docs: document installation, secrets and setup steps

nixos/services: make dns configuration easier
nixos/service: add dns (bind named server)
2026-05-03 19:13:21 -04:00 · 2026-05-03 19:13:21 -04:00 · 2026-05-03 19:12:19 -04:00 · 2026-05-03 18:25:42 -04:00 · 2026-05-03 18:25:42 -04:00 · 2026-05-03 18:25:42 -04:00
38 changed files with 191 additions and 747 deletions
@@ -1,19 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA sLlStq5Hzb2JNQubLtMk5/kyIp81aTyjUB/Ysv1gRR0
-lTLWsvT5Oxk8ut/g+o9o0DMOIQVDmi9o4EO0fYeIToo
-> ssh-ed25519 zNC8SA G0XcS2gzF0RopI2DqkWaTYXwjUpkVtdrxSQ+p8bfE0w
-pZVIg/1P8BbnpRfV5F0FG3xgLSiA8M+nosQ8iNeYmcU
-> ssh-ed25519 EiAAKw qWmO0IjKoUFVxbxFUx36JIhME2PU7lkD+3agKO7+6nA
-yEIw8IzQmM8C9dZoPajtvdUOF5kJ/C+rtgLczcmP1bs
-> ssh-rsa eFi+Zw
-O5XRvS+Y/1mm9nQ7IZmxEp7RmFjAH0OTKPkRTME7BybnePPZLL0l6wMP26hx88Nv
-dOqdaS07Xb26EIgCS/4xCY4sPWZNEfAfnDVoF4/SNbmfbN0XpNpR981AWcxiTL35
-Fngk0lPa1NtuUH4S4zTda21kXHE0zv2mYLNMuek8dTrUd2piC+Z0WJJdrG1LK0hN
-dDuLzX/mNibNXDvYxyD6mtkO2S1wO9QL88ucNZptT29vcaD48EZM/SsAwgf3OoqH
-kd7jSTTdZ/yk8ccTMiT5eskQ3ZZcqc7JaF+M2d88DP6LcSaJnNzyVSEMAHHfpoY1
-/kHxZ88/ehwPDXrp0bL448jdPuWqPSerzCWyyZFbc8Jj6zRUtC5joL0Vq2Rqs+EH
-rmKMfi1l2+utleGYfCyHI5/czsMhJ2jXLGPguWQQdixNtb/RWFw6DeRP9xdO9QJR
-LkoAFgv0ykP+L+C6sA7bpJqIGNftl4x8OUQxrKtf3YQ8K2LhUZb23JPn4Ob/QXo/
-
--- W7eUDhB/RBUYV1gaM4ktPEOVU6l5IRgOoRDpKKpvAnM
-O\òŒMúOýJä	ÍÅ!ÒHûËÄpK¥Õ:gßÙ[6™M¡VÞÃbYæÌí;è€F'¡#ä7&Žs1„	óØ±‰6º�²5_nÂ’mõÔ.¼qñ'à˜ƒq®6Êf-ÖÄW™w›½ß#5³¯6ˆ¼ŸêªrÒð�„Ð#œÅÄ€=�4EÎËlžÕÿ[
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
-ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
-ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
-ä3ÛÿÉèŸP>gòh@ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍPÂòã†¿y?•ÉŽU�SNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OÎ‰Puh‹½ŽÞ=t¶5|¿×“s×€ú&!‰Î-�æTÝSÆfÕ™-j"#žiÂwzºš›ãjö¯“HŒí�
@@ -1,20 +1,34 @@
 age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 8rfiRx7+Gr9BtiSXsVEs2W+pXoms6ynODC1TL90+Wi4
-/uMnYMJovbaPjwX1qCAtIokov40RYIAm2Mup5XKBJvw
-> ssh-ed25519 zNC8SA FlxMK7kMYnKHY9MBJ+HYDI4GNS0nSgZxVuRe4yTWBgg
-HPOV31k8Ueb1W5usG7iLXDQxyAlISrgHThddHpGY2+s
-> ssh-ed25519 EiAAKw Bu7+NJXivoRA07glNWUlBGu03J0ueth7XDU7SWQYT30
-r/DBmf4TRDJBgFF0KdeHuKL5hLdU1z6HtfAAVbc6Y0I
+-> ssh-ed25519 Wl2fDA dM0TgKtswZcbEV9tGGY26YCksV2xadHWXv7D/KksAWk
+1vCcuHmVP2xiHd/7hh0z2Hiq/EeA8uvdsRtQReC5hNY
