path'"
+            return 1
+        fi
+
+        printf '%s' "$version"
+    }
+
+    # Default to the latest version found
+    local ndk_version="$(_use_android_find_latest "$ANDROID_HOME/ndk" || return 1)"
+    local build_tools_version="$(_use_android_find_latest "$ANDROID_HOME/build-tools" || return 1)"
+
+    unset -f _use_android_find_latest
+
+    # Allow changing the default version through a command line switch
+    while true; do
+        case "$1" in
+            -b|--build-tools)
+                build_tools_version="$2"
+                shift 2
+                ;;
+            -n|--ndk)
+                ndk_version="$2"
+                shift 2
+                ;;
+            --)
+                shift
+                break
+                ;;
+            *)
+                break
+                ;;
+        esac
+    done
+
+    export ANDROID_NDK_HOME="$ANDROID_HOME/ndk/$ndk_version"
+    export ANDROID_ROOT="$ANDROID_HOME"
+    export ANDROID_SDK_ROOT="$ANDROID_HOME"
+    export ANDROID_NDK_ROOT="$ANDROID_NDK_HOME"
+
+    PATH_add "$ANDROID_NDK_HOME"
+    PATH_add "$ANDROID_HOME/build-tools/$build_tools_version"
+}

modules/home/direnv/lib/nix.sh

@@ -0,0 +1,69 @@
+#shellcheck shell=bash
+
+use_pkgs() {
+    if ! has nix; then
+        # shellcheck disable=2016
+        log_error 'use_pkgs: `nix` is not in PATH'
+        return 1
+    fi
+
+    # Use user-provided default value, or fallback to nixpkgs
+    local DEFAULT_FLAKE="${DIRENV_DEFAULT_FLAKE:-nixpkgs}"
+    # Additional args that should be forwarded to `nix`
+    local args=()
+
+    # Allow changing the default flake through a command line switch
+    while true; do
+        case "$1" in
+            -b|--broken)
+                args+=(--impure)
+                export NIXPKGS_ALLOW_BROKEN=1
+                shift
+                ;;
+            -f|--flake)
+                DEFAULT_FLAKE="$2"
+                shift 2
+                ;;
+            -i|--impure)
+                args+=(--impure)
+                shift
+                ;;
+            -s|--insecure)
+                args+=(--impure)
+                export NIXPKGS_ALLOW_INSECURE=1
+                shift
+                ;;
+            -u|--unfree)
+                args+=(--impure)
+                export NIXPKGS_ALLOW_UNFREE=1
+                shift
+                ;;
+            --)
+                shift
+                break
+                ;;
+            *)
+                break
+                ;;
+        esac
+    done
+
+
+    # Allow specifying a full installable, or just a package name and use the default flake
+    local packages=()
+    for pkg; do
+        if [[ $pkg =~ .*#.* ]]; then
+            packages+=("$pkg")
+        else
+            packages+=("$DEFAULT_FLAKE#$pkg")
+        fi
+    done
+
+    # shellcheck disable=2154
+    direnv_load nix shell "${args[@]}" "${packages[@]}" --command "$direnv" dump
+
+    # Clean-up after ourselves (assumes the user does not set them before us)
+    unset NIXPKGS_ALLOW_BROKEN
+    unset NIXPKGS_ALLOW_INSECURE
+    unset NIXPKGS_ALLOW_UNFREE
+}

modules/home/firefox/default.nix

@@ -33,13 +33,10 @@ in
     enable = true;
 
     package = pkgs.firefox.override {
-      cfg = {
-        enableTridactylNative = cfg.tridactyl.enable;
-      };
-
-      extraNativeMessagingHosts = with pkgs; ([ ]
+      nativeMessagingHosts = ([ ]
+        ++ lib.optional cfg.tridactyl.enable pkgs.tridactyl-native
         # Watch videos using mpv
-        ++ lib.optional cfg.ff2mpv.enable ambroisie.ff2mpv-go
+        ++ lib.optional cfg.ff2mpv.enable pkgs.ff2mpv-go
       );
     };
 
@@ -57,8 +54,8 @@ in
           "browser.newtabpage.activity-stream.section.highlights.includePocket" = false; # Disable pocket
           "extensions.pocket.enabled" = false; # Disable pocket
           "media.eme.enabled" = true; # Enable DRM
-          "media.gmp-widevinecdm.visible" = true; # Enable DRM
           "media.gmp-widevinecdm.enabled" = true; # Enable DRM
+          "media.gmp-widevinecdm.visible" = true; # Enable DRM
           "signon.autofillForms" = false; # Disable built-in form-filling
           "signon.rememberSignons" = false; # Disable built-in password manager
           "ui.systemUsesDarkTheme" = true; # Dark mode

modules/home/firefox/tridactyl/tridactylrc

@@ -22,8 +22,8 @@ bind ;c hint -Jc [class*="expand"],[class*="togg"],[class="comment_folder"]
 bindurl reddit.com gu urlparent 3
 
