thanatos: add Nix runner

thanatos: setup gitlab-runner
home: tridactyl: add ignore for teams
2024-11-20 13:37:38 +01:00 · 2024-11-20 11:17:24 +01:00 · 2024-11-19 16:49:23 +01:00 · 2024-11-18 14:52:14 +01:00 · 2024-11-18 14:52:14 +01:00 · 2024-11-18 12:54:27 +01:00
165 changed files with 6131 additions and 14712 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -1,4 +0,0 @@
 # Do not edit this file.  To specify the files to encrypt, create your own
 # .gitattributes file in the directory where your files are.
 * !filter !diff
 *.gpg binary
--- a/.git-crypt/keys/default/0/91FF02AD4EEBB9C7E08FF04D6BD29B53D3847632.gpg
+++ b/.git-crypt/keys/default/0/91FF02AD4EEBB9C7E08FF04D6BD29B53D3847632.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -1,2 +0,0 @@
 secrets/*.secret filter=git-crypt diff=git-crypt
 secrets/wireguard.nix filter=git-crypt diff=git-crypt
--- a/.github/workflows/cachix.yaml
+++ b/.github/workflows/cachix.yaml
@ -0,0 +1,98 @@
 name: "Cachix"
 on:
  push:
    paths:
      - '**.nix'
      - '**.age'
      - 'pkgs/**'
      - 'flake.nix'
      - 'flake.lock'
      - '.github/workflows/cachix.yaml'
 jobs:
  format-check:
    name: Format check
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: cachix/install-nix-action@v27
    - name: Run alejandra
      run: nix develop --command alejandra --check .
  flake-check:
    name: Flake check
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: cachix/install-nix-action@v27
    - uses: cachix/cachix-action@v15
      with:
        name: alarsyo
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
        extraPullNames: "nix-community"
    - name: Build package
      run: nix flake check
  build-pkgs:
    name: Nix packages
    runs-on: ubuntu-latest
    needs: [ flake-check, format-check ]
    strategy:
      fail-fast: false
      matrix:
        name:
        - grafanaDashboards/nginx
        - grafanaDashboards/node-exporter
        - kaleidoscope-udev-rules
        - sddm-sugar-candy
        - spot
    steps:
    - uses: actions/checkout@v4
    - uses: cachix/install-nix-action@v27
    - uses: cachix/cachix-action@v15
      with:
        name: alarsyo
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
        extraPullNames: "nix-community"
    - name: Build package
      run: nix build -L .#"${{ matrix.name }}"
  build-configs:
    name: NixOS configs
    runs-on: ubuntu-latest
    needs: [ build-pkgs ]
    strategy:
      fail-fast: false
      matrix:
        name:
        - boreal
        - hades
        - talos
        - thanatos
    steps:
    - name: Delete huge unnecessary tools folder
      run: rm -rf /opt/hostedtoolcache
    - uses: actions/checkout@v4
    - uses: cachix/install-nix-action@v27
    - uses: cachix/cachix-action@v15
      with:
        name: alarsyo
        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
        extraPullNames: "nix-community"
    - name: Build package
      run: nix build -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel
--- a/.github/workflows/nur-update.yaml
+++ b/.github/workflows/nur-update.yaml
@ -0,0 +1,17 @@
 name: "NUR"
 on:
  push:
    branches:
      - 'main'
    paths:
      - 'pkgs/**'
      - '.github/workflows/nur-update.yaml'
 jobs:
  update-nur:
    name: "Ping NUR repo hook"
    runs-on: ubuntu-latest
    steps:
      - name: curl nur endpoint
        run: |
          curl -XPOST https://nur-update.nix-community.org/update?repo=alarsyo
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 /result
--- a/README.org
+++ b/README.org
@ -1,46 +1,25 @@
-#+title: NixOS deployment configuration
+#+title: NixOS configurations
-* Services
+Configuration for my computers! You may find here system configurations for
 various services I host, as well as my dotfiles for daily programs.
-** Bitwarden
+** Packages
-Password manager, Rust lightweight version.
+Various packages of mine can be found in this repo. You can easily use these
 packages from Nix by [[https://github.com/nix-community/NUR][setting up the Nix User Repository]].
-** Borg backup
+*** Flake
-Creating daily backups to borgbase
+If you prefer, theses packages are also exposed as a *flake* in this repo:
-** fail2ban
+- To list packages:
-Keeping the bad guys away
+#+begin_src sh
 nix flake show
 #+end_src
-** Gitea
+- To install one of them:
-Hosting for all my personal projects
+#+begin_src sh
-
+nix build github:alarsyo/nixos-config#$PACKAGE
-** Jellyfin
+#+end_src
 Netflix but just for me
 ** Lohr
 *** Setup
 Needs manual SSH key and known hosts setup.
 ** Matrix
 My Matrix homeserver at =alarsyo.net=. Also hosting an Element web client at
 [[https://chat.alarsyo.net][chat.alarsyo.net]].
 ** Miniflux
 RSS reader
 ** Monitoring
 Grafana and Prometheus are currently used as a glorified =htop=.
 ** Nextcloud
 ** Wireguard VPN
--- a/base/default.nix
+++ b/base/default.nix
@ -1,6 +1,6 @@
-{ ... }:
+{...}: {
 {
  imports = [
    ./gui-programs.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
--- a/base/gui-programs.nix
+++ b/base/gui-programs.nix
@ -1,25 +1,95 @@
 { pkgs, ... }:
 {
-  environment.systemPackages = with pkgs; [
+  pkgs,
-    alacritty
+  lib,
-    discord
+  config,
-    emacsPgtkGcc
+  options,
-    feh
+  ...
-    firefox
+}: let
-    flameshot
+  inherit
-    pavucontrol
+    (lib)
-    slack
+    mkEnableOption
-    spotify
+    mkIf
-    sqlite # needed for org-roam
+    optional
-    zathura
+    ;
-  ];
+in {
  options.my.gui = {
    enable = mkEnableOption "System has some kind of screen attached";
    isNvidia = mkEnableOption "System a NVIDIA GPU";
  };
-  fonts.fonts = with pkgs; [
+  config = mkIf config.my.gui.enable {
-    input-fonts
+    my.displayManager.sddm.enable = true;
-    emacs-all-the-icons-fonts
+
-  ];
+    programs.gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
      pinentryPackage = pkgs.pinentry-qt;
    };
    services = {
      xserver = {
        enable = true;
        # NOTE: could use `mkOptionDefault` but this feels more explicit
        videoDrivers =
          if config.my.gui.isNvidia
          then ["nvidia"]
          else options.services.xserver.videoDrivers.default;
        xkb = {
          layout = "fr";
          variant = "us";
        };
      };
      libinput = {
        enable = true;
        touchpad = {
          naturalScrolling = true;
        };
      };
      logind.lidSwitch = "ignore";
      printing = {
        enable = true;
        cups-pdf.enable = true;
      };
      udev.packages = [pkgs.chrysalis];
    };
    environment.systemPackages = builtins.attrValues {
      inherit
        (pkgs)
        arandr
        chrysalis
        discord
        feh
        ffmpeg
        gimp-with-plugins
        imagemagick
        mpv
        obs-studio
        pavucontrol
        spotify
        tdesktop
        thunderbird
        virt-manager
        xcolor
        zathura
        ;
      inherit (pkgs.libsForQt5) okular;
    };
    networking.networkmanager.enable = true;
    programs.nm-applet.enable = true;
    programs.steam.enable = true;
    # this is necessary to set GTK stuff in home manager
    # FIXME: better interdependency between this and the home part
    programs.dconf.enable = true;
    # NOTE: needed for home emacs configuration
    nixpkgs.config.input-fonts.acceptLicense = true;
  };
 }
--- a/base/networking.nix
+++ b/base/networking.nix
@ -1,6 +1,11 @@
-{ lib, ... }:
+{lib, ...}: let
-{
+  inherit
-  options.my.networking.externalInterface = with lib; mkOption {
+    (lib)
    mkOption
    types
    ;
 in {
  options.my.networking.externalInterface = mkOption {
    type = types.nullOr types.str;
    default = null;
    example = "eth0";
--- a/base/nix.nix
+++ b/base/nix.nix
@ -1,26 +1,27 @@
-{ pkgs, ... }:
+{pkgs, ...}: {
 {
  nixpkgs.config.allowUnfree = true;
  nix = {
-    package = pkgs.nixUnstable;
+    package = pkgs.nixStable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    binaryCaches = [
      "https://alarsyo.cachix.org"
      "https://nix-community.cachix.org"
    ];
    binaryCachePublicKeys = [
      "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk="
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
    ];
    gc = {
      automatic = true;
-      dates = "03:15";
+      dates = "weekly";
-      options = "--delete-older-than 30d";
+      options = "--delete-older-than 60d";
      persistent = true;
    };
    settings = {
      experimental-features = ["nix-command" "flakes"];
      trusted-users = ["@wheel"];
      substituters = [
        "https://alarsyo.cachix.org"
        "https://nix-community.cachix.org"
      ];
      trusted-public-keys = [
        "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
    };
  };
 }
--- a/base/programs.nix
+++ b/base/programs.nix
@ -1,43 +1,49 @@
-{ pkgs, ... }:
+{pkgs, ...}: {
 {
  programs = {
    fish.enable = true;
    gnupg.agent = {
      enable = true;
      pinentryFlavor = "curses";
    };
    less.enable = true;
    mosh.enable = true;
-    ssh = {
+    tmux.enable = true;
-      startAgent = true;
+
-      extraConfig = ''
+    # setcap wrapper for network permissions
-        AddKeysToAgent yes
+    bandwhich.enable = true;
      '';
  };
-    tmux = {
+
-      enable = true;
+  services.openssh = {
-      baseIndex = 1;
+    settings = {
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      StreamLocalBindUnlink = true;
    };
  };
-  environment.systemPackages = with pkgs; [
+  environment.systemPackages = builtins.attrValues {
    inherit
      (pkgs)
      # shell usage
      bat
      fd
      file
      ripgrep
      tree
      wget
-
+      pciutils
      usbutils
      # development
      git
      git-crypt
      git-lfs
      gnumake
      gnupg
    pinentry-curses
      python3
      vim
      # terminal utilities
      htop
-    stow
+      unzip
-  ];
+      zip
      ;
  };
 }
--- a/base/users.nix
+++ b/base/users.nix
@ -1,22 +1,29 @@
 { config, lib, pkgs, ... }:
 let
  secrets = config.my.secrets;
 in
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  secrets = config.my.secrets;
 in {
  users.mutableUsers = false;
  users.users.root = {
-    hashedPassword = secrets.shadow-hashed-password-root;
+    hashedPasswordFile = config.age.secrets."users/root-hashed-password".path;
  };
  users.users.alarsyo = {
-    hashedPassword = secrets.shadow-hashed-password-alarsyo;
+    hashedPasswordFile = config.age.secrets."users/alarsyo-hashed-password".path;
    isNormalUser = true;
    extraGroups = [
      "media"
      "networkmanager"
      "video" # for `light` permissions
      "docker"
      "wheel" # Enable ‘sudo’ for the user.
