docs: add sections and fix typos/errors

treewide: initialize npins
treewide: refactor code
2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00
30 changed files with 295 additions and 573 deletions
@@ -1,20 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 7PqbYWjorqzuPIDZgOZGIMzZa/P89aGzvORfMAeePRU
-J+gesdnj8VwqJSfD1ohDTSp7nBXdM4nEEB5/7aA1PMc
-> ssh-ed25519 zNC8SA z47u0fUlGVYiQr4/S0lLh6WEj7gyedjWsq4fUk5Z1CY
-6qR4zdA1gQqpAcm5Q5AZJgn3ZnafXL4OeHfU4WJae40
-> ssh-ed25519 EiAAKw 8mPi6HaHW+oFZHZ0Y2fJ2XISgarW3i/yLKD2QJleFGs
-Mch7D28T9eiJm8hmSuI7Wm/rjjT+EzzER9vQ7T6rA3k
-> ssh-rsa eFi+Zw
-d3mwAM+p4yz/UK5g4+0WyeOPyEVHQEyzGSB+pPDf6IIXxGbh613h1WD5j3AQQXdH
-178Es9PhkiZcy0Y0IsQt4dyqDzuqMMwzLLvLKgsfliFsPBcdo93V5r9rWtFi3+9S
-jAfhsFzVUj3KhuBY+xsgBtHpLe5CVV52NnEzXkoJw1wbdunNi62QZvyyC+0NixFV
-HW1lxan6g6XXPrXWWrLbZWvpuqvPV6DoLsofzkMm0nd1DhkeHRU1WU8ucnPaETrJ
-E5G3YrlfhftwRzp/QzeoSFREmdAJca7ycIJaJuG8QIszTZLOOQBUAxg7sonATGUc
-Zutg1lJEfaQSe8oG1iMrJlshGspuSmBc1Ki4iQJjhQnYzvkV+Th9trG3QGq5ur9O
-RYCxqjMMzbp6kR2GdJorSM7P5fpzt0sSv2mxd+nQpMoyvOVfbBjmEbiuWrKSlIl0
-tXYrI6723mRNsbtmodUdDttaDFnr2r0MWbpHPn/K6y422GEoAiKE96Z7Pcxo2+Ml
-
--- ILGiZiEBKY+7nych4vWMVWgiFNhF3eP7mtCvJ/JImxM
-jFÍ%aë;¸8Œõl�Ë�Ô é‚YÊ×ö…›�´töÐ:Â÷ì®û¦#í õÞ(¹ðÂV°;ê[Ç`üØë:tžS#ˆ
-@²ãÒk7²àFž¿ÓEn®†!ÉlÈ¥ÛšŽÃ�7°!•Òï‡êY3:+mzÕÒÈö
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
-ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
-ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
-ä3ÛÿÉèŸP>gòh@ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍPÂòã†¿y?•ÉŽU�SNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OÎ‰Puh‹½ŽÞ=t¶5|¿×“s×€ú&!‰Î-�æTÝSÆfÕ™-j"#žiÂwzºš›ãjö¯“HŒí�
@@ -1,20 +1,34 @@
 age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 8rfiRx7+Gr9BtiSXsVEs2W+pXoms6ynODC1TL90+Wi4
