docs: add sections and fix typos/errors

treewide: initialize npins
treewide: refactor code
2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00 · 2026-05-04 02:00:47 +02:00
35 changed files with 213 additions and 682 deletions
@@ -1 +0,0 @@
-use flake
@@ -1,4 +1,3 @@
 # Nix
-/*.qcow2
-/.direnv
 /result
+/*.qcow2
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 3CWPYLgoTMGb9gBbDzZIQxYJ9Gfm49g6lqQyqlegUDQ
-ryhsPP5+Byus2e5GSXDJlKYX1o3HfQ87CLRv2htU4n4
-> ssh-ed25519 EiAAKw B2uGdkeC3OZISN2iH2DR1J7L3/mbuFvebzqaTdAURCw
-ze0X/MmHP78rRqAn0O3VBtnMJsiOXPk8RIe82tdQMeg
--- kLBxPuJdbPmJ1Lz3iBu8EPItdZtpNHIyV6pz1QzhcUY
-ä3ÛÿÉèŸP>gòh@ö•AZ’üz-í6R€¸zèÚ¢[ÇÝÍPÂòã†¿y?•ÉŽU�SNÝ©&ú#}ÝR+o?.B¶&´5]ÇW€OÎ‰Puh‹½ŽÞ=t¶5|¿×“s×€ú&!‰Î-�æTÝSÆfÕ™-j"#žiÂwzºš›ãjö¯“HŒí�
@@ -1,20 +1,34 @@
 age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 8rfiRx7+Gr9BtiSXsVEs2W+pXoms6ynODC1TL90+Wi4
-/uMnYMJovbaPjwX1qCAtIokov40RYIAm2Mup5XKBJvw
-> ssh-ed25519 zNC8SA FlxMK7kMYnKHY9MBJ+HYDI4GNS0nSgZxVuRe4yTWBgg
-HPOV31k8Ueb1W5usG7iLXDQxyAlISrgHThddHpGY2+s
-> ssh-ed25519 EiAAKw Bu7+NJXivoRA07glNWUlBGu03J0ueth7XDU7SWQYT30
-r/DBmf4TRDJBgFF0KdeHuKL5hLdU1z6HtfAAVbc6Y0I
+-> ssh-ed25519 Wl2fDA dM0TgKtswZcbEV9tGGY26YCksV2xadHWXv7D/KksAWk
+1vCcuHmVP2xiHd/7hh0z2Hiq/EeA8uvdsRtQReC5hNY
+-> ssh-ed25519 zNC8SA uTO/3ePjgiKqk3jeRGZX5D3LjzhSBlp2rD2ZakKmfX0
+tVkEEcP/KfD9x52l7iz5F3hKK0LSckjXWK5YP2aeBt4
+-> ssh-ed25519 EiAAKw Etu0I4IzJ3BB2SzCeiexx+dhcLUO5d2Ws+WiJyLk/Sw
+9GBcZPsIXO3mXbri3lFYjtBBu0wFYul6hKsCvBKVLFs
 -> ssh-rsa eFi+Zw
-Nu4gAM/vbh0kpEUIaT4P6iTe9qFFM/9IVxiiKPYHdPnCmPJHrug1afLLFrrrpqkd
-o1NrfYIM9gW6jl5QMCcP5DpzMTppokX0P1Tz1ZeOEtZUVtGeZ7Q2wmL4zftwmG9J
-qoDjsCd0z6MPDUdU46qc7kjQBhOwGLfHXTfGLXGNZxqj0oLvEoEKpdvFNBvMSyxK
-oGZRwGsHQcUXKhCPtf6PVtSkHMABzpUAhgS8oqjp4RVurD0lcrPgsx8pSRRarfyE
-ll1QbFCjftuJfeIEshgRkaLGjIQpZDFA3w2XMqDddFz5H/9Ak+F8/rkNnUrN2x4M
-amca8s4Sbls6RjyysarIytilCtpaKEI2sgkD2fERao6ayTSnWF45qqh635OLaP5A
-b7qcru9gO0C3Ik+UuiZMgovxo/+yBYe3+8x8q/uKR4apPAkt/2q28Uilw1WboIEB
-rIjBr0BN1JeHvkiyljJGcvGf5jHdmOrpQu/L1xuSDjsTnh+U6BshQC8bbkJNsVoL
+uOZsBC+IMHdX2h9Jq/CF/L3BsxDW+dULk04JQbDeM85Mrxxdrv2X3w7AW8YU2KS+
+Xg8LnzH01z4Nfs89uysM/lsWptc9qMeaK9o0oHC+tSJH4Ch43MejbmFYjFibHaCm
+krQM7dAGIJwc/o0+ykaCrbXSvXAyfd6Nw1izou2ZcDRI7mTipOZO8F949SIk//Rc
+UJgPLqpGwScEfrHf4f6tySC4LmD0bPIV1xDpmmXcS7c83E9+iVOtb5Y1In6CQrF1
+XZQCb9MkPySbuicwR022CySb+lc7Ru44RdqBgV1e+wphyZCoqCk09i18egV3hNs6
+iEul3M8dqV27yRKrWIUD5jT2tUszTNJfreiuZl9eDmLkcVWExkWzqWPUFJ48hQiZ
+89Z4Evn04vZGoeL67K5q93lSRHz109zT/KIJSQMZpbaecGAoiZDM8Mdq3KzawGSG
+ENQazx6lnGoMccvxFhjrVqfYj3U4S/pnCow5fatvkBQSyysL63UxE5ivcFUHHppB