      "libvirtd"
    ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMbf1C55Hgprm4Y7iNHae2UhZbLa6SNeurDTOyq2tr1G alarsyo@yubikey"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad"
    ];
  };
--- a/boreal.nix
+++ b/boreal.nix
@ -1,17 +1,14 @@
-{ ... }:
+{...}: {
 {
  imports = [
    # Default configuration
    ./base
-    ./base/gui-programs.nix
+
    # Module definitions
    ./modules
    # Service definitions
    ./services
    # Configuration secrets
    ./secrets
    # Host-specific config
    ./hosts/boreal
  ];
--- a/flake.lock
+++ b/flake.lock
@ -1,65 +1,219 @@
 {
  "nodes": {
-    "emacs-overlay": {
+    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1618653777,
+        "lastModified": 1716561646,
-        "narHash": "sha256-jSG1i83pmKwAx6QtkVjyCQT+/LvMEMEVeVDZcOFjRTg=",
+        "narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1700795494,
        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1717032306,
        "narHash": "sha256-s3Sis+M1qTSVIehHrEKBzHBpqprIFJli5V6WojkJnYE=",
        "owner": "nix-community",
-        "repo": "emacs-overlay",
+        "repo": "disko",
-        "rev": "905883cd5de24958bfd354c6e335f38f667e7ede",
+        "rev": "8ea5bcccc03111bdedaeaae9380dfab61e9deb33",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "master",
-        "repo": "emacs-overlay",
+        "repo": "disko",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "ref": "main",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flakey-profile": {
      "locked": {
        "lastModified": 1712898590,
        "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
        "owner": "lf-",
        "repo": "flakey-profile",
        "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
        "type": "github"
      },
      "original": {
        "owner": "lf-",
        "repo": "flakey-profile",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs-unstable"
+          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1618789951,
+        "lastModified": 1703113217,
-        "narHash": "sha256-EoQxcVIiaqjUwwTl1YF3zGnXtzEvOUDL3SBZ8ASELvU=",
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6aa6556bcab6dc0f6398b4daa8404d788fd7a6a2",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "master",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1726989464,
        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-24.05",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "lix": {
      "flake": false,
      "locked": {
        "lastModified": 1729298361,
        "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
        "rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
      }
    },
    "lix-module": {
      "inputs": {
        "flake-utils": "flake-utils_2",
        "flakey-profile": "flakey-profile",
        "lix": "lix",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1729360442,
        "narHash": "sha256-6U0CyPycIBc04hbYy2hBINnVso58n/ZyywY2BD3hu+s=",
        "rev": "9098ac95768f7006d7e070b88bae76939f6034e6",
        "type": "tarball",
        "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/9098ac95768f7006d7e070b88bae76939f6034e6.tar.gz?rev=9098ac95768f7006d7e070b88bae76939f6034e6"
      },
      "original": {
        "type": "tarball",
        "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz"
      }
    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1731797098,
        "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
        "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "master",
        "repo": "nixos-hardware",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1618149891,
+        "lastModified": 1703013332,
-        "narHash": "sha256-Sz3DzI1k49Puq+F5KRBsaN3gRXHDzCTG6AwK29Znw0M=",
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a7ff7a57c96588fd89370568b72751dd15d24e72",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-20.09",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
        "lastModified": 1618072958,
        "narHash": "sha256-QDKj58ECixtb4EJMWV5D5Lb2xdCgab1Opi4zjQWbDOg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a73020b2a150322c9832b50baeb0296ba3b13dd7",
        "type": "github"
      },
      "original": {
@ -69,12 +223,109 @@
        "type": "github"
      }
    },
    "nixpkgs-unstable-small": {
      "locked": {
        "lastModified": 1729493358,
        "narHash": "sha256-Ti+Y9nWt5Fcs3JlarxLPgIOVlbqQo7jobz/qOwOaziM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a5e6a9e979367ee14f65d9c38119c30272f8455f",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1716914467,
        "narHash": "sha256-KkT6YM/yNQqirtYj/frn6RRakliB8RDvGqVGGaNhdcU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "4a3fc4cf736b7d2d288d7a8bf775ac8d4c0920b4",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1731797254,
        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
-        "emacs-overlay": "emacs-overlay",
+        "agenix": "agenix",
-        "home-manager": "home-manager",
+        "disko": "disko",
-        "nixpkgs": "nixpkgs",
+        "flake-utils": "flake-utils",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "home-manager": "home-manager_2",
        "lix-module": "lix-module",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable-small": "nixpkgs-unstable-small"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -5,74 +5,128 @@
      type = "github";
      owner = "NixOS";
      repo = "nixpkgs";
-      ref = "nixos-20.09";
+      ref = "nixos-24.05";
    };
-    nixpkgs-unstable = {
+    nixpkgs-unstable-small = {
      type = "github";
      owner = "NixOS";
      repo = "nixpkgs";
-      ref = "nixos-unstable";
+      ref = "nixos-unstable-small";
    };
-    emacs-overlay = {
+    agenix = {
      type = "github";
-      owner = "nix-community";
+      owner = "ryantm";
-      repo = "emacs-overlay";
+      repo = "agenix";
      ref = "master";
    };
    home-manager = {
      type = "github";
      owner = "nix-community";
      repo = "home-manager";
      ref = "release-24.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    flake-utils = {
      type = "github";
      owner = "numtide";
      repo = "flake-utils";
      ref = "main";
    };
    nixos-hardware = {
      type = "github";
      owner = "NixOS";
      repo = "nixos-hardware";
      ref = "master";
-      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
    disko = {
      type = "github";
      owner = "nix-community";
      repo = "disko";
      ref = "master";
    };
    lix-module = {
      url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, nixpkgs-unstable, emacs-overlay, home-manager }: {
+  outputs = {
-    nixosConfigurations.poseidon = nixpkgs.lib.nixosSystem rec {
+    self,
    nixpkgs,
    home-manager,
    agenix,
    disko,
    lix-module,
    ...
  } @ inputs:
    {
      nixosModules = {
        home = {
          home-manager.backupFileExtension = "hm-backup";
          home-manager.useGlobalPkgs = true;
          home-manager.useUserPackages = true;
          home-manager.users.alarsyo = import ./home;
          home-manager.verbose = true;
        };
      };
      overlays = import ./overlays;
      nixosConfigurations = let
        system = "x86_64-linux";
        shared_overlays =
          [
            (self: super: {
              packages = import ./pkgs {pkgs = super;};
              # packages accessible through pkgs.unstable.package
              unstable = import inputs.nixpkgs-unstable-small {
                inherit system;
                config.allowUnfree = true;
              };
            })
            agenix.overlays.default
          ]
          ++ builtins.attrValues self.overlays;
        sharedModules =
          [
            agenix.nixosModules.default
            home-manager.nixosModules.default
            lix-module.nixosModules.default
            {
              nixpkgs = {
                overlays = shared_overlays;
                config.permittedInsecurePackages = [];
              };
              hardware.enableRedistributableFirmware = true;
            }
          ]
          ++ (nixpkgs.lib.attrValues self.nixosModules);
      in {
        hades = nixpkgs.lib.nixosSystem rec {
          inherit system;
          modules =
            [
-          ./poseidon.nix
+              ./hades.nix
-
+            ]
-          {
+            ++ sharedModules;
            nixpkgs.overlays =
              let
                pkgsUnstable = nixpkgs-unstable.legacyPackages.${system};
              in
                [
                  # packages accessible through pkgs.unstable.package
                  (final: prev: {
                    unstable = pkgsUnstable;
                  })
                  (final: prev: {
                    bitwarden_rs = pkgsUnstable.bitwarden_rs;
                    bitwarden_rs-vault = pkgsUnstable.bitwarden_rs-vault;
                  })
                ];
          }
        ];
        };
-    nixosConfigurations.boreal = nixpkgs-unstable.lib.nixosSystem rec {
+
-      system = "x86_64-linux";
+        boreal = nixpkgs.lib.nixosSystem rec {
          inherit system;
          modules =
            [
              ./boreal.nix
          home-manager.nixosModules.home-manager
          {
            home-manager.useGlobalPkgs = true;
            home-manager.useUserPackages = true;
            home-manager.users.alarsyo = import ./home;
          }
              {
                nixpkgs.overlays = [
              emacs-overlay.overlay
                  # uncomment this to build everything from scratch, fun but takes a
                  # while
                  #
@ -81,7 +135,42 @@
                  # })
                ];
              }
            ]
            ++ sharedModules;
        };
        talos = nixpkgs.lib.nixosSystem {
          inherit system;
          modules =
            [
              inputs.nixos-hardware.nixosModules.framework-13-7040-amd
              disko.nixosModules.default
              ./talos.nix
            ]
            ++ sharedModules;
        };
        thanatos = nixpkgs.lib.nixosSystem {
          inherit system;
          modules =
            [
              disko.nixosModules.default
              ./thanatos.nix
            ]
            ++ sharedModules;
        };
      };
    }
    // inputs.flake-utils.lib.eachDefaultSystem (system: let
      pkgs = nixpkgs.legacyPackages.${system};
    in {
      packages =
        inputs.flake-utils.lib.flattenTree
        (import ./pkgs {inherit pkgs;});
      devShells.default = pkgs.mkShellNoCC {
        buildInputs = [
          pkgs.alejandra
        ];
      };
-  };
+    });
 }
--- a/poseidon.nix
+++ b/poseidon.nix
@ -1,18 +1,16 @@
-{ ... }:
+{...}: {
 {
  imports = [
    # Default configuration
    ./base
    # Module definitions
    ./modules
    # Service definitions
    ./services
    # Configuration secrets
    ./secrets
    # Host-specific config
-    ./hosts/poseidon
+    ./hosts/hades
  ];
  # This value determines the NixOS release from which the default
@ -21,5 +19,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "20.09"; # Did you read the comment?
+  system.stateVersion = "22.05"; # Did you read the comment?
 }
--- a/home/alacritty.nix
+++ b/home/alacritty.nix
@ -0,0 +1,51 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.alacritty;
  alacrittyTheme = config.my.theme.alacrittyTheme;
 in {
  options.my.home.alacritty.enable = (mkEnableOption "Alacritty terminal") // {default = config.my.home.x.enable;};
  config = mkIf cfg.enable {
    programs.alacritty = {
      enable = true;
      settings = {
        env = {
          WINIT_X11_SCALE_FACTOR = "1.0";
        };
        window = {
          padding = {
            x = 8;
            y = 8;
          };
        };
        font = {
          normal = {
            family = "Iosevka Fixed";
            style = "Medium";
          };
          size = 10.0;
        };
        colors = alacrittyTheme;
      };
    };
    home.packages = [pkgs.iosevka-bin];
    # make sure font is discoverable
    fonts.fontconfig.enable = true;
  };
 }
--- a/home/bat.nix
+++ b/home/bat.nix
@ -0,0 +1,28 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.bat;
  batTheme = config.my.theme.batTheme;
 in {
  options.my.home.bat = {
    enable = (mkEnableOption "bat code display tool") // {default = true;};
  };
  config = mkIf cfg.enable {
    programs.bat = {
      enable = true;
      config = {
        theme = batTheme.name;
      };
    };
  };
 }
--- a/home/default.nix
+++ b/home/default.nix
@ -1,6 +1,34 @@
-{ ... }:
+{config, ...}: {
-{
+  imports = [
-  home.stateVersion = "20.09";
+    ./alacritty.nix
    ./bat.nix
    ./direnv.nix
    ./emacs.nix
    ./env.nix
    ./firefox.nix
    ./fish
    ./flameshot.nix
    ./git.nix
    ./gtk.nix
    ./laptop.nix
    ./mail.nix
    ./rbw.nix
    ./rofi.nix
    ./ssh.nix
    ./themes
    ./tmux.nix
    ./tridactyl.nix
    ./x
  ];
  home.username = "alarsyo";
  home.sessionVariables = let
    gpgPackage = config.programs.gpg.package;
  in {
    BROWSER = "firefox";
    # FIXME: only set if gpg-agent not in use, otherwise home manager already does that
    SSH_AUTH_SOCK = "$(${gpgPackage}/bin/gpgconf --list-dirs agent-ssh-socket)";
    XDG_DATA_HOME = "$HOME/.local/share";
  };
 }
--- a/home/direnv.nix
+++ b/home/direnv.nix
@ -0,0 +1,26 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.direnv;
 in {
  options.my.home.direnv = {
    enable = (mkEnableOption "setup direnv usage") // {default = true;};
  };
  config = mkIf cfg.enable {
    programs.direnv = {
      enable = true;
      nix-direnv = {
        enable = true;
      };
    };
  };
 }
--- a/home/emacs.nix
+++ b/home/emacs.nix
@ -0,0 +1,50 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
 in {
  options.my.home.emacs = {
    enable = mkEnableOption "Emacs daemon configuration";
  };
  config = mkIf config.my.home.emacs.enable {
    home.sessionPath = ["${config.xdg.configHome}/emacs/bin"];
    home.sessionVariables = {
      EDITOR = "emacsclient -t";
    };
    home.packages = builtins.attrValues {
      inherit
        (pkgs)
        sqlite # needed by org-roam
        # fonts used by my config
        emacs-all-the-icons-fonts
        iosevka-bin
        ;
    };
    # make sure above fonts are discoverable
    fonts.fontconfig.enable = true;
    services.emacs = {
      enable = true;
      # generate emacsclient desktop file
      client.enable = true;
      socketActivation.enable = true;
    };
    programs.emacs = {
      enable = true;
      package = pkgs.emacs29-pgtk;
      extraPackages = epkgs: [epkgs.vterm epkgs.pdf-tools pkgs.lilypond epkgs.mu4e];
    };
  };
 }
--- a/home/env.nix
+++ b/home/env.nix
@ -0,0 +1,6 @@
 {config, ...}: {
  home.sessionPath = [
    "${config.home.homeDirectory}/.cargo/bin"
    "${config.home.homeDirectory}/.local/bin"
  ];
 }
--- a/home/firefox.nix
+++ b/home/firefox.nix
@ -0,0 +1,29 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.firefox;
 in {
  options.my.home.firefox = {
    enable = (mkEnableOption "firefox config") // {default = config.my.home.x.enable;};
  };
  config = mkIf cfg.enable {
    programs.firefox = {
      enable = true;
      package = pkgs.firefox.override {
        nativeMessagingHosts = [
          pkgs.tridactyl-native
        ];
      };
    };
  };
 }
--- a/home/fish/default.nix
+++ b/home/fish/default.nix
@ -0,0 +1,39 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.fish;
 in {
  options.my.home.fish.enable = (mkEnableOption "Fish shell") // {default = true;};
  config = mkIf cfg.enable {
    home.sessionVariables = {
      # automatically prompt to run program in nix-shell if it's not installed
      NIX_AUTO_RUN = "1";
      NIX_AUTO_RUN_INTERACTIVE = "1";
    };
    programs.fish = {
      enable = true;
      shellAliases = {
        "bt" = "bluetoothctl";
      };
      shellAbbrs = {
        "bton" = "bluetoothctl power on";
        "btoff" = "bluetoothctl power off";
        "btcon" = "bluetoothctl connect";
        "btdis" = "bluetoothctl disconnect";
        "btinfo" = "bluetoothctl info";
      };
    };
    xdg.configFile."fish/functions" = {source = ./. + "/functions";};
  };
 }
--- a/home/fish/functions/dock.fish
+++ b/home/fish/functions/dock.fish
@ -0,0 +1,23 @@
 function dock
    xrandr \
        --output eDP-1 --mode 1920x1080 --pos 0x120 --rotate normal \
        --output HDMI-1 --off \
        --output DP-1 --off \
        --output DP-2 --off \
        --output DP-3 --primary --mode 1920x1200 --pos 1920x0 --rotate normal \
        --output DP-4 --mode 1920x1200 --pos 3840x0 --rotate normal \
        --output DP-4 --off \
        --output DP-5 --off
    i3-msg -q '[workspace="1"]' move workspace to output DP-3 2>/dev/null
    i3-msg -q '[workspace="2"]' move workspace to output DP-3 2>/dev/null
    i3-msg -q '[workspace="3"]' move workspace to output DP-3 2>/dev/null
    i3-msg -q '[workspace="4"]' move workspace to output DP-3 2>/dev/null
    i3-msg -q '[workspace="5"]' move workspace to output DP-3 2>/dev/null
    i3-msg -q '[workspace="7"]' move workspace to output eDP-1 2>/dev/null
    i3-msg -q '[workspace="8"]' move workspace to output DP-4 2>/dev/null
    i3-msg -q '[workspace="9"]' move workspace to output DP-4 2>/dev/null
    i3-msg -q '[workspace="10"]' move workspace to output DP-4 2>/dev/null
 end
--- a/home/fish/functions/dock2.fish
+++ b/home/fish/functions/dock2.fish
@ -0,0 +1,16 @@
 function dock2
    xrandr \
        --output eDP-1 --mode 1920x1080 --pos 2560x0 --rotate normal \
        --output DP-1 --primary --mode 2560x1440 --pos 0x0 --rotate normal \
        --output HDMI-1 --off \
        --output DP-2 --off \
        --output HDMI-2 --off
    i3-msg -q '[workspace="1"]' move workspace to output DP-1 2>/dev/null
    i3-msg -q '[workspace="2"]' move workspace to output DP-1 2>/dev/null
    i3-msg -q '[workspace="3"]' move workspace to output DP-1 2>/dev/null
    i3-msg -q '[workspace="4"]' move workspace to output DP-1 2>/dev/null
    i3-msg -q '[workspace="9"]' move workspace to output DP-1 2>/dev/null
    i3-msg -q '[workspace="10"]' move workspace to output eDP-1 2>/dev/null
 end
--- a/home/fish/functions/magit.fish
+++ b/home/fish/functions/magit.fish
@ -0,0 +1,3 @@
 function magit
    emacsclient --tty --eval '(magit-status)' --suppress-output
 end
--- a/home/fish/functions/nfl.fish
+++ b/home/fish/functions/nfl.fish
@ -0,0 +1,4 @@
 function nfl
    set -l flags "--commit-lock-file"
    nix flake update $flags $argv
 end
--- a/home/fish/functions/undock.fish
+++ b/home/fish/functions/undock.fish
@ -0,0 +1,10 @@
 function undock
    xrandr \
        --output eDP-1 --primary --mode 1920x1080 --pos 0x0 --rotate normal \
        --output HDMI-1 --off \
        --output DP-1 --off \
        --output DP-2 --off \
        --output DP-3 --off \
        --output DP-4 --off \
        --output DP-5 --off
 end
--- a/home/fish/functions/undock2.fish
+++ b/home/fish/functions/undock2.fish
@ -0,0 +1,8 @@
 function undock2
    xrandr \
        --output eDP-1 --primary --mode 1920x1080 --rotate normal \
        --output DP-1 --off \
        --output HDMI-1 --off \
        --output DP-2 --off \
        --output HDMI-2 --off
 end
--- a/home/fish/functions/wake.fish
+++ b/home/fish/functions/wake.fish
@ -0,0 +1,14 @@
 function wake -d "Wake-on-WiFi shortcut" -a host
    if not set -q host[1]
        echo "Usage: wake HOSTNAME"
        return 1
    end
    switch $host
        case boreal
            ssh -t pi@pi.alarsyo.net "bash -ic wakywaky"
        case *
            echo "Unknown host!"
