38 changed files with 102 additions and 346 deletions
--- a/.github/workflows/cachix.yaml
+++ b/.github/workflows/cachix.yaml
@ -1,16 +1,13 @@
-name: "Populate Cachix binary cache"
+name: "Build packages for cachix"
 on:
  push:
    paths:
      - '**.nix'
      - '**.age'
      - 'pkgs/**'
      - 'flake.nix'
      - 'flake.lock'
      - '.github/workflows/*'
 jobs:
-  build-pkgs:
+  build:
    name: Nix packages
    runs-on: ubuntu-latest
    strategy:
@ -35,29 +32,4 @@ jobs:
        extraPullNames: "nix-community"
    - name: Build package
-      run: nix build -L .#"${{ matrix.name }}"
+      run: nix build --verbose -L .#"${{ matrix.name }}"
  build-configs:
    name: NixOS configs
    runs-on: ubuntu-latest
    needs: [ build-pkgs ]
    strategy:
      matrix:
        name:
        - boreal
        - zephyrus
    steps:
    - uses: actions/checkout@v2
    - uses: cachix/install-nix-action@v16
    - uses: cachix/cachix-action@v10
      with:
        name: alarsyo
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
        extraPullNames: "nix-community"
    - name: Build package
      run: nix build -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
 /result
--- a/base/gui-programs.nix
+++ b/base/gui-programs.nix
@ -26,8 +26,6 @@ in
        xkbVariant = "us";
        libinput.enable = true;
      };
      logind.lidSwitch = "ignore";
    };
    environment.systemPackages = builtins.attrValues {
@ -55,40 +53,7 @@ in
      inherit (pkgs.unstable) discord;
    };
-    networking.networkmanager = {
+    networking.networkmanager.enable = true;
      enable = true;
      dispatcherScripts = [
        {
          source =
            let
              grep = "${pkgs.gnugrep}/bin/grep";
              nmcli = "${pkgs.networkmanager}/bin/nmcli";
            in pkgs.writeShellScript "disable_wifi_on_ethernet" ''
              export LC_ALL=C
              enable_disable_wifi ()
              {
                  result=$(${nmcli} dev | ${grep} "ethernet" | ${grep} -w "connected")
                  if [ -n "$result" ]; then
                      ${nmcli} radio wifi off
                  else
                      ${nmcli} radio wifi on
                  fi
              }
              if [ "$2" = "up" ]; then
                  enable_disable_wifi
              fi
              if [ "$2" = "down" ]; then
                  enable_disable_wifi
              fi
            '';
          type = "basic";
        }
      ];
    };
    programs.nm-applet.enable = true;
    programs.steam.enable = true;
--- a/base/nix.nix
+++ b/base/nix.nix
@ -8,16 +8,15 @@
      experimental-features = nix-command flakes
    '';
-    settings = {
+    trustedUsers = [ "@wheel" ];
-      trusted-users = [ "@wheel" ];
+
-      substituters = [
+    binaryCaches = [
-        "https://alarsyo.cachix.org"
+      "https://alarsyo.cachix.org"
-        "https://nix-community.cachix.org"
+      "https://nix-community.cachix.org"
-      ];
+    ];
-      trusted-public-keys = [
+    binaryCachePublicKeys = [
-        "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk="
+      "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      ];
+    ];
    };
  };
 }
--- a/base/programs.nix
+++ b/base/programs.nix
@ -53,8 +53,6 @@
      # nix pkgs lookup
      nix-index
      agenix
    ;
    inherit (pkgs.llvmPackages_11)
--- a/base/users.nix
+++ b/base/users.nix
@ -5,10 +5,10 @@ in
 {
  users.mutableUsers = false;
  users.users.root = {
-    passwordFile = config.age.secrets."users/root-hashed-password".path;
+    hashedPassword = secrets.shadow-hashed-password-root;
  };
  users.users.alarsyo = {
-    passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
+    hashedPassword = secrets.shadow-hashed-password-alarsyo;
    isNormalUser = true;
    extraGroups = [
      "media"
--- a/flake.lock
+++ b/flake.lock
@ -1,30 +1,12 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1641576265,
        "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "08b9c96878b2f9974fc8bde048273265ad632357",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "emacs-overlay": {
      "locked": {
-        "lastModified": 1644230579,
+        "lastModified": 1642358862,
-        "narHash": "sha256-/3v0jBKY1QJPK6cdO0fZl+xK5E+GZhHcbgWb7RoFEN4=",
