gtk: set border-radius to 0

helix: disable completion-replace,
flake: switch to agenix
2025-09-08 20:34:15 +02:00 · 2025-09-08 20:33:03 +02:00 · 2025-09-08 20:02:55 +02:00
21 changed files with 152 additions and 336 deletions
--- a/default.nix
+++ b/default.nix
@ -47,6 +47,7 @@ let
      modules = [
        { networking.hostName = hostname; }
        ./hosts/${hostname}
+        inputs.agenix.nixosModules.age
      ]
      ++ ((listFilesRecursive ./modules) |> filter (hasSuffix ".mod.nix"));
      lib = inputs.nixpkgs.lib.extend (
--- a/flake.lock
+++ b/flake.lock
@ -16,6 +16,29 @@
        "url": "https://git.lix.systems/lix-project/flake-compat.git"
      }
    },
+    "agenix": {
+      "inputs": {
+        "darwin": [],
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1754433428,
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "crane": {
      "locked": {
        "lastModified": 1754269165,
@ -101,7 +124,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1731533236,
@ -184,6 +207,27 @@
        "type": "github"
      }
    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "impermanence": {
      "locked": {
        "lastModified": 1737831083,
@ -355,6 +399,7 @@
    "root": {
      "inputs": {
        "__flake-compat": "__flake-compat",
+        "agenix": "agenix",
        "ghostty": "ghostty",
        "hjem": "hjem",
        "impermanence": "impermanence",
@ -363,7 +408,6 @@
        "nil": "nil",
        "nixpkgs": "nixpkgs_2",
        "quickshell": "quickshell",
-        "sops-nix": "sops-nix",
        "watt": "watt",
        "zedless": "zedless",
        "zen-browser-flake": "zen-browser-flake"
@ -419,7 +463,7 @@
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay",
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1749906619,
@ -435,26 +479,6 @@
        "type": "github"
      }
    },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1754988908,
-        "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
-        "owner": "mic92",
-        "repo": "sops-nix",
-        "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
-        "type": "github"
-      },
-      "original": {
-        "owner": "mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
-    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -485,6 +509,21 @@
        "type": "github"
      }
    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "watt": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@ -51,9 +51,10 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    sops-nix = {
-      url = "github:mic92/sops-nix";
+    agenix = {
+      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.darwin.follows = "";
    };

    __flake-compat = {
--- a/modules/home/dev/helix.hjem.nix
+++ b/modules/home/dev/helix.hjem.nix
@ -350,7 +350,6 @@ let
      clipboard-provider = "wayland";

      completion-trigger-len = 1;
-      completion-replace = true;
      mouse = true;
      bufferline = "multiple";
      popup-border = "none";
@ -388,10 +387,6 @@ let
        "diagnostics"
        "line-numbers"
      ];
-      inline-diagnostics = {
-        cursor-line = "hint";
-        other-lines = "error";
-      };
    };
    keys = {
      normal = {
--- a/modules/packages/packages.mod.nix
+++ b/modules/packages/packages.mod.nix
@ -6,10 +6,8 @@
  ...
 }:
 let
-
  inherit (lib) getFlakePkg;
  nil = getFlakePkg inputs.nil;
-
 in
 {
  environment = {
@ -94,6 +92,7 @@ in
      ])
      ++ [
        nil
+        inputs.agenix.packages.${pkgs.stdenv.system}.agenix
      ];
  };
 }
--- a/modules/programs/cli/jujutsu.mod.nix
+++ b/modules/programs/cli/jujutsu.mod.nix
@ -2,19 +2,17 @@
  config,
  lib,
  pkgs,
+  self,
  ...