+-> ssh-ed25519 zNC8SA uTO/3ePjgiKqk3jeRGZX5D3LjzhSBlp2rD2ZakKmfX0
+tVkEEcP/KfD9x52l7iz5F3hKK0LSckjXWK5YP2aeBt4
+-> ssh-ed25519 EiAAKw Etu0I4IzJ3BB2SzCeiexx+dhcLUO5d2Ws+WiJyLk/Sw
+9GBcZPsIXO3mXbri3lFYjtBBu0wFYul6hKsCvBKVLFs
 -> ssh-rsa eFi+Zw
-Nu4gAM/vbh0kpEUIaT4P6iTe9qFFM/9IVxiiKPYHdPnCmPJHrug1afLLFrrrpqkd
-o1NrfYIM9gW6jl5QMCcP5DpzMTppokX0P1Tz1ZeOEtZUVtGeZ7Q2wmL4zftwmG9J
-qoDjsCd0z6MPDUdU46qc7kjQBhOwGLfHXTfGLXGNZxqj0oLvEoEKpdvFNBvMSyxK
-oGZRwGsHQcUXKhCPtf6PVtSkHMABzpUAhgS8oqjp4RVurD0lcrPgsx8pSRRarfyE
-ll1QbFCjftuJfeIEshgRkaLGjIQpZDFA3w2XMqDddFz5H/9Ak+F8/rkNnUrN2x4M
-amca8s4Sbls6RjyysarIytilCtpaKEI2sgkD2fERao6ayTSnWF45qqh635OLaP5A
-b7qcru9gO0C3Ik+UuiZMgovxo/+yBYe3+8x8q/uKR4apPAkt/2q28Uilw1WboIEB
-rIjBr0BN1JeHvkiyljJGcvGf5jHdmOrpQu/L1xuSDjsTnh+U6BshQC8bbkJNsVoL
+uOZsBC+IMHdX2h9Jq/CF/L3BsxDW+dULk04JQbDeM85Mrxxdrv2X3w7AW8YU2KS+
+Xg8LnzH01z4Nfs89uysM/lsWptc9qMeaK9o0oHC+tSJH4Ch43MejbmFYjFibHaCm
+krQM7dAGIJwc/o0+ykaCrbXSvXAyfd6Nw1izou2ZcDRI7mTipOZO8F949SIk//Rc
+UJgPLqpGwScEfrHf4f6tySC4LmD0bPIV1xDpmmXcS7c83E9+iVOtb5Y1In6CQrF1
+XZQCb9MkPySbuicwR022CySb+lc7Ru44RdqBgV1e+wphyZCoqCk09i18egV3hNs6
+iEul3M8dqV27yRKrWIUD5jT2tUszTNJfreiuZl9eDmLkcVWExkWzqWPUFJ48hQiZ
+89Z4Evn04vZGoeL67K5q93lSRHz109zT/KIJSQMZpbaecGAoiZDM8Mdq3KzawGSG
+ENQazx6lnGoMccvxFhjrVqfYj3U4S/pnCow5fatvkBQSyysL63UxE5ivcFUHHppB

--- GCTLfa/BICL9AWTaqGC13M101Z8sqSqPP4ysJVv5zvg
-]
-ý¢Ôÿi¹‡7c·f`b@%X”¿J�)û[<+;x-ÇKmTõ@ãÌ„�ýŸK]7sc*ëŸ‡¼2Ý®5
+-> ssh-ed25519 QovoLQ wgg0cFlYEVafE3rXK4GrID3RTatZdKPYzsjT18WskFM
+bgv+7an3xgdqf6WaiB1FFkXObcykUnvH6lJmX5gFJkQ
+-> ssh-rsa OFkEIg
+IIQbFB6VUwbB+ZtKR7Ayg9Im6vMU1AzqHT8CBagA5fwJ7Vp1GuX1X9SxL9hMPkd3
+4osEbSu3JJDMwfC6AfFtcEjmxjmRYyiYlzmIjhVEsaTlwyeucAPd+fdj+TPjHidZ
+dffizNEOiENY49jlmWTjMqYKnBsSP9GfH4ZsKpCaWMm2h9p687weuXFfbYfjYMII
+a3C4iG8m+mZ4crYTKZu6WPbnHn9g0pMxZBs4v6MnBHk6eEJ0uiJvrzYApoFE5om7
+9AknL27ra/+A1UQl+1kzLT+IivJa8FCfZ+zF1RYLRvSATlIzCqCiBiayAsVtQg5O
+girBRnlAJTPisszyoAhsqbECvD6bJfwlTW0STg/M1u3ZPMTGL4V0gJgynANmjb7Y
+TXd11zuhjRYgOBAj09trQFTmmwIgPvvu8+VXNDNPAp02ffBT8kMUvSEik98/35x1
+Dwvm38t05O6nqyHUF957CRVTzPQPAnb5Cd+Rw/joID2YPyFN9IZwE4mi2Bf3zdZo
+roxtqCupmWkpxMNN7GZJrmCE/Lh6YV4DgUd6VNQc7QlGsq5K4XRT7aa+s+17cC8e
+HCxQfGM8sMe9T6IK+K4p6qTqluyI/X0r95kGfzhNmgzufc44i6X497i3fDSVoLpx
+Uo7Ao3QRNPyaUXcqTTIg8Kx9YiLQC3tDblVJjIZU89o
+--- Vb9o/bhuN6XXjfK04haEEUXnuIA02j4GH9PmAh0ayN8
+óE¬dGs;’Ž°À±��ü
+ñ,OHˆÿœˆ{²¶>ú*wAÃLÌÄ\©0SQöÖ*{6fô‰+Xš¨.
