docs: add sections and fix typos/errors

treewide: initialize npins
treewide: refactor code
2026-05-04 02:01:13 +02:00 · 2026-05-04 02:01:13 +02:00 · 2026-05-04 02:01:13 +02:00 · 2026-05-04 02:01:13 +02:00 · 2026-05-04 01:59:47 +02:00 · 2026-05-04 01:59:47 +02:00
28 changed files with 281 additions and 388 deletions
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
-ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
-ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
-ä3ÛÿÉèŸP>gòh@ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍPÂòã†¿y?•ÉŽU�SNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OÎ‰Puh‹½ŽÞ=t¶5|¿×“s×€ú&!‰Î-�æTÝSÆfÕ™-j"#žiÂwzºš›ãjö¯“HŒí�
@@ -1,20 +1,34 @@
 age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 8rfiRx7+Gr9BtiSXsVEs2W+pXoms6ynODC1TL90+Wi4
-/uMnYMJovbaPjwX1qCAtIokov40RYIAm2Mup5XKBJvw
-> ssh-ed25519 zNC8SA FlxMK7kMYnKHY9MBJ+HYDI4GNS0nSgZxVuRe4yTWBgg
-HPOV31k8Ueb1W5usG7iLXDQxyAlISrgHThddHpGY2+s
-> ssh-ed25519 EiAAKw Bu7+NJXivoRA07glNWUlBGu03J0ueth7XDU7SWQYT30
-r/DBmf4TRDJBgFF0KdeHuKL5hLdU1z6HtfAAVbc6Y0I
+-> ssh-ed25519 Wl2fDA dM0TgKtswZcbEV9tGGY26YCksV2xadHWXv7D/KksAWk
+1vCcuHmVP2xiHd/7hh0z2Hiq/EeA8uvdsRtQReC5hNY
+-> ssh-ed25519 zNC8SA uTO/3ePjgiKqk3jeRGZX5D3LjzhSBlp2rD2ZakKmfX0
+tVkEEcP/KfD9x52l7iz5F3hKK0LSckjXWK5YP2aeBt4
+-> ssh-ed25519 EiAAKw Etu0I4IzJ3BB2SzCeiexx+dhcLUO5d2Ws+WiJyLk/Sw
+9GBcZPsIXO3mXbri3lFYjtBBu0wFYul6hKsCvBKVLFs
 -> ssh-rsa eFi+Zw
-Nu4gAM/vbh0kpEUIaT4P6iTe9qFFM/9IVxiiKPYHdPnCmPJHrug1afLLFrrrpqkd
-o1NrfYIM9gW6jl5QMCcP5DpzMTppokX0P1Tz1ZeOEtZUVtGeZ7Q2wmL4zftwmG9J
-qoDjsCd0z6MPDUdU46qc7kjQBhOwGLfHXTfGLXGNZxqj0oLvEoEKpdvFNBvMSyxK
-oGZRwGsHQcUXKhCPtf6PVtSkHMABzpUAhgS8oqjp4RVurD0lcrPgsx8pSRRarfyE
-ll1QbFCjftuJfeIEshgRkaLGjIQpZDFA3w2XMqDddFz5H/9Ak+F8/rkNnUrN2x4M
-amca8s4Sbls6RjyysarIytilCtpaKEI2sgkD2fERao6ayTSnWF45qqh635OLaP5A
-b7qcru9gO0C3Ik+UuiZMgovxo/+yBYe3+8x8q/uKR4apPAkt/2q28Uilw1WboIEB
-rIjBr0BN1JeHvkiyljJGcvGf5jHdmOrpQu/L1xuSDjsTnh+U6BshQC8bbkJNsVoL
+uOZsBC+IMHdX2h9Jq/CF/L3BsxDW+dULk04JQbDeM85Mrxxdrv2X3w7AW8YU2KS+
+Xg8LnzH01z4Nfs89uysM/lsWptc9qMeaK9o0oHC+tSJH4Ch43MejbmFYjFibHaCm
+krQM7dAGIJwc/o0+ykaCrbXSvXAyfd6Nw1izou2ZcDRI7mTipOZO8F949SIk//Rc
+UJgPLqpGwScEfrHf4f6tySC4LmD0bPIV1xDpmmXcS7c83E9+iVOtb5Y1In6CQrF1
+XZQCb9MkPySbuicwR022CySb+lc7Ru44RdqBgV1e+wphyZCoqCk09i18egV3hNs6
+iEul3M8dqV27yRKrWIUD5jT2tUszTNJfreiuZl9eDmLkcVWExkWzqWPUFJ48hQiZ
+89Z4Evn04vZGoeL67K5q93lSRHz109zT/KIJSQMZpbaecGAoiZDM8Mdq3KzawGSG
+ENQazx6lnGoMccvxFhjrVqfYj3U4S/pnCow5fatvkBQSyysL63UxE5ivcFUHHppB