 }:
 let
  inherit (lib.meta) getExe;
  inherit (lib.lists) singleton;
-  inherit (lib.strings) optionalString;
+  inherit (lib.modules) mkIf;

  inherit (config.meta.mainUser) username;
  inherit (config.meta.system) isWorkstation;

-  organizationScope = config.sops.secrets.organization_scope.path;
-  uniScope = config.sops.secrets.uni_scope.path;
-
  toml = pkgs.formats.toml { };
  jj-config = toml.generate "config.toml" {
    user = {
@ -62,7 +60,10 @@ let
        "@-"
      ];
    };
-    git.push-new-bookmarks = true;
+    git = {
+      # colocate = true;
+      push-new-bookmarks = true;
+    };
    revset-aliases."closest_bookmark(to)" = "heads(::to & bookmarks())";
    signing = {
      backend = "ssh";
@ -88,6 +89,7 @@ let
    };
    ui = {
      default-command = "log";
+      diff-editor = ":builtin";
      diff-formatter = [
        "${getExe pkgs.difftastic}"
        "--color"
@ -105,17 +107,26 @@ let
    };
  };

+  inherit (config.age.secrets) organizationScope uniScope;
  jj-wrapped = pkgs.symlinkJoin {
    name = "jj-wrapped";
-    paths = [ pkgs.jujutsu ];
+    paths = singleton [ pkgs.jujutsu ];
    nativeBuildInputs = [ pkgs.makeWrapper ];
-    postBuild = optionalString isWorkstation ''
-      wrapProgram $out/bin/jj --add-flags " --config-file ${uniScope} --config-file ${organizationScope}"
+    postBuild = ''
+      wrapProgram $out/bin/jj --add-flags " --config-file ${organizationScope.path} --config-file ${uniScope.path}"
    '';
  };
-
 in
 {
  hjem.users.${username}.xdg.config.files."jj/config.toml".source = jj-config;
-  environment.systemPackages = singleton jj-wrapped;
+  age.secrets.organizationScope = mkIf isWorkstation {
+    file = "${self}/secrets/organization_scope.age";
+    owner = username;
+  };
+  age.secrets.uniScope = mkIf isWorkstation {
+    file = "${self}/secrets/uni_scope.age";
+    owner = username;
+  };
+  environment.systemPackages = singleton (if isWorkstation then jj-wrapped else pkgs.jujutsu);
+
 }
--- a/modules/programs/gui/bitwarden.mod.nix
+++ b/modules/programs/gui/bitwarden.mod.nix
@ -2,16 +2,13 @@
  config,
  lib,
  pkgs,
+  self,
  ...
 }:
 let
  inherit (config.modules.system) isGraphical;
  inherit (lib.modules) mkIf;
-  inherit (lib.meta) getExe;
-  inherit (builtins) readFile;
  inherit (config.meta.mainUser) username;
-  realEmail = readFile config.sops.secrets.real_email.path;
-  bitwardenUrl = readFile config.sops.secrets.bitwarden_url.path;

  fix_ssh_keys = pkgs.writeText "patch" ''
    diff --git a/src/api.rs b/src/api.rs
@ -65,13 +62,9 @@ let
 in
 {
  config = mkIf isGraphical {
-    hjem.users.${username}.xdg.config.files."rbw/config.json".text =
-      builtins.toJSON
-      <| {
-        email = realEmail;
-        pinentry = getExe pkgs.pinentry-qt;
-        base_url = bitwardenUrl;
-      };
+    age.secrets.rbwConfig.file = (self + "/secrets/rbw_config.age");
+    hjem.users.${username}.xdg.config.files."rbw/config.json".source = config.age.secrets.rbwConfig.path;
+
    environment = {
      systemPackages = lib.attrValues {
        inherit (pkgs)
--- a/modules/services/matrix.mod.nix
+++ b/modules/services/matrix.mod.nix
@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  self,
  ...