@@ -1,25 +1,15 @@
 let
-  inherit (import ../lib)
-    users
-    adminSSHKeys
-    attrsToList
-    getSSHKeys
-    ;
+  users = import ../lib/ssh/keys.nix;

  tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
 in
 {
-  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;

  # tsig-keygen etc.sub.domain.tld.
-  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
+  # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
+
+  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
 }
-// builtins.listToAttrs (
-  map (user: {
-    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
-    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
-  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
-)
@@ -16,19 +16,13 @@ To test the environment, you can launch a virtualized NixOS system derived from
 nix run '.#nixosConfigurations.<system>.config.system.build.vm'
 ```

-Here, `<system>` refers to the hostname of the system you want to test (e.g., tuxcord-test).
+Here, `<system>` refers to the hostname of the system you want to test (e.g., tuxcord-ca).

 Note that this will create a `qcow2` image file in the current directory. Nix will automatically manage changes to the configuration and update the image file accordingly while keeping part of its mutable state (e.g., root bash history).

 > [!WARNING]
 > Not all changes are applied automatically. Updates such as user passwords changes or modifications to the filesystem layout will require deleting the image file so that Nix can re-create it from scratch.

-# Access
-
-The initial password for the `root` account is `tuxcord`.
-
-SSH login is enabled for the configured user keys, if using the VM test configuration, yo will have to use the bridged IP.
-
 # Tooling

 Tooling used to aid in development.
@@ -42,7 +42,7 @@ Host specific configuration can be found at `nixos/hosts/tuxcord-XX`. This is us

 To learn how to get started, refer to the [Getting Started guide](./GETTING_STARTED.md).

-The guide contains basic instructions as to how to use Nix for this repository, as well as tools to help in certain tasks, some of this tools might be assumed across document resources.
+The guide contains basic instructions as to how to use Nix for this repository, as well as tools to help in certain tasks, some of this tools might be assumed accross document resources.

 It might also be useful to read the [installation section](#installation) to learn how to configure your testing environment.

@@ -6,20 +6,14 @@ Secrets are managed with `agenix` in the `agenix/` directory. This allows to dec

 The `agenix` help menu is already very helpful, but here you have a survival guide:

- `agenix` commands should run relative to the `agenix/` directory.
+- `agenix` commands should run relative to the `agenix/` direcotry.
 - `agenix -d` allows you to descrypt such file if you possess any of the decryption keys.
 - `agenix -e` decrypts (if present) and opens the file in your editor to re-encrypt when exited.
 - `agenix -r` re-encypts `*.age` files in the case you ever change its decryption keys.

 # Secrets

-There is a `ntfy.age` secret file which contents look like:
-
-```sh
-NTFY_TOPIC=readable-name_XXXXXXXXXX
-```
-
-This secret file is meant to be sources by shells before using [ntfy.sh](<https://ntfy.sh/>) to push important notifications. This topic could contain sensitive information and must be kept secret amongst administrators.
+<!-- TODO: missing ntfy.sh secret docs -->

 ## DNS TSIG Keys

@@ -30,5 +24,5 @@ These keys can be generated using `tsig-keygen <key-name>` (historically they we
 When DNS is enabled for a host, it will look for `dns/${fqdn}/${zone}.key` secrets.

 - The key whose zone matches the `${fqdn}` will be allowed to tramit updates for all the domain.
- Keys restrained to a specific `${zone}` will only be allowed to edit records of such zone.
+- Keys restrained to a specific `${subdomain}` will only be allowed to edit records of such subdomain.
 - All keys must be named with the zone they affect, final dot included, so that (e.g. `tuxcord.net/javalsai.tuxcord.net.key` must be generated by `tsig-keygen javalsai.tuxcord.net.`).
@@ -2,13 +2,7 @@

 The first configuration of the server needs some configuration of its mutable state:

-Setup also heavily relies on the secrets configured, make sure you [understand agenix](./SECRETS.md) good enough.
-
-# Root Password
-
-The `root` password is `tuxcord` by default on all system configurations. For security, it's important to remember to change it as soon as an installation is done.
-
-The root account is intended to be kept active in case there ever is the need to perform a TTY login. But this will be rare so do keep a security complex password saved somewhere and don't share it beyond the necessary amount.