 " Only hint search results on Google
-bindurl www.google.com f hint -Jc #search div:not(.action-menu) > a
-bindurl www.google.com F hint -Jbc #search div:not(.action-menu) > a
+bindurl www.google.com f hint -Jc #search a
+bindurl www.google.com F hint -Jbc #search a
 
 " Only hint search results on DuckDuckGo
 bindurl ^https://duckduckgo.com f hint -Jc [data-testid="result-title-a"]
@@ -69,8 +69,6 @@ unbind <C-f>
 " Redirections {{{
 " Always redirect Reddit to the old site
 autocmd DocStart ^http(s?)://www.reddit.com js tri.excmds.urlmodify("-t", "www", "old")
-" Use a better Twitter front-end
-autocmd DocStart ^http(s?)://twitter.com js tri.excmds.urlmodify("-t", "twitter.com", "nitter.net")
 " }}}
 
 " Disabled websites {{{

modules/home/gdb/default.nix

@@ -20,19 +20,19 @@ in
     };
   };
 
-  config = lib.mkMerge [
-    (lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
       home.packages = with pkgs; [
         gdb
       ];
 
       xdg.configFile."gdb/gdbinit".source = ./gdbinit;
-    })
+    }
 
     (lib.mkIf cfg.rr.enable {
       home.packages = [
         cfg.rr.package
       ];
     })
-  ];
+  ]);
 }

modules/home/git/default.nix

@@ -7,6 +7,9 @@ in
 {
   options.my.home.git = with lib; {
     enable = my.mkDisableOption "git configuration";
+
+    # I want the full experience by default
+    package = mkPackageOption pkgs "git" { default = [ "gitFull" ]; };
   };
 
   config.home.packages = with pkgs; lib.mkIf cfg.enable [
@@ -22,8 +25,7 @@ in
     userEmail = mkMailAddress "bruno" "belanyi.fr";
     userName = "Bruno BELANYI";
 
-    # I want the full experience
-    package = pkgs.gitFull;
+    inherit (cfg) package;
 
     aliases = {
       git = "!git";

modules/home/keyboard/default.nix

@@ -1,8 +1,12 @@
 { config, lib, ... }:
 let
-  cfg = config.my.home.x;
+  cfg = config.my.home.keyboard;
 in
 {
+  options.my.home.keyboard = with lib; {
+    enable = my.mkDisableOption "keyboard configuration";
+  };
+
   config = lib.mkIf cfg.enable {
     home.keyboard = {
       layout = "fr";

modules/home/mail/accounts/default.nix

@@ -8,7 +8,7 @@ let
     realName = lib.mkDefault "Bruno BELANYI";
     userName = lib.mkDefault (mkMailAddress address domain);
     passwordCommand =
-      lib.mkDefault [ "${pkgs.ambroisie.bw-pass}/bin/bw-pass" "Mail" passName ];
+      lib.mkDefault [ (lib.getExe pkgs.ambroisie.rbw-pass) "Mail" passName ];
 
     address = mkMailAddress address domain;
     aliases = builtins.map (lib.flip mkMailAddress domain) aliases;
@@ -18,8 +18,6 @@ let
     himalaya = {
       enable = cfg.himalaya.enable;
       # FIXME: try to actually configure it at some point
-      backend = "imap";
-      sender = "smtp";
     };
 
     msmtp = {

modules/home/mail/himalaya/default.nix

@@ -9,7 +9,7 @@ in
     settings = {
       notify-cmd =
         let
-          notify-send = "${pkgs.libnotify}/bin/notify-send";
+          notify-send = lib.getExe pkgs.libnotify;
         in
         pkgs.writeScript "mail-notifier" ''
           SENDER="$1"

modules/home/mpv/default.nix

@@ -13,6 +13,8 @@ in
 
       scripts = [
         pkgs.mpvScripts.mpris # Allow controlling using media keys
+        pkgs.mpvScripts.mpv-cheatsheet # Show some simple mappings on '?'
+        pkgs.mpvScripts.uosc # Nicer UI
       ];
     };
   };