-/uMnYMJovbaPjwX1qCAtIokov40RYIAm2Mup5XKBJvw
-> ssh-ed25519 zNC8SA FlxMK7kMYnKHY9MBJ+HYDI4GNS0nSgZxVuRe4yTWBgg
-HPOV31k8Ueb1W5usG7iLXDQxyAlISrgHThddHpGY2+s
-> ssh-ed25519 EiAAKw Bu7+NJXivoRA07glNWUlBGu03J0ueth7XDU7SWQYT30
-r/DBmf4TRDJBgFF0KdeHuKL5hLdU1z6HtfAAVbc6Y0I
+-> ssh-ed25519 Wl2fDA dM0TgKtswZcbEV9tGGY26YCksV2xadHWXv7D/KksAWk
+1vCcuHmVP2xiHd/7hh0z2Hiq/EeA8uvdsRtQReC5hNY
+-> ssh-ed25519 zNC8SA uTO/3ePjgiKqk3jeRGZX5D3LjzhSBlp2rD2ZakKmfX0
+tVkEEcP/KfD9x52l7iz5F3hKK0LSckjXWK5YP2aeBt4
+-> ssh-ed25519 EiAAKw Etu0I4IzJ3BB2SzCeiexx+dhcLUO5d2Ws+WiJyLk/Sw
+9GBcZPsIXO3mXbri3lFYjtBBu0wFYul6hKsCvBKVLFs
 -> ssh-rsa eFi+Zw
-Nu4gAM/vbh0kpEUIaT4P6iTe9qFFM/9IVxiiKPYHdPnCmPJHrug1afLLFrrrpqkd
-o1NrfYIM9gW6jl5QMCcP5DpzMTppokX0P1Tz1ZeOEtZUVtGeZ7Q2wmL4zftwmG9J
-qoDjsCd0z6MPDUdU46qc7kjQBhOwGLfHXTfGLXGNZxqj0oLvEoEKpdvFNBvMSyxK
-oGZRwGsHQcUXKhCPtf6PVtSkHMABzpUAhgS8oqjp4RVurD0lcrPgsx8pSRRarfyE
-ll1QbFCjftuJfeIEshgRkaLGjIQpZDFA3w2XMqDddFz5H/9Ak+F8/rkNnUrN2x4M
-amca8s4Sbls6RjyysarIytilCtpaKEI2sgkD2fERao6ayTSnWF45qqh635OLaP5A
-b7qcru9gO0C3Ik+UuiZMgovxo/+yBYe3+8x8q/uKR4apPAkt/2q28Uilw1WboIEB
-rIjBr0BN1JeHvkiyljJGcvGf5jHdmOrpQu/L1xuSDjsTnh+U6BshQC8bbkJNsVoL
+uOZsBC+IMHdX2h9Jq/CF/L3BsxDW+dULk04JQbDeM85Mrxxdrv2X3w7AW8YU2KS+
+Xg8LnzH01z4Nfs89uysM/lsWptc9qMeaK9o0oHC+tSJH4Ch43MejbmFYjFibHaCm
+krQM7dAGIJwc/o0+ykaCrbXSvXAyfd6Nw1izou2ZcDRI7mTipOZO8F949SIk//Rc
+UJgPLqpGwScEfrHf4f6tySC4LmD0bPIV1xDpmmXcS7c83E9+iVOtb5Y1In6CQrF1
+XZQCb9MkPySbuicwR022CySb+lc7Ru44RdqBgV1e+wphyZCoqCk09i18egV3hNs6
+iEul3M8dqV27yRKrWIUD5jT2tUszTNJfreiuZl9eDmLkcVWExkWzqWPUFJ48hQiZ
+89Z4Evn04vZGoeL67K5q93lSRHz109zT/KIJSQMZpbaecGAoiZDM8Mdq3KzawGSG
+ENQazx6lnGoMccvxFhjrVqfYj3U4S/pnCow5fatvkBQSyysL63UxE5ivcFUHHppB