--- GCTLfa/BICL9AWTaqGC13M101Z8sqSqPP4ysJVv5zvg
-]
-ý¢Ôÿi¹‡7c·f`b@%X”¿J�)û[<+;x-ÇKmTõ@ãÌ„�ýŸK]7sc*ëŸ‡¼2Ý®5
+-> ssh-ed25519 QovoLQ wgg0cFlYEVafE3rXK4GrID3RTatZdKPYzsjT18WskFM
+bgv+7an3xgdqf6WaiB1FFkXObcykUnvH6lJmX5gFJkQ
+-> ssh-rsa OFkEIg
+IIQbFB6VUwbB+ZtKR7Ayg9Im6vMU1AzqHT8CBagA5fwJ7Vp1GuX1X9SxL9hMPkd3
+4osEbSu3JJDMwfC6AfFtcEjmxjmRYyiYlzmIjhVEsaTlwyeucAPd+fdj+TPjHidZ
+dffizNEOiENY49jlmWTjMqYKnBsSP9GfH4ZsKpCaWMm2h9p687weuXFfbYfjYMII
+a3C4iG8m+mZ4crYTKZu6WPbnHn9g0pMxZBs4v6MnBHk6eEJ0uiJvrzYApoFE5om7
+9AknL27ra/+A1UQl+1kzLT+IivJa8FCfZ+zF1RYLRvSATlIzCqCiBiayAsVtQg5O
+girBRnlAJTPisszyoAhsqbECvD6bJfwlTW0STg/M1u3ZPMTGL4V0gJgynANmjb7Y
+TXd11zuhjRYgOBAj09trQFTmmwIgPvvu8+VXNDNPAp02ffBT8kMUvSEik98/35x1
+Dwvm38t05O6nqyHUF957CRVTzPQPAnb5Cd+Rw/joID2YPyFN9IZwE4mi2Bf3zdZo
+roxtqCupmWkpxMNN7GZJrmCE/Lh6YV4DgUd6VNQc7QlGsq5K4XRT7aa+s+17cC8e
+HCxQfGM8sMe9T6IK+K4p6qTqluyI/X0r95kGfzhNmgzufc44i6X497i3fDSVoLpx
+Uo7Ao3QRNPyaUXcqTTIg8Kx9YiLQC3tDblVJjIZU89o
+--- Vb9o/bhuN6XXjfK04haEEUXnuIA02j4GH9PmAh0ayN8
+óE¬dGs;’Ž°À±��ü
+ñ,OHˆÿœˆ{²¶>ú*wAÃLÌÄ\©0SQöÖ*{6fô‰+Xš¨.
@@ -1,25 +1,17 @@
 let
-  inherit (import ../lib)
-    users
-    adminSSHKeys
-    attrsToList
-    getSSHKeys
-    ;
+  users = import ../lib/ssh/keys.nix;

  tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
 in
 {
-  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;

  # tsig-keygen etc.sub.domain.tld.
-  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
+  # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
+
+  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+
+  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
 }
-// builtins.listToAttrs (
-  map (user: {
-    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
-    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
-  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
-)
@@ -52,11 +52,6 @@
          formatter = pkgs.nixfmt;
        };

