tadpole: Add match block for git.ppp.pm in ssh

backwards: Add match block for git.ppp.pm in ssh
tadpole: Add secrets for git.ppp.pm
2024-09-05 18:32:06 +02:00 · 2024-09-05 18:29:52 +02:00 · 2024-09-05 18:27:07 +02:00 · 2024-09-05 18:26:47 +02:00 · 2024-09-05 18:20:46 +02:00 · 2024-09-05 12:40:00 +02:00
103 changed files with 948 additions and 1395 deletions
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+.direnv/
 *.qcow2
 result
--- a/config-manager/default.nix
+++ b/config-manager/default.nix
@@ -1,4 +1,10 @@
-{ inputs, pkgs, lib, config, ... }:
+{
+  inputs,
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  flakePath = config.config-manager.flakePath;
  nixosConfiguration = config.config-manager.nixosConfiguration;
@@ -14,15 +20,15 @@ let
      pkgs.writeShellScriptBin "cm" ''
                help() {
                  cat << EOF
-Usage:
+        Usage:
          cm [flag]

-Flags:
+        Flags:
          --update                 updates the flake
          --switch                 rebuilds + switches configuration (using 'nh')
          --build-test-vm, --btvm  build test-vm
          --run-test-vm, --rtvm    run test-vm
-EOF
+        EOF
                }

                update() {
--- a/flake.lock
+++ b/flake.lock
@@ -54,11 +54,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1725037990,
-        "narHash": "sha256-7ZwhCJQ8/BvP5UDSOe9PUzrDlDePxfyDrkEYuuZZJJ8=",
+        "lastModified": 1725470024,
+        "narHash": "sha256-i2iWRFWaTCahFz9B2vKqIqpPimL/yn1zX3lZ2EkBzc0=",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "45405f34d10260753298ff244a9b9c36e04b2e11",
+        "rev": "8a94f9d557f3f8b372f03f18b2e1be3820d7da7f",
        "type": "github"
      },
      "original": {
@@ -113,11 +113,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724435763,
-        "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=",
+        "lastModified": 1725180166,
+        "narHash": "sha256-fzssXuGR/mCeGbzM1ExaTqDz7QDGta3WA4jJsZyRruo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be",
+        "rev": "471e3eb0a114265bcd62d11d58ba8d3421ee68eb",
        "type": "github"
      },
      "original": {
@@ -133,11 +133,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722636442,
-        "narHash": "sha256-+7IS0n3/F0I5j6ZbrVlLcIIPHY3o+/vLAqg/G48sG+w=",
+        "lastModified": 1725276753,
+        "narHash": "sha256-kcV2M7xIoQvLRIrMndysM4E0d2zGSwIDejamT4LKnDg=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "9d67858b437d4a1299be496d371b66fc0d3e01f6",
+        "rev": "ae618eafa81b596db034c5df1d75d4eddf785824",
        "type": "github"
      },
      "original": {
@@ -153,11 +153,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1724689275,
-        "narHash": "sha256-wpxC7XiZ9maYZA4BSLKGXc+pn2fwaiq2Ybu5kNjl1ao=",
+        "lastModified": 1725287741,
+        "narHash": "sha256-ZxyB7BwxQjoMz5lUnsb+KuTWfRyPtJVqEjnlOoABSUE=",
        "owner": "viperML",
        "repo": "nh",
-        "rev": "a922eada049854019c5d1bbc82383f7095773e5c",
+        "rev": "5dd64eb04fddeac2eb08c018212cc58978934920",
        "type": "github"
      },
      "original": {
@@ -183,11 +183,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1724878143,
-        "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
+        "lastModified": 1725470640,
+        "narHash": "sha256-xaIvCE8ZP65fj2HR7DlDX+iJMBxasfjEv+zc6Cuwf3I=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
+        "rev": "ace1cedf3ecfbac81b29522d71009878951a69eb",
        "type": "github"
      },
      "original": {
@@ -199,11 +199,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1724819573,
-        "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
+        "lastModified": 1725103162,
+        "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
+        "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b",
        "type": "github"
      },
      "original": {
@@ -215,11 +215,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1724855419,
-        "narHash": "sha256-WXHSyOF4nBX0cvHN3DfmEMcLOVdKH6tnMk9FQ8wTNRc=",
+        "lastModified": 1725001927,
+        "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ae2fc9e0e42caaf3f068c1bfdc11c71734125e06",
+        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nix-gc-env.url= "github:Julow/nix-gc-env";
+    nix-gc-env.url = "github:Julow/nix-gc-env";

    home-manager = {
      url = "github:nix-community/home-manager";
@@ -39,11 +39,15 @@
    };
  };

-  outputs = { self, ... }@inputs: {
+  outputs =
+    { ... }@inputs:
+    {
      nixosConfigurations = {
        pinwheel = inputs.nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
+          specialArgs = {
+            inherit inputs;
+          };
          modules = [
            ./hosts/pinwheel/configuration.nix
            inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-10th-gen
@@ -53,25 +57,20 @@

        backwards = inputs.nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
+          specialArgs = {
+            inherit inputs;
+          };
          modules = [
            ./hosts/backwards/configuration.nix
            ./hosts/backwards/home.nix
          ];
        };

-      sombrero = inputs.nixpkgs.lib.nixosSystem {
-        system = "aarch64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./hosts/sombrero/configuration.nix
-          ./hosts/sombrero/home.nix
-        ];
-      };
-
        tadpole = inputs.nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
+          specialArgs = {
+            inherit inputs;
+          };
          modules = [
            ./hosts/tadpole/configuration.nix
            ./hosts/tadpole/home.nix
@@ -80,9 +79,22 @@

        test-vm = inputs.nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
+          specialArgs = {
+            inherit inputs;
+          };
          modules = [ ./hosts/test-vm/configuration.nix ];
        };
      };
+
+      devShells =
+        let
+          system = "x86_64-linux";
+          pkgs = inputs.nixpkgs.legacyPackages.${system};
+        in
+        {
+          ${system}.default = pkgs.mkShell {
+            packages = [ pkgs.nixfmt-rfc-style ];
+          };
+        };
    };
 }
--- a/hosts/backwards/configuration.nix
+++ b/hosts/backwards/configuration.nix
@@ -1,14 +1,16 @@
 { pkgs, ... }:
 {
-  imports =
-    [
+  imports = [
    ../../config-manager/default.nix
    ../../shared-modules/syncthing.nix
    ./hardware-configuration.nix
    ./modules
  ];

-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
  nixpkgs.config.allowUnfree = true;

  console.keyMap = "sv-latin1";
@@ -25,8 +27,11 @@
  users.users.alex = {
    isNormalUser = true;
    description = "alex";
-    extraGroups = [ "networkmanager" "wheel" ];
-    packages = [];
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
+    packages = [ ];
  };

  environment.variables.EDITOR = "vim";
--- a/hosts/backwards/hardware-configuration.nix
+++ b/hosts/backwards/hardware-configuration.nix
@@ -1,31 +1,46 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/bad3d82a-7bb8-490f-bd01-a4b16fe6f33d";
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/bad3d82a-7bb8-490f-bd01-a4b16fe6f33d";
    fsType = "ext4";
  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/D049-60DD";
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D049-60DD";
    fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
  };

-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/ff4de0e5-2c60-4ee7-a55c-450727efb921"; }
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/ff4de0e5-2c60-4ee7-a55c-450727efb921"; }
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/hosts/backwards/modules/audiobookshelf/default.nix
+++ b/hosts/backwards/modules/audiobookshelf/default.nix
@@ -0,0 +1,29 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.audiobookshelf.enable;
+in
+{
+  options = {
+    mod.audiobookshelf = {
+      enable = lib.mkEnableOption "Enable audiobookshelf module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    fileSystems."/home/alex/media" = {
+      device = "/dev/disk/by-uuid/ad4acc0f-172c-40f8-8473-777c957e8764";
+      fsType = "ext4";
+      options = [ "nofail" ];
+    };
+
+    services.audiobookshelf = {
+      enable = true;
+
+      user = "alex";
+      group = "users";
+
+      host = "0.0.0.0";
+      port = 8000;
+    };
+  };
+}
--- a/hosts/backwards/modules/boot/default.nix
+++ b/hosts/backwards/modules/boot/default.nix
@@ -1,4 +1,9 @@
-{ inputs, lib, config, ... }:
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
 let
  configurationLimit = config.mod.gc.configurationLimit;
 in
--- a/hosts/backwards/modules/calibre-web/default.nix
+++ b/hosts/backwards/modules/calibre-web/default.nix
@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.calibre-web.enable;
+in
+{
+  options = {
+    mod.calibre-web = {
+      enable = lib.mkEnableOption "add calibre-web module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services = {
+      calibre-web = {
+        enable = true;
+
+        user = "alex";
+        group = "users";
+
+        listen = {
+          ip = "0.0.0.0";
+          port = 8083;
+        };
+
+        options = {
+          calibreLibrary = "/home/alex/sync/books";
+          enableBookUploading = true;
+        };
+      };
+    };
+  };
+}
--- a/hosts/backwards/modules/default.nix
+++ b/hosts/backwards/modules/default.nix
@@ -15,6 +15,8 @@ in
      syncthing.enable = true;
      restic.enable = true;
      transmission.enable = true;
+      audiobookshelf.enable = true;
+      calibre-web.enable = true;
    };
  };
 }
--- a/hosts/backwards/modules/git/default.nix
+++ b/hosts/backwards/modules/git/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.git.enable;
 in
--- a/hosts/backwards/modules/network/default.nix
+++ b/hosts/backwards/modules/network/default.nix
@@ -12,10 +12,12 @@
      wlp1s0 = {
        useDHCP = false;
        ipv4 = {
-          addresses = [{
+          addresses = [
+            {
              address = "192.168.50.202";
              prefixLength = 24;
-          }];
+            }
+          ];
        };
      };
    };
--- a/hosts/backwards/modules/restic/default.nix
+++ b/hosts/backwards/modules/restic/default.nix
@@ -45,7 +45,7 @@ in
          environmentFile = config.age.secrets.restic-cloud-sync-key.path;
          repositoryFile = config.age.secrets.restic-cloud-sync-repository.path;