 }:
 let
@ -12,8 +13,6 @@ let

  cfg = config.modules.system.services.matrix;

-  registrationToken = config.sops.secrets.tuwunel_token_file.path;
-
  port = 4926;
  domain = "faukah.com";

@ -29,6 +28,8 @@ in
 {
  options.modules.system.services.matrix.enable = mkEnableOption "matrix";
  config = mkIf cfg.enable {
+    age.secrets.registrationToken.file = "${self}/secrets/tuwunel_token_file.age";
+
    services = {
      nginx = {
        enable = true;
@ -62,7 +63,7 @@ in
            allow_federation = true;
            allow_encryption = true;
            new_user_displayname_suffix = "";
-            registration_token_file = registrationToken;
+            registration_token_file = config.age.secrets.registrationToken.path;
          };
        };
      };
--- a/modules/style/gtk.mod.nix
+++ b/modules/style/gtk.mod.nix
@ -96,8 +96,18 @@ in
            "xdg/gtk-3.0/settings.ini".text = toGtk3Ini {
              Settings = gtkIni;
            };
-            "xdg/gtk-4.0/gtk.css".text = css;
-            "xdg/gtk-3.0/gtk.css".text = css;
+            "xdg/gtk-4.0/gtk.css".text = ''
+              ${css}
+              window {
+                border-radius: 0 0;
+              }
+            '';
+            "xdg/gtk-3.0/gtk.css".text = ''
+              ${css}
+              window {
+                border-radius: 0 0;
+              }
+            '';

            "xdg/gtk-2.0/gtkrc".text = ''
              gtk-cursor-theme-name = BreezeX-RosePine-Linux
--- a/modules/system/os/impermanence.mod.nix
+++ b/modules/system/os/impermanence.mod.nix
@ -40,6 +40,7 @@ in
        "/var/lib/pipewire"
        "/var/lib/systemd/coredump"
        "/etc/secureboot"
+        "/run/secrets"
      ];

      users.cr = {
--- a/modules/system/secrets/organization_scope.toml
+++ b/modules/system/secrets/organization_scope.toml
@ -1,23 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:vwfjHpLbHG8g79CpMpsDzYAk0vlfwKuWUTSZnKzGwCZW5rrFFBLamQoZLt5HpvvsGqBrqRditj+GSsHsZAzxz25Vfv7dcyvz1AdaFI56zmU1NzSK+RAyucPZfnjV98vJUqFgVmOFQBkv0o1ThrzXmE8jd1Osz7qKIoy/+rHCzqsBw8wFD3tMe4UjGtkI9DYFSJUh1Ym9PjBE,iv:JeLgCfQXvjWNk8BypNbqJw1+OHawEDQSCdamq0C+lis=,tag:XZUy4g3W4O9L/c1PXlooKA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSy9XdnBQbld5Ly9ET3ZR\nb0U3aW16LytkOUdxNmNVUU40V3NZTWNnNEJjClA2WE5XS0xjdUN3TENoRWlaR2Vn\nQ0MzTnBzME42TVY0cFRQNk4xcng1dkEKLS0tIFJOSC9OT01TNTZTWERjRXFCZFVq\nbEpFRHpVYXI0YXJYcjVxN3hkWEpZM0kKynHKxZwBUWiCdUx/fqYsWWHmIJLrYGTC\naXQXbjR2fprPsyZb7tTZ4L8DtxdjKgmxsbgi+8QYumy/S/ivH4Gipw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYVU3V2xkNm9qRGd5enBB\nK3YyRjN1YjhDbjRsbEdteVRFa3Q2QkNPZDNNCkI4Qk1kcU9XUlo2eXpDdnl0WFdN\nSnZweHFIZmQ0UjBoRmxzekxoRDhNRVEKLS0tIGE2d1o2czVMbXFzODl4NjZib2