--- GCTLfa/BICL9AWTaqGC13M101Z8sqSqPP4ysJVv5zvg
-]
-ý¢Ôÿi¹‡7c·f`b@%X”¿J�)û[<+;x-ÇKmTõ@ãÌ„�ýŸK]7sc*ëŸ‡¼2Ý®5
+-> ssh-ed25519 QovoLQ wgg0cFlYEVafE3rXK4GrID3RTatZdKPYzsjT18WskFM
+bgv+7an3xgdqf6WaiB1FFkXObcykUnvH6lJmX5gFJkQ
+-> ssh-rsa OFkEIg
+IIQbFB6VUwbB+ZtKR7Ayg9Im6vMU1AzqHT8CBagA5fwJ7Vp1GuX1X9SxL9hMPkd3
+4osEbSu3JJDMwfC6AfFtcEjmxjmRYyiYlzmIjhVEsaTlwyeucAPd+fdj+TPjHidZ
+dffizNEOiENY49jlmWTjMqYKnBsSP9GfH4ZsKpCaWMm2h9p687weuXFfbYfjYMII
+a3C4iG8m+mZ4crYTKZu6WPbnHn9g0pMxZBs4v6MnBHk6eEJ0uiJvrzYApoFE5om7
+9AknL27ra/+A1UQl+1kzLT+IivJa8FCfZ+zF1RYLRvSATlIzCqCiBiayAsVtQg5O
+girBRnlAJTPisszyoAhsqbECvD6bJfwlTW0STg/M1u3ZPMTGL4V0gJgynANmjb7Y
+TXd11zuhjRYgOBAj09trQFTmmwIgPvvu8+VXNDNPAp02ffBT8kMUvSEik98/35x1
+Dwvm38t05O6nqyHUF957CRVTzPQPAnb5Cd+Rw/joID2YPyFN9IZwE4mi2Bf3zdZo
+roxtqCupmWkpxMNN7GZJrmCE/Lh6YV4DgUd6VNQc7QlGsq5K4XRT7aa+s+17cC8e
+HCxQfGM8sMe9T6IK+K4p6qTqluyI/X0r95kGfzhNmgzufc44i6X497i3fDSVoLpx
+Uo7Ao3QRNPyaUXcqTTIg8Kx9YiLQC3tDblVJjIZU89o
+--- Vb9o/bhuN6XXjfK04haEEUXnuIA02j4GH9PmAh0ayN8
+óE¬dGs;’Ž°À±��ü
+ñ,OHˆÿœˆ{²¶>ú*wAÃLÌÄ\©0SQöÖ*{6fô‰+Xš¨.
@@ -1,25 +1,17 @@
 let
-  inherit (import ../lib)
-    users
-    adminSSHKeys
-    attrsToList
-    getSSHKeys
-    ;
+  users = import ../lib/ssh/keys.nix;

