Merge pull request 'Update flake inputs' (#258 ) from main-update-flake-inputs into main

Reviewed-on: #258 Reviewed-by: b12f <hello@benjaminbaedorf.eu>
chore: update blesh in nvfetcher
2023-10-13 11:26:39 +02:00 · 2023-10-09 21:11:31 +02:00 · 2023-10-09 19:15:11 +02:00
32 changed files with 53 additions and 1125 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -17,7 +17,7 @@ steps:
      - nix $$NIX_FLAGS develop --command nix flake show
      - nix $$NIX_FLAGS develop --command treefmt --fail-on-change
      - nix $$NIX_FLAGS develop --command editorconfig-checker
-      - nix $$NIX_FLAGS build ".#nixosConfigurations.flora-6.config.system.build.toplevel"
+      - nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel"
 ---
 kind: pipeline
@ -44,7 +44,7 @@ steps:
        from_secret: private_ssh_key
      MANTA_USER: pub_solar
      MANTA_URL: https://eu-central.manta.greenbaum.cloud
-      MANTA_KEY_ID: "59:9f:5a:6f:c4:e2:3b:32:7f:13:1f:de:b7:59:80:85"
+      MANTA_KEY_ID: "5d:5f:3d:22:8d:37:1f:e6:d6:ab:06:18:d9:a2:04:67"
    commands:
      - export TARGET_DIR="ci/$${DRONE_REPO}/$${DRONE_BUILD_NUMBER}"
      - echo env var TARGET_DIR is set to $$TARGET_DIR
@ -149,6 +149,6 @@ volumes:
 ---
 kind: signature
-hmac: 17811add241edae457584ba78389886df02b5e51820d826ef5fb2d97de2430e2
+hmac: a116f78a0b22188052893bdb46aa40f8de66438826c10ced362ea183d7644d67
 ...
--- a/flake.lock
+++ b/flake.lock
@ -30,11 +30,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694497842,
+        "lastModified": 1696360011,
-        "narHash": "sha256-z03v/m0OwcLBok97KcUgMl8ZFw5Xwsi2z+n6nL7JdXY=",
+        "narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "4496ab26628c5f43d2a5c577a06683c753e32fe2",
+        "rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
        "type": "github"
      },
      "original": {
@ -54,11 +54,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1694513707,
+        "lastModified": 1695052866,
-        "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=",
+        "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8",
+        "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
        "type": "github"
      },
      "original": {
@ -89,28 +89,6 @@
        "type": "github"
      }
    },
    "devshell_2": {
      "inputs": {
        "nixpkgs": [
          "keycloak-theme-pub-solar",
          "nixpkgs"
        ],
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1688380630,
        "narHash": "sha256-8ilApWVb1mAi4439zS3iFeIT0ODlbrifm/fegWwgHjA=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "digga": {
      "inputs": {
        "darwin": [
@ -219,39 +197,6 @@
        "type": "github"
      }
    },
    "flake-utils_3": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1689068808,
        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_4": {
      "locked": {
        "lastModified": 1653893745,
        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "fork": {
      "locked": {
        "lastModified": 1692960587,
@ -275,11 +220,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694465129,
+        "lastModified": 1695108154,
-        "narHash": "sha256-8BQiuobMrCfCbGM7w6Snx+OBYdtTIm0+cGVaKwQ5BFg=",
+        "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "9787dffff5d315c9593d3f9fb0f9bf2097e1b57b",
+        "rev": "07682fff75d41f18327a871088d20af2710d4744",
        "type": "github"
      },
      "original": {
@ -289,36 +234,13 @@
        "type": "github"
      }
    },
    "keycloak-theme-pub-solar": {
      "inputs": {
        "devshell": "devshell_2",
        "flake-utils": "flake-utils_3",
        "nixpkgs": [
          "nixos"
        ]
      },
      "locked": {
        "lastModified": 1689875310,
        "narHash": "sha256-gJxh8fVX24nZXBxstZcrzZhMRFG9jyOnQEfkgoRr39I=",
        "ref": "main",
        "rev": "c2c86bbf9855f16a231a596b75b443232a7b9395",
        "revCount": 24,
        "type": "git",
        "url": "https://git.pub.solar/pub-solar/keycloak-theme"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pub.solar/pub-solar/keycloak-theme"
      }
    },
    "latest": {
      "locked": {
-        "lastModified": 1698318101,
+        "lastModified": 1696604326,
-        "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
+        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
+        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
        "type": "github"
      },
      "original": {
@ -330,11 +252,11 @@
    },
    "nixos": {
      "locked": {
-        "lastModified": 1698434055,
+        "lastModified": 1696697597,
-        "narHash": "sha256-Phxi5mUKSoL7A0IYUiYtkI9e8NcGaaV5PJEaJApU1Ko=",
+        "narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1a3c95e3b23b3cdb26750621c08cc2f1560cb883",
+        "rev": "5a237aecb57296f67276ac9ab296a41c23981f56",
        "type": "github"
      },
      "original": {
@ -346,11 +268,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1694591211,
+        "lastModified": 1696614066,
-        "narHash": "sha256-NPP7XGZH+Q5ey7nE2zGLrBrzKmLYPhj8YgsTSdhH0D4=",
+        "narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "3ccd87fcdae4732fe33773cefa4375c641a057e7",
+        "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
        "type": "github"
      },
      "original": {
@ -384,65 +306,9 @@
        "flake-compat": "flake-compat",
        "fork": "fork",
        "home": "home",
        "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
        "latest": "latest",
        "nixos": "nixos",
-        "nixos-hardware": "nixos-hardware",
+        "nixos-hardware": "nixos-hardware"
        "triton-vmtools": "triton-vmtools"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "triton-vmtools": {
      "inputs": {
        "flake-utils": "flake-utils_4",
        "nixpkgs": [
          "nixos"
        ]
      },
      "locked": {
        "dir": "vmtools",
        "lastModified": 1694596254,
        "narHash": "sha256-aqGmoQXVG0Q1SeZuIWws8dbn1JRnjOGxtDVs2SBzNR0=",
        "ref": "main",
        "rev": "463d525addaf05beaf4a632fd85e2a2b25ddf8ee",
        "revCount": 69,
        "type": "git",
        "url": "https://git.pub.solar/pub-solar/infra?dir=vmtools"
      },
      "original": {
        "dir": "vmtools",
        "ref": "main",
        "type": "git",
        "url": "https://git.pub.solar/pub-solar/infra?dir=vmtools"
      }
    },
    "utils": {
--- a/flake.nix
+++ b/flake.nix
@ -36,12 +36,6 @@
    agenix.inputs.darwin.follows = "darwin";
    nixos-hardware.url = "github:nixos/nixos-hardware";
    triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra?ref=main&dir=vmtools";
    triton-vmtools.inputs.nixpkgs.follows = "nixos";
    keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
    keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixos";
  };
  outputs = {
@ -52,8 +46,6 @@
    nixos-hardware,
    agenix,
    deploy,
    triton-vmtools,
    keycloak-theme-pub-solar,
    ...