Nv\nNnVZMVJScGc0cTRlYzVocHpPdmlsekUKlsFnd1aNCDBBlCto+vBdchtaRBJ/7LJT\nrW4h5YE9RbbMF1TEJOJf+Pkeikgkv3EPOHdH3eJPJ5yckNA4tc67ag==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBneUFoZ1FtYmJuRnppRHMx\nQWZQK2xGWmNFMXQvNldNSFVLMUVka1p2MmpNCkFWSHozVGQxeVRiZFVwRnU3RkEv\ncDYxRE1ESVNrcW45c0IxQWwwSlJ2aEUKLS0tIG0veVU3YXJuZURCS2JkOXptV09J\nQzlpNVBqSC9sQVh5dDJpb3c2M3dlOTQKu3PufhYt42QwB1ncc2QjBSdTbJ5EYu2z\nRFrAz2nq0rRDIjL4EFHdlSFWgI2amQwpbgZxy/+YeEpWO/Zd7uGX3w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-03T16:39:42Z",
-		"mac": "ENC[AES256_GCM,data:DkWLyVJQIhQDOqUD2W61E+dxQVgxwqqJAVuKh6LPMOihj1MbjFDgU1YEf+CJG3sN5iQt9LtshqFZMOpy8NYMBT+8korofuaa3DeAulg3UAb29lkiXNAkrysMFUmtWUEjvKzWNuo7fGzJj0IUzIGi+HRdZXrK8y25XnVv+6bxcmE=,iv:fJjHxGmBvSPMTqwRuP2JJUEdzVPfEvnNbSZgYHTy47E=,tag:HxA6t69e/l7xYBbEiDJ0Xw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/modules/system/secrets/personal_info.json
+++ b/modules/system/secrets/personal_info.json
@ -1,32 +0,0 @@
-{
-	"real_name": "ENC[AES256_GCM,data:R7Kac0dwMbxmCw4hpw==,iv:CijNtk8WiPlEwIg0OLu4ILLE2wh0W9HXm9OK9/Da+ng=,tag:NK2N6faooEknURwLuVP7OQ==,type:str]",
-	"real_email": "ENC[AES256_GCM,data:wwXcdxZQDxt2gnWP1qf9cw==,iv:fkx0m72FF7pB15fHRxObsTaLdnkOsexCgzOyfpoGFmE=,tag:mj2/4cofrJSIOqdAWiWstg==,type:str]",
-	"university_email": "ENC[AES256_GCM,data:WPy2AckQPWn+1OHJuTM=,iv:o2AT+RMUfCFVWaoD5D/GV5aq9kOgD/rCaHzwqYFIjig=,tag:KprTGSH2NvsrOCvhxLL/9w==,type:str]",
-	"organization_short_name": "ENC[AES256_GCM,data:dTVFz51V,iv:5sUc4qUIu+QNzmWihAXgyfRwZAdjEq9/prJCxpB2jbg=,tag:r91kaPi6p4heizRy5duFrw==,type:str]",
-	"organization_email": "ENC[AES256_GCM,data:GNBt9fXxBkh3z8L+DeD/mhBz14mJjkeX1wk9rHkUTg==,iv:7/VLeL3s9/CL2VtDiWFJNx+VJuGsGamWbcIG/MxNlC8=,tag:/KOXA6gII3Wrmgd9wjhD+g==,type:str]",
-	"bitwarden_url": "ENC[AES256_GCM,data:vhEVMZwDyQhQtXYR1diLQIDf6urqu03VC+M=,iv:icG6ieX9WjAj5Y4DpmSJaBvcqjksll3tWtWE5psaK08=,tag:+tIURDxZxv6qXR8B/eVyfg==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WUlpSkI5dElCVmpzNEw5\nc2pTaFBxWWNoOVJsb0NBWkw4VFQ4aDN4WFU0CjBSKy9oc2pJVzl0M0Z3bUpvNzB4\neU1RT2JWMndHUUFITE03aDBDU1BoUVEKLS0tIC9DNE9ZUnJMb0V0dlpkSUFYNk1K\nTnhRMTl0eENpRmhhYlhKTVg4MGlSS3MKMWY+ezH2HjRd5p/KqUBCFU8sn+FmYd/f\nrHQZhPo481+U6zMyiiu35lcujNRcEtJfcIAL2tobiTDNLQs94re5fg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqYVZ4THhxVlkzRi9ETTht\nOWtINWUxU0R1SGZhK3FqbHdSWmlhaGc1WGpZCklqL2Jpb2F0bzJqYXZHZVZHS25L\nZVc0dnRBOG9lVTZYQkpkQTVKY04zTjQKLS0tIGdVK1Y2VFFMbTVmVWo2eFpKbFY1\nYU5LaW90eWxDNUlhMmRnTTEvRTA1ZkEKFnX/HzVMIK9XT+cO80cCzVJxIj3dicjG\nbvxz/o7/dVmmx0bUusWIiR/SA5JXPkbi0C8F+llkPoYV3idWUOvnKA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbFBXZFdFQjREeVpaelhQ\nWGVBOWNnNERYT0JGSDNsWDYzcFA1Q1R0ZlVRCjJ4V3R5UU1zT0FJTU5taEgrRmht\nY3J5OG1qREV1a3FTSy9hMmZubXVDMFEKLS0tIFplOHpkTmZkWDBYSUxQVkxjZ215\naS83dUdUMFVhVkZaWW55akxiM2dPaU0KTVp2Bwt9/UD42HJ9UJRYwWQrmbxxXdKF\ngjKHvWNiASiPczj/DDuGDR0tjbYvtS2DTqDLECr3EQYqRIiPW8Lq9g==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SStPblpVVFRpbk9FWGxl\nY25yUXpkUFlxV1lkSjlpZUZlY212L0prN21vCmtlVDJQcWV4TjlYNnFUSmI2Tkxp\nMHYrTi9aMmNlY25penJKR1NQN1VJWW8KLS0tIDNvVUcyUXdCR2xPTkZjWTRqenhm\nMk5oU0tOUHVmbmhUSklHQ2s5dVlLbVkKoRvSoy2BsJaOdCuOW1lD1vGpu8czakmA\nWztrXYqwo57E6z2dPjb0Fo/RJlo4OWQ2/bYOYYpq8aS1HvuRV5096w==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-01T21:25:00Z",
-		"mac": "ENC[AES256_GCM,data:CUMEpOwIw+/RIOyr6aE2YVZiJLGY8FhMv0IOUIFV1kHveOEtAkNWbRzOV1o1cq9pA9ot0dKn4KZRLuUZ+uJzCrxwBHILBZMFksS0czSPgLfg0uz9mJ2u1pPjvoUcQRuIOUN1Id32zQ/W36nPEpR3J/Jomx5nCVNiFmZSteZCx+E=,iv:wGzjsGMJ72ejDCiHN6Xo1ZP5ho1F++WZrwE2YwCN8ns=,tag:Ev1xjuwta6KL8lnPbhliyw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/modules/system/secrets/secrets.json
+++ b/modules/system/secrets/secrets.json
@ -1,27 +0,0 @@
-{
-	"factorio_token": "ENC[AES256_GCM,data:l6o2LzFRcY43lieDBaFOk5ACqmp408AZNinfF2c7,iv:AiXRw30CZ9dJYP2jBvK89LiwG+d8sbQmyWVMDDUpxYU=,tag:/oHfsW6NFmr2bnH0WXMQWw==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWU56Y2ZRaW9BU1Z6ZmFl\nckxqTllsOGl5Rmp0bTNIR0lCWlpDZjlnQnkwCkJzbVJqbUlaUkNINWpuMlNweUJa\nT0FhNFNMMi9OcnBVT0dOM0g2bS9aQTAKLS0tIDN2NXQ4VlFRNjUxRDZkeVNYY3Zo\nSDF2M2dCZGQ3am9MTTErWVlrQVBUM1UKME4+7N01byHhzcH4p1js4RazQtI38bm7\nlSUztxOz/d4g4zt9DcyFQ0z1XobiGPjij7TM5BHkK37c1u2uKdnVwg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbUkvMmtWcFhsT3hqOTZi\nMGVER0xCRFNrTUJMYm1ud0JwcGVsSXdEd25JCmV6NVJOQ25CbHJybnREZFZlbXd1\nMDBqTXJ6WmVUSlBCMFRQdUVPYml6dWMKLS0tIE9Nd2NFbSttTkZXYUVERzhsL2pn\nai90U0xLYkpNTTBNdW5SOVcxaDlFblEKZ4/9KzcB/z54IUTve3sD7vCV9fzxrNfb\nimtHIsDMS1QAOo/o5B7gqR0OAobQTi34LJmLNKC/b21syo6CUXnbsg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVem9QL3VMSTZDN3VrQ3NN\nZG4wam50Zk1pZGZYOStlZWxwU1B2eEhWMWlrCkcvMU1rUnhJRFdodVkwcTB1MFVI\nZWM3NDJoYTMwamZYdTRXMW5VTE9Xak0KLS0tIHBmVWI2eHdvOFJnSXhYVzFlbUR5\nenFoVTc5SDJJb3hFemlqbGxEVnpLMTQKXOi7TnhFbY2c5yD6UM0be5YhSgmplmgr\nQxXYsqjyPQBRsg7L+R5ZWc1VbtYZpGfsq7z3uaCnLKpJceKyEuVjOg==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TjVhaXA4b3RyUWRmVnox\nYVVTbDdzY2wxNDdIb1JBNFFLUVJBQ2RQU2xFCjJvRC9BenJTTFpIL2dSaGxTRXVt\neDhJbHR1WXRlYlVOQmt5Zlk2Z0V1TFUKLS0tIG1DWXFFWDE3ZVgzcEwraVFMNlZB\nQ2VxMnBDazUzUDRtYW5CdnZqUGQzeTQKo8iUBT5Me74N2jtXlZ+/ENwn/sOeOAOi\nyAX0p2M8YOPeQGRFpUGFcL4ww5PP+1VP01i6biJHwG1F90KXH0MLVg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-04T19:38:09Z",