  tuxcord-ca = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPxiko5Csyq9UODglYzLBvRfxkhQu9GXP7SH2BpC8G/7";
 in
 {
-  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;

  # tsig-keygen etc.sub.domain.tld.
-  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
+  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
+  # "dns/tuxcord.net/XXX.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ [ users.XXX ];
+
+  "dns/tuxcord.test/tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+  "dns/tuxcord.test/sub.tuxcord.test.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+
+  "dns/nix.tuxcord.net/nix.tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
 }
-// builtins.listToAttrs (
-  map (user: {
-    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
-    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
-  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
-)
@@ -1,12 +0,0 @@
-{{template "base/head" .}}
-<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}"
-   class="page-content home tw-mb-8 tw-px-8 center" style="height: 100%; flex-direction: column; display: flex; align-items: center; justify-content: space-around;">
-   <img width="500" height="500" src="{{AssetUrlPrefix}}/images/full-logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
-   <div class="hero">
-      <h1 class="ui icon header title">
-         {{AppName}}
-      </h1>
-      <!-- <h2>My own gitea server 😎</h2> -->
-   </div>
-</div>
-{{template "base/footer" .}}
@@ -1,51 +0,0 @@
-@import "/assets/css/theme-forgejo-dark.css";
-
-/* :root { */
-/*   --is-dark-theme: true; */
-
-/*   --accent-color: 221, 85, 85; */
-/*   /1* #d55 *1/ */
-/*   --gitea-color-primary-dark-4: 221, 85, 85; */
-/*   --accent-color-secondary: 96, 72, 10; */
-/*   --accent-color-hover: 170, 68, 68; */
-/*   --color-primary: rgb(var(--accent-color)); */
-/*   --color-secondary: rgb(var(--accent-color-secondary)); */
-/*   --button-color: rgb(var(--accent-color)); */
-/*   --button-color-hover: rgb(var(--accent-color-hover)); */
-/* } */
-
-:root {
-  --is-dark-theme: true;
-
-  --color-primary: #d162a4;
-  --color-primary-contrast: #fff;
-  --color-primary-dark-1: #ba3283;
-  --color-primary-dark-2: #b55690;
-  --color-primary-dark-3: #ac2c79;
-  --color-primary-dark-4: #a30262;
-  --color-primary-dark-5: #8a0253;
-  --color-primary-dark-6: #710144;
-  --color-primary-dark-7: #570135;
-  --color-primary-light-1: #d776af;
-  --color-primary-light-2: #dd89bb;
-  --color-primary-light-3: #e29dc6;
-  --color-primary-light-4: #e8b1d2;
-  --color-primary-light-5: #eec5dd;
-  --color-primary-light-6: #f4d8e9;
-  --color-primary-light-7: #f9ecf4;
-  --color-primary-alpha-10: #d162a419;
-  --color-primary-alpha-20: #d162a433;
-  --color-primary-alpha-30: #d162a44b;
-  --color-primary-alpha-40: #d162a466;
-  --color-primary-alpha-50: #d162a480;
-  --color-primary-alpha-60: #d162a499;
-  --color-primary-alpha-70: #d162a4b3;
-  --color-primary-alpha-80: #d162a4cc;
-  --color-primary-alpha-90: #d162a4e1;
-}
-
-.navbar-left > #navbar-logo.item,
-.navbar-right > #navbar-logo.item,
-.navbar-mobile-right > #navbar-logo.item {
-  padding: 3px;
-}
@@ -52,11 +52,6 @@
          formatter = pkgs.nixfmt;
        };