            return 1
    end
 end
--- a/home/flameshot.nix
+++ b/home/flameshot.nix
@ -0,0 +1,21 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.flameshot;
 in {
  options.my.home.flameshot = {
    enable = mkEnableOption "flameshot autolaunch";
  };
  config.services.flameshot = mkIf cfg.enable {
    enable = true;
  };
 }
--- a/home/git.nix
+++ b/home/git.nix
@ -0,0 +1,68 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.git;
 in {
  options.my.home.git.enable = (mkEnableOption "Git configuration") // {default = true;};
  config = mkIf cfg.enable {
    programs.git = {
      enable = true;
      delta = {
        enable = true;
        options = {
          syntax-theme = "Solarized (light)";
        };
      };
      lfs.enable = true;
      userEmail = "antoine@alarsyo.net";
      userName = "Antoine Martin";
      extraConfig = {
        commit = {verbose = true;};
        core = {editor = "vim";};
        init = {defaultBranch = "main";};
        pull = {rebase = true;};
        rerere = {enabled = true;};
        maintenance.prefetch.enabled = false;
      };
      aliases = {
        push-wip = "push -o ci.skip";
        push-merge = "push -o merge_request.create -o merge_request.merge_when_pipeline_succeeds -o merge_request.remove_source_branch";
        push-mr = "push -o merge_request.create -o merge_request.remove_source_branch";
      };
      includes = [
        {
          condition = "gitdir:~/work/lrde/";
          contents = {user = {email = "amartin@lrde.epita.fr";};};
        }
        {
          condition = "gitdir:~/work/prologin/";
          contents = {user = {email = "antoine.martin@prologin.org";};};
        }
        {
          condition = "gitdir:~/work/epita/";
          contents = {user = {email = "antoine4.martin@epita.fr";};};
        }
      ];
      ignores = [
        "/.direnv/"
        "/.envrc"
      ];
    };
  };
 }
--- a/home/gtk.nix
+++ b/home/gtk.nix
@ -0,0 +1,36 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  cfg = config.my.home.gtk;
 in {
  options.my.home.gtk = with lib; {
    enable = (mkEnableOption "GTK configuration") // {default = config.my.home.x.enable;};
  };
  config.gtk = lib.mkIf cfg.enable {
    enable = true;
    font = {
      package = pkgs.dejavu_fonts;
      name = "DejaVu Sans";
    };
    gtk2 = {
      # No garbage polluting my $HOME
      configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc";
    };
    iconTheme = {
      package = pkgs.gnome.gnome-themes-extra;
      name = "Adwaita";
    };
    theme = {
      package = pkgs.gnome.gnome-themes-extra;
      name = "Adwaita";
    };
  };
 }
--- a/home/laptop.nix
+++ b/home/laptop.nix
@ -0,0 +1,14 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    ;
 in {
  options.my.home.laptop = {
    enable = mkEnableOption "Laptop settings";
  };
 }
--- a/home/mail.nix
+++ b/home/mail.nix
@ -0,0 +1,189 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mapAttrs
    mkEnableOption
    mkIf
    ;
  inherit
    (builtins)
    typeOf
    ;
  myName = "Antoine Martin";
  email_perso = "antoine@alarsyo.net";
  email_lrde = "amartin@lrde.epita.fr";
  email_prologin = "antoine.martin@prologin.org";
  cfg = config.my.home.mail;
  make_mbsync_channel = patterns:
    (
      if (typeOf patterns) == "list"
      then {
        inherit patterns;
      }
      else {
        farPattern = patterns.far;
        nearPattern = patterns.near;
      }
    )
    // {
      extraConfig = {
        Create = "Both";
        Expunge = "Both";
        Remove = "None";
        SyncState = "*";
      };
    };
  make_mbsync_channels = mapAttrs (_: value: make_mbsync_channel value);
  gmail_far_near_patterns = {
    sent = {
      far = "[Gmail]/Sent Mail";
      near = "Sent";
    };
    drafts = {
      far = "[Gmail]/Drafts";
      near = "Drafts";
    };
    junk = {
      far = "[Gmail]/Spam";
      near = "Junk";
    };
    trash = {
      far = "[Gmail]/Trash";
      near = "Trash";
    };
  };
  gmail_mbsync_channels = make_mbsync_channels gmail_far_near_patterns;
 in {
  options.my.home.mail = {
    # I *could* read email in a terminal emacs client on a server, but in
    # practice I don't think it'll happen very often, so let's enable this only
    # when I'm on a machine with a Xorg server.
    enable = (mkEnableOption "email configuration") // {default = config.my.home.x.enable;};
  };
  config = mkIf cfg.enable {
    accounts.email = {
      maildirBasePath = "${config.home.homeDirectory}/.mail";
      accounts = {
        alarsyo = {
          address = email_perso;
          userName = email_perso;
          realName = myName;
          aliases = [
            "alarsyo@alarsyo.net"
            "antoine@amartin.email"
          ];
          flavor = "plain"; # default setting
          passwordCommand = "${pkgs.rbw}/bin/rbw get webmail.migadu.com ${email_perso}";
          primary = true;
          mbsync = {
            enable = true;
            create = "both";
            expunge = "both";
            groups = {
              alarsyo-main.channels = make_mbsync_channels {
                main = ["INBOX" "Sent" "Drafts" "Junk" "Trash"];
              };
              alarsyo-full.channels = make_mbsync_channels {
                full = ["*" "!INBOX" "!Sent" "!Drafts" "!Junk" "!Trash"];
              };
            };
          };
          msmtp.enable = true;
          mu.enable = true;
          imap = {
            host = "imap.migadu.com";
            port = 993;
            tls.enable = true;
          };
          smtp = {
            host = "smtp.migadu.com";
            port = 465;
            tls.enable = true;
          };
        };
        lrde = {
          address = email_lrde;
          userName = "amartin";
          realName = myName;
          flavor = "plain"; # default setting
          passwordCommand = "${pkgs.rbw}/bin/rbw get lrde.epita.fr amartin";
          mbsync = {
            enable = true;
            create = "both";
            expunge = "both";
            patterns = ["*" "!Archives*"];
            extraConfig.account = {
              # otherwise mbsync tries GSSAPI, but I don't have Kerberos setup
              # on this machine
              AuthMechs = "LOGIN";
            };
          };
          msmtp.enable = true;
          mu.enable = true;
          imap = {
            host = "imap.lrde.epita.fr";
            port = 993;
            tls.enable = true;
          };
          smtp = {
            host = "smtp.lrde.epita.fr";
            port = 465;
            tls.enable = true;
          };
        };
        prologin = {
          address = email_prologin;
          userName = email_prologin;
          realName = myName;
          aliases = [
            "alarsyo@prologin.org"
          ];
          flavor = "plain"; # default setting
          passwordCommand = "${pkgs.rbw}/bin/rbw get google.com ${email_prologin}-mailpass";
          primary = false;
          mbsync = {
            enable = true;
            create = "both";
            expunge = "both";
            groups = {
              prologin-main.channels =
                (make_mbsync_channels {
                  main = ["INBOX" "membres@"];
                })
                // gmail_mbsync_channels;
              prologin-info.channels = make_mbsync_channels {
                info = ["info@" "info@gcc"];
              };
            };
          };
          msmtp.enable = true;
          mu.enable = true;
          imap = {
            host = "imap.gmail.com";
            port = 993;
            tls.enable = true;
          };
          smtp = {
            host = "smtp.gmail.com";
            port = 465;
            tls.enable = true;
          };
        };
      };
    };
    programs.mbsync.enable = true;
    programs.msmtp.enable = true;
    programs.mu.enable = true;
  };
 }
--- a/home/rbw.nix
+++ b/home/rbw.nix
@ -0,0 +1,56 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.mail;
 in {
  options.my.home.rbw = {
    enable = mkEnableOption "rbw configuration";
  };
  config = mkIf cfg.enable {
    programs.rbw = {
      enable = true;
      settings = {
        email = "antoine@alarsyo.net";
        base_url = "https://pass.alarsyo.net";
        lock_timeout = 60 * 60 * 12;
        pinentry = pkgs.pinentry-qt;
      };
    };