--- GCTLfa/BICL9AWTaqGC13M101Z8sqSqPP4ysJVv5zvg
-]
-ý¢Ôÿi¹‡7c·f`b@%X”¿J�)û[<+;x-ÇKmTõ@ãÌ„�ýŸK]7sc*ëŸ‡¼2Ý®5
+-> ssh-ed25519 QovoLQ wgg0cFlYEVafE3rXK4GrID3RTatZdKPYzsjT18WskFM
+bgv+7an3xgdqf6WaiB1FFkXObcykUnvH6lJmX5gFJkQ
+-> ssh-rsa OFkEIg
+IIQbFB6VUwbB+ZtKR7Ayg9Im6vMU1AzqHT8CBagA5fwJ7Vp1GuX1X9SxL9hMPkd3
+4osEbSu3JJDMwfC6AfFtcEjmxjmRYyiYlzmIjhVEsaTlwyeucAPd+fdj+TPjHidZ
+dffizNEOiENY49jlmWTjMqYKnBsSP9GfH4ZsKpCaWMm2h9p687weuXFfbYfjYMII
+a3C4iG8m+mZ4crYTKZu6WPbnHn9g0pMxZBs4v6MnBHk6eEJ0uiJvrzYApoFE5om7
+9AknL27ra/+A1UQl+1kzLT+IivJa8FCfZ+zF1RYLRvSATlIzCqCiBiayAsVtQg5O
+girBRnlAJTPisszyoAhsqbECvD6bJfwlTW0STg/M1u3ZPMTGL4V0gJgynANmjb7Y
+TXd11zuhjRYgOBAj09trQFTmmwIgPvvu8+VXNDNPAp02ffBT8kMUvSEik98/35x1
+Dwvm38t05O6nqyHUF957CRVTzPQPAnb5Cd+Rw/joID2YPyFN9IZwE4mi2Bf3zdZo
+roxtqCupmWkpxMNN7GZJrmCE/Lh6YV4DgUd6VNQc7QlGsq5K4XRT7aa+s+17cC8e
+HCxQfGM8sMe9T6IK+K4p6qTqluyI/X0r95kGfzhNmgzufc44i6X497i3fDSVoLpx
+Uo7Ao3QRNPyaUXcqTTIg8Kx9YiLQC3tDblVJjIZU89o
+--- Vb9o/bhuN6XXjfK04haEEUXnuIA02j4GH9PmAh0ayN8
+óE¬dGs;’Ž°À±��ü
+ñ,OHˆÿœˆ{²¶>ú*wAÃLÌÄ\©0SQöÖ*{6fô‰+Xš¨.
@@ -1,26 +1,17 @@
 let
-  inherit (import ../lib)
-    users
-    adminSSHKeys
-    attrsToList
-    getSSHKeys
-    ;
+  users = import ../lib/ssh/keys.nix;

  tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
 in
 {
-  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "authentik.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;

  # tsig-keygen etc.sub.domain.tld.
-  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
+  # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
+
+  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+
+  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
 }
-// builtins.listToAttrs (
-  map (user: {
-    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
-    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
-  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
-)
@@ -23,67 +23,6 @@
        "type": "github"
      }
    },
-    "authentik-go": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1771856219,
-        "narHash": "sha256-zTEmvxe+BpfWYvAl675PnhXCH4jV4GUTFb1MrQ1Eyno=",
-        "owner": "goauthentik",
-        "repo": "client-go",
-        "rev": "4c1444ee54d945fbcc5ae107b4f191ca0352023d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "repo": "client-go",
-        "type": "github"
-      }
-    },
-    "authentik-nix": {
-      "inputs": {
-        "authentik-go": "authentik-go",
-        "authentik-src": "authentik-src",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
-        "napalm": "napalm",
-        "nixpkgs": "nixpkgs",
-        "pyproject-build-systems": "pyproject-build-systems",
-        "pyproject-nix": "pyproject-nix",
-        "systems": "systems_2",
-        "uv2nix": "uv2nix"
-      },
-      "locked": {
-        "lastModified": 1776085803,
-        "narHash": "sha256-JvvWVbXJYSY8qOReMbAOD4lxcN2cjKV6lg/jLz8CEuY=",
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "rev": "4370b561c8bafb59773ce3a518506bcf1161dbdb",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "type": "github"
-      }
-    },
-    "authentik-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1775573258,
-        "narHash": "sha256-Xq7JGI/8ppIydIuWd9KRJKUrh7UpeniwvZ4NAtXbYJ4=",
-        "owner": "goauthentik",
-        "repo": "authentik",
-        "rev": "5249546862986202b901c2afd860992ec48c6ef6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "ref": "version/2026.2.2",
-        "repo": "authentik",
-        "type": "github"
-      }
-    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@@ -107,7 +46,6 @@
      }
    },
    "flake-compat": {
-      "flake": false,
      "locked": {
        "lastModified": 1767039857,
        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
@@ -123,21 +61,6 @@
      }
    },
    "flake-compat_2": {
-      "locked": {
-        "lastModified": 1767039857,
-        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@@ -157,24 +80,6 @@
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
-      "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_2"
-      },
      "locked": {
        "lastModified": 1777678872,
        "narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
@@ -189,27 +94,6 @@
        "type": "github"
      }
    },
-    "flake-utils": {
-      "inputs": {
-        "systems": [
-          "authentik-nix",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
    "git-hooks-nix": {
      "inputs": {
        "flake-compat": [
@@ -304,35 +188,9 @@
        "type": "github"
      }
    },
-    "napalm": {
-      "inputs": {
-        "flake-utils": [
-          "authentik-nix",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1725806412,
-        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
-        "owner": "willibutz",
-        "repo": "napalm",
-        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "willibutz",
-        "ref": "avoid-foldl-stack-overflow",
-        "repo": "napalm",
-        "type": "github"
-      }
-    },
    "nix-alien": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
        "nix-index-database": [
          "nix-index-database"
        ],
@@ -376,12 +234,12 @@
    },
    "nix-super": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
        "flake-parts": [
          "flake-parts"
        ],
        "git-hooks-nix": "git-hooks-nix",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
        "nixpkgs-23-11": "nixpkgs-23-11",
        "nixpkgs-regression": "nixpkgs-regression"
      },
@@ -401,18 +259,15 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1771848320,
-        "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
-        "type": "github"
+        "lastModified": 1771903837,
+        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
+        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
      }
    },
    "nixpkgs-23-11": {
@@ -432,21 +287,6 @@
      }
    },
    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1769909678,
-        "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "72716169fe93074c333e8d0173151350670b824c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib_2": {
      "locked": {
        "lastModified": 1777168982,
        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
@@ -478,19 +318,6 @@
      }
    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1771903837,
-        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
-        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
-        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1777428379,
        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
@@ -506,66 +333,15 @@
        "type": "github"
      }
    },
-    "pyproject-build-systems": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik-nix",
-          "pyproject-nix"
-        ],
-        "uv2nix": [
-          "authentik-nix",
-          "uv2nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1771423342,
-        "narHash": "sha256-7uXPiWB0YQ4HNaAqRvVndYL34FEp1ZTwVQHgZmyMtC8=",
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "rev": "04e9c186e01f0830dad3739088070e4c551191a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "type": "github"
-      }
-    },
-    "pyproject-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1771518446,
-        "narHash": "sha256-nFJSfD89vWTu92KyuJWDoTQJuoDuddkJV3TlOl1cOic=",
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "rev": "eb204c6b3335698dec6c7fc1da0ebc3c6df05937",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
        "agenix": "agenix",
-        "authentik-nix": "authentik-nix",
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
        "impermanence": "impermanence",
        "nix-alien": "nix-alien",
        "nix-index-database": "nix-index-database",
        "nix-super": "nix-super",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "systems": {
@@ -582,46 +358,6 @@
        "repo": "default",
        "type": "github"
      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "type": "github"
-      }
-    },
-    "uv2nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik-nix",
-          "pyproject-nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1772187362,
-        "narHash": "sha256-gCojeIlQ/rfWMe3adif3akyHsT95wiMkLURpxTeqmPc=",
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "rev": "abe65de114300de41614002fe9dce2152ac2ac23",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "type": "github"
-      }
    }
  },
  "root": "root",
@@ -31,13 +31,6 @@
      url = "github:privatevoid-net/nix-super";
      inputs.flake-parts.follows = "flake-parts";
    };
-
-    authentik-nix = {
-      url = "github:nix-community/authentik-nix";
-
-      # inputs.nixpkgs.follows = "nixpkgs"
-      # inputs.flake-parts.follows = "flake-parts"
-    };
  };

  outputs =
@@ -59,11 +52,6 @@
          formatter = pkgs.nixfmt;
        };