-      flake = {
-        lib = import ./lib;
-        pins = import ./npins;
-      };
-
      systems = [
        "x86_64-linux"
        "aarch64-linux"
@@ -1,24 +0,0 @@
-rec {
-  toList = x: if builtins.isList x then x else [ x ];
-
-  nameValuePair = name: value: { inherit name value; };
-
-  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
-
-  attrsToList = mapAttrsToList nameValuePair;
-
-  getSSHKeys =
-    username:
-    if (builtins.hasAttr "ssh" users.${username}) then
-      toList users.${username}.ssh
-    else
-      builtins.warn "user ${username} declared without ssh keys" [ ];
-
-  users = import ./users.nix;
-
-  adminSSHKeys = builtins.concatLists (
-    map (user: getSSHKeys user.name) (
-      builtins.filter (user: user.value.admin or false) (attrsToList users)
-    )
-  );
-}
@@ -0,0 +1,8 @@
+{
+  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+
+  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
+}
@@ -1,26 +0,0 @@
-{
-  error = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-    admin = true;
-    ddns = true;
-  };
-
-  javalsai = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-    admin = true;
-    ddns = true;
-  };
-
-  max = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-    admin = true;
-  };
-
-  vectorum = {
-    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
-  };
-
-  pickzelle = {
-    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
-  };
-}
@@ -99,15 +99,22 @@ in

    extraHosts =
      let
-        subdomains = [ "git" ];
-
-        inherit (config.networking) fqdn;
-        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
+        subdomains = [
+          ""
+          ".git"
+        ];
      in
-      lib.concatMapStrings (host: ''
-        127.0.0.1 ${host}
-        ::1 ${host}
-      '') hosts;
+      builtins.foldl' (
+        hosts-acc: domain-prefix:
+        let
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
+          127.0.0.1 ${host}
+          ::1 ${host}
+        ''
+      ) "" subdomains;
  };

  virtualisation.podman.enable = true;
@@ -15,10 +15,7 @@
      "xhci_pci"
    ];

-    kernelModules = [
-      "kvm-amd"
-      "kvm-intel"
-    ];
+    kernelModules = [ "kvm-intel" ];
  };

  hardware = {
@@ -1,14 +1,11 @@
 {
-  imports = [
-    ./storage.nix
-  ];
+  acme = {
+    enable = true;
+    rfc2136.nameserver = "tuxcord.net";
+  };

-  networking.fqdn = "nix.tuxcord.net";
-
-  acme.rfc2136.nameserver = "tuxcord.net";
  dns.enable = true;
-
-  services.getty.autologinUser = "root";
+  networking.fqdn = "nix.tuxcord.net";

  time.timeZone = "Europe/Madrid";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -32,7 +32,6 @@
        device = "/dev/xvda2";
        fsType = "btrfs";
        options = [ "subvol=@persist" ] ++ defaultOptions;
-        neededForBoot = true;
      };
    };
 }
@@ -1,12 +1,6 @@
 {
-  imports = [
-    ./storage.nix
-  ];
-
-  networking.fqdn = "tuxcord.test";
-
  acme.enable = false;
  dns.enable = true;

-  services.getty.autologinUser = "root";
+  networking.fqdn = "tuxcord.test";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -55,6 +55,8 @@
    };
  };

+  fileSystems."/persist".neededForBoot = true;
+
  environment.persistence."/persist" = {
    enable = true;
    hideMounts = true;
@@ -70,6 +72,10 @@
    ];
    files = [
      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
  };