+Setup also heavily relies on the secrets configured, make sure you [undestand agenix](./SECRETS.md) good enough.

 # SSH Keys

@@ -52,11 +52,6 @@
          formatter = pkgs.nixfmt;
        };

-      flake = {
-        lib = import ./lib;
-        pins = import ./npins;
-      };
-
      systems = [
        "x86_64-linux"
        "aarch64-linux"
@@ -1,24 +0,0 @@
-rec {
-  toList = x: if builtins.isList x then x else [ x ];
-
-  nameValuePair = name: value: { inherit name value; };
-
-  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
-
-  attrsToList = mapAttrsToList nameValuePair;
-
-  getSSHKeys =
-    username:
-    if (builtins.hasAttr "ssh" users.${username}) then
-      toList users.${username}.ssh
-    else
-      builtins.warn "user ${username} declared without ssh keys" [ ];
-
-  users = import ./users.nix;
-
-  adminSSHKeys = builtins.concatLists (
-    map (user: getSSHKeys user.name) (
-      builtins.filter (user: user.value.admin or false) (attrsToList users)
-    )
-  );
-}
@@ -0,0 +1,8 @@
+{
+  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+
+  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
+}
@@ -1,26 +0,0 @@
-{
-  error = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-    admin = true;
-    ddns = true;
-  };
-
-  javalsai = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-    admin = true;
-    ddns = true;
-  };
-
-  max = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-    admin = true;
-  };
-
-  vectorum = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
-  };
-
-  pickzelle = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
-  };
-}
@@ -28,8 +28,6 @@ in
    ./vm.nix
  ];

-  age.secrets.ntfy.file = "${self}/agenix/ntfy.age";
-
  nix = {
    package = inputs'.nix-super.packages.default;

@@ -100,17 +98,21 @@ in
    extraHosts =
      let
        subdomains = [
-          "git"
-          "auth"
+          ""
+          ".git"
        ];
-
-        inherit (config.networking) fqdn;
-        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
      in
-      lib.concatMapStrings (host: ''
+      builtins.foldl' (
+        hosts-acc: domain-prefix:
+        let
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
          127.0.0.1 ${host}
          ::1 ${host}
-      '') hosts;
+        ''
+      ) "" subdomains;
  };

  virtualisation.podman.enable = true;
@@ -33,6 +33,5 @@ in
    tuxcord-ca = mkSystem "tuxcord-ca" "x86_64-linux";

    tuxcord-test = mkSystem "tuxcord-test" "x86_64-linux";
-    tuxcord-acmetest = mkSystem "tuxcord-acmetest" "x86_64-linux";
  };
 }
@@ -15,10 +15,7 @@
      "xhci_pci"
    ];

-    kernelModules = [
-      "kvm-amd"
-      "kvm-intel"
-    ];
+    kernelModules = [ "kvm-intel" ];
  };

  hardware = {
@@ -1,14 +0,0 @@
-{
-  imports = [
-    ./storage.nix
-  ];
-
-  networking.fqdn = "nix.tuxcord.net";
-
-  acme.rfc2136.nameserver = "tuxcord.net";
-  dns.enable = true;
-
-  services.getty.autologinUser = "root";
-
-  time.timeZone = "Europe/Madrid";
-}
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -4,13 +4,7 @@
    ./storage.nix
  ];

-  acme = {
-    enable = true;
-    useSelfDns = true;
-  };
-
  dns.enable = true;
  networking.fqdn = "tuxcord.net";
-
  time.timeZone = "Canada/Eastern";
 }
@@ -32,7 +32,6 @@
        device = "/dev/xvda2";
        fsType = "btrfs";
        options = [ "subvol=@persist" ] ++ defaultOptions;
-        neededForBoot = true;
      };
    };
 }
@@ -1,12 +1,4 @@
 {
-  imports = [
-    ./storage.nix
-  ];
-
-  networking.fqdn = "tuxcord.test";
-
-  acme.enable = false;
  dns.enable = true;
-
-  services.getty.autologinUser = "root";
+  networking.fqdn = "tuxcord.test";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -55,6 +55,8 @@
    };
  };

+  fileSystems."/persist".neededForBoot = true;
+
  environment.persistence."/persist" = {
    enable = true;
    hideMounts = true;
@@ -70,6 +72,10 @@
    ];
    files = [
      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
  };

@@ -1,89 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.acme;
-
-  inherit (lib)
-    mkIf
-    mkEnableOption
-    mkOption
-    types
-    ;
-
-  inherit (config.networking) fqdn;
-in
-{
-  # we'll only support rfc2136 based challenges
-  options.acme = {
-    enable = mkEnableOption "" // {
-      default = true;
-    };
-
-    useSelfDns = mkOption {
-      default = false;
-      description = "Sets values of the self DNS if enabled, otherwise requires manual `rfc2136` nameserver and key values.";
-    };
-
-    rfc2136 = {
-      key = mkOption {
-        type = types.path;
-        default = config.age.secrets."dns/${fqdn}.key.age".path;
-      };
-
-      nameserver = mkOption {