+        "narHash": "sha256-tttyyXdpOQYxFG3HkOOcK0dFxBpdaeWHRrIWWnQRZYA=",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "02d47fdf48e54598f9838f01a9d172bfa206b63e",
+        "rev": "cdd347f1b966415c5473b3e3f4640c0d0fd13b55",
        "type": "github"
      },
      "original": {
@ -57,11 +39,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1643933104,
+        "lastModified": 1642372264,
-        "narHash": "sha256-NZPuFxRsZKN8pjRuHPpzlMyt6JQhcjiduBG8bMghSjE=",
+        "narHash": "sha256-SRnw7qcHmvUBxby925Vm+nhPqq7YVs1qquNqv7TRyVY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "63dccc4e60422c1db2c3929b2fd1541f36b7e664",
+        "rev": "46bba772f26f89b62811f487d2b0d5357c91bc32",
        "type": "github"
      },
      "original": {
@ -89,40 +71,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1618628710,
+        "lastModified": 1642104392,
-        "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+        "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=",
        "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
        "rev": "7919518f0235106d050c77837df5e338fb94de5d",
        "type": "path"
      },
      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }
    },
    "nixpkgs-unstable-small": {
      "locked": {
        "lastModified": 1644225686,
        "narHash": "sha256-XDslFfn44H93WjGytIhrPSduGIug1p4cPN/cEuHdIBI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8",
+        "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1644033087,
        "narHash": "sha256-beskas17YPhrcnanzywake9/z+k+xOWmavW24YUN8ng=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "9f697d60e4d9f08eacf549502528bfaed859d33b",
        "type": "github"
      },
      "original": {
@ -132,14 +85,29 @@
        "type": "github"
      }
    },
    "nixpkgs-unstable-small": {
      "locked": {
        "lastModified": 1642285376,
        "narHash": "sha256-LfZBVKCrPOx5k9pUoJlRsBvdz7yn1qYHenCKuqwwFGo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "0a223c8d509cea6b4be3906f9c39820ff195fad2",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "emacs-overlay": "emacs-overlay",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable-small": "nixpkgs-unstable-small"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -15,12 +15,6 @@
      ref = "nixos-unstable-small";
    };
    agenix = {
      type = "github";
      owner = "ryantm";
      repo = "agenix";
    };
    emacs-overlay = {
      type = "github";
      owner = "nix-community";
@ -51,7 +45,7 @@
    };
  };
-  outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: {
+  outputs = { self, nixpkgs, home-manager, ... } @inputs: {
    nixosModules = {
      home = {
        home-manager.useGlobalPkgs = true;
@ -80,13 +74,9 @@
              inherit system;
              config.allowUnfree = true;
            };
          })
          agenix.overlay
        ] ++ builtins.attrValues self.overlays;
        sharedModules = [
          agenix.nixosModules.age
          home-manager.nixosModule
          { nixpkgs.overlays = shared_overlays; }
        ] ++ (nixpkgs.lib.attrValues self.nixosModules);
--- a/home/default.nix
+++ b/home/default.nix
@ -12,6 +12,7 @@
    ./laptop.nix
    ./lorri.nix
    ./rofi.nix
    ./secrets
    ./ssh.nix
    ./themes
    ./tmux.nix
--- a/home/lorri.nix
+++ b/home/lorri.nix
@ -16,6 +16,7 @@ in
    services.lorri.enable = true;
    programs.direnv = {
        enable = true;
        enableFishIntegration = true;
        # FIXME: proper file, not lorri.nix
        nix-direnv = {
          enable = true;
--- a/home/secrets/bluetooth-mouse-mac-address.secret
+++ b/home/secrets/bluetooth-mouse-mac-address.secret
--- a/home/secrets/default.nix
+++ b/home/secrets/default.nix
@ -0,0 +1,19 @@
 { lib, ... }:
 let
  inherit (lib)
    fileContents
    mkOption
    types
  ;
 in
 {
  options.my.secrets = mkOption {
    type = types.attrs;
  };
  config.my.secrets = {
    # I'm not sure hiding this is very important, but it *seems* like a bad idea
    # to expose this
    bluetooth-mouse-mac-address = fileContents ./bluetooth-mouse-mac-address.secret;
  };
 }
--- a/home/tridactylrc
+++ b/home/tridactylrc
@ -1,5 +1,3 @@
 " -*- tridactylrc -*-
 " This wipes all existing settings. This means that if a setting in this file is
 " removed, then it will return to default. In other words, this file serves as
 " as an enforced single point of truth for Tridactyl's configuration.