@@ -3,7 +3,7 @@
    ./acme.nix
    ./dns.nix
    ./fail2ban.nix
-    ./forgejo.nix
+    ./gitea.nix
    ./host.nix
    ./nginx.nix
    ./snapper.nix
@@ -1,125 +0,0 @@
-{ config, pkgs, ... }:
-let
-  inherit (config.networking) fqdn;
-
-  acmeEnabled = config.acme.enable;
-
-  themeName = "tuxcord";
-  forgejoPublic = pkgs.linkFarm "forgejo-public" [
-    {
-      name = "assets/css/theme-${themeName}.css";
-      path = ../../assets/forgejo/theme.css;
-    }
-    {
-      name = "assets/img";
-      path = makeForgejoImages {
-        big = ../../assets/branding/logo.svg;
-        small = ../../assets/branding/logo-head.svg;
-        rasterWidth = 1024;
-      };
-    }
-    {
-      name = "assets/images/full-logo.svg";
-      path = ../../assets/branding/logo.svg;
-    }
-  ];
-  forgejoTemplates = ../../assets/forgejo/templates;
-
-  makeForgejoImages =
-    {
-      big,
-      small,
-      rasterWidth,
-    }:
-    pkgs.stdenv.mkDerivation rec {
-      name = "forgejo-images";
-
-      srcs = [
-        big
-        small
-      ];
-      unpackPhase = "true";
-
-      buildInputs = with pkgs; [
-        inkscape
-      ];
-
-      # https://forgejo.org/docs/next/contributor/customization/#changing-the-logo
-      buildPhase = ''
-        mkdir -p $out
-
-        cp "${big}" $out/logo.svg
-        inkscape -w ${toString rasterWidth} ${big} -o $out/logo.png
-
-        cp "${small}" $out/favicon.svg
-        inkscape -w ${toString rasterWidth} ${small} -o $out/favicon.png
-      '';
-    };
-in
-{
-  services.forgejo = {
-    enable = true;
-
-    database.type = "mysql";
-
-    lfs.enable = true;
-
-    settings = {
-      DEFAULT = {
-        APP_NAME = "TuxCord Code Forge";
-      };
-
-      server = {
-        DOMAIN = fqdn;
-        ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
-        HTTP_PORT = 3000;
-      };
-
-      service = {
-        DISABLE_REGISTRATION = true;
-        REQUIRE_SIGNIN_VIEW = false;
-      };
-
-      repository = {
-        ENABLE_PUSH_CREATE_USER = true;
-        ENABLE_PUSH_CREATE_ORG = true;
-        DEFAULT_BRANCH = "main";
-      };
-
-      ui = {
-        DEFAULT_THEME = themeName;
-      };
-
-      # TODO: once we have email setup this would be nice
-      mailer.ENABLED = true;
-
-      actions = {
-        ENABLED = true;
-        # DEFAULT_ACTIONS_URL = "github";
-      };
-    };
-  };
-
-  systemd.services.forgejo-branding = {
-    enable = true;
-
-    wantedBy = [ "forgejo.service" ];
-    before = [ "forgejo.service" ];
-
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = pkgs.writeShellScript "forgejo-branding.oneshot" ''
-        ${pkgs.rsync}/bin/rsync -rl --chown forgejo:forgejo --delete ${forgejoPublic}/ ${config.services.forgejo.customDir}/public
-        ${pkgs.rsync}/bin/rsync -rl --chown forgejo:forgejo --delete ${forgejoTemplates}/ ${config.services.forgejo.customDir}/templates
-      '';
-    };
-  };
-
-  environment.persistence."/persist".directories = [
-    {
-      directory = config.services.forgejo.stateDir;
-      group = "forgejo";
-      user = "forgejo";
-    }
-  ];
-}
@@ -0,0 +1,40 @@
+{ config, ... }:
+let
+  inherit (config.networking) fqdn;
+
+  acmeEnabled = config.acme.enable;
+in
+{
+  services.gitea = {
+    enable = true;
+
+    appName = "TuxCord Gitea";
+    database.type = "mysql";
+
+    lfs.enable = true;
+
+    settings = {
+      server = {
+        DOMAIN = fqdn;
+        ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
+        HTTP_PORT = 3000;
+      };
+
+      service = {
+        DISABLE_REGISTRATION = true;
+        REQUIRE_SIGNIN_VIEW = false;
+      };
+
+      repository = {
+        ENABLE_PUSH_CREATE_USER = true;
+        ENABLE_PUSH_CREATE_ORG = true;
+        DEFAULT_BRANCH = "main";
+      };
+
+      # ui.DEFAULT_THEME = "...";
+
+      # TODO: once we have email setup this would be nice
+      mailer.ENABLED = true;
+    };
+  };
+}
@@ -1,46 +1,21 @@
-{ config, self, ... }:
+{ config, ... }:
 let
  inherit (config.networking) fqdn;