    # `rbw-agent` should be launched on first call to `rbw`, so this shouldn't
    # be necessary.
    #
    # However, if for instance `rbw` if first called by the emacs-daemon (when
    # accessing an IMAP account password), then restarting the user service
    # associated to the emacs daemon also kills the rbw-agent it spawned,
    # resetting the lock status and prompting for a passphrase again.
    #
    # This user service makes sure the rbw-agent is started when the user
    # session launches.
    systemd.user.services.rbw = {
      Unit = {
        Description = "rbw agent autostart";
        After = "graphical-session.target";
        PartOf = "graphical-session.target";
      };
      Install.WantedBy = ["graphical-session.target"];
      Service = {
        ExecStart = "${pkgs.rbw}/bin/rbw-agent";
        Restart = "on-abort";
        Type = "forking";
        PIDFile = "%t/rbw/pidfile";
      };
    };
  };
 }
--- a/home/rofi.nix
+++ b/home/rofi.nix
@ -0,0 +1,26 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.rofi;
 in {
  options.my.home.rofi = {
    enable = (mkEnableOption "rofi configuration") // {default = config.my.home.x.enable;};
  };
  config = mkIf cfg.enable {
    programs.rofi = {
      enable = true;
      terminal = "${pkgs.alacritty}/bin/alacritty";
    };
  };
 }
--- a/home/ssh.nix
+++ b/home/ssh.nix
@ -0,0 +1,62 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.ssh;
 in {
  options.my.home.ssh = {
    enable = (mkEnableOption "ssh configuration") // {default = true;};
  };
  config = mkIf cfg.enable {
    programs.ssh = {
      enable = true;
      matchBlocks = let
        addGPGAgentForwarding = hostConf:
          {
            remoteForwards = [
              {
                # shhhh this is a path but it works
                bind.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
                host.address = "/run/user/1000/gnupg/S.gpg-agent.ssh";
              }
            ];
          }
          // hostConf;
      in {
        boreal = addGPGAgentForwarding {hostname = "boreal.alarsyo.net";};
        hades = addGPGAgentForwarding {hostname = "hades.alarsyo.net";};
        thanatos = addGPGAgentForwarding {hostname = "thanatos.alarsyo.net";};
        pi = addGPGAgentForwarding {
          hostname = "pi.alarsyo.net";
          user = "pi";
        };
        "thanatos.lrde.epita.fr" =
          lib.hm.dag.entryBefore ["*.lrde.epita.fr"]
          (addGPGAgentForwarding {
            user = "alarsyo";
          });
        "*.lrde.epita.fr" = {
          user = "amartin";
        };
        lrde-proxyjump = {
          host = "*.lrde.epita.fr !ssh.lrde.epita.fr";
          proxyJump = "ssh.lrde.epita.fr";
        };
      };
      includes = ["prologin_config"];
    };
  };
 }
--- a/home/themes/alacritty.nix
+++ b/home/themes/alacritty.nix
@ -0,0 +1,93 @@
 {lib}: let
  inherit
    (lib)
    mkOption
    types
    ;
  mkColorOption = import ./color.nix {inherit lib;};
  primaryColorModule = types.submodule {
    options = {
      background = mkColorOption {};
      foreground = mkColorOption {};
    };
  };
  cursorColorModule = types.submodule {
    options = {
      text = mkColorOption {};
      cursor = mkColorOption {};
    };
  };
  rainbowColorModule = types.submodule {
    options = {
      black = mkColorOption {};
      red = mkColorOption {};
      green = mkColorOption {};
      yellow = mkColorOption {};
      blue = mkColorOption {};
      magenta = mkColorOption {};
      cyan = mkColorOption {};
      white = mkColorOption {};
    };
  };
 in
  types.submodule {
    options = {
      primary = mkOption {
        type = primaryColorModule;
        default = {
          foreground = "#c5c8c6";
          background = "#1d1f21";
        };
      };
      cursor = mkOption {
        type = cursorColorModule;
        default = {
          text = "#1d1f21";
          cursor = "#c5c8c6";
        };
      };
      normal = mkOption {
        type = rainbowColorModule;
        default = {
          black = "#1d1f21";
          red = "#cc6666";
          green = "#b5bd68";
          yellow = "#f0c674";
          blue = "#81a2be";
          magenta = "#b294bb";
          cyan = "#8abeb7";
          white = "#c5c8c6";
        };
      };
      bright = mkOption {
        type = rainbowColorModule;
        default = {
          black = "#666666";
          red = "#d54e53";
          green = "#b9ca4a";
          yellow = "#e7c547";
          blue = "#7aa6da";
          magenta = "#c397d8";
          cyan = "#70c0b1";
          white = "#eaeaea";
        };
      };
      dim = mkOption {
        type = rainbowColorModule;
        default = {
          black = "#131415";
          red = "#864343";
          green = "#777c44";
          yellow = "#9e824c";
          blue = "#556a7d";
          magenta = "#75617b";
          cyan = "#5b7d78";
          white = "#828482";
        };
      };
    };
  }
--- a/home/themes/bat.nix
+++ b/home/themes/bat.nix
@ -0,0 +1,15 @@
 {lib}: let
  inherit
    (lib)
    mkOption
    types
    ;
 in
  types.submodule {
    options = {
      name = mkOption {
        type = types.str;
        default = "";
      };
    };
  }
--- a/home/themes/color.nix
+++ b/home/themes/color.nix
@ -0,0 +1,18 @@
 {lib}: let
  inherit
    (lib)
    mkOption
    types
    ;
  mkColorOption = {
    default ? "#000000",
    description ? "",
  }:
    mkOption {
      inherit description default;
      example = "#abcdef";
      type = types.strMatching "#[0-9a-f]{6}";
    };
 in
  mkColorOption
--- a/home/themes/default.nix
+++ b/home/themes/default.nix
@ -0,0 +1,45 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkOption
    types
    ;
  themeType = types.submodule {
    options = {
      alacrittyTheme = mkOption {
        type = import ./alacritty.nix {inherit lib;};
        default = {};
      };
      batTheme = mkOption {
        type = import ./bat.nix {inherit lib;};
        default = {};
      };
      i3Theme = mkOption {
        type = import ./i3.nix {inherit lib;};
        default = {};
      };
      i3BarTheme = mkOption {
        type = import ./i3bar.nix {inherit lib;};
        default = {};
      };
    };
  };
 in {
  options.my.theme = mkOption {
    type = themeType;
    default = {};
  };
  options.my.themes = mkOption {
    type = types.attrsOf themeType;
  };
  config.my.themes = {
    solarizedLight = import ./solarizedLight;
  };
 }
--- a/home/themes/i3.nix
+++ b/home/themes/i3.nix
@ -0,0 +1,188 @@
 {lib}: let
  inherit
    (lib)
    mkOption
    types
    ;
  mkColorOption = import ./color.nix {inherit lib;};
  barColorSetModule = types.submodule {
    options = {
      border = mkColorOption {};
      background = mkColorOption {};
      text = mkColorOption {};
    };
  };
  colorSetModule = types.submodule {
    options = {
      border = mkColorOption {};
      childBorder = mkColorOption {};
      background = mkColorOption {};
      text = mkColorOption {};
      indicator = mkColorOption {};
    };
  };
 in
  types.submodule {
    options = {
      bar = mkOption {
        type = types.submodule {
          options = {
            background = mkColorOption {
              default = "#000000";
              description = "Background color of the bar.";
            };
            statusline = mkColorOption {
              default = "#ffffff";
              description = "Text color to be used for the statusline.";
            };
            separator = mkColorOption {
              default = "#666666";
              description = "Text color to be used for the separator.";
            };
            focusedWorkspace = mkOption {
              type = barColorSetModule;
              default = {
                border = "#4c7899";
                background = "#285577";
                text = "#ffffff";
              };
              description = ''
                Border, background and text color for a workspace button when the workspace has focus.
              '';
            };
            activeWorkspace = mkOption {
              type = barColorSetModule;
              default = {
                border = "#333333";
                background = "#5f676a";
                text = "#ffffff";
              };
              description = ''
                Border, background and text color for a workspace button when the workspace is active.
              '';
            };
            inactiveWorkspace = mkOption {
              type = barColorSetModule;
              default = {
                border = "#333333";
                background = "#222222";
                text = "#888888";
              };
              description = ''
                Border, background and text color for a workspace button when the workspace does not
                have focus and is not active.
              '';
            };
            urgentWorkspace = mkOption {
              type = barColorSetModule;
              default = {
                border = "#2f343a";
                background = "#900000";
                text = "#ffffff";
              };
              description = ''
                Border, background and text color for a workspace button when the workspace contains
                a window with the urgency hint set.
              '';
            };
            bindingMode = mkOption {
              type = barColorSetModule;
              default = {
                border = "#2f343a";
                background = "#900000";
                text = "#ffffff";
              };
              description = "Border, background and text color for the binding mode indicator";
            };
          };
        };
        default = {};
      };
      background = mkOption {
        type = types.str;
        default = "#ffffff";
        description = ''
          Background color of the window. Only applications which do not cover
          the whole area expose the color.
        '';
      };
      focused = mkOption {
        type = colorSetModule;
        default = {
          border = "#4c7899";
          background = "#285577";
          text = "#ffffff";
          indicator = "#2e9ef4";
          childBorder = "#285577";
        };
        description = "A window which currently has the focus.";
      };
      focusedInactive = mkOption {
        type = colorSetModule;
        default = {
          border = "#333333";
          background = "#5f676a";
          text = "#ffffff";
          indicator = "#484e50";
          childBorder = "#5f676a";
        };
        description = ''
          A window which is the focused one of its container,
          but it does not have the focus at the moment.
        '';
      };
      unfocused = mkOption {
        type = colorSetModule;
        default = {
          border = "#333333";
          background = "#222222";
          text = "#888888";
          indicator = "#292d2e";
          childBorder = "#222222";
        };
        description = "A window which is not focused.";
      };
      urgent = mkOption {
        type = colorSetModule;
        default = {
          border = "#2f343a";
          background = "#900000";
          text = "#ffffff";
          indicator = "#900000";
          childBorder = "#900000";
        };
        description = "A window which has its urgency hint activated.";
      };
      placeholder = mkOption {
        type = colorSetModule;
        default = {
          border = "#000000";
          background = "#0c0c0c";
          text = "#ffffff";
          indicator = "#000000";
          childBorder = "#0c0c0c";
        };
        description = ''
          Background and text color are used to draw placeholder window
          contents (when restoring layouts). Border and indicator are ignored.
        '';
      };
    };
  }
--- a/home/themes/i3bar.nix
+++ b/home/themes/i3bar.nix
@ -0,0 +1,28 @@
 {lib}: let
  inherit
    (lib)
    mkOption
    types
    ;
  mkColorOption = import ./color.nix {inherit lib;};
 in
  types.submodule {
    options = {
      theme = mkOption {
        type = types.submodule {
          options = {
            name = mkOption {
              type = types.str;
              default = "plain";
            };
            overrides = mkOption {
              type = types.attrsOf types.str;
              default = {};
            };
          };
        };
        default = {};
      };
    };
  }
--- a/home/themes/solarizedLight/alacritty.nix
+++ b/home/themes/solarizedLight/alacritty.nix
@ -0,0 +1,55 @@
 let
  inherit
    (import ./colors.nix)
    base0
    base00
    base01
    base02
    base03
    base1
    base2
    base3
    blue
    cyan
    green
    magenta
    orange
    red
    violet
    yellow
    ;
 in {
  primary = {
    background = base3;
    foreground = base00;
  };
  cursor = {
    text = base3;
    cursor = base00;
  };
  normal = {
    black = base02;
    red = red;
    green = green;
    yellow = yellow;
    blue = blue;
    magenta = magenta;
    cyan = cyan;
    white = base2;
  };
  bright = {
    black = base03;
    red = orange;
    green = base01;
    yellow = base00;
    blue = base0;
    magenta = violet;
    cyan = base1;
    white = base3;
  };
  dim = {};
 }
--- a/home/themes/solarizedLight/bat.nix
+++ b/home/themes/solarizedLight/bat.nix
@ -0,0 +1,3 @@
 {
  name = "Solarized (light)";
 }
--- a/home/themes/solarizedLight/colors.nix
+++ b/home/themes/solarizedLight/colors.nix
@ -0,0 +1,18 @@
 {
  base03 = "#002b36"; # brblack
  base02 = "#073642"; # black
  base01 = "#586e75"; # brgreen
  base00 = "#657b83"; # bryellow
  base0 = "#839496"; # brblue
  base1 = "#93a1a1"; # brcyan
  base2 = "#eee8d5"; # white
  base3 = "#fdf6e3"; # brwhite
  yellow = "#b58900"; # yellow
  orange = "#cb4b16"; # brred
  red = "#dc322f"; # red
  magenta = "#d33682"; # magenta
  violet = "#6c71c4"; # brmagenta
  blue = "#268bd2"; # blue
  cyan = "#2aa198"; # cyan
  green = "#859900"; # green
 }
--- a/home/themes/solarizedLight/default.nix
+++ b/home/themes/solarizedLight/default.nix
@ -0,0 +1,6 @@
 {
  alacrittyTheme = import ./alacritty.nix;
  batTheme = import ./bat.nix;
  i3Theme = import ./i3.nix;
  i3BarTheme = import ./i3bar.nix;
 }
--- a/home/themes/solarizedLight/i3.nix
+++ b/home/themes/solarizedLight/i3.nix
@ -0,0 +1,72 @@
 let
  inherit
    (import ./colors.nix)
    base00
    base2
    base3
    blue
    magenta
    orange
    red
    yellow
    ;
 in {
  bar = {
    background = base3;
    statusline = yellow;
    separator = red;
    focusedWorkspace = {
      border = blue;
      background = blue;
      text = base3; # base2 ?