--- a/home/x/i3bar.nix
+++ b/home/x/i3bar.nix
@ -35,7 +35,8 @@ in
  config = mkIf isEnabled {
    home.packages = builtins.attrValues {
      inherit (pkgs)
-        # FIXME: is this useful?
+        iw # Used by `net` block
        lm_sensors # Used by `temperature` block
        font-awesome
      ;
    };
@ -104,6 +105,12 @@ in
              block = "networkmanager";
              primary_only = true;
            }
            {
              block = "bluetooth";
              mac = config.my.secrets.bluetooth-mouse-mac-address;
              hide_disconnected = true;
              format = "{percentage}";
            }
            {
              block = "sound";
              driver = "pulseaudio";
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@ -3,14 +3,15 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
 let
  secrets = config.my.secrets;
 in
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./home.nix
      ./secrets.nix
    ];
  boot.kernelPackages = pkgs.linuxPackages_latest;
@ -45,12 +46,17 @@
  # List services that you want to enable:
  my.services = {
-    restic-backup = {
+    borg-backup = {
      enable = true;
-      repo = "b2:boreal-backup";
+      repo = secrets.borg-backup.boreal-repo;
-      passwordFile = config.age.secrets."restic-backup/boreal-password".path;
+      # for a workstation, having backups spanning the last month should be
-      environmentFile = config.age.secrets."restic-backup/boreal-credentials".path;
+      # enough
-
+      prune = {
        keep = {
          daily = 7;
          weekly = 4;
        };
      };
      paths = [
        "/home/alarsyo"
      ];
@ -58,7 +64,7 @@
        "/home/alarsyo/Downloads"
        # Rust builds using half my storage capacity
-        "/home/alarsyo/**/target"
+        "/home/alarsyo/*/target"
        "/home/alarsyo/work/rust/build"
        # don't backup nixpkgs
--- a/hosts/boreal/secrets.nix
+++ b/hosts/boreal/secrets.nix
@ -1,19 +0,0 @@
 { config, lib, options, ... }:
 {
  config.age = {
    secrets =
      let
        toSecret = name: { ... }@attrs: {
          file = ./../../modules/secrets + "/${name}.age";
        } // attrs;
      in
        lib.mapAttrs toSecret {
          "restic-backup/boreal-credentials" = {};
          "restic-backup/boreal-password" = {};
          "users/alarsyo-hashed-password" = {};
          "users/root-hashed-password" = {};
        };
  };
 }
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@ -12,7 +12,6 @@ in
      ./hardware-configuration.nix
      ./home.nix
      ./secrets.nix
    ];
  # Use the GRUB 2 boot loader.
--- a/hosts/poseidon/secrets.nix
+++ b/hosts/poseidon/secrets.nix
@ -1,16 +0,0 @@
 { config, lib, options, ... }:
 {
  config.age = {
    secrets =
      let
        toSecret = name: { ... }@attrs: {
          file = ./../../modules/secrets + "/${name}.age";
        } // attrs;
      in
        lib.mapAttrs toSecret {
          "users/alarsyo-hashed-password" = {};
          "users/root-hashed-password" = {};
        };
  };
 }
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@ -3,12 +3,14 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
 let
  secrets = config.my.secrets;
 in
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ./home.nix
      ./secrets.nix
    ];
  boot.kernelPackages = pkgs.linuxPackages;
@ -41,39 +43,6 @@
    tailscale.enable = true;
    pipewire.enable = true;
    restic-backup = {
      enable = true;
      repo = "b2:zephyrus-backup";
      passwordFile = config.age.secrets."restic-backup/zephyrus-password".path;
      environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path;
      timerConfig = {
        OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day
      };
      paths = [
        "/home/alarsyo"
      ];
      exclude = [
        "/home/alarsyo/Downloads"
        # Rust builds using half my storage capacity