  mkVhost =
-    attrs: locations:
+    attrs:
    let
      acmeEnabled = config.acme.enable;
    in
    {
      forceSSL = acmeEnabled;
      useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
    }
    // attrs;

  mkProxy = port: {
    proxyPass = "http://127.0.0.1:${toString port}/";
-
-    extraConfig = ''
-      proxy_buffering off;
-      proxy_request_buffering off;
-    '';
  };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
  services.nginx = {
@@ -52,14 +27,14 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts = {
-      "${fqdn}" = mkVhost { default = true; } {
-        "/" = mkSsi "${self.pins.website}/web-root";
-      };
+    # services.nginx.virtualHosts."${fqdn}" = {
+    #   addSSL = true;
+    #   root = "/var/www/myhost.org";
+    #   default = true;
+    # };

-      "git.${fqdn}" = mkVhost { } {
-        "/" = mkProxy config.services.forgejo.settings.server.HTTP_PORT;
-      };
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
    };
  };

@@ -1,17 +1,23 @@
-{ config, ... }:
 {
  services.openssh = {
    enable = true;

    settings = {
      ClientAliveInterval = 300;
-      X11Forwarding = true;

      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
  };
+<<<<<<< HEAD

-  networking.firewall.allowedTCPPorts = config.services.openssh.ports;
+  networking.firewall.allowedTCPPorts = [ 22 ];
+||||||| parent of 1c2f11d (lib/ssh: add more ssh keys)
+
+  users.users.root.openssh.authorizedKeys.keys = builtins.attrValues {
+    inherit (import "${self}/lib/ssh/keys.nix") error javalsai;
+  };
+=======
+>>>>>>> 1c2f11d (lib/ssh: add more ssh keys)
 }
@@ -1,6 +1,25 @@
 { lib, self, ... }:
 let
-  inherit (self.lib) users;
+  users = [
+    {
+      name = "error";
+      options.admin = true;
+    }
+    {
+      name = "javalsai";
+      options.admin = true;
+    }
+    {
+      name = "max";
+      options.admin = true;
+    }
+    {
+      name = "vectorum";
+    }
+    {
+      name = "pickzelle";
+    }
+  ];

  adminGroups = [
    "adm"
@@ -11,55 +30,60 @@ let
    "wheel"
  ];

-  mkUser = name: uid: admin: {
-    users.users.${name} = {
-      inherit uid;
-      isNormalUser = true;
-      extraGroups = lib.optionals admin adminGroups;
-      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
-    };
+  getSSHKeys =
+    username:
+    let
+      sshKeys = import "${self}/lib/ssh/keys.nix";
+    in
+    if (builtins.hasAttr username sshKeys) then
+      lib.lists.toList sshKeys.${username}
+    else
+      lib.warn "user ${username} declared without ssh key" [ ];