-        type = types.str;
-        default = if cfg.useSelfDns then fqdn else null;
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = with cfg.rfc2136; nameserver != null && key != null;
-        message = "ACME needs rfc2136 parameters to work, consider using `useSelfDns` option.";
-      }
-    ];
-
-    environment.persistence."/persist".directories = [
-      {
-        directory = "/var/lib/acme";
-        group = "acme";
-        user = "acme";
-      }
-    ];
-
-    security.acme = {
-      acceptTerms = true;
-
-      defaults = {
-        email = "error@tuxcord.net";
-        reloadServices = [ "nginx" ];
-        postRun = ''
-          source ${config.age.secrets.ntfy.path}
-          ${pkgs.ntfy-sh}/bin/ntfy publish -T recycle -t "${config.host.name}" "HTTPS certificate has been renewed"
-        '';
-      };
-
-      certs."${fqdn}" = {
-        dnsProvider = "rfc2136";
-        environmentFile =
-          with cfg.rfc2136;
-          builtins.toFile "dns-01-challenge.cfg" ''
-            RFC2136_NAMESERVER=${nameserver}
-            RFC2136_TSIG_FILE="${key}"
-          '';
-        extraDomainNames = [
-          "*.${fqdn}"
-          "${fqdn}"
-        ];
-
-        inherit (config.services.nginx) group;
-      };
-    };
-  };
-}
@@ -1,136 +0,0 @@
-{ config, ... }:
-let
-  inherit (config.networking) fqdn;
-
-  acmeEnabled = config.acme.enable;
-in
-{
-  services.authelia.instances.main = {
-    enable = true;
-
-    secrets = {
-      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
-      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
-      sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
-    };
-
-    settings = {
-      theme = "dark";
-      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
-
-      server.address = "127.0.0.1:3001";
-
-      log = {
-        level = "debug";
-        format = "text";
-      };
-
-      authentication_backend = {
-        file = {
-          path = "/var/lib/authelia-main/users_database.yml";
-        };
-      };
-
-      access_control = {
-        default_policy = "deny";
-        rules = [
-          {
-            domain = [ "auth.${fqdn}" ];
-            policy = "bypass";
-          }
-          {
-            domain = [ "*.${fqdn}" ];
-            policy = "one_factor";
-          }
-        ];
-      };
-
-      session = {
-        name = "authelia_session";
-        expiration = "12h";
-        inactivity = "45m";
-        remember_me = "1M";
-        domain = "${fqdn}";
-        redis.host = "/run/redis-authelia-main/redis.sock";
-      };
-
-      regulation = {
-        max_retries = 3;
-        find_time = "5m";
-        ban_time = "15m";
-      };
-
-      storage = {
-        local = {
-          path = "/var/lib/authelia-main/db.sqlite3";
-        };
-      };
-
-      notifier = {
-        disable_startup_check = false;
-        filesystem = {
-          filename = "/var/lib/authelia-main/notification.txt";
-        };
-      };
-    };
-  };
-
-  services.redis.servers.authelia-main = {
-    enable = true;
-    user = "authelia-main";
-    port = 0;
-    unixSocket = "/run/redis-authelia-main/redis.sock";
-    unixSocketPerm = 600;
-  };
-
-  # services.openldap = {
-  #   enable = true;
-
-  #   # enable plain connections only
-  #   urlList = [ "ldap:///" ];
-
-  #   settings = {
-  #     attrs = {
-  #       olcLogLevel = "conns config";
-  #     };
-
-  #     children = {
-  #       # "cn=schema".includes = [
-  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-  #       # ];
-
-  #       "olcDatabase={1}mdb".attrs = {
-  #         objectClass = [
-  #           "olcDatabaseConfig"
-  #           "olcMdbConfig"
-  #         ];
-
-  #         olcDatabase = "{1}mdb";
-  #         olcDbDirectory = "/var/lib/openldap/data";
-
-  #         olcSuffix = "dc=example,dc=com";
-
-  #         # your admin account, do not use writeText on a production system
-  #         olcRootDN = "cn=admin,dc=example,dc=com";
-  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
-
-  #         olcAccess = [
-  #           # custom access rules for userPassword attributes
-  #           ''
-  #             {0}to attrs=userPassword
-  #                           by self write
-  #                           by anonymous auth
-  #                           by * none''
-
-  #           # allow read on anything else
-  #           ''
-  #             {1}to *
-  #                           by * read''
-  #         ];
-  #       };
-  #     };
-  #   };
-  # };
-}
@@ -1,7 +1,5 @@
 {
  imports = [
-    ./acme.nix
-    ./authelia.nix
    ./dns.nix
    ./fail2ban.nix
    ./gitea.nix
@@ -1,21 +1,6 @@
-{
-  config,
-  lib,
-  self,
-  ...
