draft: partially getting authentik to work

needs manual systemctl start once booted for now

its started at auth.tuxcord.test

agenix/authentik.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 Wl2fDA 7PqbYWjorqzuPIDZgOZGIMzZa/P89aGzvORfMAeePRU
+J+gesdnj8VwqJSfD1ohDTSp7nBXdM4nEEB5/7aA1PMc
+-> ssh-ed25519 zNC8SA z47u0fUlGVYiQr4/S0lLh6WEj7gyedjWsq4fUk5Z1CY
+6qR4zdA1gQqpAcm5Q5AZJgn3ZnafXL4OeHfU4WJae40
+-> ssh-ed25519 EiAAKw 8mPi6HaHW+oFZHZ0Y2fJ2XISgarW3i/yLKD2QJleFGs
+Mch7D28T9eiJm8hmSuI7Wm/rjjT+EzzER9vQ7T6rA3k
+-> ssh-rsa eFi+Zw
+d3mwAM+p4yz/UK5g4+0WyeOPyEVHQEyzGSB+pPDf6IIXxGbh613h1WD5j3AQQXdH
+178Es9PhkiZcy0Y0IsQt4dyqDzuqMMwzLLvLKgsfliFsPBcdo93V5r9rWtFi3+9S
+jAfhsFzVUj3KhuBY+xsgBtHpLe5CVV52NnEzXkoJw1wbdunNi62QZvyyC+0NixFV
+HW1lxan6g6XXPrXWWrLbZWvpuqvPV6DoLsofzkMm0nd1DhkeHRU1WU8ucnPaETrJ
+E5G3YrlfhftwRzp/QzeoSFREmdAJca7ycIJaJuG8QIszTZLOOQBUAxg7sonATGUc
+Zutg1lJEfaQSe8oG1iMrJlshGspuSmBc1Ki4iQJjhQnYzvkV+Th9trG3QGq5ur9O
+RYCxqjMMzbp6kR2GdJorSM7P5fpzt0sSv2mxd+nQpMoyvOVfbBjmEbiuWrKSlIl0
+tXYrI6723mRNsbtmodUdDttaDFnr2r0MWbpHPn/K6y422GEoAiKE96Z7Pcxo2+Ml
+
+--- ILGiZiEBKY+7nych4vWMVWgiFNhF3eP7mtCvJ/JImxM
+jFÍ%aë;¸8Œõl�Ë�Ô é‚YÊ×ö…›�´töÐ:Â÷ì®û¦#í õÞ(¹ðÂV°;ê[Ç`üØë:tžS#ˆ
+@²ãÒk7²àFž¿ÓEn®†!ÉlÈ¥ÛšŽÃ�7°!•Òï‡êY3:+mzÕÒÈö

agenix/dns/tuxcord.net/javalsai.tuxcord.net.key.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
+ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
+-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
+ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
+--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
+ä3ÛÿÉèŸP>gòh@­ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍPÂòㆿy?•ÉŽU�SNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OΉPuh‹½ŽÞ=t¶5|¿×“s×€ú&!­‰Î-�æTÝSÆfÕ™-j"#žiÂwzºš›ãjö¯“HŒí�

agenix/ntfy.age

@@ -1,34 +1,20 @@
 age-encryption.org/v1
--> ssh-ed25519 Wl2fDA dM0TgKtswZcbEV9tGGY26YCksV2xadHWXv7D/KksAWk
+-> ssh-ed25519 Wl2fDA 8rfiRx7+Gr9BtiSXsVEs2W+pXoms6ynODC1TL90+Wi4
-1vCcuHmVP2xiHd/7hh0z2Hiq/EeA8uvdsRtQReC5hNY
+/uMnYMJovbaPjwX1qCAtIokov40RYIAm2Mup5XKBJvw
--> ssh-ed25519 zNC8SA uTO/3ePjgiKqk3jeRGZX5D3LjzhSBlp2rD2ZakKmfX0
+-> ssh-ed25519 zNC8SA FlxMK7kMYnKHY9MBJ+HYDI4GNS0nSgZxVuRe4yTWBgg
-tVkEEcP/KfD9x52l7iz5F3hKK0LSckjXWK5YP2aeBt4
+HPOV31k8Ueb1W5usG7iLXDQxyAlISrgHThddHpGY2+s
--> ssh-ed25519 EiAAKw Etu0I4IzJ3BB2SzCeiexx+dhcLUO5d2Ws+WiJyLk/Sw
+-> ssh-ed25519 EiAAKw Bu7+NJXivoRA07glNWUlBGu03J0ueth7XDU7SWQYT30
-9GBcZPsIXO3mXbri3lFYjtBBu0wFYul6hKsCvBKVLFs
+r/DBmf4TRDJBgFF0KdeHuKL5hLdU1z6HtfAAVbc6Y0I
 -> ssh-rsa eFi+Zw
-uOZsBC+IMHdX2h9Jq/CF/L3BsxDW+dULk04JQbDeM85Mrxxdrv2X3w7AW8YU2KS+
+Nu4gAM/vbh0kpEUIaT4P6iTe9qFFM/9IVxiiKPYHdPnCmPJHrug1afLLFrrrpqkd
-Xg8LnzH01z4Nfs89uysM/lsWptc9qMeaK9o0oHC+tSJH4Ch43MejbmFYjFibHaCm
+o1NrfYIM9gW6jl5QMCcP5DpzMTppokX0P1Tz1ZeOEtZUVtGeZ7Q2wmL4zftwmG9J
-krQM7dAGIJwc/o0+ykaCrbXSvXAyfd6Nw1izou2ZcDRI7mTipOZO8F949SIk//Rc
+qoDjsCd0z6MPDUdU46qc7kjQBhOwGLfHXTfGLXGNZxqj0oLvEoEKpdvFNBvMSyxK
-UJgPLqpGwScEfrHf4f6tySC4LmD0bPIV1xDpmmXcS7c83E9+iVOtb5Y1In6CQrF1
+oGZRwGsHQcUXKhCPtf6PVtSkHMABzpUAhgS8oqjp4RVurD0lcrPgsx8pSRRarfyE
-XZQCb9MkPySbuicwR022CySb+lc7Ru44RdqBgV1e+wphyZCoqCk09i18egV3hNs6
+ll1QbFCjftuJfeIEshgRkaLGjIQpZDFA3w2XMqDddFz5H/9Ak+F8/rkNnUrN2x4M
-iEul3M8dqV27yRKrWIUD5jT2tUszTNJfreiuZl9eDmLkcVWExkWzqWPUFJ48hQiZ
+amca8s4Sbls6RjyysarIytilCtpaKEI2sgkD2fERao6ayTSnWF45qqh635OLaP5A
-89Z4Evn04vZGoeL67K5q93lSRHz109zT/KIJSQMZpbaecGAoiZDM8Mdq3KzawGSG
+b7qcru9gO0C3Ik+UuiZMgovxo/+yBYe3+8x8q/uKR4apPAkt/2q28Uilw1WboIEB
-ENQazx6lnGoMccvxFhjrVqfYj3U4S/pnCow5fatvkBQSyysL63UxE5ivcFUHHppB
+rIjBr0BN1JeHvkiyljJGcvGf5jHdmOrpQu/L1xuSDjsTnh+U6BshQC8bbkJNsVoL
 