    };
    inactiveWorkspace = {
      border = base2;
      background = base2;
      text = base00;
    };
    activeWorkspace = {
      border = blue;
      background = base2;
      text = yellow;
    };
    urgentWorkspace = {
      border = red;
      background = red;
      text = base3;
    };
  };
  focused = {
    border = blue;
    background = blue;
    text = base3;
    indicator = magenta;
    childBorder = blue;
  };
  focusedInactive = {
    border = base2;
    background = base2;
    text = base00;
    indicator = magenta;
    childBorder = base2;
  };
  unfocused = {
    border = base2;
    background = base2;
    text = base00;
    indicator = magenta;
    childBorder = base2;
  };
  urgent = {
    border = orange;
    background = orange;
    text = base3;
    indicator = magenta;
    childBorder = orange;
  };
 }
--- a/home/themes/solarizedLight/i3bar.nix
+++ b/home/themes/solarizedLight/i3bar.nix
@ -0,0 +1,28 @@
 let
  inherit
    (import ./colors.nix)
    base00
    base2
    base3
    blue
    green
    red
    yellow
    ;
 in {
  theme = {
    name = "solarized-light";
    overrides = {
      idle_bg = base2;
      idle_fg = base00;
      info_bg = blue;
      info_fg = base3;
      good_bg = green;
      good_fg = base3;
      warning_bg = yellow;
      warning_fg = base3;
      critical_bg = red;
      critical_fg = base3;
    };
  };
 }
--- a/home/tmux.nix
+++ b/home/tmux.nix
@ -0,0 +1,44 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.tmux;
 in {
  options.my.home.tmux = {
    enable = (mkEnableOption "tmux dotfiles") // {default = true;};
  };
  config = mkIf cfg.enable {
    programs.tmux = {
      enable = true;
      baseIndex = 1;
      terminal = "screen-256color";
      clock24 = true;
      plugins = let
        inherit (pkgs) tmuxPlugins;
      in [
        {
          plugin = tmuxPlugins.cpu;
          extraConfig = ''
            set -g status-right 'CPU: #{cpu_percentage} | %a %d-%h %H:%M '
          '';
        }
        {
          plugin = tmuxPlugins.tmux-colors-solarized;
          extraConfig = ''
            set -g @colors-solarized 'light'
          '';
        }
      ];
    };
  };
 }
--- a/home/tridactyl.nix
+++ b/home/tridactyl.nix
@ -0,0 +1,21 @@
 {
  config,
  lib,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.tridactyl;
 in {
  options.my.home.tridactyl = {
    enable = (mkEnableOption "tridactyl code display tool") // {default = config.my.home.firefox.enable;};
  };
  config = mkIf cfg.enable {
    xdg.configFile."tridactyl/tridactylrc".source = ./tridactylrc;
  };
 }
--- a/home/tridactylrc
+++ b/home/tridactylrc
@ -0,0 +1,43 @@
 " -*- tridactylrc -*-
 " This wipes all existing settings. This means that if a setting in this file is
 " removed, then it will return to default. In other words, this file serves as
 " as an enforced single point of truth for Tridactyl's configuration.
 sanitize tridactyllocal tridactylsync
 " Ctrl-F should use the browser's native 'find' functionality.
 unbind <C-f>
 " Tridactyl has an incomplete find mode
 bind / fillcmdline find
 bind ? fillcmdline find -?
 bind n findnext 1
 bind N findnext -1
 bind ,<Space> nohlsearch
 " case insensitive if lowercase, case sensitive if using some uppercase letters
 set findcase smart
 set modeindicatormodes {"ignore": "false"}
 " New reddit is bad
 " autocmd DocStart ^http(s?)://www.reddit.com js tri.excmds.urlmodify("-t", "www", "old")
 " Orange site / Reddit / Lobste.rs specific hints to toggle comments
 bind ;c hint -Jc [class*="expand"],[class="togg"],[class="comment_folder"]
 " Use emacs as editor
 set editorcmd emacsclient -c
 " copy all the things
 set yankto both
 blacklistadd calendar.google.com
 blacklistadd jellyfin.alarsyo.net
 blacklistadd localhost
 blacklistadd netflix.com
 blacklistadd primevideo.com
 blacklistadd youtube.com
 " prevent teams from crashing
 seturl teams.microsoft.com superignore true
--- a/home/x/cursor.nix
+++ b/home/x/cursor.nix
@ -0,0 +1,27 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.home.x.cursor;
 in {
  options.my.home.x.cursor.enable = (mkEnableOption "X cursor") // {default = config.my.home.x.enable;};
  config = mkIf cfg.enable {
    home.pointerCursor = {
      package = pkgs.capitaine-cursors;
      name = "capitaine-cursors";
      # available sizes for capitaine-cursors are:
      # 24, 30, 36, 48, 60, 72
      size = 30;
      x11.enable = true;
    };
  };
 }
--- a/home/x/default.nix
+++ b/home/x/default.nix
@ -0,0 +1,21 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    ;
 in {
  imports = [
    ./cursor.nix
    ./i3.nix
    ./i3bar.nix
  ];
  options.my.home.x = {
    enable = mkEnableOption "X server configuration";
  };
 }
--- a/home/x/i3.nix
+++ b/home/x/i3.nix
@ -0,0 +1,217 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    mkOptionDefault
    ;
  isEnabled = config.my.home.x.i3.enable;
  myTerminal =
    # FIXME: fix when terminal is setup in home
    # if config.my.home.terminal.program != null
    if true
    then "alacritty"
    else "i3-sensible-terminal";
  alt = "Mod1"; # `Alt` key
  modifier = "Mod4"; # `Super` key
  logoutMode = "[L]ogout, [S]uspend, [P]oweroff, [R]eboot";
  i3Theme = config.my.theme.i3Theme;
 in {
  options.my.home.x.i3 = {
    enable = mkEnableOption "i3wm configuration";
  };
  config = mkIf isEnabled {
    my.home = {
      flameshot.enable = true;
    };
    home.packages = [pkgs.betterlockscreen pkgs.playerctl];
    # used to control music
    services.playerctld.enable = true;
    xsession.windowManager.i3 = {
      enable = true;
      config = {
        inherit modifier;
        bars = let
          barConfigPath =
            config.xdg.configFile."i3status-rust/config-top.toml".target;
        in [
          {
            statusCommand = "i3status-rs ~/${barConfigPath}";
            position = "top";
            fonts = {
              names = ["DejaVuSansMono" "FontAwesome6Free"];
              size = 9.0;
            };
            colors = i3Theme.bar;
            trayOutput = "primary";
            # disable mouse scroll wheel in bar
            extraConfig = ''
              bindsym button4 nop
              bindsym button5 nop
            '';
          }
        ];
        colors = {
          inherit
            (i3Theme)
            focused
            focusedInactive
            unfocused
            urgent
            ;
        };
        focus = {
          followMouse = true;
          mouseWarping = true;
        };
        workspaceAutoBackAndForth = true;
        fonts = {
          names = ["DejaVu Sans Mono"];
          size = 8.0;
        };
        keybindings = mkOptionDefault {
          "${modifier}+Shift+e" = ''mode "${logoutMode}"'';
          "${modifier}+b" = "exec --no-startup-id bluetoothctl power on";
          "${modifier}+i" = "exec emacsclient --create-frame";
          "${modifier}+o" = "exec emacsclient --create-frame --eval '(load \"${config.xdg.configHome}/doom/launch-agenda.el\")'";
          # Volume handling
          "XF86AudioRaiseVolume" = "exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ +5%";
          "XF86AudioLowerVolume" = "exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ -5%";
          "XF86AudioMute" = "exec --no-startup-id pactl set-sink-mute @DEFAULT_SINK@ toggle";
          "XF86AudioMicMute" = "exec --no-startup-id pactl set-source-mute @DEFAULT_SOURCE@ toggle";
          # I need play-pause everywhere because somehow, keycode 172 seems to
          # be interpreted as pause everytime when sent by my keyboard. Ugh,
          # computers.
          "XF86AudioPlay" = "exec --no-startup-id playerctl play-pause";
          "XF86AudioPause" = "exec --no-startup-id playerctl play-pause";
          "XF86AudioPrev" = "exec --no-startup-id playerctl previous";
          "XF86AudioNext" = "exec --no-startup-id playerctl next";
          "XF86MonBrightnessDown" = "exec --no-startup-id light -U 5";
          "XF86MonBrightnessUp" = "exec --no-startup-id light -A 5";
          "${modifier}+XF86MonBrightnessDown" = "exec --no-startup-id light -U 0.1";
          "${modifier}+XF86MonBrightnessUp" = "exec --no-startup-id light -A 0.1";
          "${modifier}+l" = "exec --no-startup-id betterlockscreen --lock";
          "${modifier}+d" = "exec ${pkgs.rofi}/bin/rofi -show run";
          "${modifier}+Shift+a" = ''exec --no-startup-id autorandr --change'';
        };
        modes = let
          makeModeBindings = attrs:
            attrs
            // {
              "Escape" = "mode default";
              "Return" = "mode default";
            };
        in
          mkOptionDefault {
            "${logoutMode}" = makeModeBindings {
              "l" = "exec --no-startup-id i3-msg exit, mode default";
              "s" = "exec --no-startup-id betterlockscreen --suspend, mode default";
              "p" = "exec --no-startup-id systemctl poweroff, mode default";
              "r" = "exec --no-startup-id systemctl reboot, mode default";
            };
          };
        terminal = myTerminal;
        assigns = {
          "10" = [
            {class = "Slack";}
            {class = "discord";}
          ];
        };
        # TODO: make it configurable per machine
        workspaceOutputAssign = [
          {
            workspace = "1";
            output = ["DP-4" "eDP-1"];
          }
          {
            workspace = "2";
            output = ["DP-4" "eDP-1"];
          }
          {
            workspace = "3";
            output = ["DP-5" "eDP-1"];
          }
          {
            workspace = "4";
            output = ["DP-5" "eDP-1"];
          }
          {
            workspace = "5";
            output = ["DP-5" "eDP-1"];
          }
          {
            workspace = "6";
            output = ["eDP-1"];
          }
          {
            workspace = "7";
            output = ["eDP-1"];
          }
          {
            workspace = "8";
            output = ["DP-4" "eDP-1"];
          }
          {
            workspace = "9";
            output = ["DP-4" "eDP-1"];
          }
          {
            workspace = "10";
            output = ["DP-4" "eDP-1"];
          }
        ];
        window.commands = [
          {
            command = "border pixel 2";
            criteria = {class = "Alacritty";};
          }
          # NOTE: should be done with an assign command, but Spotify doesn't set
          # its class until after initialization, so has to be done this way.
          #
          # See https://i3wm.org/docs/userguide.html#assign_workspace
          {
            criteria = {class = "Spotify";};
            command = "move --no-auto-back-and-forth to workspace 8";
          }
        ];
      };
    };
  };
 }
--- a/home/x/i3bar.nix
+++ b/home/x/i3bar.nix
@ -0,0 +1,158 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    lists
    mkIf
    mkOption
    optional
    types
    ;
  isEnabled = config.my.home.x.enable;
  i3BarTheme = config.my.theme.i3BarTheme;
  cfg = config.my.home.x.i3bar;
 in {
  options.my.home.x.i3bar = {
    temperature.chip = mkOption {
      type = types.str;
      example = "coretemp-isa-*";
      default = "";
    };
    temperature.inputs = mkOption {
      type = types.listOf types.str;
      example = ["Core 0" "Core 1" "Core 2" "Core 3"];
      default = "";
    };
    networking.throughput_interfaces = mkOption {
      type = types.listOf types.str;
      example = ["wlp1s0"];
      default = [];
    };
  };
  config = mkIf isEnabled {
    home.packages = builtins.attrValues {
      inherit
        (pkgs)
        # FIXME: is this useful?
        font-awesome
        ;
    };
    programs.i3status-rust = {
      enable = true;
      bars = {
        top = {
          icons = "awesome5";
          settings.theme = {
            theme = i3BarTheme.theme.name;
            overrides = i3BarTheme.theme.overrides;
          };
          blocks =
            [
              {
                block = "pomodoro";
                notify_cmd = "i3nag";
                blocking_cmd = true;
              }
              {
                block = "disk_space";
                path = "/";
                info_type = "available";
                interval = 60;
                warning = 20.0;
                alert = 10.0;
                alert_unit = "GB";
              }
              {
                block = "memory";
                format = " $icon $mem_used.eng(prefix:G)/$mem_total.eng(prefix:G) ";
                warning_mem = 70.0;
                critical_mem = 90.0;
              }
              {
                block = "cpu";
                interval = 1;
                format = " $icon $barchart ";
              }
              {
                block = "temperature";
                interval = 10;
                format = " $icon $max ";
                chip = cfg.temperature.chip;
                inputs = cfg.temperature.inputs;
              }
              {
                block = "custom";
                # TODO: get service name programmatically somehow
                command = let
                  systemctl = lib.getExe' pkgs.systemd "systemctl";
                in
                  pkgs.writeShellScript "check-restic.sh" ''
                    BACKUP_STATUS=Good
                    if ${systemctl} is-failed --quiet restic-backups-backblaze.service; then
                      BACKUP_STATUS=Critical
                    fi
                    echo "{\"state\": \"$BACKUP_STATUS\", \"text\": \"Backup\"}"
                  '';
                json = true;
                interval = 60;
              }
            ]
            ++ (
              lists.optionals ((builtins.length cfg.networking.throughput_interfaces) != 0)
              (map
                (interface: {
                  block = "net";
                  device = interface;
                  interval = 1;
                  missing_format = "";
                })
                cfg.networking.throughput_interfaces)
            )
            ++ [
              {
                block = "net";
                format = " $icon {$ip|} {SSID: $ssid|}";
                theme_overrides = {
                  idle_bg = {link = "good_bg";};
                  idle_fg = {link = "good_fg";};
                };
              }
              {
                block = "sound";
                driver = "pulseaudio";
              }
            ]
            ++ (
              optional config.my.home.laptop.enable
              {
                block = "battery";
                format = " $icon $percentage ($power) ";
              }
            )
            ++ [
              # {
              #   block = "notify";
              # }
              {
                block = "time";
                interval = 5;
                format = " $icon $timestamp.datetime(f:'%a %d/%m %T', l:fr_FR) ";
                timezone = "Europe/Paris";
              }
            ];
        };
      };
    };
  };
 }
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@ -1,25 +1,40 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
 let
  secrets = config.my.secrets;
 in
 {
-  imports =
+  config,
-    [ # Include the results of the hardware scan.