-}:
+{ config, lib, ... }:
 let
-  cfg = config.dns;
-
-  inherit (lib)
-    mkEnableOption
-    mkIf
-    strings
-    ;
-
-  inherit (config.networking) fqdn;
-
-  agenixDnsDir = "${self}/agenix/dns/${fqdn}";
+  agenixDnsDir = ../../agenix/dns + "/${config.dns.domain}";
  agenixKeys = builtins.attrNames (builtins.readDir agenixDnsDir);

  keys = map (
@@ -25,23 +10,35 @@ let
      subdomain = name: "subdomain ${name}";

      zoneDomain =
-        if strings.hasSuffix ".key.age" filename then
-          strings.removeSuffix ".key.age" filename
+        if lib.strings.hasSuffix ".key.age" filename then
+          lib.strings.removeSuffix ".key.age" filename
        else
          throw "${filename} is not a `.key.age` file";
    in
    {
-      inherit (config.age.secrets."dns/${filename}") path;
      name = zoneDomain;
-      type = if zoneDomain == fqdn then zonesub else subdomain;
+      path = config.age.secrets."dns/${filename}".path;
+      type = if zoneDomain == config.dns.domain then zonesub else subdomain;
    }
  ) agenixKeys;
+
+  cfg = config.dns;
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    mkIf
+    ;
 in
 {
  options.dns = {
    enable = mkEnableOption "" // {
      default = true;
    };
+
+    domain = mkOption {
+      type = with lib.types; str;
+      default = config.networking.fqdn;
+    };
  };

  config = mkIf cfg.enable {
@@ -56,8 +53,7 @@ in
          value = {
            file = path;
            group = "named";
-            owner = if config.acme.enable then "acme" else "named";
-            mode = "440";
+            owner = "named";
          };
        }
      ) agenixKeys
@@ -68,7 +64,8 @@ in

      extraConfig = builtins.concatStringsSep "\n" (map (key: "include \"${key.path}\";") keys);

-      zones."${fqdn}" = {
+      zones = {
+        "${config.dns.domain}" = {
          # grant "tuxcord.net" zonesub ANY;
          extraConfig = ''
            update-policy {
@@ -77,10 +74,11 @@ in
              )}
            };
          '';
-        file = "/var/dns/${fqdn}.zone"; # need to put default stuff
+          file = "/var/dns/${config.dns.domain}.zone"; # need to put default stuff
          master = true;
        };
      };
+    };

    environment.persistence."/persist".directories = [
      {
@@ -1,40 +1,27 @@
-{ config, ... }:
-let
-  inherit (config.networking) fqdn;
-
-  acmeEnabled = config.acme.enable;
-in
+{ config, lib, ... }:
 {
  services.gitea = {
    enable = true;

-    appName = "TuxCord Gitea";
+    appName = "Tuxcord's Gitea";
    database.type = "mysql";

    lfs.enable = true;

-    settings = {
-      server = {
-        DOMAIN = fqdn;
-        ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
-        HTTP_PORT = 3000;
-      };
+    settings.server.DOMAIN = config.networking.fqdn;
+    # settings.server.ROOT_URL = "https://git.tuxcord.net/"; ? would also depend on ssl status
+    settings.server.HTTP_PORT = 3000;

-      service = {
-        DISABLE_REGISTRATION = true;
-        REQUIRE_SIGNIN_VIEW = false;
-      };
+    settings.service.DISABLE_REGISTRATION = true;
+    settings.service.REQUIRE_SIGNIN_VIEW = false;

-      repository = {
-        ENABLE_PUSH_CREATE_USER = true;
-        ENABLE_PUSH_CREATE_ORG = true;
-        DEFAULT_BRANCH = "main";
-      };
+    settings.repository.ENABLE_PUSH_CREATE_USER = true;
+    settings.repository.ENABLE_PUSH_CREATE_ORG = true;
+    settings.repository.DEFAULT_BRANCH = "main";

-      # ui.DEFAULT_THEME = "...";
+    # settings.ui.DEFAULT_THEME = "...";

    # TODO: once we have email setup this would be nice
-      mailer.ENABLED = true;
-    };
+    settings.mailer.ENABLED = true;
  };
 }
@@ -1,46 +1,17 @@
-{ config, self, ... }:
+{ config, ... }:
 let
  inherit (config.networking) fqdn;

  mkVhost =
-    attrs: locations:
-    let
-      acmeEnabled = config.acme.enable;
-    in
+    attrs:
    {
-      forceSSL = acmeEnabled;
-      useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
+      forceSSL = false; # TODO: tweak per host
    }
    // attrs;

  mkProxy = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
-
-    extraConfig = ''
-      proxy_buffering off;
-      proxy_request_buffering off;
-    '';
  };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
  services.nginx = {
@@ -52,18 +23,14 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts = {
-      "${fqdn}" = mkVhost { default = true; } {
-        "/" = mkSsi "${self.pins.website}/web-root";
-      };
+    # services.nginx.virtualHosts."${fqdn}" = {
+    #   addSSL = true;
+    #   root = "/var/www/myhost.org";
+    #   default = true;
+    # };

-      "git.${fqdn}" = mkVhost { } {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
-      };
-
-      "auth.${fqdn}" = mkVhost { } {
-        "/" = mkProxy 3001;
-      };
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
    };