-      flake = {
-        lib = import ./lib;
-        pins = import ./npins;
-      };
-
      systems = [
        "x86_64-linux"
        "aarch64-linux"
@@ -1,24 +0,0 @@
-rec {
-  toList = x: if builtins.isList x then x else [ x ];
-
-  nameValuePair = name: value: { inherit name value; };
-
-  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
-
-  attrsToList = mapAttrsToList nameValuePair;
-
-  getSSHKeys =
-    username:
-    if (builtins.hasAttr "ssh" users.${username}) then
-      toList users.${username}.ssh
-    else
-      builtins.warn "user ${username} declared without ssh keys" [ ];
-
-  users = import ./users.nix;
-
-  adminSSHKeys = builtins.concatLists (
-    map (user: getSSHKeys user.name) (
-      builtins.filter (user: user.value.admin or false) (attrsToList users)
-    )
-  );
-}
@@ -0,0 +1,8 @@
+{
+  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+
+  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
+}
@@ -1,26 +0,0 @@
-{
-  error = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-    admin = true;
-    ddns = true;
-  };
-
-  javalsai = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-    admin = true;
-    ddns = true;
-  };
-
-  max = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-    admin = true;
-  };
-
-  vectorum = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
-  };
-
-  pickzelle = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
-  };
-}
@@ -18,7 +18,6 @@ in
    agenix.nixosModules.default
    impermanence.nixosModules.default
    nix-index-database.nixosModules.nix-index
-    authentik-nix.nixosModules.default

    ./hardware.nix
    ./impermanence.nix
@@ -100,15 +99,22 @@ in

    extraHosts =
      let
-        subdomains = [ "git" "auth" ];
-
-        inherit (config.networking) fqdn;
-        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
+        subdomains = [
+          ""
+          ".git"
+        ];
      in
-      lib.concatMapStrings (host: ''
+      builtins.foldl' (
+        hosts-acc: domain-prefix:
+        let
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
          127.0.0.1 ${host}
          ::1 ${host}
-      '') hosts;
+        ''
+      ) "" subdomains;
  };

  virtualisation.podman.enable = true;
@@ -15,10 +15,7 @@
      "xhci_pci"
    ];

-    kernelModules = [
-      "kvm-amd"
-      "kvm-intel"
-    ];
+    kernelModules = [ "kvm-intel" ];
  };

  hardware = {
@@ -1,14 +1,11 @@
 {
-  imports = [
-    ./storage.nix
-  ];
+  acme = {
+    enable = true;
+    rfc2136.nameserver = "tuxcord.net";
+  };

-  networking.fqdn = "nix.tuxcord.net";
-
-  acme.rfc2136.nameserver = "tuxcord.net";
  dns.enable = true;
-
-  services.getty.autologinUser = "root";
+  networking.fqdn = "nix.tuxcord.net";

  time.timeZone = "Europe/Madrid";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -32,7 +32,6 @@
        device = "/dev/xvda2";
        fsType = "btrfs";
        options = [ "subvol=@persist" ] ++ defaultOptions;
-        neededForBoot = true;
      };
    };
 }
@@ -1,12 +1,6 @@
 {
-  imports = [
-    ./storage.nix
-  ];
-
-  networking.fqdn = "tuxcord.test";
-
  acme.enable = false;
  dns.enable = true;

-  services.getty.autologinUser = "root";
+  networking.fqdn = "tuxcord.test";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -55,6 +55,8 @@
    };
  };

+  fileSystems."/persist".neededForBoot = true;
+
  environment.persistence."/persist" = {
    enable = true;
    hideMounts = true;
@@ -70,6 +72,10 @@
    ];
    files = [
      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
  };