+  lib,
  pkgs,
  ...
 }: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./home.nix
    ./secrets.nix
  ];
  boot.kernelPackages = pkgs.linuxPackages;
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.tmp.useTmpfs = true;
  boot.supportedFilesystems = {
    btrfs = true;
    ntfs = true;
  };
  services.xserver.windowManager.i3.enable = true;
  services.btrfs = {
    autoScrub = {
      enable = true;
-      fileSystems = [ "/" ];
+      fileSystems = ["/"];
    };
  };
@ -29,62 +44,63 @@ in
  # Set your time zone.
  time.timeZone = "Europe/Paris";
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.interfaces.enp7s0.useDHCP = true;
  networking.interfaces.wlp3s0.useDHCP = true;
  # List services that you want to enable:
  my.services = {
-    wireguard = {
+    restic-backup = {
      enable = true;
-      iface = "wg";
+      repo = "b2:boreal-backup";
-      port = 51820;
+      passwordFile = config.age.secrets."restic-backup/boreal-password".path;
      environmentFile = config.age.secrets."restic-backup/boreal-credentials".path;
-      net = {
+      paths = [
-        v4 = {
+        "/home/alarsyo"
-          subnet = "10.0.0";
+      ];
-          mask = 24;
+      exclude = [
-        };
+        "/home/alarsyo/Downloads"
-        v6 = {
+
-          subnet = "fd42:42:42";
+        # Rust builds using half my storage capacity
-          mask = 64;
+        "/home/alarsyo/**/target"
-        };
+        "/home/alarsyo/work/rust/build"
        # don't backup nixpkgs
        "/home/alarsyo/work/nixpkgs"
        # C build crap
        "*.a"
        "*.o"
        "*.so"
        # ignore all dotfiles as .config and .cache can become quite big
        "/home/alarsyo/.*"
      ];
    };
    pipewire.enable = true;
    tailscale = {
      enable = true;
      useRoutingFeatures = "both";
    };
  };
  services = {
    openssh = {
      enable = true;
-      permitRootLogin = "no";
+    };
-      passwordAuthentication = false;
+  };
  my.gui = {
    enable = true;
    isNvidia = true;
  };
-    xserver = {
+  hardware = {
    bluetooth = {
      enable = true;
-      videoDrivers = [ "nvidia" ];
+      powerOnBoot = false;
      windowManager.i3.enable = true;
      layout = "fr";
      xkbVariant = "us";
    };
-
+    nvidia = {
-    emacs = {
+      open = true;
-      enable = true;
+      modesetting.enable = true;
      package = pkgs.emacsPgtkGcc;
    };
  };
  sound.enable = true;
  hardware.pulseaudio = {
    enable = true;
    extraModules = [ pkgs.pulseaudio-modules-bt ];
    package = pkgs.pulseaudioFull;
  };
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
  };
 }
--- a/hosts/boreal/hardware-configuration.nix
+++ b/hosts/boreal/hardware-configuration.nix
@ -1,30 +1,34 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
-  imports =
+  config,
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-  boot.initrd.kernelModules = [ ];
+  boot.initrd.kernelModules = [];
-  boot.kernelModules = [ "kvm-amd" ];
+  boot.kernelModules = ["kvm-amd"];
-  boot.extraModulePackages = [ ];
+  boot.extraModulePackages = [];
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/1a942915-c1ae-4058-b99d-09d12d40dbd3";
+    device = "/dev/disk/by-uuid/1a942915-c1ae-4058-b99d-09d12d40dbd3";
    fsType = "btrfs";
-      options = [ "subvol=nixos" "compress=zstd:1" "noatime" ];
+    options = ["subvol=nixos" "compress=zstd:1" "noatime"];
  };
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/17C7-368D";
+    device = "/dev/disk/by-uuid/17C7-368D";
    fsType = "vfat";
  };
-  swapDevices = [ ];
+  swapDevices = [];
  hardware.cpu.amd.updateMicrocode = true;
 }
--- a/hosts/boreal/home.nix
+++ b/hosts/boreal/home.nix
@ -0,0 +1,36 @@
 {
  config,
  pkgs,
  ...
 }: {
  home-manager.users.alarsyo = {
    home.stateVersion = "20.09";
    # Keyboard settings & i3 settings
    my.home.x.enable = true;
    my.home.x.i3.enable = true;
    my.home.x.i3bar.temperature.chip = "k10temp-pci-*";
    my.home.x.i3bar.temperature.inputs = ["Tccd1"];
    my.home.x.i3bar.networking.throughput_interfaces = ["enp8s0" "wlp4s0"];
    my.home.emacs.enable = true;
    my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
    home.packages = builtins.attrValues {
      inherit
        (pkgs)
        # some websites only work there :(
        chromium
        darktable
        hugin
        enblend-enfuse
        # dev
        rustup
        ;
      inherit (pkgs.packages) spot;
    };
  };
 }
--- a/hosts/boreal/secrets.nix
+++ b/hosts/boreal/secrets.nix
@ -0,0 +1,23 @@
 {
  config,
  lib,
  options,
  ...
 }: {
  config.age = {
    secrets = let
      toSecret = name: {...} @ attrs:
        {
          file = ./../../modules/secrets + "/${name}.age";
        }
        // attrs;
    in
      lib.mapAttrs toSecret {
        "restic-backup/boreal-credentials" = {};
        "restic-backup/boreal-password" = {};
        "users/alarsyo-hashed-password" = {};
        "users/root-hashed-password" = {};
      };
  };
 }
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@ -0,0 +1,169 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  secrets = config.my.secrets;
 in {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./home.nix
    ./secrets.nix
  ];
  boot.loader.systemd-boot.enable = false;
  boot.loader.grub = {
    enable = true;
    efiSupport = false;
    devices = ["/dev/sda" "/dev/sdb"];
  };
  boot.tmp.useTmpfs = true;
  networking.hostName = "hades"; # Define your hostname.
  networking.domain = "alarsyo.net";
  # Set your time zone.
  time.timeZone = "Europe/Paris";
  networking.useDHCP = false;
  networking.interfaces.enp35s0.ipv4.addresses = [
    {
      address = "95.217.121.60";
      prefixLength = 26;
    }
  ];
  networking.interfaces.enp35s0.ipv6.addresses = [
    {
      address = "2a01:4f9:4a:3649::2";
      prefixLength = 64;
    }
  ];
  networking.defaultGateway = "95.217.121.1";
  networking.defaultGateway6 = {
    address = "fe80::1";
    interface = "enp35s0";
  };
  networking.nameservers = ["1.1.1.1" "1.0.0.1"];
  my.networking.externalInterface = "enp35s0";
  # List services that you want to enable:
  my.services = {
    fail2ban.enable = true;
    forgejo = {
      enable = true;
      privatePort = 8082;
    };
    immich = {
      enable = true;
      port = 8089;
    };
    jellyfin = {
      enable = true;
    };
    lohr = {
      enable = true;
      port = 8083;
    };
    matrix = {
      enable = true;
      secretConfigFile = config.age.secrets."matrix-synapse/secret-config".path;
    };
    mealie = {
      enable = true;
      port = 8090;
    };
    microbin = {
      enable = true;
      privatePort = 8088;
      passwordFile = config.age.secrets."microbin/secret-config".path;
    };
    miniflux = {
      enable = true;
      adminCredentialsFile = config.age.secrets."miniflux/admin-credentials".path;
      privatePort = 8080;
    };
    navidrome = {
      enable = true;
      musicFolder.path = "${config.services.nextcloud.home}/data/alarsyo/files/Musique/Songs";
    };
    nextcloud = {
      enable = true;
      adminpassFile = config.age.secrets."nextcloud/admin-pass".path;
    };
    nginx.enable = true;
    paperless = {
      enable = true;
      port = 8085;
      passwordFile = config.age.secrets."paperless/admin-password".path;
      secretKeyFile = config.age.secrets."paperless/secret-key".path;
    };
    pleroma = {
      enable = true;
      port = 8086;
      secretConfigFile = config.age.secrets."pleroma/pleroma-config".path;
    };
    restic-backup = {
      enable = true;
      repo = "b2:hades-backup-alarsyo";
      passwordFile = config.age.secrets."restic-backup/hades-password".path;
      environmentFile = config.age.secrets."restic-backup/hades-credentials".path;
      paths = ["/home/alarsyo"];
    };
    scribe = {
      enable = true;
      port = 8087;
    };
    tailscale = {
      enable = true;
      useRoutingFeatures = "server";
    };
    transmission = {
      enable = true;
      username = "alarsyo";
    };
    vaultwarden = {
      enable = true;
      privatePort = 8081;
      websocketPort = 3012;
    };
  };
  services = {
    openssh.enable = true;
    vnstat.enable = true;
  };
  virtualisation.docker.enable = true;
  environment.systemPackages = with pkgs; [
    docker-compose
  ];
  # Takes a long while to build
  documentation.nixos.enable = false;
 }
--- a/hosts/hades/hardware-configuration.nix
+++ b/hosts/hades/hardware-configuration.nix
@ -0,0 +1,29 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = ["ahci" "sd_mod"];
  boot.initrd.kernelModules = ["dm-snapshot"];
  boot.kernelModules = ["kvm-amd"];
  boot.extraModulePackages = [];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/2a24010c-14bd-439b-b30b-d0e18db69952";
    fsType = "ext4";
  };
  swapDevices = [];
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/hades/home.nix
+++ b/hosts/hades/home.nix
@ -0,0 +1,6 @@
 {config, ...}: {
  home-manager.users.alarsyo = {
    home.stateVersion = "22.05";
    my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
  };
 }
--- a/hosts/hades/secrets.nix
+++ b/hosts/hades/secrets.nix
@ -0,0 +1,46 @@
 {
  config,
  lib,
  options,
  ...
 }: {
  config.age = {
    secrets = let
      toSecret = name: {...} @ attrs:
        {
          file = ./../../modules/secrets + "/${name}.age";
        }
        // attrs;
    in
      lib.mapAttrs toSecret {
        "lohr/shared-secret" = {};
        "matrix-synapse/secret-config" = {
          owner = "matrix-synapse";
        };
        "microbin/secret-config" = {};
        "miniflux/admin-credentials" = {};
        "nextcloud/admin-pass" = {
          owner = "nextcloud";
        };
        "ovh/credentials" = {};
        "paperless/admin-password" = {};
        "paperless/secret-key" = {};
        "pleroma/pleroma-config" = {
          owner = "pleroma";
        };
        "restic-backup/hades-credentials" = {};
        "restic-backup/hades-password" = {};
        "users/alarsyo-hashed-password" = {};
        "users/root-hashed-password" = {};
      };
  };
 }
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@ -1,146 +0,0 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
 let
  secrets = config.my.secrets;
 in
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
  boot.supportedFilesystems = [ "btrfs" ];
  services.btrfs = {
    autoScrub = {
      enable = true;
      fileSystems = [ "/" ];
    };
  };
  networking.hostName = "poseidon"; # Define your hostname.
  networking.domain = "alarsyo.net";
  # Set your time zone.
  time.timeZone = "Europe/Paris";
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  networking.interfaces.eno1.ipv4.addresses = [
    {
      address = "163.172.11.110";
      prefixLength = 24;
    }
  ];
  networking.defaultGateway = {
    address = "163.172.11.1";
    interface = "eno1";
  };
  networking.nameservers = [
    "62.210.16.6"
    "62.210.16.7"
  ];
  my.networking.externalInterface = "eno1";
  # List services that you want to enable:
  my.services = {
    bitwarden_rs = {
      enable = true;
      privatePort = 8081;
      websocketPort = 3012;
    };
    borg-backup = {
      enable = true;
      repo = secrets.borg-backup-repo;
    };
    fail2ban = {
      enable = true;
    };
    gitea = {
      enable = true;
      privatePort = 8082;
    };
    jellyfin = {
      enable = true;
    };
    lohr = {
      enable = true;
      port = 8083;
    };
    miniflux = {
      enable = true;
      adminCredentialsFile = "${../../secrets/miniflux-admin-credentials.secret}";
      privatePort = 8080;
    };
    matrix = {
      enable = true;
      registration_shared_secret = secrets.matrix-registration-shared-secret;
    };
    monitoring = {
      enable = true;
      useACME = true;
      domain = "monitoring.${config.networking.domain}";
    };
    nextcloud = {
      enable = true;
    };
    postgresql-backup = {
      enable = true;
    };
    tgv = {
      enable = true;
    };
    transmission = {
      enable = true;
      username = "alarsyo";
      password = secrets.transmission-password;
    };
    wireguard = {
      enable = true;
      iface = "wg";
      port = 51820;
      net = {
        v4 = {
          subnet = "10.0.0";
          mask = 24;
        };
        v6 = {
          subnet = "fd42:42:42";
          mask = 64;
        };
      };
    };
  };
  security.acme.acceptTerms = true;
  security.acme.email = "antoine97.martin@gmail.com";
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";
  services.openssh.passwordAuthentication = false;
 }
--- a/hosts/poseidon/hardware-configuration.nix
+++ b/hosts/poseidon/hardware-configuration.nix
@ -1,36 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ahci" "usbhid" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/adcf0158-edfb-402f-82e7-61e4902af989";
      fsType = "btrfs";
      options = [
        "subvol=@nixos"
        "compress=zstd"
        "noatime"
      ];
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/ff54b622-0e26-4c6e-aa0c-ac2c1e12699a";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/381a9c5e-4d71-45b4-ac62-e7414b3768fc"; }
    ];
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/hosts/talos/default.nix
+++ b/hosts/talos/default.nix
@ -0,0 +1,174 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disko-config.nix
    ./home.nix
    ./secrets.nix
  ];
  boot.kernelPackages = pkgs.linuxPackages_6_11;
  # Set Wi-Fi regulatory domain. Currently always set to '00' (world), and could
  # lead to bad Wi-Fi performance
  boot.kernelParams = ["cfg80211.ieee80211_regdom=FR"];
  boot.extraModulePackages = with config.boot.kernelPackages; [
    v4l2loopback
  ];
  boot.extraModprobeConfig = ''
    options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
  '';
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot = {
    enable = true;
    editor = false;
    consoleMode = "auto";
  };
  boot.loader.efi.canTouchEfiVariables = true;
  boot.tmp.useTmpfs = true;
  services.btrfs = {
    autoScrub = {
      enable = true;
      fileSystems = ["/"];
    };
  };
  networking.hostName = "talos"; # Define your hostname.