-    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
-      CPUQuota = "50%";
-      CPUWeight = "10";
-      IOAccounting = true;
-      IOWeight = "10";
-      MemoryMax = "2G";
-      MemorySwapMax = "1G";
-      TasksMax = "100";
+  mkUser =
+    name: uid: options:
+    let
+      admin = options.admin or false;
+
+    in
+    {
+      users.users.${name} = {
+        isNormalUser = true;
+        extraGroups = lib.optionals admin adminGroups;
+        inherit uid;
+
+        openssh.authorizedKeys.keys = getSSHKeys name;
+      };
+
+      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
+        CPUQuota = "50%";
+        CPUWeight = "10";
+        IOAccounting = true;
+        IOWeight = "10";
+        MemoryMax = "2G";
+        MemorySwapMax = "1G";
+        TasksMax = "100";
+      };
    };
-  };
 in
 lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
-      options = lib.recursiveUpdate attrs.options (
-        mkUser user.name attrs.uid (user.value.admin or false)
-      );
+      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
      uid = attrs.uid + 1;
    })
    {
      options = { };
      uid = 1000;
    }
-    (lib.attrsToList users)
+    users
  ).options
  {
-    users = {
-      motd = ''
-                  __                                          __                      __
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
+    users.users.root = {
+      initialPassword = "tuxcord";

-      users.root = {
-        initialPassword = "tuxcord";
-        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      };
+      openssh.authorizedKeys.keys = lib.lists.concatLists (
+        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
+      );
    };
  }
@@ -65,9 +65,7 @@ let
        if pkgs == null then
          {
            inherit (builtins) fetchTarball fetchurl;
-            # Frustratingly, due to flakes and `fetchTree`, `fetchGit`
-            # has a different signature than the other builtin
-            # fetchers
+            # For some fucking reason, fetchGit has a different signature than the other builtin fetchers …
            fetchGit = args: (builtins.fetchGit args).outPath;
          }
        else
@@ -88,16 +86,16 @@ let
                submodules,
                rev,
                name,
-                lfs,
                narHash,
              }:
              pkgs.fetchgit {
-                inherit url rev name lfs;
+                inherit url rev name;
                fetchSubmodules = submodules;
                hash = narHash;
              };
          };

+      # Dispatch to the correct code path based on the type
      path =
        if spec.type == "Git" then
          mkGitSource fetchers spec
@@ -107,8 +105,8 @@ let
          mkPyPiSource fetchers spec
        else if spec.type == "Channel" then
          mkChannelSource fetchers spec
-        else if spec.type == "Url" || spec.type == "MutableUrl" then
-          mkUrlSource fetchers spec
+        else if spec.type == "Tarball" then
+          mkTarballSource fetchers spec
        else if spec.type == "Container" then
          mkContainerSource pkgs spec
        else
@@ -128,7 +126,6 @@ let
      url ? null,
      submodules,
      hash,
-      lfs,
      ...
    }:
    assert repository ? type;
@@ -168,7 +165,7 @@ let
        rev = revision;
        narHash = hash;

-        inherit name submodules url lfs;
+        inherit name submodules url;
      };

  mkPyPiSource =
@@ -195,20 +192,16 @@ let
      sha256 = hash;
    };

-  mkUrlSource =
-    {
-      fetchTarball,
-      fetchurl,
-      ...
-    }:
+  mkTarballSource =
+    { fetchTarball, ... }:
    {
      url,
+      locked_url ? url,
      hash,
-      unpack,
      ...
    }:
-    (if unpack then fetchTarball else fetchurl) {
-      inherit url;
+    fetchTarball {
+      url = locked_url;
      sha256 = hash;
    };