  };

@@ -4,7 +4,6 @@

    settings = {
      ClientAliveInterval = 300;
-      X11Forwarding = true;

      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
@@ -1,6 +1,25 @@
 { lib, self, ... }:
 let
-  inherit (self.lib) users;
+  users = [
+    {
+      name = "error";
+      options.admin = true;
+    }
+    {
+      name = "javalsai";
+      options.admin = true;
+    }
+    {
+      name = "max";
+      options.admin = true;
+    }
+    {
+      name = "vectorum";
+    }
+    {
+      name = "pickzelle";
+    }
+  ];

  adminGroups = [
    "adm"
@@ -11,12 +30,29 @@ let
    "wheel"
  ];

-  mkUser = name: uid: admin: {
+  getSSHKeys =
+    username:
+    let
+      sshKeys = import "${self}/lib/ssh/keys.nix";
+    in
+    if (builtins.hasAttr username sshKeys) then
+      lib.lists.toList sshKeys.${username}
+    else
+      lib.warn "user ${username} declared without ssh key" [ ];
+
+  mkUser =
+    name: uid: options:
+    let
+      admin = options.admin or false;
+
+    in
+    {
      users.users.${name} = {
-      inherit uid;
        isNormalUser = true;
        extraGroups = lib.optionals admin adminGroups;
-      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
+        inherit uid;
+
+        openssh.authorizedKeys.keys = getSSHKeys name;
      };

      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
@@ -33,33 +69,21 @@ in
 lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
-      options = lib.recursiveUpdate attrs.options (
-        mkUser user.name attrs.uid (user.value.admin or false)
-      );
+      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
      uid = attrs.uid + 1;
    })
    {
      options = { };
      uid = 1000;
    }
-    (lib.attrsToList users)
+    users
  ).options
  {
-    users = {
-      motd = ''
-                  __                                          __                      __
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
-
-      users.root = {
+    users.users.root = {
      initialPassword = "tuxcord";
-        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      };
+
+      openssh.authorizedKeys.keys = lib.lists.concatLists (
+        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
+      );
    };
  }
@@ -7,8 +7,8 @@
    memorySize = 4096;

    qemu.networkingOptions = lib.mkForce [
-      "-nic bridge,br=virbr0,id=hn0,model=virt-net-pci,helper=\${QEMU_BRIDGE_HELPER_PATH}"
-      "-device virtio-net-pci,netdev=hn0,id=nic1,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
+      "-net nic,netdev=user.0,model=virtio"
+      "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
    ];
  };
 }
@@ -1,146 +0,0 @@
-/*
-  This file is provided under the MIT licence:
-
-  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-  The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-  THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-*/
-# Generated by npins. Do not modify; will be overwritten regularly
-let
-  data = builtins.fromJSON (builtins.readFile ./sources.json);
-  version = data.version;
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
-  range =
-    first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
-  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
-  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
-  concatMapStrings = f: list: concatStrings (map f list);
-  concatStrings = builtins.concatStringsSep "";
-
-  # If the environment variable NPINS_OVERRIDE_${name} is set, then use
-  # the path directly as opposed to the fetched source.
-  # (Taken from Niv for compatibility)
-  mayOverride =
-    name: path:
-    let
-      envVarName = "NPINS_OVERRIDE_${saneName}";
-      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
-      ersatz = builtins.getEnv envVarName;
-    in
-    if ersatz == "" then
-      path
-    else
-      # this turns the string into an actual Nix path (for both absolute and
-      # relative paths)
-      builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
-        if builtins.substring 0 1 ersatz == "/" then
-          /. + ersatz
-        else
-          /. + builtins.getEnv "PWD" + "/${ersatz}"
-      );
-
-  mkSource =
-    name: spec:
-    assert spec ? type;
-    let
-      path =
-        if spec.type == "Git" then
-          mkGitSource spec
-        else if spec.type == "GitRelease" then
-          mkGitSource spec
-        else if spec.type == "PyPi" then
-          mkPyPiSource spec
-        else if spec.type == "Channel" then
-          mkChannelSource spec
-        else if spec.type == "Tarball" then
-          mkTarballSource spec
-        else
-          builtins.throw "Unknown source type ${spec.type}";
-    in
-    spec // { outPath = mayOverride name path; };
-
-  mkGitSource =
-    {
-      repository,
-      revision,
-      url ? null,
-      submodules,
-      hash,
-      branch ? null,
-      ...