@@ -1,17 +0,0 @@
-{ config, self, ... }:
-let
-  inherit (config.networking) fqdn;
-in
-{
-  age.secrets.authentik.file = "${self}/agenix/authentik.age";
-
-  services.authentik = {
-    enable = true;
-    environmentFile = config.age.secrets.authentik.path; # just trust, this specifies port 3001
-    # nginx = {
-    #   enable = true;
-    #   enableACME = true;
-    #   host = "auth.${fqdn}";
-    # };
-  };
-}
@@ -1,7 +1,6 @@
 {
  imports = [
    ./acme.nix
-    ./authentik.nix
    ./dns.nix
    ./fail2ban.nix
    ./gitea.nix
@@ -1,46 +1,21 @@
-{ config, self, ... }:
+{ config, ... }:
 let
  inherit (config.networking) fqdn;

  mkVhost =
-    attrs: locations:
+    attrs:
    let
      acmeEnabled = config.acme.enable;
    in
    {
      forceSSL = acmeEnabled;
      useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
    }
    // attrs;

  mkProxy = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
-
-    extraConfig = ''
-      proxy_buffering off;
-      proxy_request_buffering off;
-    '';
  };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
  services.nginx = {
@@ -52,18 +27,14 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts = {
-      "${fqdn}" = mkVhost { default = true; } {
-        "/" = mkSsi "${self.pins.website}/web-root";
-      };
+    # services.nginx.virtualHosts."${fqdn}" = {
+    #   addSSL = true;
+    #   root = "/var/www/myhost.org";
+    #   default = true;
+    # };

-      "git.${fqdn}" = mkVhost { } {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
-      };
-
-      "auth.${fqdn}" = mkVhost { } {
-        "/" = mkProxy 3001;
-      };
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
    };
  };

@@ -4,13 +4,20 @@

    settings = {
      ClientAliveInterval = 300;
-      X11Forwarding = true;

      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
  };
+<<<<<<< HEAD

  networking.firewall.allowedTCPPorts = [ 22 ];
+||||||| parent of 1c2f11d (lib/ssh: add more ssh keys)
+
+  users.users.root.openssh.authorizedKeys.keys = builtins.attrValues {
+    inherit (import "${self}/lib/ssh/keys.nix") error javalsai;
+  };
+=======
+>>>>>>> 1c2f11d (lib/ssh: add more ssh keys)
 }
@@ -1,6 +1,25 @@
 { lib, self, ... }:
 let
-  inherit (self.lib) users;
+  users = [
+    {
+      name = "error";
+      options.admin = true;
+    }
+    {
+      name = "javalsai";
+      options.admin = true;
+    }
+    {
+      name = "max";
+      options.admin = true;
+    }
+    {
+      name = "vectorum";
+    }
+    {
+      name = "pickzelle";
+    }
+  ];

  adminGroups = [
    "adm"
@@ -11,12 +30,29 @@ let
    "wheel"
  ];

-  mkUser = name: uid: admin: {
+  getSSHKeys =
+    username:
+    let
+      sshKeys = import "${self}/lib/ssh/keys.nix";
+    in
+    if (builtins.hasAttr username sshKeys) then
+      lib.lists.toList sshKeys.${username}
+    else
+      lib.warn "user ${username} declared without ssh key" [ ];
+
+  mkUser =
+    name: uid: options:
+    let
+      admin = options.admin or false;
+
+    in
+    {
      users.users.${name} = {
-      inherit uid;
        isNormalUser = true;
        extraGroups = lib.optionals admin adminGroups;
-      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
+        inherit uid;
+
+        openssh.authorizedKeys.keys = getSSHKeys name;
      };

      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
@@ -33,33 +69,21 @@ in
 lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
-      options = lib.recursiveUpdate attrs.options (
-        mkUser user.name attrs.uid (user.value.admin or false)
-      );
+      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
      uid = attrs.uid + 1;
    })
    {
      options = { };
      uid = 1000;
    }
-    (lib.attrsToList users)
+    users
  ).options
  {
-    users = {
-      motd = ''
-                  __                                          __                      __
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
-
-      users.root = {
+    users.users.root = {
      initialPassword = "tuxcord";
-        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      };
+
+      openssh.authorizedKeys.keys = lib.lists.concatLists (
+        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
+      );
    };
  }
@@ -9,8 +9,15 @@
 */
 # Generated by npins. Do not modify; will be overwritten regularly
 let
-  data = builtins.fromJSON (builtins.readFile ./sources.json);
-  version = data.version;
+  # Backwards-compatibly make something that previously didn't take any arguments take some
+  # The function must return an attrset, and will unfortunately be eagerly evaluated
+  # Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments
+  mkFunctor =
+    fn:
+    let
+      e = builtins.tryEval (fn { });
+    in
+    (if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; };