-          paths = ["/home/alex/sync"];
+          paths = [ "/home/alex/sync" ];

          timerConfig = {
            OnCalendar = "*-*-* 0/12:00:00"; # Every 12th hour, i.e. twice a day
@@ -70,4 +70,3 @@ in
    };
  };
 }
-
--- a/hosts/backwards/modules/ssh/default.nix
+++ b/hosts/backwards/modules/ssh/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.ssh.enable;

@@ -18,6 +23,11 @@ in
        enable = true;

        matchBlocks = {
+          "git.ppp.pm" = {
+            hostname = "git.ppp.pm";
+            identityFile = "/home/alex/.ssh/alex.backwards-git.ppp.pm";
+          };
+
          "codeberg.org" = {
            hostname = "codeberg.org";
            identityFile = "/home/alex/.ssh/alex.backwards-codeberg.org";
@@ -41,10 +51,12 @@ in
        enable = true;
        ports = [ 1122 ];

-        hostKeys = [{
+        hostKeys = [
+          {
            path = "${rootSSHKeyPath}/root.backwards";
            type = "ed25519";
-        }];
+          }
+        ];

        settings = {
          PasswordAuthentication = false;
@@ -77,6 +89,19 @@ in
        path = "${authorizedKeysPath}/alex.pinwheel-backwards.pub";
      };

+      "alex.backwards-git.ppp.pm" = {
+        file = ../../../../secrets/backwards/alex.backwards-git.ppp.pm.age;
+        path = "/home/alex/.ssh/alex.backwards-git.ppp.pm";
+        owner = "alex";
+        group = "users";
+      };
+      "alex.backwards-git.ppp.pm.pub" = {
+        file = ../../../../secrets/backwards/alex.backwards-git.ppp.pm.pub.age;
+        path = "/home/alex/.ssh/alex.backwards-git.ppp.pm.pub";
+        owner = "alex";
+        group = "users";
+      };
+
      "alex.backwards-codeberg.org" = {
        file = ../../../../secrets/backwards/alex.backwards-codeberg.org.age;
        path = "/home/alex/.ssh/alex.backwards-codeberg.org";
--- a/hosts/backwards/modules/syncthing/default.nix
+++ b/hosts/backwards/modules/syncthing/default.nix
@@ -39,7 +39,10 @@ in
        folders = {
          org = {
            path = "/home/alex/sync/org";
-            devices = [ "phone" "pinwheel" ];
+            devices = [
+              "phone"
+              "pinwheel"
+            ];
            versioning = {
              type = "staggered";
              params = {
--- a/hosts/backwards/modules/transmission/default.nix
+++ b/hosts/backwards/modules/transmission/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.transmission.enable;
 in
--- a/hosts/pinwheel/configuration.nix
+++ b/hosts/pinwheel/configuration.nix
@@ -1,7 +1,6 @@
 { pkgs, ... }:
 {
-  imports =
-    [
+  imports = [
    ../../config-manager/default.nix
    ../../nix-wrapper/default.nix
    ../../shared-modules/syncthing.nix
@@ -9,7 +8,10 @@
    ./modules
  ];

-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
  nixpkgs.config.allowUnfree = true;

  users.users.alex = {
--- a/hosts/pinwheel/hardware-configuration.nix
+++ b/hosts/pinwheel/hardware-configuration.nix
@@ -1,27 +1,38 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "thunderbolt"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/9c3ef2ad-0244-4310-9984-2e548ced3e22";
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/9c3ef2ad-0244-4310-9984-2e548ced3e22";
    fsType = "ext4";
  };

  boot.initrd.luks.devices."luks-f569d036-e500-4839-bc78-ce4b032840d8".device = "/dev/disk/by-uuid/f569d036-e500-4839-bc78-ce4b032840d8";

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/FCAE-6849";
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/FCAE-6849";
    fsType = "vfat";
  };

--- a/hosts/pinwheel/home.nix
+++ b/hosts/pinwheel/home.nix
@@ -22,7 +22,6 @@
          pkgs.htop
          pkgs.onlyoffice-bin
          pkgs.wdisplays
-          pkgs.postman
        ];

        home.stateVersion = "23.05";
--- a/hosts/pinwheel/modules/bemenu/default.nix
+++ b/hosts/pinwheel/modules/bemenu/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  hyprlandEnabled = config.mod.hyprland.enable;

--- a/hosts/pinwheel/modules/bluetooth/default.nix
+++ b/hosts/pinwheel/modules/bluetooth/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.bluetooth.enable;
 in
@@ -58,7 +63,12 @@ in
              };
            };
          in
-              builtins.listToAttrs (builtins.map mkTimer [ trackpad headphones ]);
+          builtins.listToAttrs (
+            builtins.map mkTimer [
+              trackpad
+              headphones
+            ]
+          );

        services =
          let
@@ -107,7 +117,12 @@ in
              };
            };
          in
-              builtins.listToAttrs (builtins.map mkService [ trackpad headphones ]);
+          builtins.listToAttrs (
+            builtins.map mkService [
+              trackpad
+              headphones
+            ]
+          );
      };
  };
 }
--- a/hosts/pinwheel/modules/boot/default.nix
+++ b/hosts/pinwheel/modules/boot/default.nix
@@ -1,4 +1,10 @@
-{ inputs, pkgs, lib, config, ... }:
+{
+  inputs,
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  configurationLimit = config.mod.gc.configurationLimit;
 in
--- a/hosts/pinwheel/modules/c/default.nix
+++ b/hosts/pinwheel/modules/c/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.c.enable;
 in
--- a/hosts/pinwheel/modules/chromium/default.nix
+++ b/hosts/pinwheel/modules/chromium/default.nix
@@ -1,6 +1,6 @@
 { pkgs, ... }:
 {
-  home-manager.users.alex= {
+  home-manager.users.alex = {
    home.packages = [ pkgs.ungoogled-chromium ];
  };

--- a/hosts/pinwheel/modules/containers/default.nix
+++ b/hosts/pinwheel/modules/containers/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  dockerEnabled = config.mod.containers.docker.enable;
  podmanEnabled = config.mod.containers.podman.enable;
--- a/hosts/pinwheel/modules/direnv/default.nix
+++ b/hosts/pinwheel/modules/direnv/default.nix
@@ -9,7 +9,6 @@ in
      nix-direnv.enable = true;
    };

-
    programs.direnv.enableZshIntegration = lib.mkIf zshEnabled true;
  };
 }
--- a/hosts/pinwheel/modules/emacs/config.nix
+++ b/hosts/pinwheel/modules/emacs/config.nix
@@ -1,5 +1,5 @@
 { emacs, runCommand, ... }:
-runCommand "default.el" {} ''
+runCommand "default.el" { } ''
  cp ${./config.org} $TMPDIR/config.org
  cd $TMPDIR
  ${emacs}/bin/emacs --batch -Q \
@@ -7,4 +7,4 @@ runCommand "default.el" {} ''
                     -f org-babel-tangle

  mv config.el $out
-  ''
+''
--- a/hosts/pinwheel/modules/emacs/config.org
+++ b/hosts/pinwheel/modules/emacs/config.org
@@ -498,8 +498,9 @@ Setup prefix for keybindings.
  )

  (defun alex/format-on-save ()
-    (add-hook 'before-save-hook #'eglot-format-buffer -10 t)
-  )
+    (let ((excluded-files '("secrets.nix")))
+  	(unless (member (file-name-nondirectory buffer-file-name) excluded-files)
+        (add-hook 'before-save-hook #'eglot-format-buffer -10 t))))

  (use-package eglot
    :config
@@ -507,6 +508,9 @@ Setup prefix for keybindings.
      '(scala-mode .
        ("metals" :initializationOptions (:isHttpEnabled t))))

+    (add-to-list 'eglot-server-programs
+       '(nix-mode . ("nixd")))
+
    (setq-default eglot-workspace-configuration
      '(
        :metals (
@@ -521,7 +525,10 @@ Setup prefix for keybindings.
           (go-mode . alex/format-on-save)