--> ssh-ed25519 QovoLQ wgg0cFlYEVafE3rXK4GrID3RTatZdKPYzsjT18WskFM
+--- GCTLfa/BICL9AWTaqGC13M101Z8sqSqPP4ysJVv5zvg
-bgv+7an3xgdqf6WaiB1FFkXObcykUnvH6lJmX5gFJkQ
+]
--> ssh-rsa OFkEIg
+ý­¢Ôÿi¹‡7c·f`b@%X”¿J�)û[<+;x-ÇKmTõ@ãÌ„�ýŸK]7sc*ë­Ÿ‡¼2Ý®5
-IIQbFB6VUwbB+ZtKR7Ayg9Im6vMU1AzqHT8CBagA5fwJ7Vp1GuX1X9SxL9hMPkd3
-4osEbSu3JJDMwfC6AfFtcEjmxjmRYyiYlzmIjhVEsaTlwyeucAPd+fdj+TPjHidZ
-dffizNEOiENY49jlmWTjMqYKnBsSP9GfH4ZsKpCaWMm2h9p687weuXFfbYfjYMII
-a3C4iG8m+mZ4crYTKZu6WPbnHn9g0pMxZBs4v6MnBHk6eEJ0uiJvrzYApoFE5om7
-9AknL27ra/+A1UQl+1kzLT+IivJa8FCfZ+zF1RYLRvSATlIzCqCiBiayAsVtQg5O
-girBRnlAJTPisszyoAhsqbECvD6bJfwlTW0STg/M1u3ZPMTGL4V0gJgynANmjb7Y
-TXd11zuhjRYgOBAj09trQFTmmwIgPvvu8+VXNDNPAp02ffBT8kMUvSEik98/35x1
-Dwvm38t05O6nqyHUF957CRVTzPQPAnb5Cd+Rw/joID2YPyFN9IZwE4mi2Bf3zdZo
-roxtqCupmWkpxMNN7GZJrmCE/Lh6YV4DgUd6VNQc7QlGsq5K4XRT7aa+s+17cC8e
-HCxQfGM8sMe9T6IK+K4p6qTqluyI/X0r95kGfzhNmgzufc44i6X497i3fDSVoLpx
-Uo7Ao3QRNPyaUXcqTTIg8Kx9YiLQC3tDblVJjIZU89o
---- Vb9o/bhuN6XXjfK04haEEUXnuIA02j4GH9PmAh0ayN8
-óE¬dGs;’Ž°À±��ü
-ñ,OHˆÿœˆ{²¶>ú*wAÃLÌÄ\©0SQöÖ*{6fô‰+Xš¨.

agenix/secrets.nix

@@ -1,17 +1,26 @@
 let
-  users = import ../lib/ssh/keys.nix;
+  inherit (import ../lib)
+    users
+    adminSSHKeys
+    attrsToList
+    getSSHKeys
+    ;
 
   tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
 in
 {
-  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "authentik.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
 
   # tsig-keygen etc.sub.domain.tld.
-  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
+  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
+  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-
+  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
-
-  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
 }
+// builtins.listToAttrs (
+  map (user: {
+    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
+    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
+  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
+)