  } @ inputs:
    digga.lib.mkFlake
@ -69,6 +61,14 @@
      channels = {
        nixos = {
          imports = [(digga.lib.importOverlays ./overlays)];
          overlays = [
            (self: super: {
              deploy-rs = {
                inherit (inputs.nixos.legacyPackages.x86_64-linux) deploy-rs;
                lib = inputs.deploy.lib.x86_64-linux;
              };
            })
          ];
        };
        latest = {};
        fork = {};
@ -114,14 +114,12 @@
            ];
          };
          PubSolarOS = {
-            # Broken since https://github.com/NixOS/nixpkgs/commit/5bcef4224928fe45312f0ee321ddf0f0e8feeb7b
+            tests = [
-            # Needs a fix in https://github.com/divnix/digga/blob/main/src/tests.nix#L12-L21
+              #(import ./tests/first-test.nix {
            #tests = [
            #  (import ./tests/first-test.nix {
              #  pkgs = nixos.legacyPackages.x86_64-linux;
              #  lib = nixos.lib;
-            #  })
+              #})
-            #];
+            ];
          };
        };
        importables = rec {
@ -152,11 +150,6 @@
          pub-solar = {suites, ...}: {
            imports = suites.base;
            home.stateVersion = "21.03";
          };
          barkeeper = {suites, ...}: {
            imports = suites.base;
            home.stateVersion = "21.03";
          };
        }; # digga.lib.importers.rakeLeaves ./users/hm;
@ -167,16 +160,6 @@
      homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
      deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
        flora-6 = {
          sshUser = "barkeeper";
          hostname = "flora-6.pub.solar";
          fastConnect = true;
          profilesOrder = ["system" "direnv"];
          profiles.direnv = {
            user = "barkeeper";
            path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper;
          };
        };
        #example = {
        #  hostname = "example.com:22";
        #  sshUser = "bartender";
--- a/hosts/flora-6/README.md
+++ b/hosts/flora-6/README.md
@ -1,50 +0,0 @@
 # Deploy infra branch to flora-6
 Use this command after updating flake inputs to update services on `flora-6`.
 ```
 deploy --skip-checks --confirm-timeout 300 --targets '.#flora-6'
 An alternative, if deployment always fails and rolls back.
 ```
 deploy --skip-checks --magic-rollback false --auto-rollback false --targets '.#flora-6'
 ```
 # SSH access to flora-6
 Ensure your SSH public key is in place [here](./users/barkeeper/default.nix) and
 was deployed by someone with access.
 ```
 ssh barkeeper@flora-6.pub.solar
 ```
 # Mailman on NixOS docs
 - add reverse DNS record for IP
 Manual setup done for mailman, adapted from https://nixos.wiki/wiki/Mailman:
 ```
 # Add DNS records in infra repo using terraform:
 # https://git.pub.solar/pub-solar/infra/commit/db234cdb5b55758a3d74387ada0760e06e166b9d
 # Generate initial postfix_domains.db and postfix_lmtp.db databases for Postfix
 sudo -u mailman mailman aliases
 # Create a django superuser account
 sudo -u mailman-web mailman-web createsuperuser
 # Followed outlined steps in web UI
 ```
 ```
--- a/hosts/flora-6/caddy.nix
+++ b/hosts/flora-6/caddy.nix
@ -1,41 +0,0 @@
 {
  config,
  lib,
  pkgs,
  self,
  ...
 }:
 {
  systemd.tmpfiles.rules = [
    "d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
  ];
  services.caddy = {
    enable = lib.mkForce true;
    group = "hakkonaut";
    email = "admins@pub.solar";
    enableReload = true;
    globalConfig = lib.mkForce ''
      grace_period 60s
    '';
    virtualHosts = {
      "ci.pub.solar" = {
        logFormat = lib.mkForce ''
          output discard
        '';
        extraConfig = ''
          reverse_proxy :4000
        '';
      };
      "obs-portal.pub.solar" = {
        logFormat = lib.mkForce ''
          output discard
        '';
        extraConfig = ''
          reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [80 443];
 }
--- a/hosts/flora-6/collabora.nix
+++ b/hosts/flora-6/collabora.nix
@ -1,38 +0,0 @@
 {
  config,
  lib,
  pkgs,
  self,
  ...
 }: {
  virtualisation = {
    docker = {
      enable = true; # sadly podman is not supported rightnow
      extraOptions = ''
        --data-root /data/docker
      '';
    };
    oci-containers = {
      backend = "docker";
      containers."collabora" = {
        image = "collabora/code";
        autoStart = true;
        ports = [
          "9980:9980"
        ];
        extraOptions = [
          "--cap-add=MKNOD"
          "--pull=always"
        ];
        environment = {
          server_name = "collabora.pub.solar";
          aliasgroup1 = "https://cloud.pub.solar:443";
          DONT_GEN_SSL_CERT = "1";
          extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
          SLEEPFORDEBUGGER = "0";
        };
      };
    };
  };
 }
--- a/hosts/flora-6/default.nix
+++ b/hosts/flora-6/default.nix
@ -1,5 +0,0 @@
 {...}: {
  imports = [
    ./flora-6.nix
  ];
 }
--- a/hosts/flora-6/drone.nix
+++ b/hosts/flora-6/drone.nix
@ -1,116 +0,0 @@
 {
  config,
  lib,
  pkgs,
  self,
  ...