           (c-mode . eglot-ensure)
+
           (nix-mode . eglot-ensure)
+           (nix-mode . alex/format-on-save)
+
           (javascript-mode . eglot-ensure)
           (js-mode . eglot-ensure)
           (js-jsx-mode . eglot-ensure)
--- a/hosts/pinwheel/modules/emacs/default.nix
+++ b/hosts/pinwheel/modules/emacs/default.nix
@@ -3,7 +3,7 @@ let
  emacs = pkgs.emacsWithPackagesFromUsePackage {
    package = pkgs.emacs-unstable;
    config = ./config.org;
-    defaultInitFile = pkgs.callPackage ./config.nix {};
+    defaultInitFile = pkgs.callPackage ./config.nix { };

    alwaysEnsure = true;
    alwaysTangle = true;
@@ -51,6 +51,7 @@ in
      emacs
      pkgs.wl-clipboard
      pkgs.emacs-lsp-booster
+      pkgs.nixd
    ];
  };

--- a/hosts/pinwheel/modules/firefox/default.nix
+++ b/hosts/pinwheel/modules/firefox/default.nix
@@ -59,7 +59,7 @@ in
          name = "alex";
          isDefault = true;

-          settings = sharedSettings // {};
+          settings = sharedSettings // { };
        };

        work = {
@@ -109,12 +109,14 @@ in
      configFile."mimeapps.list".force = true;
    };

-
-    home.packages = [ ff ff-alex ];
+    home.packages = [
+      ff
+      ff-alex
+    ];
  };

  environment.variables = {
-    MOZ_ENABLE_WAYLAND=1;
+    MOZ_ENABLE_WAYLAND = 1;
    BROWSER = "${ff-alex}/bin/ff-alex $@";
  };
 }
--- a/hosts/pinwheel/modules/foot/default.nix
+++ b/hosts/pinwheel/modules/foot/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.foot.enable;

--- a/hosts/pinwheel/modules/git/default.nix
+++ b/hosts/pinwheel/modules/git/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.git.enable;
 in
--- a/hosts/pinwheel/modules/go/default.nix
+++ b/hosts/pinwheel/modules/go/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.go.enable;
 in
@@ -10,9 +15,9 @@ in
  };

  config = lib.mkIf enabled {
-    nixpkgs.overlays = let
-      buildGo122 = pkgs: pkg:
-        pkg.override { buildGoModule = pkgs.buildGo122Module; };
+    nixpkgs.overlays =
+      let
+        buildGo122 = pkgs: pkg: pkg.override { buildGoModule = pkgs.buildGo122Module; };
      in
      [
        (final: prev: {
--- a/hosts/pinwheel/modules/greetd/default.nix
+++ b/hosts/pinwheel/modules/greetd/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.greetd.enable;
 in
@@ -13,7 +18,8 @@ in
    services.greetd = {
      enable = true;

-      settings = let
+      settings =
+        let
          session = {
            user = "alex";
            command = "${pkgs.hyprland}/bin/Hyprland";
--- a/hosts/pinwheel/modules/hyprland/default.nix
+++ b/hosts/pinwheel/modules/hyprland/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.hyprland.enable;
 in
@@ -55,7 +60,7 @@ in
            # 2 - Cursor focus will be detached from keyboard focus. Clicking on a window will move keyboard focus to that window.
            follow_mouse = 2;

-            sensitivity = 0.30;
+            sensitivity = 0.3;
            touchpad = {
              natural_scroll = false;
              tap-and-drag = false;
@@ -82,16 +87,19 @@ in
            no_gaps_when_only = 1;
          };

-          bind = let
-            ws = x:
-              let n = if (x + 1) < 10
-                then (x + 1)
-                else 0;
+          bind =
+            let
+              ws =
+                x:
+                let
+                  n = if (x + 1) < 10 then (x + 1) else 0;
                in
                builtins.toString n;

              select = builtins.genList (x: "$mod, ${ws x}, workspace, ${builtins.toString (x + 1)}") 10;
-            move = builtins.genList (x: "$mod SHIFT, ${ws x}, movetoworkspacesilent, ${builtins.toString (x + 1)}") 10;
+              move = builtins.genList (
+                x: "$mod SHIFT, ${ws x}, movetoworkspacesilent, ${builtins.toString (x + 1)}"
+              ) 10;

              magnifier = pkgs.writeShellScript "magnifier" ''
                CURRENT=$(${pkgs.hyprland}/bin/hyprctl getoption cursor:zoom_factor -j | ${pkgs.jq}/bin/jq .float)
@@ -111,7 +119,9 @@ in
                ${pkgs.hyprland}/bin/hyprctl keyword cursor:zoom_factor $UPDATED
              '';
            in
-          select ++ move ++ [
+            select
+            ++ move
+            ++ [
              "$mod, ESCAPE, killactive"

              "$mod, f, fullscreen, 1"
@@ -183,12 +193,16 @@ in
        pkgs.libnotify
      ];

-      script = let
-        moveWSToMonitor = monitor: first: last:
-          if last < first
-          then throw "'first' has to be less than or equal to 'last'"
+      script =
+        let
+          moveWSToMonitor =
+            monitor: first: last:
+            if last < first then
+              throw "'first' has to be less than or equal to 'last'"
            else
-            builtins.genList (n: "dispatch moveworkspacetomonitor ${builtins.toString (first + n)} ${monitor}") (last - first + 1);
+              builtins.genList (
+                n: "dispatch moveworkspacetomonitor ${builtins.toString (first + n)} ${monitor}"
+              ) (last - first + 1);

          external = moveWSToMonitor "HDMI-A-1" 1 5;
          internal = moveWSToMonitor "eDPI-1" 6 10;
--- a/hosts/pinwheel/modules/javascript/default.nix
+++ b/hosts/pinwheel/modules/javascript/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ...}:
+{ pkgs, ... }:
 {
  home-manager.users.alex = {
    home.packages = [ pkgs.nodePackages.typescript-language-server ];
--- a/hosts/pinwheel/modules/keyboard/default.nix
+++ b/hosts/pinwheel/modules/keyboard/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.keyboard.enable;
 in
--- a/hosts/pinwheel/modules/light/default.nix
+++ b/hosts/pinwheel/modules/light/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  hyprlandEnabled = config.mod.hyprland.enable;
 in
--- a/hosts/pinwheel/modules/mullvad/default.nix
+++ b/hosts/pinwheel/modules/mullvad/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.mullvad.enable;
 in
--- a/hosts/pinwheel/modules/nix/default.nix
+++ b/hosts/pinwheel/modules/nix/default.nix
@@ -2,7 +2,7 @@
 {
  home-manager.users.alex = {
    home.packages = [
-      pkgs.nil
+      pkgs.nixfmt-rfc-style
      pkgs.nix-tree
    ];
  };
--- a/hosts/pinwheel/modules/openvpn/default.nix
+++ b/hosts/pinwheel/modules/openvpn/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.openvpn.enable;
 in
--- a/hosts/pinwheel/modules/physlock/default.nix
+++ b/hosts/pinwheel/modules/physlock/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.physlock.enable;
  hyprlandEnabled = config.mod.hyprland.enable;
--- a/hosts/pinwheel/modules/power/default.nix
+++ b/hosts/pinwheel/modules/power/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.power.enable;
  lowbat = config.mod.lowbat;
@@ -39,8 +44,8 @@ in
        enable = true;

        settings = {
-          START_CHARGE_THRESH_BAT0=75;
-          STOP_CHARGE_THRESH_BAT0=80;
+          START_CHARGE_THRESH_BAT0 = 75;
+          STOP_CHARGE_THRESH_BAT0 = 80;
        };
      };
    };
@@ -58,7 +63,7 @@ in
            Persistent = true;
          };

-          wantedBy = ["timers.target"];
+          wantedBy = [ "timers.target" ];
        };
      };

@@ -78,9 +83,11 @@ in
            pkgs.swaylock
          ];

-          script = let
+          script =
+            let
              pause-music = "${pkgs.playerctl}/bin/playerctl -p spotify pause";
-          in ''
+            in
+            ''
               BATTERY_CAPACITY=$(cat /sys/class/power_supply/${lowbat.battery}/capacity)
               BATTERY_STATUS=$(cat /sys/class/power_supply/${lowbat.battery}/status)
               echo "Battery capacity: $BATTERY_CAPACITY"
--- a/hosts/pinwheel/modules/python/default.nix
+++ b/hosts/pinwheel/modules/python/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.python.enable;
 in
--- a/hosts/pinwheel/modules/rust/default.nix
+++ b/hosts/pinwheel/modules/rust/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.rust.enable;
 in
--- a/hosts/pinwheel/modules/scala/default.nix
+++ b/hosts/pinwheel/modules/scala/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.scala.enable;

--- a/hosts/pinwheel/modules/screenshot/default.nix
+++ b/hosts/pinwheel/modules/screenshot/default.nix
@@ -1,4 +1,10 @@
-{ inputs, pkgs, lib, config, ...}:
+{
+  inputs,
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  hyprlandEnabled = config.mod.hyprland.enable;

--- a/hosts/pinwheel/modules/scripts/default.nix
+++ b/hosts/pinwheel/modules/scripts/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.scripts.enable;