flake.lock

@@ -23,6 +23,67 @@
         "type": "github"
       }
     },
+    "authentik-go": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1771856219,
+        "narHash": "sha256-zTEmvxe+BpfWYvAl675PnhXCH4jV4GUTFb1MrQ1Eyno=",
+        "owner": "goauthentik",
+        "repo": "client-go",
+        "rev": "4c1444ee54d945fbcc5ae107b4f191ca0352023d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "repo": "client-go",
+        "type": "github"
+      }
+    },
+    "authentik-nix": {
+      "inputs": {
+        "authentik-go": "authentik-go",
+        "authentik-src": "authentik-src",
+        "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
+        "flake-utils": "flake-utils",
+        "napalm": "napalm",
+        "nixpkgs": "nixpkgs",
+        "pyproject-build-systems": "pyproject-build-systems",
+        "pyproject-nix": "pyproject-nix",
+        "systems": "systems_2",
+        "uv2nix": "uv2nix"
+      },
+      "locked": {
+        "lastModified": 1776085803,
+        "narHash": "sha256-JvvWVbXJYSY8qOReMbAOD4lxcN2cjKV6lg/jLz8CEuY=",
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "rev": "4370b561c8bafb59773ce3a518506bcf1161dbdb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "authentik-nix",
+        "type": "github"
+      }
+    },
+    "authentik-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1775573258,
+        "narHash": "sha256-Xq7JGI/8ppIydIuWd9KRJKUrh7UpeniwvZ4NAtXbYJ4=",
+        "owner": "goauthentik",
+        "repo": "authentik",
+        "rev": "5249546862986202b901c2afd860992ec48c6ef6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "goauthentik",
+        "ref": "version/2026.2.2",
+        "repo": "authentik",
+        "type": "github"
+      }
+    },
     "darwin": {
       "inputs": {
         "nixpkgs": [
@@ -46,6 +107,7 @@
       }
     },
     "flake-compat": {
+      "flake": false,
       "locked": {
         "lastModified": 1767039857,
         "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
@@ -61,6 +123,21 @@
       }
     },
     "flake-compat_2": {
+      "locked": {
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1767039857,
@@ -80,6 +157,24 @@
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
+      "locked": {
+        "lastModified": 1769996383,
+        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_2"
+      },
       "locked": {
         "lastModified": 1777678872,
         "narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
@@ -94,6 +189,27 @@
         "type": "github"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": [
+          "authentik-nix",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "git-hooks-nix": {
       "inputs": {
         "flake-compat": [
@@ -188,9 +304,35 @@
         "type": "github"
       }
     },
+    "napalm": {
+      "inputs": {
+        "flake-utils": [
+          "authentik-nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1725806412,
+        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
+        "owner": "willibutz",
+        "repo": "napalm",
+        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "willibutz",
+        "ref": "avoid-foldl-stack-overflow",
+        "repo": "napalm",
+        "type": "github"
+      }
+    },
     "nix-alien": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "nix-index-database": [
           "nix-index-database"
         ],
@@ -234,12 +376,12 @@
     },
     "nix-super": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
         "flake-parts": [
           "flake-parts"
         ],
         "git-hooks-nix": "git-hooks-nix",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-23-11": "nixpkgs-23-11",
         "nixpkgs-regression": "nixpkgs-regression"
       },
@@ -259,15 +401,18 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771903837,
+        "lastModified": 1771848320,
-        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
+        "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
-        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
+        "owner": "NixOS",
-        "type": "tarball",
+        "repo": "nixpkgs",
-        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
+        "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
+        "owner": "NixOS",
-        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nixpkgs-23-11": {
@@ -287,6 +432,21 @@
       }
     },
     "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1769909678,
+        "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "72716169fe93074c333e8d0173151350670b824c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib_2": {
       "locked": {
         "lastModified": 1777168982,
         "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
@@ -318,6 +478,19 @@
       }
     },
     "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1771903837,
+        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
+        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
+      }
+    },
+    "nixpkgs_3": {
       "locked": {
         "lastModified": 1777428379,
         "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
@@ -333,15 +506,66 @@
         "type": "github"
       }
     },
+    "pyproject-build-systems": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ],
+        "uv2nix": [
+          "authentik-nix",
+          "uv2nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1771423342,
+        "narHash": "sha256-7uXPiWB0YQ4HNaAqRvVndYL34FEp1ZTwVQHgZmyMtC8=",
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "rev": "04e9c186e01f0830dad3739088070e4c551191a4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "build-system-pkgs",
+        "type": "github"
+      }
+    },
+    "pyproject-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1771518446,
+        "narHash": "sha256-nFJSfD89vWTu92KyuJWDoTQJuoDuddkJV3TlOl1cOic=",
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "rev": "eb204c6b3335698dec6c7fc1da0ebc3c6df05937",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "pyproject.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
-        "flake-parts": "flake-parts",
+        "authentik-nix": "authentik-nix",
+        "flake-parts": "flake-parts_2",
         "impermanence": "impermanence",
         "nix-alien": "nix-alien",
         "nix-index-database": "nix-index-database",
         "nix-super": "nix-super",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
       }
     },
     "systems": {
@@ -358,6 +582,46 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default-linux",
+        "type": "github"
+      }
+    },
+    "uv2nix": {
+      "inputs": {
+        "nixpkgs": [
+          "authentik-nix",
+          "nixpkgs"
+        ],
+        "pyproject-nix": [
+          "authentik-nix",
+          "pyproject-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1772187362,
+        "narHash": "sha256-gCojeIlQ/rfWMe3adif3akyHsT95wiMkLURpxTeqmPc=",
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "rev": "abe65de114300de41614002fe9dce2152ac2ac23",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pyproject-nix",
+        "repo": "uv2nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -31,6 +31,13 @@
       url = "github:privatevoid-net/nix-super";
       inputs.flake-parts.follows = "flake-parts";
     };
+
+    authentik-nix = {
+      url = "github:nix-community/authentik-nix";
+
+      # inputs.nixpkgs.follows = "nixpkgs"
+      # inputs.flake-parts.follows = "flake-parts"
+    };
   };
 
   outputs =
@@ -52,6 +59,11 @@
           formatter = pkgs.nixfmt;
         };
 