-      flake = {
-        lib = import ./lib;
-        pins = import ./npins;
-      };
-
      systems = [
        "x86_64-linux"
        "aarch64-linux"
@@ -1,24 +0,0 @@
-rec {
-  toList = x: if builtins.isList x then x else [ x ];
-
-  nameValuePair = name: value: { inherit name value; };
-
-  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
-
-  attrsToList = mapAttrsToList nameValuePair;
-
-  getSSHKeys =
-    username:
-    if (builtins.hasAttr "ssh" users.${username}) then
-      toList users.${username}.ssh
-    else
-      builtins.warn "user ${username} declared without ssh keys" [ ];
-
-  users = import ./users.nix;
-
-  adminSSHKeys = builtins.concatLists (
-    map (user: getSSHKeys user.name) (
-      builtins.filter (user: user.value.admin or false) (attrsToList users)
-    )
-  );
-}
@@ -0,0 +1,8 @@
+{
+  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+
+  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
+}
@@ -1,26 +0,0 @@
-{
-  error = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-    admin = true;
-    ddns = true;
-  };
-
-  javalsai = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-    admin = true;
-    ddns = true;
-  };
-
-  max = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-    admin = true;
-  };
-
-  vectorum = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
-  };
-
-  pickzelle = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
-  };
-}
@@ -100,17 +100,21 @@ in
    extraHosts =
      let
        subdomains = [
-          "git"
-          "auth"
+          ""
+          ".git"
        ];
-
-        inherit (config.networking) fqdn;
-        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
      in
-      lib.concatMapStrings (host: ''
+      builtins.foldl' (
+        hosts-acc: domain-prefix:
+        let
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
          127.0.0.1 ${host}
          ::1 ${host}
-      '') hosts;
+        ''
+      ) "" subdomains;
  };

  virtualisation.podman.enable = true;
@@ -15,10 +15,7 @@
      "xhci_pci"
    ];

-    kernelModules = [
-      "kvm-amd"
-      "kvm-intel"
-    ];
+    kernelModules = [ "kvm-intel" ];
  };

  hardware = {
@@ -1,14 +1,11 @@
 {
-  imports = [
-    ./storage.nix
-  ];
+  acme = {
+    enable = true;
+    rfc2136.nameserver = "tuxcord.net";
+  };

-  networking.fqdn = "nix.tuxcord.net";
-
-  acme.rfc2136.nameserver = "tuxcord.net";
  dns.enable = true;
-
-  services.getty.autologinUser = "root";
+  networking.fqdn = "nix.tuxcord.net";

  time.timeZone = "Europe/Madrid";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -32,7 +32,6 @@
        device = "/dev/xvda2";
        fsType = "btrfs";
        options = [ "subvol=@persist" ] ++ defaultOptions;
-        neededForBoot = true;
      };
    };
 }
@@ -1,12 +1,6 @@
 {
-  imports = [
-    ./storage.nix
-  ];
-
-  networking.fqdn = "tuxcord.test";
-
  acme.enable = false;
  dns.enable = true;

-  services.getty.autologinUser = "root";
+  networking.fqdn = "tuxcord.test";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -55,6 +55,8 @@
    };
  };

+  fileSystems."/persist".neededForBoot = true;
+
  environment.persistence."/persist" = {
    enable = true;
    hideMounts = true;
@@ -70,6 +72,10 @@
    ];
    files = [
      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
  };

@@ -1,136 +0,0 @@
-{ config, ... }:
-let
-  inherit (config.networking) fqdn;
-
-  acmeEnabled = config.acme.enable;
-in
-{
-  services.authelia.instances.main = {
-    enable = true;
-
-    secrets = {
-      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
-      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
-      sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
-    };
-
-    settings = {
-      theme = "dark";
-      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
-
-      server.address = "127.0.0.1:3001";
-
-      log = {
-        level = "debug";
-        format = "text";
-      };
-
-      authentication_backend = {
-        file = {
-          path = "/var/lib/authelia-main/users_database.yml";
-        };
-      };
-
-      access_control = {
-        default_policy = "deny";
-        rules = [
-          {
-            domain = [ "auth.${fqdn}" ];
-            policy = "bypass";
-          }
-          {
-            domain = [ "*.${fqdn}" ];
-            policy = "one_factor";
-          }
-        ];
-      };
-
-      session = {
-        name = "authelia_session";
-        expiration = "12h";
-        inactivity = "45m";
-        remember_me = "1M";
-        domain = "${fqdn}";
-        redis.host = "/run/redis-authelia-main/redis.sock";
-      };
-
-      regulation = {
-        max_retries = 3;
-        find_time = "5m";
-        ban_time = "15m";
-      };
-
-      storage = {
-        local = {
-          path = "/var/lib/authelia-main/db.sqlite3";
-        };
-      };
-
-      notifier = {
-        disable_startup_check = false;
-        filesystem = {
-          filename = "/var/lib/authelia-main/notification.txt";
-        };
-      };
-    };
-  };
-
-  services.redis.servers.authelia-main = {
-    enable = true;
-    user = "authelia-main";
-    port = 0;
-    unixSocket = "/run/redis-authelia-main/redis.sock";
-    unixSocketPerm = 600;
-  };
-
-  # services.openldap = {
-  #   enable = true;
-
-  #   # enable plain connections only
-  #   urlList = [ "ldap:///" ];
-
-  #   settings = {
-  #     attrs = {
-  #       olcLogLevel = "conns config";
-  #     };
-
-  #     children = {
-  #       # "cn=schema".includes = [
-  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-  #       # ];
-
-  #       "olcDatabase={1}mdb".attrs = {
-  #         objectClass = [
-  #           "olcDatabaseConfig"
-  #           "olcMdbConfig"
-  #         ];
-
-  #         olcDatabase = "{1}mdb";
-  #         olcDbDirectory = "/var/lib/openldap/data";
-
-  #         olcSuffix = "dc=example,dc=com";
-
-  #         # your admin account, do not use writeText on a production system
-  #         olcRootDN = "cn=admin,dc=example,dc=com";
-  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
-
-  #         olcAccess = [
-  #           # custom access rules for userPassword attributes
-  #           ''
-  #             {0}to attrs=userPassword
-  #                           by self write
-  #                           by anonymous auth
-  #                           by * none''
-
-  #           # allow read on anything else
-  #           ''
-  #             {1}to *
-  #                           by * read''
-  #         ];
-  #       };
-  #     };
-  #   };
-  # };
-}
@@ -1,7 +1,6 @@
 {
  imports = [
    ./acme.nix
-    ./authelia.nix
    ./dns.nix
    ./fail2ban.nix
    ./gitea.nix
@@ -1,46 +1,21 @@
-{ config, self, ... }:
+{ config, ... }:
 let
  inherit (config.networking) fqdn;