        "/home/alarsyo/**/target"
        "/home/alarsyo/work/rust/build"
        # don't backup nixpkgs
        "/home/alarsyo/work/nixpkgs"
        # C build crap
        "*.a"
        "*.o"
        "*.so"
        # ignore all dotfiles as .config and .cache can become quite big
        "/home/alarsyo/.*"
      ];
    };
  };
  services = {
@ -84,11 +53,6 @@
      };
    };
    fwupd.enable = true;
    openssh = {
      enable = true;
      permitRootLogin = "no";
      passwordAuthentication = false;
    };
  };
  my.gui.enable = true;
--- a/hosts/zephyrus/hardware-configuration.nix
+++ b/hosts/zephyrus/hardware-configuration.nix
@ -29,7 +29,6 @@ in
    { device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
      fsType = "btrfs";
      options = [ "subvol=@home" "compress=zstd" "noatime" ];
      neededForBoot = true; # agenix needs my key for some root secrets
    };
  fileSystems."/nix" =
--- a/hosts/zephyrus/secrets.nix
+++ b/hosts/zephyrus/secrets.nix
@ -1,19 +0,0 @@
 { config, lib, options, ... }:
 {
  config.age = {
    secrets =
      let
        toSecret = name: { ... }@attrs: {
          file = ./../../modules/secrets + "/${name}.age";
        } // attrs;
      in
        lib.mapAttrs toSecret {
          "restic-backup/zephyrus-credentials" = {};
          "restic-backup/zephyrus-password" = {};
          "users/alarsyo-hashed-password" = {};
          "users/root-hashed-password" = {};
        };
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -2,7 +2,6 @@
 {
  imports = [
    ./sddm.nix
    ./secrets
    ./wakeonwlan.nix
  ];
 }
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@ -1,9 +0,0 @@
 { config, lib, options, ... }:
 {
  config.age = {
    identityPaths = options.age.identityPaths.default ++ [
      "/home/alarsyo/.ssh/id_ed25519"
    ];
  };
 }
--- a/modules/secrets/restic-backup/boreal-credentials.age
+++ b/modules/secrets/restic-backup/boreal-credentials.age
@ -1,10 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro
 21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks
 -> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM
 ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg
 -> u5-grease
 MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm
 fg
 --- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw
 ŒÙúDíï°	´&…<QØ+¨úþ‹éJoTÇ;US9.©âu'v¸œ,‘Ä@“úÿQKcë‚ÛzÑ>v¢€ÃN1›±tòÚ8›w<˜Îò“w°d<C2B0><64>>s:µG_øæÆšyø„u,þÅ%@J hñ"†Ev‡ÙX
--- a/modules/secrets/restic-backup/boreal-password.age
+++ b/modules/secrets/restic-backup/boreal-password.age
--- a/modules/secrets/restic-backup/zephyrus-credentials.age
+++ b/modules/secrets/restic-backup/zephyrus-credentials.age
@ -1,11 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 ZQuVNA KjrRurc5ztGrYO2wx0ToE8E4Yz2sbNwPi4zCGAJUK3k
 +U1Ox1U4Z9ssleGchzMJGpQjFaRoqMYSLhKHXj1F2/U
 -> ssh-ed25519 k2gHjw W35K39F0sREO2igYKaa3zr1LKgF6xiU5YtMq3RYqkC4
 YJV8kdjMJSoRX7iLw2bQXET9zOudFuhZeHqPqHkNjuc
 -> (aAM-grease j{6WJ 3C&
 Pfh0krD/ClkQcByosGU3CxPivvPei5tXWZHh6odkWxn29iqsKT6L1ihEgYJDlopA
 8ODR4G4ax6ZY13O+qjc
 --- ugjGDcsxbwlKmTN+4lUyrhD6GJPl0qk4i+4OLS2NRP0
 ]#z…ƒã‹p¢¶X7Ó™	¼1mê%wýFÒ
4õÒØ³Äcp+Q2¹ú“<C3BA>×ì¢pmxx>Åˆœ)Eô;~äî<>¢ÔsÆx[S$z¥¨&øžùrBSVÄzÿ÷þ\SXøærdö×\ÜóŠ5Tªfÿ|¿ô
 TÜ
--- a/modules/secrets/restic-backup/zephyrus-password.age
+++ b/modules/secrets/restic-backup/zephyrus-password.age
@ -1,9 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 ZQuVNA H3/RLTRU8T3JY99f+b9xT5oIqPCDyxjRfFbJ7iR3/zE
 CTLpdnGapstc+/epugi1CxIZ3T7JZgE4Ew14B2WuanY
 -> ssh-ed25519 k2gHjw wEnvcV2UApJ1MMyIQgSSkF+zhG+fugEiCieCpPBdJyc
 polPsTGun9e6Bq6rogQBrmT32GQXiixxlKmuRpDDM0c
 -> Jt-grease rX6~
 RL6JmjlIQaG17HQQFY3hTYtTiL12Sr3RX/Scv6gO7gO8
 --- eUEOS9mtYxxW2bqzEpD+ZsyYjhHWCArPd2PiFn6wMF4
 ƒ*@ò-úñæÀ£’¬…9ÂÜpMDŸ¸™I{ázÃ¼ke°K);‰ü+úU¥îñOZâ{ÙBSx’/ÑLI¡”G «9—‰	”þ1É:YÝ½°4x:K—f¹Žq‘ö9ï˜a¥Oº[jNåÇXq¡‘,âÏæZü=*˜'€'t×„ƒÍ	
²ˆö¿!vWòÛ6n›†ÅéG&QwõÚG