+      flake = {
+        lib = import ./lib;
+        pins = import ./npins;
+      };
+
       systems = [
         "x86_64-linux"
         "aarch64-linux"

lib/default.nix

@@ -0,0 +1,24 @@
+rec {
+  toList = x: if builtins.isList x then x else [ x ];
+
+  nameValuePair = name: value: { inherit name value; };
+
+  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
+
+  attrsToList = mapAttrsToList nameValuePair;
+
+  getSSHKeys =
+    username:
+    if (builtins.hasAttr "ssh" users.${username}) then
+      toList users.${username}.ssh
+    else
+      builtins.warn "user ${username} declared without ssh keys" [ ];
+
+  users = import ./users.nix;
+
+  adminSSHKeys = builtins.concatLists (
+    map (user: getSSHKeys user.name) (
+      builtins.filter (user: user.value.admin or false) (attrsToList users)
+    )
+  );
+}

lib/ssh/keys.nix

@@ -1,8 +0,0 @@
-{
-  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-
-  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
-  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
-}

lib/users.nix

@@ -0,0 +1,26 @@
+{
+  error = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+    admin = true;
+    ddns = true;
+  };
+
+  javalsai = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+    admin = true;
+    ddns = true;
+  };
+
+  max = {
+    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+    admin = true;
+  };
+
+  vectorum = {
+    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  };
+
+  pickzelle = {
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
+  };
+}

nixos/common.nix

@@ -18,6 +18,7 @@ in
     agenix.nixosModules.default
     impermanence.nixosModules.default
     nix-index-database.nixosModules.nix-index
+    authentik-nix.nixosModules.default
 
     ./hardware.nix
     ./impermanence.nix
@@ -99,22 +100,15 @@ in
 
     extraHosts =
       let
-        subdomains = [
+        subdomains = [ "git" "auth" ];
-          ""
+
-          ".git"
+        inherit (config.networking) fqdn;
-        ];
+        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
       in
-      builtins.foldl' (
+      lib.concatMapStrings (host: ''
-        hosts-acc: domain-prefix:
+        127.0.0.1 ${host}
-        let
+        ::1 ${host}
-          host = "${domain-prefix}${config.networking.fqdn}";
+      '') hosts;
-        in
-        hosts-acc
-        + ''
-          127.0.0.1 ${host}
-          ::1 ${host}
-        ''
-      ) "" subdomains;
   };
 
   virtualisation.podman.enable = true;

nixos/hardware.nix

@@ -15,7 +15,10 @@
       "xhci_pci"
     ];
 
-    kernelModules = [ "kvm-intel" ];
+    kernelModules = [
+      "kvm-amd"
+      "kvm-intel"
+    ];
   };
 
   hardware = {

nixos/hosts/tuxcord-acmetest/default.nix

@@ -1,11 +1,14 @@
 {
-  acme = {
+  imports = [
-    enable = true;
+    ./storage.nix
-    rfc2136.nameserver = "tuxcord.net";
+  ];
-  };
 
-  dns.enable = true;
   networking.fqdn = "nix.tuxcord.net";
 
+  acme.rfc2136.nameserver = "tuxcord.net";
+  dns.enable = true;
+
+  services.getty.autologinUser = "root";
+
   time.timeZone = "Europe/Madrid";
 }

nixos/hosts/tuxcord-acmetest/storage.nix

@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}

nixos/hosts/tuxcord-ca/storage.nix

@@ -32,6 +32,7 @@
         device = "/dev/xvda2";
         fsType = "btrfs";
         options = [ "subvol=@persist" ] ++ defaultOptions;
+        neededForBoot = true;
       };
     };
 }

nixos/hosts/tuxcord-test/default.nix

@@ -1,6 +1,12 @@
 {
+  imports = [
+    ./storage.nix
+  ];
+
+  networking.fqdn = "tuxcord.test";
+
   acme.enable = false;
   dns.enable = true;
 
-  networking.fqdn = "tuxcord.test";
+  services.getty.autologinUser = "root";
 }

nixos/hosts/tuxcord-test/storage.nix

@@ -0,0 +1,6 @@
+{
+  fileSystems."/" = {
+    device = "/dev/vda";
+    fsType = "ext4";
+  };
+}

nixos/impermanence.nix

@@ -55,8 +55,6 @@
     };
   };
 