 }: {
  age.secrets.drone-secrets = {
    file = "${self}/secrets/drone-secrets.age";
    mode = "600";
    owner = "drone";
  };
  age.secrets.drone-db-secrets = {
    file = "${self}/secrets/drone-db-secrets.age";
    mode = "600";
    owner = "drone";
  };
  users.users.drone = {
    description = "Drone Service";
    home = "/var/lib/drone";
    useDefaultShell = true;
    uid = 994;
    group = "drone";
    isSystemUser = true;
  };
  users.groups.drone = {};
  systemd.tmpfiles.rules = [
    "d '/var/lib/drone-db' 0750 drone drone - -"
  ];
  systemd.services."docker-network-drone" = let
    docker = config.virtualisation.oci-containers.backend;
    dockerBin = "${pkgs.${docker}}/bin/${docker}";
  in {
    serviceConfig.Type = "oneshot";
    before = ["docker-drone-server.service"];
    script = ''
      ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
    '';
  };
  virtualisation = {
    docker = {
      enable = true; # sadly podman is not supported rightnow
      extraOptions = ''
        --data-root /data/docker
      '';
    };
    oci-containers = {
      backend = "docker";
      containers."drone-db" = {
        image = "postgres:14";
        autoStart = true;
        user = "994";
        volumes = [
          "/var/lib/drone-db:/var/lib/postgresql/data"
        ];
        extraOptions = [
          "--network=drone-net"
        ];
        environmentFiles = [
          config.age.secrets.drone-db-secrets.path
        ];
      };
      containers."drone-server" = {
        image = "drone/drone:2";
        autoStart = true;
        user = "994";
        ports = [
          "4000:80"
        ];
        dependsOn = ["drone-db"];
        extraOptions = [
          "--network=drone-net"
          "--pull=always"
        ];
        environment = {
          DRONE_GITEA_SERVER = "https://git.pub.solar";
          DRONE_SERVER_HOST = "ci.pub.solar";
          DRONE_SERVER_PROTO = "https";
          DRONE_DATABASE_DRIVER = "postgres";
        };
        environmentFiles = [
          config.age.secrets.drone-secrets.path
        ];
      };
      containers."drone-docker-runner" = {
        image = "drone/drone-runner-docker:1";
        autoStart = true;
        # needs to run as root
        #user = "994";
        volumes = [
          "/var/run/docker.sock:/var/run/docker.sock"
        ];
        dependsOn = ["drone-db"];
        extraOptions = [
          "--network=drone-net"
          "--pull=always"
        ];
        environment = {
          DRONE_RPC_HOST = "ci.pub.solar";
          DRONE_RPC_PROTO = "https";
          DRONE_RUNNER_CAPACITY = "2";
          DRONE_RUNNER_NAME = "flora-6-docker-runner";
        };
        environmentFiles = [
          config.age.secrets.drone-secrets.path
        ];
      };
    };
  };
 }
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@ -1,170 +0,0 @@
 {
  config,
  latestModulesPath,
  lib,
  inputs,
  pkgs,
  profiles,
  self,
  ...
 }: let
  psCfg = config.pub-solar;
 in {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./triton-vmtools.nix
    ./caddy.nix
    ./drone.nix
    # Disable services migrated to nachtigall.pub.solar
    #./keycloak.nix
    #./gitea.nix
    #./mailman.nix
    #./owncast.nix
    #./collabora.nix
    ./forgejo-actions-runner.nix
    profiles.base-user
    profiles.users.root # make sure to configure ssh keys
    profiles.users.barkeeper
    "${latestModulesPath}/services/continuous-integration/gitea-actions-runner.nix"
    "${latestModulesPath}/services/web-servers/caddy/default.nix"
  ];
  disabledModules = [
    "services/continuous-integration/gitea-actions-runner.nix"
    "services/web-servers/caddy/default.nix"
  ];
  config = {
    # # #
    # # # pub.solar options
    # # #
    pub-solar.core = {
      disk-encryption-active = false;
      iso-options.enable = true;
      lite = true;
    };
    # Allow sudo without a password for the barkeeper user
    security.sudo.extraRules = [
      {
        users = ["${psCfg.user.name}"];
        commands = [
          {
            command = "ALL";
            options = ["NOPASSWD"];
          }
        ];
      }
    ];
    # Override nix.conf for more agressive garbage collection
    nix.extraOptions = lib.mkForce ''
      min-free = 536870912
      keep-outputs = false
      keep-derivations = false
      fallback = true
    '';
    # Machine user for CI pipelines
    users.users.hakkonaut = {
      description = "CI and automation user";
      home = "/var/nix/iso-cache";
      useDefaultShell = true;
      uid = 998;
      group = "hakkonaut";
      isSystemUser = true;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
      ];
    };
    users.groups.hakkonaut = {};
    # # #
    # # # Triton host specific options
    # # # DO NOT ALTER below this line, changes might render system unbootable
    # # #
    # Use the systemd-boot EFI boot loader.
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;
    # Force getting the hostname from cloud-init
    networking.hostName = lib.mkDefault "";
    # Set your time zone.
    time.timeZone = "Europe/Berlin";
    # Select internationalisation properties.
    console = {
      font = "Lat2-Terminus16";
      keyMap = "us";
    };
    # List packages installed in system profile. To search, run:
    # $ nix search wget
    environment.systemPackages = with pkgs; [
      git
      vim
      wget
    ];
    # Some programs need SUID wrappers, can be configured further or are
    # started in user sessions.
    # programs.mtr.enable = true;
    # programs.gnupg.agent = {
    #   enable = true;
    #   enableSSHSupport = true;
    # };
    # List services that you want to enable:
    services.cloud-init.enable = true;
    services.cloud-init.ext4.enable = true;
    services.cloud-init.network.enable = true;
    # use the default NixOS cloud-init config, but add some SmartOS customization to it
    environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
      datasource_list: [ SmartOS ]
      # Do not create the centos/ubuntu/debian user
      users: [ ]
      # mount second disk with label ephemeral0, gets formated by cloud-init
      # this will fail to get added to /etc/fstab as it's read-only, but should
      # mount at boot anyway
      mounts:
      - [ vdb, /data, auto, "defaults,nofail" ]
    '';
    # Enable the OpenSSH daemon.
    services.openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
        Macs = [
          "hmac-sha2-512-etm@openssh.com"
          "hmac-sha2-256-etm@openssh.com"
          "umac-128-etm@openssh.com"
          "hmac-sha2-512"
          "hmac-sha2-256"
          "umac-128@openssh.com"
        ];
      };
    };
    # We manage the firewall with nix, too
    # altough triton can also manage firewall rules via the triton fwrule subcommand
    networking.firewall.enable = true;
    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05"; # Did you read the comment?