--- a/hosts/pinwheel/modules/sound/default.nix
+++ b/hosts/pinwheel/modules/sound/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  hyprlandEnabled = config.mod.hyprland.enable;
 in
@@ -20,7 +25,8 @@ in
  home-manager.users.alex = {
    wayland.windowManager.hyprland = lib.mkIf hyprlandEnabled {
      settings = {
-        bind = let
+        bind =
+          let
            toggle-output-mute = pkgs.writeShellScript "toggle-output-mute" ''
              ${pkgs.wireplumber}/bin/wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle
              MUTED=$(${pkgs.wireplumber}/bin/wpctl get-volume @DEFAULT_AUDIO_SINK@ | grep MUTED | wc -l)
@@ -32,7 +38,8 @@ in
              MUTED=$(${pkgs.wireplumber}/bin/wpctl get-volume @DEFAULT_AUDIO_SOURCE@ | grep MUTED | wc -l)
              echo $MUTED > /sys/class/leds/platform::micmute/brightness
            '';
-        in [
+          in
+          [
            ", XF86AudioRaiseVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume -l 1.5 @DEFAULT_AUDIO_SINK@ 2%+"
            ", XF86AudioLowerVolume, exec, ${pkgs.wireplumber}/bin/wpctl set-volume @DEFAULT_AUDIO_SINK@ 2%-"
            ", XF86AudioMute, exec, ${toggle-output-mute}"
--- a/hosts/pinwheel/modules/spotify/default.nix
+++ b/hosts/pinwheel/modules/spotify/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  hyprlandEnabled = config.mod.hyprland.enable;
 in
@@ -6,10 +11,12 @@ in
  home-manager.users.alex = {
    wayland.windowManager.hyprland = lib.mkIf hyprlandEnabled {
      settings = {
-        bind = let
+        bind =
+          let
            prev = "${pkgs.playerctl}/bin/playerctl -p spotify previous";
            next = "${pkgs.playerctl}/bin/playerctl -p spotify next";
-        in [
+          in
+          [
            ", XF86AudioPrev, exec, ${prev}"
            ", XF86AudioNext, exec, ${next}"
            ", XF86AudioPlay, exec, ${pkgs.playerctl}/bin/playerctl -p spotify play-pause"
--- a/hosts/pinwheel/modules/ssh/default.nix
+++ b/hosts/pinwheel/modules/ssh/default.nix
@@ -12,20 +12,6 @@
          port = 1122;
        };

-        "sombrero.local" = {
-          hostname = "192.168.50.200";
-          user = "alex";
-          identityFile = "/home/alex/.ssh/alex.pinwheel-sombrero";
-          port = 1122;
-        };
-
-        "sombrero" = {
-          hostname = "sombrero.a2x.se";
-          user = "alex";
-          identityFile = "/home/alex/.ssh/alex.pinwheel-sombrero";
-          port = 1122;
-        };
-
        "andromeda" = {
          hostname = "andromeda.a2x.se";
          user = "alex";
@@ -72,18 +58,6 @@
      owner = "alex";
      group = "users";
    };
-    "alex.pinwheel-sombrero" = {
-      file = ../../../../secrets/pinwheel/alex.pinwheel-sombrero.age;
-      path = "/home/alex/.ssh/alex.pinwheel-sombrero";
-      owner = "alex";
-      group = "users";
-    };
-    "alex.pinwheel-sombrero.pub" = {
-      file = ../../../../secrets/pinwheel/alex.pinwheel-sombrero.pub.age;
-      path = "/home/alex/.ssh/alex.pinwheel-sombrero.pub";
-      owner = "alex";
-      group = "users";
-    };

    "alex.pinwheel-github.com" = {
      file = ../../../../secrets/pinwheel/alex.pinwheel-github.com.age;
@@ -155,9 +129,11 @@
    enable = true;
    ports = [ 1122 ];

-    hostKeys = [{
+    hostKeys = [
+      {
        path = "/etc/ssh/pinwheel";
        type = "ed25519";
-    }];
+      }
+    ];
  };
 }
--- a/hosts/pinwheel/modules/swaylock/default.nix
+++ b/hosts/pinwheel/modules/swaylock/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.swaylock.enable;
  hyprlandEnabled = config.mod.hyprland.enable;
@@ -30,7 +35,8 @@ in

      wayland.windowManager.hyprland = lib.mkIf hyprlandEnabled {
        settings = {
-          bind = let
+          bind =
+            let
              pause-music = "${pkgs.playerctl}/bin/playerctl -p spotify pause";

              dpmsTimeout = config.mod.swaylock.dpmsTimeout;
--- a/hosts/pinwheel/modules/syncthing/default.nix
+++ b/hosts/pinwheel/modules/syncthing/default.nix
@@ -16,13 +16,15 @@
      devices = {
        phone.id = config.lib.syncthing.phone;
        backwards.id = config.lib.syncthing.backwards;
-        sombrero.id = config.lib.syncthing.sombrero;
      };

      folders = {
        org = {
          path = "/home/alex/sync/org";
-          devices = [ "sombrero" "phone" "backwards" ];
+          devices = [
+            "phone"
+            "backwards"
+          ];
          versioning = {
            type = "staggered";
            params = {
@@ -33,7 +35,7 @@

        personal = {
          path = "/home/alex/sync/personal";
-          devices = [ "sombrero" "backwards" ];
+          devices = [ "backwards" ];
          versioning = {
            type = "staggered";
            params = {
@@ -44,7 +46,7 @@

        work = {
          path = "/home/alex/sync/work";
-          devices = [ "sombrero" "backwards" ];
+          devices = [ "backwards" ];
          versioning = {
            type = "staggered";
            params = {
@@ -55,7 +57,7 @@

        books = {
          path = "/home/alex/sync/books";
-          devices = [ "sombrero" "backwards" ];
+          devices = [ "backwards" ];
          versioning = {
            type = "staggered";
            params = {
--- a/hosts/pinwheel/modules/terraform/default.nix
+++ b/hosts/pinwheel/modules/terraform/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ...}:
+{ pkgs, ... }:
 {
  home-manager.users.alex = {
    home.packages = [
--- a/hosts/pinwheel/modules/vm/default.nix
+++ b/hosts/pinwheel/modules/vm/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.vm.enable;
 in
@@ -26,8 +31,8 @@ in
    home-manager.users.alex = {
      dconf.settings = {
        "org/virt-manager/virt-manager/connections" = {
-          autoconnect = ["qemu:///system"];
-          uris = ["qemu:///system"];
+          autoconnect = [ "qemu:///system" ];
+          uris = [ "qemu:///system" ];
        };
      };
    };
--- a/hosts/pinwheel/modules/waybar/default.nix
+++ b/hosts/pinwheel/modules/waybar/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  hyprlandEnabled = config.mod.hyprland.enable;

@@ -194,8 +199,15 @@ in
            "interval" = 60;
            "format" = "<span font='10' rise='1000'>{icon}</span> {capacity}%";
            "format-time" = "{H}h {M}min";
-            "format-charging" ="󰂄 {capacity}%";
-            "format-icons" = ["󰁺" "󰁻" "󰁽" "󰁿" "󰂁" "󰁹" ];
+            "format-charging" = "󰂄 {capacity}%";
+            "format-icons" = [
+              "󰁺"
+              "󰁻"
+              "󰁽"
+              "󰁿"
+              "󰂁"
+              "󰁹"
+            ];
          };

          "clock" = {
--- a/hosts/pinwheel/modules/wezterm/default.nix
+++ b/hosts/pinwheel/modules/wezterm/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.wezterm.enable;

--- a/hosts/pinwheel/modules/work/default.nix
+++ b/hosts/pinwheel/modules/work/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  gitEnabled = config.mod.git.enable;
  goEnabled = config.mod.go.enable;
@@ -7,21 +12,25 @@ in
 {
  home-manager.users.alex = {
    home.sessionVariables = {
-      GITHUB_ACTOR="Alexander Heldt";
-      GITHUB_TOKEN="$(${pkgs.coreutils}/bin/cat ${config.age.secrets.work-github-token.path})";
+      GITHUB_ACTOR = "Alexander Heldt";
+      GITHUB_TOKEN = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.work-github-token.path})";
    };

    home.packages = [
-      (pkgs.callPackage ./syb-cli.nix {})
-      (pkgs.callPackage ./pants.nix {})
+      (pkgs.callPackage ./syb-cli.nix { })

      (pkgs.jetbrains.plugins.addPlugins pkgs.jetbrains.idea-ultimate [ "ideavim" ])
-      (pkgs.google-cloud-sdk.withExtraComponents [ pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin ])
-      (pkgs.graphite-cli.overrideAttrs(_: {
+      (pkgs.google-cloud-sdk.withExtraComponents [
+        pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin
+      ])
+      (pkgs.graphite-cli.overrideAttrs (_: {
        version = "1.4.3";
      }))
      pkgs.xdg-utils # needed by graphite-cli