@@ -218,7 +211,6 @@ let
      image_name,
      image_tag,
      image_digest,
-      hash,
      ...
    }:
    if pkgs == null then
@@ -228,9 +220,7 @@ let
        imageName = image_name;
        imageDigest = image_digest;
        finalImageTag = image_tag;
-        hash = hash;
      };
-
 in
 mkFunctor (
  {
@@ -241,7 +231,7 @@ mkFunctor (
      if builtins.isPath input then
        # while `readFile` will throw an error anyways if the path doesn't exist,
        # we still need to check beforehand because *our* error can be caught but not the one from the builtin
-        # See: <https://git.lix.systems/lix-project/lix/issues/1098>
+        # *piegames sighs*
        if builtins.pathExists input then
          builtins.fromJSON (builtins.readFile input)
        else
@@ -252,7 +242,7 @@ mkFunctor (
        throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
    version = data.version;
  in
-  if version == 8 then
+  if version == 7 then
    builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
  else
    throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
@@ -1,18 +1,4 @@
 {
-  "pins": {
-    "website": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "lfs": true,
-      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
-      "url": null,
-      "hash": "sha256-xYH9RXYZDVotUW8fKIEC9u0GJeEg2nV/23aQlEyeQso="
-    }
-  },
-  "version": 8
+  "pins": {},
+  "version": 7
 }
@@ -2,26 +2,6 @@
 {
  perSystem =
    { pkgs, ... }:
-    let
-      npins' = pkgs.npins.overrideAttrs (
-        final: old: {
-          src = pkgs.fetchFromGitHub {
-            owner = "javalsai";
-            repo = "npins";
-            rev = "f3def7dfeecc16884cb0601f6c904d5142f47383";
-            hash = "sha256-ejeOGmDw+D4KddFJ5OAPradqoS+p2eAhhS4fOLQOWOk=";
-          };
-
-          cargoHash = null;
-          cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
-            src = final.src;
-            hash = "sha256-mG4UClFBgiWBraWQ12N3CSyapaIpuXI9F8wQGwh/ooQ=";
-          };
-
-          cargoBuildFeatures = [ ];
-        }
-      );
-    in
    {
      devShells.default = pkgs.mkShell {
        name = "configuration.nix";
@@ -51,9 +31,10 @@
          git
          inputs.agenix.packages.${stdenv.hostPlatform.system}.default
          jujutsu
+          neovim
          nix-output-monitor
          nixfmt
-          npins'
+          npins
          parted
          smartmontools
          statix
Author	SHA1	Message	Date
javalsai	8d6be9fcf0	docs: add sections and fix typos/errors Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 11s Details	2026-05-04 02:00:47 +02:00
ErrorNoInternet	4c52994bf8	treewide: initialize npins	2026-05-04 02:00:47 +02:00
ErrorNoInternet	b964fe3e89	treewide: refactor code	2026-05-04 02:00:47 +02:00
javalsai	9008f6fdb9	nixos/security: add acme through dns challenge few side refactors of this: - no more `dns.domain`, it all must rely on `fqdn`, prevents inconsistencies. - also added an specific host `tuxcord-acmetest` that uses the key zone for `nix.tuxcord.net` to test certificate pulling.	2026-05-04 02:00:47 +02:00
javalsai	701a477d42	docs: document installation, secrets and setup steps	2026-05-04 02:00:47 +02:00
javalsai	b491abe065	nixos/services: make dns configuration easier	2026-05-04 02:00:47 +02:00
javalsai	ddb136f971	nixos/service: add dns (bind named server)	2026-05-04 02:00:47 +02:00
javalsai	d8a90697e9	nixos/programs: add bind utils	2026-05-04 02:00:47 +02:00
javalsai	433645f459	lib/ssh: add more ssh keys	2026-05-04 02:00:44 +02:00
javalsai	dd7ad60710	nixos/services: add gitea server Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-04 01:56:34 +02:00
javalsai	fd18ae4a78	nixos/services: add nginx base configuration	2026-05-04 01:56:34 +02:00
javalsai	d7deaa187c	nixos/networking: add own fqdn to extraHosts	2026-05-04 01:56:34 +02:00
javalsai	c6d66902bb	nixos/hosts: add tuxcord-vm host configuration	2026-05-04 01:56:34 +02:00
ErrorNoInternet	4704a887fa	nixos: separate openssh firewall port	2026-05-04 01:56:34 +02:00
javalsai	eaaffcc289	lib/ssh: add more ssh keys	2026-05-04 01:56:32 +02:00