  };
 }
--- a/hosts/flora-6/forgejo-actions-runner.nix
+++ b/hosts/flora-6/forgejo-actions-runner.nix
@ -1,35 +0,0 @@
 {
  config,
  lib,
  pkgs,
  self,
  ...
 }: {
  age.secrets.forgejo-actions-runner-token = {
    file = "${self}/secrets/forgejo-actions-runner-token.age";
    mode = "644";
  };
  # forgejo actions runner
  # https://forgejo.org/docs/latest/admin/actions/
  # https://docs.gitea.com/usage/actions/quickstart
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances."flora-6" = {
      enable = true;
      name = config.networking.hostName;
      url = "https://git.pub.solar";
      tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
      labels = [
        # provide a debian 12 bookworm base for actions
        "debian-latest:docker://debian:bookworm"
        # fake the ubuntu name, commonly used in actions examples
        "ubuntu-latest:docker://debian:bookworm"
        # alpine
        "alpine-latest:docker://alpine:3.18"
        # nix flakes enabled image from
        "nix-flakes:docker://git.pub.solar/pub-solar/nix-flakes-node:latest"
      ];
    };
  };
 }
--- a/hosts/flora-6/gitea.nix
+++ b/hosts/flora-6/gitea.nix
@ -1,82 +0,0 @@
 {
  config,
  lib,
  pkgs,
  self,
  ...
 }: {
  age.secrets.gitea-database-password = {
    file = "${self}/secrets/gitea-database-password.age";
    mode = "600";
    owner = "gitea";
  };
  age.secrets.gitea-mailer-password = {
    file = "${self}/secrets/gitea-mailer-password.age";
    mode = "600";
    owner = "gitea";
  };
  # gitea
  services.gitea = {
    enable = true;
    package = pkgs.forgejo;
    appName = "pub.solar git server";
    database = {
      type = "postgres";
      passwordFile = config.age.secrets.gitea-database-password.path;
    };
    lfs.enable = true;
    mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
    settings = {
      server = {
        ROOT_URL = "https://git.pub.solar";
        DOMAIN = "git.pub.solar";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
      };
      mailer = {
        ENABLED = true;
        PROTOCOL = "smtps";
        SMTP_ADDR = "mx2.greenbaum.cloud";
        SMTP_PORT = 465;
        FROM = ''"pub.solar git server" <gitea@pub.solar>'';
        USER = "admins@pub.solar";
      };
      "repository.signing" = {
        SIGNING_KEY = "default";
        MERGES = "always";
      };
      openid = {
        ENABLE_OPENID_SIGNIN = true;
        ENABLE_OPENID_SIGNUP = true;
      };
      # uncomment after initial deployment, first user is admin user
      # required to setup SSO (oauth openid-connect, keycloak auth provider)
      service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      service.ENABLE_NOTIFY_MAIL = true;
      session.COOKIE_SECURE = lib.mkForce true;
    };
  };
  # See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
  # Required for gitea server side gpg signatures
  # configured/setup manually in:
  # /var/lib/gitea/data/home/.gitconfig
  # /var/lib/gitea/data/home/.gnupg/
  # sudo su gitea
  # export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
  # gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
  # TODO: implement declarative GPG key generation and
  # gitea gitconfig
  programs.gnupg.agent = {
    enable = true;
    pinentryFlavor = "curses";
  };
  # Required to make gpg work without a graphical environment?
  # otherwise generating a new gpg key fails with this error:
  # gpg: agent_genkey failed: No pinentry
  # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
  environment.variables = {
    GPG_TTY = "$(tty)";
  };
 }
--- a/hosts/flora-6/hardware-configuration.nix
+++ b/hosts/flora-6/hardware-configuration.nix
@ -1,44 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }: {
  imports = [];
  boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = [];
  boot.extraModulePackages = [];
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    autoResize = true;
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };
  fileSystems."/data" = {
    device = "/dev/disk/by-label/ephemeral0";
    fsType = "ext4";
    options = [
      "defaults"
      "nofail"
    ];
  };
  swapDevices = [];
  networking.useDHCP = lib.mkDefault false;
  networking.networkmanager.enable = lib.mkForce false;
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/flora-6/keycloak.nix
+++ b/hosts/flora-6/keycloak.nix
@ -1,30 +0,0 @@
 {
  config,
  lib,
  inputs,
  pkgs,
  self,
  ...
 }: {
  age.secrets.keycloak-database-password = {
    file = "${self}/secrets/keycloak-database-password.age";
    mode = "700";
    #owner = "keycloak";
  };
  # keycloak
  services.keycloak = {
    enable = true;
    database.passwordFile = config.age.secrets.keycloak-database-password.path;
    settings = {
      hostname = "auth.pub.solar";
      http-host = "127.0.0.1";
      http-port = 8080;
      proxy = "edge";
      features = "declarative-user-profile";
    };
    themes = {
      "pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
    };
  };
 }
--- a/hosts/flora-6/mailman.nix
+++ b/hosts/flora-6/mailman.nix
@ -1,102 +0,0 @@
 {
  config,
  lib,
  pkgs,
  self,
  ...