-		"mac": "ENC[AES256_GCM,data:2QT0gRTp1eiu+ugKJXeLWcw1O+9RElL5R8zl0vUu8gBpR381xW7anQIwpZ1A/3rKnaosD4g/yvsoXioMv6ueeZ66A4HX8gXhQbGt2o4In2rY2/LpXMIG4xS3u380kvaCfU83Aib+rkOKfOyeNaOtN8nNiyIWwZeHzj7AObng+6o=,iv:wZVGSFiFU5ddjw5HMZwYc2khKyTYHVYQD6WOWGcoFxM=,tag:ZDkJsTKQzzb8PyaVOr+TrA==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/modules/system/secrets/server_secrets.json
+++ b/modules/system/secrets/server_secrets.json
@ -1,27 +0,0 @@
-{
-	"tuwunel_token_file": "ENC[AES256_GCM,data:U4zCJdLb2k9Lz4blu0PJnEThODSMr4q8CfxJfV3MnRHzTMBTnUrsoIGe9OLdXKUClbwh,iv:RLJNK2onDbjndnV1dxZP4kDi/4uG+vpJXJEwFfXgX0k=,tag:LnYm++1RRyA6pOgwt3uKnQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ck51OThhMTdZTU82ZGp1\najZUMGIxcUV1ZG5NNmlPdnhpYU1MVzNkTUFnCmpvcXZhejN6cUFjUFQ4algySWtS\nVjlmbVlqTzdneFU3a1cyb1JaNjNIOFEKLS0tIEh0U1Z4OE1sRjhjSkU0Ymo2NWpm\nbDFkTnlsZG1wWVJxZVE5SlNJK3N0d1EKRofs4HxDqnlNMQ9tSsioL2WBpGkHFGyd\n0PmS3EMzaoC1i+c7iCA4Loa9MboXAaptusU9RwGNNH2brEr/VveyHA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKa2ZOa1JOM1dwV3RyZGFV\nTWcxdDhVOFN4WXJFWHVGU3lWOUJPTTR6RWlnCjA2ekpjd3Z5QnZRRUJ6NDB6WERw\nV2ZzdnE1OWRrZEJKMWJMK3Yvek9HM3MKLS0tIDdJTVd6NTdsU1EzbmN4ckFNcDhh\ndFoxSXlodkd0eU16TGE1eFMrbUpQaDgKHomclyqK1IfRGC0A22VfSPtL8sgAsgCb\nGyaeimbU+PbJ+ccgOlqHrEFDmvNPoUX4BQpJnNtmRE/0b9vWdmImqA==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvaCswRUltdmJGVlJ1bW1Q\nb29OVDAvbTNpTTlmNE9CS0VVRG1tZFdlL1NJCmRMaEpyTnRjWElURk9KdExWL1lj\nRWx1L2szYUNTTkpPL2xUSlVTYjdFYmMKLS0tIHk4eE1WQ0xkanRwN0VHVXZSakd0\nTGt2R01iSWFTQkd3WGZqVlR1TXNTZVUKC37r0ncK4QVlRpdsbY/B4p7dv4pLpU62\nwybk8LbRtnnWClMgnfOqwxf3hmpLPfZbq6frEaxAiJNJ2Im3FDv2EQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2F4NzIvTVNTSnFpaDdr\nSXhOL0VuUStTakhlalk5dDNrTjE4OUU5ckFrCmJ5ZzEySHMvT3lEd090bmZKOTBi\nQ0VuS2M2L29pK0tTbzF5NWZQWEVma2MKLS0tIEhFV1ZUNU5YWTliR09mS1FaUmNB\nRlFwbTZGUWh1VXhPU3hOT0N4U2s2RVEK6hlPy0ir3hf9JZ9ZPID3r6W3eewrzLNz\nDFhoK2cH6/2FtcBPLRxQkVRAimeFJrdalv1TJ6BZHUT6bkt7PTlkZQ==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-05T14:59:59Z",
-		"mac": "ENC[AES256_GCM,data:rJpbVc3WQSW9KzxX6fPZoKXf0Gg/nyS5UPRL505tBkzXWvL29K/Q+of5+139Y2vcvLPbWCF8FoOd+BQ0dAh7R3QCUuObjkt6eBqNZN1gxqG1me0NttZxmu3K4doI1uHrN8wSL4frgpMSFS2pAtxivd8Uqs/a32HieQcf1eshqEw=,iv:5vzhK2CucHXrTeux52+8tjaLbL2fvsB1StLHRLDpYuk=,tag:XFSVY6GbCwxxqljYAM8l8Q==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/modules/system/secrets/sops.mod.nix
+++ b/modules/system/secrets/sops.mod.nix
@ -1,146 +0,0 @@
-{
-  config,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib.attrsets) attrValues attrNames;
-  inherit (lib.strings) concatStringsSep hasSuffix;
-  inherit (lib.lists) flatten remove;
-  inherit (builtins)
-    fromJSON
-    listToAttrs
-    map
-    readFile
-    filter
-    readDir
-    ;
-
-  fromYAML = (pkgs.formats.yaml { }).generate;
-
-  # get the age key for a machine using
-  # nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'.