  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
  range =
@@ -21,7 +28,6 @@ let

  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
-  concatMapStrings = f: list: concatStrings (map f list);
  concatStrings = builtins.concatStringsSep "";

  # If the environment variable NPINS_OVERRIDE_${name} is set, then use
@@ -48,41 +54,87 @@ let

  mkSource =
    name: spec:
+    {
+      pkgs ? null,
+    }:
    assert spec ? type;
    let
+      # Unify across builtin and pkgs fetchers.
+      # `fetchGit` requires a wrapper because of slight API differences.
+      fetchers =
+        if pkgs == null then
+          {
+            inherit (builtins) fetchTarball fetchurl;
+            # For some fucking reason, fetchGit has a different signature than the other builtin fetchers …
+            fetchGit = args: (builtins.fetchGit args).outPath;
+          }
+        else
+          {
+            fetchTarball =
+              {
+                url,
+                sha256,
+              }:
+              pkgs.fetchzip {
+                inherit url sha256;
+                extension = "tar";
+              };
+            inherit (pkgs) fetchurl;
+            fetchGit =
+              {
+                url,
+                submodules,
+                rev,
+                name,
+                narHash,
+              }:
+              pkgs.fetchgit {
+                inherit url rev name;
+                fetchSubmodules = submodules;
+                hash = narHash;
+              };
+          };
+
+      # Dispatch to the correct code path based on the type
      path =
        if spec.type == "Git" then
-          mkGitSource spec
+          mkGitSource fetchers spec
        else if spec.type == "GitRelease" then
-          mkGitSource spec
+          mkGitSource fetchers spec
        else if spec.type == "PyPi" then
-          mkPyPiSource spec
+          mkPyPiSource fetchers spec
        else if spec.type == "Channel" then
-          mkChannelSource spec
+          mkChannelSource fetchers spec
        else if spec.type == "Tarball" then
-          mkTarballSource spec
+          mkTarballSource fetchers spec
+        else if spec.type == "Container" then
+          mkContainerSource pkgs spec
        else
          builtins.throw "Unknown source type ${spec.type}";
    in
    spec // { outPath = mayOverride name path; };

  mkGitSource =
+    {
+      fetchTarball,
+      fetchGit,
+      ...
+    }:
    {
      repository,
      revision,
      url ? null,
      submodules,
      hash,
-      branch ? null,
      ...
    }:
    assert repository ? type;
    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
    # In the latter case, there we will always be an url to the tarball
    if url != null && !submodules then
-      builtins.fetchTarball {
+      fetchTarball {
        inherit url;
-        sha256 = hash; # FIXME: check nix version & use SRI hashes
+        sha256 = hash;
      }
    else
      let
@@ -93,6 +145,8 @@ let
            "https://github.com/${repository.owner}/${repository.repo}.git"
          else if repository.type == "GitLab" then
            "${repository.server}/${repository.repo_path}.git"
+          else if repository.type == "Forgejo" then
+            "${repository.server}/${repository.owner}/${repository.repo}.git"
          else
            throw "Unrecognized repository type ${repository.type}";
        urlToName =
@@ -107,40 +161,89 @@ let
          "${if matched == null then "source" else builtins.head matched}${appendShort}";
        name = urlToName url revision;
      in
-      builtins.fetchGit {
+      fetchGit {
        rev = revision;
-        inherit name;
-        # hash = hash;
-        inherit url submodules;
+        narHash = hash;
+
+        inherit name submodules url;
      };

  mkPyPiSource =
-    { url, hash, ... }:
-    builtins.fetchurl {
+    { fetchurl, ... }:
+    {
+      url,
+      hash,
+      ...
+    }:
+    fetchurl {
      inherit url;
      sha256 = hash;
    };