 }: let
  # Source: https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/mail/mailman.nix#L9C10-L10
  # webEnv is required by the mailman-uwsgi systemd service
  inherit (pkgs.mailmanPackages.buildEnvs {}) webEnv;
 in {
  networking.firewall.allowedTCPPorts = [25];
  services.postfix = {
    enable = true;
    relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
    # get TLS certs for list.pub.solar from caddy
    # TODO: when caddy renews certs, postfix doesn't know about it
    # implement custom built caddy with events exec handler or systemd-reload
    # hook so postfix reloads, too
    sslCert = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt";
    sslKey = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.key";
    config = {
      transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
      local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
    };
    rootAlias = "admins@pub.solar";
    postmasterAlias = "admins@pub.solar";
    hostname = "list.pub.solar";
  };
  systemd.paths.watcher-caddy-ssl-file = {
    description = "Watches for changes in caddy's TLS cert file (after renewals) to reload postfix";
    documentation = ["systemd.path(5)"];
    partOf = ["postfix-reload.service"];
    pathConfig = {
      PathChanged = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt";
      Unit = "postfix-reload.service";
    };
    wantedBy = ["multi-user.target"];
  };
  systemd.services."postfix-reload" = {
    description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-caddy-ssl-file.path";
    documentation = ["systemd.path(5)"];
    requires = ["postfix.service"];
    after = ["postfix.service"];
    startLimitIntervalSec = 10;
    startLimitBurst = 5;
    serviceConfig.Type = "oneshot";
    script = ''
      ${pkgs.systemd}/bin/systemctl reload postfix
    '';
    wantedBy = ["multi-user.target"];
  };
  services.mailman = {
    enable = true;
    # We use caddy instead of nginx
    #serve.enable = true;
    hyperkitty.enable = true;
    webHosts = ["list.pub.solar"];
    siteOwner = "admins@pub.solar";
  };
  # TODO add django-keycloak as auth provider
  # https://django-keycloak.readthedocs.io/en/latest/
  ## Extend settings.py directly since this can't be done via JSON
  ## settings (services.mailman.webSettings)
  #environment.etc."mailman3/settings.py".text = ''
  #  INSTALLED_APPS.extend([
  #    "allauth.socialaccount.providers.github",
  #    "allauth.socialaccount.providers.gitlab"
  #  ])
  #'';
  systemd.services.mailman-uwsgi = let
    uwsgiConfig.uwsgi = {
      type = "normal";
      plugins = ["python3"];
      home = webEnv;
      manage-script-name = true;
      mount = "/=mailman_web.wsgi:application";
      http = "127.0.0.1:18507";
    };
    uwsgiConfigFile = pkgs.writeText "uwsgi-mailman.json" (builtins.toJSON uwsgiConfig);
  in {
    wantedBy = ["multi-user.target"];
    after = ["postgresql.service"];
    requires = ["mailman-web-setup.service" "postgresql.service"];
    restartTriggers = [config.environment.etc."mailman3/settings.py".source];
    serviceConfig = {
      # Since the mailman-web settings.py obstinately creates a logs
      # dir in the cwd, change to the (writable) runtime directory before
      # starting uwsgi.
      ExecStart = "${pkgs.coreutils}/bin/env -C $RUNTIME_DIRECTORY ${pkgs.uwsgi.override {plugins = ["python3"];}}/bin/uwsgi --json ${uwsgiConfigFile}";
      User = "mailman-web";
      Group = "mailman";
      RuntimeDirectory = "mailman-uwsgi";
    };
  };
 }
--- a/hosts/flora-6/owncast.nix
+++ b/hosts/flora-6/owncast.nix
@ -1,24 +0,0 @@
 {
  config,
  lib,
  pkgs,
  self,
  ...
 }: {
  # owncast
  services.owncast = {
    enable = true;
    user = "owncast";
    group = "owncast";
    # The directory where owncast stores its data files.
    dataDir = "/var/lib/owncast";
    # Open the appropriate ports in the firewall for owncast.
    openFirewall = true;
    # The IP address to bind the owncast web server to.
    listen = "127.0.0.1";
    # TCP port where owncast rtmp service listens.
    rtmp-port = 1935;