  mkVhost =
-    attrs: locations:
+    attrs:
    let
      acmeEnabled = config.acme.enable;
    in
    {
      forceSSL = acmeEnabled;
      useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
    }
    // attrs;

  mkProxy = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
-
-    extraConfig = ''
-      proxy_buffering off;
-      proxy_request_buffering off;
-    '';
  };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
  services.nginx = {
@@ -52,18 +27,14 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts = {
-      "${fqdn}" = mkVhost { default = true; } {
-        "/" = mkSsi "${self.pins.website}/web-root";
-      };
+    # services.nginx.virtualHosts."${fqdn}" = {
+    #   addSSL = true;
+    #   root = "/var/www/myhost.org";
+    #   default = true;
+    # };

-      "git.${fqdn}" = mkVhost { } {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
-      };
-
-      "auth.${fqdn}" = mkVhost { } {
-        "/" = mkProxy 3001;
-      };
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
    };
  };

@@ -4,13 +4,20 @@

    settings = {
      ClientAliveInterval = 300;
-      X11Forwarding = true;

      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
  };
+<<<<<<< HEAD

  networking.firewall.allowedTCPPorts = [ 22 ];
+||||||| parent of 1c2f11d (lib/ssh: add more ssh keys)
+
+  users.users.root.openssh.authorizedKeys.keys = builtins.attrValues {
+    inherit (import "${self}/lib/ssh/keys.nix") error javalsai;
+  };
+=======
+>>>>>>> 1c2f11d (lib/ssh: add more ssh keys)
 }
@@ -1,6 +1,25 @@
 { lib, self, ... }:
 let
-  inherit (self.lib) users;
+  users = [
+    {
+      name = "error";
+      options.admin = true;
+    }
+    {
+      name = "javalsai";
+      options.admin = true;
+    }
+    {
+      name = "max";
+      options.admin = true;
+    }
+    {
+      name = "vectorum";
+    }
+    {
+      name = "pickzelle";
+    }
+  ];

  adminGroups = [
    "adm"
@@ -11,12 +30,29 @@ let
    "wheel"
  ];

-  mkUser = name: uid: admin: {
+  getSSHKeys =
+    username:
+    let
+      sshKeys = import "${self}/lib/ssh/keys.nix";
+    in
+    if (builtins.hasAttr username sshKeys) then
+      lib.lists.toList sshKeys.${username}
+    else
+      lib.warn "user ${username} declared without ssh key" [ ];
+
+  mkUser =
+    name: uid: options:
+    let
+      admin = options.admin or false;
+
+    in
+    {
      users.users.${name} = {
-      inherit uid;
        isNormalUser = true;
        extraGroups = lib.optionals admin adminGroups;
-      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
+        inherit uid;
+
+        openssh.authorizedKeys.keys = getSSHKeys name;
      };