-  fileSystems."/persist".neededForBoot = true;
-
   environment.persistence."/persist" = {
     enable = true;
     hideMounts = true;
@@ -72,10 +70,6 @@
     ];
     files = [
       "/etc/machine-id"
-      "/etc/ssh/ssh_host_ed25519_key"
-      "/etc/ssh/ssh_host_ed25519_key.pub"
-      "/etc/ssh/ssh_host_rsa_key"
-      "/etc/ssh/ssh_host_rsa_key.pub"
     ];
   };
 

nixos/modules/authentik.nix

@@ -0,0 +1,17 @@
+{ config, self, ... }:
+let
+  inherit (config.networking) fqdn;
+in
+{
+  age.secrets.authentik.file = "${self}/agenix/authentik.age";
+
+  services.authentik = {
+    enable = true;
+    environmentFile = config.age.secrets.authentik.path; # just trust, this specifies port 3001
+    # nginx = {
+    #   enable = true;
+    #   enableACME = true;
+    #   host = "auth.${fqdn}";
+    # };
+  };
+}

nixos/modules/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./acme.nix
+    ./authentik.nix
     ./dns.nix
     ./fail2ban.nix
     ./gitea.nix

nixos/modules/nginx.nix

@@ -1,21 +1,46 @@
-{ config, ... }:
+{ config, self, ... }:
 let
   inherit (config.networking) fqdn;
 
   mkVhost =
-    attrs:
+    attrs: locations:
     let
       acmeEnabled = config.acme.enable;
     in
     {
       forceSSL = acmeEnabled;
       useACMEHost = if acmeEnabled then fqdn else null;
+
+      locations = {
+        "= /robots.txt" = {
+          alias = disallowedRobotsTxt;
+        };
+      }
+      // locations;
     }
     // attrs;
 
   mkProxy = port: {
     proxyPass = "http://127.0.0.1:${toString port}/";
+
+    extraConfig = ''
+      proxy_buffering off;
+      proxy_request_buffering off;
+    '';
   };
+
+  mkSsi = webRoot: {
+    root = webRoot;
+
+    extraConfig = ''
+      ssi on;
+    '';
+  };
+
+  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
+    User-agent: *
+    Disallow: /
+  '';
 in
 {
   services.nginx = {
@@ -27,14 +52,18 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    # services.nginx.virtualHosts."${fqdn}" = {
+    virtualHosts = {
-    #   addSSL = true;
+      "${fqdn}" = mkVhost { default = true; } {
-    #   root = "/var/www/myhost.org";
+        "/" = mkSsi "${self.pins.website}/web-root";
-    #   default = true;
+      };
-    # };
 
-    virtualHosts."git.${fqdn}" = mkVhost {
+      "git.${fqdn}" = mkVhost { } {
-      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+      };
+
+      "auth.${fqdn}" = mkVhost { } {
+        "/" = mkProxy 3001;
+      };
     };
   };
 

nixos/openssh.nix

@@ -4,6 +4,7 @@
 
     settings = {
       ClientAliveInterval = 300;
+      X11Forwarding = true;
 
       KbdInteractiveAuthentication = false;
       PasswordAuthentication = false;

nixos/users.nix

@@ -1,25 +1,6 @@
 { lib, self, ... }:
 let
-  users = [
+  inherit (self.lib) users;
-    {
-      name = "error";
-      options.admin = true;
-    }
-    {
-      name = "javalsai";
-      options.admin = true;
-    }
-    {
-      name = "max";
-      options.admin = true;
-    }
-    {
-      name = "vectorum";
-    }
-    {
-      name = "pickzelle";
-    }
-  ];
 
   adminGroups = [
     "adm"
@@ -30,60 +11,55 @@ let
     "wheel"
   ];
 
-  getSSHKeys =
+  mkUser = name: uid: admin: {
-    username:
+    users.users.${name} = {
-    let
+      inherit uid;
-      sshKeys = import "${self}/lib/ssh/keys.nix";
+      isNormalUser = true;
-    in
+      extraGroups = lib.optionals admin adminGroups;
-    if (builtins.hasAttr username sshKeys) then
+      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
-      lib.lists.toList sshKeys.${username}
-    else
-      lib.warn "user ${username} declared without ssh key" [ ];
-
-  mkUser =
-    name: uid: options:
-    let
-      admin = options.admin or false;
-
-    in
-    {
-      users.users.${name} = {
-        isNormalUser = true;
-        extraGroups = lib.optionals admin adminGroups;
-        inherit uid;
-
-        openssh.authorizedKeys.keys = getSSHKeys name;
-      };
-
-      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
-        CPUQuota = "50%";
-        CPUWeight = "10";
-        IOAccounting = true;
-        IOWeight = "10";
-        MemoryMax = "2G";
-        MemorySwapMax = "1G";
-        TasksMax = "100";
-      };
     };
+
+    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
+      CPUQuota = "50%";
+      CPUWeight = "10";
+      IOAccounting = true;
+      IOWeight = "10";
+      MemoryMax = "2G";
+      MemorySwapMax = "1G";
+      TasksMax = "100";
+    };
+  };
 in
 lib.recursiveUpdate
   (builtins.foldl'
     (attrs: user: {
-      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
+      options = lib.recursiveUpdate attrs.options (
+        mkUser user.name attrs.uid (user.value.admin or false)
+      );
       uid = attrs.uid + 1;
     })
     {
       options = { };
       uid = 1000;
     }
-    users
+    (lib.attrsToList users)
   ).options
   {
-    users.users.root = {
+    users = {
-      initialPassword = "tuxcord";
+      motd = ''
+                  __                                          __                      __
+        ---------/\ \__                                      /\ \                    /\ \__
+        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
+        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
+        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
+        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
+        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
+                                                    A friendly Linux community - est. July 2023
+      '';
 