    # TCP port where owncast web-gui listens.
    port = 5000;
  };
 }
--- a/hosts/flora-6/triton-vmtools.nix
+++ b/hosts/flora-6/triton-vmtools.nix
@ -1,9 +0,0 @@
 {
  pkgs,
  inputs,
  ...
 }: {
  environment.systemPackages = with pkgs; [
    inputs.triton-vmtools.packages.${pkgs.system}.default
  ];
 }
--- a/modules/terminal-life/default.nix
+++ b/modules/terminal-life/default.nix
@ -25,11 +25,6 @@ in {
    programs.command-not-found.enable = false;
    environment.systemPackages = with pkgs; [
      ack
      bat
      exa
      fd
      neovim
      screen
    ];
--- a/overlays/overrides.nix
+++ b/overlays/overrides.nix
@ -5,7 +5,6 @@ channels: final: prev: {
    (channels.latest)
    nixd
    docker_24
    forgejo-actions-runner
    ;
  inherit
--- a/pkgs/_sources/generated.nix
+++ b/pkgs/_sources/generated.nix
@ -3,17 +3,17 @@
 {
  blesh-nvfetcher = {
    pname = "blesh-nvfetcher";
-    version = "4089c4e1cb411121472180189953664b978d8972";
+    version = "9d84b424daf31b192891c06275fff316fa5ddd35";
    src = fetchFromGitHub {
      owner = "akinomyoga";
      repo = "ble.sh";
-      rev = "4089c4e1cb411121472180189953664b978d8972";
+      rev = "9d84b424daf31b192891c06275fff316fa5ddd35";
      fetchSubmodules = true;
      deepClone = false;
      leaveDotGit = true;
-      sha256 = "sha256-ZLkiBm3vsRe42crLffM9Z8F5yzKvNRV2/AqK9RkuU+8=";
+      sha256 = "sha256-7aX5UtDB9pUHHeOi9n+qWsM2KGenHVL6O18vG9W8tmQ=";
    };
-    date = "2023-07-18";
+    date = "2023-10-02";
  };
  instant-nvim-nvfetcher = {
    pname = "instant-nvim-nvfetcher";
--- a/profiles/base-user/session-variables.nix
+++ b/profiles/base-user/session-variables.nix
@ -7,13 +7,6 @@
  psCfg = config.pub-solar;
  wlroots = psCfg.graphical.wayland;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
  globalVariables = {
    EDITOR = "/run/current-system/sw/bin/nvim";
    VISUAL = "/run/current-system/sw/bin/nvim";
    # Make sure virsh runs without root
    LIBVIRT_DEFAULT_URI = "qemu:///system";
  };
  variables = {
    XDG_CONFIG_HOME = xdg.configHome;
    XDG_CACHE_HOME = xdg.cacheHome;
@ -32,8 +25,11 @@
      then "pixman"
      else "gles2";
    EDITOR = "/etc/profiles/per-user/${psCfg.user.name}/bin/nvim";
    VISUAL = "/etc/profiles/per-user/${psCfg.user.name}/bin/nvim";
    # fix "xdg-open fork-bomb" your preferred browser from here
-    BROWSER = "firefox";
+    BROWSER = "${pkgs.firefox-wayland}/bin/firefox";
    # node
    NODE_REPL_HISTORY = "${xdg.dataHome}/node_repl_history";
@ -45,6 +41,9 @@
    NPM_CONFIG_CACHE = "${xdg.configHome}/npm";
    # TODO: used to be XDG_RUNTIME_DIR NPM_CONFIG_TMP = "/tmp/npm";
    # Make sure virsh runs without root
    LIBVIRT_DEFAULT_URI = "qemu:///system";
    # wine
    WINEPREFIX = "${xdg.dataHome}/wineprefixes/default";
@ -121,5 +120,5 @@ in {
    systemd.user.sessionVariables = variablesWithMeta;
  };
-  environment.variables = globalVariables;
+  environment.variables = variablesWithMeta;
 }
--- a/secrets/drone-db-secrets.age
+++ b/secrets/drone-db-secrets.age
@ -1,21 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 Y0ZZaw aeKyGeq9/rWQneJZIkrovdlgAdRTqYuUeqPIhT5dEwk
 pkwICt3TV2RSMo93GMqVNZ6kYorTE48yyVuSdbLlLDc
 -> ssh-ed25519 BVsyTA nNb8z1VNBdzeojDeQ0aRO9W12LVN/Zc5mQmN+jOxInc
 VeoBXWSz2ZbXcFTNc+XtWFtWUomC+PaG8pUrRoF1CCU
 -> ssh-rsa kFDS0A
 h7Wk2206zM8zX9RE1DSSmaEiMI/v3A3p7h+uQB5uLz9nK+l7z92H9nHMExErdA9u
 CjS2/uG8pjHtktNk5/nOyx64myrr3Y/HvJlHKhshiQF26CKiANO1LZa+Vy+P/LyM
 8uI1T+bvqSJLPVr0CJ4gJ32YL9CPp0BJCpR27RHtXhdni9n08biBaib8c6loaD8K
 fZr7TPH40F1mrn9+3paR9vKedJuPwEj2dKiHKcqC2zHr4GW28HwL03xNfCtdWw7x
 Zxjyxk1cagVfPHeG9ObliJOohWZSQB/B4byVaRs6EyhYI0noqg/hl60VcizMmu/+
 PvXxOq2llAnOF0A5gA5b5LtFQD1xRPNLwe6F+rt076Fgt2qn3q3BQGKOahRv0vy6
 d3fEGiZvSgiMFlB6JRHIz2PDbpYHHIAUDEPP3M7a5mdwgKyYyFjsboc5MbRSK609
 oM1QmZg+14fdddisGjuzz96p2SYwcbQu7i4Haf/4i142FYUHYYLtreMTGsW3oCYq
 Qa/SQ2Ip07BFBhGve73W8XXzNyYUW+GLsZOcX/NrxSjAYoVFKMzMVv8DGrt6SXap
 yu6aR6065HJgKEWdssWce/g4xkVpYv7frXnYLdDseMFz7ZfMOc7ieAKYpS5Sb9r3
 LMifMXPRAXkam5JMbVr6aF2k3FkTzeDKrhlH6aKgh5Q
 -> ;cm1-grease
 TvutGCeP