      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
@@ -33,33 +69,21 @@ in
 lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
-      options = lib.recursiveUpdate attrs.options (
-        mkUser user.name attrs.uid (user.value.admin or false)
-      );
+      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
      uid = attrs.uid + 1;
    })
    {
      options = { };
      uid = 1000;
    }
-    (lib.attrsToList users)
+    users
  ).options
  {
-    users = {
-      motd = ''
-                  __                                          __                      __
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
-
-      users.root = {
+    users.users.root = {
      initialPassword = "tuxcord";
-        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      };
+
+      openssh.authorizedKeys.keys = lib.lists.concatLists (
+        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
+      );
    };
  }
@@ -9,8 +9,15 @@
 */
 # Generated by npins. Do not modify; will be overwritten regularly
 let
-  data = builtins.fromJSON (builtins.readFile ./sources.json);
-  version = data.version;
+  # Backwards-compatibly make something that previously didn't take any arguments take some
+  # The function must return an attrset, and will unfortunately be eagerly evaluated
+  # Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments
+  mkFunctor =
+    fn:
+    let
+      e = builtins.tryEval (fn { });
+    in
+    (if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; };

  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
  range =
@@ -21,7 +28,6 @@ let

  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
-  concatMapStrings = f: list: concatStrings (map f list);
  concatStrings = builtins.concatStringsSep "";

  # If the environment variable NPINS_OVERRIDE_${name} is set, then use
@@ -48,41 +54,87 @@ let

  mkSource =
    name: spec:
+    {
+      pkgs ? null,
+    }:
    assert spec ? type;
    let
+      # Unify across builtin and pkgs fetchers.
+      # `fetchGit` requires a wrapper because of slight API differences.
+      fetchers =
+        if pkgs == null then
+          {
+            inherit (builtins) fetchTarball fetchurl;
+            # For some fucking reason, fetchGit has a different signature than the other builtin fetchers …
+            fetchGit = args: (builtins.fetchGit args).outPath;
+          }
+        else
+          {
+            fetchTarball =
+              {
+                url,
+                sha256,
+              }:
+              pkgs.fetchzip {
+                inherit url sha256;
+                extension = "tar";
+              };
+            inherit (pkgs) fetchurl;
+            fetchGit =
+              {
+                url,
+                submodules,
+                rev,
+                name,
+                narHash,
+              }:
+              pkgs.fetchgit {
+                inherit url rev name;
+                fetchSubmodules = submodules;
+                hash = narHash;
+              };
+          };
+
+      # Dispatch to the correct code path based on the type
      path =
        if spec.type == "Git" then
-          mkGitSource spec
+          mkGitSource fetchers spec
        else if spec.type == "GitRelease" then
-          mkGitSource spec
+          mkGitSource fetchers spec
        else if spec.type == "PyPi" then
-          mkPyPiSource spec
+          mkPyPiSource fetchers spec
        else if spec.type == "Channel" then
-          mkChannelSource spec
+          mkChannelSource fetchers spec
        else if spec.type == "Tarball" then
-          mkTarballSource spec
+          mkTarballSource fetchers spec
+        else if spec.type == "Container" then
+          mkContainerSource pkgs spec
        else
          builtins.throw "Unknown source type ${spec.type}";
    in
    spec // { outPath = mayOverride name path; };

  mkGitSource =
+    {
+      fetchTarball,
+      fetchGit,
+      ...
+    }:
    {
      repository,
      revision,
      url ? null,
      submodules,
      hash,
-      branch ? null,
      ...
    }:
    assert repository ? type;
    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
    # In the latter case, there we will always be an url to the tarball
    if url != null && !submodules then
-      builtins.fetchTarball {
+      fetchTarball {
        inherit url;
-        sha256 = hash; # FIXME: check nix version & use SRI hashes
+        sha256 = hash;
      }
    else
      let
@@ -93,6 +145,8 @@ let
            "https://github.com/${repository.owner}/${repository.repo}.git"
          else if repository.type == "GitLab" then
            "${repository.server}/${repository.repo_path}.git"
+          else if repository.type == "Forgejo" then
+            "${repository.server}/${repository.owner}/${repository.repo}.git"
          else
            throw "Unrecognized repository type ${repository.type}";
        urlToName =
@@ -107,40 +161,89 @@ let
          "${if matched == null then "source" else builtins.head matched}${appendShort}";
        name = urlToName url revision;
      in
-      builtins.fetchGit {
+      fetchGit {
        rev = revision;
-        inherit name;
-        # hash = hash;
-        inherit url submodules;
+        narHash = hash;
+
+        inherit name submodules url;
      };

