From 60d941b40b6d37a3a58000d86d1170655f39d5d9 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 21 Nov 2023 00:15:02 +0100 Subject: [PATCH 001/169] flake: bump inputs My tandoor-recipes fix was merged upstream, so remove the overlay. And because of the recent postgres bump for 23.11, `ensureDBOwnership` is the new way of dealing with DB permissions [1]. This means I had to fix manually migrate my `gitea` DB and make it match the DB user. [1]: https://github.com/NixOS/nixpkgs/pull/266270 --- flake.lock | 30 +++++++-------- modules/nixos/services/gitea/default.nix | 1 + .../bump-allauth.patch | 38 ------------------- .../tandoor-recipes-bump-allauth/default.nix | 9 ----- 4 files changed, 16 insertions(+), 62 deletions(-) delete mode 100644 overlays/tandoor-recipes-bump-allauth/bump-allauth.patch delete mode 100644 overlays/tandoor-recipes-bump-allauth/default.nix diff --git a/flake.lock b/flake.lock index d2f2e6d..63bc1f3 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ ] }, "locked": { - "lastModified": 1698579227, - "narHash": "sha256-KVWjFZky+gRuWennKsbo6cWyo7c/z/VgCte5pR9pEKg=", + "lastModified": 1698882062, + "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f76e870d64779109e41370848074ac4eaa1606ec", + "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877", "type": "github" }, "original": { @@ -131,11 +131,11 @@ ] }, "locked": { - "lastModified": 1698670511, - "narHash": "sha256-jQIu3UhBMPHXzVkHQO1O2gg8SVo5lqAVoC6mOaLQcLQ=", + "lastModified": 1700419052, + "narHash": "sha256-U6a5f9ynbzcp8PMIHULbHPkbwp7YfPKOYmTcLqlalD4=", "owner": "nix-community", "repo": "home-manager", - "rev": "8e5416b478e465985eec274bc3a018024435c106", + "rev": "993fb02d20760067b8ee19c713d94cee07037759", "type": "github" }, "original": { 
@@ -147,11 +147,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1698611440, - "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=", + "lastModified": 1700390070, + "narHash": "sha256-de9KYi8rSJpqvBfNwscWdalIJXPo8NjdIZcEJum1mH0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735", + "rev": "e4ad989506ec7d71f7302cc3067abd82730a4beb", "type": "github" }, "original": { @@ -163,11 +163,11 @@ }, "nur": { "locked": { - "lastModified": 1698745553, - "narHash": "sha256-Fdip7ewCtZTjOu7ATDFUAy3OqrgcyvzDElLXhr4YmmI=", + "lastModified": 1700477143, + "narHash": "sha256-43dtFRTcFxQJXmy0jvXGDttXD7fAuGIZ0D8frdIg84M=", "owner": "nix-community", "repo": "NUR", - "rev": "dfbf198236d40e9741db76936088f05107e19013", + "rev": "3a7dd170a152b8525e64e1a21b3f95d402ead2b8", "type": "github" }, "original": { @@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1698227354, - "narHash": "sha256-Fi5H9jbaQLmLw9qBi/mkR33CoFjNbobo5xWdX4tKz1Q=", + "lastModified": 1700064067, + "narHash": "sha256-1ZWNDzhu8UlVCK7+DUN9dVQfiHX1bv6OQP9VxstY/gs=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "bd38df3d508dfcdff52cd243d297f218ed2257bf", + "rev": "e558068cba67b23b4fbc5537173dbb43748a17e8", "type": "github" }, "original": { diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 28a448d..00ba941 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -65,6 +65,7 @@ in database = { type = "postgres"; # Automatic setup user = "git"; # User needs to be the same as gitea user + name = "git"; # Name must be the same as user for `ensureDBOwnership` }; # NixOS module uses `gitea dump` to backup repositories and the database, diff --git a/overlays/tandoor-recipes-bump-allauth/bump-allauth.patch b/overlays/tandoor-recipes-bump-allauth/bump-allauth.patch deleted file mode 100644 index 84dfaee..0000000 
--- a/overlays/tandoor-recipes-bump-allauth/bump-allauth.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 8f66f5c3ca61751a80cc133ff4c59019d6fca406 Mon Sep 17 00:00:00 2001 -From: Bruno BELANYI -Date: Tue, 31 Oct 2023 12:15:30 +0000 -Subject: [PATCH] Bump django-allauth from 0.54.0 to 0.58.1 - -See the backwards incompatible changes [1]. - -[1]: https://docs.allauth.org/en/latest/release-notes/recent.html#id10 ---- - recipes/settings.py | 1 + - requirements.txt | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/recipes/settings.py b/recipes/settings.py -index df2c2b1de..b836ea656 100644 ---- a/recipes/settings.py -+++ b/recipes/settings.py -@@ -218,6 +218,7 @@ - 'django.middleware.locale.LocaleMiddleware', - 'django.middleware.clickjacking.XFrameOptionsMiddleware', - 'cookbook.helper.scope_middleware.ScopeMiddleware', -+ 'allauth.account.middleware.AccountMiddleware', - ] - - if DEBUG_TOOLBAR: -diff --git a/requirements.txt b/requirements.txt -index 26d81b471..09ed2381a 100644 ---- a/requirements.txt -+++ b/requirements.txt -@@ -29,7 +29,7 @@ microdata==0.8.0 - Jinja2==3.1.2 - django-webpack-loader==1.8.1 - git+https://github.com/BITSOLVER/django-js-reverse@071e304fd600107bc64bbde6f2491f1fe049ec82 --django-allauth==0.54.0 -+django-allauth==0.58.1 - recipe-scrapers==14.36.1 - django-scopes==2.0.0 - pytest==7.3.1 diff --git a/overlays/tandoor-recipes-bump-allauth/default.nix b/overlays/tandoor-recipes-bump-allauth/default.nix deleted file mode 100644 index dfbfec9..0000000 --- a/overlays/tandoor-recipes-bump-allauth/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -_self: prev: -{ - tandoor-recipes = prev.tandoor-recipes.overrideAttrs (oa: { - patches = (oa.patches or [ ]) ++ [ - # https://github.com/TandoorRecipes/recipes/pull/2706 - ./bump-allauth.patch - ]; - }); -} From b48d81451d84176782752bcb0631e27fb49de779 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Tue, 21 Nov 2023 00:18:29 +0100 Subject: [PATCH 002/169] nixos: services: migrate to 'ensureDBOwnership' `ensurePermissions` is deprecated, and doesn't work on PostgreSQL 15. --- modules/nixos/services/drone/server/default.nix | 4 +--- modules/nixos/services/nextcloud/default.nix | 2 +- modules/nixos/services/paperless/default.nix | 2 +- modules/nixos/services/quassel/default.nix | 2 +- modules/nixos/services/tandoor-recipes/default.nix | 2 +- modules/nixos/services/vikunja/default.nix | 2 +- modules/nixos/services/woodpecker/server/default.nix | 4 +--- 7 files changed, 7 insertions(+), 11 deletions(-) diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index 0f56d29..d651f85 100644 --- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -41,9 +41,7 @@ in ensureDatabases = [ "drone" ]; ensureUsers = [{ name = "drone"; - ensurePermissions = { - "DATABASE drone" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; }; diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index 260e73e..65b7234 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -57,7 +57,7 @@ in ensureUsers = [ { name = "nextcloud"; - ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } ]; }; diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index 1ca1f66..90f6b0c 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -131,7 +131,7 @@ in ensureUsers = [ { name = "paperless"; - ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } ]; }; diff --git a/modules/nixos/services/quassel/default.nix b/modules/nixos/services/quassel/default.nix index ec686e1..695f9e0 100644 
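Review bot: `ensureDBOwnership = true;` makes the `drone` role the owner of the `drone` database, which is wider than the `ALL PRIVILEGES` grant it replaces. The same applies to the nextcloud, paperless, quassel, tandoor-recipes, vikunja and woodpecker hunks of this patch. The option only works when a database with exactly the role's name is listed in `ensureDatabases`; that is visible here for drone and woodpecker but lies outside the hunk for the other five, so it is worth checking. It also changes only the database's owner, so on an existing install objects created by another role may still need a one-off manual fix, as the previous commit describes for gitea. A short comment next to each setting would record that, e.g. `# Requires a database named like the user; existing installs may need manual ownership migration (NixOS/nixpkgs#266270)`.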
--- a/modules/nixos/services/quassel/default.nix +++ b/modules/nixos/services/quassel/default.nix @@ -39,7 +39,7 @@ in ensureUsers = [ { name = "quassel"; - ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } ]; # Insecure, I don't care. diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 83177c8..541e198 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix @@ -65,7 +65,7 @@ in ensureUsers = [ { name = "tandoor_recipes"; - ensurePermissions."DATABASE tandoor_recipes" = "ALL PRIVILEGES"; + ensureDBOwnership = true; } ]; }; diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 1cdef5f..8c051b0 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix @@ -109,7 +109,7 @@ in ensureUsers = [ { name = "vikunja"; - ensurePermissions = { "DATABASE vikunja" = "ALL PRIVILEGES"; }; + ensureDBOwnership = true; } ]; }; diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index d9f723b..cebbc9b 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -48,9 +48,7 @@ in ensureDatabases = [ "woodpecker" ]; ensureUsers = [{ name = "woodpecker"; - ensurePermissions = { - "DATABASE woodpecker" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; }; From 3fb8734c5670559feec8a2ce46beee0723171708 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 27 Nov 2023 11:18:26 +0000 Subject: [PATCH 003/169] home: direnv: fix 'use_android' Don't rely on `ANDROID_SDK_HOME` if it hasn't yet been defined. --- modules/home/direnv/lib/android.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
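Review bot: The context line `# Insecure, I don't care.` at the end of the quassel hunk does not say what is insecure; the setting it annotates lies outside the hunk, so it is only a guess that it relaxes PostgreSQL authentication. Now that the `quassel` role owns its database, whatever that setting permits applies to an owner rather than to a grantee. The comment should name the exposure and why it is accepted, e.g. `# <what is relaxed>: acceptable because <reason>`.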
diff --git a/modules/home/direnv/lib/android.sh b/modules/home/direnv/lib/android.sh index b25d675..3f730c2 100644 --- a/modules/home/direnv/lib/android.sh +++ b/modules/home/direnv/lib/android.sh @@ -22,7 +22,7 @@ use_android() { # Default to the latest version found local ndk_version="$(_use_android_find_latest "$ANDROID_HOME/ndk" || return 1)" - local build_tools_version="$(_use_android_find_latest "$ANDROID_SDK_HOME/build-tools" || return 1)" + local build_tools_version="$(_use_android_find_latest "$ANDROID_HOME/build-tools" || return 1)" unset -f _use_android_find_latest @@ -54,5 +54,5 @@ use_android() { export ANDROID_NDK_ROOT="$ANDROID_NDK_HOME" PATH_add "$ANDROID_NDK_HOME" - PATH_add "$ANDROID_SDK_HOME/build-tools/$build_tools_version" + PATH_add "$ANDROID_HOME/build-tools/$build_tools_version" } From 302cb907efd08c56467e12df4c3e78a71a44f0ff Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 28 Nov 2023 20:28:12 +0000 Subject: [PATCH 004/169] home: wm: i3: make blueman device manager floating --- modules/home/wm/i3/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/wm/i3/default.nix b/modules/home/wm/i3/default.nix index d1dbe2c..b9661f3 100644 --- a/modules/home/wm/i3/default.nix +++ b/modules/home/wm/i3/default.nix @@ -129,6 +129,7 @@ in { class = "^Thunderbird$"; instance = "Mailnews"; window_role = "filterlist"; } { class = "^Pavucontrol.*$"; } { class = "^Arandr$"; } + { class = ".?blueman-manager.*$"; } ]; }; From 97f5bf504c1b67a3a1d82c1b889f31b227e0fc96 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 28 Nov 2023 09:28:12 +0000 Subject: [PATCH 005/169] hosts: homes: mousqueton: remove 'LD_PRELOAD' It looks like this isn't needed anymore. --- hosts/homes/ambroisie@mousqueton/default.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 8294ff4..06ee817 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix 
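Review bot: The `|| return 1` inside `$( … )` on the changed `build_tools_version` line (and on the unchanged `ndk_version` line above it) only leaves the command substitution's subshell, and `local` then reports its own success, so a failed lookup leaves the variable empty and `use_android` carries on. The second hunk would then run `PATH_add "$ANDROID_HOME/build-tools/$build_tools_version"` with an empty version and put the bare `build-tools/` directory on `PATH`. Declare and assign separately so the failure propagates: `local build_tools_version` followed by `build_tools_version="$(_use_android_find_latest "$ANDROID_HOME/build-tools")" || return 1`. `use_android` starts and ends outside both hunks, so any later validation of the value is not visible here.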
+++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -4,15 +4,6 @@ # Google specific configuration home.homeDirectory = "/usr/local/google/home/ambroisie"; - # Some tooling (e.g: SSH) need to use this library - home.sessionVariables = { - LD_PRELOAD = "/usr/grte/v5/lib64/libnss_cache.so.2\${LD_PRELOAD:+:}$LD_PRELOAD"; - }; - - systemd.user.sessionVariables = { - LD_PRELOAD = "/usr/grte/v5/lib64/libnss_cache.so.2\${LD_PRELOAD:+:}$LD_PRELOAD"; - }; - programs.git.package = lib.mkForce pkgs.emptyDirectory; services.gpg-agent.enable = lib.mkForce false; From ec79be2a451f9af5464778f54f662626021dbb7b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 28 Nov 2023 14:35:12 +0000 Subject: [PATCH 006/169] home: xdg: set 'ANDROID_USER_HOME' --- modules/home/xdg/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/xdg/default.nix b/modules/home/xdg/default.nix index af9ec18..3bba198 100644 --- a/modules/home/xdg/default.nix +++ b/modules/home/xdg/default.nix @@ -39,6 +39,7 @@ in # I want a tidier home config.home.sessionVariables = with config.xdg; lib.mkIf cfg.enable { ANDROID_HOME = "${dataHome}/android"; + ANDROID_USER_HOME = "${configHome}/android"; CARGO_HOME = "${dataHome}/cargo"; DOCKER_CONFIG = "${configHome}/docker"; GDBHISTFILE = "${dataHome}/gdb/gdb_history"; From f4cc63c711e69d2e07319d29b6f472c3128e3544 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 28 Nov 2023 14:39:48 +0000 Subject: [PATCH 007/169] home: direnv: remove 'ANDROID_SDK_HOME' Turns out this is supposed to be used for configuration, and it makes some tools error out due to a sanity check... I'm not pleased about this, but whatever. --- modules/home/direnv/lib/android.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/home/direnv/lib/android.sh b/modules/home/direnv/lib/android.sh index 3f730c2..fa2f856 100644 --- a/modules/home/direnv/lib/android.sh +++ b/modules/home/direnv/lib/android.sh 
@@ -47,10 +47,9 @@ use_android() { esac done - export ANDROID_SDK_HOME="$ANDROID_HOME" export ANDROID_NDK_HOME="$ANDROID_HOME/ndk/$ndk_version" export ANDROID_ROOT="$ANDROID_HOME" - export ANDROID_SDK_ROOT="$ANDROID_SDK_HOME" + export ANDROID_SDK_ROOT="$ANDROID_HOME" export ANDROID_NDK_ROOT="$ANDROID_NDK_HOME" PATH_add "$ANDROID_NDK_HOME" From 15ca07bc6413046415db6847a1664000a8a13417 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 1 Dec 2023 19:13:32 +0000 Subject: [PATCH 008/169] home: wm: i3bar: remove redundant buttons Turns out they're not needed, or at least not anymore? --- modules/home/wm/i3bar/default.nix | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/modules/home/wm/i3bar/default.nix b/modules/home/wm/i3bar/default.nix index 05b0f50..645abeb 100644 --- a/modules/home/wm/i3bar/default.nix +++ b/modules/home/wm/i3bar/default.nix @@ -22,20 +22,6 @@ in block = "music"; # This format seems to remove the block when not playing, somehow format = "{ $icon $combo.str(max_w:50,rot_interval:0.5) $prev $play $next |}"; - click = [ - { - button = "play"; - action = "music_play"; - } - { - button = "prev"; - action = "music_prev"; - } - { - button = "next"; - action = "music_next"; - } - ]; } (lib.optionalAttrs config.my.home.bluetooth.enable { block = "bluetooth"; From 2d532f35a9e7ae3591ec4f260c66807086c9a15a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 30 Nov 2023 21:06:37 +0100 Subject: [PATCH 009/169] flake: bump inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 63bc1f3..9ac3083 100644 --- a/flake.lock +++ b/flake.lock 
@@ -11,11 +11,11 @@ ] }, "locked": { - "lastModified": 1696775529, - "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", + "lastModified": 1701216516, + "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=", "owner": "ryantm", "repo": "agenix", - "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", + "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247", "type": "github" }, "original": { @@ -131,11 +131,11 @@ ] }, "locked": { - "lastModified": 1700419052, - "narHash": "sha256-U6a5f9ynbzcp8PMIHULbHPkbwp7YfPKOYmTcLqlalD4=", + "lastModified": 1701071203, + "narHash": "sha256-lQywA7QU/vzTdZ1apI0PfgCWNyQobXUYghVrR5zuIeM=", "owner": "nix-community", "repo": "home-manager", - "rev": "993fb02d20760067b8ee19c713d94cee07037759", + "rev": "db1878f013b52ba5e4034db7c1b63e8d04173a86", "type": "github" }, "original": { @@ -147,11 +147,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700390070, - "narHash": "sha256-de9KYi8rSJpqvBfNwscWdalIJXPo8NjdIZcEJum1mH0=", + "lastModified": 1701068326, + "narHash": "sha256-vmMceA+q6hG1yrjb+MP8T0YFDQIrW3bl45e7z24IEts=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e4ad989506ec7d71f7302cc3067abd82730a4beb", + "rev": "8cfef6986adfb599ba379ae53c9f5631ecd2fd9c", "type": "github" }, "original": { @@ -163,11 +163,11 @@ }, "nur": { "locked": { - "lastModified": 1700477143, - "narHash": "sha256-43dtFRTcFxQJXmy0jvXGDttXD7fAuGIZ0D8frdIg84M=", + "lastModified": 1701366548, + "narHash": "sha256-+cItrtt7Tfd9SM9aQ3lCZWahfxVzWpH5bVgRyz5QDnw=", "owner": "nix-community", "repo": "NUR", - "rev": "3a7dd170a152b8525e64e1a21b3f95d402ead2b8", + "rev": "d16468a8fc6ea13c030349f293e5958adc0e4a54", "type": "github" }, "original": { 
@@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1700064067, - "narHash": "sha256-1ZWNDzhu8UlVCK7+DUN9dVQfiHX1bv6OQP9VxstY/gs=", + "lastModified": 1700922917, + "narHash": "sha256-ej2fch/T584b5K9sk1UhmZF7W6wEfDHuoUYpFN8dtvM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "e558068cba67b23b4fbc5537173dbb43748a17e8", + "rev": "e5ee5c5f3844550c01d2131096c7271cec5e9b78", "type": "github" }, "original": { From 55362b1db856dac93bba227b5fb30f4e025d79c8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 1 Dec 2023 12:19:52 +0000 Subject: [PATCH 010/169] home: vim: add remove deprecated option The plug-in now configures itself automatically. I could also set `vim.g.skip_ts_context_commentstring_module = true`, but that should be removed soon enough anyway, and I would forget to remove it... --- modules/home/vim/plugin/settings/tree-sitter.lua | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/home/vim/plugin/settings/tree-sitter.lua b/modules/home/vim/plugin/settings/tree-sitter.lua index 0d84abd..5503857 100644 --- a/modules/home/vim/plugin/settings/tree-sitter.lua +++ b/modules/home/vim/plugin/settings/tree-sitter.lua @@ -8,9 +8,6 @@ ts_config.setup({ indent = { enable = true, }, - context_commentstring = { - enable = true, - }, textobjects = { select = { enable = true, From e41bacc2fc54cc2a16ef76ba459aaf22947f9fcd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 2 Dec 2023 14:22:44 +0000 Subject: [PATCH 011/169] home: wm: i3: make 'rofi-bluetooth' ignore case The options given to the script are piped straight to `rofi -dmenu`, which apparently needs the `-i` switch to be case insensitive. --- modules/home/wm/i3/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/wm/i3/default.nix b/modules/home/wm/i3/default.nix index b9661f3..69246f0 100644 --- a/modules/home/wm/i3/default.nix +++ b/modules/home/wm/i3/default.nix 
@@ -197,7 +197,7 @@ in inherit (config.my.home.bluetooth) enable; prog = lib.getExe pkgs.rofi-bluetooth; in - lib.mkIf enable "exec ${prog}"; + lib.mkIf enable "exec ${prog} -i"; }) ( # Changing container focus From 093d7a3cb878a13467d7973c96fe16b788d0bf23 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 6 Dec 2023 22:18:46 +0100 Subject: [PATCH 012/169] flake: bump inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 9ac3083..c2baaaf 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ ] }, "locked": { - "lastModified": 1698882062, - "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { @@ -89,11 +89,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { @@ -131,11 +131,11 @@ ] }, "locked": { - "lastModified": 1701071203, - "narHash": "sha256-lQywA7QU/vzTdZ1apI0PfgCWNyQobXUYghVrR5zuIeM=", + "lastModified": 1701728041, + "narHash": "sha256-x0pyrI1vC8evVDxCxyO6olOyr4wlFg9+VS3C3p4xFYQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "db1878f013b52ba5e4034db7c1b63e8d04173a86", + "rev": "ac7216918cd65f3824ba7817dea8f22e61221eaf", "type": "github" }, "original": { 
@@ -147,11 +147,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701068326, - "narHash": "sha256-vmMceA+q6hG1yrjb+MP8T0YFDQIrW3bl45e7z24IEts=", + "lastModified": 1701436327, + "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8cfef6986adfb599ba379ae53c9f5631ecd2fd9c", + "rev": "91050ea1e57e50388fa87a3302ba12d188ef723a", "type": "github" }, "original": { @@ -163,11 +163,11 @@ }, "nur": { "locked": { - "lastModified": 1701366548, - "narHash": "sha256-+cItrtt7Tfd9SM9aQ3lCZWahfxVzWpH5bVgRyz5QDnw=", + "lastModified": 1701895548, + "narHash": "sha256-ukg5+dJSa82+CpCNmca10wLjdzVN8thlkOfswsZqf+s=", "owner": "nix-community", "repo": "NUR", - "rev": "d16468a8fc6ea13c030349f293e5958adc0e4a54", + "rev": "52bf9b8e019cd6e9ec6ff604e7b06c82ad487867", "type": "github" }, "original": { From 8398c4350a70ae08b5614b6cf6737c11471b609f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 14:26:36 +0000 Subject: [PATCH 013/169] hosts: homes: add work laptop --- flake/home-manager.nix | 1 + hosts/homes/ambroisie@bazin/default.nix | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 hosts/homes/ambroisie@bazin/default.nix diff --git a/flake/home-manager.nix b/flake/home-manager.nix index 61c9f6e..557d5c6 100644 --- a/flake/home-manager.nix +++ b/flake/home-manager.nix @@ -40,6 +40,7 @@ let }; hosts = { + "ambroisie@bazin" = "x86_64-linux"; "ambroisie@mousqueton" = "x86_64-linux"; }; in diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix new file mode 100644 index 0000000..235898a --- /dev/null +++ b/hosts/homes/ambroisie@bazin/default.nix 
@@ -0,0 +1,17 @@ +# Google Cloudtop configuration +{ lib, pkgs, ... }: +{ + programs.git.package = lib.mkForce pkgs.emptyDirectory; + + services.gpg-agent.enable = lib.mkForce false; + + my.home = { + tmux = { + # I use scripts that use the passthrough sequence often on this host + enablePassthrough = true; + + # HTerm uses `xterm-256color` as its `$TERM`, so use that here + trueColorTerminals = [ "xterm-256color" ]; + }; + }; +} From 0b9c2309da9f33a4be355ea3f005efb4b9f06aa6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 14:29:59 +0000 Subject: [PATCH 014/169] home: ssh: use 'mkMerge' This will make it easier to add new options (e.g: for `mosh`). --- modules/home/ssh/default.nix | 86 +++++++++++++++++++----------------- 1 file changed, 45 insertions(+), 41 deletions(-) diff --git a/modules/home/ssh/default.nix b/modules/home/ssh/default.nix index 123190f..b5bdf76 100644 --- a/modules/home/ssh/default.nix +++ b/modules/home/ssh/default.nix 
@@ -7,48 +7,52 @@ in enable = my.mkDisableOption "ssh configuration"; }; - config.programs.ssh = lib.mkIf cfg.enable { - enable = true; + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + programs.ssh = { + enable = true; - includes = [ - # Local configuration, not-versioned - "config.local" - ]; + includes = [ + # Local configuration, not-versioned + "config.local" + ]; - matchBlocks = { - "github.com" = { - hostname = "github.com"; - identityFile = "~/.ssh/shared_rsa"; - user = "git"; + matchBlocks = { + "github.com" = { + hostname = "github.com"; + identityFile = "~/.ssh/shared_rsa"; + user = "git"; + }; + + "gitlab.com" = { + hostname = "gitlab.com"; + identityFile = "~/.ssh/shared_rsa"; + user = "git"; + }; + + "git.sr.ht" = { + hostname = "git.sr.ht"; + identityFile = "~/.ssh/shared_rsa"; + user = "git"; + }; + + "git.belanyi.fr" = { + hostname = "git.belanyi.fr"; + identityFile = "~/.ssh/shared_rsa"; + user = "git"; + }; + + porthos = { + hostname = "91.121.177.163"; + identityFile = "~/.ssh/shared_rsa"; + user = "ambroisie"; + }; + }; + + extraConfig = '' + AddKeysToAgent yes + ''; }; - - "gitlab.com" = { - hostname = "gitlab.com"; - identityFile = "~/.ssh/shared_rsa"; - user = "git"; - }; - - "git.sr.ht" = { - hostname = "git.sr.ht"; - identityFile = "~/.ssh/shared_rsa"; - user = "git"; - }; - - "git.belanyi.fr" = { - hostname = "git.belanyi.fr"; - identityFile = "~/.ssh/shared_rsa"; - user = "git"; - }; - - porthos = { - hostname = "91.121.177.163"; - identityFile = "~/.ssh/shared_rsa"; - user = "ambroisie"; - }; - }; - - extraConfig = '' - AddKeysToAgent yes - ''; - }; + } + ]); } From 0164d120876cb1187d13797930ad8021faafbcc9 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 14:31:32 +0000 Subject: [PATCH 015/169] home: ssh: move 'mosh' configuration --- modules/home/packages/default.nix | 1 - modules/home/ssh/default.nix | 14 +++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) 
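Review bot: Every `matchBlocks` entry in the re-indented block pins `identityFile = "~/.ssh/shared_rsa"` but none sets `identitiesOnly`, so ssh can still offer any other key held by the agent to these hosts. `AddKeysToAgent yes` also keeps the unlocked key in the agent with neither confirmation nor a lifetime. The refactor itself is behaviour-preserving, but since it rewrites the whole block this is a good place to add `identitiesOnly = true;` to each entry and to use `AddKeysToAgent confirm` (or a time limit) in `extraConfig`. The same key file serves the public forges and `porthos`; a comment stating that this sharing is intentional would help the next reader.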
diff --git a/modules/home/packages/default.nix b/modules/home/packages/default.nix index 0cfa3b3..be89503 100644 --- a/modules/home/packages/default.nix +++ b/modules/home/packages/default.nix @@ -20,7 +20,6 @@ in config.home.packages = with pkgs; lib.mkIf cfg.enable ([ fd file - mosh ripgrep ] ++ cfg.additionalPackages); } diff --git a/modules/home/ssh/default.nix b/modules/home/ssh/default.nix index b5bdf76..674cf6a 100644 --- a/modules/home/ssh/default.nix +++ b/modules/home/ssh/default.nix @@ -1,10 +1,16 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.home.ssh; in { options.my.home.ssh = with lib; { enable = my.mkDisableOption "ssh configuration"; + + mosh = { + enable = my.mkDisableOption "mosh configuration"; + + package = mkPackageOption pkgs "mosh" { }; + }; }; config = lib.mkIf cfg.enable (lib.mkMerge [ @@ -54,5 +60,11 @@ in ''; }; } + + (lib.mkIf cfg.mosh.enable { + home.packages = [ + cfg.mosh.package + ]; + }) ]); } From 792d997dc961193f6e5d1924e87f4fc4ee5175ec Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 14:34:17 +0000 Subject: [PATCH 016/169] hosts: homes: bazin: disable 'mosh' package --- hosts/homes/ambroisie@bazin/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix index 235898a..193a6af 100644 --- a/hosts/homes/ambroisie@bazin/default.nix +++ b/hosts/homes/ambroisie@bazin/default.nix @@ -13,5 +13,11 @@ # HTerm uses `xterm-256color` as its `$TERM`, so use that here trueColorTerminals = [ "xterm-256color" ]; }; + + ssh = { + mosh = { + package = pkgs.emptyDirectory; + }; + }; }; } From afda437f49688307875b427dcb5ecee5170bbfea Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 14:37:47 +0000 Subject: [PATCH 017/169] home: git: allow overriding default package --- modules/home/git/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/modules/home/git/default.nix b/modules/home/git/default.nix index 4dba01e..9c10257 100644 --- a/modules/home/git/default.nix +++ b/modules/home/git/default.nix @@ -7,6 +7,9 @@ in { options.my.home.git = with lib; { enable = my.mkDisableOption "git configuration"; + + # I want the full experience by default + package = mkPackageOption pkgs "git" { default = [ "gitFull" ]; }; }; config.home.packages = with pkgs; lib.mkIf cfg.enable [ @@ -22,8 +25,7 @@ in userEmail = mkMailAddress "bruno" "belanyi.fr"; userName = "Bruno BELANYI"; - # I want the full experience - package = pkgs.gitFull; + inherit (cfg) package; aliases = { git = "!git"; From 3a7f4d126d7fc0e04e04881f1078af791aa58fc0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 14:40:15 +0000 Subject: [PATCH 018/169] hosts: homes: mousqueton: migrate 'git.package' --- hosts/homes/ambroisie@mousqueton/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 06ee817..5c0a963 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -4,11 +4,13 @@ # Google specific configuration home.homeDirectory = "/usr/local/google/home/ambroisie"; - programs.git.package = lib.mkForce pkgs.emptyDirectory; - services.gpg-agent.enable = lib.mkForce false; my.home = { + git = { + package = pkgs.emptyDirectory; + }; + tmux = { # I use scripts that use the passthrough sequence often on this host enablePassthrough = true; From 20ab6795423903ac269bf318e9d3b64df00052f1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 14:40:21 +0000 Subject: [PATCH 019/169] hosts: homes: bazin: migrate 'git.package' --- hosts/homes/ambroisie@bazin/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix index 193a6af..4490c51 100644 --- a/hosts/homes/ambroisie@bazin/default.nix +++ b/hosts/homes/ambroisie@bazin/default.nix @@ -1,11 +1,13 @@ # Google Cloudtop configuration { lib, pkgs, ... }: { - programs.git.package = lib.mkForce pkgs.emptyDirectory; - services.gpg-agent.enable = lib.mkForce false; my.home = { + git = { + package = pkgs.emptyDirectory; + }; + tmux = { # I use scripts that use the passthrough sequence often on this host enablePassthrough = true; From bdc3e63fff4442f7344c782c3cd023e0e5faf1ec Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 20:30:35 +0000 Subject: [PATCH 020/169] flake: home-manager: refactor 'hosts' -> 'homes' This makes more sense as a name. --- flake/home-manager.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake/home-manager.nix b/flake/home-manager.nix index 557d5c6..34af375 100644 --- a/flake/home-manager.nix +++ b/flake/home-manager.nix @@ -39,7 +39,7 @@ let }; }; - hosts = { + homes = { "ambroisie@bazin" = "x86_64-linux"; "ambroisie@mousqueton" = "x86_64-linux"; }; @@ -50,13 +50,13 @@ in legacyPackages = { homeConfigurations = let - filteredHosts = lib.filterAttrs (_: v: v == system) hosts; - allHosts = filteredHosts // { + filteredHomes = lib.filterAttrs (_: v: v == system) homes; + allHomes = filteredHomes // { # Default configuration ambroisie = system; }; in - lib.mapAttrs mkHome allHosts; + lib.mapAttrs mkHome allHomes; }; }; } From 3ed2fac3db4553f5101125ce98959a9303377976 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Dec 2023 21:22:09 +0000 Subject: [PATCH 021/169] flake: nixos: use module-provided 'lib' I can't use `self.lib` to define options, that would result in infinite recursion. --- flake/nixos.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/flake/nixos.nix b/flake/nixos.nix index fe124d7..b48b551 100644 --- a/flake/nixos.nix 
+++ b/flake/nixos.nix @@ -1,7 +1,5 @@ -{ self, inputs, ... }: +{ self, inputs, lib, ... }: let - inherit (self) lib; - defaultModules = [ { # Let 'nixos-version --json' know about the Git revision @@ -23,7 +21,7 @@ let ]; specialArgs = { # Use my extended lib in NixOS configuration - inherit lib; + inherit (self) lib; # Inject inputs to use them in global registry inherit inputs; }; From 22fa05ca0c648c6a2652e653d13a35498e58ac8d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 8 Dec 2023 11:49:52 +0000 Subject: [PATCH 022/169] home: packages: refactor config format --- modules/home/packages/default.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/modules/home/packages/default.nix b/modules/home/packages/default.nix index be89503..6e3efcd 100644 --- a/modules/home/packages/default.nix +++ b/modules/home/packages/default.nix @@ -17,9 +17,11 @@ in }; }; - config.home.packages = with pkgs; lib.mkIf cfg.enable ([ - fd - file - ripgrep - ] ++ cfg.additionalPackages); + config = lib.mkIf cfg.enable { + home.packages = with pkgs; ([ + fd + file + ripgrep + ] ++ cfg.additionalPackages); + }; } From 16fade92b4d5ef718e0c84a1b24d5478c4bd4b9e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 8 Dec 2023 11:50:44 +0000 Subject: [PATCH 023/169] home: packages: add 'allowAliases', 'allowUnfree' With [1], this should now be taken into account properly. [1]: https://github.com/nix-community/home-manager/pull/4304 --- modules/home/packages/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/home/packages/default.nix b/modules/home/packages/default.nix index 6e3efcd..1362a06 100644 --- a/modules/home/packages/default.nix +++ b/modules/home/packages/default.nix 
@@ -6,6 +6,10 @@ in options.my.home.packages = with lib; { enable = my.mkDisableOption "user packages"; + allowAliases = mkEnableOption "allow package aliases"; + + allowUnfree = my.mkDisableOption "allow unfree packages"; + additionalPackages = mkOption { type = with types; listOf package; default = [ ]; @@ -23,5 +27,9 @@ in file ripgrep ] ++ cfg.additionalPackages); + + nixpkgs.config = { + inherit (cfg) allowAliases allowUnfree; + }; }; } From f23e6251cef53dd00d512f36fb61ce0a92991ca7 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Dec 2023 14:09:10 +0000 Subject: [PATCH 024/169] nixos: services: wireguard: add VPN conflicts It's now easier to do the right thing when starting a VPN service, whether the other one is running or not. --- modules/nixos/services/wireguard/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/nixos/services/wireguard/default.nix b/modules/nixos/services/wireguard/default.nix index fc5518d..a213e71 100644 --- a/modules/nixos/services/wireguard/default.nix +++ b/modules/nixos/services/wireguard/default.nix @@ -261,5 +261,17 @@ in (lib.mkIf (cfg.internal.enable && !cfg.internal.startAtBoot) { systemd.services."wg-quick-${cfg.internal.name}".wantedBy = lib.mkForce [ ]; }) + + # Make systemd shut down one service when starting the other + (lib.mkIf (cfg.internal.enable) { + systemd.services."wg-quick-${cfg.iface}" = { + conflicts = [ "wg-quick-${cfg.internal.name}.service" ]; + after = [ "wg-quick-${cfg.internal.name}.service" ]; + }; + systemd.services."wg-quick-${cfg.internal.name}" = { + conflicts = [ "wg-quick-${cfg.iface}.service" ]; + after = [ "wg-quick-${cfg.iface}.service" ]; + }; + }) ]); } From 9ddd59eac8eab6b233372117cb36c7d2618b905a Mon Sep 17 00:00:00 2001 
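Review bot: `nixpkgs.config` is added inside the `lib.mkIf cfg.enable` block, so the unfree/alias policy is tied to the "user packages" toggle: setting `my.home.packages.enable = false` also drops `allowUnfree`, which will surprise a module that installs an unfree package on its own. `allowUnfree` is declared with `my.mkDisableOption`, which (assuming that helper defaults to true, as its name suggests) accepts unfree licences on every home by default; a comment such as `# Unfree packages are allowed by default; disable on homes that must stay free-software only` would make that choice explicit. The option labels also render awkwardly ("Whether to enable allow package aliases"); `mkEnableOption "package aliases"` reads better.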
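Review bot: The two `wg-quick` units now declare `conflicts` on each other, but nothing here stops both from being pulled in at boot: the module has a top-level `startAtBoot` option and the context line above reads `cfg.internal.startAtBoot`. If both are true, systemd has to drop one of the two start jobs, and the configuration does not decide which tunnel ends up active. An assertion would catch this at evaluation time, e.g. `assertions = [{ assertion = !(cfg.startAtBoot && cfg.internal.startAtBoot); message = "wireguard: only one of the two VPN units can start at boot"; }];`. The symmetric `after` entries are more than needed, since systemd orders a stop job before a start job whichever direction the ordering is declared in. The enclosing list starts outside the hunk.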
From: Bruno BELANYI Date: Thu, 14 Dec 2023 11:08:15 +0000 Subject: [PATCH 025/169] nixos: system: add polkit One nice thing is that it enables the prompts when using `systemctl`, instead of requiring `sudo`. --- modules/nixos/system/default.nix | 1 + modules/nixos/system/polkit/default.nix | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 modules/nixos/system/polkit/default.nix diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix index e7a4dd3..e6fb25b 100644 --- a/modules/nixos/system/default.nix +++ b/modules/nixos/system/default.nix @@ -10,6 +10,7 @@ ./nix ./packages ./podman + ./polkit ./printing ./users ]; diff --git a/modules/nixos/system/polkit/default.nix b/modules/nixos/system/polkit/default.nix new file mode 100644 index 0000000..1e5b573 --- /dev/null +++ b/modules/nixos/system/polkit/default.nix @@ -0,0 +1,16 @@ +# Polkit settings +{ config, lib, ... }: +let + cfg = config.my.system.polkit; +in +{ + options.my.system.polkit = with lib; { + enable = my.mkDisableOption "polkit configuration"; + }; + + config = lib.mkIf cfg.enable { + security.polkit = { + enable = true; + }; + }; +} From 1faa8d9acff1857537d3fb35768de2ede64e6b36 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 11:10:14 +0000 Subject: [PATCH 026/169] nixos: services: wireguard: add 'simpleManagement' This makes it easier to manage the VPN services, as they don't require a password prompt to be brought up/down. --- modules/nixos/services/wireguard/default.nix | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/modules/nixos/services/wireguard/default.nix b/modules/nixos/services/wireguard/default.nix index a213e71..26e54e0 100644 --- a/modules/nixos/services/wireguard/default.nix +++ b/modules/nixos/services/wireguard/default.nix 
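Review bot: The new `polkit/default.nix` declares `enable` with `my.mkDisableOption`, which (if that helper defaults to true, as its name suggests) turns polkit on for every host that imports `modules/nixos/system`, headless servers included. polkit is a privileged authorization service, so the default deserves to be visible in the file: either extend the header comment, e.g. `# Enabled by default so that systemctl can prompt for authentication instead of requiring sudo`, or use `mkEnableOption` and opt in on the machines that need it.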
@@ -100,6 +100,8 @@ in options.my.services.wireguard = with lib; { enable = mkEnableOption "Wireguard VPN service"; + simpleManagement = my.mkDisableOption "manage units without password prompts"; + startAtBoot = mkEnableOption '' Should the VPN service be started at boot. Must be true for the server to work reliably. @@ -273,5 +275,24 @@ in after = [ "wg-quick-${cfg.iface}.service" ]; }; }) + + # Make it possible to manage those units without using passwords, for admins + (lib.mkIf cfg.simpleManagement { + environment.etc."polkit-1/rules.d/50-wg-quick.rules".text = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.systemd1.manage-units") { + var unit = action.lookup("unit") + if (unit == "wg-quick-${cfg.iface}.service" || unit == "wg-quick-${cfg.internal.name}.service") { + var verb = action.lookup("verb"); + if (verb == "start" || verb == "stop" || verb == "restart") { + if (subject.isInGroup("wheel")) { + return polkit.Result.YES; + } + } + } + } + }); + ''; + }) ]); } From 33b94a7f9d894daaeab4683433ae56f02c670cb0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 11:41:25 +0000 Subject: [PATCH 027/169] home: wm: i3bar: add 'flatten' call This makes it easier to declare multiple blocks at once, as will be done in the next commit. --- modules/home/wm/i3bar/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/home/wm/i3bar/default.nix b/modules/home/wm/i3bar/default.nix index 645abeb..50913a4 100644 --- a/modules/home/wm/i3bar/default.nix +++ b/modules/home/wm/i3bar/default.nix @@ -17,7 +17,7 @@ in top = { icons = "awesome5"; - blocks = builtins.filter (attr: attr != { }) [ + blocks = builtins.filter (attr: attr != { }) (lib.flatten [ { block = "music"; # This format seems to remove the block when not playing, somehow @@ -92,7 +92,7 @@ in format = " $icon $timestamp.datetime(f:'%F %T') "; interval = 5; } - ]; + ]); }; }; }; 
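Review bot: The polkit rule in the second wireguard hunk returns `polkit.Result.YES` to any subject in `wheel` regardless of session, so a remote or non-interactive session of an admin account can start, stop and restart the tunnels without authenticating, and stopping a VPN silently changes where traffic goes. If the aim is convenience at the desktop, restrict it to the local active session: `if (subject.isInGroup("wheel") && subject.local && subject.active) {`. `simpleManagement` is declared with `my.mkDisableOption`, so this bypass appears to be on by default wherever the WireGuard service is enabled; `mkEnableOption` would make it an explicit choice. The rule also names `wg-quick-${cfg.internal.name}.service` even when `cfg.internal.enable` is false, and `var unit = action.lookup("unit")` lacks the semicolon the `verb` lookup has.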
From 3a2f02f001cbc9b35d4b838088aef116ba25ca51 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 11:42:03 +0000 Subject: [PATCH 028/169] home: wm: i3bar: add VPN blocks --- modules/home/wm/default.nix | 25 +++++++++++++++++++++++++ modules/home/wm/i3bar/default.nix | 13 +++++++++++++ 2 files changed, 38 insertions(+) diff --git a/modules/home/wm/default.nix b/modules/home/wm/default.nix index 6a615e5..449918a 100644 --- a/modules/home/wm/default.nix +++ b/modules/home/wm/default.nix @@ -36,6 +36,31 @@ in i3bar = { enable = mkRelatedOption "i3bar configuration" [ "i3" ]; + + vpn = { + enable = my.mkDisableOption "VPN configuration"; + + blockConfigs = mkOption { + type = with types; listOf (attrsOf str); + default = [ + { + active_format = " VPN "; + service = "wg-quick-wg"; + } + { + active_format = " VPN (LAN) "; + service = "wg-quick-lan"; + } + ]; + example = [ + { + active_format = " WORK "; + service = "some-service-name"; + } + ]; + description = "list of block configurations, merged with the defauls"; + }; + }; }; rofi = { diff --git a/modules/home/wm/i3bar/default.nix b/modules/home/wm/i3bar/default.nix index 50913a4..5dbb505 100644 --- a/modules/home/wm/i3bar/default.nix +++ b/modules/home/wm/i3bar/default.nix @@ -59,6 +59,19 @@ in { block = "disk_space"; } + (lib.optionals cfg.vpn.enable + ( + let + defaults = { + block = "service_status"; + active_state = "Good"; + inactive_format = ""; + inactive_state = "Idle"; + }; + in + builtins.map (block: defaults // block) cfg.vpn.blockConfigs + ) + ) { block = "net"; format = " $icon{| $ssid|} $ip{| $signal_strength|} "; From 90aed6b2cab3d74c4aea5d0e72d694acdae2456c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 12:06:25 +0000 Subject: [PATCH 029/169] pkgs: lohr: 0.4.2. -> 0.4.5 --- pkgs/lohr/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/lohr/default.nix b/pkgs/lohr/default.nix index a83b092..ddeac7a 100644 
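Review bot: The `description` of `blockConfigs` in the `modules/home/wm/default.nix` hunk has a typo, `defauls`; it should read `description = "list of block configurations, merged with the defaults";`. The default entries hard-code `wg-quick-wg` and `wg-quick-lan`, which presumably mirror the interface names chosen in the NixOS WireGuard module. A comment such as `# Must match the wg-quick unit names from the NixOS wireguard module` would help, because after a rename the block just shows its empty `inactive_format` and the bar gives no hint that the indicator no longer tracks the tunnel.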
--- a/pkgs/lohr/default.nix +++ b/pkgs/lohr/default.nix @@ -1,16 +1,16 @@ { lib, fetchFromGitHub, rustPlatform }: rustPlatform.buildRustPackage rec { pname = "lohr"; - version = "0.4.2"; + version = "0.4.5"; src = fetchFromGitHub { owner = "alarsyo"; repo = "lohr"; rev = "v${version}"; - hash = "sha256-2pN/Me5fCdE++TzBUswPXzjuUIIB7Uck+Scp361JgE4="; + hash = "sha256-p6E/r+OxFTpxDpOKSlacOxvRLfHSKg1mHNAfTytfqDY="; }; - cargoHash = "sha256-YHg4b6rKcnVJSDoWh9/o+p40NBog65Gd2/UwIDXiUe0="; + cargoHash = "sha256-hext0S0o9D9pN9epzXtD5dwAYMPCLpBBOBT4FX0mTMk="; meta = with lib; { description = "Git mirroring daemon"; From 401972cb42ea23af201327f52d6724e420f904cf Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 13:43:41 +0000 Subject: [PATCH 030/169] flake: bump inputs --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index c2baaaf..adff398 100644 --- a/flake.lock +++ b/flake.lock @@ -131,11 +131,11 @@ ] }, "locked": { - "lastModified": 1701728041, - "narHash": "sha256-x0pyrI1vC8evVDxCxyO6olOyr4wlFg9+VS3C3p4xFYQ=", + "lastModified": 1702538064, + "narHash": "sha256-At5GwJPu2tzvS9dllhBoZmqK6lkkh/sOp2YefWRlaL8=", "owner": "nix-community", "repo": "home-manager", - "rev": "ac7216918cd65f3824ba7817dea8f22e61221eaf", + "rev": "0e2e443ff24f9d75925e91b89d1da44b863734af", "type": "github" }, "original": { @@ -147,11 +147,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701436327, - "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", + "lastModified": 1702312524, + "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "91050ea1e57e50388fa87a3302ba12d188ef723a", + "rev": "a9bf124c46ef298113270b1f84a164865987a91c", "type": "github" }, "original": { 
@@ -163,11 +163,11 @@ }, "nur": { "locked": { - "lastModified": 1701895548, - "narHash": "sha256-ukg5+dJSa82+CpCNmca10wLjdzVN8thlkOfswsZqf+s=", + "lastModified": 1702558663, + "narHash": "sha256-MHq/DdwsBwsTRqwFg1JuFtcoGArgvaH/XwbxgWQ4Zn0=", "owner": "nix-community", "repo": "NUR", - "rev": "52bf9b8e019cd6e9ec6ff604e7b06c82ad487867", + "rev": "b839a2bae27c0c14dd99dcc1f6d18f83b0af59bd", "type": "github" }, "original": { @@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1700922917, - "narHash": "sha256-ej2fch/T584b5K9sk1UhmZF7W6wEfDHuoUYpFN8dtvM=", + "lastModified": 1702456155, + "narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "e5ee5c5f3844550c01d2131096c7271cec5e9b78", + "rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc", "type": "github" }, "original": { From 373545ee3882f2024efa11352de49fe5862502fe Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 13:55:45 +0000 Subject: [PATCH 031/169] nixos: system: printing: migrate deprecated option It's recommended to only enable the IPv4 option, as most mDNS responders only register IPv4 addresses (therefore enabling IPv6 would lead to long timeouts when checking for those addresses first). --- modules/nixos/system/printing/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/system/printing/default.nix b/modules/nixos/system/printing/default.nix index a4547ef..0dfab0f 100644 --- a/modules/nixos/system/printing/default.nix +++ b/modules/nixos/system/printing/default.nix @@ -63,7 +63,7 @@ in enable = true; openFirewall = true; # Allow resolution of '.local' addresses - nssmdns = true; + nssmdns4 = true; }; }; } From e97f295470bab5accd22139aefacfdefdf833561 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 14 Dec 2023 13:49:48 +0000 Subject: [PATCH 032/169] home: firefox: use upstream 'ff2mpv-go' --- modules/home/firefox/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/firefox/default.nix b/modules/home/firefox/default.nix index 85a1d59..02c74f2 100644 --- a/modules/home/firefox/default.nix +++ b/modules/home/firefox/default.nix @@ -36,7 +36,7 @@ in nativeMessagingHosts = ([ ] ++ lib.optional cfg.tridactyl.enable pkgs.tridactyl-native # Watch videos using mpv - ++ lib.optional cfg.ff2mpv.enable pkgs.ambroisie.ff2mpv-go + ++ lib.optional cfg.ff2mpv.enable pkgs.ff2mpv-go ); }; From 1d50844fa42550bbbf30ea1bcd74eacb0b631bf6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 13:51:49 +0000 Subject: [PATCH 033/169] pkgs: remove 'ff2mpv-go' I've (finally) packaged it upstream. --- pkgs/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/default.nix b/pkgs/default.nix index 664b5a4..1bf260c 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -16,8 +16,6 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { drone-scp = pkgs.callPackage ./drone-scp { }; - ff2mpv-go = pkgs.callPackage ./ff2mpv-go { }; - i3-get-window-criteria = pkgs.callPackage ./i3-get-window-criteria { }; lohr = pkgs.callPackage ./lohr { }; From 104bc05871e2ccee9de26a2a959048024c95a9dd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 13:50:47 +0000 Subject: [PATCH 034/169] home: wm: use upstream 'vimix-cursors' --- modules/home/wm/cursor/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/wm/cursor/default.nix b/modules/home/wm/cursor/default.nix index 9426232..3b58b7b 100644 --- a/modules/home/wm/cursor/default.nix +++ b/modules/home/wm/cursor/default.nix @@ -8,7 +8,7 @@ in { config = lib.mkIf cfg.enable { home.pointerCursor = { - package = pkgs.ambroisie.vimix-cursors; + package = pkgs.vimix-cursors; name = "Vimix-cursors"; x11 = { 
From c28959fe029fec43cbf210b64257024f0cde674d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 13:53:17 +0000 Subject: [PATCH 035/169] pkgs: remove 'vimix-cursors' Now that I've (finally) packaged it upstream. --- pkgs/default.nix | 2 -- pkgs/vimix-cursors/default.nix | 44 ---------------------------------- 2 files changed, 46 deletions(-) delete mode 100644 pkgs/vimix-cursors/default.nix diff --git a/pkgs/default.nix b/pkgs/default.nix index 1bf260c..f5036fe 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -32,8 +32,6 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { unified-hosts-lists = pkgs.callPackage ./unified-hosts-lists { }; - vimix-cursors = pkgs.callPackage ./vimix-cursors { }; - wifi-qr = pkgs.callPackage ./wifi-qr { }; zsh-done = pkgs.callPackage ./zsh-done { }; diff --git a/pkgs/vimix-cursors/default.nix b/pkgs/vimix-cursors/default.nix deleted file mode 100644 index 80424de..0000000 --- a/pkgs/vimix-cursors/default.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ lib, python3, fetchFromGitHub, inkscape, stdenvNoCC, xcursorgen }: -let - py = python3.withPackages (ps: with ps; [ cairosvg ]); -in -stdenvNoCC.mkDerivation rec { - pname = "vimix-cursors"; - version = "unstable-2020-04-28"; - - src = fetchFromGitHub { - owner = "vinceliuice"; - repo = pname; - rev = "27ebb1935944bc986bf8ae85ee3343b8351d9823"; - hash = "sha256-bIPRrKaNQ2Eo+T6zv7qeA1z7uRHXezM0yxh+uqA01Gs="; - }; - - nativeBuildInputs = [ - inkscape - py - xcursorgen - ]; - - postPatch = '' - patchShebangs . - ''; - - buildPhase = '' - HOME="$NIX_BUILD_ROOT" ./build.sh - ''; - - installPhase = '' - install -dm 755 $out/share/icons - for color in "" "-white"; do - cp -pr dist''${color}/ "$out/share/icons/Vimix''${color}-cursors" - done - ''; - - meta = with lib; { - description = "An X cursor theme inspired by Materia design"; - homepage = "https://github.com/vinceliuice/Vimix-cursors"; - license = licenses.gpl3Only; - maintainers = with maintainers; [ ambroisie ]; - platforms = platforms.linux; - }; -} From ad40c1b1d2a63301a8884268876c2b96f56f2c1d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 14:16:44 +0000 Subject: [PATCH 036/169] treewide: update to nix-direnv 3.0.0 --- .envrc | 8 ++++---- templates/c++-cmake/.envrc | 4 ++-- templates/c++-meson/.envrc | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.envrc b/.envrc index 9222bda..f5141c2 100644 --- a/.envrc +++ b/.envrc 
@@ -1,8 +1,8 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" +if ! has nix_direnv_version || ! nix_direnv_version 3.0.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.0/direnvrc" "sha256-21TMnI2xWX7HkSTjFFri2UaohXVj854mgvWapWrxRXg=" fi -nix_direnv_watch_file ./flake/checks.nix -nix_direnv_watch_file ./flake/dev-shells.nix +watch_file ./flake/checks.nix +watch_file ./flake/dev-shells.nix use flake diff --git a/templates/c++-cmake/.envrc b/templates/c++-cmake/.envrc index ccf325e..de77fcb 100644 --- a/templates/c++-cmake/.envrc +++ b/templates/c++-cmake/.envrc @@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" +if ! has nix_direnv_version || ! nix_direnv_version 3.0.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.0/direnvrc" "sha256-21TMnI2xWX7HkSTjFFri2UaohXVj854mgvWapWrxRXg=" fi use flake diff --git a/templates/c++-meson/.envrc b/templates/c++-meson/.envrc index ccf325e..de77fcb 100644 --- a/templates/c++-meson/.envrc +++ b/templates/c++-meson/.envrc @@ -1,5 +1,5 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.4.0; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.4.0/direnvrc" "sha256-XQzUAvL6pysIJnRJyR7uVpmUSZfc7LSgWQwq/4mBr1U=" +if ! has nix_direnv_version || ! nix_direnv_version 3.0.0; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.0/direnvrc" "sha256-21TMnI2xWX7HkSTjFFri2UaohXVj854mgvWapWrxRXg=" fi use flake From 49742deb185f9c562de5259fdc3efa6f1444f66c Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 14 Dec 2023 20:08:01 +0000 Subject: [PATCH 037/169] pkgs: unified-hosts-lists: 3.12.15 -> 3.14.37 --- pkgs/unified-hosts-lists/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/unified-hosts-lists/default.nix b/pkgs/unified-hosts-lists/default.nix index 06d24ac..6a71fdf 100644 --- a/pkgs/unified-hosts-lists/default.nix +++ b/pkgs/unified-hosts-lists/default.nix @@ -1,7 +1,7 @@ { lib, fetchFromGitHub, stdenvNoCC }: stdenvNoCC.mkDerivation rec { pname = "unified-hosts-lists"; - version = "3.12.15"; + version = "3.14.37"; src = fetchFromGitHub { owner = "StevenBlack"; From 49f695bf68c4fbc6f50a7fa6412334350e71e377 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 16 Dec 2023 12:51:05 +0000 Subject: [PATCH 038/169] pkgs: remove 'drone-scp' I added it to upstream nixpkgs. --- pkgs/default.nix | 2 -- pkgs/drone-scp/default.nix | 25 ------------------------- 2 files changed, 27 deletions(-) delete mode 100644 pkgs/drone-scp/default.nix diff --git a/pkgs/default.nix b/pkgs/default.nix index f5036fe..294051c 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -14,8 +14,6 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { drone-rsync = pkgs.callPackage ./drone-rsync { }; - drone-scp = pkgs.callPackage ./drone-scp { }; - i3-get-window-criteria = pkgs.callPackage ./i3-get-window-criteria { }; lohr = pkgs.callPackage ./lohr { }; diff --git a/pkgs/drone-scp/default.nix b/pkgs/drone-scp/default.nix deleted file mode 100644 index 7437b06..0000000 --- a/pkgs/drone-scp/default.nix +++ /dev/null 
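Review bot: Only `version` changes in the `unified-hosts-lists` hunk (the diffstat reports one insertion and one deletion), while the `fetchFromGitHub` call's `hash` sits below the hunk and is left as it was. A fixed-output fetch is keyed by its hash, so if `rev` follows `version` (as it does in the copy of this file removed later in the series), Nix either fails with a hash mismatch or, when the old output is already in the store or a binary cache, reuses the 3.12.15 tree under the 3.14.37 label without fetching anything. Update `hash` in the same commit (set it to `lib.fakeHash`, build once, copy the reported value) so the block list that is shipped is the one the version claims.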
@@ -1,25 +0,0 @@ -{ lib, buildGoModule, fetchFromGitHub }: -buildGoModule rec { - pname = "drone-scp"; - version = "1.6.3"; - - src = fetchFromGitHub { - owner = "appleboy"; - repo = "drone-scp"; - rev = "v${version}"; - hash = "sha256-ELjPqoRR4O6gmc/PgthQuSXuSTQNzBZoAUT80zVVbV0="; - }; - - vendorHash = "sha256-/c103hTJ/Qdz2KTkdl/ACvAaSSTKcl1DQY3+Us6OxaI="; - - doCheck = false; # Needs a specific user... - - meta = with lib; { - description = '' - Copy files and artifacts via SSH using a binary, docker or Drone CI - ''; - homepage = "https://github.com/appleboy/drone-scp"; - license = licenses.mit; - mainProgram = "drone-scp"; - }; -} From 7ccb8ea8b56a54d9e48ded3ff5c5a0b0858de9ba Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 16 Dec 2023 14:28:46 +0000 Subject: [PATCH 039/169] pkgs: unbound-zones-adblock: use upstream package This is a slight regression, as the current version of `stevenblack-blocklist` is 3.13.10 and the version I packaged is 3.14.37. However I am lazy and want to avoid having to bump the version manually... --- pkgs/unbound-zones-adblock/default.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pkgs/unbound-zones-adblock/default.nix b/pkgs/unbound-zones-adblock/default.nix index b8392ae..642ac41 100644 --- a/pkgs/unbound-zones-adblock/default.nix +++ b/pkgs/unbound-zones-adblock/default.nix @@ -1,9 +1,9 @@ -{ lib, gawk, stdenvNoCC, unified-hosts-lists }: +{ lib, gawk, stdenvNoCC, stevenblack-blocklist }: stdenvNoCC.mkDerivation { name = "unbound-zones-adblock"; - version = unified-hosts-lists.version; + version = stevenblack-blocklist.rev; - src = unified-hosts-lists; + src = stevenblack-blocklist; dontUnpack = true; 
@@ -18,9 +18,11 @@ stdenvNoCC.mkDerivation { ]; in '' - mkdir -p $out - for file in $src/*; do - ${gawkCmd} $file | tr '[:upper:]' '[:lower:]' | sort -u > $out/$(basename $file) + shopt -s globstar + for file in $src/**/hosts; do + outFile="$out/''${file#$src}" + mkdir -p "$(dirname "$outFile")" + ${gawkCmd} $file | tr '[:upper:]' '[:lower:]' | sort -u > "$outFile" done ''; From 4aca698ac6179a626955a867094d49d539887ee8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 16 Dec 2023 14:31:16 +0000 Subject: [PATCH 040/169] pkgs: remove 'unified-hosts-lists' Instead make use of the upstream packaged host list. --- pkgs/default.nix | 2 -- pkgs/unified-hosts-lists/default.nix | 34 ---------------------------- 2 files changed, 36 deletions(-) delete mode 100644 pkgs/unified-hosts-lists/default.nix diff --git a/pkgs/default.nix b/pkgs/default.nix index 294051c..3a8e812 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -28,8 +28,6 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { unbound-zones-adblock = pkgs.callPackage ./unbound-zones-adblock { }; - unified-hosts-lists = pkgs.callPackage ./unified-hosts-lists { }; - wifi-qr = pkgs.callPackage ./wifi-qr { }; zsh-done = pkgs.callPackage ./zsh-done { }; diff --git a/pkgs/unified-hosts-lists/default.nix b/pkgs/unified-hosts-lists/default.nix deleted file mode 100644 index 6a71fdf..0000000 --- a/pkgs/unified-hosts-lists/default.nix +++ /dev/null 
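Review bot: `$file` is expanded unquoted in `${gawkCmd} $file` while `outFile` on the neighbouring lines is quoted; quote it too: `${gawkCmd} "$file" | tr '[:upper:]' '[:lower:]' | sort -u > "$outFile"`. The output layout also changes from flat files under `$out` to `$out/<path relative to the source>/hosts`, and the module that feeds these files to unbound is not touched in this commit. It is worth checking that it does not still reference the old names, since a resolver pointed at a missing or empty zone file simply stops blocking. The shell string and its `let` bindings start outside the hunk.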
@@ -1,34 +0,0 @@ -{ lib, fetchFromGitHub, stdenvNoCC }: -stdenvNoCC.mkDerivation rec { - pname = "unified-hosts-lists"; - version = "3.14.37"; - - src = fetchFromGitHub { - owner = "StevenBlack"; - repo = "hosts"; - rev = version; - hash = "sha256-HoNX57lCoIr36B/7HMuazWSWeAPPfWY1oZf6dXnxYIE="; - }; - - dontUnpack = true; - - installPhase = '' - mkdir -p $out - cp -r $src/hosts $out - for file in $src/alternates/*/hosts; do - cp $file $out/$(basename $(dirname $file)) - done - ''; - - meta = with lib; { - description = "Unified host lists"; - longDescription = '' - Consolidating and extending hosts files from several well-curated sources. - Optionally pick extensions for porn, social media, and other categories. - ''; - homepage = "https://github.com/StevenBlack/hosts"; - license = licenses.mit; - maintainers = with maintainers; [ ambroisie ]; - platforms = platforms.all; - }; -} From 864e0a5ae63b9cd1f5fafdad0f9df93661f5d788 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 16 Dec 2023 16:23:04 +0000 Subject: [PATCH 041/169] home: firefox: tridactyl: fix Google mapping --- modules/home/firefox/tridactyl/tridactylrc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/home/firefox/tridactyl/tridactylrc b/modules/home/firefox/tridactyl/tridactylrc index 31d3cb7..0401292 100644 --- a/modules/home/firefox/tridactyl/tridactylrc +++ b/modules/home/firefox/tridactyl/tridactylrc @@ -22,8 +22,8 @@ bind ;c hint -Jc [class*="expand"],[class*="togg"],[class="comment_folder"] bindurl reddit.com gu urlparent 3 " Only hint search results on Google -bindurl www.google.com f hint -Jc #search div:not(.action-menu) > a -bindurl www.google.com F hint -Jbc #search div:not(.action-menu) > a +bindurl www.google.com f hint -Jc #search a +bindurl www.google.com F hint -Jbc #search a " Only hint search results on DuckDuckGo bindurl ^https://duckduckgo.com f hint -Jc [data-testid="result-title-a"] 
From 066a33587debe4a4c8e9465882d39cb3160e7142 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 16 Dec 2023 20:24:38 +0000 Subject: [PATCH 042/169] home: mpv: add uosc script --- modules/home/mpv/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/mpv/default.nix b/modules/home/mpv/default.nix index 9aef379..931c252 100644 --- a/modules/home/mpv/default.nix +++ b/modules/home/mpv/default.nix @@ -13,6 +13,7 @@ in scripts = [ pkgs.mpvScripts.mpris # Allow controlling using media keys + pkgs.mpvScripts.uosc # Nicer UI ]; }; }; From a657a7742eec560caaca8d4925b83671490cb548 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 18 Dec 2023 09:41:35 +0000 Subject: [PATCH 043/169] home: wm: i3bar: fix 'net' block when disconnected I still sometimes get the error message about not being able to format the block, this should fix it. --- modules/home/wm/i3bar/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/wm/i3bar/default.nix b/modules/home/wm/i3bar/default.nix index 5dbb505..5ae0e7d 100644 --- a/modules/home/wm/i3bar/default.nix +++ b/modules/home/wm/i3bar/default.nix @@ -74,7 +74,7 @@ in ) { block = "net"; - format = " $icon{| $ssid|} $ip{| $signal_strength|} "; + format = " $icon{| $ssid|}{| $ip|}{| $signal_strength|} "; } { block = "backlight"; From 13d85c30f98eacbc512fcf27bb76ede4dd30f7ef Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 19 Dec 2023 19:08:10 +0100 Subject: [PATCH 044/169] pkgs: remove 'wifi-qr' Now that I added it to upstream, I can get rid of it. --- pkgs/default.nix | 2 - pkgs/wifi-qr/default.nix | 81 ---------------------------------------- 2 files changed, 83 deletions(-) delete mode 100644 pkgs/wifi-qr/default.nix diff --git a/pkgs/default.nix b/pkgs/default.nix index 3a8e812..6b7fce1 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
@@ -28,7 +28,5 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { unbound-zones-adblock = pkgs.callPackage ./unbound-zones-adblock { }; - wifi-qr = pkgs.callPackage ./wifi-qr { }; - zsh-done = pkgs.callPackage ./zsh-done { }; }) diff --git a/pkgs/wifi-qr/default.nix b/pkgs/wifi-qr/default.nix deleted file mode 100644 index 88164e5..0000000 --- a/pkgs/wifi-qr/default.nix +++ /dev/null 
@@ -1,81 +0,0 @@ -{ lib -, fetchFromGitHub -, gnome -, installShellFiles -, makeWrapper -, networkmanager -, qrencode -, stdenvNoCC -, xdg-utils -, zbar -}: -stdenvNoCC.mkDerivation rec { - pname = "wifi-qr"; - version = "unstable-2023-04-19"; - - outputs = [ "out" "man" ]; - - src = fetchFromGitHub { - owner = "kokoye2007"; - repo = "wifi-qr"; - rev = "b81d4a44257252f07e745464879aa5618ae3d434"; - hash = "sha256-oGTAr+raJGpK4PV4GdBxX8fIUE8gcbXw7W0SvQJAee0="; - }; - - nativeBuildInputs = [ - installShellFiles - makeWrapper - ]; - - dontBuild = true; - - dontConfigure = true; - - postPatch = '' - substituteInPlace wifi-qr.desktop \ - --replace "Exec=sh -c 'wifi-qr g'" "Exec=$out/bin/wifi-qr g" \ - --replace "Exec=sh -c 'wifi-qr q'" "Exec=$out/bin/wifi-qr q" \ - --replace "Exec=sh -c 'wifi-qr p'" "Exec=$out/bin/wifi-qr p" \ - --replace "Exec=sh -c 'wifi-qr c'" "Exec=$out/bin/wifi-qr c" \ - --replace "Icon=wifi-qr.svg" "Icon=wifi-qr" - ''; - - installPhase = '' - runHook preInstall - - install -Dm755 wifi-qr $out/bin/wifi-qr - - install -Dm644 wifi-qr.desktop $out/share/applications/wifi-qr.desktop - install -Dm644 wifi-qr.svg $out/share/icons/hicolor/scalable/apps/wifi-qr.svg - - installManPage wifi-qr.1 - - runHook postInstall - ''; - - wrapperPath = lib.makeBinPath [ - gnome.zenity - networkmanager - qrencode - xdg-utils - zbar - ]; - - fixupPhase = '' - runHook preFixup - - patchShebangs $out/bin/wifi-qr - wrapProgram $out/bin/wifi-qr --suffix PATH : "${wrapperPath}" - - runHook postFixup - ''; - - meta = with lib; { - description = "WiFi password sharing via QR codes"; - homepage = "https://github.com/kokoye2007/wifi-qr"; - license = with licenses; [ gpl3Plus ]; - mainProgram = "wifi-qr"; - maintainers = with maintainers; [ ambroisie ]; - platforms = platforms.linux; - }; -} From 26950332c7176f98e3a35273d6e8bdd7118a1352 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Tue, 19 Dec 2023 22:00:32 +0100 Subject: [PATCH 045/169] home: keyboard: extract from X module This deserves to be its own standalone module, as I would want to use it in both X and Wayland, etc... --- modules/home/default.nix | 1 + modules/home/{x => }/keyboard/default.nix | 6 +++++- modules/home/x/default.nix | 4 ---- 3 files changed, 6 insertions(+), 5 deletions(-) rename modules/home/{x => }/keyboard/default.nix (50%) diff --git a/modules/home/default.nix b/modules/home/default.nix index 8ba3a8d..4dcfc35 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -23,6 +23,7 @@ ./gtk ./htop ./jq + ./keyboard ./mail ./mpv ./nix diff --git a/modules/home/x/keyboard/default.nix b/modules/home/keyboard/default.nix similarity index 50% rename from modules/home/x/keyboard/default.nix rename to modules/home/keyboard/default.nix index 40af800..2216a08 100644 --- a/modules/home/x/keyboard/default.nix +++ b/modules/home/keyboard/default.nix @@ -1,8 +1,12 @@ { config, lib, ... }: let - cfg = config.my.home.x; + cfg = config.my.home.keyboard; in { + options.my.home.keyboard = with lib; { + enable = my.mkDisableOption "keyboard configuration"; + }; + config = lib.mkIf cfg.enable { home.keyboard = { layout = "fr"; diff --git a/modules/home/x/default.nix b/modules/home/x/default.nix index 0312bc4..c320e52 100644 --- a/modules/home/x/default.nix +++ b/modules/home/x/default.nix @@ -3,10 +3,6 @@ let cfg = config.my.home.x; in { - imports = [ - ./keyboard - ]; - options.my.home.x = with lib; { enable = mkEnableOption "X server configuration"; }; From faa87743e5f54be48874282aa4d244a1482e6e72 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Mon, 25 Dec 2023 19:25:08 +0100 Subject: [PATCH 046/169] nixos: services: nginx: use attrset for vhosts Attribute sets compose better than lists, it was a mistake to use a list in the first place... --- modules/nixos/services/blog/default.nix | 2 +- .../nixos/services/calibre-web/default.nix | 8 ++-- .../nixos/services/drone/server/default.nix | 8 ++-- modules/nixos/services/flood/default.nix | 8 ++-- modules/nixos/services/gitea/default.nix | 12 +++--- modules/nixos/services/indexers/default.nix | 24 ++++++------ modules/nixos/services/jellyfin/default.nix | 8 ++-- modules/nixos/services/lohr/default.nix | 8 ++-- modules/nixos/services/matrix/default.nix | 20 +++++----- modules/nixos/services/miniflux/default.nix | 8 ++-- modules/nixos/services/monitoring/default.nix | 8 ++-- modules/nixos/services/navidrome/default.nix | 8 ++-- modules/nixos/services/nginx/default.nix | 38 +++++++++---------- modules/nixos/services/nix-cache/default.nix | 8 ++-- modules/nixos/services/paperless/default.nix | 8 ++-- modules/nixos/services/pirate/default.nix | 8 ++-- modules/nixos/services/podgrab/default.nix | 8 ++-- modules/nixos/services/sabnzbd/default.nix | 8 ++-- .../services/tandoor-recipes/default.nix | 8 ++-- .../nixos/services/transmission/default.nix | 8 ++-- modules/nixos/services/vikunja/default.nix | 8 ++-- .../services/woodpecker/server/default.nix | 12 +++--- 22 files changed, 118 insertions(+), 118 deletions(-) diff --git a/modules/nixos/services/blog/default.nix b/modules/nixos/services/blog/default.nix index 4b646c3..38ada5e 100644 --- a/modules/nixos/services/blog/default.nix +++ b/modules/nixos/services/blog/default.nix @@ -9,7 +9,7 @@ let root = "/var/www/${subdomain}"; }; - hostsInfo = map makeHostInfo [ "cv" "dev" "key" ]; + hostsInfo = lib.flip lib.genAttrs makeHostInfo [ "cv" "dev" "key" ]; in { options.my.services.blog = { 
diff --git a/modules/nixos/services/calibre-web/default.nix b/modules/nixos/services/calibre-web/default.nix index 858851c..fe53b7e 100644 --- a/modules/nixos/services/calibre-web/default.nix +++ b/modules/nixos/services/calibre-web/default.nix @@ -40,12 +40,12 @@ in # Set-up media group users.groups.media = { }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + library = { subdomain = "library"; inherit (cfg) port; - } - ]; + }; + }; my.services.backup = { paths = [ diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index d651f85..2207765 100644 --- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -45,11 +45,11 @@ in }]; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + drone = { subdomain = "drone"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/flood/default.nix b/modules/nixos/services/flood/default.nix index ff5d941..e227dde 100644 --- a/modules/nixos/services/flood/default.nix +++ b/modules/nixos/services/flood/default.nix @@ -40,11 +40,11 @@ in }; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + flood = { subdomain = "flood"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 00ba941..4d5429e 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -116,18 +116,18 @@ in }; users.groups.git = { }; - my.services.nginx.virtualHosts = [ + my.services.nginx.virtualHosts = { # Proxy to Gitea - { + git = { subdomain = "git"; inherit (cfg) port; - } + }; # Redirect `gitea.` to actual forge subdomain - { + gitea = { subdomain = "gitea"; redirect = config.services.gitea.settings.server.ROOT_URL; - } - ]; + }; + }; my.services.backup = { paths = [ 
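Review bot: Every converted entry repeats its key in `subdomain` (`library = { subdomain = "library"; ... }` here, and likewise in the drone, flood, gitea, indexers, jellyfin, lohr, matrix, miniflux and monitoring hunks), so the label and the served name can drift apart unnoticed. The hunk for the `nginx` module itself is not in view, but if `virtualHosts` is now an `attrsOf` submodule, `subdomain` could default to the attribute name and these lines could be dropped. Failing that, a comment on the option, e.g. `# The attribute name is only a label; 'subdomain' decides what is served`, would spare readers the guess.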
diff --git a/modules/nixos/services/indexers/default.nix b/modules/nixos/services/indexers/default.nix index fb06a0b..ff2d91c 100644 --- a/modules/nixos/services/indexers/default.nix +++ b/modules/nixos/services/indexers/default.nix @@ -28,12 +28,12 @@ in }; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + jackett = { subdomain = "jackett"; port = jackettPort; - } - ]; + }; + }; }) (lib.mkIf cfg.nzbhydra.enable { @@ -41,12 +41,12 @@ in enable = true; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + nzbhydra = { subdomain = "nzbhydra"; port = nzbhydraPort; - } - ]; + }; + }; }) (lib.mkIf cfg.prowlarr.enable { @@ -54,12 +54,12 @@ in enable = true; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + prowlarr = { subdomain = "prowlarr"; port = prowlarrPort; - } - ]; + }; + }; services.fail2ban.jails = { prowlarr = '' diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix index 2fcf51e..326dab3 100644 --- a/modules/nixos/services/jellyfin/default.nix +++ b/modules/nixos/services/jellyfin/default.nix @@ -17,8 +17,8 @@ in # Set-up media group users.groups.media = { }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + jellyfin = { subdomain = "jellyfin"; port = 8096; extraConfig = { @@ -33,7 +33,7 @@ in proxyWebsockets = true; }; }; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix index 245567c..af292cc 100644 --- a/modules/nixos/services/lohr/default.nix +++ b/modules/nixos/services/lohr/default.nix @@ -98,11 +98,11 @@ in }; users.groups.lohr = { }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + lohr = { subdomain = "lohr"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index 52b60c5..3328747 100644 
--- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -117,9 +117,9 @@ in }; }; - my.services.nginx.virtualHosts = [ + my.services.nginx.virtualHosts = { # Element Web app deployment - { + chat = { subdomain = "chat"; root = pkgs.element-web.override { conf = { @@ -145,22 +145,22 @@ in }; }; }; - } + }; # Dummy VHosts for port collision detection - { + matrix-federation = { subdomain = "matrix-federation"; port = federationPort.private; - } - { + }; + matrix-client = { subdomain = "matrix-client"; port = clientPort.private; - } + }; # Sliding sync - { + matrix-sync = { subdomain = "matrix-sync"; inherit (cfg.slidingSync) port; - } - ]; + }; + }; # Those are too complicated to use my wrapper... services.nginx.virtualHosts = { diff --git a/modules/nixos/services/miniflux/default.nix b/modules/nixos/services/miniflux/default.nix index 6d9ffc8..07eb6f8 100644 --- a/modules/nixos/services/miniflux/default.nix +++ b/modules/nixos/services/miniflux/default.nix @@ -43,11 +43,11 @@ in }; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + reader = { subdomain = "reader"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/monitoring/default.nix b/modules/nixos/services/monitoring/default.nix index 829bfe0..2f23ff0 100644 --- a/modules/nixos/services/monitoring/default.nix +++ b/modules/nixos/services/monitoring/default.nix @@ -125,11 +125,11 @@ in ]; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + monitoring = { subdomain = "monitoring"; inherit (cfg.grafana) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/navidrome/default.nix b/modules/nixos/services/navidrome/default.nix index 6c001fd..92f9fd2 100644 --- a/modules/nixos/services/navidrome/default.nix +++ b/modules/nixos/services/navidrome/default.nix 
@@ -47,11 +47,11 @@ in }; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + music = { subdomain = "music"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index 6ca2e42..53c947b 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix @@ -97,19 +97,19 @@ in }; virtualHosts = mkOption { - type = types.listOf virtualHostOption; - default = [ ]; + type = types.attrsOf virtualHostOption; + default = { }; example = litteralExample '' - [ - { - subdomain = "gitea"; + { + gitea = { + subdomain = "git"; port = 8080; - } - { + }; + dev = { subdomain = "dev"; root = "/var/www/dev"; - } - { + }; + jellyfin = { subdomain = "jellyfin"; port = 8096; extraConfig = { @@ -118,8 +118,8 @@ in proxyWebsockets = true; }; }; - } - ] + }; + } ''; description = '' List of virtual hosts to set-up using default settings. @@ -190,7 +190,7 @@ in config = lib.mkIf cfg.enable { assertions = [ ] - ++ (lib.flip builtins.map cfg.virtualHosts ({ subdomain, ... } @ args: + ++ (lib.flip lib.mapAttrsToList cfg.virtualHosts (_: { subdomain, ... } @ args: let conflicts = [ "port" "root" "socket" "redirect" ]; optionsNotNull = builtins.map (v: args.${v} != null) conflicts; @@ -209,7 +209,7 @@ in ports = lib.my.mapFilter (v: v != null) ({ port, ... }: port) - cfg.virtualHosts; + (lib.attrValues cfg.virtualHosts); portCounts = lib.my.countValues ports; nonUniquesCounts = lib.filterAttrs (_: v: v != 1) portCounts; nonUniques = builtins.attrNames nonUniquesCounts; @@ -221,7 +221,7 @@ in map mkAssertion nonUniques ) ++ ( let - subs = map ({ subdomain, ... }: subdomain) cfg.virtualHosts; + subs = lib.mapAttrsToList (_: { subdomain, ... }: subdomain) cfg.virtualHosts; subsCounts = lib.my.countValues subs; nonUniquesCounts = lib.filterAttrs (_: v: v != 1) subsCounts; nonUniques = builtins.attrNames nonUniquesCounts; 
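Review bot: The `description` left as context after the rewritten `example` (nginx hunk at `@@ -118,8`) still reads `List of virtual hosts to set-up using default settings.`, although the hunk at `@@ -97,19` changes the option to `types.attrsOf virtualHostOption`. It should say something like `Attribute set of virtual hosts to set-up using default settings; the attribute name is only a key, the host is built from 'subdomain'.` The new example itself shows a key (`gitea`) that differs from its `subdomain` (`git`), so this is worth spelling out. The `example` line also calls `litteralExample`, which looks like a misspelling of `literalExpression` (formerly `literalExample`). It would presumably only fail when the option documentation is evaluated.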
@@ -325,7 +325,7 @@ in ]) ); in - lib.my.genAttrs' cfg.virtualHosts mkVHost; + lib.my.genAttrs' (lib.attrValues cfg.virtualHosts) mkVHost; sso = { enable = true; @@ -403,12 +403,12 @@ in }; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + login = { subdomain = "login"; inherit (cfg.sso) port; - } - ]; + }; + }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/nixos/services/nix-cache/default.nix b/modules/nixos/services/nix-cache/default.nix index b3bdbf3..5517a78 100644 --- a/modules/nixos/services/nix-cache/default.nix +++ b/modules/nixos/services/nix-cache/default.nix @@ -43,11 +43,11 @@ in signKeyPath = cfg.secretKeyFile; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + cache = { subdomain = "cache"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index 90f6b0c..87a816a 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -143,8 +143,8 @@ in extraGroups = [ "media" ]; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + paperless = { subdomain = "paperless"; inherit (cfg) port; sso = { @@ -155,8 +155,8 @@ in extraConfig = { locations."/".proxyWebsockets = true; }; - } - ]; + }; + }; my.services.backup = { paths = [ diff --git a/modules/nixos/services/pirate/default.nix b/modules/nixos/services/pirate/default.nix index 59f9794..88a2250 100644 --- a/modules/nixos/services/pirate/default.nix +++ b/modules/nixos/services/pirate/default.nix @@ -21,12 +21,12 @@ let }; mkRedirection = service: { - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + ${service} = { subdomain = service; port = ports.${service}; - } - ]; + }; + }; }; mkFail2Ban = service: lib.mkIf cfg.${service}.enable { 
diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix index 9793d60..e59b20d 100644 --- a/modules/nixos/services/podgrab/default.nix +++ b/modules/nixos/services/podgrab/default.nix @@ -31,11 +31,11 @@ in inherit (cfg) passwordFile port; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + podgrab = { subdomain = "podgrab"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/sabnzbd/default.nix b/modules/nixos/services/sabnzbd/default.nix index 7ab145f..42058e7 100644 --- a/modules/nixos/services/sabnzbd/default.nix +++ b/modules/nixos/services/sabnzbd/default.nix @@ -18,12 +18,12 @@ in # Set-up media group users.groups.media = { }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + sabnzbd = { subdomain = "sabnzbd"; inherit port; - } - ]; + }; + }; services.fail2ban.jails = { sabnzbd = '' diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 541e198..353fac3 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix @@ -70,11 +70,11 @@ in ]; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + recipes = { subdomain = "recipes"; inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix index 28df477..ce7f9e6 100644 --- a/modules/nixos/services/transmission/default.nix +++ b/modules/nixos/services/transmission/default.nix @@ -80,12 +80,12 @@ in # Default transmission webui, I prefer combustion but its development # seems to have stalled - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + transmission = { subdomain = "transmission"; inherit (cfg) port; - } - ]; + }; + }; networking.firewall = { allowedTCPPorts = [ cfg.peerPort ]; 
diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 8c051b0..425698d 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix @@ -59,8 +59,8 @@ in }; # This is a weird setup - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + vikunja = { inherit subdomain; # Serve the root for the web-ui root = config.services.vikunja.package-frontend; @@ -80,8 +80,8 @@ in }; }; }; - } - ]; + }; + }; systemd.services.vikunja-api = { serviceConfig = { diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index cebbc9b..b5ec0d8 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -52,16 +52,16 @@ in }]; }; - my.services.nginx.virtualHosts = [ - { + my.services.nginx.virtualHosts = { + woodpecker = { subdomain = "woodpecker"; inherit (cfg) port; - } + }; # I might want to be able to RPC from other hosts in the future - { + woodpecker-rpc = { subdomain = "woodpecker-rpc"; port = cfg.rpcPort; - } - ]; + }; + }; }; } From b7a4bc063fb6b26064c1f626aa3bd1b3960c85b5 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 25 Dec 2023 19:28:53 +0100 Subject: [PATCH 047/169] nixos: services: nginx: add default subdomain In almost all cases, the subdomain should be the same as the attribute name... --- modules/nixos/services/nginx/default.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index 53c947b..e916c9c 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix 
@@ -5,10 +5,11 @@ let domain = config.networking.domain; - virtualHostOption = with lib; types.submodule { + virtualHostOption = with lib; types.submodule ({ name, ... }: { options = { subdomain = mkOption { type = types.str; + default = name; example = "dev"; description = '' Which subdomain, under config.networking.domain, to use @@ -72,7 +73,7 @@ let ''; }; }; - }; + }); in { imports = [ @@ -106,11 +107,9 @@ in port = 8080; }; dev = { - subdomain = "dev"; root = "/var/www/dev"; }; jellyfin = { - subdomain = "jellyfin"; port = 8096; extraConfig = { locations."/socket" = { From 6948424b81e41c4335c9ff13d95ce1534703d644 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 25 Dec 2023 19:42:20 +0100 Subject: [PATCH 048/169] nixos: services: remove redundant subdomains See previous commit for the defaults. --- modules/nixos/services/blog/default.nix | 1 - modules/nixos/services/calibre-web/default.nix | 1 - modules/nixos/services/drone/server/default.nix | 1 - modules/nixos/services/flood/default.nix | 1 - modules/nixos/services/gitea/default.nix | 2 -- modules/nixos/services/indexers/default.nix | 3 --- modules/nixos/services/jellyfin/default.nix | 1 - modules/nixos/services/lohr/default.nix | 1 - modules/nixos/services/matrix/default.nix | 4 ---- modules/nixos/services/miniflux/default.nix | 1 - modules/nixos/services/monitoring/default.nix | 1 - modules/nixos/services/navidrome/default.nix | 1 - modules/nixos/services/nginx/default.nix | 1 - modules/nixos/services/nix-cache/default.nix | 1 - modules/nixos/services/paperless/default.nix | 1 - modules/nixos/services/pirate/default.nix | 1 - modules/nixos/services/podgrab/default.nix | 1 - modules/nixos/services/sabnzbd/default.nix | 1 - modules/nixos/services/tandoor-recipes/default.nix | 1 - modules/nixos/services/transmission/default.nix | 1 - modules/nixos/services/vikunja/default.nix | 3 +-- modules/nixos/services/woodpecker/server/default.nix | 2 -- 22 files changed, 1 insertion(+), 30 deletions(-) 
diff --git a/modules/nixos/services/blog/default.nix b/modules/nixos/services/blog/default.nix index 38ada5e..3e68df2 100644 --- a/modules/nixos/services/blog/default.nix +++ b/modules/nixos/services/blog/default.nix @@ -5,7 +5,6 @@ let domain = config.networking.domain; makeHostInfo = subdomain: { - inherit subdomain; root = "/var/www/${subdomain}"; }; diff --git a/modules/nixos/services/calibre-web/default.nix b/modules/nixos/services/calibre-web/default.nix index fe53b7e..b7bf9df 100644 --- a/modules/nixos/services/calibre-web/default.nix +++ b/modules/nixos/services/calibre-web/default.nix @@ -42,7 +42,6 @@ in my.services.nginx.virtualHosts = { library = { - subdomain = "library"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index 2207765..a3a1e49 100644 --- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -47,7 +47,6 @@ in my.services.nginx.virtualHosts = { drone = { - subdomain = "drone"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/flood/default.nix b/modules/nixos/services/flood/default.nix index e227dde..155e73d 100644 --- a/modules/nixos/services/flood/default.nix +++ b/modules/nixos/services/flood/default.nix @@ -42,7 +42,6 @@ in my.services.nginx.virtualHosts = { flood = { - subdomain = "flood"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 4d5429e..4a8a3bb 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -119,12 +119,10 @@ in my.services.nginx.virtualHosts = { # Proxy to Gitea git = { - subdomain = "git"; inherit (cfg) port; }; # Redirect `gitea.` to actual forge subdomain gitea = { - subdomain = "gitea"; redirect = config.services.gitea.settings.server.ROOT_URL; }; }; 
diff --git a/modules/nixos/services/indexers/default.nix b/modules/nixos/services/indexers/default.nix index ff2d91c..8a42345 100644 --- a/modules/nixos/services/indexers/default.nix +++ b/modules/nixos/services/indexers/default.nix @@ -30,7 +30,6 @@ in my.services.nginx.virtualHosts = { jackett = { - subdomain = "jackett"; port = jackettPort; }; }; @@ -43,7 +42,6 @@ in my.services.nginx.virtualHosts = { nzbhydra = { - subdomain = "nzbhydra"; port = nzbhydraPort; }; }; @@ -56,7 +54,6 @@ in my.services.nginx.virtualHosts = { prowlarr = { - subdomain = "prowlarr"; port = prowlarrPort; }; }; diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix index 326dab3..9efe11e 100644 --- a/modules/nixos/services/jellyfin/default.nix +++ b/modules/nixos/services/jellyfin/default.nix @@ -19,7 +19,6 @@ in my.services.nginx.virtualHosts = { jellyfin = { - subdomain = "jellyfin"; port = 8096; extraConfig = { locations."/" = { diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix index af292cc..dd4eea8 100644 --- a/modules/nixos/services/lohr/default.nix +++ b/modules/nixos/services/lohr/default.nix @@ -100,7 +100,6 @@ in my.services.nginx.virtualHosts = { lohr = { - subdomain = "lohr"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index 3328747..bd2a017 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -120,7 +120,6 @@ in my.services.nginx.virtualHosts = { # Element Web app deployment chat = { - subdomain = "chat"; root = pkgs.element-web.override { conf = { default_server_config = { 
@@ -148,16 +147,13 @@ in }; # Dummy VHosts for port collision detection matrix-federation = { - subdomain = "matrix-federation"; port = federationPort.private; }; matrix-client = { - subdomain = "matrix-client"; port = clientPort.private; }; # Sliding sync matrix-sync = { - subdomain = "matrix-sync"; inherit (cfg.slidingSync) port; }; }; diff --git a/modules/nixos/services/miniflux/default.nix b/modules/nixos/services/miniflux/default.nix index 07eb6f8..5104c8b 100644 --- a/modules/nixos/services/miniflux/default.nix +++ b/modules/nixos/services/miniflux/default.nix @@ -45,7 +45,6 @@ in my.services.nginx.virtualHosts = { reader = { - subdomain = "reader"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/monitoring/default.nix b/modules/nixos/services/monitoring/default.nix index 2f23ff0..49919c1 100644 --- a/modules/nixos/services/monitoring/default.nix +++ b/modules/nixos/services/monitoring/default.nix @@ -127,7 +127,6 @@ in my.services.nginx.virtualHosts = { monitoring = { - subdomain = "monitoring"; inherit (cfg.grafana) port; }; }; diff --git a/modules/nixos/services/navidrome/default.nix b/modules/nixos/services/navidrome/default.nix index 92f9fd2..944a97a 100644 --- a/modules/nixos/services/navidrome/default.nix +++ b/modules/nixos/services/navidrome/default.nix @@ -49,7 +49,6 @@ in my.services.nginx.virtualHosts = { music = { - subdomain = "music"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index e916c9c..ae6c0dc 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix @@ -404,7 +404,6 @@ in my.services.nginx.virtualHosts = { login = { - subdomain = "login"; inherit (cfg.sso) port; }; }; diff --git a/modules/nixos/services/nix-cache/default.nix b/modules/nixos/services/nix-cache/default.nix index 5517a78..1ce3161 100644 --- a/modules/nixos/services/nix-cache/default.nix +++ b/modules/nixos/services/nix-cache/default.nix 
@@ -45,7 +45,6 @@ in my.services.nginx.virtualHosts = { cache = { - subdomain = "cache"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index 87a816a..c40e895 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -145,7 +145,6 @@ in my.services.nginx.virtualHosts = { paperless = { - subdomain = "paperless"; inherit (cfg) port; sso = { enable = true; diff --git a/modules/nixos/services/pirate/default.nix b/modules/nixos/services/pirate/default.nix index 88a2250..e500b54 100644 --- a/modules/nixos/services/pirate/default.nix +++ b/modules/nixos/services/pirate/default.nix @@ -23,7 +23,6 @@ let mkRedirection = service: { my.services.nginx.virtualHosts = { ${service} = { - subdomain = service; port = ports.${service}; }; }; diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix index e59b20d..5ceebb6 100644 --- a/modules/nixos/services/podgrab/default.nix +++ b/modules/nixos/services/podgrab/default.nix @@ -33,7 +33,6 @@ in my.services.nginx.virtualHosts = { podgrab = { - subdomain = "podgrab"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/sabnzbd/default.nix b/modules/nixos/services/sabnzbd/default.nix index 42058e7..9e0d9c3 100644 --- a/modules/nixos/services/sabnzbd/default.nix +++ b/modules/nixos/services/sabnzbd/default.nix @@ -20,7 +20,6 @@ in my.services.nginx.virtualHosts = { sabnzbd = { - subdomain = "sabnzbd"; inherit port; }; }; diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 353fac3..f5dc2db 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix @@ -72,7 +72,6 @@ in my.services.nginx.virtualHosts = { recipes = { - subdomain = "recipes"; inherit (cfg) port; }; }; 
diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix index ce7f9e6..aeb88b7 100644 --- a/modules/nixos/services/transmission/default.nix +++ b/modules/nixos/services/transmission/default.nix @@ -82,7 +82,6 @@ in # seems to have stalled my.services.nginx.virtualHosts = { transmission = { - subdomain = "transmission"; inherit (cfg) port; }; }; diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 425698d..9767d00 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix @@ -60,8 +60,7 @@ in # This is a weird setup my.services.nginx.virtualHosts = { - vikunja = { - inherit subdomain; + ${subdomain} = { # Serve the root for the web-ui root = config.services.vikunja.package-frontend; diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index b5ec0d8..f02a5c5 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -54,12 +54,10 @@ in my.services.nginx.virtualHosts = { woodpecker = { - subdomain = "woodpecker"; inherit (cfg) port; }; # I might want to be able to RPC from other hosts in the future woodpecker-rpc = { - subdomain = "woodpecker-rpc"; port = cfg.rpcPort; }; }; From 71ee178510edc5d66b07bd53b58ba85a7591bbfe Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 25 Dec 2023 19:43:44 +0100 Subject: [PATCH 049/169] nixos: services: nginx: fix SSO subdomain --- modules/nixos/services/nginx/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index ae6c0dc..7980ad9 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix 
@@ -403,7 +403,7 @@ in }; my.services.nginx.virtualHosts = { - login = { + ${cfg.sso.subdomain} = { inherit (cfg.sso) port; }; }; From 932717b7548ae5f7a7fdec3e7e2d78d0fca6ef68 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 26 Dec 2023 15:17:03 +0100 Subject: [PATCH 050/169] nixos: services: jellyfin: loosen umask I just noticed that all the metadata files Jellyfin stores have very restrictive ACLs. The whole point of the `media` group is to make my HTPC eco-system work together. In particular this should allow Sonarr and friends to delete folders without manual intervention. --- modules/nixos/services/jellyfin/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix index 9efe11e..f5aaa99 100644 --- a/modules/nixos/services/jellyfin/default.nix +++ b/modules/nixos/services/jellyfin/default.nix @@ -17,6 +17,13 @@ in # Set-up media group users.groups.media = { }; + systemd.services.jellyfin = { + serviceConfig = { + # Loose umask to make Jellyfin metadata more broadly readable + UMask = lib.mkForce "0002"; + }; + }; + my.services.nginx.virtualHosts = { jellyfin = { port = 8096; From 39eba647acacdf2bb2aafb00be694fa5c2e0726f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Jan 2024 14:15:42 +0000 Subject: [PATCH 051/169] hosts: nixos: aramis: home: use 'pinentry-qt' The GTK2 variant has been removed [1]. I may revise this in the future if [2] is merged (I'd like to try `pinentry-rofi` [3]). [1]: https://github.com/NixOS/nixpkgs/pull/270266 [2]: https://github.com/NixOS/nixpkgs/pull/277221 [3]: https://github.com/plattfot/pinentry-rofi --- hosts/nixos/aramis/home.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/nixos/aramis/home.nix b/hosts/nixos/aramis/home.nix index 66a0892..dfe9dbe 100644 --- a/hosts/nixos/aramis/home.nix +++ b/hosts/nixos/aramis/home.nix 
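Review bot: `UMask = lib.mkForce "0002";` in the new `systemd.services.jellyfin.serviceConfig` makes every file the unit creates group-writable and also world-readable, while the stated goal only needs members of `media` to modify and delete them. If no account outside that group has to read Jellyfin's files, `UMask = lib.mkForce "0007";` gives the group the same rights and keeps other local users out. The umask applies to everything the service writes, which presumably includes its own state (database, configuration) and not only media metadata, so the mode of that directory is worth checking after deployment. The comment should state the real intent, e.g. `# Group-writable umask so members of 'media' can modify and delete Jellyfin's metadata`. Whether the unit actually runs with group `media` is not visible in this hunk.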
@@ -2,7 +2,7 @@ { my.home = { # Use graphical pinentry - bitwarden.pinentry = "gtk2"; + bitwarden.pinentry = "qt"; # Ebook library calibre.enable = true; # Some amount of social life @@ -14,7 +14,7 @@ # Blue light filter gammastep.enable = true; # Use a small popup to enter passwords - gpg.pinentry = "gtk2"; + gpg.pinentry = "qt"; # Machine specific packages packages.additionalPackages = with pkgs; [ element-desktop # Matrix client From a93dc2935bd81f3583182c34e74231b4a1fb960f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Jan 2024 14:00:58 +0000 Subject: [PATCH 052/169] flake: add explicit 'systems' input --- flake.lock | 8 ++++++-- flake.nix | 10 ++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index adff398..ef07b15 100644 --- a/flake.lock +++ b/flake.lock @@ -86,7 +86,9 @@ }, "futils": { "inputs": { - "systems": "systems" + "systems": [ + "systems" + ] }, "locked": { "lastModified": 1701680307, @@ -214,7 +216,8 @@ "home-manager": "home-manager", "nixpkgs": "nixpkgs", "nur": "nur", - "pre-commit-hooks": "pre-commit-hooks" + "pre-commit-hooks": "pre-commit-hooks", + "systems": "systems" } }, "systems": { @@ -228,6 +231,7 @@ }, "original": { "owner": "nix-systems", + "ref": "main", "repo": "default", "type": "github" } diff --git a/flake.nix b/flake.nix index 8e46ea3..85fafbb 100644 --- a/flake.nix +++ b/flake.nix @@ -27,6 +27,9 @@ owner = "numtide"; repo = "flake-utils"; ref = "main"; + inputs = { + systems.follows = "systems"; + }; }; home-manager = { @@ -64,6 +67,13 @@ nixpkgs-stable.follows = "nixpkgs"; }; }; + + systems = { + type = "github"; + owner = "nix-systems"; + repo = "default"; + ref = "main"; + }; }; # Can't eta-reduce a flake outputs... From e02da7ec693b1a5f9e0119fed1f564ec01025c50 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Wed, 3 Jan 2024 14:05:46 +0000 Subject: [PATCH 053/169] flake: bump inputs --- flake.lock | 45 ++++++++++++++++++++++++--------------------- flake.nix | 1 + 2 files changed, 25 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index ef07b15..5e4a413 100644 --- a/flake.lock +++ b/flake.lock @@ -8,14 +8,17 @@ ], "nixpkgs": [ "nixpkgs" + ], + "systems": [ + "systems" ] }, "locked": { - "lastModified": 1701216516, - "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=", + "lastModified": 1703433843, + "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=", "owner": "ryantm", "repo": "agenix", - "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247", + "rev": "417caa847f9383e111d1397039c9d4337d024bf0", "type": "github" }, "original": { @@ -33,11 +36,11 @@ ] }, "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "type": "github" }, "original": { @@ -70,11 +73,11 @@ ] }, "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "lastModified": 1704152458, + "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", "type": "github" }, "original": { 
@@ -133,11 +136,11 @@ ] }, "locked": { - "lastModified": 1702538064, - "narHash": "sha256-At5GwJPu2tzvS9dllhBoZmqK6lkkh/sOp2YefWRlaL8=", + "lastModified": 1704276313, + "narHash": "sha256-4eD4RaAKHLj0ztw5pQcNFs3hGpxrsYb0e9Qir+Ute+w=", "owner": "nix-community", "repo": "home-manager", - "rev": "0e2e443ff24f9d75925e91b89d1da44b863734af", + "rev": "4d8f90205c6c90be2e81d94d0e5eedf71c1ba34e", "type": "github" }, "original": { @@ -149,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1702312524, - "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", + "lastModified": 1703961334, + "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a9bf124c46ef298113270b1f84a164865987a91c", + "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", "type": "github" }, "original": { @@ -165,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1702558663, - "narHash": "sha256-MHq/DdwsBwsTRqwFg1JuFtcoGArgvaH/XwbxgWQ4Zn0=", + "lastModified": 1704289500, + "narHash": "sha256-SMoojjdEMgf6GtPh5vzofdeev4nyM+vBi2J6Z/Sufco=", "owner": "nix-community", "repo": "NUR", - "rev": "b839a2bae27c0c14dd99dcc1f6d18f83b0af59bd", + "rev": "a18213c74e43dd6e941c41d77382377938c77caf", "type": "github" }, "original": { @@ -194,11 +197,11 @@ ] }, "locked": { - "lastModified": 1702456155, - "narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=", + "lastModified": 1703939133, + "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "007a45d064c1c32d04e1b8a0de5ef00984c419bc", + "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 85fafbb..9c29183 100644 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,7 @@ inputs = { home-manager.follows = "home-manager"; nixpkgs.follows = "nixpkgs"; + systems.follows = "systems"; }; }; From bddcab110d2e85679b10ba6f7b058ac18e79bced Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Wed, 3 Jan 2024 15:58:34 +0000 Subject: [PATCH 054/169] pkgs: matrix-notifier: 0.3.0 -> 0.4.0 --- pkgs/matrix-notifier/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/matrix-notifier/default.nix b/pkgs/matrix-notifier/default.nix index a96cb61..aba093f 100644 --- a/pkgs/matrix-notifier/default.nix +++ b/pkgs/matrix-notifier/default.nix @@ -1,13 +1,13 @@ { lib, curl, jq, fetchFromGitHub, makeWrapper, pandoc, stdenvNoCC }: stdenvNoCC.mkDerivation rec { pname = "matrix-notifier"; - version = "0.3.0"; + version = "0.4.0"; src = fetchFromGitHub { owner = "ambroisie"; repo = "matrix-notifier"; rev = "v${version}"; - hash = "sha256-NE9RO0ep2ibrT9EUPGTnUE3ofdNTCHwelxnX9tCflg0="; + hash = "sha256-6KHteQx0bHodpNp7cuUIGM7uBRPaj386n2t5yz6umpY="; }; nativeBuildInputs = [ From 9546c00124edd4723ab1188d16c53ed3097b2d43 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Jan 2024 10:59:45 +0000 Subject: [PATCH 055/169] home: vim: ftdetect: fix obsolete comment --- modules/home/vim/ftdetect/automake.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/vim/ftdetect/automake.lua b/modules/home/vim/ftdetect/automake.lua index cfa15d2..68a30ed 100644 --- a/modules/home/vim/ftdetect/automake.lua +++ b/modules/home/vim/ftdetect/automake.lua @@ -1,4 +1,4 @@ --- Use Automake filetype for `local.am` files, explicit `set` to force override +-- Use Automake filetype for `local.am` files vim.filetype.add({ filename = { ["local.am"] = "automake", From b8b64bed8e4b3d8d109e7dcf38f69a4242142ec3 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 5 Jan 2024 10:59:58 +0000 Subject: [PATCH 056/169] home: vim: ftdetect: add glsl --- modules/home/vim/ftdetect/glsl.lua | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 modules/home/vim/ftdetect/glsl.lua diff --git a/modules/home/vim/ftdetect/glsl.lua b/modules/home/vim/ftdetect/glsl.lua new file mode 100644 index 0000000..2f4f1dd 
--- /dev/null +++ b/modules/home/vim/ftdetect/glsl.lua @@ -0,0 +1,7 @@ +-- Use GLSL filetype for common shader file extensions +vim.filetype.add({ + extension = { + frag = "glsl", + vert = "glsl", + }, +}) From e4f8214cb2edcb7edc188550bc1242ae79c377e6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Jan 2024 23:36:14 +0100 Subject: [PATCH 057/169] modules: services: nextcloud: bump to 28 --- modules/nixos/services/nextcloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index 65b7234..4c0e6a8 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -31,7 +31,7 @@ in config = lib.mkIf cfg.enable { services.nextcloud = { enable = true; - package = pkgs.nextcloud27; + package = pkgs.nextcloud28; hostName = "nextcloud.${config.networking.domain}"; home = "/var/lib/nextcloud"; maxUploadSize = cfg.maxSize; From 10a30551361cc81dfe7bc20590897713f053eff6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 3 Jan 2024 23:36:59 +0100 Subject: [PATCH 058/169] nixos: services: nextcloud: fix deprecated option --- modules/nixos/services/nextcloud/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index 4c0e6a8..a962d12 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -41,6 +41,9 @@ in adminpassFile = cfg.passwordFile; dbtype = "pgsql"; dbhost = "/run/postgresql"; + }; + + extraOptions = { overwriteProtocol = "https"; # Nginx only allows SSL }; From 136bd342ff03526eccab877809087b249b0f339b Mon Sep 17 00:00:00 2001 
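Review bot: In patch 058's `modules/nixos/services/nextcloud/default.nix` hunk (`@@ -41,6 +41,9 @@`), the key moved under `extraOptions` keeps the camelCase spelling `overwriteProtocol`, which was the name of the NixOS option it replaces rather than of the Nextcloud setting. If `extraOptions` is written into `config.php` as given (it looks freeform, so the misspelling would presumably evaluate without an error), Nextcloud would ignore the key and might build `http://` links behind the TLS-only nginx. The line should read `overwriteprotocol = "https"; # Nginx only allows SSL`; patch 061 later in this series makes that correction. The enclosing `services.nextcloud` block continues outside the hunk.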
From: Bruno BELANYI Date: Wed, 3 Jan 2024 23:37:27 +0100 Subject: [PATCH 059/169] nixos: services: matrix: fix deprecated option --- modules/nixos/services/matrix/default.nix | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index bd2a017..b958f76 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -104,17 +104,17 @@ in extraConfigFiles = [ cfg.mailConfigFile ] ++ lib.optional (cfg.secretFile != null) cfg.secretFile; + }; - sliding-sync = { - enable = true; + services.matrix-sliding-sync = { + enable = true; - settings = { - SYNCV3_SERVER = "https://${matrixDomain}"; - SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}"; - }; - - environmentFile = cfg.slidingSync.secretFile; + settings = { + SYNCV3_SERVER = "https://${matrixDomain}"; + SYNCV3_BINDADDR = "127.0.0.1:${toString cfg.slidingSync.port}"; }; + + environmentFile = cfg.slidingSync.secretFile; }; my.services.nginx.virtualHosts = { @@ -181,7 +181,7 @@ in # Sliding sync "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://${config.services.matrix-synapse.sliding-sync.settings.SYNCV3_BINDADDR}"; + proxyPass = "http://${config.services.matrix-sliding-sync.settings.SYNCV3_BINDADDR}"; }; }; From a5c57333cf2c26c2746d4f109d72f484fd873e5e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 15 Jan 2024 10:14:35 +0000 Subject: [PATCH 060/169] hosts: homes: bazin: fix typo --- hosts/homes/ambroisie@bazin/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix index 4490c51..a969d8a 100644 --- a/hosts/homes/ambroisie@bazin/default.nix +++ b/hosts/homes/ambroisie@bazin/default.nix 
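Review bot: In patch 059's `modules/nixos/services/matrix/default.nix` hunks, the nginx `proxyPass` is built as plain `http://` from `SYNCV3_BINDADDR`, so that hop stays local only while the setting is a loopback address, and nothing in the new `services.matrix-sliding-sync` block says so. A comment on the setting would keep a later edit from widening the listener, e.g. `# Loopback only: nginx is the sole entry point and proxies over plain HTTP`. Both the service block's surroundings and the `locations` attribute set are only partly visible in these hunks.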
@@ -1,4 +1,4 @@ -# Google Cloudtop configuration +# Google Laptop configuration { lib, pkgs, ... }: { services.gpg-agent.enable = lib.mkForce false; From 629ec539c912bb3a35d7e90e8cbbdf8390338ccc Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 15 Jan 2024 16:50:38 +0000 Subject: [PATCH 061/169] nixos: services: nextcloud: fix typo --- modules/nixos/services/nextcloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index a962d12..f2ac8e3 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -44,7 +44,7 @@ in }; extraOptions = { - overwriteProtocol = "https"; # Nginx only allows SSL + overwriteprotocol = "https"; # Nginx only allows SSL }; notify_push = { From dca6a9018bd0007426d3f95bda3ebd5b0a55880b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 16 Jan 2024 17:17:43 +0000 Subject: [PATCH 062/169] home: vim: ftdetect: add gn --- modules/home/vim/ftdetect/gn.lua | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 modules/home/vim/ftdetect/gn.lua diff --git a/modules/home/vim/ftdetect/gn.lua b/modules/home/vim/ftdetect/gn.lua new file mode 100644 index 0000000..37d772e --- /dev/null +++ b/modules/home/vim/ftdetect/gn.lua @@ -0,0 +1,7 @@ +-- Use GN filetype for Chromium Generate Ninja files +vim.filetype.add({ + extension = { + gn = "gn", + gni = "gn", + }, +}) From 13f20a28eb765b0daef11ec5af5ac3dffb46885e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 16 Jan 2024 17:25:41 +0000 Subject: [PATCH 063/169] home: vim: add gn ftplugin --- modules/home/vim/after/ftplugin/gn.vim | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 modules/home/vim/after/ftplugin/gn.vim diff --git a/modules/home/vim/after/ftplugin/gn.vim b/modules/home/vim/after/ftplugin/gn.vim new file mode 100644 index 0000000..0cec9df --- /dev/null 
+++ b/modules/home/vim/after/ftplugin/gn.vim @@ -0,0 +1,6 @@ +" Create the `b:undo_ftplugin` variable if it doesn't exist +call ftplugined#check_undo_ft() + +" Set comment string, as it seems that no official GN support exists upstream +setlocal commentstring=#\ %s +let b:undo_ftplugin.='|setlocal commentstring<' From 309c344a3431d710e73ca6fc92890c46afc48591 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 22 Jan 2024 17:50:38 +0100 Subject: [PATCH 064/169] flake: bump inputs --- flake.lock | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index 5e4a413..acf6c48 100644 --- a/flake.lock +++ b/flake.lock @@ -53,11 +53,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", "type": "github" }, "original": { @@ -94,11 +94,11 @@ ] }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { 
@@ -116,11 +116,11 @@ ] }, "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "lastModified": 1703887061, + "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1704276313, - "narHash": "sha256-4eD4RaAKHLj0ztw5pQcNFs3hGpxrsYb0e9Qir+Ute+w=", + "lastModified": 1705879479, + "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", "owner": "nix-community", "repo": "home-manager", - "rev": "4d8f90205c6c90be2e81d94d0e5eedf71c1ba34e", + "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1704289500, - "narHash": "sha256-SMoojjdEMgf6GtPh5vzofdeev4nyM+vBi2J6Z/Sufco=", + "lastModified": 1705927265, + "narHash": "sha256-eUUIBb3qYMrQB0ONGEj2kzKN8yzqwDmR4+Ct5/dvJcs=", "owner": "nix-community", "repo": "NUR", - "rev": "a18213c74e43dd6e941c41d77382377938c77caf", + "rev": "a29c6f71063d0ce903e927fa7885651c00abd33b", "type": "github" }, "original": { 
@@ -197,11 +197,11 @@ ] }, "locked": { - "lastModified": 1703939133, - "narHash": "sha256-Gxe+mfOT6bL7wLC/tuT2F+V+Sb44jNr8YsJ3cyIl4Mo=", + "lastModified": 1705757126, + "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "9d3d7e18c6bc4473d7520200d4ddab12f8402d38", + "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc", "type": "github" }, "original": { From b33938e8251a17e298ea5fb36c575dcf0eb0df6c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 22 Jan 2024 16:57:18 +0000 Subject: [PATCH 065/169] nixos: services: paperless: rename settings option --- modules/nixos/services/paperless/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index c40e895..f528ad7 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -52,7 +52,7 @@ in mediaDir = lib.mkIf (cfg.documentPath != null) cfg.documentPath; - extraConfig = + settings = let paperlessDomain = "paperless.${config.networking.domain}"; in From 5cb67cf040c8defbbbc03daf57f89a741c828ce5 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Fri, 26 Jan 2024 23:25:59 +0100 Subject: [PATCH 066/169] hosts: nixos: porthos: secrets: rekey secrets Some of the secrets were using an invalid format due to (probably?) being encrypted with a beta version of `age`. I didn't need to rekey *all* the secrets, but I might as well --- hosts/nixos/porthos/secrets/acme/dns-key.age | 16 +++++++--------- .../porthos/secrets/backup/credentials.age | Bin 453 -> 409 bytes .../nixos/porthos/secrets/backup/password.age | 13 ++++++------- hosts/nixos/porthos/secrets/drone/gitea.age | Bin 575 -> 494 bytes hosts/nixos/porthos/secrets/drone/secret.age | 14 ++++++-------- .../porthos/secrets/drone/ssh/private-key.age | Bin 3799 -> 3703 bytes .../porthos/secrets/gitea/mail-password.age | 14 ++++++-------- hosts/nixos/porthos/secrets/lohr/secret.age | Bin 438 -> 367 bytes hosts/nixos/porthos/secrets/lohr/ssh-key.age | Bin 839 -> 733 bytes hosts/nixos/porthos/secrets/matrix/mail.age | 16 ++++++++-------- hosts/nixos/porthos/secrets/matrix/secret.age | Bin 478 -> 417 bytes .../secrets/matrix/sliding-sync-secret.age | 15 +++++++-------- .../porthos/secrets/miniflux/credentials.age | Bin 477 -> 395 bytes .../porthos/secrets/monitoring/password.age | 17 ++++++++--------- .../porthos/secrets/monitoring/secret-key.age | Bin 507 -> 355 bytes .../porthos/secrets/nextcloud/password.age | Bin 440 -> 355 bytes .../porthos/secrets/nix-cache/cache-key.age | Bin 501 -> 428 bytes .../porthos/secrets/paperless/password.age | 16 +++++++--------- .../porthos/secrets/paperless/secret-key.age | 15 ++++++--------- .../porthos/secrets/podgrab/password.age | 14 ++++++-------- .../secrets/sso/ambroisie/password-hash.age | Bin 459 -> 383 bytes .../secrets/sso/ambroisie/totp-secret.age | Bin 442 -> 375 bytes hosts/nixos/porthos/secrets/sso/auth-key.age | Bin 483 -> 451 bytes .../secrets/tandoor-recipes/secret-key.age | Bin 496 -> 398 bytes .../secrets/transmission/credentials.age | 16 +++++++--------- 
hosts/nixos/porthos/secrets/vikunja/mail.age | Bin 740 -> 579 bytes .../porthos/secrets/wireguard/private-key.age | 16 +++++++--------- .../porthos/secrets/woodpecker/gitea.age | Bin 543 -> 464 bytes .../porthos/secrets/woodpecker/secret.age | 15 ++++++--------- .../secrets/woodpecker/ssh/private-key.age | Bin 3799 -> 3703 bytes 30 files changed, 87 insertions(+), 110 deletions(-) diff --git a/hosts/nixos/porthos/secrets/acme/dns-key.age b/hosts/nixos/porthos/secrets/acme/dns-key.age index 97d397c..fce2a84 100644 --- a/hosts/nixos/porthos/secrets/acme/dns-key.age +++ b/hosts/nixos/porthos/secrets/acme/dns-key.age @@ -1,10 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg 0bz3W8QcGaulxy+kDmM717jTthQpFOCwV9HkenFJEyo -NKeh1/JkX4WAWbOjUeKLMbsyCevnDf3a70FfYUav26c --> ssh-ed25519 jPowng Q59ybJMMteOSB6hZ5m6UPP0N2p8jrDSu5vBYwPgGcRw -j420on2jSsfMsv4MDtiOTMIFjaXV7sIsrS+g4iab+68 --> z}.q-grease s2W ssh-ed25519 cKojmg bQFr9oAnbo1rI/MpUV8wQz/Xj7iZY4ZU+Swf0nSIQFw +zama2XJ0gdvUlD2GHMhmZqHSxHe+dKSfXnHoWDcSw7Y +-> ssh-ed25519 jPowng gitUwSKTNKWLSxnwa185O7x/u0ul93g8wPESdZaKRk8 +uvBIfAUkZp5sg6rfeEGvL5ZDV8m2uSEotW02kjPN3Hw +--- SZxe5f/CUZBvPQa2Sz/UBY3L68rMkIGGRuZPk7YE+Vg +¾r ú&…¥‹{~v?¨}=Ä +}+ ¿SQ’M[²]Œ±k MÒAàtŒÃmMë/£µLsü|Þ…m©CÀñiYC}ƒŽ‡çxŽ€ \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/backup/credentials.age b/hosts/nixos/porthos/secrets/backup/credentials.age index b8ea008eda49f6750b99423cfb329a69e2012b89..63f0d32c783d7ab230a0a3f156d80a92a69d5621 100644 GIT binary patch delta 374 zcmX@gJd=5XPQ7Pnp;?Z;yJ3jAONNW1pK*ASTbOoIL{3CeQd*_Cub+Xoe}s2Zj=5Ks zBUf5PsY_m^L9S<_e_@45sKv`*ck#j|%c~O?LTZD6}c6vmjfn#}Cs8gr~ms7x# z=c%tYOXM3YPZV4~d27+C6?L26Jz67RmDlxl!nsA~rZAfqGQ1ABk?9^K(#gC~XMxr< zjeOzhjkDP-_opxW_ABYXb+gm&LppaklEgO}RyrCubr*bR&(P3#Xjh?N_WpSm2W!@X XufN+AGps__uzBhkEfnRl*nJ%U8{LQ& delta 419 zcmbQqe3W^DPJLvKOKFy6dAXB!u!l!kpnpbMNv2_9hNWp)g-e)ml8>vlyK9b9c4df@ z0hf2NZ)J+HkBNI?V4^{)OJG5l1V^nLA`Nea;0xpxpPuZX{l>Ksi#?_ zf1tjBiK$yYSAb<yijiStR-V3TZcct#eo=U(nL(Bb z$hvs5oSI_Y^rF#PG<_ zOk?BvTvtzTw`8}Zf{YxOsM6d#r&7y^q%7?$LyMHaB-fk@!!iplW0hQuAB|5Ag?LMD zlzg{+N~&YjBX+x#JbrO2-L;qAHZ7ItIGUk1TcdwlsMIFKqBj+sF2-NlO>S5k*PYm% zR?YXPd6v(PbKL)qEk1n1?%w^lve`M)7oO9#ZF#$1=E>p-CqvaA?beXj*(#=N&9r2d P$H!w1e7>qRr ssh-ed25519 cKojmg dgS4bezgtDi44R1A8am+J6zh80kUVYTo1heaxJCtzX4 -F3w/62xwtqYa40NU7OvF9pnZzYz/5hACAGJfMA4e2zw --> ssh-ed25519 jPowng lx81CK3yeNp9RjHCUFJeKYZlRzxBmXuADVBvRc13zCI -P7e75t8xU+ZkYmeQ8mmMfyZZsRdG1J8yrvSUkiWzkFQ --> *z4/`-grease S/)a{e sFd";= ---- 15FVhqRTkoPFEeETRRyFQhsv4Fn19Ozlax0u8Zy9mNA -õ#+¥àÎvøSÈ4èá}§Rì%‹Î¯F4fnDœ˜J¹¤Z‹¸A¥Û™,_ \ No newline at end of file +-> ssh-ed25519 cKojmg O3DMSSPQP9/ehXmzs0xcCGllu7VSzhd6b4Pii8t2vWQ +Ys1nMv2384elWWGW9C8HabvwUeWu52VsQpxx9L/4/dM +-> ssh-ed25519 jPowng ft/9SX5fpG7+7gHMubaFtb+50/gfNgmaofOVq5UjRUE +xMwdFjFdkH0Li+PikaFt0WAZbFUu5daHgkfN8aQQumo +--- 7DVINvXIXdE1MRwIkeajonYsy1cp4HugCxfTeub5SXU +<¥ö¡Ãñ<ýØ{VÇ?ñfk/¤áI®"ï×/5K"Џ(ì¢ùiÃÔôìñ \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/drone/gitea.age b/hosts/nixos/porthos/secrets/drone/gitea.age index 90ff83b15b50479b8c0c7a0c174ef6410a8907cb..6b68503af75d0ecf3778dac866e0b86258b1fbea 100644 GIT binary patch delta 467 zcmdnb@{W0eYJIYIepYU}La;@kfu);oikU~2wr6>Ec|?SPNxrGSk#T6HkF#HSS%`Z| zUR7yHW`vV3muXJ6w{fC(UbaO*rcarhQDj(lqGM{ReqM=rzE`22c9x@=bBcM6V@09~ zm#&>cadC!jYKoDmsiCDpRzQAvUb=!|U`DnpQGI@4cDY|to_C;!fp3nJvxQMa zQIeBWsHb6(Q5;`h_2-t~SPs`SEGS1^mV(GbL`O#@9bS;>5coMSsJ53Gcnz zgR5#cbleUO+IV;VUKx?=*0+A_)emI8X<)xK9(zYi=-d?c;x}#irJ>h z5vzjd==HArds}RO$MWe*^w&)Z&pdqho}#%({n4zP6DGm%Fxio<~VhiK(M;sG+BGNI`INYQC$sn^$m_S%zbhNp4nwkxO=(OL&n1 zm#&>cadC!jYKoDmsiCDpvUh$~Zn}bVL{YJGg;zzmU%h8WSy_2xR+M2;QE+5PxsRW3 zka2c+NMY4r!NV0p0NlucRS7vCac21D7W1*i( zq(y*diAy%fx&qzwqSVCVR0VSd$3XvT7muneg)9{(HEo5IWUfH-s*Fmr4F9xj*9^0W z^hm#YkH8`iCQ_;)0twHduZ zB2u>B{JZu%w<-Us(Uaxy{206BXT2S!4^EbBTh#yJ_`efXIjbjUc5iff@ZPh!)Us7$ z#kXZSksh4osje}bWV=M&;-_pj{JU5ByXOa!ofoYy{;OQcY&nB*{vB13psOhh)xK^j tSTG^;n1Pg(-0a-P`!`>3Vr}2WamMHj*J3+S5jiPgt#`ivjq>OG1puG-(}n;5 diff --git a/hosts/nixos/porthos/secrets/drone/secret.age b/hosts/nixos/porthos/secrets/drone/secret.age index c529200..d6e7330 100644 --- a/hosts/nixos/porthos/secrets/drone/secret.age +++ b/hosts/nixos/porthos/secrets/drone/secret.age 
@@ -1,9 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg 1+cLlzctgcM0FnVDwMPOAqBkvMcDBRg8SvCw4djI93Y -oV2XI4f1AvM9P591kZZ6NgJXa+SDtqGzCSgc4psOmxM --> ssh-ed25519 jPowng Ufjfh1p350XxRPg95+/DHdmnl4lC0bbzUUlaxd1Bmxc -/RHwFDSn2ov+60r1uHUigrsn99+GmmKmlk4h4T2gbA0 --> *Lc$@-grease -pzVJAHy1qRq3jUrnFV0DDO7/hwV1US4Ogf0RsrVfX0xzbr73uJ003YjieVB25LqN ---- ME7/iVevyiguyhXugbkVFGzJV0yDccyKNlWbEZa/FmY -YžŠXjb2uþnd;i0íýX]…§é0–þjé’L„PÔT~óú ƒÙ^kc”$D×ÚÛr¹úu³¶fr€e¸OÕ¸þ+p•¨&ãw®öϨ \ No newline at end of file +-> ssh-ed25519 cKojmg 0J8FMcVRf78LYG+dTOFzu3luXwhOjdOg0sx4Jxdccj4 +tdrCcfcYbTZYhL18RG3goiqtyhu3NTn+fJhdIAnU5uA +-> ssh-ed25519 jPowng qlF8nkSEg5fZgai0VP5eTSlZOHyj5IcalTf+QNWITVo +O5aiZX0AJD76ixsu6i9xnnFBQANdsu3h6XzdTQ6KtKU +--- ByMQt9bnbzd8YO0Y93FIYF/lmdbYcOydkYdKxpRQujM ++Ü¢6JNmÑq¶Ý[ Eb1p)vD¾¿öPL9’Í€zåÒùªìÔ!¿€»ß‡…'‡TéaíÚd5©U: [¿Ød¿ÏR“×M’pŽñzj“ \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/drone/ssh/private-key.age b/hosts/nixos/porthos/secrets/drone/ssh/private-key.age index 0211701ba0ee3d8ef341b6d69d70ccaa25b8379b..737777dfa116dbe553768de3ade7df9d423661ec 100644 GIT binary patch literal 3703 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn_Ri1BO;<3qFz_-> z^6@MWG&IRA2?%y~$xq5iH+4@6H%W>JNz2I!Dm5zeaxx6ah~&!jOQ|rAaJ0xXGRiJX z4fYC5iwY|94l>UO^fYiuHqrM9)Xz@$PD=_;^hCEUD9so89*#`RNbVKRg!Xla^@sJi&rHl6fO{(|V3Wp0kB+ z3#8=xhUj+JyKP{}`5l?DJUeagy%pUlKOKTMP5b$_MVQ}Md)=A3MhmyurYsGa{@TvF zpY9jFKil`tb@%WEJ9~eJ9H>0`-0S2c7VW9`AL~fAyg!o0_gv7^`4LNs@4k5WgPrmcf|W5UMOu@b0WIFpoKC2&8B@?ec3y!p4ZK%PlerdDr{O)BmK7!i%D~wLQufI(xcHZkgZPS5cQV z-S5t^s2vq5)BUxU%!$a`cWj-r;I+bsJ65#)-1AkxzqBPY_I9mEKRf#*zar^ty$ZMP zmz?_co}poacA0q4w2d5c6IY+Jy;=TcT72LdZk3DIGcp&pn22ZhDi>_{Hgi{h)QZaJ zRon&hGbYVEddTzv@7*~sqLx>?bw#{5c2+R3AxJ+=Ju}E`@%pNN8^crI9^q}-x`!h7R+MMZAyBb$+OPb-~&4fV_wh+uifL+%;u*=AQmBDaUU6QMtHzlFBQt zCv!aZH%qr%I%kpf<@0hvkE@dAd^27xmEwNzis9@9@6R#+wq5?>^300FUtLEcO>)-G z54ofuR%CX6nbB-}-hV7==2hN>H>N5-Qc^0*UuC3vE1cobjrltxKiD4LKljG6CuXbn zwXLgCH7R7Z4VAv47V9x%YH*AnIi` zEsD^~<&KXPartxZRQ1;h=@WK7EST`YNhwHAI+OF}l}#7l?w*+NVDF#D)4AV9Nllu6 zZtvoNA19to=nwU_kd5U1p0@8Eqff{A#es{~ZDek3S?Hb0+7$5j@qUSe?woSLiywWu zvUU0IYr+%X844e`)qA5vaf$x17Yn&-RS(})Pj%(J;CN-?vFb1Bw}l>CSWEjnFj~<5 zN;Ov{Q&KvH?VIUr{WX(%jW;}5T|GBeiM4W;c;1Y2?^#XwmMBg6l)B_#=H|G}-qfAyX}m$gql-1S~Mt5K$Fk@0tyM=MxgEoG>^l|29Ws;up)lC0f2 zKOIYV3)Pu%tTaf8@OmP2ZT{pd2cp-R^ow6z%zvo%b6M<+(~i}A*5%*Rr36kUFFFt$ zdf=AHrOT(+@B2`CZQbU7j?H^oPWu-{L^<5L?VA;!p|bh+{(JA%`*(K~1v-W{&1!V` zG^HW$jLhm2hKs#FsQUexRM(v1{VKL%)ts&R^16Y+=H3OyB0KM$m1nd_sbRhE5Sn(M zfBvFNA^Ufko#OcKn5lR%P}{VUzc}FCvvXBH^XhX}8pN=(oa(HeB~v2*`O4mxFQdLM zdOhuZr{`Qf>s?hhelOSK_;hDYjN+-Iou7qPE$6x*m-@&#^QFbvKgX2$WA2=}XS6WM zn7c~a>7>`p%6D6&c-(8&ox8O%WhwtA9)*Rsj!m^Y#>=s-%wlt|f@gzIp{|-6EWA}G|krYYRDh%lFv$l&7Hh%0}ns8WZ$v$ttE|Dj3d&@6; zc(wQ6&2Kw6B1Ga=*?tn<7;HAp(&t2$o_}5NHh~{=BfQN_XFaa@y~{aD{HFHZQvHgM z)om^JRHruqdxR>ForK(ec`iNZfak`@)t!F 
zn_qu;C^oe$Ve6+_@j#{DZ@aACKNB)l5dKssyl0{yNAK=~LTzy!`+m6e-Kk-#*RU&?Gpw&|pcI(N&9-huh{&JaLHo^a?-k?dQTw1$HG# zGJ9Y1RLcuBIJ+YG?PHFU@h@sGMf~<&qov-&7QLWuX@HX2?=71*%w>3||K!}M4Aq46 zd5yo=&n>g&xG!n=TC?jy^dZAr&vH0Kaw9AS+g_dZH2k;ybJB|S@rNs`;-s~G76?2z zc;?ox?N6SnEOJmz5V-kgOYFLD;(H!FZT{kSnYU$XMpmr3+_G$w{eS*xKC|DsWX;r< z+I8=>8#K@7s~-*CBQb0D``cS3`2T4AI=0AtKS%u3KWW#d?KgI0X;zgjeRg>h*Oixo z4a+4aEUNu)a{Kq^pVnrxWwoT$r$`1GduU3}(n~d4*dRVtMV-mMyj5tz(|JDLg6(~_ zX?3O-AM!2gb@!NdRlsRka%DyB$~_Cy>!zE(xVB!2KeP2$O7pb$Z`GehO)L`f+_!wi z&jouzcHi7wl;r&=X#d2+?Nh)_&-zeFjbM?ypvZz&4^Z#Dg)l@M$z_+z*f#x>x zAnA-7mv>%SnIh{{lA>OFpOUxkFuLmU&Hc8h;%@J{)5#IHnK$OWQeyh9 zWw+|s*@~BEQ#xjyxVL_K+q zZ#|OuK6vZuFLhInxRkJL+bNi?f5-J~uW5nt%q{9`-L?J(Eh&_~^0m01qf5))Ou$Yu z(D|v_B!S~6o6pX%{iC8Ktk^&MYI5(Kn~y$Rxo^j_W!p>s%eTw7*gZ4azTnmTtnd2+ z^G?<`$jK{sP1vwzKU3T!h7wh+?Txq2&wl@V`=do!dv%R1UVN+gt-ODC+iIP?E0pI4 zEvTK9l6Gvy>2t~XyR5eUnw@m@#dRj*cFl|NdnO+c;5K%gw!}(_x$(*4P@#tt-ZZS5 z%)8#~<#OhneCdM93Eve2E=fL6UOIzqQM7@~!lQEU-L|GxmcL#UaoHo~a@q5v5^n0O zVaGRYTQcwe!eSAZuNsqdmwi8H^25j4aAJMn@>5d&k6%og_P6iRo>g0`(&fDTVF^2+@Nm#$X)Wbm9pjaegB>~5wV*lI}JYs9GEQT8nAuh*7D-2w;VG&H=bU7)I-rza-Z;r za+b1${YDp`*mz|-Z8O_+Xq$QYt;@p7CzKq|t=Yl7?!%&hOW#6HTL~6y4`j7*>|CpA zbJDM4vh%e5Z#&js{*qVoE?;oJ>x04smAf?_K}zoWjwM?-kFasQ-u&yKheE-OV_7fP zY@NFPO3bVa?S^@)9Jb8#EIGM49^X+EI>n$!hIdh+~T;sOse4)2`?n?7)-xvQDy)RdpV>P)aYq^OFqlE#pQH$z> zS=ZTR;urfLW?OJ<_S>|BbD2^kzv|!9NbJy?-aB3DmP*B1&JUI*SKOXBTm2}Cn|!x= zcgB~GwZb#fBh<6F|6flk)2cHmTy%=}sNpP`kIz3G`d}Wj$3!8Khq;;6D>Q@K>*}Lf zvWEH{C3RNPJs(N_EbX`@1buzOOg0W?jOyi{HS&+#`724CBMI zXCCj+nlGg#ckewn@BHwm@}IT+;u>Ct9$7VGhM1;PW}Iwyc%ik;vuhJp@m~J5yl*>K z=~1~W%agvDIL+vM-(UQ|OHp$3?OC@B{XAK+mE1nPd+749lvAneugo<@o6^nlcWx|_ znR4>fnwE?IRTbv{(mJwn_j6l!^SV1<996n*ul_t`gMIS4^rV-8XJ5~hyL3jXVum1(|>U{njHhk8pvtYf=G$Dhw z?#+b>7cQ6N-Pb)HzCGdkZl*~$*`1a4wB)^UVhj{r8C3td<>kR8C28zE>Fif}C(JiL n#{NMvHgj&iMaP@c3%;t(nPc}*Rbj)*&2-45? 
zt$}K!Jt=vC5xwJIW zA|k`2FfTVh!ptQ@Kg1nMm~MJeYGQG!LVTr>LU~SJgonL}f|{R~t%47i zuTO=UkCS(1s;R4!M{bIDZc2V+MpAKpl!u|CpIMcUaam5TV^ErRS&nbENkv*vWk5<; zepp^|kcE-AYd}>lm#(g^LXd?~nR`)WzGJ3&MqX;Fe@I1;WkF!6nY&M+ziEzJc$sUk zn`LpaftPt8*MVa{E@+%JKU2KHS^m_5%||zQ+rRbaOg>X{_QmSIrWLO5UFA-5ewp!) zOSUxdeO!O3NZE|HhgF(a%uR4S^y^miX_>(81G^Qr{f;d;`E1?RdpiFwWGnh7Ik?^b zA7v8hwmQ0f%F*Rsd=ghVa?P9$OxSnP;KuPCEw3#;>xx?5SikVx7T*ekph=ADtS4~Z zm@#RKQbNz+i-%r*opJY{hDwJ`(}tv~n+*aL7cVq=nU-)u;2o$>Y^_xHqCU%njTxvV#L z$-CKi&g%5PmY){KuuP$l0hj~oKM@6Ir&!WrZZ=xDL&ccq58q`$HUlI`4vV{jc3Ca zyFc#{-0;lLuHcDJmf^wGXH3E^j@|5>E_i1(ukpb^VX1%}0`K4T-&_3t+(n*~Z=)ht z-l*kS>QsK-T%UQ}#VHy0ABRbwMY4{ulX| zDG9711~R9oZsXgc_O+HjIrz|a=QfMm-oi_j~>BZT__>%&v0J^c(V(dQ(}JtXUYoZV4kVd#>D!z_qN~1i5}1 zCa}!d!Lf+lFwt6(FWP>4{-=9qR&8_<_cXJd=$N)M{)@j#WkY-;~-%VQlvpG}G9 z%oYqkb^rde_D{3=QY}-I7%bPDZiu|MC1B|lwWYT2rmxz$t0i+s{F3jk(V4T2qE4Q? zS-=`SeYRqO_SeXJ7x)%P3!JF?xaTCd{yGiUzBghMV}8B+zbZqn$oRtAyM|J;I$o)* zWi`kQoI5q<&duZNPO$~vT03$dSm^7+q~PbXQs zglQ~w`}5iP;+-QMPqxYhBuudPdiN+;f!`=^p2^C0o4%gcvDl_Kjm>0f2kSDHNw*{Q zzr0tre-$>%{)pi3z&+(@%%QU4*7mG69~GGs8|Kg7{wVnPtOduKCU4%bO3H8T@8Fc{ z@`qkskKty$QTBABk%e1`$#>?G+Vbh|zVP;*{~T%}ulitu)C!iSna>>`ucF0{jn)F{jQ&(xL;JY1+n?LzDPm-}q`26+29KlTv z+iJ27d(2v~b}rY4KgL19M+}{F;y&b%4yZJ+Juj!;(il|Lj@c32ezbZ(e@-YEI3kd-Y-S_eFbgSq4tnFIL&{J?dlL*8R4z zWs4&Y1sT;Uv^f8jHQmG-=#(7YxcU@pr|`*s-lDA^&VLZ86XGrSDXOpWc%_P^-@B;^ z@>NV`*X>_g|7)4L{@(OFVY^vHrvztqd~$Jp_|`Im?Y&lSgWTfq|2tL*Z&>;G(yyzU zk-7^EX2+>b<=FJ`e1@QHU;DqD9V%6}Dy|uK?k1f1cX`RCh_;o!KWkR#Zq><YC%-|0chgCFCW)chikSi&s@CWj?kNZ762H_}nSsUiqA?t38|A^tGED zX1%hhnpAad?X!rJsSi$BhhN@y_uzW_Sw6a%52Y_eKMQvj-oVqWY@ws6bn+%&F6-y- zJLXudoPGMg56?Y6jf*}vB+rwK5Xj0;HLHOm#%RCeR93@>%8zIt?7NX zdAF*qcI>KNdTOJ}*6Vx^8dg`XogTHo-!D;p*_?CA39d@7XZI8bKCks_UnLe}+VFJF zbyuKKUow{pwXSqqutuZYP!y{pru+@kb2nQhPfh)u04KZaRv+tXt6#eh$lu`BY5 z+H&4W3Z6UcdXA+&@^to^Z^lM=*HZ{s`MmH4|Bu zEqU*%{7Gu&nN;5I{U>6+O;p^vZP(<$OQ-Trtuy@3)GBJ6aH_DUeaDuJ`TO5A_uUZ| z^Z8gcQDfK7qmEyn-L+QmGS6QoyudoOwQ%0<8NFR|`}u9#ORvXy{!Gb_4!&T=byGxp 
z#pMaMbJj*YT)28m%+f!yH#wA35+g&r8QlJrZ<#h=#EwT z{4P(QujkSWzFFGt{dY?K+J0oVx_;GpM?rj~xu!;l?H})Askg2FPCK+F75mw8FqW~i zdCPc|Zk%iR{{`ov5BJTMWkkKsGj+6Y{IS7Tq9*vawA`e5MOYZWXr zimX?k2{lyR!9TC^$>K>f@6hNrt(_5>&F7*^s{&5oH0ceA4gRW~Z{w4s#wkN0SaJBrpb!9JE!ul;pMLGZktQz=Sjam{-E_rO={(K_Z$1Zd}v#B;isfd z_0jZqPH#WyYc4<27T5E?Yn7a>(>j&+<=mbTGd)E07aB?J^Im#1-RJrzcl2Ycle|9 zs#n`57i7QAUU+FC<5N3}vsVS~owWXuy4cw4_;l+=`9+t-?yvD?nJKpR+kvxR%IC&( zRo+`#KX3Q3r(dqW5&5PSU>AGfhI4PWHFk;;Yqk-Egks>qE8v-Ul*&M6+!d5WDH0C-7p{ zqED@F&#l^X?s*mSOYRv>9l5pK;ft2O@D2F(_w9wnoEgcj)6YD;I@5D&(%i~h!E@iA zDZamFs&mQw#gCdly47-v9S_fPOyIm9J^kzvuf0-h93+cBpLr*Jc6sj7&86CAHIJ?* dKeP;5bk>p0qW`T_@y>laN{U{!uw>4i0{~1wH){X@ diff --git a/hosts/nixos/porthos/secrets/gitea/mail-password.age b/hosts/nixos/porthos/secrets/gitea/mail-password.age index 915f8e9..e2e70ac 100644 --- a/hosts/nixos/porthos/secrets/gitea/mail-password.age +++ b/hosts/nixos/porthos/secrets/gitea/mail-password.age @@ -1,9 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 jPowng BkIjie2KrwDLaZYYIguCs7TPA/wQy+YPguikuhfye0M -7viTA/EGYB/jRKQm6fFd86DMd4j+Jxsaw/xQ1T8ZKNo --> ssh-ed25519 cKojmg t1Y8bZvPccNAX8vWQLTfCyOJIBXN515vyfFrEI2EVww -bJEjpIWrKeQrA/JfY7FRdB6hpHwR/aG4Vya1ChFNBKs --> jK/-grease Oz.R ?;)G ], -AuHk9TcC9kl0dg8/L6UfHIk3e9fgGwSTJAJpVgInhok ---- 47z9lol5MtpX0IsO/0ggLDMcNVfl4lNNvoHUSwOU/18 -)gЪeuÞ! œš- ÞTì¥YAðM+ˆãGbMe@­|A,è&ãÆE!܆p=P²=û9¹ÙP¹!Üö’Q|Ðä r \ No newline at end of file +-> ssh-ed25519 cKojmg 46BI3ItrXRWMivmd/K8bmkKlrYFSr8cbehAkmwCskig +gTjYquH1hDEZ2zWD5P7gN/ejTCH8JJb8bC/VLZ3koeg +-> ssh-ed25519 jPowng 5MqfJlasDbbqlI0dX98NZzHxmYmnnpveyBxa4z48V0o +r7Yiv4+SZiDncD0Xzp5eFSP4f2yjGBOILKxEO1iT3Os +--- l43+JtT28i1YDhNX3hE3Qb7swskOBc5ghDqiyh3rU2s +Ž+)´”¯ÛPô¢nåWT,.‹²eÚNW€Îñ YƱkçÿF4Ê#=˜)üîò™6Ö±ÛmȵîJ‹ª# \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/lohr/secret.age b/hosts/nixos/porthos/secrets/lohr/secret.age index fa310b481b361a28d6cfef8a3a387796460ed1f4..1d9c5ba21388406d6991ba35f31c99325ee29e6b 100644 GIT binary patch delta 332 zcmdnS{GMroPQ6n~o_j!4QBhimhp%U_XHbPxg^O=hRbWP0gjczXwn<2-vzbd^a<-p~ z1($b{ua{Y&yJL86im9=aSD=?kUQ%{MnsJ_EW<_vVR;pi!MN+V#sc}HQFPE;JLUD11 zZfc5=si~o*LRLV2d0x7LwwHfJSiWh9QMN&Zqk)S>UcITSwuh&ox2KC=c0{hBL6~J) zsCQ{tqMt!ImuF~kLAps#Rp-{}jADJOzpp+0vFvjR`?^gtYiB2%ey4wh#Y6C$<-T7xxF$4S gn3>wA`TO~aPBx*w$@(hW`0le#KEm+WU2CZo0G{x8>Hq)$ delta 404 zcmaFQw2gU!PQ8b7SW>p9k(pOkwo`hpp^s5=L1|uCX{JFynum{HT3&@&SaOwXk(;rj z372t}t4CUhS$SxopPyTlTVhyhrk_)2MzD8OZmD;2PC#yHl8bL~N}{R11(&X!LUD11 zZfc5=si~o*LRLV2d0x6gaHVrjnPs+nNmh_|a70RGdcBc(NoHYznOV7uVTeUwu}7-E zi;-7gj!B>+mqk@dNm{U%Ylf+QQd+5LNs^hbg;#o|sdH37X1I$*h)U0sDhQ~k8e?2NF0d~a<(x6-VT;(XIE^W>6BlWhHz zz?>?#oGQ~QOPB1b$ZRg2A0_%d;oXkDr5#F=_oQEa*djcA?q^*^76+c$D_jlNPwAIX xcoGzy+BYfV+HYgt*F7gM1SjX;<#Q@A4EcK_X$9|-1ID@E0n|W4wetxM_W{{a>Mrv?om1#w$ z0asK}T9ucvX=SBII%qFD9gK;UmAsfjDF7YvA2&@TYBI9N5jpcBVw*!g?$ zA=f!~%66wb2#V4RD%bGZBDVaw$(zGZ6eY|SKiRQH;L2MSA-0EsIyN^<7T@f7Gj&z# z@%sWQ>Bo}$zM0-mRBO4uWcIuMl3gzx6!boKRwccc$UIymTi-0vIQ8D5DXgALg|Ek~ z61&^5aicr8r0B~xflnE~R|tIXUms!9qZD>>b64^X&l8-@28m7ImWb!aWEvm(dO>qr z`X>F*)YEtOZdWnq4R>VWdA~M-D{klRTn2f`uq8_$#e__pW;*N2^l#?=U9a2%(pZaD z_cY$^PT-f?Xu0rc$8Ed%m{ZJUR;T85YE2bc@NJu*^S-}&b^iGY_D{U`OIa;0{9kZS z_MecXi@L^{lwDb~Ex#|mx#(#|$etO7dAbcj0V)OGZz{fwWvxDz)!y0ibnm9?f!zAb zgTn4X3G>wL%-XTkK~+rr&_g4ApVKs)?!Z0CNF_y0Y@YceehpnAY^7P=l|&9 zg8RMcwud7w2z@o1S7@^Q*{_?YOVdvr=qOm>$^7`atyBqbT<_k{gdLl{aDQ2T&f=0g E0N^(BNN7+I2tD|X@c78#Y z37183e!h8jk+W-%iMK~^lwXE>afx4+xo@(8NmPNWPkL@iXilJaREVQnF_*5LLUD11 zZfc5=si~o*LRLV2d0x6gii@eKX+W@(i@A?>Qc+@r;lJL|L z)9}1{b7PNCSI4BP5>pH9Dw+iX6kj(6XGQ)U-&)$k3F` zJT6^bU4>#(?_`&NKzGkVlSCgsmk0wB?_dv)s7fRK^qkDhU`Nm5EK@h%&=f=Ca;`fK z{+Db|+*xsKQa7vI^>aMae;+Eo7jsdbJ*tB+fPsx+>JHkKS zTQ=|Wto9qh#V=}N<=h%eM z@B>yJM*eOaZ?~N}DUj0ifxqGz@1rwLG7YkO{y`R~1MDvc$RVdc0IAf^zCs|D4 
zfPqw?U`or{^Gc=)S)wlt`Z*rHdz&|bAgloU66=k4QO-`ZU3eBF9VRT>`v DuWd ssh-ed25519 cKojmg lmu3MinmydRHD0A/YVRRtopermfoBC8M8cTHfVanY1s -ygrtpZZJ7aeQTblNazpoP7DdifmDxHsE3DFJsIrWX5M --> ssh-ed25519 jPowng X0cihOc+fBtmtrkEivIHQngdYIobezXEF1x+pHqNzAw -/+sw9x1NWY0anZhDMpAywBPrR0F4XCHaF9e8j/Yo/kI --> 32;%1s-grease -JafjuSZty6a4NSO/y4y5wHWL8Mw ---- dwCl66vdpsL0MR5NWWvg3JUnQ2QZQBeW0Dj0l5tvOKY -oi,`ÓÜ#uÄwW%PoubÚ­cy8ó ƒÃÉ><¿F‰Ååq…ÂKÂÇk0Çk/hÀ¥Ÿ5势ÝF+ýu‡ •e€¾Ÿ²óôbãè>1QŠ2®ñwn˜WbÖ–B˜âîiŸ^xurâ†- /llùÒÀÀ-ã=°7;jã0»I×%Fi¼í€ø‹™A;Y†ìUd]KÅI0(½ ”øAg£Ðóž^†uG:äpkJ’Ÿ:q¢šWSaLw¯¿Ô!ïM³4ã L/ùZŇ®¢D¶-XéUb»‘vÊbP‚ó›0ÇÅfÂ9êú †âJ`ÃX°ôÐOÅ!s›{ÙÄQAšc€c;ÏÃÑ‹4öMíچݹ lxH&ïéöé{é}ÁäÛzZ¦œ‚9ûÊXžÜ“g‰]Vϱ•0gt¡¿…žw· \ No newline at end of file +-> ssh-ed25519 cKojmg u+5VWUy7eFq4boAIOhuKXZYD4mhczaUAcjz4+coVggA +QlBHHgz7uY3TVgex59yZA0XgsIeHi2WN2S+UleC7bMg +-> ssh-ed25519 jPowng IyeI6WUjF8wxe92xD3xY++4ZqXtY8divB39eLWfAtm8 +eGj8w5X2ydS1LJvNSmo56xzRVoUB0iAKKs2NHX968Yc +--- hsYH9lUl3wIErJmBKzlWV+gIR5v6vgPIcNDgd0hiRGc +¹Ã@ÚlôQûsÈ„ÿ×£©Dƒ}^{ºžá¾X)¸nYóJhXhg8wƒž´ ­ “ú°˜Ó¨Ç‚Çw–‡y(œ–aè¸ìê.0>|ÚPSlOÃ|ÈÊE‰õÂÙé°€¡BWó_ˆ³ÜÌ)|x4©„šºë\_F¶ +ZÒo0=dts –j[ùŽõ0O+ÑÕRž8±‡ÕiüËçŽÜ»ˆõŒæÆdÀ«ß8j»â©ê +‚g¹©‘–$x Œÿò¥Æbâ÷í­˜äX·¢gÂ^¼íùG¼Êô¤Ž$UÏûB*ö°é²¡£ÈÔ)[t¶ÃHa•vŸ7ÌÑj£âD.z¸+¬[~–õ ÁÃé9Ùýàz¼øô`sé¶,_!^YÓïʯ2H¹øS‹¿¼©øÅøý*âñó@êjZ^ˆôæÎv~غ¶@ò \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/matrix/secret.age b/hosts/nixos/porthos/secrets/matrix/secret.age index 539c33e136a17f9caf49f42d65bbb528d78d7158..2c8852de12162394b78cd99ba47006d8a6cc4c0b 100644 GIT binary patch delta 389 zcmcb|ypVZ0xQNBr7KyaZ?nNz-LUSe)yVwsbdTUJnzNk&Ri zvW35Qu69N_SFS<1Yni3HXL^!fzDJ;sMP!zHWlDLTsk?cYc}RwjOK^^5MP^8nxkXVn zm#&>cadC!jYKoDmsiCDpRzQAvUb=#IexSdHzDKFQQ+<__fpbAsu3?#}pI?4Sd6lV| zMV_mvMV_H!o`-2lpob@yOR=$Km5WiZOSyr5kbZtypmUj9NLWCbZ;qK^X`YXxWrcIT zXGKbtOIReAuCA^^Zc?dRTA-1mzJ7{9aB*%_UPwuhUz%gSscA}uYf*7>seZ6`cBpfT zb5=Ij=ekL`OdlS;{Bead`eT!c8-#!0*iBx#YiK&Kx5{0wBCiz);@$5U?K1cE4 zy~UR{F<$=kJdxwG%VCx~jvwzt9;!K3*?Y(O?P&plq>eik@rRnVs#@J9YikO2orvE* oYk#1UcadC!jYKoDmsiCDpvUh$~Zn{Exrn{MWVvw_Ae!XEUYNqM@5M|OsPnPX|FwpUefa%re} zQki2_Rb)QMy4;K!KV9AQqSVCVR0Y-QI^*IT{dg|R2*Z3+SI=Z;gFwq-{VZQEKSxVn zU&Eq$0}tm=ePhc+!;DZaU0q#;0)qmxB1aSLutcMD{lFYg567s~f}kv?${b7oB%@N3 zl5+nLS6A(dBJ+H%Z0Fdc^8#Aa7CicsZ6 ssh-ed25519 cKojmg N182xey8TWRVUWTRP16rT0zlhYZNr/pOZVR7YRnlIkk -HVqAag55z1cKLgjR3WsUj2wvaVjxm169JcDRJGRvCVU --> ssh-ed25519 jPowng Dc+aaUTxDsMTY+oOst0SC3ldq1e6zX8F5A5uBL5RHhc -JWZou6+VaFc5f2OLRIrmFFWg3Er6WSY+TloXU0mP1K8 --> |9_9Aqh%-grease $ X8Mn|5 aKnl' fl ssh-ed25519 cKojmg xRtF3XVc7yPicAV/E4U7mn0itvD0h1BWBTjwunuoe2E +OkB9sjGB3ulH4Feuyj3Ed0DBG4+mghW/Qpum9oXL/8c +-> ssh-ed25519 jPowng 1r8drqhz1yZdTq0Kvqya+ArU1C2fkN7Gg9LiWWfeUFg +cjbxntVwHvqLaJpiKs/Y8ojeb6e3/cLFcsoeuoobfFg +--- B1qA2PylJBrdZxZtCzlU2kRPvxLM+IrXTvR+ERxVtTY +"W9Äbg¸©~Ì/áÕb4ãÕ†ú³ÜÔIÊ +Û}ð §ËÅË-³²ªNó±”ÑC7vWœbºØ?¦8=œÉwÆB ÃUpJClï²OÈ™³œnOÁ\ \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/miniflux/credentials.age b/hosts/nixos/porthos/secrets/miniflux/credentials.age index 979015965f433e63c6451fefcfa5511c614dc814..00d89a4b03c4b440ba1e77750fc8ab10cbe7b03a 100644 GIT binary patch delta 360 zcmcc1+|4{er`|o&GcYgEJ;Wq1%O%s>G%D9KCCo9kFvlPys4yiwFU>1YJJZWGztS_b zoXa#wZN&=-^|yqQa>}?fJ@g-p}06h zH#Nn`)YQ;YAuAxiJTF}#ygb;zz`&?9*drw*B01I2x!$PCJlM-9#XCPUDkH?l)GakV zHP zOIKG{!BsolGt;yzI6EVv%rVN>!{6N7G&m(aIN7oy+cem-+{3`a(m%xABR$WTE8u$F z!^uzhc@qUoeyR$aR$E`6xZrm1H;1)9;-BTICwnWYEP4x-o?`wW+ z-!SQ$MxX8qoA0SNW<9zeY4QKtZ7+vTNAs8!Lb{p1v;*%5L^Q_bebAbc^Y_?dd5$^G JwnqQ=0sz;4hcEyD delta 443 zcmeBXzRNs8r{35s$;HX3pwQ5>*et5Rq{P5CCAlohGPg9O(ydrOz05rz+tMsK(K(~s zm&+*4JHRU~*xS|HH?=s?r!vRK&$YnY-#w=y%rUYuza+}tBGJ?$z$3@kmrK`9p}06h zH#Nn`)YQ;YAuAxiJTF}#DA+5?)Fa2y)H5h5DZ@3iadT2&f zS#qU?t3hgUZkbPkQCe_TNU(WIR#v2k0oTqAPBzI216{s?H|Ld{+-qnpKzY@;PN%{gpHLZ|nS@e*q?7pI!g} diff --git a/hosts/nixos/porthos/secrets/monitoring/password.age b/hosts/nixos/porthos/secrets/monitoring/password.age index 410536f..67c75e6 100644 --- a/hosts/nixos/porthos/secrets/monitoring/password.age +++ b/hosts/nixos/porthos/secrets/monitoring/password.age 
@@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg OdLtFHbHbc28rUn47vgsVvXxFNg9nF+9y9R6XOK390Y -yQQYUPQGjN2+xrSqqBYa7/zS618KrVjX5Amw2MFuSLg --> ssh-ed25519 jPowng NwUjiLtiXVi6XFmht5l1CxEs3gm0oN4vHYwDZyda7Q4 -di6znVjNRO6QdqteVNkeot5Ko2NwWLe6v+zVR3f+o10 --> 4Vx%\(-grease ^^Z>EC91 R 2BJ d48Wip*s -yPiBgChRF31XgxccQFLO3MzRL7+5s29sfRoF3W1yUX6Bu59MpxD4D+n/jhLcxSH/ -CxW7KaiOctNmPm5tWh6qjmgQ+V4bcAji5vo4FKs40l56cfyueEJj+Q ---- WUGF28zqK9E1AlOeeCtSHxFg6ikRy85gOoLtBd4m0y0 -.|…rr>©†ðìì1ÅÆ2SÉž.×hww qºš%i˜øé ‚*U^­)Öè'qžµ›O2ÓœümòQÝ7˜¯m` \ No newline at end of file +-> ssh-ed25519 cKojmg l5lOlGnbvQ4D2kaSj1dd8Xr+btlNbTkT0SxSz02Vr1E +Cjy73yKL1N8LnjRXXLpxX+wIOFCa8wrG44VjXUND1lI +-> ssh-ed25519 jPowng nYHfkP9dRkxu4Fqh8MgrbdZAc8gk+VGDyxIV6RsSeEM +rKKi1NDoKMMzQ+kUs5ZX4zMqRBI0QwGY7q6K/L9+dLI +--- Umv3UCtXlApug7uuqmwbQN38i8Lx9/b0uhLgbc3OdZM +äBLsœ ‹?ÖsÓ“s2Îy +R0¹‘!<fü9txB7dòˆ™ÚŠò^©ô É‡LJ&ñW €<©e] +þ/$$ \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/monitoring/secret-key.age b/hosts/nixos/porthos/secrets/monitoring/secret-key.age index 4cef94fa385ae398c60f78536f661c35edf04631..6ea8c5442a7cda00d8eff218c06933826b82b42e 100644 GIT binary patch delta 320 zcmey({FrHiPJL;WepH%KX_sp_f}em#<@bNO*>2ifM|uX=Z6vnxj!_plN_bPDyY?l$VK7ierd{QKXN1r9nn9 zm#(g^Lb|1QVnkACNv@NDsb6@uyGw9oc!g_KzGZoSV4{adl6FW*L0Lpva)GZ2SMueE z>k2|AmRrs+VFf-dO;eVQ?n^ delta 473 zcmaFN^qYBtPQ8DKVS#Z#wx70>cZHutuBW?ip;3@on2U2#RdJQMg=d9ldT5w_Sw+4_ zHdjWnS!Jq4n45ovWrjyaWuQ}uzoVsPnzma-v3F2@UO-|+hEGzlV^*1aAeXM4LUD11 zZfc5=si~o*LRLV2d0x7Lw}rn)WJL+w;=C$mhy z%CN$EOUH`r6jQ?zPdD!*_b>x(Hw#0<+)@)qw@g1@V}r!>2>{p2Oi@TR!c79Hvn_*^dMVL!Tgm#K)L|9;?laYmCV2*Z% z0hgs|Xqs7Bh;y)uhmUtfl)jmxwzH9Qpiip5cD8K+2}eo6d-(RQG7*&QP`Ew^_Kh)-vksm02?{RobyH{24Yuc*CjN TtSw*pXGQX#o5*qErrQ?)a<6iJ delta 406 zcmaFNw1atqPQ9x~WtF~JrDvjrQJ96fwtsM7T4G74i&H>SUS(EtP;qKTfmw;ZsbNr< zFPBe1afqpVR&ipei+@47zEOU0l0|q}MX67jnMXxxl%;o=c}hsWk*Rk^B$uw8LUD11 zZfc5=si~o*LRLV2d0x6gmS3WCmA1P@PDQSTahQ2nT778h z$hyQ3TWu@H2;KCe)WqUc1=VOE?r$+g_14m$0a+v=oz2u6OtM>h6#0F4mY;dARhUPmRXx&A)2; z=ej*={?X)beJzOu`A<+Q<^+k=o diff --git a/hosts/nixos/porthos/secrets/nix-cache/cache-key.age b/hosts/nixos/porthos/secrets/nix-cache/cache-key.age index e0fb5be786d9814da7c81edeea1e47b67a45c4c5..17732edf1ed61d9a02ad41eaefe29cb50634c4e6 100644 GIT binary patch delta 394 zcmey$yoPy#PQ67&n6{Inw@-1Qg@=A}MR9gcRjId8pn<+~VR=@#S)oORudkPZYof1< zCznrXmZOn=VU(j|YGhWpSx8A)Zf2TOXuf{9duF(^NZir3FK<@IXMT)aHvZVhQ!`oZxl*ByGN3#WvGRDQdmijfp3t9Z$(sI zBv(XfZjp&aTAFu&TegdNX_#43ZiQ!_QE7g$p=oe#aixD`a718KVT68eGMBEMLUD11 zZfc5=si~o*LRLV2d0x7LyLU#GnSN%KpJP>Un4^KSQ+AsqbbT{Nu1o*#Yc#nR7;}a=ES6tl)Np3uyMN+Qx4+u|*by&ZHGN*T z+)1_XXA}0UD3_hT?r7+n-uoN&1PGiL`gNJ%U}T?9KgSF6KN)wtGELK&J};;~>b1}M zRb*_>Z?}c%VudV0)3bKZzaY83--mtu>$BgJlQz^o6gnp%vv=p)tcPb0t_zC`bbMWB M{UJ2#_Wv((06ti>3;+NC diff --git a/hosts/nixos/porthos/secrets/paperless/password.age b/hosts/nixos/porthos/secrets/paperless/password.age index 3fe76cb..8d545fd 100644 
--- a/hosts/nixos/porthos/secrets/paperless/password.age +++ b/hosts/nixos/porthos/secrets/paperless/password.age @@ -1,10 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg zhpo89xef68JoeOFWzhdFshrj2BXXUCFPMLVJzv6EyE -fmJxJi5rmyai9qGwDo7iHg4BrObGre96KCpl+g91O6I --> ssh-ed25519 jPowng INA6EZdy4J1p3QY5mfVOQXiLdOjIDaZR+CZMP+GfkXM -8Nf5soaxY5SEzeJca5kaJkx7ByOvc4NkJVetB7wpEmo --> xjK'w-grease -f5v0cvlt4JbHlAwDOob86qOInWdlN/oohTg ---- NTGv4rr+MhJ/YeZhVHOjoS1V+zCHFf2itJYfK36R+wE -š×—®JÚ dõ– oªê'YFUŸ@ -r7”ã“_N$‰ÿ–è‡>‚¡ê]hq»-¨FÛ°qXÿ?Î| ?µÊ \ No newline at end of file +-> ssh-ed25519 cKojmg 1hbRAuAGrTy6nmkAq+UWua8weywphZsTIGF68YQEOlQ +92Q7uIKv1EiO73wMh53jrTuEkzP6ziBmX9SWXCl4d3w +-> ssh-ed25519 jPowng aPb9v/S/mLW95Qom+swvasqY878RxpxxOkMJA2wb6nY +qu/dzcqciqKzNc28HqFMHA1XnrJy+/wWgbfM1+BrlkE +--- 8PXOozvZzNZQD2OT4a+0XuIQauzUGSvovdfDugmp+bc +x²Ž‚ê Ã>ùý²ç¦©ðóÁÇ_ÏC9d™T5ŸûKzЄqØcZ©°É¾pŒš¾¡ ใºv +)Œ³õ²¥ \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/paperless/secret-key.age b/hosts/nixos/porthos/secrets/paperless/secret-key.age index eae5c56..70cb898 100644 --- a/hosts/nixos/porthos/secrets/paperless/secret-key.age +++ b/hosts/nixos/porthos/secrets/paperless/secret-key.age 
@@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg tZwn2usN6K62oS4vBa6boh9zEp/+cS4chP8boXG6SH4 -Fr3kV8gUDoiDqMxPYWsHyww8umYhQEKhqbVBiVw5NeI --> ssh-ed25519 jPowng wRbJl4G85obH/GluQBBsXE7MOvooEui65eqHfurvuQs -KqVZMBSyHhkayEdwI6ocmA4qhHY9zYJvg1CEKM1SOa0 --> 2E"/OFW-grease o Qp3HFe^ -bGhCNicPqt7txqxUiEWXCFs1OuQLqOqHmjHSqYQv919dqYep/xBXzi/aRf3dsdvh -TCJCTvZG31Qxvikp ---- xKJGbdVp+Z5h0vCBleSF2zYYYd2S5i0y4szNqjRwrDY -Tª /N¯¨¹i7m4‚#³MhiñP¹šÒÞ›Á¥-ÏgI÷ñ±%@E†(›iÿ7·ý©ýYg¦k±´"+㸠Àª(þ]o¨¸–ý†ð@báÊÞ§+Ï[‚Y"ÿ‘ÌBóóCR[ >-Ë.4d…¤b9v \ No newline at end of file +-> ssh-ed25519 cKojmg r3ZUTfSNcHc1TS2fVtk99Y2xJMMunkwkcR0dQIdiCi4 +LICSnzAaooGy6x4wt0vNM6YtQ4S17QohZNt7lfVrD6Q +-> ssh-ed25519 jPowng KLU68ws4lemr0wWHxm8H8pf1SQAoUZTN4QSPzk2PyHk +6pjH1pI956oaf9ZIHPPq8p3g/mZC5GxWhWkT54Wohf0 +--- cAQbniTwwtTftfXU/dGtA69yF/hh8iB97vHxvkIZMMo +°c#Ž=^Ì~?5ú-w—NT†Ì¡¨+¶¨Ä!z¥ "’ Zö"2ºëðù×M!pž5×V¬ÈÛjçΡѡŽâ¥âL¹ÁÌyóÐŹúš› n÷ÄŠ8zQö°+¨ËÁØ©9WSµ§Æ0¨u}YÚ \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/podgrab/password.age b/hosts/nixos/porthos/secrets/podgrab/password.age index 90e2501..d50dc28 100644 --- a/hosts/nixos/porthos/secrets/podgrab/password.age +++ b/hosts/nixos/porthos/secrets/podgrab/password.age 
@@ -1,9 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg 8rcBI7fYHuA3jO6EzJNFaAj2niIApKDt1HQEv61AKTs -ANxkIX/CeI7t7Zqp6wmjt/D194Z+xpeiidb+qvYzoQU --> ssh-ed25519 jPowng oruewwTM9X/HjjcmOPcQVdp02rQBlgJPdzvlAffs3T0 -MrO0kaNhjgOkNHuz3NrIMWXNrXOHH9dT/Fk6hoQNKyY --> COK%H7-grease -6yfI90QurOKlM+kgpW8KZ/iBzDYD9yhNmjG1LQ ---- uArz8eHg8sLO0sdlkM6cELFh+FHiI5BrM0+iXJxxiDo -¿vývû´ÊNÊbæ@Ÿ¡ÂFÛMMíYËÆíÌ&‰’/%¤¹Ñm¨®ØtÁÖ“ªd†h„­|¡ðŒß©8¼Ž Ú½¨9‚®Cã¯/Å \ No newline at end of file +-> ssh-ed25519 cKojmg bICZUDqk/C2divEZu2lxUDsrtS1inSbDbS8hxJSJfHc +FsfueyP6WCesAu5EcXIxxtvbb8RX09qNTN9GvuhYuTw +-> ssh-ed25519 jPowng Uujsu6c+QTXqCNi6c+zxk5tf0UQcG+Qm/SZF4dzSKCY +RPVNNNauz73A8kWA0VSQiMWCerUkxPoXG2MUrFly3Bc +--- 8h4hGasOwZxk+i5aQfg6AzdA1G4wROhxz2rmM9u41b8 +{RÜ÷h×=42üé yöЙü¯’­Ãjš†›øìMWQ¤ûì%áX½‘î Œ°ú]•ÔöJ•ÙK„ÒÄå]ÏF®Ó?ûäQKŽ•¢ \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/sso/ambroisie/password-hash.age b/hosts/nixos/porthos/secrets/sso/ambroisie/password-hash.age index 10d9eaa37c8cc1c8795083db6f5b34d20a30b9db..efbd945037f705059145bbc665e1be54856efb6d 100644 GIT binary patch delta 348 zcmX@j{GVxpPJLjBn_r?uMV_~LNS3EbSb2m~wokdIlaG6%YgtBeMt)&lpkt-KlW%gc zBUf%gV3|vHVn9Vmct%;4ewtT$q=##`QAC)zMRBNirdxndM7T+KVz#G|FPE;JLUD11 zZfc5=si~o*LRLV2d0x6gu~Al~sYy~`MwxzMo>y>=X?0SaG67iMwTlS4u&ozd?zGr*E>iK|y%ASz@SHm|0Gmv5~i*d$x8l zm#(g^f{&$nxm#JGhfhv&WSCESXp(W5tFM7mc3_s1ak9H}if6GwglCYCU!t2Ym)hSn z&mB%%7lmpaD*x%ox_ra_B`;1z^~4!Iw!i*m+AD^=YPa51hWzhcw)lr*RDIKJ?dP*^ xS~v2a%{4xs$`^G(?DeA6md~HJUE;3Z6n{Q2>FH+9^Fk^-$Gx384qf703IH<+gnc2c;7Q*LrbVN^vxltq<6x}&36kZ+-zOG$CQc~XYHc2$yhS+18;D3`9CLUD11 zZfc5=si~o*LRLV2d0x7LX_!fPewm@4fm>#}U$SvQNqu^xnT1c7c1S_0t7(N(Qb@UH zu#vH$evWfGS8}?kc9v^YMtDYXs6}F=XPQr9khZ_6TZLypesW26g=2VRmUC2Mo{?KV z$U5^%uSnhWqSVCVR0VDAs6-u01?xZ+^{OquvHll8n~|v2)jKIk>QS z`MI|uTekf6wwH@~H8DZ*(&uBZwi$(N`%v|7%H=moE1d4?CI=h~?PW+>8M;VF%kO&B U*E276<{P~f6P}c?U{=j807|!-kN^Mx 
diff --git a/hosts/nixos/porthos/secrets/sso/ambroisie/totp-secret.age b/hosts/nixos/porthos/secrets/sso/ambroisie/totp-secret.age index c5ce19b60a266757ce1389831e273adcd6b6abba..211bec374f0773a28906a9d0d52f0a1dbfb6dd92 100644 GIT binary patch delta 340 zcmdnR{GDlnPQ7V>M@V^|W0{w$TZx;WPlZWdWN>D=VM=LLsevj<1JDXkuuhQN5p=QCM0=cvV_KZiK$0VPKk9 zx_e+!nsKl%SBA4&wnvVaVOm~5VR^WdwsB-gK%qyNg;7dcc$K4tUsOe&zel)blu@QD zm#(g^f?t?{Wks5sr=LekZb4*Jq)%|Ld$xsPu)bGvuuD=_W~qg7K|x}+WkrxHmuu7Z z!=g_QeD+Twl%b|9Q1z&XaTLhYqq#&DWjwcbfWnhfjHj8c(?u0su`GfyDp- delta 408 zcmey)w2OIyPQ9CfbF!ODkb7W=OOa)HM1*BVKzLfIZ-IwXctk~3y1Ausj$1)tnwO<> zIhSX;S7~Zdg=v79ajU4E>-GBUd-yC^r*x z-}IDv@65zhcc=1D({wIfU0sEgGDn}JQ2!i*RFCXXV_y$nV{^-pOnswDck>GKNMnQW z;FNTiU>~E%(nzk2tr1I7>?>Wrmd6|KmiujbBP8qEK7)P77QgWQHlJbX1ebeJ3cFr+ zUfj{Rb$zw5XU~NnNf`oGb5iZ=#JwUbCLeOVeKuB5s3>@*8`G9@Gn-v!ZXZd{SPTG_ CgOZj2 diff --git a/hosts/nixos/porthos/secrets/sso/auth-key.age b/hosts/nixos/porthos/secrets/sso/auth-key.age index 4e05b15362db0aa4da54df2c747e5d4bd86d001e..1c1247026fd209d9cfaf58b8e786265c72cdc320 100644 GIT binary patch delta 417 zcmaFNe3*HHPQ6h^S)hM-UWl`!o0++HMqoxnp1XcplC!ycL2`+Yc}|31VTQAZQDtaG zAeWzegjO{?a@$ZS@!fj{jJr*aoN%>BA*rPvr zPG5{;%N+YJdqVpk#?Mnu_$0lD_0}Pkb Sc{Zcf>|YAJujjI7-vj{L;-y0X delta 449 zcmX@i{Fr%yPQ6KLa-x4)qJF-Aq=CM%r(02)nQu^eSwyZ=SX6L`rMaJnWl5SxaGsyB zBUgT=Ta~AwQHrmTZ&rDtVU>AOK}JrdVOWrBs++s3c5Y;)Yh|umq`R}D374*&LUD11 zZfc5=si~o*LRLV2d0x6grcYt6ws%%exT$Gio|k1&d3{o5c0gfhMunG$cY3&Qc2bU? zzME;HSEQRKmr-F=u!)nuQAmiNdtqKta&bhCpLtHGS4M_Ys;fy^s#{b^W^hWjsi8|K z$T~fz>?D&a-Snc=#Nt%0vVfrM^rQeo3*S=DvT`n6U0sDNAImDANaG-nkgS57Aj^zG zU;Xm>LL*l*H&4TmGMB*O@H`8%vJ}${?ZkYp{g$C;4sOrxSUBmO`=-UdoyIGZE7@9Z zUe7X%2>Lx`=jWVOhUsC~R$sV!^<>g*erXM-^tp`&ZfUYJ^ xes<)U`r7NKiH;)kwLAA^ZfK`jPDp>(_R{5$@^>rg_>_IWOw4<~GB!`R4gjazwKxC( 
diff --git a/hosts/nixos/porthos/secrets/tandoor-recipes/secret-key.age b/hosts/nixos/porthos/secrets/tandoor-recipes/secret-key.age index 2ec147d8edff2730442d1ae253609e27bd43bec4..d6db3710f922d6d3d4f9b65cd05c07f0858cccfd 100644 GIT binary patch delta 370 zcmeys+{ZjYwLaN9KPxv~!OYk`JxHv;MHO0u()X-8PDKSDj><-Bs?uI zGG9O4%fhR|z{$hXH=~#(#XfzD)zmR7CEL`g!qU}0(>Xgi#8N*pqcF;&C^^g^%{`JxHv;MHO0u()X-8P**iZgH(enj$KSOiIo&iPyWTH7FxxF9Ei6gfDKppDxY(yW z$1K+@+uNtetH9aNJt�(8SEyG%_?j+q}HUB_PirJu)~uEZZf;tuQgt(7!NDJJ}%3 zvLq=qz`_J%ovTTXZhBE_VsWZMxV}QIs%wf)rmlj&LS7=5i(83-Sz3WXQl*cZV_HT; zri*KRXrO;!zO#0^Wo}lPVV+x=wxd~&Pl2~*u7|skMM|1eKtQf_tC7F+0_U6PnO_c6PEwfYHd8~|>*j}ULBIRVg&R|*-+r=fV_jZ7dxC8m Lhh^qsx9}nW?r5cc diff --git a/hosts/nixos/porthos/secrets/transmission/credentials.age b/hosts/nixos/porthos/secrets/transmission/credentials.age index 4f407fa..16f90b6 100644 --- a/hosts/nixos/porthos/secrets/transmission/credentials.age +++ b/hosts/nixos/porthos/secrets/transmission/credentials.age @@ -1,10 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg mP2H3PWJN6Pv3q6C2wci3KnXjtFAIiuGy0YH0sGIy2g -f43QqyUQfTYznszub47kgc2Mz95zVScTDkwnG3INi9U --> ssh-ed25519 jPowng fENbu7+FZ1mnQQHQCLm1spLHmsQGlRoJResUJtGzYkY -hX+AqCkLCca6m/aKtGCThi7/mCCz/TZQNJNOlOmlqyA --> J<-grease -n7+CPRr4oazWnE7yzpJN2ZAI4QrGsAerloP4wNeebjQDx8+IxJq1JE0g3Yi0RxzN -chDccuSPLYk45Ov+SD/qqqFZlQ ---- p81HYw3LFj+qz2kiZsDcevM4ZBfvN743P9Jdi7J9XkM -‚¢ìÛ±S·7 ‘ý£÷ÜãV»»Bðßâø±³ˆ¶ïO‰lEt˜‹Á…šqý·_D,PºVFp\æ"AM}èg?ÿÝ/\²Ä;ùy’ ¬Óš(ÑSñKË \ No newline at end of file +-> ssh-ed25519 cKojmg Froxrdh4H2Bsj4X2xicyBXHPRlbkRJAOztoTfzxItSM +FnsLS2QYm8mJUO+c152FieLCFkALxxwQLnY4PAj8zsU +-> ssh-ed25519 jPowng pKl4p02M+U5JsiOnM2wXL5bkPwsI3IHjlTutlvez3zM +NSuOFsyV8JqtTq97lNzacJnJ3YZgWp53XxU3mjUlcMQ +--- 2TK2ViFblmDheaYdat/GF0ze1wVsla1EPLaeRdMM4Gs +®àµÕ¨ENÜžäm›Û2uÂ~Ju¼b´´t[Ý$Tñþ^‘2–°½jœÙÜi@xªÒ¸*İg[MÞH½½Xš!”‰6Áez¼…¥DW]ÓÕ<‰–` XÛâêÁÜÄPóéý÷ÃÞ› +¶¥q*Îo¼½ÃÑ$‚åÓ<² \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/vikunja/mail.age b/hosts/nixos/porthos/secrets/vikunja/mail.age index 4c83acd8586c808c5938889471406eeb283c550a..864e5be1b389dad8408ecef2710b33f6d632a9ce 100644 GIT binary patch delta 546 zcmaFDdYEN`PJO;X=gh!O2X=PO;mwwEg z(}x4qz3UCQnpT*`23GlRk9n|8viwVDe|10_QK+aV%=%4)aBwf y+l@Kwt*3v=R`J+3>qIuEwDwc8JxdO;t)Ki~K4Fq_*o;g5b9a}#GkCxydKmyF>FIp{ delta 708 zcmX@i@`QDQPQ8&!s;75asj-=Vc$A@2PL+#MWKwcYXryzpNkmFTZbfL4Z-84_NUm9k zBUh%Sca>X7Qe?23pG8@DxS><3fsdt|wrO#mr=drfcA%$IWO9k2rDe8XK9{bYLUD11 zZfc5=si~o*LRLV2d0x7Le`sQ+e`G)0(~Oc3 zZEep;E?r$+1;;4Atn7Tl49A?ZM17~yygak|((Fjr@KO^$pJ2zZw4kaq{amNiirkdK zWUkNZ1+0;p>Ib}ojQ;IZdbeZw#r~f=9XTW7lzR7Ed|2&b{4r|Hmi({!tEa7F;TmJN;|_@7-8x@VdfxmwBsZ2*>4+LryKP_L++w`d_h=W&76W_b=AUT)Mtw zzRRX1zv?q2+>p#iqwxTlMxD%U+q!=*4@_ z#B<-aa53o_mtS_;?%ycyG2x1KDZ`_W+#8EyzC99-w@BSC&A!3EQ`aUSqi5&ZlFX|e z&(`}*OX=T}c2qFX$~W*riC|V}tIft0vv*&Ts-J2scHx(y?W9*8FGB++yso`EA;x^Q zkJBn%rJs6Y6(Uz8Pw~oLw`9Aq>SXj)!-xN0h>6XesnnUXhI#I`jqguSa5;5DVJ84Q C^c&{@ diff --git a/hosts/nixos/porthos/secrets/wireguard/private-key.age b/hosts/nixos/porthos/secrets/wireguard/private-key.age index 4abe1e5..d7e292e 100644 --- a/hosts/nixos/porthos/secrets/wireguard/private-key.age +++ b/hosts/nixos/porthos/secrets/wireguard/private-key.age 
@@ -1,10 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 cKojmg +WwRpd2MzycutQFXyLsr2+GzSgF67Z6UuvyqYZaLd3w -sppt8HzaZP3yxnvnhzjl18Trnz8g3VyXJ6CaVBWd7jA --> ssh-ed25519 jPowng wanoqGB7T8bim/WZ4IAYViFQoGzaIZSgeoTr3YKpeTY -ihDAdGa1XVW/qQz40V1v7a7iK7tu0EHMa7ayIogpcRw --> l-grease |PIcZ NIr >0;* -4o8o0bevQZ6uDSx1WxxlDCURbFCM+yK1XPdrb9aztCSvG2a+ne78E42l5rBcoH7I -m51A8uWS4nSj36N/76v6K4kelxKzWUg ---- O6cGbTAVbDcdmPHf7UzfZiyiRtu1yfL4sBI+CkJA1qw -ýqýÕ$ò`¿w'èS“X¸]¥á÷ø®úî…?¤6‹Ð/ÆN(Bžò N«a”.ÿ HŽ7¿í•Iú÷Àoz‡/4:sK",7J \ No newline at end of file +-> ssh-ed25519 cKojmg KslHl4v8yCsKZn5TduLgpTfpTi1uOInC9N2e8Ow83FI +NzcJJr8kw1ykAdWRZOeWdNhx0BTgE7FwTKcge+yLJ/w +-> ssh-ed25519 jPowng YGWcOai0A9l2HDZyV0GtD8kEbY/xTUssODFBcseWAkA +nJaHXkipFSHdyektoKV5y1jQrjkvnU7pwZwAymiQm7M +--- IgWkDulol1jRa+pcx7DbEy5pvC+2nrRJHsdQVPvPur0 +Bb<ÅŒb!ÏëE?:ÇÓô=÷srJCœüKz5ø®Ô{–Æ4`¾&N0€ÕÈö¹57ñüví’©+´1 ++(d§á¡{ ìQŠÙ \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/woodpecker/gitea.age b/hosts/nixos/porthos/secrets/woodpecker/gitea.age index e6ede6cc39553e75fd77dee696e90dd193a3daf0..11817ff5ec8bfb3860c5ef36305a12ecc012e668 100644 GIT binary patch delta 437 zcmbQwa)Eh*YJIYIepYU}f=`IMM}?trVrErPsb7juVxf6hg{y03QF4}Bj%9vOuxp^c zNlK|(RZ+MBSB_Ifie;XDx=nP*zKQHXP~bDo>NL1>akRH>m+NP4MxM1GW4qP~AJ zm#&>cadC!jYKoDmsiCDpRzQAvUb=!sN_L`0a9FxwVtr+>afnx%nTv_Jr(s!8foFMz zc3Eh!rAc~zSaC*9X;3+rXMR|DWsY-6g-L)}ma#!#XpyUXZd9;ePF}J{U{+O`p^veP zeu{Qrs-p#$uCA_vvv-w2j&GE2j$2h(vAaP)l2@{`bEL5GqrOrI^5G? zKbd-W*F;N)qce})x)eLByZ!Zo^m)aX*VM=Sbr0(^3ZF68Hpcl9!@+acTwnh=;qVy?IY9+MQ1;T`>&I){{FKD)MMviu1F@aneS= m=SB#H8p>Hntu=hu&cJfCHPYJFBfetBNHLWWmSMOCOvzG11iSB9razF~S%g=L0?d6`?Fzh!DbXpW~x zRiJi-iC3j7SB|e+VUVd~R*<`yWne^QvTt^3R)DupZl;B!Z;-RUS(;CFntq9~i+fTa zm#&>cadC!jYKoDmsiCDpvUh$~Zn}cGpTDa#w{kD+OJJA}-fTf3wnHU&|6Fzv2j! zq=@u-(~_*5qyiKDq9A?!^dJvI;~>l6{7~;=kG!DDKrUTfU4}c=j?#IH1n_|uQaEmLbFgOPp+(t`Z<=o&zq(+7@5aM)KAiUa3*)7 z+c#aI)%h<}qyzr$7jD0?H{p%fm294h9U(pwoN7PJe(}}r+iUx@?x!ZA+zRiazVTge zx@4cE_%*+BcI3nI-jf`RLQ;q3p4Ck`tIHM;zwU9J;W>9x#uf6meep9-o@I#2*n8qZ zcI)RY#WeDR9zxIBSN)8({f8ZWz}XW~Cs^{?lSS55i(XAZy2PQCMT(*J9;7Oh;l KFmi{|!;=7;aKaz} diff --git a/hosts/nixos/porthos/secrets/woodpecker/secret.age b/hosts/nixos/porthos/secrets/woodpecker/secret.age index 63a4862..89bcb6b 100644 --- a/hosts/nixos/porthos/secrets/woodpecker/secret.age +++ b/hosts/nixos/porthos/secrets/woodpecker/secret.age 
@@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 jPowng yz0I+AazPmamF7NOnwYNrPE/ArarU01jd2mVDJUPSTY -6Y/YQ7gb8cAZf3zT9SKOorvfUnU7kYff+gHh8fG2mY8 --> ssh-ed25519 cKojmg 0FZU9v8eHsVeE+EoX9Y4IgfIj/8+45waPaSnSDb961I -L6SzJoh5xqai45scoVAa6v9zslBGFYNnZY044d470uQ --> I[G-grease p -AMRQY1alSzHi/PLL80kcvnM1Z9YNfoUo9u5alWXYMyzrRsg+vXjMuBvAXg3fmnzr -wdOowTYMRV+jEG8vzkcQTsv+f7JIyo4DvOOaPyGfWMl1 ---- ih3IAFPcN1JP3FP1vcRGnPrfk91yrnIX0m/Szkbcf7Q -ÑmW„r‚µœ_\)Ͱ]QЦxMÃs/݃Îݪäœó‚Í6óº“k±äÅY§xïMy¶ J¿¸‹GßÃ)i2_'ÖœHF€þ.âg_Îe5³#uätñØÕ 7j„ŽPñ²'TÞ¥8´•\IàW«UùäK­°1Úº9½è \ No newline at end of file +-> ssh-ed25519 cKojmg tAW2hbBSxsael6cdbN+vI4h1/PMNrWYct8cppCAasn0 +cex/wBTviSIXc8clNm5PGltTYa1Q5PwqlX4BGsNHiyU +-> ssh-ed25519 jPowng YxfhtpytvuhIARQAaJ0w94aOZiGNUOBR0pF+Sp80D2k +nMon/VdYUQTs6LFccDGeIKWeNYib1wwtFmEYZkDZxg0 +--- giL477X0+uZ2Ocvbixt5f5kNc1laj5P79oW8P9XsNP0 +¨›Ãd>ò±cE?nb¹vš_²'2ûûà³Õµ¥_6P›u:ÊusºE“8õ“ØÏ“xuڶ̪…Îxù̧ïžC[†®°ˆÁ .õêŽ6‰¯  qÌÀÍîJ°Ä5GäKÌ)N<ÊyYÉ¥tX=l7T´2­¨ùRÙ \ No newline at end of file 
diff --git a/hosts/nixos/porthos/secrets/woodpecker/ssh/private-key.age b/hosts/nixos/porthos/secrets/woodpecker/ssh/private-key.age index 0211701ba0ee3d8ef341b6d69d70ccaa25b8379b..b0b7b46ea02749ddeed2e60237daf1972b7be672 100644 GIT binary patch literal 3703 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn_Ri1BO;<3lbd5?k zDD*1LHLx@?EuU*cROc){PW#eVe+?#YjV~YT+GJCEKy-`5$>Y0vnjLE zZJj%BbaHuY&%C%-!I^3U(SuQOTp z2T%K~y6TSlYRAwSd*(&2Y@IlD!~DPtf73d4*gie6S>^a=U*&b7+k6<@SFDjbtZmtG zE!}q(>z7l4F52ZaS-)*v&g#znP`-9ow`@i0p4(h670qoD4<#u#vtSMYi{K*Dc`_y@cf0#F{>3HKZ}?)?}6j@=}mg?yuSVW zT=`^j;~{Q)kIRbd^cPOi+_>cF&3A#{6t`B-Tlv$S!>ar08Ot6KmcOy9I5 zWM8|9HEaHUAE&c?hmXY_;+8ag$u>Lf&!0^l-M{U>7*5-xJy}5NuX?+X#>&|J^Ikda znh>9G&+Ua=60@D&Tc*v+41HiuN$XmvV>lnAF7nQ*C}|eYh+8!`g4(c*NJ?) z9WTtRFMZ^6{6^m%qrF1kigr((?sj;(((E07udn=c=tz3As={J}tXuznBsjG8mfh0+ zc{}lwPQKaerC)k`F8eZV-N=5gK=b_J?KiBRs~yRgQMR?75c+7!gS%`u-`RZ(%$;p? z_v8H4%=u!8Dn47)r|)m`^fdTVdgR>4DeF|H%u?NJ?|a3mb!%GxE`tU&w&v^ioy_$F zt{o4%+kLs=(NPUPofiI$E50?q&AiY2*fikPLw=6j{cp7|dOehIY*I)`w^9*HpDB3h z+t<~J&YN`?yfuifZrrc-a#4kKrJcaam?-V{iaeiAC?tDcmdX^5Z*yZS?OFBv(3k(3 z!kW#gOZXdsgTg@+ZpFuZ7 z+uf#h&1OH17xG75M?QLUV(lc>vj?lK+(WOetK?H;JCgN2_perj;Vz9W?e>m;mY!R^ z=l12tCuVxp^Ctz1864GdFJCsXvS{{-tCKty6<&Ux?b!KimY8)@a`-auZS|89&h-Cb z-m6vIy?4!z5}g$`p*A7n`}B0*JYK)>@_oy$o1N-z)h#dNe|KF zZsHJLR-kol_mx_Uqkr4l{6(h8s(-xuB%{mW#i>~1DOFMnrPNoX&c14FsT?F(AaeUh z!okdW2eTyIM7Q<*pC>qRpWDTc8y+`bc8l99sJ+8d%Dlx;xL;!PLNN`4JxlmDEjQeI z&&$DCxny~C)v;&)KQ682HCh*Q?7R4si&MK61&er|?RDhd|6|?K+n>MAY|Cb|y*Blp zT+>%87KZ{sgNB{;zZNDvQw!1hQtlgX{PIOqQte6B=I^gn;$I$iC`o-G;ct0GmBnFc z_@rs2#``j#xrlt3_|%}2$G!W(mB~G?WNzM36z6{|_fja%tM(}i|MGJQ`%+i1^q+AL zh~s#r`D0ZLYo)r|PiMgcyKgW0ZN1ktdTC`0-`cAlrWH(&etbQ-`e(uXO^d=R{={%3 z8vkE9tM=;0J^u>XK0V@pv9s}ux#stOCs+NJH#k}woGVrpx-7?Y^Xan+JD<;qc4ZZD zowDZ8an2VLBe@$KY)U;sZEaNp4jNvsOBVUL=UI@#v)ls)67LtdMri+jQBio|ifygw zB$3kv@|zB5O;tRg=Q8bWqgZ0jx3BZ+CD){Fy6jT(Wz*hO*>jIyPcwX*BVWhZt18B_ 
zbjH&3vnT(}`yo~OIh%czz0Bb)(;rT#5|)!x+aTk-y|KDnf>+fr|Tu&y^@KX3ERD9G>a$zRX;E>97R6Di(dBx}+8c!%T)MnmO8l83|} z)jVu^H|dkFDc8XdQw+Dexv%&&UC=Z6$H}(Tv$>zo9Iq-fk>j3ufZ2SP5x@QQ6Nhhz zS;)2>T2t7vYEx0ae}l|@H>0Xc+`ad{G8o?3#PFVx_s=x9MumVW7LQ*aT)50|hwj;j zpA#RZg_S>6&IJcNm=XJrhwN>?jJ&TDOEq} zpSJL-)4?g`S!{VrB#d6QYi~T?mYTU~)qy^hjfOkA{m#kn@a(8J2)J5pw`7s|AG=9O z2Q`eEZxuaHy5I8Xr*+0j@9&Zx>$!@=Hg9-)LoI3U)lc`=uD_^#^rE*v*G)bvll|LQ z9Fu&*!9IWUQk%?0Yp(_9d{W{#yMp87wnCN#X6~kULocwJURnQ!t#_;Uj^nx#Qs`^9;Xw{dyt5<0CqAvVp`)pPTa^zilo5VdVPk-z?wVOU-;Hr1Tw2 zD~wsOZ(T$}^ua7+m1Qmy>g{!ZIOU&`lYHmg@^zxmQPw}!)AlQ!UVP8%!S5Ck7} z-V2u-9pcFQ>5+B+++&uF^|5WguAHfeJ@Gbb%HHjNg7>DL-J^Zsl!En%Wi3;<=A1wA z>cHygKp&IO;jIUPCVB|XHZ{s&*Z#X?Yy5{*XY5>UFV@)@ALm_sqSI(Q=WSJu?e75G-nvv79_hOilpe9du+tmo8u6N%Koo2~9p10z})Cgmj$hP%U+fGbYcb*@~ zb!ER&*U3M>qpNI|ZfPv3iD9&vbLx$EQs-H>aon(1(%^}_66+6Dv z_s?i>>f1a;xGKP?Z{-d9Id?w==6|``+;W{ zp4Fb@t90*JGxN*xBF+67l1tlaxXVl{R$OBau6P`6aLvVNbK9+V>&+PpBc&8?8;gInTc6GlfI?&dF8wPXERe&C{T$R`+|Kj7IfC!|flr=Ql1b|G&lN ziloVbz!%lK!?(x8r?_QQt<$#JB|k6Y>Vywh&99!^x${CzPM=#z*43R;w)Qh0^gh?D zW3zXi;i)(Ct_m`hXn(6x2zmW_#_rwMIlfJd-BDUUbxT+2qb!}bv*O~TCv>ze(aUE1 zzi`EzY>DVk8T}uG583REXHXPb?^Sb&*X~=mbJ(M$h7r6SQ#G$}l^t86W_)nNkqr}H zWIi}$S8_ts=!<7L3^*Xo+$M9~QF3$Wf$OhyqmO?pZF-w7F)@`TKh|ur zqCsiVg*VyGr~W4Pp1!c{PWAokPWSj$XjYf}Z!~$rv+w9J)mO_`{$YLJbxi8B+J+yw z`k%CpCR$eat>T!h!lWL{?loCMd*hoE$I3LW@8@P{o%lWU*u(1)2K%DkoH%fzv+Jv) q<@6&*=M`tpd;46faLUp6xpM`+Upc4nW_kO^D+e9sR2UuoUJC#v#vv#G literal 3799 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn_Ri1BO;@NW2`?`+ zPsvL6@G|jp@hZ%UO3L;q%Zo4!s&bAj3-wF$O?S>MaP@c3%;t(nPc}*Rbj)*&2-45? zt$}K!Jt=vC5xwJIW zA|k`2FfTVh!ptQ@Kg1nMm~MJeYGQG!LVTr>LU~SJgonL}f|{R~t%47i zuTO=UkCS(1s;R4!M{bIDZc2V+MpAKpl!u|CpIMcUaam5TV^ErRS&nbENkv*vWk5<; zepp^|kcE-AYd}>lm#(g^LXd?~nR`)WzGJ3&MqX;Fe@I1;WkF!6nY&M+ziEzJc$sUk zn`LpaftPt8*MVa{E@+%JKU2KHS^m_5%||zQ+rRbaOg>X{_QmSIrWLO5UFA-5ewp!) 
zOSUxdeO!O3NZE|HhgF(a%uR4S^y^miX_>(81G^Qr{f;d;`E1?RdpiFwWGnh7Ik?^b zA7v8hwmQ0f%F*Rsd=ghVa?P9$OxSnP;KuPCEw3#;>xx?5SikVx7T*ekph=ADtS4~Z zm@#RKQbNz+i-%r*opJY{hDwJ`(}tv~n+*aL7cVq=nU-)u;2o$>Y^_xHqCU%njTxvV#L z$-CKi&g%5PmY){KuuP$l0hj~oKM@6Ir&!WrZZ=xDL&ccq58q`$HUlI`4vV{jc3Ca zyFc#{-0;lLuHcDJmf^wGXH3E^j@|5>E_i1(ukpb^VX1%}0`K4T-&_3t+(n*~Z=)ht z-l*kS>QsK-T%UQ}#VHy0ABRbwMY4{ulX| zDG9711~R9oZsXgc_O+HjIrz|a=QfMm-oi_j~>BZT__>%&v0J^c(V(dQ(}JtXUYoZV4kVd#>D!z_qN~1i5}1 zCa}!d!Lf+lFwt6(FWP>4{-=9qR&8_<_cXJd=$N)M{)@j#WkY-;~-%VQlvpG}G9 z%oYqkb^rde_D{3=QY}-I7%bPDZiu|MC1B|lwWYT2rmxz$t0i+s{F3jk(V4T2qE4Q? zS-=`SeYRqO_SeXJ7x)%P3!JF?xaTCd{yGiUzBghMV}8B+zbZqn$oRtAyM|J;I$o)* zWi`kQoI5q<&duZNPO$~vT03$dSm^7+q~PbXQs zglQ~w`}5iP;+-QMPqxYhBuudPdiN+;f!`=^p2^C0o4%gcvDl_Kjm>0f2kSDHNw*{Q zzr0tre-$>%{)pi3z&+(@%%QU4*7mG69~GGs8|Kg7{wVnPtOduKCU4%bO3H8T@8Fc{ z@`qkskKty$QTBABk%e1`$#>?G+Vbh|zVP;*{~T%}ulitu)C!iSna>>`ucF0{jn)F{jQ&(xL;JY1+n?LzDPm-}q`26+29KlTv z+iJ27d(2v~b}rY4KgL19M+}{F;y&b%4yZJ+Juj!;(il|Lj@c32ezbZ(e@-YEI3kd-Y-S_eFbgSq4tnFIL&{J?dlL*8R4z zWs4&Y1sT;Uv^f8jHQmG-=#(7YxcU@pr|`*s-lDA^&VLZ86XGrSDXOpWc%_P^-@B;^ z@>NV`*X>_g|7)4L{@(OFVY^vHrvztqd~$Jp_|`Im?Y&lSgWTfq|2tL*Z&>;G(yyzU zk-7^EX2+>b<=FJ`e1@QHU;DqD9V%6}Dy|uK?k1f1cX`RCh_;o!KWkR#Zq><YC%-|0chgCFCW)chikSi&s@CWj?kNZ762H_}nSsUiqA?t38|A^tGED zX1%hhnpAad?X!rJsSi$BhhN@y_uzW_Sw6a%52Y_eKMQvj-oVqWY@ws6bn+%&F6-y- zJLXudoPGMg56?Y6jf*}vB+rwK5Xj0;HLHOm#%RCeR93@>%8zIt?7NX zdAF*qcI>KNdTOJ}*6Vx^8dg`XogTHo-!D;p*_?CA39d@7XZI8bKCks_UnLe}+VFJF zbyuKKUow{pwXSqqutuZYP!y{pru+@kb2nQhPfh)u04KZaRv+tXt6#eh$lu`BY5 z+H&4W3Z6UcdXA+&@^to^Z^lM=*HZ{s`MmH4|Bu zEqU*%{7Gu&nN;5I{U>6+O;p^vZP(<$OQ-Trtuy@3)GBJ6aH_DUeaDuJ`TO5A_uUZ| z^Z8gcQDfK7qmEyn-L+QmGS6QoyudoOwQ%0<8NFR|`}u9#ORvXy{!Gb_4!&T=byGxp z#pMaMbJj*YT)28m%+f!yH#wA35+g&r8QlJrZ<#h=#EwT z{4P(QujkSWzFFGt{dY?K+J0oVx_;GpM?rj~xu!;l?H})Askg2FPCK+F75mw8FqW~i zdCPc|Zk%iR{{`ov5BJTMWkkKsGj+6Y{IS7Tq9*vawA`e5MOYZWXr zimX?k2{lyR!9TC^$>K>f@6hNrt(_5>&F7*^s{&5oH0ceA4gRW~Z{w4s#wkN0SaJBrpb!9JE!ul;pMLGZktQz=Sjam{-E_rO={(K_Z$1Zd}v#B;isfd 
z_0jZqPH#WyYc4<27T5E?Yn7a>(>j&+<=mbTGd)E07aB?J^Im#1-RJrzcl2Ycle|9 zs#n`57i7QAUU+FC<5N3}vsVS~owWXuy4cw4_;l+=`9+t-?yvD?nJKpR+kvxR%IC&( zRo+`#KX3Q3r(dqW5&5PSU>AGfhI4PWHFk;;Yqk-Egks>qE8v-Ul*&M6+!d5WDH0C-7p{ zqED@F&#l^X?s*mSOYRv>9l5pK;ft2O@D2F(_w9wnoEgcj)6YD;I@5D&(%i~h!E@iA zDZamFs&mQw#gCdly47-v9S_fPOyIm9J^kzvuf0-h93+cBpLr*Jc6sj7&86CAHIJ?* dKeP;5bk>p0qW`T_@y>laN{U{!uw>4i0{~1wH){X@ From e2091e9e2ec36e602f5a9a47412238951260b146 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 26 Jan 2024 23:35:06 +0100 Subject: [PATCH 067/169] nixos: services: nextcloud: use HTTPS This should fix my issue with the sliding sync server. --- modules/nixos/services/nextcloud/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index f2ac8e3..580e9ea 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -43,6 +43,8 @@ in dbhost = "/run/postgresql"; }; + https = true; + extraOptions = { overwriteprotocol = "https"; # Nginx only allows SSL }; From 58b22b7354c59c6b8a0c1e04a2883bf99414117a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 25 Jan 2024 20:27:29 +0000 Subject: [PATCH 068/169] home: firefox: tridactyl: remove 'Nitter' rule Turns out it's very annoying when the Nitter instance has been rate limited. This reverts commit e514389a3d3ea25e311b3dd3b24cdd1f7c6eec65. --- modules/home/firefox/tridactyl/tridactylrc | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/home/firefox/tridactyl/tridactylrc b/modules/home/firefox/tridactyl/tridactylrc index 0401292..4dc53cf 100644 --- a/modules/home/firefox/tridactyl/tridactylrc +++ b/modules/home/firefox/tridactyl/tridactylrc 
@@ -69,8 +69,6 @@ unbind " Redirections {{{ " Always redirect Reddit to the old site autocmd DocStart ^http(s?)://www.reddit.com js tri.excmds.urlmodify("-t", "www", "old") -" Use a better Twitter front-end -autocmd DocStart ^http(s?)://twitter.com js tri.excmds.urlmodify("-t", "twitter.com", "nitter.net") " }}} " Disabled websites {{{ From e2ec4d3032ee3d3dc3be935b0e2af9ad7ff0c511 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 12:22:04 +0100 Subject: [PATCH 069/169] nixos: services: paperless: fix classifier hangs This is an experimental fix to try and get around an issue with the default BLAS/LAPACK implementation. See [1] for more details. [1]: https://github.com/NixOS/nixpkgs/issues/240591 --- modules/nixos/services/paperless/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index f528ad7..f62879a 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.services.paperless; in @@ -80,6 +80,9 @@ in # Misc PAPERLESS_TIME_ZONE = config.time.timeZone; PAPERLESS_ADMIN_USER = cfg.username; + + # Fix classifier hangs + LD_LIBRARY_PATH = "${lib.getLib pkgs.mkl}/lib"; }; # Admin password From 1655afcedf07197fc1ba25c945a2a4fcfb60cf6a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 12:38:48 +0100 Subject: [PATCH 070/169] flake: bump inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index acf6c48..7714038 100644 --- a/flake.lock +++ b/flake.lock 
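Review bot: `LD_LIBRARY_PATH = "${lib.getLib pkgs.mkl}/lib";` in the second paperless hunk sits in the same attribute set as `PAPERLESS_TIME_ZONE`, so it presumably reaches the environment of every process of the service, not only the classifier, and changes library resolution for all of them. The comment `# Fix classifier hangs` does not say what is being worked around or when it can be removed. The commit message already points at nixpkgs issue 240591, and that reference belongs next to the setting, e.g. `# Work around classifier hangs with the default BLAS/LAPACK, see NixOS/nixpkgs#240591; remove once fixed`. The enclosing attribute set starts outside the hunk, so how these keys are passed to the unit is not visible here.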
@@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "lastModified": 1706569497, + "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "rev": "60c614008eed1d0383d21daac177a3e036192ed8", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1705879479, - "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", + "lastModified": 1706473109, + "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=", "owner": "nix-community", "repo": "home-manager", - "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", + "rev": "d634c3abafa454551f2083b054cd95c3f287be61", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705856552, - "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", + "lastModified": 1706371002, + "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", + "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1705927265, - "narHash": "sha256-eUUIBb3qYMrQB0ONGEj2kzKN8yzqwDmR4+Ct5/dvJcs=", + "lastModified": 1706613454, + "narHash": "sha256-oekBAKlWhNgs4MCORSrZnswYTwD5h7HQkDDFf6INAZs=", "owner": "nix-community", "repo": "NUR", - "rev": "a29c6f71063d0ce903e927fa7885651c00abd33b", + "rev": "ce9c09fbd09d8cccb7353fe32bdfbd39ff3cb7be", "type": "github" }, "original": { 
@@ -197,11 +197,11 @@ ] }, "locked": { - "lastModified": 1705757126, - "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=", + "lastModified": 1706424699, + "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc", + "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf", "type": "github" }, "original": { From 02412f2578eabbc030b9a34d6458d2f42070e84d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 30 Jan 2024 13:21:50 +0100 Subject: [PATCH 071/169] nixos: services: nextcloud: fix renamed option --- modules/nixos/services/nextcloud/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index 580e9ea..51195df 100644 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -45,7 +45,7 @@ in https = true; - extraOptions = { + settings = { overwriteprotocol = "https"; # Nginx only allows SSL }; From cc029f7933b73785c5a64aaed02188498b277fb2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Dec 2023 23:27:04 +0100 Subject: [PATCH 072/169] nixos: services: add aria --- modules/nixos/services/aria/default.nix | 76 +++++++++++++++++++++++++ modules/nixos/services/default.nix | 1 + 2 files changed, 77 insertions(+) create mode 100644 modules/nixos/services/aria/default.nix diff --git a/modules/nixos/services/aria/default.nix b/modules/nixos/services/aria/default.nix new file mode 100644 index 0000000..2d1b3e2 --- /dev/null +++ b/modules/nixos/services/aria/default.nix 
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.aria;
+in
+{
+ options.my.services.aria = with lib; {
+ enable = mkEnableOption "";
+
+ rpcSecretFile = mkOption {
+ type = types.str;
+ example = "/run/secrets/aria-secret.txt";
+ description = ''
+ File containing the RPC secret.
+ '';
+ };
+
+ rpcPort = mkOption {
+ type = types.port;
+ default = 6800;
+ example = 8080;
+ description = "RPC port";
+ };
+
+ downloadDir = mkOption {
+ type = types.str;
+ default = "/data/downloads";
+ example = "/var/lib/transmission/download";
+ description = "Download directory";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.aria2 = {
+ enable = true;
+
+ inherit (cfg) downloadDir rpcSecretFile;
+
+ rpcListenPort = cfg.rpcPort;
+ openPorts = false; # I don't want to expose the RPC port
+ };
+
+ # Expose DHT ports
+ networking.firewall = {
+ # FIXME: check for overlap?
+ allowedUDPPortRanges = config.services.aria2.listenPortRange;
+ };
+
+ # Set-up media group
+ users.groups.media = { };
+
+ systemd.services.aria2 = {
+ serviceConfig = {
+ Group = lib.mkForce "media"; # Use 'media' group
+ };
+ };
+
+ my.services.nginx.virtualHosts = {
+ aria = {
+ root = "${pkgs.ariang}/share/ariang";
+ # For paranoia, don't allow anybody to use the UI unauthenticated
+ sso = {
+ enable = true;
+ };
+ };
+ aria-rpc = {
+ port = cfg.rpcPort;
+ # Proxy websockets for RPC
+ extraConfig = {
+ locations."/".proxyWebsockets = true;
+ };
+ };
+ };
+
+ # NOTE: unfortunately aria2 does not log connection failures for fail2ban
+ };
+}
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
index b27570d..3e2b3c8 100644
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./adblock
+ ./aria
 ./backup
 ./blog
 ./calibre-web
From 16f98f144eaf68b024090d60c1db2e7e29b7aa04 Mon Sep 17 00:00:00 2001
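Review bot: The `aria-rpc` virtual host is published without the `sso` block that guards the `aria` UI host, so the RPC endpoint that actually controls the daemon is protected only by the token in `rpcSecretFile`. The closing NOTE says aria2 does not log connection failures, so failed attempts against that host cannot feed fail2ban either. If leaving it outside SSO is deliberate because the browser-side UI has to reach the RPC host directly, say so next to the vhost, e.g. `# Not behind SSO: the web UI calls this host from the browser, access relies on rpcSecretFile only`, and consider request rate limiting if the nginx wrapper supports it. Separately, `mkEnableOption ""` leaves the option description empty; `mkEnableOption "aria2 download daemon"` would document it.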
From: Bruno BELANYI Date: Tue, 30 Jan 2024 13:37:26 +0100 Subject: [PATCH 073/169] hosts: nixos: porthos: secrets: add aria RPC token --- hosts/nixos/porthos/secrets/aria/rpc-token.age | 7 +++++++ hosts/nixos/porthos/secrets/secrets.nix | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/aria/rpc-token.age diff --git a/hosts/nixos/porthos/secrets/aria/rpc-token.age b/hosts/nixos/porthos/secrets/aria/rpc-token.age new file mode 100644 index 0000000..e6a42c5 --- /dev/null +++ b/hosts/nixos/porthos/secrets/aria/rpc-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg fpiyZo1AR5hCfk/KtbgWCTzz+05/VOUnnaHhWgXQRwc +d2w9IX/kq/T6OwQ1zImsCmzIX2yfFD8hQDbs0IW3ZIA +-> ssh-ed25519 jPowng E9R7p9NCubUQrymjnrNfEjSNIIAXrBQLogNkWsOx8xc +MrWEE5LNtOqAjnwA6byfSa1udnbUtqBy4FhdxipuA+g +--- fKgerjgGs+brvNKnrWdpmOadl34LipMT6Msqse2g3E0 +Œ¡E9³ï¬‚KYRL-‡„°¡Ç·\E–ŸK{ÃÜ7âço»ïò²XÂGxÍT’Î)Ëœôä6°%ˆ­LO€Tðÿ*‰™*8\£É@G \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index ed6c2fd..7dd34df 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix @@ -12,6 +12,8 @@ in { "acme/dns-key.age".publicKeys = all; + "aria/rpc-token.age".publicKeys = all; + "backup/password.age".publicKeys = all; "backup/credentials.age".publicKeys = all; From 3f13b3f03f70e7632096c9b88ef8cb637f072e95 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 31 Jan 2024 11:56:09 +0000 Subject: [PATCH 074/169] flake: bump inputs --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 7714038..43c64b5 100644 --- a/flake.lock +++ b/flake.lock 
@@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706371002, - "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1706613454, - "narHash": "sha256-oekBAKlWhNgs4MCORSrZnswYTwD5h7HQkDDFf6INAZs=", + "lastModified": 1706700467, + "narHash": "sha256-GYdukl4hSsGoHnlYMV6XgmnumuGr1H4vsL7UNnEmhmA=", "owner": "nix-community", "repo": "NUR", - "rev": "ce9c09fbd09d8cccb7353fe32bdfbd39ff3cb7be", + "rev": "e52bfdd7d331dd32f0f0f8eb430488a36d6e6402", "type": "github" }, "original": { From e227ad76b274a866d3a8484fde3531b329407c4b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 31 Jan 2024 21:41:40 +0000 Subject: [PATCH 075/169] hosts: nixos: aramis: home: use 'pinentry-gtk2' Now that it's available again, let's use it. This reverts commit 39eba647acacdf2bb2aafb00be694fa5c2e0726f. --- hosts/nixos/aramis/home.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/nixos/aramis/home.nix b/hosts/nixos/aramis/home.nix index dfe9dbe..66a0892 100644 --- a/hosts/nixos/aramis/home.nix +++ b/hosts/nixos/aramis/home.nix @@ -2,7 +2,7 @@ { my.home = { # Use graphical pinentry - bitwarden.pinentry = "qt"; + bitwarden.pinentry = "gtk2"; # Ebook library calibre.enable = true; # Some amount of social life @@ -14,7 +14,7 @@ # Blue light filter gammastep.enable = true; # Use a small popup to enter passwords - gpg.pinentry = "qt"; + gpg.pinentry = "gtk2"; # Machine specific packages packages.additionalPackages = with pkgs; [ element-desktop # Matrix client From 05cf04a11f47a3688ace1787a6ebb5ef16b41260 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Wed, 31 Jan 2024 22:07:03 +0000 Subject: [PATCH 076/169] home: mpv: add mpv-cheatsheet --- modules/home/mpv/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/mpv/default.nix b/modules/home/mpv/default.nix index 931c252..8af394c 100644 --- a/modules/home/mpv/default.nix +++ b/modules/home/mpv/default.nix @@ -13,6 +13,7 @@ in scripts = [ pkgs.mpvScripts.mpris # Allow controlling using media keys + pkgs.mpvScripts.mpv-cheatsheet # Show some simple mappings on '?' pkgs.mpvScripts.uosc # Nicer UI ]; }; From 473be47b29843ae6125296bbf2ea7ea36acc110b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 3 Feb 2024 23:54:03 +0100 Subject: [PATCH 077/169] overlays: add 'tandoor-recipes-failing-test' Since it's currently broken on the unstable channel, I am pre-emptively fixing it so that I can bump my flake inputs. --- overlays/tandoor-recipes-failing-test/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 overlays/tandoor-recipes-failing-test/default.nix diff --git a/overlays/tandoor-recipes-failing-test/default.nix b/overlays/tandoor-recipes-failing-test/default.nix new file mode 100644 index 0000000..43755ac --- /dev/null +++ b/overlays/tandoor-recipes-failing-test/default.nix @@ -0,0 +1,9 @@ +_self: super: +{ + tandoor-recipes = super.tandoor-recipes.overridePythonAttrs (oa: { + disabledTests = (oa.disabledTests or [ ]) ++ [ + "test_search_count" + "test_url_import_regex_replace" + ]; + }); +} From b41f0890b8a1cf2d3653cb0e310bbb64b3bffaad Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 3 Feb 2024 18:37:51 +0100 Subject: [PATCH 078/169] flake: bump inputs --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 43c64b5..ae79c1a 100644 --- a/flake.lock +++ b/flake.lock 
@@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1706569497, - "narHash": "sha256-oixb0IDb5eZYw6BaVr/R/1pSoMh4rfJHkVnlgeRIeZs=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "60c614008eed1d0383d21daac177a3e036192ed8", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1706473109, - "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=", + "lastModified": 1706955260, + "narHash": "sha256-W3y0j77IDVbmbajudHoUr46RpswujUCl+D5Vru53UsI=", "owner": "nix-community", "repo": "home-manager", - "rev": "d634c3abafa454551f2083b054cd95c3f287be61", + "rev": "880d9bc2110f7cae59698f715b8ca42cdc53670c", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706550542, - "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", + "lastModified": 1706732774, + "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", + "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1706700467, - "narHash": "sha256-GYdukl4hSsGoHnlYMV6XgmnumuGr1H4vsL7UNnEmhmA=", + "lastModified": 1706978646, + "narHash": "sha256-XEFktO8Ba41zKawf1Uf6FKIR1x0ShuoSddYXU4PQbx8=", "owner": "nix-community", "repo": "NUR", - "rev": "e52bfdd7d331dd32f0f0f8eb430488a36d6e6402", + "rev": "66d6b7b355f3b10ea4140f8b85b2e274c24d442a", "type": "github" }, "original": { From 03dac604e9b8f6925042e7ced1c8f915a842acdb Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Sun, 24 Dec 2023 22:56:50 +0100 Subject: [PATCH 079/169] nixos: services: add pyload --- modules/nixos/services/default.nix | 1 + modules/nixos/services/pyload/default.nix | 77 +++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 modules/nixos/services/pyload/default.nix diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index 3e2b3c8..67504da 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -27,6 +27,7 @@ ./podgrab ./postgresql ./postgresql-backup + ./pyload ./quassel ./rss-bridge ./sabnzbd diff --git a/modules/nixos/services/pyload/default.nix b/modules/nixos/services/pyload/default.nix new file mode 100644 index 0000000..40bf12d --- /dev/null +++ b/modules/nixos/services/pyload/default.nix 
@@ -0,0 +1,77 @@ +{ config, lib, ... }: +let + cfg = config.my.services.pyload; +in +{ + options.my.services.pyload = with lib; { + enable = mkEnableOption "pyload download manager"; + + credentialsFile = mkOption { + type = types.path; + example = "/run/secrets/pyload-credentials.env"; + description = "pyload credentials"; + }; + + downloadDirectory = mkOption { + type = types.str; + default = "/data/downloads/pyload"; + example = "/var/lib/pyload/download"; + description = "Download directory"; + }; + + port = mkOption { + type = types.port; + default = 9093; + example = 8080; + description = "Internal port for webui"; + }; + }; + + config = lib.mkIf cfg.enable { + services.pyload = { + enable = true; + + # Listening on `localhost` leads to 502 with the reverse proxy... + listenAddress = "127.0.0.1"; + + inherit (cfg) + credentialsFile + downloadDirectory + port + ; + }; + + # Use pyload user/media group when downloading files + systemd.services.pyload = { + serviceConfig = { + User = lib.mkForce "pyload"; + Group = lib.mkForce "media"; + DynamicUser = lib.mkForce false; + }; + }; + + # And make sure the download directory has the correct owners + systemd.tmpfiles.settings.pyload = { + ${cfg.downloadDirectory}.d = { + user = "pyload"; + group = "media"; + }; + }; + + # Set-up pyload user and media group + users.users.pyload = { + isSystemUser = true; + group = "media"; + }; + + users.groups.media = { }; + + my.services.nginx.virtualHosts = { + pyload = { + inherit (cfg) port; + }; + }; + + # FIXME: fail2ban + }; +} From df44786c9cc5c12935ecce260a5ac55277eb9bef Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 24 Dec 2023 22:57:37 +0100 Subject: [PATCH 080/169] hosts: nixos: porthos: secrets: add pyload creds --- hosts/nixos/porthos/secrets/pyload/credentials.age | 7 +++++++ hosts/nixos/porthos/secrets/secrets.nix | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/pyload/credentials.age 
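Review bot: The `pyload` virtual host only inherits `port`, so the web UI is published through nginx with pyload's own login as the sole gate, and the trailing `# FIXME: fail2ban` shows that failed logins are not throttled yet. The aria module earlier in this series puts its UI behind `sso = { enable = true; };`; doing the same here, or stating in a comment why it is left out, would cover the gap until a fail2ban jail exists. Also, `credentialsFile` is `types.path` while the aria module uses `types.str` for its secret file: a Nix path literal assigned to a `types.path` option can end up copied into the world-readable store, so `type = types.str;` (or a description saying only runtime paths such as the `/run/secrets/...` example are expected) is the safer choice.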
diff --git a/hosts/nixos/porthos/secrets/pyload/credentials.age b/hosts/nixos/porthos/secrets/pyload/credentials.age new file mode 100644 index 0000000..089f962 --- /dev/null +++ b/hosts/nixos/porthos/secrets/pyload/credentials.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg nJbOfp0/wmFOZLzcWjoGB7wEB8e56aO1NntSmn5KomU +/Vio4Z/t7IPJrdzdwUPidVH3wrouSkwRzNHP0T4z3x0 +-> ssh-ed25519 jPowng QXg/xqs7/VfkYQg3X77w4i53q64bL9oYeTxqb9NVhiQ +sMHIXlmrIxtIr+s0X4lBqev/PPd3AKD5P7AP5K4NeJg +--- gzTn+6+aa4Ptic1lsvSt+r3IEBysHrvMMIyONogMDF0 +ÏÂË®UE_í Date: Sun, 24 Dec 2023 22:58:03 +0100 Subject: [PATCH 081/169] hosts: nixos: porthos: services: enable pyload --- hosts/nixos/porthos/services.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index d73cdc1..2486752 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -134,6 +134,10 @@ in }; # Regular backups postgresql-backup.enable = true; + pyload = { + enable = true; + credentialsFile = secrets."pyload/credentials".path; + }; # RSS provider for websites that do not provide any feeds rss-bridge.enable = true; # Usenet client From f54cee8f70cd569fcc77093e7330f327ee1b3970 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 4 Feb 2024 14:37:31 +0000 Subject: [PATCH 082/169] nixos: hardware: add graphics I did not add an Nvidia knob to this module, as I do not foresee *ever* using one of their graphics card. --- modules/nixos/hardware/default.nix | 1 + modules/nixos/hardware/graphics/default.nix | 75 +++++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 modules/nixos/hardware/graphics/default.nix diff --git a/modules/nixos/hardware/default.nix b/modules/nixos/hardware/default.nix index 2a686f7..95e6a22 100644 --- a/modules/nixos/hardware/default.nix +++ b/modules/nixos/hardware/default.nix @@ -6,6 +6,7 @@ ./bluetooth ./ergodox ./firmware + ./graphics ./mx-ergo ./networking ./sound 
diff --git a/modules/nixos/hardware/graphics/default.nix b/modules/nixos/hardware/graphics/default.nix new file mode 100644 index 0000000..3baac02 --- /dev/null +++ b/modules/nixos/hardware/graphics/default.nix @@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.my.hardware.graphics; +in +{ + options.my.hardware.graphics = with lib; { + enable = mkEnableOption "graphics configuration"; + + gpuFlavor = mkOption { + type = with types; nullOr (enum [ "amd" "intel" ]); + default = null; + example = "intel"; + description = "Which kind of GPU to install driver for"; + }; + + amd = { + enableKernelModule = lib.my.mkDisableOption "Kernel driver module"; + + amdvlk = lib.mkEnableOption "Use AMDVLK instead of Mesa RADV driver"; + }; + + intel = { + enableKernelModule = lib.my.mkDisableOption "Kernel driver module"; + }; + }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + hardware.opengl = { + enable = true; + }; + } + + # AMD GPU + (lib.mkIf (cfg.gpuFlavor == "amd") { + boot.initrd.kernelModules = lib.mkIf cfg.amd.enableKernelModule [ "amdgpu" ]; + + hardware.opengl = { + extraPackages = with pkgs; [ + # OpenCL + rocmPackages.clr + rocmPackages.clr.icd + ] + ++ lib.optional cfg.amd.amdvlk amdvlk + ; + + extraPackages32 = with pkgs; [ + ] + ++ lib.optional cfg.amd.amdvlk driversi686Linux.amdvlk + ; + }; + }) + + # Intel GPU + (lib.mkIf (cfg.gpuFlavor == "intel") { + boot.initrd.kernelModules = lib.mkIf cfg.intel.enableKernelModule [ "i915" ]; + + environment.variables = { + VDPAU_DRIVER = "va_gl"; + }; + + hardware.opengl = { + extraPackages = with pkgs; [ + # Open CL + intel-compute-runtime + + # VA API + intel-media-driver + intel-vaapi-driver + libvdpau-va-gl + ]; + }; + }) + ]); +} From 183f3b48c822ddd482bc2609c8053b966f4b1d7a Mon Sep 17 00:00:00 2001 
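Review bot: `mkEnableOption` prefixes its argument with "Whether to enable", so `amdvlk = lib.mkEnableOption "Use AMDVLK instead of Mesa RADV driver";` reads as "Whether to enable Use AMDVLK instead of Mesa RADV driver." in the generated option documentation. A noun phrase fits the helper: `amdvlk = lib.mkEnableOption "AMDVLK instead of the Mesa RADV driver";`. The `gpuFlavor` description could also state that leaving it `null` with `enable = true` only sets `hardware.opengl.enable` and installs no vendor packages, since that is what the first `mkMerge` entry does.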
From: Bruno BELANYI Date: Sun, 4 Feb 2024 14:39:29 +0000 Subject: [PATCH 083/169] hosts: nixos: aramis: hardware: enable graphics --- hosts/nixos/aramis/hardware.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/nixos/aramis/hardware.nix b/hosts/nixos/aramis/hardware.nix index c66b426..99bc77e 100644 --- a/hosts/nixos/aramis/hardware.nix +++ b/hosts/nixos/aramis/hardware.nix @@ -26,6 +26,12 @@ firmware = { cpuFlavor = "intel"; }; + + graphics = { + enable = true; + + gpuFlavor = "intel"; + }; }; hardware = { From 7948dc284b0dd7d2cd48932bc52ae64d90a9c01b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 6 Feb 2024 15:08:16 +0000 Subject: [PATCH 084/169] nixos: hardware: rename 'trackball' Since I do intend on configuring every trackball I own to use this scheme, not just the MX Ergo. --- modules/nixos/hardware/default.nix | 2 +- modules/nixos/hardware/{mx-ergo => trackball}/default.nix | 7 ++++--- modules/nixos/profiles/devices/default.nix | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) rename modules/nixos/hardware/{mx-ergo => trackball}/default.nix (79%) diff --git a/modules/nixos/hardware/default.nix b/modules/nixos/hardware/default.nix index 95e6a22..8e125ca 100644 --- a/modules/nixos/hardware/default.nix +++ b/modules/nixos/hardware/default.nix @@ -7,9 +7,9 @@ ./ergodox ./firmware ./graphics - ./mx-ergo ./networking ./sound + ./trackball ./upower ]; } diff --git a/modules/nixos/hardware/mx-ergo/default.nix b/modules/nixos/hardware/trackball/default.nix similarity index 79% rename from modules/nixos/hardware/mx-ergo/default.nix rename to modules/nixos/hardware/trackball/default.nix index e4e55a1..7a99247 100644 --- a/modules/nixos/hardware/mx-ergo/default.nix +++ b/modules/nixos/hardware/trackball/default.nix 
@@ -1,11 +1,11 @@ # Hold down the `next page` button to scroll using the ball { config, lib, ... }: let - cfg = config.my.hardware.mx-ergo; + cfg = config.my.hardware.trackball; in { - options.my.hardware.mx-ergo = with lib; { - enable = mkEnableOption "MX Ergo configuration"; + options.my.hardware.trackball = with lib; { + enable = mkEnableOption "trackball configuration"; }; config = lib.mkIf cfg.enable { @@ -13,6 +13,7 @@ in # This section must be *after* the one configured by `libinput` # for the `ScrollMethod` configuration to not be overriden inputClassSections = lib.mkAfter [ + # MX Ergo '' Identifier "MX Ergo scroll button configuration" MatchProduct "MX Ergo" diff --git a/modules/nixos/profiles/devices/default.nix b/modules/nixos/profiles/devices/default.nix index 7dbd299..7a84bd2 100644 --- a/modules/nixos/profiles/devices/default.nix +++ b/modules/nixos/profiles/devices/default.nix @@ -11,7 +11,7 @@ in my.hardware = { ergodox.enable = true; - mx-ergo.enable = true; + trackball.enable = true; }; # MTP devices auto-mount via file explorers From a5aaf57e63d07666d8b41f8726258ccd88ff8467 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 6 Feb 2024 17:16:43 +0100 Subject: [PATCH 085/169] home: mail: accounts: remove himalaya backends Their definition is redundant with the logic of the himalaya module, which does the right thing by default. --- modules/home/mail/accounts/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/home/mail/accounts/default.nix b/modules/home/mail/accounts/default.nix index e7663d8..8886139 100644 --- a/modules/home/mail/accounts/default.nix +++ b/modules/home/mail/accounts/default.nix @@ -18,8 +18,6 @@ let himalaya = { enable = cfg.himalaya.enable; # FIXME: try to actually configure it at some point - backend = "imap"; - sender = "smtp"; }; msmtp = { From 0b74332e9c500967bf748ca4c14e89b322d22096 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Tue, 6 Feb 2024 17:16:43 +0100 Subject: [PATCH 086/169] flake: bump inputs --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ae79c1a..4773d30 100644 --- a/flake.lock +++ b/flake.lock @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1706955260, - "narHash": "sha256-W3y0j77IDVbmbajudHoUr46RpswujUCl+D5Vru53UsI=", + "lastModified": 1707175763, + "narHash": "sha256-0MKHC6tQ4KEuM5rui6DjKZ/VNiSANB4E+DJ/+wPS1PU=", "owner": "nix-community", "repo": "home-manager", - "rev": "880d9bc2110f7cae59698f715b8ca42cdc53670c", + "rev": "f99eace7c167b8a6a0871849493b1c613d0f1b80", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706732774, - "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", + "lastModified": 1707092692, + "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", + "rev": "faf912b086576fd1a15fca610166c98d47bc667e", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1706978646, - "narHash": "sha256-XEFktO8Ba41zKawf1Uf6FKIR1x0ShuoSddYXU4PQbx8=", + "lastModified": 1707234300, + "narHash": "sha256-D+LdA8g0Tq+KE9EmJMmn8EGRO5jZ2nLe/W0Fr5EIsdg=", "owner": "nix-community", "repo": "NUR", - "rev": "66d6b7b355f3b10ea4140f8b85b2e274c24d442a", + "rev": "59fceae769455455ef44c1dfb63bbae1ecddc41d", "type": "github" }, "original": { From 8c03bff1cf8531f2afc5c81556361479ab4391ab Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Tue, 6 Feb 2024 17:25:03 +0100 Subject: [PATCH 087/169] overlays: remove 'tandoor-recipes-failing-test' This is now redundant, the nixpkgs bump provided an updated package which builds successfully. This reverts commit 473be47b29843ae6125296bbf2ea7ea36acc110b. --- overlays/tandoor-recipes-failing-test/default.nix | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 overlays/tandoor-recipes-failing-test/default.nix diff --git a/overlays/tandoor-recipes-failing-test/default.nix b/overlays/tandoor-recipes-failing-test/default.nix deleted file mode 100644 index 43755ac..0000000 --- a/overlays/tandoor-recipes-failing-test/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -_self: super: -{ - tandoor-recipes = super.tandoor-recipes.overridePythonAttrs (oa: { - disabledTests = (oa.disabledTests or [ ]) ++ [ - "test_search_count" - "test_url_import_regex_replace" - ]; - }); -} From 9e0930aca4fb0ae40c40c5cd932962e832d0ee0a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 7 Feb 2024 11:49:42 +0000 Subject: [PATCH 088/169] overlays: gruvbox-nvim-better-diff: simplify --- .../gruvbox-nvim-better-diff/generated.nix | 24 ++++--------------- 1 file changed, 5 insertions(+), 19 deletions(-) diff --git a/overlays/gruvbox-nvim-better-diff/generated.nix b/overlays/gruvbox-nvim-better-diff/generated.nix index 50ea4ad..82a18c2 100644 --- a/overlays/gruvbox-nvim-better-diff/generated.nix +++ b/overlays/gruvbox-nvim-better-diff/generated.nix 
@@ -1,24 +1,10 @@ -{ vimUtils, fetchFromGitHub }: +{ ... }: -_final: _prev: { - gruvbox-nvim = vimUtils.buildVimPlugin { - pname = "gruvbox.nvim"; - version = "2023-10-07"; - - src = fetchFromGitHub { - owner = "ellisonleao"; - repo = "gruvbox.nvim"; - rev = "477c62493c82684ed510c4f70eaf83802e398898"; - sha256 = "0250c24c6n6yri48l288irdawhqs16qna3y74rdkgjd2jvh66vdm"; - }; - - patches = [ +_final: prev: { + gruvbox-nvim = prev.gruvbox-nvim.overrideAttrs (oa: { + patches = (oa.patches or [ ]) ++ [ # Inspired by https://github.com/ellisonleao/gruvbox.nvim/pull/291 ./colours.patch ]; - - meta = { - homepage = "https://github.com/ellisonleao/gruvbox.nvim/"; - }; - }; + }); } From d6eceea08a12b09ebcf6396402f6f5242242c667 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 7 Feb 2024 11:50:42 +0000 Subject: [PATCH 089/169] overlays: add gruvbox-nvim-treesitter-fix The version in nixpkgs is not up-to-date with regards to the nvim-treesitter breaking changes that were recently introduced. --- overlays/gruvbox-nvim-treesitter-fix/default.nix | 4 ++++ overlays/gruvbox-nvim-treesitter-fix/generated.nix | 14 ++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 overlays/gruvbox-nvim-treesitter-fix/default.nix create mode 100644 overlays/gruvbox-nvim-treesitter-fix/generated.nix diff --git a/overlays/gruvbox-nvim-treesitter-fix/default.nix b/overlays/gruvbox-nvim-treesitter-fix/default.nix new file mode 100644 index 0000000..832e71d --- /dev/null +++ b/overlays/gruvbox-nvim-treesitter-fix/default.nix @@ -0,0 +1,4 @@ +self: prev: +{ + vimPlugins = prev.vimPlugins.extend (self.callPackage ./generated.nix { }); +} diff --git a/overlays/gruvbox-nvim-treesitter-fix/generated.nix b/overlays/gruvbox-nvim-treesitter-fix/generated.nix new file mode 100644 index 0000000..5a18d62 --- /dev/null +++ b/overlays/gruvbox-nvim-treesitter-fix/generated.nix 
@@ -0,0 +1,14 @@ +{ fetchFromGitHub }: + +_final: prev: { + gruvbox-nvim = prev.gruvbox-nvim.overrideAttrs (_: { + version = "2024-01-29"; + + src = fetchFromGitHub { + owner = "ellisonleao"; + repo = "gruvbox.nvim"; + rev = "6e4027ae957cddf7b193adfaec4a8f9e03b4555f"; + sha256 = "sha256-jWnrRy/PT7D0UcPGL+XTbKHWvS0ixvbyqPtTzG9HY84="; + }; + }); +} From f4c4a485d60fff68a95e423a6888e31b15cb32db Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 7 Feb 2024 19:44:51 +0000 Subject: [PATCH 090/169] home: xdg: fix sort order --- modules/home/xdg/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/xdg/default.nix b/modules/home/xdg/default.nix index 3bba198..3aa43bd 100644 --- a/modules/home/xdg/default.nix +++ b/modules/home/xdg/default.nix @@ -48,8 +48,8 @@ in LESSHISTFILE = "${dataHome}/less/history"; LESSKEY = "${configHome}/less/lesskey"; PSQL_HISTORY = "${dataHome}/psql_history"; - REPO_CONFIG_DIR = "${configHome}/repo"; REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history"; + REPO_CONFIG_DIR = "${configHome}/repo"; XCOMPOSECACHE = "${dataHome}/X11/xcompose"; }; } From cb97b0dbdef8cbeb5a088c5fb373b1c7037371b1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 7 Feb 2024 19:45:32 +0000 Subject: [PATCH 091/169] home: xdg: add python configuration It looks like 3.13 finally brought a way to change the history location through `PYTHON_HISTORY`. --- modules/home/xdg/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/home/xdg/default.nix b/modules/home/xdg/default.nix index 3aa43bd..6e49aa1 100644 --- a/modules/home/xdg/default.nix +++ b/modules/home/xdg/default.nix 
@@ -48,6 +48,9 @@ in LESSHISTFILE = "${dataHome}/less/history"; LESSKEY = "${configHome}/less/lesskey"; PSQL_HISTORY = "${dataHome}/psql_history"; + PYTHONPYCACHEPREFIX = "${cacheHome}/python/"; + PYTHONUSERBASE = "${dataHome}/python/"; + PYTHON_HISTORY = "${stateHome}/python/history"; REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history"; REPO_CONFIG_DIR = "${configHome}/repo"; XCOMPOSECACHE = "${dataHome}/X11/xcompose"; From 9d9dba2cc224e39f492d9d9e33bde2fecaf65937 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 7 Feb 2024 20:17:46 +0000 Subject: [PATCH 092/169] home: add wget This is mostly so that I can add the XDG-compliant configuration. --- modules/home/default.nix | 1 + modules/home/wget/default.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 modules/home/wget/default.nix diff --git a/modules/home/default.nix b/modules/home/default.nix index 4dcfc35..c8183cf 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -39,6 +39,7 @@ ./tmux ./udiskie ./vim + ./wget ./wm ./x ./xdg diff --git a/modules/home/wget/default.nix b/modules/home/wget/default.nix new file mode 100644 index 0000000..32c13c0 --- /dev/null +++ b/modules/home/wget/default.nix @@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.my.home.wget; +in +{ + options.my.home.wget = with lib; { + enable = my.mkDisableOption "wget configuration"; + + package = mkPackageOption pkgs "wget" { }; + }; + + config = lib.mkIf cfg.enable { + home.packages = [ + cfg.package + ]; + + + home.sessionVariables = lib.mkIf cfg.enable { + WGETRC = "${config.xdg.configHome}/wgetrc"; + }; + + xdg.configFile."wgetrc".text = '' + hsts-file = ${config.xdg.dataHome}/wget-hsts + ''; + }; +} From b0aee235cdc2fc7a22aef2ee423a90849336fc5d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 8 Feb 2024 14:40:48 +0000 Subject: [PATCH 093/169] home: xdg: add 'GRADLE_USER_HOME' --- modules/home/xdg/default.nix | 1 + 1 file changed, 1 insertion(+) 
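Review bot: In the new wget module, `home.sessionVariables = lib.mkIf cfg.enable {` repeats the guard that already wraps the whole `config = lib.mkIf cfg.enable {` block, so the inner `mkIf` can be dropped and the line written as `home.sessionVariables = {`. There is also a doubled blank line just before it. A short comment above the `hsts-file` setting, such as `# Keep wget's HSTS database out of $HOME`, would record why the module writes a `wgetrc` at all.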
diff --git a/modules/home/xdg/default.nix b/modules/home/xdg/default.nix index 6e49aa1..aac5058 100644 --- a/modules/home/xdg/default.nix +++ b/modules/home/xdg/default.nix @@ -43,6 +43,7 @@ in CARGO_HOME = "${dataHome}/cargo"; DOCKER_CONFIG = "${configHome}/docker"; GDBHISTFILE = "${dataHome}/gdb/gdb_history"; + GRADLE_USER_HOME = "${dataHome}/gradle"; HISTFILE = "${dataHome}/bash/history"; INPUTRC = "${configHome}/readline/inputrc"; LESSHISTFILE = "${dataHome}/less/history"; From 5e3bc5a8c99968b4c238b824e5013b289b6af30e Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 11 Feb 2024 12:38:30 +0100 Subject: [PATCH 094/169] flake: bump inputs --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 4773d30..33d3740 100644 --- a/flake.lock +++ b/flake.lock @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1707175763, - "narHash": "sha256-0MKHC6tQ4KEuM5rui6DjKZ/VNiSANB4E+DJ/+wPS1PU=", + "lastModified": 1707607386, + "narHash": "sha256-hj/RgQMTvCWQVInkZwiMMieumkfOjHXhtWhfuXHop/8=", "owner": "nix-community", "repo": "home-manager", - "rev": "f99eace7c167b8a6a0871849493b1c613d0f1b80", + "rev": "bfd0ae29a86eff4603098683b516c67e22184511", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1707092692, - "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", + "lastModified": 1707546158, + "narHash": "sha256-nYYJTpzfPMDxI8mzhQsYjIUX+grorqjKEU9Np6Xwy/0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "faf912b086576fd1a15fca610166c98d47bc667e", + "rev": "d934204a0f8d9198e1e4515dd6fec76a139c87f0", "type": "github" }, "original": { 
@@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1707234300, - "narHash": "sha256-D+LdA8g0Tq+KE9EmJMmn8EGRO5jZ2nLe/W0Fr5EIsdg=", + "lastModified": 1707648276, + "narHash": "sha256-KOU9ae22fglOXsOHCGYW25iFXnfnz2fSrUy75qfDyuA=", "owner": "nix-community", "repo": "NUR", - "rev": "59fceae769455455ef44c1dfb63bbae1ecddc41d", + "rev": "c7fa9c6c3becdb8a330bf1202e009494a381ef32", "type": "github" }, "original": { @@ -197,11 +197,11 @@ ] }, "locked": { - "lastModified": 1706424699, - "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=", + "lastModified": 1707297608, + "narHash": "sha256-ADjo/5VySGlvtCW3qR+vdFF4xM9kJFlRDqcC9ZGI8EA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf", + "rev": "0db2e67ee49910adfa13010e7f012149660af7f0", "type": "github" }, "original": { From 7f1706999856e136c65ebf0c4608fc3c65862a1a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 12 Feb 2024 11:39:13 +0000 Subject: [PATCH 095/169] home: nix: rename 'inputs' options This mirrors the changes made to the NixOS module. --- modules/home/nix/default.nix | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/modules/home/nix/default.nix b/modules/home/nix/default.nix index 9ccbdc5..d734fbd 100644 --- a/modules/home/nix/default.nix +++ b/modules/home/nix/default.nix @@ -12,7 +12,7 @@ let # Use pinned nixpkgs when using `nix run pkgs#` pkgs = inputs.nixpkgs; } - (lib.optionalAttrs cfg.overrideNixpkgs { + (lib.optionalAttrs cfg.inputs.overrideNixpkgs { # ... And with `nix run nixpkgs#` nixpkgs = inputs.nixpkgs; }) 
@@ -22,20 +22,22 @@ in options.my.home.nix = with lib; { enable = my.mkDisableOption "nix configuration"; - linkInputs = my.mkDisableOption "link inputs to `$XDG_CONFIG_HOME/nix/inputs`"; + inputs = { + link = my.mkDisableOption "link inputs to `/etc/nix/inputs/`"; - addToRegistry = my.mkDisableOption "add inputs and self to registry"; + addToRegistry = my.mkDisableOption "add inputs and self to registry"; - addToNixPath = my.mkDisableOption "add inputs and self to nix path"; + addToNixPath = my.mkDisableOption "add inputs and self to nix path"; - overrideNixpkgs = my.mkDisableOption "point nixpkgs to pinned system version"; + overrideNixpkgs = my.mkDisableOption "point nixpkgs to pinned system version"; + }; }; config = lib.mkIf cfg.enable (lib.mkMerge [ { assertions = [ { - assertion = cfg.addToNixPath -> cfg.linkInputs; + assertion = cfg.inputs.addToNixPath -> cfg.inputs.link; message = '' enabling `my.home.nix.addToNixPath` needs to have `my.home.nix.linkInputs = true` @@ -54,7 +56,7 @@ in }; } - (lib.mkIf cfg.addToRegistry { + (lib.mkIf cfg.inputs.addToRegistry { nix.registry = let makeEntry = v: { flake = v; }; @@ -63,7 +65,7 @@ in makeEntries channels; }) - (lib.mkIf cfg.linkInputs { + (lib.mkIf cfg.inputs.link { xdg.configFile = let makeLink = n: v: { @@ -75,7 +77,7 @@ in makeLinks channels; }) - (lib.mkIf cfg.addToNixPath { + (lib.mkIf cfg.inputs.addToNixPath { home.sessionVariables.NIX_PATH = "${config.xdg.configHome}/nix/inputs\${NIX_PATH:+:$NIX_PATH}"; }) ]); From 0bb2be6b87ad84e197b2be03514f59d4bd7b11ed Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 12 Feb 2024 11:40:09 +0000 Subject: [PATCH 096/169] home: nix: add 'cache.selfHosted' Once again mirroring the NixOS module changes that I forgot to port over. --- modules/home/nix/default.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/modules/home/nix/default.nix b/modules/home/nix/default.nix index d734fbd..07606bb 100644 --- a/modules/home/nix/default.nix 
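Review bot: The assertion now tests `cfg.inputs.addToNixPath -> cfg.inputs.link`, but its message in the context lines at the end of the `@@ -22,20 +22,22 @@` hunk still names `my.home.nix.addToNixPath` and `my.home.nix.linkInputs`, which no longer exist after the rename; it should refer to `my.home.nix.inputs.addToNixPath` and `my.home.nix.inputs.link = true`. The new description of `link` says the inputs go to /etc/nix/inputs/, which looks copied from the NixOS module: the later hunks of this file still link through `xdg.configFile` and point `NIX_PATH` at `${config.xdg.configHome}/nix/inputs`, so the previous `$XDG_CONFIG_HOME/nix/inputs` wording was the accurate one. The assertion message continues past the hunk, so the rest of it is not visible here.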
+++ b/modules/home/nix/default.nix @@ -22,6 +22,10 @@ in options.my.home.nix = with lib; { enable = my.mkDisableOption "nix configuration"; + cache = { + selfHosted = my.mkDisableOption "self-hosted cache"; + }; + inputs = { link = my.mkDisableOption "link inputs to `/etc/nix/inputs/`"; @@ -56,6 +60,22 @@ in }; } + (lib.mkIf cfg.cache.selfHosted { + nix = { + settings = { + # The NixOS module adds the official Hydra cache by default + # No need to use `extra-*` options. + substituters = [ + "https://cache.belanyi.fr/" + ]; + + trusted-public-keys = [ + "cache.belanyi.fr:LPhrTqufwfxTceg1nRWueDWf7/2zSVY9K00pq2UI7tw=" + ]; + }; + }; + }) + (lib.mkIf cfg.inputs.addToRegistry { nix.registry = let From c9969775da97b656c5227ec811f51abba52a5550 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 12 Feb 2024 14:18:44 +0000 Subject: [PATCH 097/169] nixos: services: backup: add essential files --- modules/nixos/services/backup/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/nixos/services/backup/default.nix b/modules/nixos/services/backup/default.nix index ff0fc7f..8aeeae1 100644 --- a/modules/nixos/services/backup/default.nix +++ b/modules/nixos/services/backup/default.nix @@ -89,6 +89,16 @@ in }; config = lib.mkIf cfg.enable { + # Essential files which should always be backed up + my.services.backup.paths = lib.flatten [ + # Should be unique to a given host, used by some software (e.g: ZFS) + "/etc/machine-id" + # Contains the UID/GID map, and other useful state + "/var/lib/nixos" + # SSH host keys (and public keys for convenience) + (builtins.map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys) + ]; + services.restic.backups.backblaze = { # Take care of included and excluded files paths = cfg.paths; From 521522e4e9163d66b5e6b42231d98e39b633a2a3 Mon Sep 17 00:00:00 2001 
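Review bot: The comment `The NixOS module adds the official Hydra cache by default` in the `cache.selfHosted` block was carried over from the NixOS module, but this is the home-manager one; as far as I know home-manager writes `nix.settings` to the user's nix.conf as given, where plain `substituters` and `trusted-public-keys` replace the inherited lists instead of extending them. Using `extra-substituters = [ "https://cache.belanyi.fr/" ];` and the matching `extra-trusted-public-keys` would keep the default cache and its key in place. Since `selfHosted` is declared with `my.mkDisableOption` (presumably on by default), every home configuration importing this module accepts store paths signed by that key unless it opts out, which is worth stating in the option description. For a user the daemon does not trust these settings may be ignored altogether, so the effect should be checked on a non-NixOS host.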
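Review bot: The `hostKeys` entry in the backup module adds every `key.path`, i.e. the SSH host private keys, to the paths sent to the `backblaze` restic repository, so the host's identity becomes only as well protected as that repository's password and whoever can read it. The comment should say so explicitly, e.g. `# SSH host private keys (and public keys): secret material, relies on the restic repository encryption`. `config.services.openssh.hostKeys` is also read whether or not sshd is enabled on the host, so the listed files may not exist; either confirm how the backup job treats a missing path or wrap the entry as `(lib.optionals config.services.openssh.enable (builtins.map ... config.services.openssh.hostKeys))`. The rest of the `config` block lies outside the hunk.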
From: Bruno BELANYI Date: Sun, 13 Aug 2023 15:59:25 +0100 Subject: [PATCH 098/169] home: zsh: use 'mkMerge' This will make adding modular configuration easier. --- modules/home/zsh/default.nix | 138 ++++++++++++++++++----------------- 1 file changed, 70 insertions(+), 68 deletions(-) diff --git a/modules/home/zsh/default.nix b/modules/home/zsh/default.nix index 4cadb57..2821f28 100644 --- a/modules/home/zsh/default.nix +++ b/modules/home/zsh/default.nix 
@@ -17,79 +17,81 @@ in launchTmux = mkEnableOption "auto launch tmux at shell start"; }; - config = lib.mkIf cfg.enable { - home.packages = with pkgs; [ - zsh-completions - ]; - - programs.zsh = { - enable = true; - dotDir = "${relativeXdgConfig}/zsh"; # Don't clutter $HOME - enableCompletion = true; - - history = { - size = 500000; - save = 500000; - extended = true; - expireDuplicatesFirst = true; - ignoreSpace = true; - ignoreDups = true; - share = false; - path = "${config.xdg.dataHome}/zsh/zsh_history"; - }; - - plugins = [ - { - name = "fast-syntax-highlighting"; - file = "share/zsh/site-functions/fast-syntax-highlighting.plugin.zsh"; - src = pkgs.zsh-fast-syntax-highlighting; - } - { - name = "agkozak-zsh-prompt"; - file = "share/zsh/site-functions/agkozak-zsh-prompt.plugin.zsh"; - src = pkgs.agkozak-zsh-prompt; - } + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + home.packages = with pkgs; [ + zsh-completions ]; - # Modal editing is life, but CLI benefits from emacs gymnastics - defaultKeymap = "emacs"; + programs.zsh = { + enable = true; + dotDir = "${relativeXdgConfig}/zsh"; # Don't clutter $HOME + enableCompletion = true; - # Make those happen early to avoid doing double the work - initExtraFirst = '' - ${ - lib.optionalString cfg.launchTmux '' - # Launch tmux unless already inside one - if [ -z "$TMUX" ]; then - exec tmux new-session - fi - '' - } - ''; + history = { + size = 500000; + save = 500000; + extended = true; + expireDuplicatesFirst = true; + ignoreSpace = true; + ignoreDups = true; + share = false; + path = "${config.xdg.dataHome}/zsh/zsh_history"; + }; - initExtra = '' - source ${./completion-styles.zsh} - source ${./extra-mappings.zsh} - source ${./options.zsh} + plugins = [ + { + name = "fast-syntax-highlighting"; + file = "share/zsh/site-functions/fast-syntax-highlighting.plugin.zsh"; + src = pkgs.zsh-fast-syntax-highlighting; + } + { + name = "agkozak-zsh-prompt"; + file = "share/zsh/site-functions/agkozak-zsh-prompt.plugin.zsh"; + 
src = pkgs.agkozak-zsh-prompt; + } + ]; - # Source local configuration - if [ -f "$ZDOTDIR/zshrc.local" ]; then - source "$ZDOTDIR/zshrc.local" - fi - ''; + # Modal editing is life, but CLI benefits from emacs gymnastics + defaultKeymap = "emacs"; - localVariables = { - # I like having the full path - AGKOZAK_PROMPT_DIRTRIM = 0; - # Because I *am* from EPITA - AGKOZAK_PROMPT_CHAR = [ "42sh$" "42sh#" ":" ]; - # Easy on the eyes - AGKOZAK_COLORS_BRANCH_STATUS = "magenta"; - # I don't like moving my eyes - AGKOZAK_LEFT_PROMPT_ONLY = 1; + # Make those happen early to avoid doing double the work + initExtraFirst = '' + ${ + lib.optionalString cfg.launchTmux '' + # Launch tmux unless already inside one + if [ -z "$TMUX" ]; then + exec tmux new-session + fi + '' + } + ''; + + initExtra = '' + source ${./completion-styles.zsh} + source ${./extra-mappings.zsh} + source ${./options.zsh} + + # Source local configuration + if [ -f "$ZDOTDIR/zshrc.local" ]; then + source "$ZDOTDIR/zshrc.local" + fi + ''; + + localVariables = { + # I like having the full path + AGKOZAK_PROMPT_DIRTRIM = 0; + # Because I *am* from EPITA + AGKOZAK_PROMPT_CHAR = [ "42sh$" "42sh#" ":" ]; + # Easy on the eyes + AGKOZAK_COLORS_BRANCH_STATUS = "magenta"; + # I don't like moving my eyes + AGKOZAK_LEFT_PROMPT_ONLY = 1; + }; + + # Enable VTE integration + enableVteIntegration = true; }; - - # Enable VTE integration - enableVteIntegration = true; - }; - }; + } + ]); } From c89dec2a38f403cc2b27997493034d05258b3e0f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 13 Aug 2023 16:05:27 +0100 Subject: [PATCH 099/169] home: zsh: enforce order of 'initExtra{First,}' In case I want to add more values to those options, I still want the _main_ values to be ordered before/after. --- modules/home/zsh/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/home/zsh/default.nix b/modules/home/zsh/default.nix index 2821f28..987f3b8 100644 --- a/modules/home/zsh/default.nix 
+++ b/modules/home/zsh/default.nix @@ -56,7 +56,7 @@ in defaultKeymap = "emacs"; # Make those happen early to avoid doing double the work - initExtraFirst = '' + initExtraFirst = lib.mkBefore '' ${ lib.optionalString cfg.launchTmux '' # Launch tmux unless already inside one @@ -67,7 +67,7 @@ in } ''; - initExtra = '' + initExtra = lib.mkAfter '' source ${./completion-styles.zsh} source ${./extra-mappings.zsh} source ${./options.zsh} From d6c29481351d6e1de30055c8b50ea5abbe3f310c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 13 Aug 2023 16:19:47 +0100 Subject: [PATCH 100/169] home: zsh: add 'zsh-done' --- modules/home/zsh/default.nix | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/modules/home/zsh/default.nix b/modules/home/zsh/default.nix index 987f3b8..d983116 100644 --- a/modules/home/zsh/default.nix +++ b/modules/home/zsh/default.nix @@ -15,6 +15,16 @@ in enable = my.mkDisableOption "zsh configuration"; launchTmux = mkEnableOption "auto launch tmux at shell start"; + + notify = { + enable = mkEnableOption "zsh-done notification"; + + ssh = { + enable = mkEnableOption "notify through SSH/non-graphical connections"; + + useOsc777 = lib.my.mkDisableOption "use OSC-777 for notifications"; + }; + }; }; config = lib.mkIf cfg.enable (lib.mkMerge [ 
@@ -93,5 +103,35 @@ in enableVteIntegration = true; }; } + + (lib.mkIf cfg.notify.enable { + programs.zsh = { + plugins = [ + { + name = "zsh-done"; + file = "share/zsh/site-functions/done.plugin.zsh"; + src = pkgs.ambroisie.zsh-done; + } + ]; + + # `localVariables` values don't get merged correctly due to their type, + # don't use `mkIf` + localVariables = { } + # Enable `zsh-done` through SSH, if configured + // lib.optionalAttrs cfg.notify.ssh.enable { DONE_ALLOW_NONGRAPHICAL = 1; } + ; + + # Use OSC-777 to send the notification through SSH + initExtra = lib.mkIf cfg.notify.ssh.useOsc777 '' + done_send_notification() { + local exit_status="$1" + local title="$2" + local message="$3" + + ${lib.getExe pkgs.ambroisie.osc777} "$title" "$message" + } + ''; + }; + }) ]); } From 8b07ff5bbe6bf4078ff8e4a1d356e8de735d505d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 12 Feb 2024 21:22:19 +0000 Subject: [PATCH 101/169] homes: bazin: enable zsh notifications --- hosts/homes/ambroisie@bazin/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix index a969d8a..c71e07c 100644 --- a/hosts/homes/ambroisie@bazin/default.nix +++ b/hosts/homes/ambroisie@bazin/default.nix @@ -21,5 +21,17 @@ package = pkgs.emptyDirectory; }; }; + + zsh = { + notify = { + enable = true; + + ssh = { + enable = true; + # `notify-send` is proxied to the ChromeOS layer + useOsc777 = false; + }; + }; + }; }; } From 08f31c088ba2b2682210a1e2de4aa7f412858fc8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 13 Feb 2024 14:34:12 +0000 Subject: [PATCH 102/169] home: atuin: explicitly set 'enter_accept' --- modules/home/atuin/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/home/atuin/default.nix b/modules/home/atuin/default.nix index 19a6fb9..b8973cc 100644 --- a/modules/home/atuin/default.nix +++ b/modules/home/atuin/default.nix 
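Review bot: In the `@@ -93,5 +103,35 @@` hunk of `modules/home/zsh/default.nix`, the `done_send_notification` override is gated on `cfg.notify.ssh.useOsc777` alone, and that option is declared with `mkDisableOption`, so it is presumably on by default. With `notify.enable = true` and `notify.ssh.enable = false`, the plugin's own notifier is still replaced by the OSC-777 helper, which may not be intended for an option that lives under `ssh`. Gating on both would match the option layout: `initExtra = lib.mkIf (cfg.notify.ssh.enable && cfg.notify.ssh.useOsc777) ''`. `exit_status` is assigned but never used in the function; either drop it or add a comment that the argument is ignored on purpose.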
@@ -25,6 +25,8 @@ in search_mode = "skim"; # Show long command lines at the bottom show_preview = true; + # I like being able to edit my commands + enter_accept = false; }; }; }; From 3c79a373e4744fc57497fedc9990efac6a0ae53b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 15 Feb 2024 16:32:37 +0000 Subject: [PATCH 103/169] pkgs: zsh-done: 0.1.0 -> 0.1.1 --- pkgs/zsh-done/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/zsh-done/default.nix b/pkgs/zsh-done/default.nix index bddc6c1..bdb6af3 100644 --- a/pkgs/zsh-done/default.nix +++ b/pkgs/zsh-done/default.nix @@ -2,13 +2,13 @@ stdenvNoCC.mkDerivation rec { pname = "zsh-done"; - version = "0.1.0"; + version = "0.1.1"; src = fetchFromGitHub { owner = "ambroisie"; repo = "zsh-done"; rev = "v${version}"; - hash = "sha256-DC7urJDXPP9vBYABrJF5KZ4HfMbrpHIVogSmEB8PWLA="; + hash = "sha256-dyhPhoMrAfDWtrBX5TA+B3G7QZ7gBhoDGNOEqGsCBQU="; }; dontConfigure = true; From a0dde6f27437c8e52c4f72187d8d3899cd90e30f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 15 Feb 2024 16:33:27 +0000 Subject: [PATCH 104/169] home: zsh: add notification exclusion list --- modules/home/zsh/default.nix | 36 ++++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/modules/home/zsh/default.nix b/modules/home/zsh/default.nix index d983116..5bfeaee 100644 --- a/modules/home/zsh/default.nix +++ b/modules/home/zsh/default.nix 
@@ -19,6 +19,27 @@ in notify = { enable = mkEnableOption "zsh-done notification"; + exclude = mkOption { + type = with types; listOf str; + default = [ + "direnv reload" + "fg" + "git (?!push|pull|fetch)" + "htop" + "less" + "man" + "nvim" + "tail -f" + "tmux" + "vim" + ]; + example = [ "command --long-running-option" ]; + description = '' + List of exclusions which should not be create a notification. Accepts + Perl regexes (implicitly anchored with `^\s*`). + ''; + }; + ssh = { enable = mkEnableOption "notify through SSH/non-graphical connections"; @@ -116,10 +137,17 @@ in # `localVariables` values don't get merged correctly due to their type, # don't use `mkIf` - localVariables = { } - # Enable `zsh-done` through SSH, if configured - // lib.optionalAttrs cfg.notify.ssh.enable { DONE_ALLOW_NONGRAPHICAL = 1; } - ; + localVariables = { + DONE_EXCLUDE = + let + joined = lib.concatMapStringsSep "|" (c: "(${c})") cfg.notify.exclude; + in + ''^\s*(${joined})''; + } + # Enable `zsh-done` through SSH, if configured + // lib.optionalAttrs cfg.notify.ssh.enable { + DONE_ALLOW_NONGRAPHICAL = 1; + }; # Use OSC-777 to send the notification through SSH initExtra = lib.mkIf cfg.notify.ssh.useOsc777 '' From b2a199c9a02c164f93ecf50e41077dbc3744c2bc Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 15 Feb 2024 16:58:54 +0000 Subject: [PATCH 105/169] home: nix: fix cache configuration Copy-paste is bad kids, the home-manager module does *not* do the same as NixOS. I was rebuilding the world, since this was overriding the official Hydra cache... --- modules/home/nix/default.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/home/nix/default.nix b/modules/home/nix/default.nix index 07606bb..0934189 100644 --- a/modules/home/nix/default.nix +++ b/modules/home/nix/default.nix 
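Review bot: In `modules/home/zsh/default.nix`, the `DONE_EXCLUDE` pattern built in the `@@ -116,10 +137,17 @@` hunk anchors only the start of the command, so the short defaults added in the `@@ -19,6 +19,27 @@` hunk act as prefixes: `"man"` also silences `mandb`, `"fg"` also silences `fgrep`, and so on. Either close the group with a word boundary, `''^\s*(${joined})\b''`, which still works with the `git (?!push|pull|fetch)` entry but would need checking for entries that end in a non-word character, or say in the option description that entries are prefix matches. The description also reads "should not be create a notification"; it should be "should not create a notification". Both hunks sit inside blocks that continue outside them.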
@@ -63,13 +63,11 @@ in (lib.mkIf cfg.cache.selfHosted { nix = { settings = { - # The NixOS module adds the official Hydra cache by default - # No need to use `extra-*` options. - substituters = [ + extra-substituters = [ "https://cache.belanyi.fr/" ]; - trusted-public-keys = [ + extra-trusted-public-keys = [ "cache.belanyi.fr:LPhrTqufwfxTceg1nRWueDWf7/2zSVY9K00pq2UI7tw=" ]; }; From c5e5bee206097db2046496fabff009f9673a99c0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 16 Feb 2024 19:04:49 +0000 Subject: [PATCH 106/169] home: git: enable 'rerere' How did I not already have it enabled? --- modules/home/git/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/home/git/default.nix b/modules/home/git/default.nix index 9c10257..1bb2215 100644 --- a/modules/home/git/default.nix +++ b/modules/home/git/default.nix @@ -148,6 +148,10 @@ in autoStash = true; }; + rerere = { + enabled = true; + }; + url = { "git@git.belanyi.fr:" = { insteadOf = "https://git.belanyi.fr/"; From 7e361aff9dd40ea4a9b3cae63c58390d2b6a9c31 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 16 Feb 2024 22:44:24 +0000 Subject: [PATCH 107/169] templates: c++-cmake: fix formatting --- templates/c++-cmake/tests/unit/CMakeLists.txt | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/templates/c++-cmake/tests/unit/CMakeLists.txt b/templates/c++-cmake/tests/unit/CMakeLists.txt index bb94448..266e3e3 100644 --- a/templates/c++-cmake/tests/unit/CMakeLists.txt +++ b/templates/c++-cmake/tests/unit/CMakeLists.txt 
@@ -1,15 +1,15 @@ find_package(GTest) -if (${GTest_FOUND}) -include(GoogleTest) +if(${GTest_FOUND}) + include(GoogleTest) -add_executable(dummy_test dummy_test.cc) -target_link_libraries(dummy_test PRIVATE common_options) + add_executable(dummy_test dummy_test.cc) + target_link_libraries(dummy_test PRIVATE common_options) -target_link_libraries(dummy_test PRIVATE - GTest::gtest - GTest::gtest_main -) + target_link_libraries(dummy_test PRIVATE + GTest::gtest + GTest::gtest_main + ) -gtest_discover_tests(dummy_test) -endif (${GTest_FOUND}) + gtest_discover_tests(dummy_test) +endif() From 5d38d94da6768c8fd0f3a4ab1263f10cdb2bde48 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 16 Feb 2024 22:56:44 +0000 Subject: [PATCH 108/169] templates: use 'backend' CI label --- templates/c++-cmake/.woodpecker/check.yml | 2 +- templates/c++-meson/.woodpecker/check.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/c++-cmake/.woodpecker/check.yml b/templates/c++-cmake/.woodpecker/check.yml index 628e491..aff6e84 100644 --- a/templates/c++-cmake/.woodpecker/check.yml +++ b/templates/c++-cmake/.woodpecker/check.yml @@ -1,5 +1,5 @@ labels: - type: exec + backend: local steps: - name: nix flake check diff --git a/templates/c++-meson/.woodpecker/check.yml b/templates/c++-meson/.woodpecker/check.yml index 628e491..aff6e84 100644 --- a/templates/c++-meson/.woodpecker/check.yml +++ b/templates/c++-meson/.woodpecker/check.yml @@ -1,5 +1,5 @@ labels: - type: exec + backend: local steps: - name: nix flake check From 65394711863dd75bbd5167ac4455787b05fe435f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 16 Feb 2024 23:00:57 +0000 Subject: [PATCH 109/169] templates: use explicit 'pre-commit check' CI step --- templates/c++-cmake/.woodpecker/check.yml | 5 +++++ templates/c++-meson/.woodpecker/check.yml | 5 +++++ 2 files changed, 10 insertions(+) 
diff --git a/templates/c++-cmake/.woodpecker/check.yml b/templates/c++-cmake/.woodpecker/check.yml index aff6e84..9135f7b 100644 --- a/templates/c++-cmake/.woodpecker/check.yml +++ b/templates/c++-cmake/.woodpecker/check.yml @@ -2,6 +2,11 @@ labels: backend: local steps: +- name: pre-commit check + image: bash + commands: + - nix develop --command pre-commit run --all + - name: nix flake check image: bash commands: diff --git a/templates/c++-meson/.woodpecker/check.yml b/templates/c++-meson/.woodpecker/check.yml index aff6e84..9135f7b 100644 --- a/templates/c++-meson/.woodpecker/check.yml +++ b/templates/c++-meson/.woodpecker/check.yml @@ -2,6 +2,11 @@ labels: backend: local steps: +- name: pre-commit check + image: bash + commands: + - nix develop --command pre-commit run --all + - name: nix flake check image: bash commands: From eb668525f8e977dd972af075ab8801921d914ffc Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 23 Feb 2024 13:14:09 +0000 Subject: [PATCH 110/169] home: zsh: ignore more commands for notification --- modules/home/zsh/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/zsh/default.nix b/modules/home/zsh/default.nix index 5bfeaee..a277366 100644 --- a/modules/home/zsh/default.nix +++ b/modules/home/zsh/default.nix @@ -22,6 +22,7 @@ in exclude = mkOption { type = with types; listOf str; default = [ + "delta" "direnv reload" "fg" "git (?!push|pull|fetch)" From f9cdff8c138e941720850487f90c6aa06878bbaa Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 23 Feb 2024 13:28:48 +0000 Subject: [PATCH 111/169] hosts: homes: bazin: ignore interactive adb shells --- hosts/homes/ambroisie@bazin/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix index c71e07c..a65a626 100644 --- a/hosts/homes/ambroisie@bazin/default.nix +++ b/hosts/homes/ambroisie@bazin/default.nix 
@@ -1,5 +1,5 @@ # Google Laptop configuration -{ lib, pkgs, ... }: +{ lib, options, pkgs, ... }: { services.gpg-agent.enable = lib.mkForce false; @@ -26,6 +26,10 @@ notify = { enable = true; + exclude = options.my.home.zsh.notify.exclude.default ++ [ + "adb shell$" # Only interactive shell sessions + ]; + ssh = { enable = true; # `notify-send` is proxied to the ChromeOS layer From b9b47fffd6cab923fd37bad5fddacfad8f7a1a74 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 29 Feb 2024 12:06:58 +0000 Subject: [PATCH 112/169] flake: bump inputs Fix the pyLoad user/group option that I added upstream [1]. Fix an evaluation error due to Pipewire changes [2]. [1]: https://github.com/NixOS/nixpkgs/pull/287304 [2]: https://github.com/NixOS/nixpkgs/pull/282377 --- flake.lock | 36 ++++++++++---------- modules/nixos/hardware/bluetooth/default.nix | 8 ++--- modules/nixos/services/pyload/default.nix | 23 ++----------- 3 files changed, 24 insertions(+), 43 deletions(-) diff --git a/flake.lock b/flake.lock index 33d3740..cd0b2de 100644 --- a/flake.lock +++ b/flake.lock @@ -14,11 +14,11 @@ ] }, "locked": { - "lastModified": 1703433843, - "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=", + "lastModified": 1707830867, + "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=", "owner": "ryantm", "repo": "agenix", - "rev": "417caa847f9383e111d1397039c9d4337d024bf0", + "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6", "type": "github" }, "original": { @@ -94,11 +94,11 @@ ] }, "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { 
@@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1707607386, - "narHash": "sha256-hj/RgQMTvCWQVInkZwiMMieumkfOjHXhtWhfuXHop/8=", + "lastModified": 1709204054, + "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=", "owner": "nix-community", "repo": "home-manager", - "rev": "bfd0ae29a86eff4603098683b516c67e22184511", + "rev": "2f3367769a93b226c467551315e9e270c3f78b15", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1707546158, - "narHash": "sha256-nYYJTpzfPMDxI8mzhQsYjIUX+grorqjKEU9Np6Xwy/0=", + "lastModified": 1709150264, + "narHash": "sha256-HofykKuisObPUfj0E9CJVfaMhawXkYx3G8UIFR/XQ38=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d934204a0f8d9198e1e4515dd6fec76a139c87f0", + "rev": "9099616b93301d5cf84274b184a3a5ec69e94e08", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1707648276, - "narHash": "sha256-KOU9ae22fglOXsOHCGYW25iFXnfnz2fSrUy75qfDyuA=", + "lastModified": 1709206595, + "narHash": "sha256-lBU/gE7DiJCNkJGPVUms0zA0hxzDVgENIXfebj1oeLc=", "owner": "nix-community", "repo": "NUR", - "rev": "c7fa9c6c3becdb8a330bf1202e009494a381ef32", + "rev": "fbe8df1c13fd8e63e35c2c4654104661eb1fbbed", "type": "github" }, "original": { @@ -197,11 +197,11 @@ ] }, "locked": { - "lastModified": 1707297608, - "narHash": "sha256-ADjo/5VySGlvtCW3qR+vdFF4xM9kJFlRDqcC9ZGI8EA=", + "lastModified": 1708018599, + "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "0db2e67ee49910adfa13010e7f012149660af7f0", + "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", "type": "github" }, "original": { diff --git a/modules/nixos/hardware/bluetooth/default.nix b/modules/nixos/hardware/bluetooth/default.nix index 2d840f9..c019b31 100644 --- a/modules/nixos/hardware/bluetooth/default.nix +++ b/modules/nixos/hardware/bluetooth/default.nix 
@@ -25,8 +25,8 @@ in package = pkgs.pulseaudioFull; }; - environment.etc = { - "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = '' + services.pipewire.wireplumber.configPackages = [ + (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" '' bluez_monitor.properties = { -- SBC XQ provides better audio ["bluez5.enable-sbc-xq"] = true, @@ -40,8 +40,8 @@ in -- FIXME: Some devices may now support both hsp_ag and hfp_ag ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]" } - ''; - }; + '') + ]; }) # Support for A2DP audio profile diff --git a/modules/nixos/services/pyload/default.nix b/modules/nixos/services/pyload/default.nix index 40bf12d..88889bf 100644 --- a/modules/nixos/services/pyload/default.nix +++ b/modules/nixos/services/pyload/default.nix @@ -39,31 +39,12 @@ in downloadDirectory port ; - }; - # Use pyload user/media group when downloading files - systemd.services.pyload = { - serviceConfig = { - User = lib.mkForce "pyload"; - Group = lib.mkForce "media"; - DynamicUser = lib.mkForce false; - }; - }; - - # And make sure the download directory has the correct owners - systemd.tmpfiles.settings.pyload = { - ${cfg.downloadDirectory}.d = { - user = "pyload"; - group = "media"; - }; - }; - - # Set-up pyload user and media group - users.users.pyload = { - isSystemUser = true; + # Use media group when downloading files group = "media"; }; + # Set-up media group users.groups.media = { }; my.services.nginx.virtualHosts = { From 56c0c28b02acc493ae028ebca5d77cc3a455ba81 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 1 Mar 2024 17:20:44 +0000 Subject: [PATCH 113/169] hosts: nixos: porthos: home: disable cache Same reason as the system-wide configuration... --- hosts/nixos/porthos/home.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hosts/nixos/porthos/home.nix b/hosts/nixos/porthos/home.nix index 90aa0ec..1de3565 100644 --- a/hosts/nixos/porthos/home.nix +++ b/hosts/nixos/porthos/home.nix 
@@ -1,6 +1,13 @@ { ... }: { my.home = { + nix = { + cache = { + # This server is the one serving the cache, don't try to query it + selfHosted = false; + }; + }; + # Allow using 24bit color when SSH-ing from various clients tmux.trueColorTerminals = [ # My usual terminal, e.g: on laptop From 4d25609b26633b6ccf3994162ca74cc179d6fbc6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 1 Mar 2024 20:48:44 +0000 Subject: [PATCH 114/169] nixos: system: nix: expand trusted users --- modules/nixos/system/nix/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/nixos/system/nix/default.nix b/modules/nixos/system/nix/default.nix index 47d6499..ad13539 100644 --- a/modules/nixos/system/nix/default.nix +++ b/modules/nixos/system/nix/default.nix @@ -56,6 +56,8 @@ in settings = { experimental-features = [ "nix-command" "flakes" ]; + # Trusted users are equivalent to root, and might as well allow wheel + trusted-users = [ "root" "@wheel" ]; }; }; } From a3afafd9e05958f6cf6368d10a36717562d3d99c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 2 Mar 2024 12:48:08 +0100 Subject: [PATCH 115/169] nixos: services: add mealie --- modules/nixos/services/default.nix | 1 + modules/nixos/services/mealie/default.nix | 72 +++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 modules/nixos/services/mealie/default.nix diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index 67504da..90dd3e1 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -16,6 +16,7 @@ ./jellyfin ./lohr ./matrix + ./mealie ./miniflux ./monitoring ./navidrome diff --git a/modules/nixos/services/mealie/default.nix b/modules/nixos/services/mealie/default.nix new file mode 100644 index 0000000..ebbebb2 --- /dev/null +++ b/modules/nixos/services/mealie/default.nix 
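Review bot: In the `@@ -56,6 +56,8 @@` hunk of `modules/nixos/system/nix/default.nix`, adding `@wheel` to `trusted-users` removes the authentication step that normally separates a wheel account from root. The comment is right that trusted users are root-equivalent to the Nix daemon, but a wheel member usually still has to pass sudo's password prompt, whereas a trusted user needs nothing further, so a hijacked session of any wheel account is enough. If the goal is only to let those users pick extra caches, consider leaving `trusted-users` at root and listing the caches under `trusted-substituters`. Otherwise extend the comment to say the sudo prompt is deliberately bypassed, e.g. `# NOTE: wheel members get daemon-level root without re-authenticating`.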
@@ -0,0 +1,72 @@ +{ config, lib, ... }: +let + cfg = config.my.services.mealie; +in +{ + options.my.services.mealie = with lib; { + enable = mkEnableOption "Mealie service"; + + port = mkOption { + type = types.port; + default = 4537; + example = 8080; + description = "Internal port for webui"; + }; + + credentialsFile = mkOption { + type = types.str; + example = "/var/lib/mealie/credentials.env"; + description = '' + Configuration file for secrets. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.mealie = { + enable = true; + inherit (cfg) port credentialsFile; + + settings = { + # Basic settings + BASE_URL = "https://mealie.${config.networking.domain}"; + TZ = config.time.timeZone; + ALLOw_SIGNUP = "false"; + + # Use PostgreSQL + DB_ENGINE = "postgres"; + POSTGRES_USER = "mealie"; + POSTGRES_PASSWORD = ""; + POSTGRES_SERVER = "/run/postgresql"; + # Pydantic and/or mealie doesn't handle the URI correctly, hijack it + # with query parameters... + POSTGRES_DB = "mealie?host=/run/postgresql&dbname=mealie"; + }; + }; + + systemd.services = { + mealie = { + after = [ "postgresql.service" ]; + requires = [ "postgresql.service" ]; + }; + }; + + # Set-up database + services.postgresql = { + enable = true; + ensureDatabases = [ "mealie" ]; + ensureUsers = [ + { + name = "mealie"; + ensureDBOwnership = true; + } + ]; + }; + + my.services.nginx.virtualHosts = { + mealie = { + inherit (cfg) port; + }; + }; + }; +} From 380933e69b83c7662ec97510e6ab52eef5aad159 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 2 Mar 2024 12:48:42 +0100 Subject: [PATCH 116/169] hosts: nixos: porthos: secrets: add mealie mail --- hosts/nixos/porthos/secrets/mealie/mail.age | Bin 0 -> 516 bytes hosts/nixos/porthos/secrets/secrets.nix | 4 ++++ 2 files changed, 4 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/mealie/mail.age 
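Review bot: In the new `modules/nixos/services/mealie/default.nix`, the settings key `ALLOw_SIGNUP` is spelled with a lower-case `w`, so the variable handed to the service is not `ALLOW_SIGNUP`. Unless Mealie's settings loader matches names case-insensitively, the instance falls back to its built-in sign-up default, which matters here because the service is published through an nginx virtual host. Change the line to `ALLOW_SIGNUP = "false";`. A short comment on `POSTGRES_PASSWORD = "";` saying that authentication presumably relies on peer authentication over the local socket at `/run/postgresql` would also help the next reader.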
diff --git a/hosts/nixos/porthos/secrets/mealie/mail.age b/hosts/nixos/porthos/secrets/mealie/mail.age new file mode 100644 index 0000000000000000000000000000000000000000..b7348ae2a09fbf001f2354936f2df7112ed29c5d GIT binary patch literal 516 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn_Ri1BO;-r;FpNkx zarH6C4=*q_$PdV^^3Mw|@riKHk4g%!N(}Th2nj4s%`D4z_vA|Vjm#?Yc6Kawb16$J zHgpMbuQV?X$qdP?NH(nUEHMiz3v|v%EG_k{Oh&gYDdN{xo*F+wSMJ%o+)34Qd+m$Y#mNF2nAzMs+zmCZ z&HkO;SFQHv_}4?xM|;~Qq<<+mA+_rmgEqgD?OD!_Kj9&@^Z#_{x_13#%22y&^)Az0 zYmp+WBU25pX>QpU{}mgV3oV+S%QPoCC#oAvx+|#8!d`zx;7Rp8zG&tf!rQZWpU(F6 z*?IH(%8v^^9AYf7@Y(wF|K9|0riHO=+L2#*-Y>sV+qFDQonOmAkHPHSX2-s*GY_7d zy}Kc*<3{?G)01B=%sMEVsJ$zXk89V>r5C0>cJT~bmUFSQxxVDqmm3`kZ;j%20{|t3 B%@+Uw literal 0 HcmV?d00001 diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index 43a9b35..3545e3a 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix @@ -41,6 +41,10 @@ in publicKeys = all; }; + "mealie/mail.age" = { + publicKeys = all; + }; + "miniflux/credentials.age".publicKeys = all; "monitoring/password.age" = { From 7f0a889ccd1cf1139fe7c9327dd1821ed884b116 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 2 Mar 2024 12:48:59 +0100 Subject: [PATCH 117/169] hosts: nixos: porthos: services: enable mealie --- hosts/nixos/porthos/services.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index 2486752..c3ffa39 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -68,6 +68,10 @@ in secretFile = secrets."matrix/sliding-sync-secret".path; }; }; + mealie = { + enable = true; + credentialsFile = secrets."mealie/mail".path; + }; miniflux = { enable = true; credentialsFiles = secrets."miniflux/credentials".path; From 6bef924513a1e72243808ab4d8277cb65aa68047 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Mon, 4 Mar 2024 11:44:49 +0000 Subject: [PATCH 118/169] overlays: remove gruvbox-nvim-treesitter-fix Not needed anymore. This reverts commit d6eceea08a12b09ebcf6396402f6f5242242c667. --- overlays/gruvbox-nvim-treesitter-fix/default.nix | 4 ---- overlays/gruvbox-nvim-treesitter-fix/generated.nix | 14 -------------- 2 files changed, 18 deletions(-) delete mode 100644 overlays/gruvbox-nvim-treesitter-fix/default.nix delete mode 100644 overlays/gruvbox-nvim-treesitter-fix/generated.nix diff --git a/overlays/gruvbox-nvim-treesitter-fix/default.nix b/overlays/gruvbox-nvim-treesitter-fix/default.nix deleted file mode 100644 index 832e71d..0000000 --- a/overlays/gruvbox-nvim-treesitter-fix/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -self: prev: -{ - vimPlugins = prev.vimPlugins.extend (self.callPackage ./generated.nix { }); -} diff --git a/overlays/gruvbox-nvim-treesitter-fix/generated.nix b/overlays/gruvbox-nvim-treesitter-fix/generated.nix deleted file mode 100644 index 5a18d62..0000000 --- a/overlays/gruvbox-nvim-treesitter-fix/generated.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ fetchFromGitHub }: - -_final: prev: { - gruvbox-nvim = prev.gruvbox-nvim.overrideAttrs (_: { - version = "2024-01-29"; - - src = fetchFromGitHub { - owner = "ellisonleao"; - repo = "gruvbox.nvim"; - rev = "6e4027ae957cddf7b193adfaec4a8f9e03b4555f"; - sha256 = "sha256-jWnrRy/PT7D0UcPGL+XTbKHWvS0ixvbyqPtTzG9HY84="; - }; - }); -} From ed15e62e1d390d46f18565a02266c9021ec09075 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 12:44:08 +0000 Subject: [PATCH 119/169] nixos: services: gitea: use 'git' group --- modules/nixos/services/gitea/default.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 4a8a3bb..e7f39a5 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix 
@@ -58,6 +58,8 @@ in appName = "Ambroisie's forge"; user = "git"; + group = "git"; + lfs.enable = true; useWizard = false; @@ -107,11 +109,6 @@ in home = config.services.gitea.stateDir; useDefaultShell = true; group = "git"; - - # The service for gitea seems to hardcode the group as - # gitea, so, uh, just in case? - extraGroups = [ "gitea" ]; - isSystemUser = true; }; users.groups.git = { }; From 40d1b3983700b1b1fa1899679e94dc9bc80fc65b Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 14:16:22 +0000 Subject: [PATCH 120/169] nixos: services: gitea: update mail configuration --- hosts/nixos/porthos/services.nix | 2 +- modules/nixos/services/gitea/default.nix | 26 ++++++++++++------------ 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index c3ffa39..c872160 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix @@ -41,7 +41,7 @@ in enable = true; mail = { enable = true; - host = "smtp.migadu.com:465"; + host = "smtp.migadu.com"; user = lib.my.mkMailAddress "gitea" "belanyi.fr"; passwordFile = secrets."gitea/mail-password".path; }; diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index e7f39a5..6185a22 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -18,9 +18,15 @@ in }; host = mkOption { type = types.str; - example = "smtp.example.com:465"; + example = "smtp.example.com"; description = "Host for the mail account"; }; + port = mkOption { + type = types.port; + default = 465; + example = 587; + description = "Port for the mail account"; + }; user = mkOption { type = types.str; example = "gitea@example.com"; 
@@ -31,17 +37,11 @@ in example = "/run/secrets/gitea-mail-password.txt"; description = "Password for the mail account"; }; - type = mkOption { + protocol = mkOption { type = types.str; - default = "smtp"; + default = "smtps"; example = "smtp"; - description = "Password for the mail account"; - }; - tls = mkOption { - type = types.bool; - default = true; - example = false; - description = "Use TLS for connection"; + description = "Protocol for connection"; }; }; }; @@ -86,11 +86,11 @@ in mailer = lib.mkIf cfg.mail.enable { ENABLED = true; - HOST = cfg.mail.host; + SMTP_ADDR = cfg.mail.host; + SMTP_PORT = cfg.mail.port; FROM = cfg.mail.user; USER = cfg.mail.user; - MAILER_TYPE = cfg.mail.type; - IS_TLS_ENABLED = cfg.mail.tls; + PROTOCOL = cfg.mail.protocol; }; service = { From d423a03663ccabde691f2b59b34ed1be756c0eed Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 14:20:57 +0000 Subject: [PATCH 121/169] nixos: services: gitea: fix mail 'FROM' address --- modules/nixos/services/gitea/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 6185a22..212f59c 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -88,7 +88,7 @@ in ENABLED = true; SMTP_ADDR = cfg.mail.host; SMTP_PORT = cfg.mail.port; - FROM = cfg.mail.user; + FROM = "Gitea <${cfg.mail.user}>"; USER = cfg.mail.user; PROTOCOL = cfg.mail.protocol; }; From 6a47703c08ebeed4b3f62f5db9844f87eb955ded Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 21:15:57 +0000 Subject: [PATCH 122/169] pkgs: add digestpp --- pkgs/default.nix | 2 ++ pkgs/digestpp/default.nix | 31 +++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 pkgs/digestpp/default.nix diff --git a/pkgs/default.nix b/pkgs/default.nix index 6b7fce1..94f3440 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
@@ -10,6 +10,8 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { diff-flake = pkgs.callPackage ./diff-flake { }; + digestpp = pkgs.callPackage ./digestpp { }; + dragger = pkgs.callPackage ./dragger { }; drone-rsync = pkgs.callPackage ./drone-rsync { }; diff --git a/pkgs/digestpp/default.nix b/pkgs/digestpp/default.nix new file mode 100644 index 0000000..2fd90db --- /dev/null +++ b/pkgs/digestpp/default.nix @@ -0,0 +1,31 @@ +{ lib +, fetchFromGitHub +, stdenv +}: +stdenv.mkDerivation { + pname = "digestpp"; + version = "0-unstable-2023-11-07"; + + src = fetchFromGitHub { + owner = "kerukuro"; + repo = "digestpp"; + rev = "ebb699402c244e22c3aff61d2239bcb2e87b8ef8"; + hash = "sha256-9X/P7DgZB6bSYjQWRli4iAXEFjhmACOVv3EYQrXuH5c="; + }; + + installPhase = '' + runHook preInstall + + mkdir -p $out/include/digestpp + cp -r *.hpp algorithm/ detail/ $out/include/digestpp + + runHook postInstall + ''; + + meta = with lib; { + description = "C++11 header-only message digest library"; + homepage = "https://github.com/kerukuro/digestpp"; + license = licenses.unlicense; + maintainers = with maintainers; [ ambroisie ]; + }; +} From ef882a52673bf3b7a7c4f4658624183c760e8b18 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 21:16:10 +0000 Subject: [PATCH 123/169] pkgs: add sqlite_orm --- pkgs/default.nix | 2 ++ pkgs/sqlite_orm/default.nix | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 pkgs/sqlite_orm/default.nix diff --git a/pkgs/default.nix b/pkgs/default.nix index 94f3440..ddd0b02 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -28,6 +28,8 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { rbw-pass = pkgs.callPackage ./rbw-pass { }; + sqlite_orm = pkgs.callPackage ./sqlite_orm { }; + unbound-zones-adblock = pkgs.callPackage ./unbound-zones-adblock { }; zsh-done = pkgs.callPackage ./zsh-done { }; diff --git a/pkgs/sqlite_orm/default.nix b/pkgs/sqlite_orm/default.nix new file mode 100644 index 0000000..3891eee --- /dev/null 
+++ b/pkgs/sqlite_orm/default.nix @@ -0,0 +1,32 @@ +{ lib +, cmake +, fetchFromGitHub +, sqlite +, stdenv +}: +stdenv.mkDerivation (finalAttrs: { + pname = "sqlite_orm"; + version = "1.8.2"; + + src = fetchFromGitHub { + owner = "fnc12"; + repo = "sqlite_orm"; + rev = "v${finalAttrs.version}"; + hash = "sha256-KqphGFcnR1Y11KqL7sxODSv7lEvcURdF6kLd3cg84kc="; + }; + + nativeBuildInputs = [ + cmake + ]; + + propagatedBuildInputs = [ + sqlite + ]; + + meta = with lib; { + description = "Light header only SQLite ORM"; + homepage = "https://sqliteorm.com/"; + license = licenses.agpl3Only; # MIT license is commercial + maintainers = with maintainers; [ ambroisie ]; + }; +}) From 84fea2f6771907a7b84cee07030fc3645a3c5dd3 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 21:16:34 +0000 Subject: [PATCH 124/169] pkgs: add bt-migrate --- pkgs/bt-migrate/default.nix | 61 +++++++++++++++++++++++++++++++++++++ pkgs/default.nix | 2 ++ 2 files changed, 63 insertions(+) create mode 100644 pkgs/bt-migrate/default.nix diff --git a/pkgs/bt-migrate/default.nix b/pkgs/bt-migrate/default.nix new file mode 100644 index 0000000..df99c55 --- /dev/null +++ b/pkgs/bt-migrate/default.nix 
@@ -0,0 +1,61 @@ +{ lib +, boost +, cmake +, cxxopts +, digestpp +, fetchFromGitHub +, fmt +, jsoncons +, pugixml +, sqlite_orm +, stdenv +}: +stdenv.mkDerivation { + pname = "bt-migrate"; + version = "0-unstable-2023-08-17"; + + src = fetchFromGitHub { + owner = "mikedld"; + repo = "bt-migrate"; + rev = "e15a489c0c76f98355586ebbee08223af4e9bf50"; + hash = "sha256-kA6yxhbIh3ThmgF8Zyoe3I79giLVmdNr9IIrw5Xx4s0="; + }; + + nativeBuildInputs = [ + cmake + ]; + + buildInputs = [ + boost + cxxopts + fmt + jsoncons + pugixml + sqlite_orm + ]; + + cmakeFlags = [ + (lib.strings.cmakeBool "USE_VCPKG" false) + # NOTE: digestpp does not have proper CMake packaging (yet?) + (lib.strings.cmakeBool "USE_FETCHCONTENT" true) + (lib.strings.cmakeFeature "FETCHCONTENT_SOURCE_DIR_DIGESTPP" "${digestpp}/include/digestpp") + ]; + + # NOTE: no install target in CMake... + installPhase = '' + runHook preInstall + + mkdir -p $out/bin + cp BtMigrate $out/bin + + runHook postInstall + ''; + + meta = with lib; { + description = "Torrent state migration tool"; + homepage = "https://github.com/mikedld/bt-migrate"; + license = licenses.gpl3Only; + maintainers = with maintainers; [ ambroisie ]; + mainProgram = "BtMigrate"; + }; +} diff --git a/pkgs/default.nix b/pkgs/default.nix index ddd0b02..e82a90c 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,5 +1,7 @@ { pkgs }: pkgs.lib.makeScope pkgs.newScope (pkgs: { + bt-migrate = pkgs.callPackage ./bt-migrate { }; + bw-pass = pkgs.callPackage ./bw-pass { }; change-audio = pkgs.callPackage ./change-audio { }; From a4e742bf5541967ee08954ab12f02a29633f8eb8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 21:45:18 +0000 Subject: [PATCH 125/169] nixos: services: blog: fix catch-all redirection Don't use a hard-coded address... --- modules/nixos/services/blog/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/nixos/services/blog/default.nix b/modules/nixos/services/blog/default.nix index 3e68df2..e4d2d42 100644 --- a/modules/nixos/services/blog/default.nix +++ b/modules/nixos/services/blog/default.nix @@ -35,7 +35,7 @@ in useACMEHost = domain; default = true; - locations."/".return = "302 https://belanyi.fr$request_uri"; + locations."/".return = "302 https://${domain}$request_uri"; }; }; From 97cc08d199977b5dca863c6c3963a9f3f1708be1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Mar 2024 11:32:28 +0000 Subject: [PATCH 126/169] flake: use explicit 'systems' input --- flake/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake/default.nix b/flake/default.nix index 65102e1..5e52025 100644 --- a/flake/default.nix +++ b/flake/default.nix @@ -1,9 +1,9 @@ { flake-parts -, futils +, systems , ... } @ inputs: let - mySystems = futils.lib.defaultSystems; + mySystems = import systems; in flake-parts.lib.mkFlake { inherit inputs; } { systems = mySystems; From 742b4c39a277b32d5f8afd0150457c953d09842a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Mar 2024 15:42:58 +0000 Subject: [PATCH 127/169] home: tmux: migrate to 'terminalFeatures' There are other terminal capabilities I want to override in tmux, so let's make this type more extensible. --- hosts/homes/ambroisie@bazin/default.nix | 6 ++-- hosts/homes/ambroisie@mousqueton/default.nix | 6 ++-- hosts/nixos/porthos/home.nix | 8 ++--- modules/home/tmux/default.nix | 35 ++++++++++++-------- 4 files changed, 33 insertions(+), 22 deletions(-) diff --git a/hosts/homes/ambroisie@bazin/default.nix b/hosts/homes/ambroisie@bazin/default.nix index a65a626..f52fbce 100644 --- a/hosts/homes/ambroisie@bazin/default.nix +++ b/hosts/homes/ambroisie@bazin/default.nix 
@@ -12,8 +12,10 @@ # I use scripts that use the passthrough sequence often on this host enablePassthrough = true; - # HTerm uses `xterm-256color` as its `$TERM`, so use that here - trueColorTerminals = [ "xterm-256color" ]; + terminalFeatures = { + # HTerm uses `xterm-256color` as its `$TERM`, so use that here + xterm-256color = { }; + }; }; ssh = { diff --git a/hosts/homes/ambroisie@mousqueton/default.nix b/hosts/homes/ambroisie@mousqueton/default.nix index 5c0a963..44e62e6 100644 --- a/hosts/homes/ambroisie@mousqueton/default.nix +++ b/hosts/homes/ambroisie@mousqueton/default.nix @@ -15,8 +15,10 @@ # I use scripts that use the passthrough sequence often on this host enablePassthrough = true; - # HTerm uses `xterm-256color` as its `$TERM`, so use that here - trueColorTerminals = [ "xterm-256color" ]; + terminalFeatures = { + # HTerm uses `xterm-256color` as its `$TERM`, so use that here + xterm-256color = { }; + }; }; }; } diff --git a/hosts/nixos/porthos/home.nix b/hosts/nixos/porthos/home.nix index 1de3565..c2c858b 100644 --- a/hosts/nixos/porthos/home.nix +++ b/hosts/nixos/porthos/home.nix @@ -8,11 +8,11 @@ }; }; - # Allow using 24bit color when SSH-ing from various clients - tmux.trueColorTerminals = [ + # Allow using extended features when SSH-ing from various clients + tmux.terminalFeatures = { # My usual terminal, e.g: on laptop - "alacritty" - ]; + alacritty = { }; + }; # Always start a tmux session when opening a shell session zsh.launchTmux = true; diff --git a/modules/home/tmux/default.nix b/modules/home/tmux/default.nix index 08aeb55..76e18ca 100644 --- a/modules/home/tmux/default.nix +++ b/modules/home/tmux/default.nix 
@@ -5,6 +5,14 @@ let config.my.home.x.enable (config.my.home.wm.windowManager != null) ]; + + mkTerminalFlags = opt: flag: + let + mkFlag = term: ''set -as terminal-features ",${term}:${flag}"''; + enabledTerminals = lib.filterAttrs (_: v: v.${opt}) cfg.terminalFeatures; + terminals = lib.attrNames enabledTerminals; + in + lib.concatMapStringsSep "\n" mkFlag terminals; in { options.my.home.tmux = with lib; { @@ -12,16 +20,20 @@ in enablePassthrough = mkEnableOption "tmux DCS passthrough sequence"; - trueColorTerminals = mkOption { - type = with types; listOf str; - default = lib.my.nullableToList config.my.home.terminal.program; - defaultText = '' - `[ config.my.home.terminal.program ]` if it is non-null, otherwise an - empty list. + terminalFeatures = mkOption { + type = with types; attrsOf (submodule { + options = { + trueColor = my.mkDisableOption "24-bit (RGB) color support"; + }; + }); + + default = { ${config.my.home.terminal.program} = { }; }; + defaultText = litteralExpression '' + { ''${config.my.home.terminal.program} = { }; }; ''; - example = [ "xterm-256color" ]; + example = { xterm-256color = { }; }; description = '' - $TERM values which should be considered to always support 24-bit color. + $TERM values which should be considered to have additional features. ''; }; }; @@ -90,12 +102,7 @@ in } # Force 24-bit color for each relevant $TERM - ${ - let - mkTcFlag = term: ''set -as terminal-features ",${term}:RGB"''; - in - lib.concatMapStringsSep "\n" mkTcFlag cfg.trueColorTerminals - } + ${mkTerminalFlags "trueColor" "RGB"} ''; }; } From 22139bd69f20911fb83aa7ab26ed6afd4974e771 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 7 Mar 2024 15:44:17 +0000 Subject: [PATCH 128/169] home: tmux: add hyperlinks support Somewhat unfortunate that those have to be enabled by force, but easy enough to support. --- modules/home/tmux/default.nix | 4 ++++ 1 file changed, 4 insertions(+) 
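Review bot: `defaultText = litteralExpression ''` in the new `terminalFeatures` option misspells the library function, which is `literalExpression`. Because option attributes are evaluated lazily, the undefined name will probably surface only when the option documentation is rendered, not in an ordinary build. The line should read `defaultText = literalExpression ''`. The quoted expression also ends in `{ }; };`, one `;` more than the actual `default`.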
diff --git a/modules/home/tmux/default.nix b/modules/home/tmux/default.nix index 76e18ca..61cf2ec 100644 --- a/modules/home/tmux/default.nix +++ b/modules/home/tmux/default.nix @@ -23,6 +23,8 @@ in terminalFeatures = mkOption { type = with types; attrsOf (submodule { options = { + hyperlinks = my.mkDisableOption "hyperlinks through OSC8"; + trueColor = my.mkDisableOption "24-bit (RGB) color support"; }; }); @@ -101,6 +103,8 @@ in '' } + # Force OSC8 hyperlinks for each relevant $TERM + ${mkTerminalFlags "hyperlinks" "hyperlinks"} # Force 24-bit color for each relevant $TERM ${mkTerminalFlags "trueColor" "RGB"} ''; From 8591fb8b3571899efcb4a850216a0b8bc5942435 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 8 Mar 2024 12:56:19 +0000 Subject: [PATCH 129/169] home: tmux: expand history limit --- modules/home/tmux/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/tmux/default.nix b/modules/home/tmux/default.nix index 61cf2ec..501b954 100644 --- a/modules/home/tmux/default.nix +++ b/modules/home/tmux/default.nix @@ -46,7 +46,7 @@ in keyMode = "vi"; # Home-row keys and other niceties clock24 = true; # I'm one of those heathens escapeTime = 0; # Let vim do its thing instead - historyLimit = 50000; # Bigger buffer + historyLimit = 100000; # Bigger buffer terminal = "tmux-256color"; # I want accurate termcap info plugins = with pkgs.tmuxPlugins; [ From c1ffe096312ca96aca76b07fa0db465d44331778 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 12:32:40 +0000 Subject: [PATCH 130/169] nixos: services: add forgejo --- modules/nixos/services/default.nix | 1 + modules/nixos/services/forgejo/default.nix | 162 +++++++++++++++++++++ 2 files changed, 163 insertions(+) create mode 100644 modules/nixos/services/forgejo/default.nix diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index 90dd3e1..3b32d06 100644 --- a/modules/nixos/services/default.nix 
+++ b/modules/nixos/services/default.nix @@ -10,6 +10,7 @@ ./drone ./fail2ban ./flood + ./forgejo ./gitea ./grocy ./indexers diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix new file mode 100644 index 0000000..0f3dfc5 --- /dev/null +++ b/modules/nixos/services/forgejo/default.nix 
@@ -0,0 +1,162 @@ +# A low-ressource, full-featured git forge. +{ config, lib, ... }: +let + cfg = config.my.services.forgejo; +in +{ + options.my.services.forgejo = with lib; { + enable = mkEnableOption "Forgejo"; + port = mkOption { + type = types.port; + default = 3042; + example = 8080; + description = "Internal port"; + }; + mail = { + enable = mkEnableOption { + description = "mailer configuration"; + }; + host = mkOption { + type = types.str; + example = "smtp.example.com"; + description = "Host for the mail account"; + }; + port = mkOption { + type = types.port; + default = 465; + example = 587; + description = "Port for the mail account"; + }; + user = mkOption { + type = types.str; + example = "forgejo@example.com"; + description = "User for the mail account"; + }; + passwordFile = mkOption { + type = types.str; + example = "/run/secrets/forgejo-mail-password.txt"; + description = "Password for the mail account"; + }; + protocol = mkOption { + type = types.str; + default = "smtps"; + example = "smtp"; + description = "Protocol for connection"; + }; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = cfg.enable -> !config.my.services.gitea.enable; + message = '' + `config.my.services.forgejo` is incompatible with + `config.my.services.gitea`. + ''; + } + ]; + + services.forgejo = + let + inherit (config.networking) domain; + forgejoDomain = "git.${domain}"; + in + { + enable = true; + + user = "git"; + group = "git"; + + lfs.enable = true; + + useWizard = false; + + database = { + type = "postgres"; # Automatic setup + user = "git"; # User needs to be the same as forgejo user + name = "git"; # Name must be the same as user for `ensureDBOwnership` + }; + + # NixOS module uses `forgejo dump` to backup repositories and the database, + # but it produces a single .zip file that's not very backup friendly. + # I configure my backup system manually below. 
+ dump.enable = false; + + mailerPasswordFile = lib.mkIf cfg.mail.enable cfg.mail.passwordFile; + + settings = { + DEFAULT = { + APP_NAME = "Ambroisie's forge"; + }; + + server = { + HTTP_PORT = cfg.port; + DOMAIN = forgejoDomain; + ROOT_URL = "https://${forgejoDomain}"; + }; + + mailer = lib.mkIf cfg.mail.enable { + ENABLED = true; + SMTP_ADDR = cfg.mail.host; + SMTP_PORT = cfg.mail.port; + FROM = "Forgejo <${cfg.mail.user}>"; + USER = cfg.mail.user; + PROTOCOL = cfg.mail.protocol; + }; + + service = { + DISABLE_REGISTRATION = true; + }; + + session = { + # only send cookies via HTTPS + COOKIE_SECURE = true; + }; + }; + }; + + users.users.git = { + description = "Forgejo Service"; + home = config.services.forgejo.stateDir; + useDefaultShell = true; + group = "git"; + isSystemUser = true; + }; + users.groups.git = { }; + + my.services.nginx.virtualHosts = { + # Proxy to Forgejo + git = { + inherit (cfg) port; + }; + # Redirect `forgejo.` to actual forge subdomain + forgejo = { + redirect = config.services.forgejo.settings.server.ROOT_URL; + }; + }; + + my.services.backup = { + paths = [ + config.services.forgejo.lfs.contentDir + config.services.forgejo.repositoryRoot + ]; + }; + + services.fail2ban.jails = { + forgejo = '' + enabled = true + filter = forgejo + action = iptables-allports + ''; + }; + + environment.etc = { + "fail2ban/filter.d/forgejo.conf".text = '' + [Definition] + failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from $ + journalmatch = _SYSTEMD_UNIT=forgejo.service + ''; + }; + }; +} From b41fd9e48ecc27f79757f014272c2c190e0c7d9b Mon Sep 17 00:00:00 2001 
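Review bot: `mail.enable = mkEnableOption { description = "mailer configuration"; };` passes an attribute set where `mkEnableOption` expects the feature name as a string, so the generated description cannot be built. It should be `enable = mkEnableOption "mailer configuration";`. Separately, the fail2ban filter's `failregex` as shown here ends in `from $` with no `<HOST>` tag. The tag may simply have been lost in rendering, but if the file really reads that way the jail has no address to act on, and the line should end `from <HOST>$`.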
From: Bruno BELANYI Date: Tue, 5 Mar 2024 12:32:40 +0000 Subject: [PATCH 131/169] hosts: nixos: porthos: secrets: add forgejo mail --- hosts/nixos/porthos/secrets/forgejo/mail-password.age | 10 ++++++++++ hosts/nixos/porthos/secrets/secrets.nix | 5 +++++ 2 files changed, 15 insertions(+) create mode 100644 hosts/nixos/porthos/secrets/forgejo/mail-password.age diff --git a/hosts/nixos/porthos/secrets/forgejo/mail-password.age b/hosts/nixos/porthos/secrets/forgejo/mail-password.age new file mode 100644 index 0000000..67ef695 --- /dev/null +++ b/hosts/nixos/porthos/secrets/forgejo/mail-password.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg Lhgx43wR8PtAMf5v1eJxKlUBSAoOLdOOn/QaQrwF8zA +jfUCpgNzkHCNTWCqtErDaLMmg1Oy+s9zUra1JLCi+J4 +-> ssh-ed25519 jPowng kSeQ/SmMrzd8ByVu3YHWeZyKmqFZvQSBnDunkB8e6wc +WRmnfrV5xcRXA9t0ZXx6YvbRl0sX4PTrw63VVKX4Ei4 +--- a+LLM1gP9g1AbUapbeeKaS4cEcRBmPo3MHU2DSWTAds +Ò,FÜÒ6”â⬘ ix̰Øe| « +² +ÌÏœ,{† ˆõvª!–†‰zÜ$P;ãé©TØÆÉKW + qGô \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index 3545e3a..bea380c 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix @@ -21,6 +21,11 @@ in "drone/secret.age".publicKeys = all; "drone/ssh/private-key.age".publicKeys = all; + "forgejo/mail-password.age" = { + owner = "git"; + publicKeys = all; + }; + "gitea/mail-password.age" = { owner = "git"; publicKeys = all; From f3207468f979d5bffc42e131152d33bff6d8548c Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 9 Mar 2024 13:34:38 +0100 Subject: [PATCH 132/169] nixos: services: woodpecker: configurable forge --- modules/nixos/services/woodpecker/default.nix | 6 ++++++ modules/nixos/services/woodpecker/server/default.nix | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/woodpecker/default.nix b/modules/nixos/services/woodpecker/default.nix index 34ffca6..8fa692e 100644 
--- a/modules/nixos/services/woodpecker/default.nix +++ b/modules/nixos/services/woodpecker/default.nix @@ -8,6 +8,12 @@ options.my.services.woodpecker = with lib; { enable = mkEnableOption "Woodpecker CI"; + forge = mkOption { + type = types.enum [ "gitea" "forgejo" ]; + default = "gitea"; + example = "forgejo"; + description = "Which Forge to connect to"; + }; runners = mkOption { type = with types; listOf (enum [ "exec" "docker" ]); default = [ ]; diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index f02a5c5..adf533e 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -17,7 +17,7 @@ in WOODPECKER_GRPC_ADDR = ":${toString cfg.rpcPort}"; WOODPECKER_GITEA = "true"; - WOODPECKER_GITEA_URL = config.services.gitea.settings.server.ROOT_URL; + WOODPECKER_GITEA_URL = config.services.${cfg.forge}.settings.server.ROOT_URL; WOODPECKER_LOG_LEVEL = "debug"; }; From 0f33dbd5c24440fd243725fd96f8081ad66750d8 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 12:32:40 +0000 Subject: [PATCH 133/169] hosts: nixos: porthos: switch to forgejo This required a quick rename to migrate from one to the other. --- hosts/nixos/porthos/services.nix | 8 ++++---- modules/nixos/services/woodpecker/default.nix | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix index c872160..a67ae3b 100644 --- a/hosts/nixos/porthos/services.nix +++ b/hosts/nixos/porthos/services.nix 
@@ -36,14 +36,14 @@ in flood = { enable = true; }; - # Gitea forge - gitea = { + # Forgejo forge + forgejo = { enable = true; mail = { enable = true; host = "smtp.migadu.com"; - user = lib.my.mkMailAddress "gitea" "belanyi.fr"; - passwordFile = secrets."gitea/mail-password".path; + user = lib.my.mkMailAddress "forgejo" "belanyi.fr"; + passwordFile = secrets."forgejo/mail-password".path; }; }; # Meta-indexers diff --git a/modules/nixos/services/woodpecker/default.nix b/modules/nixos/services/woodpecker/default.nix index 8fa692e..012eaae 100644 --- a/modules/nixos/services/woodpecker/default.nix +++ b/modules/nixos/services/woodpecker/default.nix @@ -10,8 +10,8 @@ enable = mkEnableOption "Woodpecker CI"; forge = mkOption { type = types.enum [ "gitea" "forgejo" ]; - default = "gitea"; - example = "forgejo"; + default = "forgejo"; + example = "gitea"; description = "Which Forge to connect to"; }; runners = mkOption { From 5d3160fb0de293fbc100f511be6d1034fdd91877 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 5 Mar 2024 00:45:31 +0100 Subject: [PATCH 134/169] hosts: nixos: porthos: migrate to new host OVH/Kimsufi are deprecating my current server by the end of the year. So let's migrate to a new host. This was more painful than initially planned, OVH introduced a change to their rescue system which messes with the NixOS installation [1]. In the end I used a kexec image [2] to run the installation. [1]: https://github.com/NixOS/nix/issues/7790 [2]: https://github.com/nix-community/nixos-images --- hosts/nixos/porthos/boot.nix | 11 ++++---- hosts/nixos/porthos/default.nix | 8 +----- hosts/nixos/porthos/hardware.nix | 13 +++++++-- hosts/nixos/porthos/install.sh | 29 ++++++++++++++------ hosts/nixos/porthos/networking.nix | 29 ++++++-------------- modules/home/ssh/default.nix | 2 +- modules/nixos/services/wireguard/default.nix | 2 +- 7 files changed, 48 insertions(+), 46 deletions(-) 
diff --git a/hosts/nixos/porthos/boot.nix b/hosts/nixos/porthos/boot.nix index fbc5db7..461e969 100644 --- a/hosts/nixos/porthos/boot.nix +++ b/hosts/nixos/porthos/boot.nix @@ -3,15 +3,14 @@ { boot = { - # Use the GRUB 2 boot loader. - loader.grub = { - enable = true; - # Define on which hard drive you want to install Grub. - device = "/dev/disk/by-id/ata-HGST_HUS724020ALA640_PN2181P6J58M1P"; + # Use the systemd-boot EFI boot loader. + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; }; initrd = { - availableKernelModules = [ "uhci_hcd" "ahci" "usbhid" ]; + availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "usbhid" "sd_mod" ]; kernelModules = [ "dm-snapshot" ]; }; diff --git a/hosts/nixos/porthos/default.nix b/hosts/nixos/porthos/default.nix index 2dea899..bd1bdb1 100644 --- a/hosts/nixos/porthos/default.nix +++ b/hosts/nixos/porthos/default.nix @@ -16,11 +16,5 @@ # Set your time zone. time.timeZone = "Europe/Paris"; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "20.09"; # Did you read the comment? + system.stateVersion = "24.05"; # Did you read the comment? } diff --git a/hosts/nixos/porthos/hardware.nix b/hosts/nixos/porthos/hardware.nix index 5a6e0d7..2172c5c 100644 --- a/hosts/nixos/porthos/hardware.nix +++ b/hosts/nixos/porthos/hardware.nix @@ -1,5 +1,5 @@ # Hardware configuration -{ lib, modulesPath, ... }: +{ modulesPath, ... }: { imports = [ 
@@ -11,9 +11,18 @@ fsType = "ext4"; }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "vfat"; + }; + swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + my.hardware = { + firmware = { + cpuFlavor = "intel"; + }; + }; } diff --git a/hosts/nixos/porthos/install.sh b/hosts/nixos/porthos/install.sh index 8edc175..e6ba0aa 100644 --- a/hosts/nixos/porthos/install.sh +++ b/hosts/nixos/porthos/install.sh @@ -3,7 +3,7 @@ SWAP_SIZE=16GiB parted /dev/sda --script -- \ - mklabel msdos \ + mklabel gpt \ mkpart primary 512MiB -$SWAP_SIZE \ mkpart primary linux-swap -$SWAP_SIZE 100% \ mkpart ESP fat32 1MiB 512MiB \ @@ -11,14 +11,24 @@ parted /dev/sda --script -- \ parted /dev/sdb --script -- \ mklabel gpt \ - mkpart primary 0MiB 100% + mkpart primary 0% 100% +parted /dev/sdc --script -- \ + mklabel gpt \ + mkpart primary 0% 100% +parted /dev/sdd --script -- \ + mklabel gpt \ + mkpart primary 0% 100% mkfs.ext4 -L media1 /dev/sda1 mkfs.ext4 -L media2 /dev/sdb1 +mkfs.ext4 -L media3 /dev/sdc1 +mkfs.ext4 -L media4 /dev/sdd1 pvcreate /dev/sda1 pvcreate /dev/sdb1 -vgcreate lvm /dev/sda1 /dev/sdb1 +pvcreate /dev/sdc1 +pvcreate /dev/sdd1 +vgcreate lvm /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd1 lvcreate -l 100%FREE -n media lvm mkfs.ext4 -L nixos /dev/mapper/lvm-media 
@@ -27,17 +37,17 @@ mkfs.fat -F 32 -n boot /dev/sda3 mount /dev/disk/by-label/nixos /mnt swapon /dev/sda2 +mkdir -p /mnt/boot +mount /dev/disk/by-label/boot /mnt/boot apt install sudo useradd -m -G sudo setupuser -# shellcheck disable=2117 -su setupuser cat << EOF # Run the following commands as setup user -curl -L https://nixos.org/nix/install | sh -. $HOME/.nix-profile/etc/profile.d/nix.sh -nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs +curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install +. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh +nix profile install nixpkgs#nixos-install-tools sudo "$(which nixos-generate-config)" --root /mnt # Change uuids to labels @@ -54,3 +64,6 @@ git crypt unlock nixos-install --root /mnt --flake '.#' EOF + +# shellcheck disable=2117 +su setupuser diff --git a/hosts/nixos/porthos/networking.nix b/hosts/nixos/porthos/networking.nix index 1e2c9cd..717652b 100644 --- a/hosts/nixos/porthos/networking.nix +++ b/hosts/nixos/porthos/networking.nix 
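Review bot: The printed instructions in the `@@ -27,17 +37,17 @@` hunk still pipe a remote installer straight into `sh`. `--proto '=https' --tlsv1.2` protects the transport, but not against a changed or compromised script at that URL. Since `setupuser` is in the `sudo` group, consider downloading the installer to a file and checking it against a published checksum or a pinned release before running it. A comment above the `curl` line would record that, e.g. `# NOTE: installer is unpinned; verify before running`. The heredoc continues outside this hunk.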
@@ -6,30 +6,17 @@ hostName = "porthos"; # Define your hostname. domain = "belanyi.fr"; # Define your domain. - - # The global useDHCP flag is deprecated, therefore explicitly set to false here. - # Per-interface useDHCP will be mandatory in the future, so this generated config - # replicates the default behaviour. - useDHCP = false; - + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + useDHCP = true; interfaces = { - bond0.useDHCP = true; - bonding_masters.useDHCP = true; - dummy0.useDHCP = true; - erspan0.useDHCP = true; - eth0.useDHCP = true; - eth1.useDHCP = true; - gre0.useDHCP = true; - gretap0.useDHCP = true; - ifb0.useDHCP = true; - ifb1.useDHCP = true; - ip6tnl0.useDHCP = true; - sit0.useDHCP = true; - teql0.useDHCP = true; - tunl0.useDHCP = true; + eno1.useDHCP = true; + eno2.useDHCP = true; }; }; # Which interface is used to connect to the internet - my.hardware.networking.externalInterface = "eth0"; + my.hardware.networking.externalInterface = "eno1"; } diff --git a/modules/home/ssh/default.nix b/modules/home/ssh/default.nix index 674cf6a..748b195 100644 --- a/modules/home/ssh/default.nix +++ b/modules/home/ssh/default.nix @@ -49,7 +49,7 @@ in }; porthos = { - hostname = "91.121.177.163"; + hostname = "37.187.146.15"; identityFile = "~/.ssh/shared_rsa"; user = "ambroisie"; }; diff --git a/modules/nixos/services/wireguard/default.nix b/modules/nixos/services/wireguard/default.nix index 26e54e0..a76e424 100644 --- a/modules/nixos/services/wireguard/default.nix +++ b/modules/nixos/services/wireguard/default.nix 
@@ -13,7 +13,7 @@ let porthos = { clientNum = 1; publicKey = "PLdgsizztddri0LYtjuNHr5r2E8D+yI+gM8cm5WDfHQ="; - externalIp = "91.121.177.163"; + externalIp = "37.187.146.15"; }; # "Clients" From 6140e1c8f926eced8867c71b18cdefa0f8a22f7a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 9 Mar 2024 22:00:17 +0100 Subject: [PATCH 135/169] nixos: services: lohr: migrate to tmpfiles This is better than a custom script. --- modules/nixos/services/lohr/default.nix | 34 ++++++++++++++----------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix index dd4eea8..21aadba 100644 --- a/modules/nixos/services/lohr/default.nix +++ b/modules/nixos/services/lohr/default.nix @@ -59,21 +59,6 @@ in "LOHR_HOME=${lohrHome}" "LOHR_CONFIG=" ]; - ExecStartPre = lib.mkIf (cfg.sshKeyFile != null) ''+${ - pkgs.writeScript "copy-ssh-key" '' - #!${pkgs.bash}/bin/bash - # Ensure the key is not there - mkdir -p '${lohrHome}/.ssh' - rm -f '${lohrHome}/.ssh/id_ed25519' - - # Move the key into place - cp ${cfg.sshKeyFile} '${lohrHome}/.ssh/id_ed25519' - - # Fix permissions - chown -R lohr:lohr '${lohrHome}/.ssh' - chmod -R 0700 '${lohrHome}/.ssh' - '' - }''; ExecStart = let configFile = settingsFormat.generate "lohr-config.yaml" cfg.setting; @@ -103,5 +88,24 @@ in inherit (cfg) port; }; }; + + # SSH key provisioning + systemd.tmpfiles.settings."10-lohr" = lib.mkIf (cfg.sshKeyFile != null) { + "${lohrHome}/.ssh" = { + d = { + user = "lohr"; + group = "lohr"; + mode = "0700"; + }; + }; + "${lohrHome}/.ssh/id_ed25519" = { + "f+" = { + user = "lohr"; + group = "lohr"; + mode = "0700"; + argument = cfg.sshKeyFile; + }; + }; + }; }; } From 08f4175412cc2257f3a30db51e310f4208009560 Mon Sep 17 00:00:00 2001 
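Review bot: In the new `systemd.tmpfiles.settings."10-lohr"` block, the `f+` entry does not copy the key. For `f`/`f+` lines, tmpfiles writes the argument string itself into the file, so `id_ed25519` would contain the path in `cfg.sshKeyFile` instead of the key material the removed `cp` put there. A copy type matches what the old script did: `"C+" = { user = "lohr"; group = "lohr"; mode = "0600"; argument = cfg.sshKeyFile; };` (or `L+` for a symlink, if the `lohr` user can read the source). Private keys are also conventionally `0600` rather than `0700`. It is worth confirming that the secret at `cfg.sshKeyFile` already exists when tmpfiles runs.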
From: Bruno BELANYI Date: Mon, 11 Mar 2024 11:52:42 +0000 Subject: [PATCH 136/169] overlays: add none-ls-shellcheck-nvim --- overlays/none-ls-shellcheck-nvim/default.nix | 4 ++++ overlays/none-ls-shellcheck-nvim/generated.nix | 15 +++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 overlays/none-ls-shellcheck-nvim/default.nix create mode 100644 overlays/none-ls-shellcheck-nvim/generated.nix diff --git a/overlays/none-ls-shellcheck-nvim/default.nix b/overlays/none-ls-shellcheck-nvim/default.nix new file mode 100644 index 0000000..832e71d --- /dev/null +++ b/overlays/none-ls-shellcheck-nvim/default.nix @@ -0,0 +1,4 @@ +self: prev: +{ + vimPlugins = prev.vimPlugins.extend (self.callPackage ./generated.nix { }); +} diff --git a/overlays/none-ls-shellcheck-nvim/generated.nix b/overlays/none-ls-shellcheck-nvim/generated.nix new file mode 100644 index 0000000..ee93a88 --- /dev/null +++ b/overlays/none-ls-shellcheck-nvim/generated.nix @@ -0,0 +1,15 @@ +{ vimUtils, fetchFromGitHub }: +_final: _prev: +{ + none-ls-shellcheck-nvim = vimUtils.buildVimPlugin { + pname = "none-ls-shellcheck.nvim"; + version = "2024-02-28"; + src = fetchFromGitHub { + owner = "gbprod"; + repo = "none-ls-shellcheck.nvim"; + rev = "1eed283a7ede771b522a0a9f30bb604f02f51d64"; + sha256 = "1hs0q9a0xwyqml0bfmplk89f1dk4nyg6aapfarnx44zqiw1183kn"; + }; + meta.homepage = "https://github.com/gbprod/none-ls-shellcheck.nvim/"; + }; +} From 30247ce3a07a8d804fa471dc69f4c1186a40421e Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Mon, 11 Mar 2024 11:53:19 +0000 Subject: [PATCH 137/169] home: vim: null-ls: fix deprecated builtins `none-ls` deprecated a lot of unmaintained builtins, or ones that they find has been replaced by a compete LSP server. This removes those deprecated builtins, or uses a shim until I migrate to the relevant LSP configuration (for `bash-language-server`). --- modules/home/vim/default.nix | 1 + modules/home/vim/plugin/settings/null-ls.lua | 26 +++----------------- 2 files changed, 5 insertions(+), 22 deletions(-) diff --git a/modules/home/vim/default.nix b/modules/home/vim/default.nix index 871bf40..3e1aee4 100644 --- a/modules/home/vim/default.nix +++ b/modules/home/vim/default.nix @@ -68,6 +68,7 @@ in lsp-format-nvim # Simplified formatting configuration lsp_lines-nvim # Show diagnostics *over* regions none-ls-nvim # LSP integration for linters and formatters + none-ls-shellcheck-nvim # shellcheck shim for none-ls nvim-treesitter.withAllGrammars # Better highlighting nvim-treesitter-textobjects # More textobjects nvim-ts-context-commentstring # Comment string in nested language blocks diff --git a/modules/home/vim/plugin/settings/null-ls.lua b/modules/home/vim/plugin/settings/null-ls.lua index 0eaa55c..9915194 100644 --- a/modules/home/vim/plugin/settings/null-ls.lua +++ b/modules/home/vim/plugin/settings/null-ls.lua @@ -28,14 +28,6 @@ null_ls.register({ }), }) --- Haskell -null_ls.register({ - null_ls.builtins.formatting.brittany.with({ - -- Only used if available - condition = utils.is_executable_condition("brittany"), - }), -}) - -- Nix null_ls.register({ null_ls.builtins.formatting.nixpkgs_fmt.with({ 
@@ -50,16 +42,6 @@ null_ls.register({ -- Python null_ls.register({ - null_ls.builtins.diagnostics.flake8.with({ - -- Only used if available, but prefer pflake8 if available - condition = function() - return utils.is_executable("flake8") and not utils.is_executable("pflake8") - end, - }), - null_ls.builtins.diagnostics.pyproject_flake8.with({ - -- Only used if available - condition = utils.is_executable_condition("pflake8"), - }), null_ls.builtins.diagnostics.mypy.with({ -- Only used if available condition = utils.is_executable_condition("mypy"), @@ -81,13 +63,13 @@ null_ls.register({ -- Shell (non-POSIX) null_ls.register({ - null_ls.builtins.code_actions.shellcheck.with({ + require("none-ls-shellcheck.diagnostics").with({ -- Restrict to bash and zsh filetypes = { "bash", "zsh" }, -- Only used if available condition = utils.is_executable_condition("shellcheck"), }), - null_ls.builtins.diagnostics.shellcheck.with({ + require("none-ls-shellcheck.code_actions").with({ -- Show error code in message diagnostics_format = "[#{c}] #{m}", -- Require explicit empty string test, use bash dialect @@ -110,13 +92,13 @@ null_ls.register({ -- Shell (POSIX) null_ls.register({ - null_ls.builtins.code_actions.shellcheck.with({ + require("none-ls-shellcheck.diagnostics").with({ -- Restrict to POSIX sh filetypes = { "sh" }, -- Only used if available condition = utils.is_executable_condition("shellcheck"), }), - null_ls.builtins.diagnostics.shellcheck.with({ + require("none-ls-shellcheck.code_actions").with({ -- Show error code in message diagnostics_format = "[#{c}] #{m}", -- Require explicit empty string test From f13a6fb023bf16954531e27aea752a2d24a18fbd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 11 Mar 2024 12:01:15 +0000 Subject: [PATCH 138/169] home: vim: lspconfig: add 'ruff-lsp' Since everybody is moving towards using it instead of other linters... --- modules/home/vim/plugin/settings/lspconfig.lua | 7 +++++++ 1 file changed, 7 insertions(+) 
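Review bot: The two shim sources are attached to the wrong option tables in the `Shell (non-POSIX)` hunk. `require("none-ls-shellcheck.diagnostics")` replaces the old `code_actions` entry, which only sets `filetypes` and `condition`, while `require("none-ls-shellcheck.code_actions")` receives `diagnostics_format` and the `extra_args` carrying `-s bash` and `-o avoid-nullary-conditions`. As written the diagnostics source runs without those arguments, so the bash dialect and the explicit empty-string check are presumably no longer applied when linting. Putting `require("none-ls-shellcheck.code_actions").with({` first and `require("none-ls-shellcheck.diagnostics").with({` second keeps each option table with the source it was written for. The `Shell (POSIX)` hunk that follows has the same swap, and both `null_ls.register` calls continue outside their hunks.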
diff --git a/modules/home/vim/plugin/settings/lspconfig.lua b/modules/home/vim/plugin/settings/lspconfig.lua index 794a765..7b2d95f 100644 --- a/modules/home/vim/plugin/settings/lspconfig.lua +++ b/modules/home/vim/plugin/settings/lspconfig.lua @@ -52,6 +52,13 @@ if utils.is_executable("pyright") then }) end +if utils.is_executable("ruff-lsp") then + lspconfig.ruff_lsp.setup({ + capabilities = capabilities, + on_attach = lsp.on_attach, + }) +end + -- Rust if utils.is_executable("rust-analyzer") then lspconfig.rust_analyzer.setup({ From 7a3e64f814c9be720eb5e638c5a7d63cd9b5537d Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 11 Mar 2024 12:04:38 +0000 Subject: [PATCH 139/169] home: vim: lspconfig: add 'hls' If I ever end up actually learning it... --- modules/home/vim/plugin/settings/lspconfig.lua | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/home/vim/plugin/settings/lspconfig.lua b/modules/home/vim/plugin/settings/lspconfig.lua index 7b2d95f..178898a 100644 --- a/modules/home/vim/plugin/settings/lspconfig.lua +++ b/modules/home/vim/plugin/settings/lspconfig.lua @@ -29,6 +29,14 @@ if utils.is_executable("clangd") then }) end +-- Haskell +if utils.is_executable("haskell-language-server-wrapper") then + lspconfig.hls.setup({ + capabilities = capabilities, + on_attach = lsp.on_attach, + }) +end + -- Nix if utils.is_executable("nil") then lspconfig.nil_ls.setup({ From dc27b5991220a1d019c339686af484f396660025 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Mon, 11 Mar 2024 12:20:53 +0000 Subject: [PATCH 140/169] home: vim: lspconfig: migrate to 'bashls' Since `none-ls` has removed their `shellcheck` built-in. This actually makes the diagnostics more robust to POSIX/non-POSIX scripts (the LSP server detects it at runtime, which is more robust than the `ftdetect` scripts). Nice bonus: the shellcheck code is shown in the diagnostics message without any configuration! I'm not sure if I can configure `avoid-nullary-conditions` -- though it seems like this check is broken at the moment (I couldn't get it to trigger during my tests). --- modules/home/vim/default.nix | 3 +- .../home/vim/plugin/settings/lspconfig.lua | 9 ++++++ modules/home/vim/plugin/settings/null-ls.lua | 32 ------------------- 3 files changed, 10 insertions(+), 34 deletions(-) diff --git a/modules/home/vim/default.nix b/modules/home/vim/default.nix index 3e1aee4..07711cc 100644 --- a/modules/home/vim/default.nix +++ b/modules/home/vim/default.nix @@ -68,7 +68,6 @@ in lsp-format-nvim # Simplified formatting configuration lsp_lines-nvim # Show diagnostics *over* regions none-ls-nvim # LSP integration for linters and formatters - none-ls-shellcheck-nvim # shellcheck shim for none-ls nvim-treesitter.withAllGrammars # Better highlighting nvim-treesitter-textobjects # More textobjects nvim-ts-context-commentstring # Comment string in nested language blocks @@ -106,7 +105,7 @@ in nixpkgs-fmt # Shell - shellcheck + nodePackages.bash-language-server shfmt ]; }; diff --git a/modules/home/vim/plugin/settings/lspconfig.lua b/modules/home/vim/plugin/settings/lspconfig.lua index 178898a..c2de2ea 100644 --- a/modules/home/vim/plugin/settings/lspconfig.lua +++ b/modules/home/vim/plugin/settings/lspconfig.lua 
@@ -74,3 +74,12 @@ if utils.is_executable("rust-analyzer") then on_attach = lsp.on_attach, }) end + +-- Shell +if utils.is_executable("bash-language-server") then + lspconfig.bashls.setup({ + filetypes = { "bash", "sh", "zsh" }, + capabilities = capabilities, + on_attach = lsp.on_attach, + }) +end diff --git a/modules/home/vim/plugin/settings/null-ls.lua b/modules/home/vim/plugin/settings/null-ls.lua index 9915194..c372751 100644 --- a/modules/home/vim/plugin/settings/null-ls.lua +++ b/modules/home/vim/plugin/settings/null-ls.lua @@ -63,22 +63,6 @@ null_ls.register({ -- Shell (non-POSIX) null_ls.register({ - require("none-ls-shellcheck.diagnostics").with({ - -- Restrict to bash and zsh - filetypes = { "bash", "zsh" }, - -- Only used if available - condition = utils.is_executable_condition("shellcheck"), - }), - require("none-ls-shellcheck.code_actions").with({ - -- Show error code in message - diagnostics_format = "[#{c}] #{m}", - -- Require explicit empty string test, use bash dialect - extra_args = { "-s", "bash", "-o", "avoid-nullary-conditions" }, - -- Restrict to bash and zsh - filetypes = { "bash", "zsh" }, - -- Only used if available - condition = utils.is_executable_condition("shellcheck"), - }), null_ls.builtins.formatting.shfmt.with({ -- Indent with 4 spaces, simplify the code, indent switch cases, -- add space after redirection, use bash dialect 
@@ -92,22 +76,6 @@ null_ls.register({ -- Shell (POSIX) null_ls.register({ - require("none-ls-shellcheck.diagnostics").with({ - -- Restrict to POSIX sh - filetypes = { "sh" }, - -- Only used if available - condition = utils.is_executable_condition("shellcheck"), - }), - require("none-ls-shellcheck.code_actions").with({ - -- Show error code in message - diagnostics_format = "[#{c}] #{m}", - -- Require explicit empty string test - extra_args = { "-o", "avoid-nullary-conditions" }, - -- Restrict to POSIX sh - filetypes = { "sh" }, - -- Only used if available - condition = utils.is_executable_condition("shellcheck"), - }), null_ls.builtins.formatting.shfmt.with({ -- Indent with 4 spaces, simplify the code, indent switch cases, -- add space after redirection, use POSIX From 9749f0aa28dc945125066aaf47cb6066237ce6f6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 11 Mar 2024 12:29:34 +0000 Subject: [PATCH 141/169] overlays: remove none-ls-shellcheck-nvim --- overlays/none-ls-shellcheck-nvim/default.nix | 4 ---- overlays/none-ls-shellcheck-nvim/generated.nix | 15 --------------- 2 files changed, 19 deletions(-) delete mode 100644 overlays/none-ls-shellcheck-nvim/default.nix delete mode 100644 overlays/none-ls-shellcheck-nvim/generated.nix diff --git a/overlays/none-ls-shellcheck-nvim/default.nix b/overlays/none-ls-shellcheck-nvim/default.nix deleted file mode 100644 index 832e71d..0000000 --- a/overlays/none-ls-shellcheck-nvim/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -self: prev: -{ - vimPlugins = prev.vimPlugins.extend (self.callPackage ./generated.nix { }); -} diff --git a/overlays/none-ls-shellcheck-nvim/generated.nix b/overlays/none-ls-shellcheck-nvim/generated.nix deleted file mode 100644 index ee93a88..0000000 --- a/overlays/none-ls-shellcheck-nvim/generated.nix +++ /dev/null 
@@ -1,15 +0,0 @@ -{ vimUtils, fetchFromGitHub }: -_final: _prev: -{ - none-ls-shellcheck-nvim = vimUtils.buildVimPlugin { - pname = "none-ls-shellcheck.nvim"; - version = "2024-02-28"; - src = fetchFromGitHub { - owner = "gbprod"; - repo = "none-ls-shellcheck.nvim"; - rev = "1eed283a7ede771b522a0a9f30bb604f02f51d64"; - sha256 = "1hs0q9a0xwyqml0bfmplk89f1dk4nyg6aapfarnx44zqiw1183kn"; - }; - meta.homepage = "https://github.com/gbprod/none-ls-shellcheck.nvim/"; - }; -} From b2dc051e6ad854c26784174c5b7823ebc9dbaec0 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sat, 9 Mar 2024 21:49:12 +0100 Subject: [PATCH 142/169] flake: bump inputs And fix the breaking changes in Vikunja (which actually make my configuration simpler). --- flake.lock | 24 +++++++++++----------- modules/nixos/services/vikunja/default.nix | 23 ++------------------- 2 files changed, 14 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index cd0b2de..ce8318f 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1706830856, - "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "lastModified": 1709336216, + "narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1709204054, - "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=", + "lastModified": 1709988192, + "narHash": "sha256-qxwIkl85P0I1/EyTT+NJwzbXdOv86vgZxcv4UKicjK8=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f3367769a93b226c467551315e9e270c3f78b15", + "rev": "b0b0c3d94345050a7f86d1ebc6c56eea4389d030", "type": "github" }, "original": { 
@@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709150264, - "narHash": "sha256-HofykKuisObPUfj0E9CJVfaMhawXkYx3G8UIFR/XQ38=", + "lastModified": 1709703039, + "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9099616b93301d5cf84274b184a3a5ec69e94e08", + "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1709206595, - "narHash": "sha256-lBU/gE7DiJCNkJGPVUms0zA0hxzDVgENIXfebj1oeLc=", + "lastModified": 1710013455, + "narHash": "sha256-qzOpU4APTso6JLA+/F4zlO/yL8++n/CsUpmxbQAsy/4=", "owner": "nix-community", "repo": "NUR", - "rev": "fbe8df1c13fd8e63e35c2c4654104661eb1fbbed", + "rev": "cf1e9b0e085368cc489c765f285f1d07c2ec8d36", "type": "github" }, "original": { diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 9767d00..6e7700f 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix @@ -30,8 +30,6 @@ in frontendScheme = "https"; frontendHostname = vikunjaDomain; - setupNginx = false; - database = { type = "postgres"; user = "vikunja"; @@ -61,28 +59,11 @@ in # This is a weird setup my.services.nginx.virtualHosts = { ${subdomain} = { - # Serve the root for the web-ui - root = config.services.vikunja.package-frontend; - - extraConfig = { - locations = { - "/" = { - tryFiles = "try_files $uri $uri/ /"; - }; - - # Serve the API through a UNIX socket - "~* ^/(api|dav|\\.well-known)/" = { - proxyPass = "http://unix:${socketPath}"; - extraConfig = '' - client_max_body_size 20M; - ''; - }; - }; - }; + socket = socketPath; }; }; - systemd.services.vikunja-api = { + systemd.services.vikunja = { serviceConfig = { # Use a system user to simplify using the CLI DynamicUser = lib.mkForce false; From 276cc7e5f2dcdfe2929128323501b261bcb5b455 Mon Sep 17 00:00:00 2001 
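Review bot: The removed API location carried `client_max_body_size 20M;`, and the replacement `socket = socketPath;` shows no equivalent. Unless the `my.services.nginx` wrapper sets one (not visible here), the vhost falls back to nginx's default request-body limit and larger attachment uploads would be rejected. If the 20M ceiling is still wanted, keep it explicit and bounded on the new vhost, e.g. `extraConfig.locations."/".extraConfig = "client_max_body_size 20M;";`, rather than dropping it silently. The context comment `# This is a weird setup` above the vhost also looks stale now that the custom root and locations are gone. The `systemd.services.vikunja` block continues outside the hunk.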
From: Bruno BELANYI Date: Mon, 11 Mar 2024 13:53:11 +0000 Subject: [PATCH 143/169] home: xdg: add '_JAVA_OPTIONS' --- modules/home/xdg/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/home/xdg/default.nix b/modules/home/xdg/default.nix index aac5058..b7ba32b 100644 --- a/modules/home/xdg/default.nix +++ b/modules/home/xdg/default.nix @@ -55,5 +55,6 @@ in REDISCLI_HISTFILE = "${dataHome}/redis/rediscli_history"; REPO_CONFIG_DIR = "${configHome}/repo"; XCOMPOSECACHE = "${dataHome}/X11/xcompose"; + _JAVA_OPTIONS = "-Djava.util.prefs.userRoot=${configHome}/java"; }; } From 3fb758028ca02108451e9cad3fb00d6ced482215 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 11 Mar 2024 14:48:14 +0000 Subject: [PATCH 144/169] home: vim: lspconfig: remove 'rnix-lsp' It's been abandoned, `nil` is a better language server nowadays. --- modules/home/vim/plugin/settings/lspconfig.lua | 7 ------- modules/home/vim/plugin/settings/null-ls.lua | 6 ++---- 2 files changed, 2 insertions(+), 11 deletions(-) diff --git a/modules/home/vim/plugin/settings/lspconfig.lua b/modules/home/vim/plugin/settings/lspconfig.lua index c2de2ea..628eab9 100644 --- a/modules/home/vim/plugin/settings/lspconfig.lua +++ b/modules/home/vim/plugin/settings/lspconfig.lua @@ -45,13 +45,6 @@ if utils.is_executable("nil") then }) end -if utils.is_executable("rnix-lsp") then - lspconfig.rnix.setup({ - capabilities = capabilities, - on_attach = lsp.on_attach, - }) -end - -- Python if utils.is_executable("pyright") then lspconfig.pyright.setup({ diff --git a/modules/home/vim/plugin/settings/null-ls.lua b/modules/home/vim/plugin/settings/null-ls.lua index c372751..50d12e0 100644 --- a/modules/home/vim/plugin/settings/null-ls.lua +++ b/modules/home/vim/plugin/settings/null-ls.lua 
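Review bot: `_JAVA_OPTIONS` deserves a comment where it is added to the session variables. Unlike the neighbouring history and cache paths it is an option string that every HotSpot JVM started from this session picks up, and each one prints a `Picked up _JAVA_OPTIONS: …` line on stderr. A line such as `# Applies to every JVM in the session; only used to relocate the user preferences root` above it would record why a global JVM flag is set here and what to check when a Java tool's stderr output changes. The surrounding attribute set starts outside the hunk.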
@@ -31,11 +31,9 @@ null_ls.register({ -- Nix null_ls.register({ null_ls.builtins.formatting.nixpkgs_fmt.with({ - -- Only used if available, but prefer rnix if available + -- Only used if available, but prefer LSP if available condition = function() - return utils.is_executable("nixpkgs-fmt") - and not utils.is_executable("rnix-lsp") - and not utils.is_executable("nil") + return utils.is_executable("nixpkgs-fmt") and not utils.is_executable("nil") end, }), }) From f06e99d95b3ddce679c7569f580d6d2d433ce27f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 11 Mar 2024 18:10:13 +0000 Subject: [PATCH 145/169] home: xdg: move 'less' variables to their module --- modules/home/pager/default.nix | 1 + modules/home/xdg/default.nix | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/home/pager/default.nix b/modules/home/pager/default.nix index aa72587..e304097 100644 --- a/modules/home/pager/default.nix +++ b/modules/home/pager/default.nix @@ -16,6 +16,7 @@ in LESS = "-R -+X -c"; # Better XDG compliance LESSHISTFILE = "${config.xdg.dataHome}/less/history"; + LESSKEY = "${config.xdg.configHome}/less/lesskey"; }; }; } diff --git a/modules/home/xdg/default.nix b/modules/home/xdg/default.nix index b7ba32b..8b01696 100644 --- a/modules/home/xdg/default.nix +++ b/modules/home/xdg/default.nix @@ -46,8 +46,6 @@ in GRADLE_USER_HOME = "${dataHome}/gradle"; HISTFILE = "${dataHome}/bash/history"; INPUTRC = "${configHome}/readline/inputrc"; - LESSHISTFILE = "${dataHome}/less/history"; - LESSKEY = "${configHome}/less/lesskey"; PSQL_HISTORY = "${dataHome}/psql_history"; PYTHONPYCACHEPREFIX = "${cacheHome}/python/"; PYTHONUSERBASE = "${dataHome}/python/"; From b24d299f7090348053e7b79307bc501b2d54a0e9 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Mon, 11 Mar 2024 18:13:41 +0000 Subject: [PATCH 146/169] home: xdg: move 'gdb' variables to their module --- modules/home/gdb/default.nix | 9 ++++++++- modules/home/xdg/default.nix | 1 - 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/home/gdb/default.nix b/modules/home/gdb/default.nix index ab51938..fe8eb69 100644 --- a/modules/home/gdb/default.nix +++ b/modules/home/gdb/default.nix @@ -26,7 +26,14 @@ in gdb ]; - xdg.configFile."gdb/gdbinit".source = ./gdbinit; + xdg = { + configFile."gdb/gdbinit".source = ./gdbinit; + dataFile. "gdb/.keep".text = ""; + }; + + home.sessionVariables = { + GDBHISTFILE = "${config.xdg.dataHome}/gdb/gdb_history"; + }; } (lib.mkIf cfg.rr.enable { diff --git a/modules/home/xdg/default.nix b/modules/home/xdg/default.nix index 8b01696..fb2668c 100644 --- a/modules/home/xdg/default.nix +++ b/modules/home/xdg/default.nix @@ -42,7 +42,6 @@ in ANDROID_USER_HOME = "${configHome}/android"; CARGO_HOME = "${dataHome}/cargo"; DOCKER_CONFIG = "${configHome}/docker"; - GDBHISTFILE = "${dataHome}/gdb/gdb_history"; GRADLE_USER_HOME = "${dataHome}/gradle"; HISTFILE = "${dataHome}/bash/history"; INPUTRC = "${configHome}/readline/inputrc"; From 07eca729f58e244702f953dcd98e0544d36a0bb1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Mar 2024 11:31:16 +0000 Subject: [PATCH 147/169] home: vim: null-ls: fix 'nixpkgs-fmt' condition I haven't configured `nil` to format anything. And I don't really care to, this is good enough for me. --- modules/home/vim/plugin/settings/null-ls.lua | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/home/vim/plugin/settings/null-ls.lua b/modules/home/vim/plugin/settings/null-ls.lua index 50d12e0..e7265c7 100644 --- a/modules/home/vim/plugin/settings/null-ls.lua +++ b/modules/home/vim/plugin/settings/null-ls.lua 
@@ -31,10 +31,8 @@ null_ls.register({ -- Nix null_ls.register({ null_ls.builtins.formatting.nixpkgs_fmt.with({ - -- Only used if available, but prefer LSP if available - condition = function() - return utils.is_executable("nixpkgs-fmt") and not utils.is_executable("nil") - end, + -- Only used if available + condition = utils.is_executable_condition("nixpkgs-fmt"), }), }) From 4a8981c7b493ad49878c1b6606dccc99244a0a6f Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Mar 2024 12:30:36 +0000 Subject: [PATCH 148/169] home: vim: lua: utils: fix documentation --- modules/home/vim/lua/ambroisie/utils.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/vim/lua/ambroisie/utils.lua b/modules/home/vim/lua/ambroisie/utils.lua index 418e0d1..7807e71 100644 --- a/modules/home/vim/lua/ambroisie/utils.lua +++ b/modules/home/vim/lua/ambroisie/utils.lua @@ -15,7 +15,7 @@ end --- return a function that checks if a given command is executable --- @param cmd string? command to check ---- @return fun(cmd: string): boolean executable +--- @return fun(): boolean executable M.is_executable_condition = function(cmd) return function() return M.is_executable(cmd) From 56e158f5c52d4333e7c1a3ddc3e2a34dc0aa40ae Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Mar 2024 12:30:36 +0000 Subject: [PATCH 149/169] home: vim: lua: utils: fix deprecated function --- modules/home/vim/lua/ambroisie/utils.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/vim/lua/ambroisie/utils.lua b/modules/home/vim/lua/ambroisie/utils.lua index 7807e71..fcb86e9 100644 --- a/modules/home/vim/lua/ambroisie/utils.lua +++ b/modules/home/vim/lua/ambroisie/utils.lua 
@@ -44,7 +44,7 @@ end --- @param bufnr int? buffer number --- @return table all active LSP client names M.list_lsp_clients = function(bufnr) - local clients = vim.lsp.buf_get_clients(bufnr) + local clients = vim.lsp.get_active_clients({ bufnr = bufnr or 0 }) local names = {} for _, client in ipairs(clients) do From 0108b06a02cef330ba71fbca975a9907ea8274c9 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Mar 2024 12:40:49 +0000 Subject: [PATCH 150/169] home: vim: lualine: use explicit buffer number I want to tighten the API of this function a little bit, so let's be more specific. --- modules/home/vim/plugin/settings/lualine.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/home/vim/plugin/settings/lualine.lua b/modules/home/vim/plugin/settings/lualine.lua index fdaccda..5219a95 100644 --- a/modules/home/vim/plugin/settings/lualine.lua +++ b/modules/home/vim/plugin/settings/lualine.lua @@ -10,7 +10,7 @@ local function list_spell_languages() end local function list_lsp_clients() - local client_names = utils.list_lsp_clients() + local client_names = utils.list_lsp_clients(0) if #client_names == 0 then return "" From 070df03b7e4d81ae75c298379fbd9279be11e903 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Mar 2024 12:42:21 +0000 Subject: [PATCH 151/169] home: vim: lua: utils: allow querying all clients --- modules/home/vim/lua/ambroisie/utils.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/home/vim/lua/ambroisie/utils.lua b/modules/home/vim/lua/ambroisie/utils.lua index fcb86e9..a84ea7b 100644 --- a/modules/home/vim/lua/ambroisie/utils.lua +++ b/modules/home/vim/lua/ambroisie/utils.lua 
@@ -40,11 +40,11 @@ M.is_ssh = function() return false end ---- list all active LSP clients for current buffer +--- list all active LSP clients for specific buffer, or all buffers --- @param bufnr int? buffer number --- @return table all active LSP client names M.list_lsp_clients = function(bufnr) - local clients = vim.lsp.get_active_clients({ bufnr = bufnr or 0 }) + local clients = vim.lsp.get_active_clients({ bufnr = bufnr }) local names = {} for _, client in ipairs(clients) do From b16b6a534bd55ba67ecbb5bc0c9ed6befbb18f64 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Mar 2024 15:11:11 +0000 Subject: [PATCH 152/169] home: vim: lua: lsp: use 'vim.print' --- modules/home/vim/lua/ambroisie/lsp.lua | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/home/vim/lua/ambroisie/lsp.lua b/modules/home/vim/lua/ambroisie/lsp.lua index 99d8dab..31a5bd1 100644 --- a/modules/home/vim/lua/ambroisie/lsp.lua +++ b/modules/home/vim/lua/ambroisie/lsp.lua @@ -51,8 +51,7 @@ M.on_attach = function(client, bufnr) local wk = require("which-key") local function list_workspace_folders() - local utils = require("ambroisie.utils") - utils.dump(vim.lsp.buf.list_workspace_folders()) + vim.print(vim.lsp.buf.list_workspace_folders()) end local function cycle_diagnostics_display() From d365aba3c0d91a0b1db91a420c2cddacf032a340 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Mar 2024 15:13:20 +0000 Subject: [PATCH 153/169] home: vim: lua: utils: remove 'dump' It's now available as 'vim.print'. --- modules/home/vim/lua/ambroisie/utils.lua | 6 ------ 1 file changed, 6 deletions(-) diff --git a/modules/home/vim/lua/ambroisie/utils.lua b/modules/home/vim/lua/ambroisie/utils.lua index a84ea7b..3d2dd3b 100644 --- a/modules/home/vim/lua/ambroisie/utils.lua +++ b/modules/home/vim/lua/ambroisie/utils.lua 
@@ -1,11 +1,5 @@ local M = {} ---- pretty print lua object ---- @param obj any object to pretty print -M.dump = function(obj) - print(vim.inspect(obj)) -end - --- checks if a given command is executable --- @param cmd string? command to check --- @return boolean executable From 0ff8366105ab0ba6d8da2571c58c9a69bc97b2e5 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 13 Mar 2024 13:08:57 +0000 Subject: [PATCH 154/169] home: vim: fix path high-lighting It was previously linked to `Underlined`, which just looks plain wrong IMO. This links it back to `GruvboxOrange`, as it used to be. --- modules/home/vim/init.vim | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/modules/home/vim/init.vim b/modules/home/vim/init.vim index bd63d25..0650014 100644 --- a/modules/home/vim/init.vim +++ b/modules/home/vim/init.vim @@ -88,6 +88,17 @@ set background=dark " 24 bit colors set termguicolors +" Setup some overrides for gruvbox +lua << EOF +local gruvbox = require("gruvbox") + +gruvbox.setup({ + overrides = { + -- Only URLs should be underlined + ["@string.special.path"] = { link = "GruvboxOrange" }, + } +}) +EOF " Use my preferred colorscheme colorscheme gruvbox " }}} From c0ef5c9275217ba76493cc496be441575ea2d09a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Wed, 13 Mar 2024 11:54:50 +0000 Subject: [PATCH 155/169] overlays: add gruvbox-nvin-expose-palette --- overlays/gruvbox-nvin-expose-palette/default.nix | 4 ++++ overlays/gruvbox-nvin-expose-palette/generated.nix | 14 ++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 overlays/gruvbox-nvin-expose-palette/default.nix create mode 100644 overlays/gruvbox-nvin-expose-palette/generated.nix diff --git a/overlays/gruvbox-nvin-expose-palette/default.nix b/overlays/gruvbox-nvin-expose-palette/default.nix new file mode 100644 index 0000000..832e71d --- /dev/null +++ b/overlays/gruvbox-nvin-expose-palette/default.nix 
@@ -0,0 +1,4 @@ +self: prev: +{ + vimPlugins = prev.vimPlugins.extend (self.callPackage ./generated.nix { }); +} diff --git a/overlays/gruvbox-nvin-expose-palette/generated.nix b/overlays/gruvbox-nvin-expose-palette/generated.nix new file mode 100644 index 0000000..c52ad04 --- /dev/null +++ b/overlays/gruvbox-nvin-expose-palette/generated.nix @@ -0,0 +1,14 @@ +{ fetchpatch, ... }: + +_final: prev: { + gruvbox-nvim = prev.gruvbox-nvim.overrideAttrs (oa: { + patches = (oa.patches or [ ]) ++ [ + # https://github.com/ellisonleao/gruvbox.nvim/pull/319 + (fetchpatch { + name = "expose-color-palette.patch"; + url = "https://github.com/ellisonleao/gruvbox.nvim/commit/07a493ba4f8b650aab9ed9e486caa89822be0996.patch"; + hash = "sha256-iGwt8qIHe2vaiAUcpaUxyGlM472F89vobTdQ7CF/H70="; + }) + ]; + }); +} From 10b4e6ce2dffdf829a8e13d056273a2767dafec3 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Mar 2024 10:56:08 +0000 Subject: [PATCH 156/169] home: vim: explicitly revert diff highlighting --- modules/home/vim/init.vim | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/home/vim/init.vim b/modules/home/vim/init.vim index 0650014..c94fc53 100644 --- a/modules/home/vim/init.vim +++ b/modules/home/vim/init.vim @@ -91,11 +91,17 @@ set termguicolors " Setup some overrides for gruvbox lua << EOF local gruvbox = require("gruvbox") +local colors = gruvbox.palette gruvbox.setup({ overrides = { -- Only URLs should be underlined ["@string.special.path"] = { link = "GruvboxOrange" }, + -- Revert back to the better diff highlighting + DiffAdd = { fg = colors.green, bg = "NONE" }, + DiffChange = { fg = colors.aqua, bg = "NONE" }, + DiffDelete = { fg = colors.red, bg = "NONE" }, + DiffText = { fg = colors.yellow, bg = colors.bg0 }, } }) EOF From 41e1ad326569d65120103748f562d3f72caf6562 Mon Sep 17 00:00:00 2001 
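Review bot: The new overlay directory is spelled `gruvbox-nvin-expose-palette` in the paths of both `default.nix` and `generated.nix` (and in the commit subject), which looks like a typo for `gruvbox-nvim`. Renaming it now keeps the misspelling out of anything that refers to overlays by directory name. `generated.nix` here appears to be a hand-written `overrideAttrs` rather than generated output, so a header comment such as `# Hand-written: carries the upstream palette patch until it is released` would tell the next reader it is safe to edit. The `fetchpatch` is pinned to a commit URL with a fixed `hash`, so the fetched content cannot change silently.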
From: Bruno BELANYI Date: Thu, 14 Mar 2024 10:57:21 +0000 Subject: [PATCH 157/169] overlays: remove 'gruvbox-nvim-better-diff' Now that I have the explicit override for it, this overlay is not necessary. This reverts commit 9e0930aca4fb0ae40c40c5cd932962e832d0ee0a. This reverts commit 28187c3b8f34c0912d9f8ce5f74f415a6b77a1c2. --- .../gruvbox-nvim-better-diff/colours.patch | 28 ------------------- overlays/gruvbox-nvim-better-diff/default.nix | 4 --- .../gruvbox-nvim-better-diff/generated.nix | 10 ------- 3 files changed, 42 deletions(-) delete mode 100644 overlays/gruvbox-nvim-better-diff/colours.patch delete mode 100644 overlays/gruvbox-nvim-better-diff/default.nix delete mode 100644 overlays/gruvbox-nvim-better-diff/generated.nix diff --git a/overlays/gruvbox-nvim-better-diff/colours.patch b/overlays/gruvbox-nvim-better-diff/colours.patch deleted file mode 100644 index 5b0d61a..0000000 --- a/overlays/gruvbox-nvim-better-diff/colours.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 416b3c9c5e783d173ac0fd5310a76c1b144b92c1 Mon Sep 17 00:00:00 2001 -From: eeeXun -Date: Thu, 19 Oct 2023 02:34:12 +0800 -Subject: Use better diff colours - ---- - README.md | 3 ++- - lua/gruvbox.lua | 7 ++++--- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/lua/gruvbox.lua b/lua/gruvbox.lua -index ceba0735..a319fc6a 100644 ---- a/lua/gruvbox.lua -+++ b/lua/gruvbox.lua -@@ -360,9 +361,9 @@ local function get_groups() - PmenuSel = { fg = colors.bg2, bg = colors.blue, bold = config.bold }, - PmenuSbar = { bg = colors.bg2 }, - PmenuThumb = { bg = colors.bg4 }, -- DiffDelete = { bg = colors.dark_red }, -- DiffAdd = { bg = colors.dark_green }, -- DiffChange = { bg = colors.dark_aqua }, -- DiffText = { bg = colors.yellow, fg = colors.bg0 }, -+ DiffDelete = { fg = colors.red }, -+ DiffAdd = { fg = colors.green }, -+ DiffChange = { fg = colors.aqua }, -+ DiffText = { fg = colors.yellow, bg = colors.bg0 }, - SpellCap = { link = "GruvboxBlueUnderline" }, - SpellBad = { link = "GruvboxRedUnderline" }, diff --git a/overlays/gruvbox-nvim-better-diff/default.nix b/overlays/gruvbox-nvim-better-diff/default.nix deleted file mode 100644 index 832e71d..0000000 --- a/overlays/gruvbox-nvim-better-diff/default.nix +++ /dev/null @@ -1,4 +0,0 @@ -self: prev: -{ - vimPlugins = prev.vimPlugins.extend (self.callPackage ./generated.nix { }); -} diff --git a/overlays/gruvbox-nvim-better-diff/generated.nix b/overlays/gruvbox-nvim-better-diff/generated.nix deleted file mode 100644 index 82a18c2..0000000 --- a/overlays/gruvbox-nvim-better-diff/generated.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -_final: prev: { - gruvbox-nvim = prev.gruvbox-nvim.overrideAttrs (oa: { - patches = (oa.patches or [ ]) ++ [ - # Inspired by https://github.com/ellisonleao/gruvbox.nvim/pull/291 - ./colours.patch - ]; - }); -} From 4a01a5053262c45bbeefd5ca4fd8ccff87440f5f Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Sat, 16 Mar 2024 19:49:00 +0100 Subject: [PATCH 158/169] flake: bump inputs And fix the update `pinentry` options in home-manager. --- flake.lock | 24 ++++++++++++------------ hosts/nixos/aramis/home.nix | 4 ++-- modules/home/bitwarden/default.nix | 9 ++------- modules/home/gpg/default.nix | 11 +++-------- 4 files changed, 19 insertions(+), 29 deletions(-) diff --git a/flake.lock b/flake.lock index ce8318f..a42d5dd 100644 --- a/flake.lock +++ b/flake.lock @@ -94,11 +94,11 @@ ] }, "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1709988192, - "narHash": "sha256-qxwIkl85P0I1/EyTT+NJwzbXdOv86vgZxcv4UKicjK8=", + "lastModified": 1710532761, + "narHash": "sha256-SUXGZNrXX05YA9G6EmgupxhOr3swI1gcxLUeDMUhrEY=", "owner": "nix-community", "repo": "home-manager", - "rev": "b0b0c3d94345050a7f86d1ebc6c56eea4389d030", + "rev": "206f457fffdb9a73596a4cb2211a471bd305243d", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709703039, - "narHash": "sha256-6hqgQ8OK6gsMu1VtcGKBxKQInRLHtzulDo9Z5jxHEFY=", + "lastModified": 1710451336, + "narHash": "sha256-pP86Pcfu3BrAvRO7R64x7hs+GaQrjFes+mEPowCfkxY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9df3e30ce24fd28c7b3e2de0d986769db5d6225d", + "rev": "d691274a972b3165335d261cc4671335f5c67de9", "type": "github" }, "original": { 
@@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1710013455, - "narHash": "sha256-qzOpU4APTso6JLA+/F4zlO/yL8++n/CsUpmxbQAsy/4=", + "lastModified": 1710607749, + "narHash": "sha256-TRgxM7sOiWF8cea73OzDnmfhyYnN8+vDHUUJlkDDZ/U=", "owner": "nix-community", "repo": "NUR", - "rev": "cf1e9b0e085368cc489c765f285f1d07c2ec8d36", + "rev": "b870db4117d587a8c5c2c8c9e2d311d7fa4befe2", "type": "github" }, "original": { diff --git a/hosts/nixos/aramis/home.nix b/hosts/nixos/aramis/home.nix index 66a0892..64b63ce 100644 --- a/hosts/nixos/aramis/home.nix +++ b/hosts/nixos/aramis/home.nix @@ -2,7 +2,7 @@ { my.home = { # Use graphical pinentry - bitwarden.pinentry = "gtk2"; + bitwarden.pinentry = pkgs.pinentry-gtk2; # Ebook library calibre.enable = true; # Some amount of social life @@ -14,7 +14,7 @@ # Blue light filter gammastep.enable = true; # Use a small popup to enter passwords - gpg.pinentry = "gtk2"; + gpg.pinentry = pkgs.pinentry-gtk2; # Machine specific packages packages.additionalPackages = with pkgs; [ element-desktop # Matrix client diff --git a/modules/home/bitwarden/default.nix b/modules/home/bitwarden/default.nix index c709f7b..0c0dfab 100644 --- a/modules/home/bitwarden/default.nix +++ b/modules/home/bitwarden/default.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.home.bitwarden; in @@ -6,12 +6,7 @@ in options.my.home.bitwarden = with lib; { enable = my.mkDisableOption "bitwarden configuration"; - pinentry = mkOption { - type = types.str; - default = "tty"; - example = "gtk2"; - description = "Which pinentry interface to use"; - }; + pinentry = mkPackageOption pkgs "pinentry" { default = [ "pinentry-tty" ]; }; }; config = lib.mkIf cfg.enable { diff --git a/modules/home/gpg/default.nix b/modules/home/gpg/default.nix index 7eadf48..51c865a 100644 --- a/modules/home/gpg/default.nix +++ b/modules/home/gpg/default.nix 
@@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: let cfg = config.my.home.gpg; in @@ -6,12 +6,7 @@ in options.my.home.gpg = with lib; { enable = my.mkDisableOption "gpg configuration"; - pinentry = mkOption { - type = types.str; - default = "tty"; - example = "gtk2"; - description = "Which pinentry interface to use"; - }; + pinentry = mkPackageOption pkgs "pinentry" { default = [ "pinentry-tty" ]; }; }; config = lib.mkIf cfg.enable { @@ -22,7 +17,7 @@ in services.gpg-agent = { enable = true; enableSshSupport = true; # One agent to rule them all - pinentryFlavor = cfg.pinentry; + pinentryPackage = cfg.pinentry; extraConfig = '' allow-loopback-pinentry ''; From 61fa35093ce3eb7f3cbcc9ca97dcdb2af471eba5 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Mar 2024 22:03:32 +0100 Subject: [PATCH 159/169] nixos: services: mealie: fix bulk upload --- modules/nixos/services/mealie/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nixos/services/mealie/default.nix b/modules/nixos/services/mealie/default.nix index ebbebb2..55ac376 100644 --- a/modules/nixos/services/mealie/default.nix +++ b/modules/nixos/services/mealie/default.nix @@ -66,6 +66,13 @@ in my.services.nginx.virtualHosts = { mealie = { inherit (cfg) port; + + extraConfig = { + # Allow bulk upload of recipes for import/export + locations."/".extraConfig = '' + client_max_body_size 0; + ''; + }; }; }; }; From 607aa5351c94bb52308cc83efc8f0f8f7acaf332 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Fri, 22 Mar 2024 22:03:32 +0100 Subject: [PATCH 160/169] nixos: services: tandoor-recipes: fix bulk upload --- modules/nixos/services/tandoor-recipes/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index f5dc2db..48ad7a8 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix 
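Review bot: `client_max_body_size 0;` in the new `locations."/".extraConfig` of the mealie virtual host removes nginx's request-body limit for every path of that host, not only the bulk import, so any client that can reach the vhost can submit bodies of unbounded size for nginx to buffer and forward. A finite cap sized to the largest export you expect, e.g. `client_max_body_size 512m;` (value constructed for illustration), or a `locations` entry restricted to the upload route, keeps the import working while bounding disk and memory use. The tandoor-recipes hunk of PATCH 160 adds the identical block and the same applies there. Whether `my.services.nginx` places authentication in front of these hosts is not visible in the hunk.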
@@ -73,6 +73,13 @@ in my.services.nginx.virtualHosts = { recipes = { inherit (cfg) port; + + extraConfig = { + # Allow bulk upload of recipes for import/export + locations."/".extraConfig = '' + client_max_body_size 0; + ''; + }; }; }; }; From 15d0e6bb38b86cd9693dd9c43ee1da4a98744974 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Mar 2024 11:19:33 +0000 Subject: [PATCH 161/169] flake: bump inputs --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index a42d5dd..4308e9c 100644 --- a/flake.lock +++ b/flake.lock @@ -116,11 +116,11 @@ ] }, "locked": { - "lastModified": 1703887061, - "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1710532761, - "narHash": "sha256-SUXGZNrXX05YA9G6EmgupxhOr3swI1gcxLUeDMUhrEY=", + "lastModified": 1711604890, + "narHash": "sha256-vbI/gxRTq/gHW1Q8z6D/7JG/qGNl3JTimUDX+MwnC3A=", "owner": "nix-community", "repo": "home-manager", - "rev": "206f457fffdb9a73596a4cb2211a471bd305243d", + "rev": "3142bdcc470e1e291e1fbe942fd69e06bd00c5df", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1710451336, - "narHash": "sha256-pP86Pcfu3BrAvRO7R64x7hs+GaQrjFes+mEPowCfkxY=", + "lastModified": 1711523803, + "narHash": "sha256-UKcYiHWHQynzj6CN/vTcix4yd1eCu1uFdsuarupdCQQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d691274a972b3165335d261cc4671335f5c67de9", + "rev": "2726f127c15a4cc9810843b96cad73c7eb39e443", "type": "github" }, "original": { 
@@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1710607749, - "narHash": "sha256-TRgxM7sOiWF8cea73OzDnmfhyYnN8+vDHUUJlkDDZ/U=", + "lastModified": 1711622043, + "narHash": "sha256-nCNcHYlmmPPIDRkDCvNoEog+AuG7jdmkhkU0fqoS82A=", "owner": "nix-community", "repo": "NUR", - "rev": "b870db4117d587a8c5c2c8c9e2d311d7fa4befe2", + "rev": "b7ff69e152caedbe4d0e40173d61732ac139a09c", "type": "github" }, "original": { @@ -197,11 +197,11 @@ ] }, "locked": { - "lastModified": 1708018599, - "narHash": "sha256-M+Ng6+SePmA8g06CmUZWi1AjG2tFBX9WCXElBHEKnyM=", + "lastModified": 1711519547, + "narHash": "sha256-Q7YmSCUJmDl71fJv/zD9lrOCJ1/SE/okZ2DsrmRjzhY=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "5df5a70ad7575f6601d91f0efec95dd9bc619431", + "rev": "7d47a32e5cd1ea481fab33c516356ce27c8cef4a", "type": "github" }, "original": { From 06c64c1a782c2677edbc55a5bebf3332c3fb7d36 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 1 Apr 2024 22:25:37 +0100 Subject: [PATCH 162/169] templates: fix 'matrix-notifier' CI step --- templates/c++-cmake/.woodpecker/check.yml | 2 +- templates/c++-meson/.woodpecker/check.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/c++-cmake/.woodpecker/check.yml b/templates/c++-cmake/.woodpecker/check.yml index 9135f7b..8e71643 100644 --- a/templates/c++-cmake/.woodpecker/check.yml +++ b/templates/c++-cmake/.woodpecker/check.yml @@ -24,7 +24,7 @@ steps: - source: matrix_password target: pass commands: - - nix run '.#matrix-notifier' + - nix run github:ambroisie/matrix-notifier when: status: - failure diff --git a/templates/c++-meson/.woodpecker/check.yml b/templates/c++-meson/.woodpecker/check.yml index 9135f7b..8e71643 100644 --- a/templates/c++-meson/.woodpecker/check.yml +++ b/templates/c++-meson/.woodpecker/check.yml @@ -24,7 +24,7 @@ steps: - source: matrix_password target: pass commands: - - nix run '.#matrix-notifier' + - nix run github:ambroisie/matrix-notifier when: status: - failure 
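Review bot: `nix run github:ambroisie/matrix-notifier` resolves to whatever the repository's default branch holds when the pipeline runs, and it executes in the step that is handed the Matrix homeserver, room, username and password secrets, so nothing in the template fixes which code sees those credentials. Pinning the reference to a commit, `nix run github:ambroisie/matrix-notifier/<commit-sha>` (placeholder), makes the notifier reviewable and reproducible, and updating it becomes an explicit change. The line is changed in both the c++-cmake and c++-meson `check.yml` hunks here, and the new `templates/c++-bazel/.woodpecker/check.yml` in PATCH 169 carries it as well. The step definitions start and end outside these hunks.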
From 4b5a19a8faade3a5dda68dab7046fb413de31277 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 1 Apr 2024 22:26:21 +0100 Subject: [PATCH 163/169] templates: fix deprecated CI syntax --- .woodpecker/check.yml | 18 +++++++++--------- templates/c++-cmake/.woodpecker/check.yml | 18 +++++++++--------- templates/c++-meson/.woodpecker/check.yml | 18 +++++++++--------- 3 files changed, 27 insertions(+), 27 deletions(-) diff --git a/.woodpecker/check.yml b/.woodpecker/check.yml index aff6e84..e04cd46 100644 --- a/.woodpecker/check.yml +++ b/.woodpecker/check.yml @@ -9,15 +9,15 @@ steps: - name: notifiy image: bash - secrets: - - source: matrix_homeserver - target: address - - source: matrix_roomid - target: room - - source: matrix_username - target: user - - source: matrix_password - target: pass + environment: + ADDRESS: + from_secret: matrix_homeserver + ROOM: + from_secret: matrix_roomid + USER: + from_secret: matrix_username + PASS: + from_secret: matrix_password commands: - nix run '.#matrix-notifier' when: diff --git a/templates/c++-cmake/.woodpecker/check.yml b/templates/c++-cmake/.woodpecker/check.yml index 8e71643..4ff7dba 100644 --- a/templates/c++-cmake/.woodpecker/check.yml +++ b/templates/c++-cmake/.woodpecker/check.yml @@ -14,15 +14,15 @@ steps: - name: notifiy image: bash - secrets: - - source: matrix_homeserver - target: address - - source: matrix_roomid - target: room - - source: matrix_username - target: user - - source: matrix_password - target: pass + environment: + ADDRESS: + from_secret: matrix_homeserver + ROOM: + from_secret: matrix_roomid + USER: + from_secret: matrix_username + PASS: + from_secret: matrix_password commands: - nix run github:ambroisie/matrix-notifier when: diff --git a/templates/c++-meson/.woodpecker/check.yml b/templates/c++-meson/.woodpecker/check.yml index 8e71643..4ff7dba 100644 --- a/templates/c++-meson/.woodpecker/check.yml +++ b/templates/c++-meson/.woodpecker/check.yml 
@@ -14,15 +14,15 @@ steps: - name: notifiy image: bash - secrets: - - source: matrix_homeserver - target: address - - source: matrix_roomid - target: room - - source: matrix_username - target: user - - source: matrix_password - target: pass + environment: + ADDRESS: + from_secret: matrix_homeserver + ROOM: + from_secret: matrix_roomid + USER: + from_secret: matrix_username + PASS: + from_secret: matrix_password commands: - nix run github:ambroisie/matrix-notifier when: From 96aa934bec78ee047ba999c25b9d6836c3d576b6 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Mar 2024 20:20:41 +0000 Subject: [PATCH 164/169] pkgs: zsh-done: fix homepage link --- pkgs/zsh-done/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/zsh-done/default.nix b/pkgs/zsh-done/default.nix index bdb6af3..8fac813 100644 --- a/pkgs/zsh-done/default.nix +++ b/pkgs/zsh-done/default.nix @@ -26,7 +26,7 @@ stdenvNoCC.mkDerivation rec { description = '' A zsh plug-in to receive notifications when long processes finish ''; - homepage = "https://gitea.belanyi.fr/ambroisie/zsh-done"; + homepage = "https://git.belanyi.fr/ambroisie/zsh-done"; license = licenses.mit; platforms = platforms.unix; maintainers = with maintainers; [ ambroisie ]; From d97da124ee39432b20ae3ebeba218f5ed6577589 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Mar 2024 20:20:41 +0000 Subject: [PATCH 165/169] templates: fix homepage links --- templates/c++-cmake/flake.nix | 2 +- templates/c++-meson/flake.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/c++-cmake/flake.nix b/templates/c++-cmake/flake.nix index cb468e7..db3b35c 100644 --- a/templates/c++-cmake/flake.nix +++ b/templates/c++-cmake/flake.nix 
@@ -52,7 +52,7 @@ meta = with lib; { description = "A C++ project"; - homepage = "https://gitea.belanyi.fr/ambroisie/project"; + homepage = "https://git.belanyi.fr/ambroisie/project"; license = licenses.mit; maintainers = with maintainers; [ ambroisie ]; platforms = platforms.unix; diff --git a/templates/c++-meson/flake.nix b/templates/c++-meson/flake.nix index 9cfed0d..5957c62 100644 --- a/templates/c++-meson/flake.nix +++ b/templates/c++-meson/flake.nix @@ -52,7 +52,7 @@ meta = with lib; { description = "A C++ project"; - homepage = "https://gitea.belanyi.fr/ambroisie/project"; + homepage = "https://git.belanyi.fr/ambroisie/project"; license = licenses.mit; maintainers = with maintainers; [ ambroisie ]; platforms = platforms.unix; From 8a4fdf6a56f69e9dbf6852a520ab43257c7731b1 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 28 Mar 2024 20:21:41 +0000 Subject: [PATCH 166/169] templates: fix description typo --- templates/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/default.nix b/templates/default.nix index f58fd72..31c3a81 100644 --- a/templates/default.nix +++ b/templates/default.nix @@ -5,6 +5,6 @@ }; "c++-meson" = { path = ./c++-meson; - description = "A C++ project using CMake"; + description = "A C++ project using Meson"; }; } From f729f6a0980b439ed3d8143f2af82860c27bd5bd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 2 Apr 2024 12:25:05 +0200 Subject: [PATCH 167/169] hosts: nixos: porthos: secrets: add 'lohr' owner --- hosts/nixos/porthos/secrets/secrets.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index bea380c..c43376b 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix 
@@ -31,8 +31,14 @@ in publicKeys = all; }; - "lohr/secret.age".publicKeys = all; - "lohr/ssh-key.age".publicKeys = all; + "lohr/secret.age" = { + owner = "lohr"; + publicKeys = all; + }; + "lohr/ssh-key.age" = { + owner = "lohr"; + publicKeys = all; + }; "matrix/mail.age" = { owner = "matrix-synapse"; From 8f120e2129ceb2e32945cb5eecaaf43968d8f9cf Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 2 Apr 2024 12:25:34 +0200 Subject: [PATCH 168/169] nixos: services: lohr: fix SSH key creation In the migration to `tmpfiles.d(5)`, I used the wrong type of file. Using `f` would write the path to the file as its content, rather than copy it. Unfortunately `C` and `C+` do not overwrite an existing file, so using a symlink it the correct solution here. This means the SSH key file must have `lohr` as an owner... Perhaps I should make it so the service can read the file itself, rather than rely on the filesystem location, so that I don't have to contort myself quite so much to make it work. --- modules/nixos/services/lohr/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix index 21aadba..21ed93b 100644 --- a/modules/nixos/services/lohr/default.nix +++ b/modules/nixos/services/lohr/default.nix @@ -99,7 +99,7 @@ in }; }; "${lohrHome}/.ssh/id_ed25519" = { - "f+" = { + "L+" = { user = "lohr"; group = "lohr"; mode = "0700"; From 314cd4956b31e6f3ccfc7b74d77c6e25d64e331f Mon Sep 17 00:00:00 2001 
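Review bot: In `modules/nixos/services/lohr/default.nix`, the `mode = "0700";` kept under the new `"L+"` type no longer describes the key's permissions: per tmpfiles.d(5) the mode field is ignored for `L` lines, so access to `${lohrHome}/.ssh/id_ed25519` is decided entirely by the file the symlink points to. I would drop the `mode` line and add a comment such as `# symlink: permissions come from the secret file, which must stay readable by lohr only`. It is also worth confirming that the `lohr/ssh-key.age` entry given `owner = "lohr"` in PATCH 167 keeps an owner-only mode, since that is now the only control on the private key. The rest of the rule, including the link target, is outside the hunk.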
From: Bruno BELANYI Date: Fri, 27 Oct 2023 15:02:04 +0000 Subject: [PATCH 169/169] WIP: Bazel template --- templates/c++-bazel/.bazelignore | 3 + templates/c++-bazel/.bazelrc | 6 + templates/c++-bazel/.clang-format | 23 +++ templates/c++-bazel/.envrc | 5 + templates/c++-bazel/.gitignore | 6 + templates/c++-bazel/.woodpecker/check.yml | 31 ++++ templates/c++-bazel/BUILD | 0 templates/c++-bazel/WORKSPACE | 48 +++++++ templates/c++-bazel/flake.lock | 143 +++++++++++++++++++ templates/c++-bazel/flake.nix | 126 ++++++++++++++++ templates/c++-bazel/src/BUILD | 6 + templates/c++-bazel/src/main.cc | 5 + templates/c++-bazel/tests/unit/BUILD | 10 ++ templates/c++-bazel/tests/unit/dummy_test.cc | 5 + 14 files changed, 417 insertions(+) create mode 100644 templates/c++-bazel/.bazelignore create mode 100644 templates/c++-bazel/.bazelrc create mode 100644 templates/c++-bazel/.clang-format create mode 100644 templates/c++-bazel/.envrc create mode 100644 templates/c++-bazel/.gitignore create mode 100644 templates/c++-bazel/.woodpecker/check.yml create mode 100644 templates/c++-bazel/BUILD create mode 100644 templates/c++-bazel/WORKSPACE create mode 100644 templates/c++-bazel/flake.lock create mode 100644 templates/c++-bazel/flake.nix create mode 100644 templates/c++-bazel/src/BUILD create mode 100644 templates/c++-bazel/src/main.cc create mode 100644 templates/c++-bazel/tests/unit/BUILD create mode 100644 templates/c++-bazel/tests/unit/dummy_test.cc diff --git a/templates/c++-bazel/.bazelignore b/templates/c++-bazel/.bazelignore new file mode 100644 index 0000000..6622ec1 --- /dev/null +++ b/templates/c++-bazel/.bazelignore @@ -0,0 +1,3 @@ +.pre-commit-config.yaml +result +.direnv diff --git a/templates/c++-bazel/.bazelrc b/templates/c++-bazel/.bazelrc new file mode 100644 index 0000000..0ef96ae --- /dev/null +++ b/templates/c++-bazel/.bazelrc 
@@ -0,0 +1,6 @@
+# rule_nixpkgs' specific configuration
+build --host_platform=@io_tweag_rules_nixpkgs//nixpkgs/platforms:host
+build --crosstool_top=@nixpkgs_config_cc//:toolchain
+
+# Use C++20
+build:linux --cxxopt=-std=c++20
diff --git a/templates/c++-bazel/.clang-format b/templates/c++-bazel/.clang-format
new file mode 100644
index 0000000..19c58aa
--- /dev/null
+++ b/templates/c++-bazel/.clang-format
@@ -0,0 +1,23 @@
+# vim: ft=yaml
+---
+BasedOnStyle: LLVM
+IndentWidth: 4
+---
+Language: Cpp
+# Force pointers to the type for C++.
+DerivePointerAlignment: false
+PointerAlignment: Left
+
+# Short functions should not be on a single line, unless empty
+AllowShortFunctionsOnASingleLine: Empty
+
+# Make them level
+AccessModifierOffset: -4
+
+# It makes more sense this way
+BreakBeforeBinaryOperators: All
+BreakBeforeTernaryOperators: true
+
+# Aesthetic
+AlignOperands: AlignAfterOperator
+---
diff --git a/templates/c++-bazel/.envrc b/templates/c++-bazel/.envrc
new file mode 100644
index 0000000..de77fcb
--- /dev/null
+++ b/templates/c++-bazel/.envrc
@@ -0,0 +1,5 @@
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.0; then
+ source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.0/direnvrc" "sha256-21TMnI2xWX7HkSTjFFri2UaohXVj854mgvWapWrxRXg="
+fi
+
+use flake
diff --git a/templates/c++-bazel/.gitignore b/templates/c++-bazel/.gitignore
new file mode 100644
index 0000000..84bd7c0
--- /dev/null
+++ b/templates/c++-bazel/.gitignore
@@ -0,0 +1,6 @@
+# Bazel build directories
+/bazel-*/
+
+# Nix generated files
+/.pre-commit-config.yaml
+/result
diff --git a/templates/c++-bazel/.woodpecker/check.yml b/templates/c++-bazel/.woodpecker/check.yml
new file mode 100644
index 0000000..4ff7dba
--- /dev/null
+++ b/templates/c++-bazel/.woodpecker/check.yml
@@ -0,0 +1,31 @@
+labels:
+ backend: local
+
+steps:
+- name: pre-commit check
+ image: bash
+ commands:
+ - nix develop --command pre-commit run --all
+
+- name: nix flake check
+ image: bash
+ commands:
+ - nix flake check
+
+- name: notifiy
+ image: bash
+ environment:
+ ADDRESS:
+ from_secret: matrix_homeserver
+ ROOM:
+ from_secret: matrix_roomid
+ USER:
+ from_secret: matrix_username
+ PASS:
+ from_secret: matrix_password
+ commands:
+ - nix run github:ambroisie/matrix-notifier
+ when:
+ status:
+ - failure
+ - success
diff --git a/templates/c++-bazel/BUILD b/templates/c++-bazel/BUILD
new file mode 100644
index 0000000..e69de29
diff --git a/templates/c++-bazel/WORKSPACE b/templates/c++-bazel/WORKSPACE
new file mode 100644
index 0000000..72d35b6
--- /dev/null
+++ b/templates/c++-bazel/WORKSPACE
@@ -0,0 +1,48 @@
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+http_archive(
+ name = "io_tweag_rules_nixpkgs",
+ sha256 = "980edfceef2e59e1122d9be6c52413bc298435f0a3d452532b8a48d7562ffd67",
+ strip_prefix = "rules_nixpkgs-0.10.0",
+ urls = ["https://github.com/tweag/rules_nixpkgs/releases/download/v0.10.0/rules_nixpkgs-0.10.0.tar.gz"],
+)
+
+load("@io_tweag_rules_nixpkgs//nixpkgs:repositories.bzl", "rules_nixpkgs_dependencies")
+
+# load everything that rules_nixpkgs rules need to work
+rules_nixpkgs_dependencies()
+
+load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_cc_configure", "nixpkgs_local_repository")
+
+# Define nixpkgs version using the flakes lock file.
+nixpkgs_local_repository(
+ name = "nixpkgs",
+ nix_file_deps = ["//:flake.lock"],
+ nix_flake_lock_file = "//:flake.lock",
+)
+
+nixpkgs_cc_configure(
+ name = "nixpkgs_config_cc",
+ repository = "@nixpkgs",
+)
+
+# load rules_cc
+http_archive(
+ name = "rules_cc",
+ sha256 = "4dccbfd22c0def164c8f47458bd50e0c7148f3d92002cdb459c2a96a68498241",
+ urls = ["https://github.com/bazelbuild/rules_cc/releases/download/0.0.1/rules_cc-0.0.1.tar.gz"],
+)
+
+load("@rules_cc//cc:repositories.bzl", "rules_cc_dependencies", "rules_cc_toolchains")
+
+rules_cc_dependencies()
+
+rules_cc_toolchains()
+
+# Load dependencies
+http_archive(
+ name = "com_google_googletest",
+ sha256 = "8ad598c73ad796e0d8280b082cebd82a630d73e73cd3c70057938a6501bba5d7",
+ strip_prefix = "googletest-1.14.0",
+ urls = ["https://github.com/google/googletest/archive/refs/tags/v1.14.0.tar.gz"],
+)
diff --git a/templates/c++-bazel/flake.lock b/templates/c++-bazel/flake.lock
new file mode 100644
index 0000000..7440f4d
--- /dev/null
+++ b/templates/c++-bazel/flake.lock
@@ -0,0 +1,143 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "futils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "ref": "main", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1698134075, + "narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + 
"flake-compat": "flake-compat", + "flake-utils": [ + "futils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1698227354, + "narHash": "sha256-Fi5H9jbaQLmLw9qBi/mkR33CoFjNbobo5xWdX4tKz1Q=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "bd38df3d508dfcdff52cd243d297f218ed2257bf", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "master", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "futils": "futils", + "nixpkgs": "nixpkgs", + "pre-commit-hooks": "pre-commit-hooks" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/templates/c++-bazel/flake.nix b/templates/c++-bazel/flake.nix new file mode 100644 index 0000000..63c64d6 --- /dev/null +++ b/templates/c++-bazel/flake.nix 
@@ -0,0 +1,126 @@ +{ + description = "A C++ project"; + + inputs = { + futils = { + type = "github"; + owner = "numtide"; + repo = "flake-utils"; + ref = "main"; + }; + + nixpkgs = { + type = "github"; + owner = "NixOS"; + repo = "nixpkgs"; + ref = "nixos-unstable"; + }; + + pre-commit-hooks = { + type = "github"; + owner = "cachix"; + repo = "pre-commit-hooks.nix"; + ref = "master"; + inputs = { + flake-utils.follows = "futils"; + nixpkgs.follows = "nixpkgs"; + }; + }; + }; + + outputs = { self, futils, nixpkgs, pre-commit-hooks }: + { + overlays = { + default = final: _prev: { + project = with final; buildBazelPackage { + pname = "project"; + version = "0.0.0"; + + src = self; + + inherit (pkgs) bazel; + + fetchAttrs = { + # Fixed output derivation hash after bazel fetch. + # This varies per platform, probably from the JDK pulled in being part + # of the output derivation ? Is there a more robust way to do this ? + # (Hashes extracted from the ofborg build logs) + sha256 = let inherit (stdenv.hostPlatform) system; in { + x86_64-linux = "${lib.fakeHash}"; + }.${system} or (throw "No hash for system: ${system}"); + + + # Use WORKSPACE file to fetch `rule_cc` + removeRulesCC = false; + }; + + buildAttrs = { + installPhase = '' + mkdir -p "$out/bin" + + install bazel-bin/src/project "$out/bin" + ''; + }; + + doCheck = true; + + meta = with lib; { + description = "A C++ project"; + homepage = "https://gitea.belanyi.fr/ambroisie/project"; + license = licenses.mit; + maintainers = with maintainers; [ ambroisie ]; + platforms = platforms.unix; + }; + }; + }; + }; + } // futils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { + inherit system; + overlays = [ + self.overlays.default + ]; + }; + + pre-commit = pre-commit-hooks.lib.${system}.run { + src = self; + + hooks = { + nixpkgs-fmt = { + enable = true; + }; + + clang-format = { + enable = true; + }; + }; + }; + in + { + checks = { + inherit (self.packages.${system}) project; + + inherit pre-commit; + }; 
+ + devShells = { + default = pkgs.mkShellNoCC { + inputsFrom = with self.packages.${system}; [ + project + ]; + + packages = with pkgs; [ + clang-tools + ]; + + inherit (pre-commit) shellHook; + }; + }; + + packages = futils.lib.flattenTree { + default = pkgs.project; + inherit (pkgs) project; + }; + }); +} diff --git a/templates/c++-bazel/src/BUILD b/templates/c++-bazel/src/BUILD new file mode 100644 index 0000000..a1b3dc9 --- /dev/null +++ b/templates/c++-bazel/src/BUILD @@ -0,0 +1,6 @@ +cc_binary( + name = "project", + srcs = [ + "main.cc", + ], +) diff --git a/templates/c++-bazel/src/main.cc b/templates/c++-bazel/src/main.cc new file mode 100644 index 0000000..5eb9e4a --- /dev/null +++ b/templates/c++-bazel/src/main.cc @@ -0,0 +1,5 @@ +#include + +int main() { + std::cout << "Hello World!\n"; +} diff --git a/templates/c++-bazel/tests/unit/BUILD b/templates/c++-bazel/tests/unit/BUILD new file mode 100644 index 0000000..63ed0e5 --- /dev/null +++ b/templates/c++-bazel/tests/unit/BUILD @@ -0,0 +1,10 @@ +cc_test( + name = "dummy_test", + size = "small", + srcs = [ + "dummy_test.cc", + ], + deps = [ + "@com_google_googletest//:gtest_main", + ], +) diff --git a/templates/c++-bazel/tests/unit/dummy_test.cc b/templates/c++-bazel/tests/unit/dummy_test.cc new file mode 100644 index 0000000..4573678 --- /dev/null +++ b/templates/c++-bazel/tests/unit/dummy_test.cc @@ -0,0 +1,5 @@ +#include + +TEST(misc, passing) { + ASSERT_EQ(1, 1); +}
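Review bot: In `templates/c++-bazel/flake.nix`, `x86_64-linux = "${lib.fakeHash}";` under `fetchAttrs.sha256` leaves the fixed-output hash of the Bazel dependency fetch as a placeholder, so the fetch cannot succeed and nothing yet pins the content Bazel downloads; `checks.project` inherits the same failure. Before this leaves WIP, replace it with the value reported by the first build, `x86_64-linux = "<sha256 reported by the failed fetch>";` (placeholder), which also removes the needless string interpolation. The `homepage` in `meta` still reads `https://gitea.belanyi.fr/ambroisie/project`, while PATCH 165 moved the other two templates to `https://git.belanyi.fr/ambroisie/project`.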