 --- +a2HtxLwZbsg0VlFHB2tIo/ULFcjS6VZ+4EhyvnDVq8
 ñuDz¤lìTN<54>?{ÕêpAjKSzöUŽn.C ©pQ¶ýˆÜüø¹YÿÅo¦‰âu.?¢Æk9';“|Ú€>«Qçlhd)ÄÔSË€7æ5?È›Ÿ+«ÕÛp"<22>.(ˆrãDÉ<44>ÅP½@’¯0+;Whä <20>Ö'Ã
--- a/secrets/drone-secrets.age
+++ b/secrets/drone-secrets.age
--- a/secrets/forgejo-actions-runner-token.age
+++ b/secrets/forgejo-actions-runner-token.age
@ -1,21 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 Y0ZZaw cLetjZ+06zS48SueAbu6ll7HfMi8+v5lcndSTTrrcn0
 dqsiy8kF4BXXVInthrnf7uyeTj/NepnCYucRzm914b0
 -> ssh-ed25519 BVsyTA tjOnTm+Xu/uikNjhbCiMz6aNKXK1ZSionX60jVhC4wM
 GDTXCeZ1LUuYA39UeLCcLLj6YKpGYK2I9enyLdnmOTM
 -> ssh-rsa kFDS0A
 A3Ef0X7xROEZfuW+uWAfQwCkDOCFzIgzcHmeekuE7CGJqphkgJNnfs+8f+2zb+NS
 PWBKuX4A4zd6iWWBHU3ara8VpQ/XQRaGQ6rE0MD90iLurOUrBJhT8WxICrtL+SLB
 GgK1TZHLnoOdOL30E369cjHG3ngxiDNfSnJ4lSEmI+KrkugF1e36Ld10sWF+4CN3
 frKLZ/SkAoOiV4tn+uz8U0e2mgyYt4NdkkEW5qjC9dZL11LiOTbPHMfj+t4Oursr
 uWgC/aVN2lo8xrwTKR+wYGPE8smgPg9kdo/qS3pPay1amTzuB2UIbn9D+9p1H13I
 h9qKVo7hIxBAo57Shzzcu/N5Q+jZ7qKRehUohQiG2xBE8Ta6PXn+dYHil9c75ifx
 JJMoyzmm5kTlmdZTEYnzUsrSMQ1jsKY6jRfgih+IBAz+3ICSLXMTUy+x2txTTf1L
 BsuAJ4ofqoMFn9xuHsAZIOsE6WWr2WgYJ/DWxzrsdph1AoiM2ks2PWx1P6Nko6Es
 k2uzLVTlwV8BhdPmZmLLjXjY6EjQGi9XMRKG1XIFghHxaDWCzJP5n4SLy4nQpEfj
 yIQgrTljd3qrY8cMr7m3CTrbdWglDx+NW+w2ZYjD33CaEHxuhJhVZgpaGHI1+1eJ
 IU1ocYQDBv+qDKRrwDPlm/Qo9GTV1fjMK4eae9s5SB8
 -> CPC/RW-grease -B m#:k?Q$ yPh}&! OBmDxdzJ
 bI+MclhvNA
 --- 1UeacEZQM6xS9TvnO2SVSv/ur5jfQHakGYY0/nW3utA
 c`‚£¬Bßú?ŠÀ£É™Wz<57>ÿþb$‚±ˆZmüèBË]í¾œ	G£pß¯Œwû<77>1
&Ç`<60>ã5èÓõ<C393>› r<>b®™—8ƒ–ˆ©
--- a/secrets/gitea-database-password.age
+++ b/secrets/gitea-database-password.age
@ -1,21 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 Y0ZZaw uzrzBJArGlkBnqZLu6KHIOprfw2g8fg0hnvC7GwNhxw
 6VsKzFS5E11R9TJVSj23yZLjssFW3RNRXi65MaaYb4E
 -> ssh-ed25519 BVsyTA 9QJTZgKGm4x9s4egO2vjxupre2kjOcf+o+bGen8e5nM
 TQIW/4zvD5bxQRGmCujglMKI94wtCc3lGxEYVX6HfNY
 -> ssh-rsa kFDS0A
 L71mZDfLzaWsrwMxS2FHv4HaDv3AEPEZZFOxNroCVNT+4s/ZcYClqiKGrDWzSMvj
 TPN+OPDamzzNjG67t2qkOspjb9aL5906Awnw4mfDjcX03+hoGA1z74bx8weeXf5U
 6/5IxsPlVAjFOEd0Nu0GUW72pvQoVA4oAHrAw01YKcUGTJsF8XfpcNDt70df6IQT
 JU+t6kw3uzUkdgotTatt7lngWIW8NUlMkpCYLEkTV6Xq5kiZBditaO9JgW7+dJw2
 /4fDBo0eWE5IxSN/9aqbDZp4yMuRPbmdw4E0kV5kWixsR5l+8T4oQr8AfaOGBc5C
 vnirQQvQ55DazihYb/04NO4EJn2/ZL2Y/7Pej7BiqVSItp8uc2U99pmigzI4nMIr
 jL3ywv1QwP00R+iDlU1hlGkGjq2Ll0jbxvB8XD6GCKRSIo4pXvZDqFCnzGYz4TKE
 mIxDfyS+HGlQTmuZFcrpqGUSY8SXK65w/7Wc1bHqCYRXBVpw24BTktQtPdaQRW4X
 FxyPB8jXpw/HHQ1ITaheKCi2wrkWaivApHnbgBCqx4VuQgudQAViB2VQZOrcwOIR
 tX23fuE4AhUkIUM8p80CoROZC+fxPGkx5qigzfLDgSdp6SBMB47RlSrmHI42v5oh
 7Z8rbaXlby87zpqO7EzFO/ixpdBrTPyiCuV8oASMqWQ
 -> {J_21-grease
 aUQ
 --- 2n/6hKYw0JRzr3HvMe2SFDdINMATOomDbAXfibwaCKA
 œ=ÅRÆ‡__‹ª<<3C>ŒïÑ¨©›¿jBøWü`<60>Nÿ3vÑ½½tUpk:#tgý<0E>¡éîÜóÌ¸Ë¥5Ë‚Ê¹¤,§À•±xËå¤ùº7œ6ßVŠ[\hPYÙ ¹óÀèrû«
--- a/secrets/gitea-mailer-password.age
+++ b/secrets/gitea-mailer-password.age
--- a/secrets/keycloak-database-password.age
+++ b/secrets/keycloak-database-password.age
@ -1,21 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 Y0ZZaw 6Ab765r1KhdPSNomPyArPOa9EpOK1gJH1O/2ImGovDE
 AbIsUHJvTypKJbOE3LuLFXYkIzfTXxRmiLFy91HzaUE
 -> ssh-ed25519 BVsyTA tCs+TlkHQMbqgeN28U2aLo3luZNHRemLKbsqX8gOSWU
 PU1JXT1JjKeSZ5cybTuq+WOipWWmqhHGLtEVHi1/8pg
 -> ssh-rsa kFDS0A
 TQbtZUL6l+DJxir6AVNUWMNPXrzJ6Ns3xb2C9s+lXsvlTlm834H8nt/JxJBCeRoH
 ymH0PcXKHCk54iPypW5KqFRIwoDYBTi3t3fSqjyLQk4eFNBjByGy+IVAaF6dcS5y
 +pYwpZxgshv8u6iSEiRgLvqp0bIs/g/tPHowZ6ezlpyKOzh3+KRYK7e82dJFznwb
 Q9V+PdWZJLqobbo4bmz7nT3qNlS75tpcVk2FAwsNB1pk3Q4ucbQb33eslSny93s9
 DjGCQFOMCkSZwKk98jV8aV01Liu4+tgMty5Sb6+Ei/tt+4TvjlX3t6hl9kvCVQNn
 gXjc1y2FxfuwN7hTnFYM6QAwB4ETUPwsyqoOAzfFWzpQNpit+ZOtRMw42gcSkhA7
 RcyHeYGtQCeK+MKU9YaWZrDZjFjwpA7oxVkBGk6Xd6drVfw0tMurXpruuIzswo2Q
 iwdSGNsyAmMAKIoAWrjyxuXodgAwii8JgLr93IfkEuOQ/izQQ5sJCFP4Q4pB/Svk
 8yG62fflaJ6epTn2uEBD9EDqlNCGpDwNwdBnASdpcSCeooCqcqDIHpk0VJly+HiQ
 VyxpD+3ZfaguUkiVC44oxAkQocitj8ypNmuGqphG+1ReN4ew8xi74f0WWq4lxkY4
 DieriNG+NG4JS7SgUTz5ZStYbOuIJJ/n82TcejWkJGM
 -> dqJ?-grease .CNJ%TkE
 D6Hq2UnwetlWfmLWLcijubdNB2uJNjRRIw
 --- +wyqgdU3ahUepcqy53z01275bJE6CadK4+yXH0bSvuI
 ò¡ˆœÃ¿ÆV-j‘^/u˜»¼y{ŽÊ‹”Ášj¾Éø 7@¡øâhõ´©‘$†p«·íÜ—Q˜Ý'k œ£äz•<>š#ö:¦<>„‚àˆ·,¿4v}1š<C5A1>Ðr¥Áüje›V