+      pkgs.postman
+      pkgs.grpcurl
+
      # for `radio`
      pkgs.go-mockery
      pkgs.golangci-lint
--- a/hosts/pinwheel/modules/work/pants.nix
+++ b/hosts/pinwheel/modules/work/pants.nix
@@ -1,47 +0,0 @@
-{
-  fetchurl,
-  pkgs,
-  lib,
-}:
-let
-  pname = "pants";
-  version = "0.12.0";
-
-  scie-pants = pkgs.stdenv.mkDerivation {
-    inherit pname version;
-
-    src = fetchurl {
-      url = "https://github.com/pantsbuild/scie-pants/releases/download/v${version}/scie-${pname}-linux-x86_64";
-      hash = "sha256-9PjgobndxVqDTYGtw1HESrtzwzH2qE9zFwR26xtwZrM=";
-    };
-
-    phases = ["installPhase" "patchPhase"];
-    installPhase = ''
-      mkdir -p $out/bin
-      cp $src $out/bin/pants
-      chmod +x $out/bin/pants
-    '';
-  };
-in
-pkgs.buildFHSUserEnv  {
-  name = "pants";
-
-  targetPackages = with pkgs; [
-    python39
-  ];
-
-  runScript = "${scie-pants}/bin/pants";
-  profile = ''
-    export NIX_SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"
-    export SSL_CERT_FILE="/etc/ssl/certs/ca-bundle.crt"
-  '';
-
-  meta = with lib; {
-    description = "Protects your Pants from the elements";
-    homepage = "https://github.com/pantsbuild/scie-pants";
-    license = licenses.asl20;
-    maintainers = [];
-    platforms = [ "x86_64-linux" ];
-    mainProgram = "pants";
-  };
-}
--- a/hosts/pinwheel/modules/zsh/default.nix
+++ b/hosts/pinwheel/modules/zsh/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.zsh.enable;
 in
--- a/hosts/sombrero/configuration.nix
+++ b/hosts/sombrero/configuration.nix
@@ -1,79 +0,0 @@
-{ pkgs, ... }:
-{
-  imports =
-    [
-      ../../config-manager/default.nix
-      ../../shared-modules/syncthing.nix
-      ./hardware-configuration.nix
-      ./modules
-    ];
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  nixpkgs.config.allowUnfree = true;
-
-  environment.variables.EDITOR = "vim";
-
-  hardware.enableRedistributableFirmware = true;
-
-  # Set your time zone.
-  time.timeZone = "Europe/Stockholm";
-
-  # Select internationalisation properties.
-  # i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  #   useXkbConfig = true; # use xkbOptions in tty.
-  # };
-
-  users = {
-    mutableUsers = false;
-
-    users.root = {
-      hashedPassword = "$6$3mkwaUWd8NA6XuEb$x80tETKGz6FEG.kej3v5Vh6hRNoC6bikhXogTP.zZwYtISA46JaN3RMK3ckbqt8Aj52d3krSLOfBaAR1qzuJ2/";
-    };
-
-    users."alex" = {
-      isNormalUser = true;
-      hashedPassword = "$6$3mkwaUWd8NA6XuEb$x80tETKGz6FEG.kej3v5Vh6hRNoC6bikhXogTP.zZwYtISA46JaN3RMK3ckbqt8Aj52d3krSLOfBaAR1qzuJ2/";
-      extraGroups = [ "wheel" ];
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    gnumake
-    mkpasswd
-    vim
-  ];
-
-  config-manager = {
-    flakePath = "/home/alex/config";
-  };
-
-  mod = {
-    git.enable = true;
-    ssh.enable = true;
-    docker.enable = true;
-    nginx.enable = true;
-    syncthing.enable = true;
-    plex.enable = true;
-    calibre-web.enable = true;
-    transmission.enable = true;
-    restic.enable = true;
-    pppdotpm-site.enable = false;
-  };
-
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  # system.copySystemConfiguration = true;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.11"; # Did you read the comment?
-}
--- a/hosts/sombrero/hardware-configuration.nix
+++ b/hosts/sombrero/hardware-configuration.nix
@@ -1,52 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/15329cb1-655e-475d-96f0-bfb8ccd05167";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/AD29-0697";
-      fsType = "vfat";
-    };
-
-  fileSystems."/home/alex/media" =
-    { device = "/dev/disk/by-uuid/ad4acc0f-172c-40f8-8473-777c957e8764";
-      fsType = "ext4";
-      options = [ "nofail" ];
-    };
-
-  fileSystems."/home/alex/backup" =
-    { device = "/dev/disk/by-uuid/34601701-65e6-4b2c-ac4d-8bef3dfd743f";
-      fsType = "ext4";
-      options = [ "nofail" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/98c46b15-7efe-43fd-8812-7e2c01f5a40a"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
-}
--- a/hosts/sombrero/home.nix
+++ b/hosts/sombrero/home.nix
@@ -1,25 +0,0 @@
-{ inputs, pkgs, ... }:
-{
-  imports = [ inputs.home-manager.nixosModules.home-manager ];
-
-  config = {
-    home-manager = {
-      useGlobalPkgs = true;
-      useUserPackages = true;
-
-      users.alex = {
-        programs.home-manager.enable = true;
-
-        home.username = "alex";
-        home.homeDirectory = "/home/alex";
-
-        home.packages = [
-          pkgs.unar
-        ];
-
-        home.stateVersion = "22.11";
-      };
-    };
-  };
-
-}
--- a/hosts/sombrero/modules/age/default.nix
+++ b/hosts/sombrero/modules/age/default.nix
@@ -1,14 +0,0 @@
-{ inputs, pkgs, ... }:
-{
-  imports = [ inputs.agenix.nixosModules.default ];
-
-  config = {
-    age = {
-      identityPaths = [ "/etc/ssh/sombrero" ];
-    };
-
-    environment.systemPackages = [
-      inputs.agenix.packages."${pkgs.system}".default
-    ];
-  };
-}
--- a/hosts/sombrero/modules/boot/default.nix
+++ b/hosts/sombrero/modules/boot/default.nix
@@ -1,25 +0,0 @@
-{ pkgs, ... }: {
-  boot = {
-    loader = {
-      grub.enable = false;
-      efi.canTouchEfiVariables = true;
-
-      raspberryPi = {
-        enable = true;
-        version = 4;
-      };
-    };
-
-    tmp = {
-      useTmpfs = true;
-    };
-
-    kernelPackages = pkgs.linuxPackages_rpi4;
-    kernelParams = [
-      "8250.nr_uarts=1"
-      "console=ttyAMA0,115200"
-      "console=tty1"
-      "cma=128M"
-    ];
-  };
-}
--- a/hosts/sombrero/modules/calibre-web/default.nix
+++ b/hosts/sombrero/modules/calibre-web/default.nix
@@ -1,52 +0,0 @@
-{ lib, config, ... }:
-let
-  enabled = config.mod.calibre-web.enable;
-  nginxEnabled = config.mod.nginx.enable;
-in
-{
-  options = {
-    mod.calibre-web = {
-      enable = lib.mkEnableOption "add calibre-web module";
-    };
-  };
-
-  config = lib.mkIf (enabled && nginxEnabled) {
-    services = {
-      calibre-web = {
-        enable = true;
-
-        user = "alex";
-        group = "users";
-
-        listen = {
-          ip = "127.0.0.1";
-          port = 8083;
-        };
-
-        options = {
-          calibreLibrary = "/home/alex/backup/books";
-          enableBookUploading = true;
-        };
-      };
-    };
-
-    networking = {
-      firewall = {
-        allowedTCPPorts = [ 8083 ];
-      };
-    };
-
-    services = {
-      nginx = {
-        virtualHosts."books.sombrero.a2x.se" = {
-          forceSSL = true;
-          enableACME = true;
-
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:8083";
-          };
-        };
-      };
-    };
-  };
-}
--- a/hosts/sombrero/modules/default.nix
+++ b/hosts/sombrero/modules/default.nix
@@ -1,8 +0,0 @@
-{ lib, ... }:
-let
-  toModulePath = dir: _: ./. + "/${dir}";
-  filterDirs = dirs: lib.attrsets.filterAttrs (_: type: type == "directory") dirs;
-in
-{
-  imports = lib.mapAttrsToList toModulePath (filterDirs (builtins.readDir ./.));
-}
--- a/hosts/sombrero/modules/docker/default.nix
+++ b/hosts/sombrero/modules/docker/default.nix
@@ -1,29 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  enabled = config.mod.docker.enable;
-in
-{
-  options = {
-    mod.docker = {
-      enable = lib.mkEnableOption "enable docker module";
-    };
-  };
-
-  config = lib.mkIf enabled {
-    virtualisation = {
-      docker = {
-        enable = true;
-      };
-
-      oci-containers = {
-        backend = "docker";
-      };
-    };
-
-    users.users.alex.extraGroups = [ "docker" ];
-
-    home-manager.users.alex = {
-      home.packages = [ pkgs.docker-compose ];
-    };
-  };
-}
--- a/hosts/sombrero/modules/git/default.nix
+++ b/hosts/sombrero/modules/git/default.nix
@@ -1,30 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  enabled = config.mod.git.enable;
-in
-{
-  options = {
-    mod.git = {
-      enable = lib.mkEnableOption "enable git module";
-    };
-  };
-
-  config = lib.mkIf enabled {
-    home-manager.users.alex = {
-      programs.git = {
-        enable = true;
-
-        includes = [
-          { path = ./gitconfig; }
-        ];
-      };
-
-      home.packages = [ pkgs.tig ];
-
-      home.file.".tigrc".text = ''
-        set main-view-line-number = yes
-        set main-view-line-number-interval = 1
-      '';
-    };
-  };
-}
--- a/hosts/sombrero/modules/git/gitconfig
+++ b/hosts/sombrero/modules/git/gitconfig
@@ -1,10 +0,0 @@
-[user]
-    name = Alexander Heldt
-    email = me@alexanderheldt.se
-
-[url "git@github.com:"]
-    insteadOf = https://github.com/
-
-[url "git@codeberg.org:"]
-    insteadOf = https://codeberg.org/
-
--- a/hosts/sombrero/modules/mullvad/default.nix
+++ b/hosts/sombrero/modules/mullvad/default.nix
@@ -1,6 +0,0 @@
-{ ... }:
-{
-  services.mullvad-vpn = {
-    enable = true;
-  };
-}
--- a/hosts/sombrero/modules/network/default.nix
+++ b/hosts/sombrero/modules/network/default.nix
@@ -1,18 +0,0 @@
-{
-  networking = {
-    hostName = "sombrero";
-
-    defaultGateway = "192.168.50.1";
-    nameservers = [ "8.8.8.8" ];
-    interfaces = {
-      eth0 = {
-        ipv4 = {
-          addresses = [{
-            address = "192.168.50.200";
-            prefixLength = 24;
-          }];
-        };
-      };
-    };
-  };
-}
--- a/hosts/sombrero/modules/nginx/default.nix
+++ b/hosts/sombrero/modules/nginx/default.nix
@@ -1,38 +0,0 @@
-{ lib, config, ... }:
-let
-  enabled = config.mod.nginx.enable;
-in
-{
-  options = {
-    mod.nginx = {
-      enable = lib.mkEnableOption "add nginx module";
-    };
-  };
-
-  config = lib.mkIf enabled {
-    security = {
-      acme = {
-        acceptTerms = true;
-
-        defaults = {
-          email = "p@ppp.pm";
-        };
-      };
-    };
-
-    services = {
-      nginx = {
-        enable = true;
-
-        recommendedProxySettings = true;
-        recommendedTlsSettings = true;
-      };
-    };
-
-    networking = {
-      firewall = {
-        allowedTCPPorts = [ 80 443 ];
-      };
-    };
-  };
-}
--- a/hosts/sombrero/modules/plex/default.nix
+++ b/hosts/sombrero/modules/plex/default.nix
@@ -1,42 +0,0 @@
-{ lib, config, ... }:
-let
-  enable = config.mod.plex.enable;
-  dockerEnabled = config.mod.docker.enable;
-in
-{
-  options = {
-    mod.plex = {
-      enable = lib.mkEnableOption "enable plex module";
-    };
-  };
-
-  config = lib.mkIf (enable && dockerEnabled) {
-    virtualisation = {
-      oci-containers.containers = {
-        plex = {