  mkPyPiSource =
-    { url, hash, ... }:
-    builtins.fetchurl {
+    { fetchurl, ... }:
+    {
+      url,
+      hash,
+      ...
+    }:
+    fetchurl {
      inherit url;
      sha256 = hash;
    };

  mkChannelSource =
-    { url, hash, ... }:
-    builtins.fetchTarball {
+    { fetchTarball, ... }:
+    {
+      url,
+      hash,
+      ...
+    }:
+    fetchTarball {
      inherit url;
      sha256 = hash;
    };

  mkTarballSource =
+    { fetchTarball, ... }:
    {
      url,
      locked_url ? url,
      hash,
      ...
    }:
-    builtins.fetchTarball {
+    fetchTarball {
      url = locked_url;
      sha256 = hash;
    };
+
+  mkContainerSource =
+    pkgs:
+    {
+      image_name,
+      image_tag,
+      image_digest,
+      ...
+    }:
+    if pkgs == null then
+      builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers"
+    else
+      pkgs.dockerTools.pullImage {
+        imageName = image_name;
+        imageDigest = image_digest;
+        finalImageTag = image_tag;
+      };
 in
-if version == 5 then
-  builtins.mapAttrs mkSource data.pins
-else
+mkFunctor (
+  {
+    input ? ./sources.json,
+  }:
+  let
+    data =
+      if builtins.isPath input then
+        # while `readFile` will throw an error anyways if the path doesn't exist,
+        # we still need to check beforehand because *our* error can be caught but not the one from the builtin
+        # *piegames sighs*
+        if builtins.pathExists input then
+          builtins.fromJSON (builtins.readFile input)
+        else
+          throw "Input path ${toString input} does not exist"
+      else if builtins.isAttrs input then
+        input
+      else
+        throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
+    version = data.version;
+  in
+  if version == 7 then
+    builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
+  else
    throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
+)
@@ -1,17 +1,4 @@
 {
-  "pins": {
-    "website": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
-      "url": null,
-      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
-    }
-  },
-  "version": 5
+  "pins": {},
+  "version": 7
 }
@@ -31,6 +31,7 @@
          git
          inputs.agenix.packages.${stdenv.hostPlatform.system}.default
          jujutsu
+          neovim
          nix-output-monitor
          nixfmt
          npins
Author	SHA1	Message	Date
javalsai	e2c359b2c8	docs: add sections and fix typos/errors	2026-05-04 02:01:13 +02:00
ErrorNoInternet	717e23efa3	treewide: initialize npins	2026-05-04 02:01:13 +02:00
ErrorNoInternet	c0ee94dd43	treewide: refactor code	2026-05-04 02:01:13 +02:00
javalsai	cb67598c41	nixos/security: add acme through dns challenge few side refactors of this: - no more `dns.domain`, it all must rely on `fqdn`, prevents inconsistencies. - also added an specific host `tuxcord-acmetest` that uses the key zone for `nix.tuxcord.net` to test certificate pulling.	2026-05-04 02:01:13 +02:00
javalsai	0cd381a41c	docs: document installation, secrets and setup steps Check / Nix flake (push) Failing after 10s Details Lint / Nix expressions (push) Failing after 11s Details	2026-05-04 01:59:47 +02:00
javalsai	3f1ef7052e	nixos/services: make dns configuration easier	2026-05-04 01:59:47 +02:00
javalsai	e83b3bae26	nixos/service: add dns (bind named server)	2026-05-04 01:59:47 +02:00
javalsai	744921de6e	nixos/programs: add bind utils	2026-05-04 01:59:47 +02:00
javalsai	0b55eff920	lib/ssh: add more ssh keys	2026-05-04 01:59:44 +02:00
javalsai	dd7ad60710	nixos/services: add gitea server Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-04 01:56:34 +02:00
javalsai	fd18ae4a78	nixos/services: add nginx base configuration	2026-05-04 01:56:34 +02:00
javalsai	d7deaa187c	nixos/networking: add own fqdn to extraHosts	2026-05-04 01:56:34 +02:00
javalsai	c6d66902bb	nixos/hosts: add tuxcord-vm host configuration	2026-05-04 01:56:34 +02:00
ErrorNoInternet	4704a887fa	nixos: separate openssh firewall port	2026-05-04 01:56:34 +02:00
javalsai	eaaffcc289	lib/ssh: add more ssh keys	2026-05-04 01:56:32 +02:00