  mkChannelSource =
-    { url, hash, ... }:
-    builtins.fetchTarball {
+    { fetchTarball, ... }:
+    {
+      url,
+      hash,
+      ...
+    }:
+    fetchTarball {
      inherit url;
      sha256 = hash;
    };

  mkTarballSource =
+    { fetchTarball, ... }:
    {
      url,
      locked_url ? url,
      hash,
      ...
    }:
-    builtins.fetchTarball {
+    fetchTarball {
      url = locked_url;
      sha256 = hash;
    };
+
+  mkContainerSource =
+    pkgs:
+    {
+      image_name,
+      image_tag,
+      image_digest,
+      ...
+    }:
+    if pkgs == null then
+      builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers"
+    else
+      pkgs.dockerTools.pullImage {
+        imageName = image_name;
+        imageDigest = image_digest;
+        finalImageTag = image_tag;
+      };
 in
-if version == 5 then
-  builtins.mapAttrs mkSource data.pins
-else
+mkFunctor (
+  {
+    input ? ./sources.json,
+  }:
+  let
+    data =
+      if builtins.isPath input then
+        # while `readFile` will throw an error anyways if the path doesn't exist,
+        # we still need to check beforehand because *our* error can be caught but not the one from the builtin
+        # *piegames sighs*
+        if builtins.pathExists input then
+          builtins.fromJSON (builtins.readFile input)
+        else
+          throw "Input path ${toString input} does not exist"
+      else if builtins.isAttrs input then
+        input
+      else
+        throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
+    version = data.version;
+  in
+  if version == 7 then
+    builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
+  else
    throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
+)
@@ -1,17 +1,4 @@
 {
-  "pins": {
-    "website": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
-      "url": null,
-      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
-    }
-  },
-  "version": 5
+  "pins": {},
+  "version": 7
 }
@@ -31,6 +31,7 @@
          git
          inputs.agenix.packages.${stdenv.hostPlatform.system}.default
          jujutsu
+          neovim
          nix-output-monitor
          nixfmt
          npins
Author	SHA1	Message	Date
javalsai	8d6be9fcf0	docs: add sections and fix typos/errors Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 11s Details	2026-05-04 02:00:47 +02:00
ErrorNoInternet	4c52994bf8	treewide: initialize npins	2026-05-04 02:00:47 +02:00
ErrorNoInternet	b964fe3e89	treewide: refactor code	2026-05-04 02:00:47 +02:00
javalsai	9008f6fdb9	nixos/security: add acme through dns challenge few side refactors of this: - no more `dns.domain`, it all must rely on `fqdn`, prevents inconsistencies. - also added an specific host `tuxcord-acmetest` that uses the key zone for `nix.tuxcord.net` to test certificate pulling.	2026-05-04 02:00:47 +02:00
javalsai	701a477d42	docs: document installation, secrets and setup steps	2026-05-04 02:00:47 +02:00
javalsai	b491abe065	nixos/services: make dns configuration easier	2026-05-04 02:00:47 +02:00
javalsai	ddb136f971	nixos/service: add dns (bind named server)	2026-05-04 02:00:47 +02:00
javalsai	d8a90697e9	nixos/programs: add bind utils	2026-05-04 02:00:47 +02:00
javalsai	433645f459	lib/ssh: add more ssh keys	2026-05-04 02:00:44 +02:00
javalsai	dd7ad60710	nixos/services: add gitea server Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-04 01:56:34 +02:00
javalsai	fd18ae4a78	nixos/services: add nginx base configuration	2026-05-04 01:56:34 +02:00
javalsai	d7deaa187c	nixos/networking: add own fqdn to extraHosts	2026-05-04 01:56:34 +02:00
javalsai	c6d66902bb	nixos/hosts: add tuxcord-vm host configuration	2026-05-04 01:56:34 +02:00
ErrorNoInternet	4704a887fa	nixos: separate openssh firewall port	2026-05-04 01:56:34 +02:00
javalsai	eaaffcc289	lib/ssh: add more ssh keys	2026-05-04 01:56:32 +02:00