-      openssh.authorizedKeys.keys = lib.lists.concatLists (
+      users.root = {
-        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
+        initialPassword = "tuxcord";
-      );
+        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
+      };
     };
   }

nixos/vm.nix

@@ -7,8 +7,8 @@
     memorySize = 4096;
 
     qemu.networkingOptions = lib.mkForce [
-      "-net nic,netdev=user.0,model=virtio"
+      "-nic bridge,br=virbr0,id=hn0,model=virt-net-pci,helper=\${QEMU_BRIDGE_HELPER_PATH}"
-      "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
+      "-device virtio-net-pci,netdev=hn0,id=nic1,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
     ];
   };
 }

npins/default.nix

@@ -9,15 +9,8 @@
 */
 # Generated by npins. Do not modify; will be overwritten regularly
 let
-  # Backwards-compatibly make something that previously didn't take any arguments take some
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
-  # The function must return an attrset, and will unfortunately be eagerly evaluated
+  version = data.version;
-  # Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments
-  mkFunctor =
-    fn:
-    let
-      e = builtins.tryEval (fn { });
-    in
-    (if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; };
 
   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
   range =
@@ -28,6 +21,7 @@ let
 
   # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
   stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
+  concatMapStrings = f: list: concatStrings (map f list);
   concatStrings = builtins.concatStringsSep "";
 
   # If the environment variable NPINS_OVERRIDE_${name} is set, then use
@@ -54,87 +48,41 @@ let
 
   mkSource =
     name: spec:
-    {
-      pkgs ? null,
-    }:
     assert spec ? type;
     let
-      # Unify across builtin and pkgs fetchers.
-      # `fetchGit` requires a wrapper because of slight API differences.
-      fetchers =
-        if pkgs == null then
-          {
-            inherit (builtins) fetchTarball fetchurl;
-            # For some fucking reason, fetchGit has a different signature than the other builtin fetchers …
-            fetchGit = args: (builtins.fetchGit args).outPath;
-          }
-        else
-          {
-            fetchTarball =
-              {
-                url,
-                sha256,
-              }:
-              pkgs.fetchzip {
-                inherit url sha256;
-                extension = "tar";
-              };
-            inherit (pkgs) fetchurl;
-            fetchGit =
-              {
-                url,
-                submodules,
-                rev,
-                name,
-                narHash,
-              }:
-              pkgs.fetchgit {
-                inherit url rev name;
-                fetchSubmodules = submodules;
-                hash = narHash;
-              };
-          };
-
-      # Dispatch to the correct code path based on the type
       path =
         if spec.type == "Git" then
-          mkGitSource fetchers spec
+          mkGitSource spec
         else if spec.type == "GitRelease" then
-          mkGitSource fetchers spec
+          mkGitSource spec
         else if spec.type == "PyPi" then
-          mkPyPiSource fetchers spec
+          mkPyPiSource spec
         else if spec.type == "Channel" then
-          mkChannelSource fetchers spec
+          mkChannelSource spec
         else if spec.type == "Tarball" then
-          mkTarballSource fetchers spec
+          mkTarballSource spec
-        else if spec.type == "Container" then
-          mkContainerSource pkgs spec
         else
           builtins.throw "Unknown source type ${spec.type}";
     in
     spec // { outPath = mayOverride name path; };
 