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -1,21 +0,0 @@
 let
  alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
  users = [ alarsyo ];
  boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
  poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
  zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
  machines = [ boreal poseidon zephyrus ];
  all = users ++ machines;
 in
 {
  "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
  "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
  "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
  "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
  "users/root-hashed-password.age".publicKeys = machines;
  "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }
--- a/modules/secrets/users/alarsyo-hashed-password.age
+++ b/modules/secrets/users/alarsyo-hashed-password.age
--- a/modules/secrets/users/root-hashed-password.age
+++ b/modules/secrets/users/root-hashed-password.age
--- a/overlays/i3status-rust/default.nix
+++ b/overlays/i3status-rust/default.nix
@ -10,7 +10,6 @@ final: prev:
    buildInputs = builtins.attrValues {
      inherit (final)
        dbus
        lm_sensors
        openssl
        pulseaudio
      ;
--- a/pkgs/spot/default.nix
+++ b/pkgs/spot/default.nix
@ -3,7 +3,7 @@
 , python3
 }:
 let
-  version = "2.10.4";
+  version = "2.10.3";
 in
 stdenv.mkDerivation {
  inherit version;
@ -15,6 +15,6 @@ stdenv.mkDerivation {
  src = fetchurl {
    url = "https://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz";
-    sha256 = "sha256-6GKc22zOgwd4JpYM0B7OUhPar5ooPW9iqvaa+gYjR4o=";
+    sha256 = "sha256-iX6VSGFzdI8rZe7L2ZojS39od/IYboaNp6zlZxgEAZ8=";
  };
 }
--- a/poseidon.nix
+++ b/poseidon.nix
@ -5,9 +5,6 @@
    # Default configuration
    ./base
    # Module definitions
    ./modules
    # Service definitions
    ./services
--- a/secrets/borg-backup/boreal-repo.secret
+++ b/secrets/borg-backup/boreal-repo.secret
--- a/secrets/borg-backup/default.nix
+++ b/secrets/borg-backup/default.nix
@ -5,5 +5,6 @@ let
  ;
 in
 {
  boreal-repo = fileContents ./boreal-repo.secret;
  poseidon-repo = fileContents ./poseidon-repo.secret;
 }
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -44,7 +44,7 @@ in
    security.acme = {
      acceptTerms = true;
-      defaults.email = "antoine97.martin@gmail.com";
+      email = "antoine97.martin@gmail.com";
      certs =
        let
--- a/services/restic-backup.nix
+++ b/services/restic-backup.nix
@ -11,6 +11,7 @@ let
  ;
  cfg = config.my.services.restic-backup;
  secrets = config.my.secrets;
  excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
  makePruneOpts = pruneOpts:
    attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
@ -61,23 +62,6 @@ in {
        monthly = 6;
      };
    };
    passwordFile = mkOption {
      type = types.str;
      default = "/root/restic/password";
    };
    environmentFile = mkOption {
      type = types.str;
      default = "/root/restic/creds";
    };
    timerConfig = mkOption {
      type = types.attrsOf types.str;
      default = {
        OnCalendar = "daily";
      };
    };
  };
  config = mkIf cfg.enable {
@ -89,13 +73,15 @@ in {
      paths = cfg.paths;
      repository = cfg.repo;
-      passwordFile = cfg.passwordFile;
+      passwordFile = "/root/restic/password";
-      environmentFile = cfg.environmentFile;
+      environmentFile = "/root/restic/creds";
      extraBackupArgs = [ "--verbose=2" ]
                        ++ optional (builtins.length cfg.exclude != 0) excludeArg;
-      timerConfig = cfg.timerConfig;
+      timerConfig = {
        OnCalendar = "daily";
      };
      pruneOpts = makePruneOpts cfg.prune;
    };
--- a/zephyrus.nix
+++ b/zephyrus.nix
@ -10,6 +10,9 @@
    # Service definitions
    ./services
    # Configuration secrets
    ./secrets
    # Host-specific config
    ./hosts/zephyrus
  ];