-          image = "linuxserver/plex";
-          autoStart = true;
-
-          environment = {
-            TZ = "Europe/Stockholm";
-            VERSION = "latest";
-          };
-
-          extraOptions = [ "--network=host" ];
-
-          volumes = [
-            "/home/alex/media/plex/db:/config"
-            "/home/alex/media/movies:/movies"
-            "/home/alex/media/tv:/tv"
-          ];
-        };
-      };
-    };
-
-    networking = {
-      firewall = {
-        allowedTCPPorts = [ 32400 ];
-      };
-    };
-  };
-}
--- a/hosts/sombrero/modules/ppp.pm-site/default.nix
+++ b/hosts/sombrero/modules/ppp.pm-site/default.nix
@@ -1,33 +0,0 @@
-{ inputs, lib, config, ... }:
-let
-  enabled = config.mod.pppdotpm-site.enable;
-
-  nginxEnabled = config.mod.nginx.enable;
-in
-{
-  imports = [ inputs.pppdotpm-site.nixosModules.default ];
-
-  options = {
-    mod.pppdotpm-site = {
-      enable = lib.mkEnableOption "enable ppp.pm site";
-    };
-  };
-
-  config = lib.mkIf (enabled && nginxEnabled) {
-    security.acme = {
-      certs = {
-        "ppp.pm" = {
-          webroot = "/var/lib/acme/acme-challenge/";
-          email = "p@ppp.pm";
-          group = "nginx";
-        };
-      };
-    };
-
-    services.pppdotpm-site = {
-      enable = true;
-      domain = "ppp.pm";
-      useACMEHost = "ppp.pm";
-    };
-  };
-}
--- a/hosts/sombrero/modules/restic/default.nix
+++ b/hosts/sombrero/modules/restic/default.nix
@@ -1,43 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  enabled = config.mod.restic.enable;
-in
-{
-  options = {
-    mod.restic = {
-      enable = lib.mkEnableOption "enable restic module";
-    };
-  };
-
-  config = lib.mkIf enabled {
-    services = {
-      restic.backups = {
-        "sync" = {
-          initialize = true;
-
-          user = "alex";
-
-          passwordFile = "/home/alex/backup/restic/password.file";
-          environmentFile = "/home/alex/backup/restic/aws.env";
-          repository = "s3:https://s3.eu-north-1.amazonaws.com/restic-sync-backup";
-
-          paths = ["/home/alex/backup/sync"];
-
-          timerConfig = {
-            OnCalendar = "daily";
-            Persistent = true;
-          };
-
-          pruneOpts = [
-            "--keep-daily 2"
-            "--keep-weekly 7"
-            "--keep-yearly 12"
-          ];
-        };
-      };
-    };
-
-    environment.systemPackages = [ pkgs.restic ];
-  };
-}
-
--- a/hosts/sombrero/modules/ssh/default.nix
+++ b/hosts/sombrero/modules/ssh/default.nix
@@ -1,102 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  enabled = config.mod.ssh.enable;
-
-  authorizedKeysPath = "/home/alex/.ssh/authorized-keys";
-in
-{
-  options = {
-    mod.ssh = {
-      enable = lib.mkEnableOption "enable ssh module";
-    };
-  };
-
-  config = lib.mkIf enabled {
-    home-manager.users.alex = {
-      programs.ssh = {
-        enable = true;
-
-        matchBlocks = {
-          "codeberg.org" = {
-            hostname = "codeberg.org";
-            identityFile = "/home/alex/.ssh/alex.sombrero-codeberg.org";
-          };
-
-          "github.com" = {
-            hostname = "github.com";
-            identityFile = "/home/alex/.ssh/alex.sombrero-github.com";
-          };
-        };
-      };
-    };
-
-    environment.etc."ssh/authorized_keys_command" = {
-      mode = "0755";
-      text = ''
-        #!${pkgs.bash}/bin/bash
-        for file in ${authorizedKeysPath}/*; do
-          ${pkgs.coreutils}/bin/cat "$file"
-        done
-      '';
-    };
-
-    services = {
-      openssh = {
-        enable = true;
-        ports = [ 1122 ];
-
-        hostKeys = [{
-          path = "/etc/ssh/sombrero";
-          type = "ed25519";
-        }];
-
-        settings = {
-          PasswordAuthentication = false;
-          KbdInteractiveAuthentication = false;
-        };
-
-        authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
-        authorizedKeysCommandUser = "root";
-      };
-    };
-
-    networking = {
-      firewall = {
-        allowedTCPPorts = [ 1122 ];
-      };
-    };
-
-    age.secrets = {
-      "alex.pinwheel-sombrero.pub" = {
-        file = ../../../../secrets/pinwheel/alex.pinwheel-sombrero.pub.age;
-        path = "${authorizedKeysPath}/alex.pinwheel-sombrero.pub";
-      };
-
-      "alex.sombrero-codeberg.org" = {
-        file = ../../../../secrets/sombrero/alex.sombrero-codeberg.org.age;
-        path = "/home/alex/.ssh/alex.sombrero-codeberg.org";
-        owner = "alex";
-        group = "users";
-      };
-      "alex.sombrero-codeberg.org.pub" = {
-        file = ../../../../secrets/sombrero/alex.sombrero-codeberg.org.pub.age;
-        path = "/home/alex/.ssh/alex.sombrero-codeberg.org.pub";
-        owner = "alex";
-        group = "users";
-      };
-
-      "alex.sombrero-github.com" = {
-        file = ../../../../secrets/sombrero/alex.sombrero-github.com.age;
-        path = "/home/alex/.ssh/alex.sombrero-github.com";
-        owner = "alex";
-        group = "users";
-      };
-      "alex.sombrero-github.com.pub" = {
-        file = ../../../../secrets/sombrero/alex.sombrero-github.com.pub.age;
-        path = "/home/alex/.ssh/alex.sombrero-github.com.pub";
-        owner = "alex";
-        group = "users";
-      };
-    };
-  };
-}
--- a/hosts/sombrero/modules/syncthing/default.nix
+++ b/hosts/sombrero/modules/syncthing/default.nix
@@ -1,130 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  enabled = config.mod.syncthing.enable;
-  nginxEnabled = config.mod.nginx.enable;
-in
-{
-  options = {
-    mod.syncthing = {
-      enable = lib.mkEnableOption "add syncthing module";
-    };
-  };
-
-  config = lib.mkIf (enabled && nginxEnabled) {
-    networking = {
-      firewall = {
-        allowedTCPPorts = [ 8384 ];
-      };
-    };
-
-    services = {
-      syncthing = {
-        enable = true;
-        openDefaultPorts = true;
-
-        user = "alex";
-        group = "users";
-
-        dataDir = "/home/alex/backup/sync";
-
-        cert = config.age.secrets.syncthing-cert.path;
-        key = config.age.secrets.syncthing-key.path;
-
-        guiAddress = "0.0.0.0:8384";
-
-        settings = {
-          gui = {
-            user = "syncthing";
-            password = "$2a$12$J/h/JOUiW24ZXsLYLEl2kOZUS1LftxANi0OlZxLy8Dst3/jpBd0v2";
-            insecureSkipHostcheck = false;
-          };
-
-          devices = {
-            phone.id = config.lib.syncthing.phone;
-            pinwheel.id = config.lib.syncthing.pinwheel;
-          };
-
-          folders = {
-            "org" = {
-              path = "/home/alex/backup/sync/org";
-              devices = [ "phone" "pinwheel" ];
-              versioning = {
-                type = "staggered";
-                params = {
-                  maxAge = "2592000"; # 30 days
-                };
-              };
-            };
-
-            "phone-gps" = {
-              path = "/home/alex/backup/sync/gps";
-              devices = [ "phone" ];
-              versioning = {
-                type = "staggered";
-                params = {
-                  maxAge = "2592000"; # 30 days
-                };
-              };
-            };
-
-            "personal" = {
-              path = "/home/alex/backup/sync/personal";
-              devices = [ "pinwheel" ];
-              versioning = {
-                type = "staggered";
-                params = {
-                  maxAge = "2592000"; # 30 days
-                };
-              };
-            };
-
-            "work" = {
-              path = "/home/alex/backup/sync/work";
-              devices = [ "pinwheel" ];
-              versioning = {
-                type = "staggered";
-                params = {
-                  maxAge = "2592000"; # 30 days
-                };
-              };
-            };
-
-            "books" = {
-              path = "/home/alex/backup/books";
-              devices = [ "pinwheel" ];
-              versioning = {
-                type = "staggered";
-                params = {
-                  maxAge = "2592000"; # 30 days
-                };
-              };
-            };
-
-            "audiobooks" = {
-              path = "/home/alex/media/sync/audiobooks";
-              devices = [ "phone" ];
-            };
-          };
-        };
-      };
-
-      nginx = {
-        virtualHosts."syncthing.sombrero.a2x.se" = {
-          forceSSL = true;
-          enableACME = true;
-
-          locations."/" = {
-            proxyPass = "http://0.0.0.0:8384";
-          };
-        };
-      };
-    };
-
-    age = {
-      secrets = {
-        "syncthing-cert".file = ../../../../secrets/sombrero/syncthing-cert.age;
-        "syncthing-key".file = ../../../../secrets/sombrero/syncthing-key.age;
-      };
-    };
-  };
-}
--- a/hosts/sombrero/modules/tailscale/default.nix
+++ b/hosts/sombrero/modules/tailscale/default.nix
@@ -1,9 +0,0 @@
-{ ... }:
-{
-  services.tailscale.enable = true;
-
-  networking.firewall = {
-    checkReversePath = "loose";
-    allowedUDPPorts = [ 41641 ];
-  };
-}
--- a/hosts/sombrero/modules/transmission/default.nix
+++ b/hosts/sombrero/modules/transmission/default.nix
@@ -1,40 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  enabled = config.mod.transmission.enable;
-in
-{
-  options = {
-    mod.transmission = {
-      enable = lib.mkEnableOption "enable transmission module";
-    };
-  };
-
-  config = lib.mkIf enabled {
-    services = {
-      transmission = {
-        enable = true;
-        package = pkgs.transmission_4;
-        openFirewall = true;
-        openRPCPort = true;
-        settings.rpc-port = 9191;
-        settings.rpc-bind-address = "0.0.0.0";
-
-        user = "alex";
-        group = "users";
-
-        home = "/home/alex/media/ts-home";
-        downloadDirPermissions = "775";
-
-        settings = {
-          incomplete-dir-enabled = false;
-          download-dir = "/home/alex/media";
-
-          rpc-authentication-required = true;
-          rpc-whitelist-enabled = false;
-          rpc-username = "transmission";
-          rpc-password = "{55d884e4042db67313da49e05d7089a368eb64b3Br.3X.Xi";
-        };
-      };
-    };
-  };
-}
--- a/hosts/tadpole/configuration.nix
+++ b/hosts/tadpole/configuration.nix
@@ -1,20 +1,22 @@
 { pkgs, ... }:
 {
-  imports =
-    [
+  imports = [
    ../../config-manager/default.nix
    ./hardware-configuration.nix
    ./modules
  ];