   mkGitSource =
-    {
-      fetchTarball,
-      fetchGit,
-      ...
-    }:
     {
       repository,
       revision,
       url ? null,
       submodules,
       hash,
+      branch ? null,
       ...
     }:
     assert repository ? type;
     # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
     # In the latter case, there we will always be an url to the tarball
     if url != null && !submodules then
-      fetchTarball {
+      builtins.fetchTarball {
         inherit url;
-        sha256 = hash;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
       }
     else
       let
@@ -145,8 +93,6 @@ let
             "https://github.com/${repository.owner}/${repository.repo}.git"
           else if repository.type == "GitLab" then
             "${repository.server}/${repository.repo_path}.git"
-          else if repository.type == "Forgejo" then
-            "${repository.server}/${repository.owner}/${repository.repo}.git"
           else
             throw "Unrecognized repository type ${repository.type}";
         urlToName =
@@ -161,89 +107,40 @@ let
           "${if matched == null then "source" else builtins.head matched}${appendShort}";
         name = urlToName url revision;
       in
-      fetchGit {
+      builtins.fetchGit {
         rev = revision;
-        narHash = hash;
+        inherit name;
-
+        # hash = hash;
-        inherit name submodules url;
+        inherit url submodules;
       };
 
   mkPyPiSource =
-    { fetchurl, ... }:
+    { url, hash, ... }:
-    {
+    builtins.fetchurl {
-      url,
-      hash,
-      ...
-    }:
-    fetchurl {
       inherit url;
       sha256 = hash;
     };
 
   mkChannelSource =
-    { fetchTarball, ... }:
+    { url, hash, ... }:
-    {
+    builtins.fetchTarball {
-      url,
-      hash,
-      ...
-    }:
-    fetchTarball {
       inherit url;
       sha256 = hash;
     };
 
   mkTarballSource =
-    { fetchTarball, ... }:
     {
       url,
       locked_url ? url,
       hash,
       ...
     }:
-    fetchTarball {
+    builtins.fetchTarball {
       url = locked_url;
       sha256 = hash;
     };
-
-  mkContainerSource =
-    pkgs:
-    {
-      image_name,
-      image_tag,
-      image_digest,
-      ...
-    }:
-    if pkgs == null then
-      builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers"
-    else
-      pkgs.dockerTools.pullImage {
-        imageName = image_name;
-        imageDigest = image_digest;
-        finalImageTag = image_tag;
-      };
 in
-mkFunctor (
+if version == 5 then
-  {
+  builtins.mapAttrs mkSource data.pins
-    input ? ./sources.json,
+else
-  }:
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
-  let
-    data =
-      if builtins.isPath input then
-        # while `readFile` will throw an error anyways if the path doesn't exist,
-        # we still need to check beforehand because *our* error can be caught but not the one from the builtin
-        # *piegames sighs*
-        if builtins.pathExists input then
-          builtins.fromJSON (builtins.readFile input)
-        else
-          throw "Input path ${toString input} does not exist"
-      else if builtins.isAttrs input then
-        input
-      else
-        throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
-    version = data.version;
-  in
-  if version == 7 then
-    builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
-  else
-    throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
-)

npins/sources.json

@@ -1,4 +1,17 @@
 {
-  "pins": {},
+  "pins": {
-  "version": 7
+    "website": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
+      "url": null,
+      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
+    }
+  },
+  "version": 5
 }

shells/default.nix

@@ -5,6 +5,24 @@
     {
       devShells.default = pkgs.mkShell {
         name = "configuration.nix";
+
+        shellHook = ''
+          for path in \
+            /usr/lib/qemu/qemu-bridge-helper \
+            /run/wrappers/bin/qemu-bridge-helper
+          do
+            if [ -x "$path" ]; then
+              export QEMU_BRIDGE_HELPER_PATH="$path"
+              break
+            fi
+          done
+
+          if [ -z "$QEMU_BRIDGE_HELPER_PATH" ]; then
+            printf "\033[1;33m%s\033[0m\n" \
+              "WARN: 'qemu-bridge-helper' not found, make sure it is installed and the nix shell hook is looking for it" >&2
+          fi
+        '';
+
         packages = with pkgs; [
           bat
           cachix
@@ -13,7 +31,6 @@
           git
           inputs.agenix.packages.${stdenv.hostPlatform.system}.default
           jujutsu
-          neovim
           nix-output-monitor
           nixfmt
           npins