  networking.domain = "alarsyo.net";
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.networkmanager = {
    enable = true;
    wifi.powersave = true;
  };
  # Set your time zone.
  time.timeZone = "Europe/Paris";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  programs = {
    light.enable = true;
  };
  services = {
    fwupd.enable = true;
    openssh.enable = true;
  };
  virtualisation = {
    docker.enable = true;
    libvirtd.enable = false;
    virtualbox.host = {
      enable = false;
    };
  };
  my.services = {
    tailscale = {
      enable = true;
      useRoutingFeatures = "client";
    };
    pipewire.enable = true;
    restic-backup = {
      enable = true;
      repo = "b2:talos-backup";
      passwordFile = config.age.secrets."restic-backup/talos-password".path;
      environmentFile = config.age.secrets."restic-backup/talos-credentials".path;
      timerConfig = {
        OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day
      };
      paths = [
        "/home/alarsyo"
      ];
      exclude = [
        "/home/alarsyo/Downloads"
        # Rust builds using half my storage capacity
        "/home/alarsyo/**/target"
        "/home/alarsyo/work/rust/build"
        # don't backup nixpkgs
        "/home/alarsyo/work/nixpkgs"
        "/home/alarsyo/go"
        # C build crap
        "*.a"
        "*.o"
        "*.so"
        ".direnv"
        # test vms
        "*.qcow2"
        "*.vbox"
        "*.vdi"
        # secrets stay offline
        "/home/alarsyo/**/secrets"
        # ignore all dotfiles as .config and .cache can become quite big
        "/home/alarsyo/.*"
      ];
    };
  };
  my.gui.enable = true;
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = false;
    settings.General.Experimental = true;
  };
  # Configure console keymap
  console.keyMap = "us";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "fr_FR.UTF-8";
    LC_IDENTIFICATION = "fr_FR.UTF-8";
    LC_MEASUREMENT = "fr_FR.UTF-8";
    LC_MONETARY = "fr_FR.UTF-8";
    LC_NAME = "fr_FR.UTF-8";
    LC_PAPER = "fr_FR.UTF-8";
    LC_TELEPHONE = "fr_FR.UTF-8";
  };
  # Enable the KDE Plasma Desktop Environment.
  services.desktopManager.plasma6.enable = true;
  services.power-profiles-daemon.enable = true;
  environment.systemPackages = [
    pkgs.unstable.zed-editor
    pkgs.foot
  ];
  #programs.hyprland.enable = true;
  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true;
  };
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
 }
--- a/hosts/talos/disko-config.nix
+++ b/hosts/talos/disko-config.nix
@ -0,0 +1,68 @@
 {
  disko.devices = {
    disk = {
      nvme0n1 = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [
                  "defaults"
                ];
              };
            };
            luks = {
              size = "600G";
              content = {
                type = "luks";
                name = "crypted";
                # disable settings.keyFile if you want to use interactive password entry
                passwordFile = "/tmp/secret.key"; # Interactive
                settings = {
                  allowDiscards = true;
                  #keyFile = "/tmp/secret.key";
                };
                #additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
                content = {
                  type = "btrfs";
                  extraArgs = ["-f"];
                  subvolumes = {
                    "@" = {
                      mountpoint = "/";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                    "@home" = {
                      mountpoint = "/home";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                    "@nix" = {
                      mountpoint = "/nix";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                    "@persist" = {
                      mountpoint = "/persist";
                      mountOptions = ["compress=zstd" "noatime"];
                    };
                    "@snapshots" = {};
                    "@swap" = {
                      mountpoint = "/.swapvol";
                      swap.swapfile.size = "8G";
                    };
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/talos/hardware-configuration.nix
+++ b/hosts/talos/hardware-configuration.nix
@ -0,0 +1,29 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-amd"];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/talos/home.nix
+++ b/hosts/talos/home.nix
@ -0,0 +1,129 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkOptionDefault
    ;
 in {
  home-manager.users.alarsyo = {
    home.stateVersion = "23.11";
    my.home.laptop.enable = true;
    # Keyboard settings & i3 settings
    my.home.x.enable = true;
    my.home.x.i3bar.temperature.chip = "k10temp-pci-*";
    my.home.x.i3bar.temperature.inputs = ["Tctl"];
    my.home.x.i3bar.networking.throughput_interfaces = ["wlp1s0"];
    my.home.emacs.enable = true;
    my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
    # TODO: place in global home conf
    services.dunst.enable = true;
    home.packages = builtins.attrValues {
      inherit
        (pkgs)
        ansel
        chromium # some websites only work there :(
        zotero
        ;
      inherit
        (pkgs.packages)
        spot
        ;
    };
    wayland.windowManager.sway = {
      enable = true;
      swaynag.enable = true;
      wrapperFeatures.gtk = true;
      config = {
        modifier = "Mod4";
        input = {
          "type:keyboard" = {
            xkb_layout = "fr";
            xkb_variant = "us";
          };
          "type:touchpad" = {
            dwt = "enabled";
            tap = "enabled";
            middle_emulation = "enabled";
            natural_scroll = "enabled";
          };
        };
        output = {
          "eDP-1" = {
            scale = "1.5";
          };
        };
        fonts = {
          names = ["Iosevka Fixed" "FontAwesome6Free"];
          size = 9.0;
        };
        bars = [
          {
            mode = "dock";
            hiddenState = "hide";
            position = "top";
            workspaceButtons = true;
            workspaceNumbers = true;
            statusCommand = "${pkgs.i3status}/bin/i3status";
            fonts = {
              names = ["Iosevka Fixed" "FontAwesome6Free"];
              size = 9.0;
            };
            trayOutput = "primary";
            colors = {
              background = "#000000";
              statusline = "#ffffff";
              separator = "#666666";
              focusedWorkspace = {
                border = "#4c7899";
                background = "#285577";
                text = "#ffffff";
              };
              activeWorkspace = {
                border = "#333333";
                background = "#5f676a";
                text = "#ffffff";
              };
              inactiveWorkspace = {
                border = "#333333";
                background = "#222222";
                text = "#888888";
              };
              urgentWorkspace = {
                border = "#2f343a";
                background = "#900000";
                text = "#ffffff";
              };
              bindingMode = {
                border = "#2f343a";
                background = "#900000";
                text = "#ffffff";
              };
            };
          }
        ];
        keybindings = mkOptionDefault {
          "Mod4+i" = "exec emacsclient --create-frame";
        };
      };
    };
    programs = {
      fuzzel.enable = true;
      swaylock.enable = true;
      waybar = {
        enable = true;
      };
    };
  };
 }
--- a/hosts/talos/secrets.nix
+++ b/hosts/talos/secrets.nix
@ -0,0 +1,23 @@
 {
  config,
  lib,
  options,
  ...
 }: {
  config.age = {
    secrets = let
      toSecret = name: {...} @ attrs:
        {
          file = ./../../modules/secrets + "/${name}.age";
        }
        // attrs;
    in
      lib.mapAttrs toSecret {
        "restic-backup/talos-credentials" = {};
        "restic-backup/talos-password" = {};
        "users/alarsyo-hashed-password" = {};
        "users/root-hashed-password" = {};
      };
  };
 }
--- a/hosts/thanatos/default.nix
+++ b/hosts/thanatos/default.nix
@ -0,0 +1,96 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  secrets = config.my.secrets;
 in {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disko-configuration.nix
    ./home.nix
    ./secrets.nix
  ];
  boot.loader.grub.enable = true;
  boot.tmp.useTmpfs = true;
  networking.hostName = "thanatos"; # Define your hostname.
  networking.domain = "lrde.epita.fr";
  # Set your time zone.
  time.timeZone = "Europe/Paris";
  # List services that you want to enable:
  my.services = {
    tailscale = {
      enable = true;
      useRoutingFeatures = "both";
    };
  };
  services = {
    gitlab-runner = {
      enable = true;
      settings = {
        concurrent = 4;
      };
      services = {
        nix = {
          authenticationTokenConfigFile = config.age.secrets."gitlab-runner/thanatos-nix-runner-env".path;
          dockerImage = "alpine";
          dockerVolumes = [
            "/nix/store:/nix/store:ro"
            "/nix/var/nix/db:/nix/var/nix/db:ro"
            "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
          ];
          dockerDisableCache = true;
          preBuildScript = pkgs.writeScript "setup-container" ''
            mkdir -p -m 0755 /nix/var/log/nix/drvs
            mkdir -p -m 0755 /nix/var/nix/gcroots
            mkdir -p -m 0755 /nix/var/nix/profiles
            mkdir -p -m 0755 /nix/var/nix/temproots
            mkdir -p -m 0755 /nix/var/nix/userpool
            mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
            mkdir -p -m 1777 /nix/var/nix/profiles/per-user
            mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
            mkdir -p -m 0700 "$HOME/.nix-defexpr"
            . ${pkgs.nix}/etc/profile.d/nix.sh
            ${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [nix cacert git openssh])}
            ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
            ${pkgs.nix}/bin/nix-channel --update nixpkgs
            mkdir -p ~/.config/nix
            echo "experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
          '';
          environmentVariables = {
            ENV = "/etc/profile";
            USER = "root";
            NIX_REMOTE = "daemon";
            PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
            NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
          };
        };
        default = {
          authenticationTokenConfigFile = config.age.secrets."gitlab-runner/thanatos-runner-env".path;
          dockerImage = "debian:stable";
        };
      };
    };
    openssh.enable = true;
  };
  virtualisation.docker.enable = true;
  environment.systemPackages = with pkgs; [
    docker-compose
  ];
 }
--- a/hosts/thanatos/disko-configuration.nix
+++ b/hosts/thanatos/disko-configuration.nix
@ -0,0 +1,52 @@
 {
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        device = "/dev/disk/by-id/ata-CT250MX500SSD1_2301E69A20C4";
        content = {
          type = "gpt";
          partitions = {
            boot = {
              size = "1M";
              type = "EF02"; # for grub MBR
            };
            ESP = {
              size = "512M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
            root = {
              size = "100%";
              content = {
                type = "btrfs";
                subvolumes = {
                  "/root" = {
                    mountpoint = "/";
                    mountOptions = ["compress=zstd" "noatime"];
                  };
                  "/home" = {
                    mountpoint = "/home";
                    mountOptions = ["compress=zstd" "noatime"];
                  };
                  "/nix" = {
                    mountpoint = "/nix";
                    mountOptions = ["compress=zstd" "noatime"];
                  };
                  "/swap" = {
                    mountpoint = "/.swapvol";
                    swap.swapfile.size = "8G";
                  };
                };
              };
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/thanatos/hardware-configuration.nix
+++ b/hosts/thanatos/hardware-configuration.nix
@ -0,0 +1,29 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["kvm-intel"];
  boot.extraModulePackages = [];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/thanatos/home.nix
+++ b/hosts/thanatos/home.nix
@ -0,0 +1,7 @@
 {config, ...}: {
  home-manager.users.alarsyo = {
    home.stateVersion = "23.11";
    my.theme = config.home-manager.users.alarsyo.my.themes.solarizedLight;
  };
 }
--- a/hosts/thanatos/secrets.nix
+++ b/hosts/thanatos/secrets.nix
@ -0,0 +1,22 @@
 {
  config,
  lib,
  options,
  ...
 }: {
  config.age = {
    secrets = let
      toSecret = name: {...} @ attrs:
        {
          file = ./../../modules/secrets + "/${name}.age";
        }
        // attrs;
    in
      lib.mapAttrs toSecret {
        "users/alarsyo-hashed-password" = {};
        "users/root-hashed-password" = {};
        "gitlab-runner/thanatos-runner-env" = {};
        "gitlab-runner/thanatos-nix-runner-env" = {};
      };
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@ -0,0 +1,7 @@
 {...}: {
  imports = [
    ./sddm.nix
    ./secrets
    ./wakeonwlan.nix
  ];
 }
--- a/modules/sddm.nix
+++ b/modules/sddm.nix
@ -0,0 +1,31 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    ;
  cfg = config.my.displayManager.sddm;
 in {
  options.my.displayManager.sddm.enable = mkEnableOption "SDDM setup";
  config = mkIf cfg.enable {
    services.displayManager.sddm = {
      enable = true;
      theme = "catppuccin-latte";
      wayland.enable = true;
    };
    environment.systemPackages = [
      (pkgs.catppuccin-sddm.override
        {
          flavor = "latte";
        })
    ];
  };
 }
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@ -0,0 +1,7 @@
 {
  config,
  lib,
  options,
  ...