-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];

  nixpkgs.config.allowUnfree = true;

  users.users.alex = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
-    packages = [];
+    packages = [ ];
  };

  environment.variables.EDITOR = "vim";
--- a/hosts/tadpole/hardware-configuration.nix
+++ b/hosts/tadpole/hardware-configuration.nix
@@ -1,25 +1,38 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:

 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
  ];

-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/7a2b1179-6582-4ef1-b094-0f11449373ed";
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/7a2b1179-6582-4ef1-b094-0f11449373ed";
    fsType = "ext4";
  };

-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/aa0634e1-a1c2-4461-978a-cf1768f38b0c"; }
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/aa0634e1-a1c2-4461-978a-cf1768f38b0c"; }
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/hosts/tadpole/modules/boot/default.nix
+++ b/hosts/tadpole/modules/boot/default.nix
@@ -1,4 +1,9 @@
-{ inputs, lib, config, ... }:
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
 let
  configurationLimit = config.mod.gc.configurationLimit;
 in
--- a/hosts/tadpole/modules/gitea/default.nix
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  conf = config.mod.gitea;
  gitDomain = "git.${conf.baseDomain}";
@@ -26,7 +31,7 @@ in

      webfingerAccounts = lib.mkOption {
        type = lib.types.listOf lib.types.str;
-        default = [];
+        default = [ ];
        description = "The accounts that should be listed";
      };
    };
@@ -47,7 +52,7 @@ in
        message = "There is no cert configured for ${conf.baseDomain} used by webfinger";
      }
      {
-        assertion = conf.webfingerEnable && conf.webfingerAccounts != [];
+        assertion = conf.webfingerEnable && conf.webfingerAccounts != [ ];
        message = "Option 'mod.gitea.webfingerAccounts' cannot be empty";
      }
    ];
@@ -81,14 +86,19 @@ in
    services.nginx = {
      virtualHosts."${conf.baseDomain}" =
        let
-          mkWebfinger = account:
-            pkgs.writeTextDir (lib.escapeURL "acct:${account}") (lib.generators.toJSON {} {
+          mkWebfinger =
+            account:
+            pkgs.writeTextDir (lib.escapeURL "acct:${account}") (
+              lib.generators.toJSON { } {
                subject = "acct:${account}";
-              links = [{
+                links = [
+                  {
                    rel = "http://openid.net/specs/connect/1.0/issuer";
                    href = "https://${gitDomain}";
-              }];
-            });
+                  }
+                ];
+              }
+            );

          webfingerRoot = pkgs.symlinkJoin {
            name = "${gitDomain}-webfinger";
--- a/hosts/tadpole/modules/nginx/default.nix
+++ b/hosts/tadpole/modules/nginx/default.nix
@@ -31,7 +31,10 @@ in

    networking = {
      firewall = {
-        allowedTCPPorts = [ 80 443 ];
+        allowedTCPPorts = [
+          80
+          443
+        ];
      };
    };
  };
--- a/hosts/tadpole/modules/ppp.pm-site/default.nix
+++ b/hosts/tadpole/modules/ppp.pm-site/default.nix
@@ -1,4 +1,9 @@
-{ inputs, lib, config, ... }:
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.pppdotpm-site.enable;

--- a/hosts/tadpole/modules/ssh/default.nix
+++ b/hosts/tadpole/modules/ssh/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, lib, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.ssh.enable;

@@ -18,6 +23,11 @@ in
        enable = true;

        matchBlocks = {
+          "git.ppp.pm" = {
+            hostname = "git.ppp.pm";
+            identityFile = "/home/alex/.ssh/alex.tadpole-git.ppp.pm";
+          };
+
          "codeberg.org" = {
            hostname = "codeberg.org";
            identityFile = "/home/alex/.ssh/alex.tadpole-codeberg.org";
@@ -41,10 +51,12 @@ in
        enable = true;
        ports = [ 1122 ];

-        hostKeys = [{
+        hostKeys = [
+          {
            path = "${rootSSHKeyPath}/root.tadpole";
            type = "ed25519";
-        }];
+          }
+        ];

        settings = {
          PasswordAuthentication = false;
@@ -77,6 +89,19 @@ in
        path = "${authorizedKeysPath}/alex.pinwheel-tadpole.pub";
      };

+      "alex.tadpole-git.ppp.pm" = {
+        file = ../../../../secrets/tadpole/alex.tadpole-git.ppp.pm.age;
+        path = "/home/alex/.ssh/alex.tadpole-git.ppp.pm";
+        owner = "alex";
+        group = "users";
+      };
+      "alex.tadpole-git.ppp.pm.pub" = {
+        file = ../../../../secrets/tadpole/alex.tadpole-git.ppp.pm.pub.age;
+        path = "/home/alex/.ssh/alex.tadpole-git.ppp.pm.pub";
+        owner = "alex";
+        group = "users";
+      };
+
      "alex.tadpole-codeberg.org" = {
        file = ../../../../secrets/tadpole/alex.tadpole-codeberg.org.age;
        path = "/home/alex/.ssh/alex.tadpole-codeberg.org";
--- a/hosts/test-vm/configuration.nix
+++ b/hosts/test-vm/configuration.nix
@@ -28,7 +28,7 @@
      };
    };