-    }:
-    assert repository ? type;
-    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
-    # In the latter case, there we will always be an url to the tarball
-    if url != null && !submodules then
-      builtins.fetchTarball {
-        inherit url;
-        sha256 = hash; # FIXME: check nix version & use SRI hashes
-      }
-    else
-      let
-        url =
-          if repository.type == "Git" then
-            repository.url
-          else if repository.type == "GitHub" then
-            "https://github.com/${repository.owner}/${repository.repo}.git"
-          else if repository.type == "GitLab" then
-            "${repository.server}/${repository.repo_path}.git"
-          else
-            throw "Unrecognized repository type ${repository.type}";
-        urlToName =
-          url: rev:
-          let
-            matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
-
-            short = builtins.substring 0 7 rev;
-
-            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
-          in
-          "${if matched == null then "source" else builtins.head matched}${appendShort}";
-        name = urlToName url revision;
-      in
-      builtins.fetchGit {
-        rev = revision;
-        inherit name;
-        # hash = hash;
-        inherit url submodules;
-      };
-
-  mkPyPiSource =
-    { url, hash, ... }:
-    builtins.fetchurl {
-      inherit url;
-      sha256 = hash;
-    };
-
-  mkChannelSource =
-    { url, hash, ... }:
-    builtins.fetchTarball {
-      inherit url;
-      sha256 = hash;
-    };
-
-  mkTarballSource =
-    {
-      url,
-      locked_url ? url,
-      hash,
-      ...
-    }:
-    builtins.fetchTarball {
-      url = locked_url;
-      sha256 = hash;
-    };
-in
-if version == 5 then
-  builtins.mapAttrs mkSource data.pins
-else
-  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
@@ -1,17 +0,0 @@
-{
-  "pins": {
-    "website": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
-      "url": null,
-      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
-    }
-  },
-  "version": 5
-}
@@ -5,24 +5,6 @@
    {
      devShells.default = pkgs.mkShell {
        name = "configuration.nix";
-
-        shellHook = ''
-          for path in \
-            /usr/lib/qemu/qemu-bridge-helper \
-            /run/wrappers/bin/qemu-bridge-helper
-          do
-            if [ -x "$path" ]; then
-              export QEMU_BRIDGE_HELPER_PATH="$path"
-              break
-            fi
-          done
-
-          if [ -z "$QEMU_BRIDGE_HELPER_PATH" ]; then
-            printf "\033[1;33m%s\033[0m\n" \
-              "WARN: 'qemu-bridge-helper' not found, make sure it is installed and the nix shell hook is looking for it" >&2
-          fi
-        '';
-
        packages = with pkgs; [
          bat
          cachix
@@ -31,6 +13,7 @@
          git
          inputs.agenix.packages.${stdenv.hostPlatform.system}.default
          jujutsu
+          neovim
          nix-output-monitor
          nixfmt
          npins
Author	SHA1	Message	Date
javalsai	64c1ea18e0	docs: document installation, secrets and setup steps Check / Nix flake (push) Failing after 8s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-03 19:13:21 -04:00
javalsai	1a866719ea	nixos/services: make dns configuration easier	2026-05-03 19:13:21 -04:00
javalsai	a0125116cd	nixos/service: add dns (bind named server)	2026-05-03 19:12:19 -04:00
javalsai	2c6ea390f0	nixos/programs: add bind utils	2026-05-03 18:25:42 -04:00
javalsai	78df628955	nixos/services: add gitea server Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 11s Details	2026-05-03 18:25:42 -04:00
javalsai	fae8f3580a	nixos/services: add nginx base configuration	2026-05-03 18:25:42 -04:00
javalsai	b6e8297085	nixos/networking: add own fqdn to extraHosts	2026-05-03 13:38:03 -04:00
javalsai	8864af1ddf	nixos/hosts: add tuxcord-vm host configuration	2026-05-03 13:37:25 -04:00
ErrorNoInternet	5942c97c1c	nixos: separate openssh firewall port Check / Nix flake (push) Failing after 8s Details Lint / Nix expressions (push) Failing after 11s Details	2026-05-03 11:29:25 -04:00
javalsai	1c2f11debc	lib/ssh: add more ssh keys Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-02 19:13:36 -04:00
javalsai	4d55336eeb	nixos/vm: enable qemu netork bridge	2026-05-02 18:01:29 -04:00