--- a/secrets/mailman-core-secrets.age
+++ b/secrets/mailman-core-secrets.age
--- a/secrets/mailman-db-secrets.age
+++ b/secrets/mailman-db-secrets.age
--- a/secrets/mailman-web-secrets.age
+++ b/secrets/mailman-web-secrets.age
@ -1,23 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 Y0ZZaw ow3ZJJeaGDamcg9i41timzWkN4yMR/7GcEWfzCcbj3U
 DnxakA3u8/S4Z6e7gHdn0HOPxj79wylERS1sCCyf8lg
 -> ssh-ed25519 BVsyTA 8+2zeUwhNjVcF8asfDQN3TWQrcYu3Emcu7/v6E1dEk4
 eeAkJNuF4oj2590vnW3Ve/mEG3mTN4opZKEDYjNMdXo
 -> ssh-rsa kFDS0A
 XLIvXYoewWG/pfqIKGdY+d1IexC4bGg6jKljuMrj9MN5lIvGbZlClETJwxyrKViW
 ZZ19Mo16CBnsrnl0E6K+NRj+gpOAkdbWcPsx3JoHQyPCDlZnNlNJ4iIuXYE6SEM0
 vuwWxQPA9OvgWB8Ck/WoRbhemtJzzkf11dGS0LHs4dITyo8is0YEZTj6IXgg4MDO
 NtIsgkKo30PaLUQvjX/fhrUSrCZCxure15BFRh3TbgKbBmznSJkKXzEPqy95YG0H
 XU0FDxnJlMLNfYJXyBjoJOzL/b2TU85HaNYKSbX9m2XT2vPn5taJDHiro+iFjqBs
 UMWavJ7FbtdKS+iKUdA4DqlIQBopQM/SLH5SFVuQx1g/k6XgqL9gP/G0hjrzyvBO
 tUA/Pc58P5OR52xYN+6Nvsooe9yFNzHklxZerCnNJfZhzNkVuCKuiM9EKfjq2F6V
 sRGdZRIwu7cDP9zsa3AldsFiO6POIbl26nTE7SS4X0VLK+eBX1rXU8wl/XQqQFh0
 N2rueaJ5Bs+cWd7MnzMWuzxCGwDuJomgr7i4JRYfwfVi7g2VyETX1TdbOXPl5JSP
 /qN850rfhO/TbB2Rlc3ZZU+lDFLJmWnyh5nyqzv6bsGRMAhMYlvJ35pd7pitH6Wt
 q9UU4+jX8cJ6g/rcwAYt/h0mOrwpyO1dpc2tbBufYVI
 -> Iy*"-grease Jq*A C .]mQ9fl
 0Nkdf7PXtL4atPLw9zvf2aAyDCdpya93eXHsLRa8M92OQ/g
 --- CoJAKrsHzBMDUswYw62nAucSWUYmyB4S6sFh1tSz38E
 Át…sw3f!žw*¹K4»‘zˆD {Æ‚Ä€lžò¨äÙnY¼y´Ù	<09>TÊêâ 0ñ"xG
 :G÷ª¢ê¼¶`ä~ÕÊ-£ç…~ZÏÁ&¤ÑŸµ9ëÏÞÁÂ±æÙ$ìÜ<1C>g·\ûCsó>
n÷Ä>©ýDÊkí[¥¡»µ·Ü“t<ä5Ï¢±lQW-lâú´XˆÕ3má@ÅÅ3ÌZMõ–Í<E28093>x}‘l5á’¬¯ôœ¹QEœSÿ„l5
 ÏÕšÿY1‰=þ0 ÅvD˜?›ðÄKŸ6´%’KÀâáúÌœ¤b¸¢'š‡¾@§<ÝËÙø½²Ü¿$W,ZÇä,knªIç%PGóðÞ…zKp)ÛØq$^ð>ˆ¥£F0W+‰ 
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,27 +1,8 @@
 let
  # set ssh public keys here for your system and user
-  b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw==";
+  system = "";
-  teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+  user = "";
-  flora-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@pub-solar-infra-vm-1";
+  allKeys = [system user];
  allKeys = [
    flora-6
    teutat3s-dumpyourvms
    b12f-bbcom
  ];
  deployKeys = [
    flora-6
    teutat3s-dumpyourvms
    b12f-bbcom
  ];
 in {
-  "gitea-database-password.age".publicKeys = deployKeys;
+  "secret.age".publicKeys = allKeys;
  "gitea-mailer-password.age".publicKeys = deployKeys;
  "keycloak-database-password.age".publicKeys = deployKeys;
  "drone-secrets.age".publicKeys = deployKeys;
  "drone-db-secrets.age".publicKeys = deployKeys;
  "mailman-core-secrets.age".publicKeys = deployKeys;
  "mailman-web-secrets.age".publicKeys = deployKeys;
  "mailman-db-secrets.age".publicKeys = deployKeys;
  "forgejo-actions-runner-token.age".publicKeys = deployKeys;
 }
--- a/shell/devos.nix
+++ b/shell/devos.nix
@ -59,6 +59,6 @@ in {
    ]
    ++ lib.optionals (pkgs.stdenv.hostPlatform.isLinux && !pkgs.stdenv.buildPlatform.isDarwin) [
      (devos nixos-generators)
-      (devos inputs.deploy.packages.${pkgs.system}.deploy-rs)
+      (devos deploy-rs.deploy-rs)
    ];
 }
--- a/users/barkeeper/default.nix
+++ b/users/barkeeper/default.nix
@ -1,42 +0,0 @@
 {
  config,
  hmUsers,
  pkgs,
  lib,
  ...
 }: let
  psCfg = config.pub-solar;
 in {
  config = {
    home-manager.users = {inherit (hmUsers) barkeeper;};
    pub-solar = {
      # These are your personal settings
      # The only required settings are `name` and `password`,
      # The rest is used for programs like git
      user = {
        name = "barkeeper";
        description = "pub.solar infra user";
        password = "$6$MCJ28kLwfNl9SNDq$Oh9eT6Sn6z4xGrQsLlIBI7cvJzX3P5As59OSZ.hoeBWc79Un2YdwH/hRIC.4ZDOuwQp0lHI82dNn/xeTaCn631";
        fullName = "pub.solar infra barkeeper";
        email = "admins@pub.solar";
        gpgKeyId = "";
        publicKeys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb @hensoko"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKa5elEXgBc2luVBOHVWZisJgt0epFQOercPi0tZzPU root@cloud.pub.solar"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix"
        ];
      };
    };
  };
 }