-    environment.systemPackages = [];
+    environment.systemPackages = [ ];

    system.stateVersion = "24.05";
  };
--- a/hosts/test-vm/ppp.pm-site.nix
+++ b/hosts/test-vm/ppp.pm-site.nix
@@ -1,4 +1,9 @@
-{ inputs, lib, config, ... }:
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
 let
  enabled = config.mod.pppdotpm-site.enable;
 in
--- a/secrets/backwards/alex.backwards-git.ppp.pm.age
+++ b/secrets/backwards/alex.backwards-git.ppp.pm.age
--- a/secrets/backwards/alex.backwards-git.ppp.pm.pub.age
+++ b/secrets/backwards/alex.backwards-git.ppp.pm.pub.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,7 +2,6 @@ let
  # see `modules/age/default.nix` where these are defined
  pinwheel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoI7Q4zT2AGXU+i8fLmzcNLdfMkEnfHYh4PmaEmo2QW root@pinwheel";
  backwards = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcTK3CUtTsgavuLlbfOqCbHYLtUrIKqnSqYmtzGCZnv root.backwards";
-  sombrero = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/NltCo1L+X1OIBfIKzfrbxLpCOerQ4vTIs+QPTXkf/ root@sombrero";
  tadpole = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDbyj/vYafqpJH33jFz5HV+gwCiEIJTpxKrEFrBWx73A root@tadpole";
  alex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTgiHYcdhS87pPnduLunZVEgLVj4EtbG9XVSZP1l5s5 alex";
 in {
@@ -12,8 +11,6 @@ in {
  "pinwheel/mullvad-account-history.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-backwards.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-backwards.pub.age".publicKeys = [ pinwheel backwards alex ];
-  "pinwheel/alex.pinwheel-sombrero.age".publicKeys = [ pinwheel alex ];
-  "pinwheel/alex.pinwheel-sombrero.pub.age".publicKeys = [ pinwheel sombrero alex ];
  "pinwheel/alex.pinwheel-tadpole.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-tadpole.pub.age".publicKeys = [ pinwheel tadpole alex ];
  "pinwheel/alex.pinwheel-github.com.age".publicKeys = [ pinwheel alex ];
@@ -40,18 +37,15 @@ in {
  "backwards/restic-cloud-sync-repository.age".publicKeys = [ backwards alex ];
  "backwards/alex.backwards-codeberg.org.age".publicKeys = [ backwards alex ];
  "backwards/alex.backwards-codeberg.org.pub.age".publicKeys = [ backwards alex ];
+  "backwards/alex.backwards-git.ppp.pm.age".publicKeys = [ backwards alex ];
+  "backwards/alex.backwards-git.ppp.pm.pub.age".publicKeys = [ backwards alex ];
  "backwards/wpa_supplicant.conf.age".publicKeys = [ backwards alex ];

-  "sombrero/syncthing-cert.age".publicKeys = [ sombrero alex ];
-  "sombrero/syncthing-key.age".publicKeys = [ sombrero alex ];
-  "sombrero/alex.sombrero-github.com.age".publicKeys = [ sombrero alex ];
-  "sombrero/alex.sombrero-github.com.pub.age".publicKeys = [ sombrero alex ];
-  "sombrero/alex.sombrero-codeberg.org.age".publicKeys = [ sombrero alex ];
-  "sombrero/alex.sombrero-codeberg.org.pub.age".publicKeys = [ sombrero alex ];
-
  "tadpole/root.tadpole.age".publicKeys = [ tadpole alex ];
  "tadpole/root.tadpole.pub.age".publicKeys = [ tadpole alex ];
  "tadpole/alex.tadpole-codeberg.org.age".publicKeys = [ tadpole alex ];
  "tadpole/alex.tadpole-codeberg.org.pub.age".publicKeys = [ tadpole alex ];
+  "tadpole/alex.tadpole-git.ppp.pm.age".publicKeys = [ tadpole alex ];
+  "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
  "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
 }
--- a/secrets/sombrero/alex.sombrero-codeberg.org.age
+++ b/secrets/sombrero/alex.sombrero-codeberg.org.age
--- a/secrets/sombrero/alex.sombrero-codeberg.org.pub.age
+++ b/secrets/sombrero/alex.sombrero-codeberg.org.pub.age
@@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 MxZlmA NNDIdpcC5ad2zy6SNwiLbowPBahLGKnv/W6LI4rp0Bk
-78Alin5dlkRgliZkL7iLSY6MRtdZPjgtz+Z70CA+aQ8
-> ssh-ed25519 +oNaHQ i5i36kNiCMMsePFyaLHOvzMPee5RuE+yHtlh7bHq0no
-B4fpYax3fzgOUGYwL4E0V9cqyvDbF5iYo/haUyR34gw
--- jBxmbEHiLGLglJDbeYDbfDrgc2DPsVIoISNj7stw8pc
-MJ<><4A>|.<2E>T<1B>j<EFBFBD><6A><EFBFBD><EFBFBD><EFBFBD> w9v<39><76><EFBFBD><08><>kuY0B櫼D-<2D>O<EFBFBD><4F>-]<5D>D<EFBFBD>y]a<>j<EFBFBD>(<28>(<28>G<EFBFBD>y	<1F><><EFBFBD><EFBFBD> <20>W8<57><38><EFBFBD>-i<><69><EFBFBD><EFBFBD>/<03><17>=i}D=ȟ<1B><><EFBFBD>,U<><17>z<EFBFBD><1C><>ݲ'<27>P<EFBFBD>Yo<59><6F>7<EFBFBD><37>sei;
--- a/secrets/sombrero/alex.sombrero-github.com.age
+++ b/secrets/sombrero/alex.sombrero-github.com.age
--- a/secrets/sombrero/alex.sombrero-github.com.pub.age
+++ b/secrets/sombrero/alex.sombrero-github.com.pub.age
--- a/secrets/sombrero/syncthing-cert.age
+++ b/secrets/sombrero/syncthing-cert.age
--- a/secrets/sombrero/syncthing-key.age
+++ b/secrets/sombrero/syncthing-key.age
--- a/secrets/tadpole/alex.tadpole-git.ppp.pm.age
+++ b/secrets/tadpole/alex.tadpole-git.ppp.pm.age
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alexander Heldt	ededfaa675	tadpole: Add match block for `git.ppp.pm` in `ssh`	2024-09-05 18:32:06 +02:00
Alexander Heldt	1e6f0fa4e3	backwards: Add match block for `git.ppp.pm` in `ssh`	2024-09-05 18:29:52 +02:00
Alexander Heldt	03cc3a616b	tadpole: Add secrets for `git.ppp.pm`	2024-09-05 18:27:07 +02:00
Alexander Heldt	320f164b11	backwards: Add secrets for `git.ppp.pm`	2024-09-05 18:26:47 +02:00
Alexander Heldt	899b450f8c	pinwheel: Don't format files named "secrets.nix" in `emacs`	2024-09-05 18:20:46 +02:00
Alexander Heldt	d2743436aa	pinwheel: Add `grpcurl` to `work` module	2024-09-05 12:40:00 +02:00
Alexander Heldt	fb281612e8	pinwheel: Move `postman` to `work` module	2024-09-05 12:39:44 +02:00
Alexander Heldt	18bda50a13	Update flake inputs	2024-09-04 21:15:37 +02:00
Alexander Heldt	a49c49cc02	pinwheel: Add `nixfmt` to `nix` module	2024-09-02 22:36:16 +02:00
Alexander Heldt	15711a903e	pinwheel: Format `nix` files on save in `emacs`	2024-09-02 21:59:10 +02:00
Alexander Heldt	fd4d1d13df	pinwheel: Remove `nil` from `nix` module	2024-09-02 21:59:10 +02:00
Alexander Heldt	0dfbf16522	pinwheel: Use `nixd` in `emacs`	2024-09-02 21:59:10 +02:00
Alexander Heldt	f15701f426	Apply `nixfmt`	2024-09-02 21:55:41 +02:00
Alexander Heldt	bda8def5fe	Add dev shell with `nixfmt`	2024-09-02 21:07:34 +02:00
Alexander Heldt	dd9be869d2	Remove unused `self` reference in `flake.nix`	2024-09-02 20:42:12 +02:00
Alexander Heldt	4afbe23915	pinwheel: Remove `pants.nix` from `work` module	2024-09-02 20:41:42 +02:00
Alexander Heldt	04f1bef188	sombrero: remove host `sombrero`	2024-09-02 20:29:48 +02:00
Alexander Heldt	395e4f8256	backwards: Enable `calibre-web` module	2024-09-01 17:53:36 +02:00
Alexander Heldt	1c654cc104	backwards: Add `calibre-web` module	2024-09-01 17:51:44 +02:00
Alexander Heldt	6142c30f4a	backwards: Enable `audiobookshelf` module	2024-09-01 12:20:36 +02:00
Alexander Heldt	81d06fc019	backwards: Add `audiobookshelf` module	2024-09-01 12:20:36 +02:00