 }: {
 }
--- a/modules/secrets/gandi/api-key.age
+++ b/modules/secrets/gandi/api-key.age
@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw E972A3kem7+3ul2Ai8TV8EVkF9upClr46y1pbN+AfDY
 qZdZuv+F9c46uxKWYdBKp6AGkTA5IEjcBwDlBHpEbCU
 -> ssh-ed25519 pX8y2g WEBknhwaTqfVzaLQRg1tfEY/aGZDFnH0PvXOZ3pC1k8
 A23ELihRVsx8jhTcJAy3a1/saKWPc6ojf8HhPHj0niw
 -> ssh-ed25519 z6Eu8Q IsN3L8xlk8VwrqUByYiUhthAk06KCn6hcYlZrodk/Vg
 lX/SjRJIZEt1/Q6iLKFiUTHB4eH8ig4WJN79mU/AVUw
 -> &r29]-grease #}
 100ULy2nfLIOODMNPyvq0ATuGdVBAgwcXAs
 --- VkOZ7Vy9R4QPqvgAveJae/L4/nuDnQ/bAoN7UEKzxyw
 wQ{3É”3‘
 m2eÞ?×ò¥.M„<19>:Df)ïˆ;t{zR½ªo’ñ²›‡òE#c·çáéTE…Ú9¹H67ÊqAÜ_Lb}
--- a/modules/secrets/gitlab-runner/thanatos-nix-runner-env.age
+++ b/modules/secrets/gitlab-runner/thanatos-nix-runner-env.age
--- a/modules/secrets/gitlab-runner/thanatos-runner-env.age
+++ b/modules/secrets/gitlab-runner/thanatos-runner-env.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw naNq55qkAm47KXPJpYFDjVQuxPz2Ffpima5z1WEqRSA
 ETC3Hh4gglwYpiJCu/EGOUzjN3BJYk8yJshMeMkgYug
 -> ssh-ed25519 6UUuZw Azk9jDbUL/nO20lvzs0s36q/4ZcWSpkUbt1J/PE7A2M
 kPKHGLoWHDpFhsRr+CBteWKYsDw0dn/+IKbrh/5qMoE
 --- g1akMn28voSQByQR9/ArJ4CsQehcwJ7MfCco+k2fPWo
 › YMZÓíî:ú{R^n~ó½±ã¢ÊwPaª§h£8<C2A3>T'hcmªe(<28>‘ÝXx=7”‹‡Ë¢[äË4@b=“&ª®æYÅ;‘€Ü[„ª¹ØÁˆß¿kôk>ˆ5’4‚0ÞGâŒ÷ðÌŸ±Q<C2B1>Êë·±Ÿw¡
--- a/modules/secrets/lohr/shared-secret.age
+++ b/modules/secrets/lohr/shared-secret.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw R7jnkS7fFFSouPgvjrCnyfWNHOanOWKVUDp4Fd2xqFU
 MdWD5E8dWfDHqFNTDCqOlyMhwpfEtqhlpnx3opft70w
 -> ssh-ed25519 pX8y2g /CAWr94ucfxWKLWQPSQD2fl09TuUZELywWoZgHZS0AY
 NeDHZc2ooKl2Bp0nAEY9P/Apdramb2TpHWpx0jkceyk
 -> bzN-grease F &,%3jl~w &]8&d*N6 5UJ
 58BUbsIwRkkUrNoSbgbMo/o1tKttXP2YWIJs9cbfXrT6XcO+Km0g90LPbYCmsqTZ
 pr8TINM2Wd8RQw
 --- 7K7sEw2zIWhuR3intlPGFipaVhHli+tWHqmyobRjLYo
 oÔèÛ„Å[\ñ²û¸©lN/X•ô:<03>±Œu¥N¾Öó
kºƒ{ïÁmeÿ0A=,h_¤÷è,œ4S&‰ù<E280B0>9œ‚hÙ1/ÄÍž’¥é÷ypa³öz2Ñ€†íTº,©’Réâ€U
--- a/modules/secrets/matrix-synapse/secret-config.age
+++ b/modules/secrets/matrix-synapse/secret-config.age
--- a/modules/secrets/microbin/secret-config.age
+++ b/modules/secrets/microbin/secret-config.age
--- a/modules/secrets/miniflux/admin-credentials.age
+++ b/modules/secrets/miniflux/admin-credentials.age
--- a/modules/secrets/nextcloud/admin-pass.age
+++ b/modules/secrets/nextcloud/admin-pass.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw md0WbIE3MSWLqqerCD4ljh4U+4fWaOhKZxl9RQt+HDo
 8Wj+hn5wwzgA6D1zQEaP1WIfmmK6pXVy2ZX5OQ/N0pU
 -> ssh-ed25519 pX8y2g ByOhNTkxCHFkOQAOrID+bZEQzwesbnKluY6G5sSUhlg
 AybKPZKzELtvWTT/Kmc+zs7KC4GB9214GUdnWMhGnmo
 -> QK!x#/y-grease c|K1% \ug . >WFn:bI
 Cgx9qaPIUk1hGKtQYJ6kNk/+bHTJ
 --- YwtEWMiVxfvMGE1ngDiy/dALw/Y9YAxduaqlVgPNqdk
 ÿ¿zîóÑF(Ãƒ8§?VÁJýæávH(kÔ‚9o\!£Ê¿ˆÐÓN7é@«àY#ÕÓ19êümùV¢}ŸZðØ¶QWEÇ’þ}v/éƒ<®	õ»æh‰¶T3†vN‚®”1
--- a/modules/secrets/ovh/credentials.age
+++ b/modules/secrets/ovh/credentials.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw XED7gkKAp1ioBegA7ryqULRF1BORpW74esfIGp9zPE8
 ANxnQN+tox9KYdZvNZFZvQxOymckldPQMhFnz6fSIBo
 -> ssh-ed25519 pX8y2g 9wgPqL6GoOxad5AAUmDAYj0h/57AEM8VsQKq1pGTtjM
 SxD++XJioZLpt6C8Xse5Nmz4wtL0Fb5NKWo5ijKpyv8
 --- 3qOJnkY3Uc4fIex9mgz2+w+su5dS7K7Tmtk1hiqkn9M
 ÁXª¨àeéˆaLQH2*ZÅTé¿ ‘®P;Ý(jCÌ€k‡viäµû<C2B5>ÿ’Ä§¡à†kæ`™ô]mò<6D>ÿBñ,³±,ü÷?!¶{àŠ%eÙì(„Su¿-SŸD¢¾“=H#‡„¼Þq=ï<>Uùí;=OÍ<÷R¼ÇÎE±“<+&èdÂæ<18>>G+_oP¥Þ]ÿê¦RÄßL$Ö³\š°ü0ø¤N!þ"Áã&÷%Nž à<ËÃ,òv°1ÿ‘Ê‘Új1
--- a/modules/secrets/paperless/admin-password.age
+++ b/modules/secrets/paperless/admin-password.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw Cnh9E+IbDcTnJT0AmN1pFJ9PrT/bWswps3viYITN2yo
 DwsFW60Su9sble5QFEjX5QoWVl/lMBsqAPWK+AB9epw
 -> ssh-ed25519 pX8y2g fMdWosCSxRpJSA3VGDEyWzeQfTJD5sPnu38MrcJJ1A8
 g16EuuS95pIeUuLZfqXR4Mey2GKiXRlxA2KRLD1RVns
 -> s*.sKB4H-grease V9A)DG( T<yeD0a<
 kaz3Ejq54nizMyMabG2TBzJ/oy8VIUKxQcXgWjM6CZp+8j36y5LtnR7osDZRzs27
 Yf+Y52QuZWswmD+tC+VxaQUpdd+3xvv2MH7D5ih2tTXy9/wZFKWTvIsvKBKz7dOQ
 --- Y6f3eO8mQAb/gAG4CnbxZa7L+FVBCd3v33tXf01pKLg
 kÆ«Ø<fÂÇEGuñ‰x#ô;ZÔ/@%:ºì(&&ºXVøø¹Û"ö¾ÎÂ‘ñö,y`~n]BÅïî=Š\v8Œø´Ç¸”ŸþcO(7˜ú<CB9C>¡eÍXÝ0éÎï™•
--- a/modules/secrets/paperless/secret-key.age
+++ b/modules/secrets/paperless/secret-key.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw CoGvifgWo1JvHjx3PKJa3jR3lKrvgvKnTTui1w6UR0I
 gcadr6WbTzyrPD3h3oDifFj/pMZKIzUfDXL6e6610Is
 -> ssh-ed25519 pX8y2g MBFa4xDU6CaH6amzlGTmFXIcAXLq2xykRd0WkeUEkQo
 91jV5LUuhvOVKSg2cz3TMKI2SaZvCTzXL/xyUWbYJAg
 -> lkH}'\W;-grease nZ K\MP7 HUsh
 vWwsKxuBXKwpTBkYERd7kPo
 --- xohFX48WGxRFVYQzdbSl7l2Go90FSUPH5ml6OalKJwQ
 ÍsüÈùÁòÆ€ã·Õ<12>¡ŸhÝÝõ¦!è,(ÒQlÁök¶þV×ä¬ÛóË~éýÔÍU
!ÂûB0	~ÃÏA!2Ùnp€`²‹’ÕÍìL&¯±³{†}„3%{’[)<18>t…®/nÊjb^{<7B>ƒ1Gû[G0ß
¿×‘ò m›o˜Ÿˆ«	È:naŸ¨Q®¥\âæômfG¾;ù(Sþ¶ŸÉÎå
--- a/modules/secrets/pleroma/pleroma-config.age
+++ b/modules/secrets/pleroma/pleroma-config.age
--- a/modules/secrets/restic-backup/boreal-credentials.age
+++ b/modules/secrets/restic-backup/boreal-credentials.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro
 21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks
 -> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM
 ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg
 -> u5-grease
 MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm
 fg
 --- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw
 ŒÙúDíï°	´&…<QØ+¨úþ‹éJoTÇ;US9.©âu'v¸œ,‘Ä@“úÿQKcë‚ÛzÑ>v¢€ÃN1›±tòÚ8›w<˜Îò“w°d<C2B0><64>>s:µG_øæÆšyø„u,þÅ%@J hñ"†Ev‡ÙX
--- a/modules/secrets/restic-backup/boreal-password.age
+++ b/modules/secrets/restic-backup/boreal-password.age
--- a/modules/secrets/restic-backup/hades-credentials.age
+++ b/modules/secrets/restic-backup/hades-credentials.age
--- a/modules/secrets/restic-backup/hades-password.age
+++ b/modules/secrets/restic-backup/hades-password.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw tz1jNUQvZEVHqehFVapGqTzuRS42q/cMxyMxxKq+LzM
 kA2ZKO7MJijITas44VeEKSNl801EmGea9k35OXiZ+BE
 -> ssh-ed25519 pX8y2g xjtYR+DLpZ8aWXSGnZwbW1LYgIzcFWirKzCFJ8XcFmk
 bDXZMuNZexO3Cj0RmzjGA33Xt6eMV1zTqjkw+hFUB54
 -> XL-grease ]SR-r g<"^}r I> PHC
 i5h9MKFYUKNt
 --- arx3EqdP9sGpt3TmJDAHNaF03UL+hfJTle+FSdlP/6A
 }èÆÎÔvÒjAÄû§ËòzÎ<7A>“TGWïv¼B¼ª0<C2AA><ñá;ZïY‚ªü{ª·ÂŽL<´\è‰Å<E280B0>>…Ì4¿o~€ã,šËèš«^4^yl\Ftgd<>Ä
 G±Æ²æ*"”
--- a/modules/secrets/restic-backup/poseidon-credentials.age
+++ b/modules/secrets/restic-backup/poseidon-credentials.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 k2gHjw oSO/cLGLMkjqRIjYewTqtOccb7CLSmODK+B6Kb/L/gk
 cGU5gafJCeX/o3qqcNNPGIAXbAwm8sZi59QIDqcmWUA
 -> ssh-ed25519 z6Eu8Q FMOXZNxOrbT95XR5R6tul1A+aiCP/QHRsCZraA/SZmw
 UXjp7Z93U56hZ9f/OijkzZ1UCRf+VVwD0b1dY04lCVs
 -> )-grease
 qkTAz5YAzx5TLvSvmiAL1EDt3pYUgwdMMcRKDBdTBrvxeQE
 --- EBQNvbSPDyq5SFKU517JyM024/zZx0DqoxMiP9jzlSs
 rP+áÕôy¯j‡²f>ï9ÓÈŽÌ·ýw›ÕtØ6šsˆgƒ½/tØÞàSÍ—ì¡Ø\fZªêª<C3AA>N?v·ŒÚ
 µ1÷Iíœ¹+uÝ¾U-ëCfÜn1`cò-’‹RCéêP'¿zB)¿ØFŽ` äV<C3A4>ÖBKX
--- a/modules/secrets/restic-backup/poseidon-password.age
+++ b/modules/secrets/restic-backup/poseidon-password.age
--- a/Show more
+++ b/Show more
		`@ -1,2 +0,0 @@`
			`secrets/*.secret filter=git-crypt diff=git-crypt`
			`secrets/wireguard.nix filter=git-crypt diff=git-crypt`