-  # sops_master_key
-  master_key = "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc";
-  # tempeance /persist/etc/ssh/ssh_host_ed25519_key
-  temperance_host_key = "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85";
-  # hermit /etc/ssh/ssh_host_ed25519_key
-  hermit_host_key = "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff";
-
-  # tower /etc/ssh/ssh_host_ed25519_key
-  tower_host_key = "age18ga6m08fjs2azav73sl8y4xudhld9ger3zwpnc5euy2j3cjam35sstud9w";
-
-  sops = pkgs.symlinkJoin {
-    name = "sops-wrapped";
-    paths = [ pkgs.sops ];
-    nativeBuildInputs = [ pkgs.makeWrapper ];
-    postBuild = ''
-      wrapProgram $out/bin/sops --add-flags " --config ${sopsConfig}"
-    '';
-    # --age ${keys}
-  };
-
-  mkRecipients = list: [ { age = list; } ];
-
-  sopsConfig = fromYAML ".sops.yaml" {
-    keys = [
-      master_key
-      hermit_host_key
-    ];
-    creation_rules = [
-      {
-        path_regex = "secrets.json";
-        key_groups = mkRecipients [
-          master_key
-          hermit_host_key
-          temperance_host_key
-          tower_host_key
-        ];
-      }
-      {
-        path_regex = "personal_info.json";
-        key_groups = mkRecipients [
-          master_key
-          hermit_host_key
-          tower_host_key
-          temperance_host_key
-        ];
-      }
-      {
-        path_regex = "server_secrets.json";
-        key_groups = mkRecipients [
-          master_key
-          tower_host_key
-          hermit_host_key
-          temperance_host_key
-        ];
-      }
-      {
-        path_regex = "uni_scope.toml";
-        key_groups = mkRecipients [
-          master_key
-          hermit_host_key
-          temperance_host_key
-        ];
-      }
-      {
-        path_regex = "organization_scope.toml";
-        key_groups = mkRecipients [
-          master_key
-          hermit_host_key
-          temperance_host_key
-        ];
-      }
-    ];
-  };
-
-  secretFiles = filter (file: hasSuffix "json" file) <| attrNames <| readDir ./.;
-
-  secretNames = file: remove "sops" <| attrNames <| fromJSON <| readFile <| ./. + "/${file}";
-  fileModes = {
-    "personal_info.json" = "0444";
-    "factorio_token" = "0444";
-  };
-
-  generateSecrets =
-    file:
-    map (n: {
-      name = n;
-      value = {
-        sopsFile = ./. + "/${file}";
-        mode = fileModes.${file} or "0400";
-      };
-    })
-    <| secretNames file;
-
-in
-{
-  imports = [
-    inputs.sops-nix.nixosModules.sops
-  ];
-
-  config = {
-    sops = {
-      defaultSopsFile = ./secrets.json;
-      defaultSopsFormat = "json";
-      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-      secrets = (listToAttrs <| filter (x: x != [ ]) <| flatten <| map generateSecrets secretFiles) // {
-        uni_scope = {
-          sopsFile = ./uni_scope.toml;
-          format = "binary";
-          mode = "0444";
-        };
-        organization_scope = {
-          sopsFile = ./organization_scope.toml;
-          format = "binary";
-          mode = "0444";
-        };
-      };
-    };
-    environment.systemPackages = attrValues {
-      inherit sops;
-    };
-  };
-}
--- a/modules/system/secrets/uni_scope.toml
+++ b/modules/system/secrets/uni_scope.toml
@ -1,23 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:l4IvlpDrDVnlArtnixJqwI0Ai3xG5jF5clhLGWOrqywd0lnKFjNDuEMcHlKN6cGmeFwX6i/6qkXcKT//pKNQDUvALzDY8PNp9AKV9/NmnQ7ZWzpyScXNqMnNwgs9+TA5SpKAZseVpEk3Nle29Jbene9BTYL614tlkL/uXO5KLLQAPZ4GGQ==,iv:qmrKAfdaDh3dVY95oKo666Knw7F29hi3O7zDIZFyYbc=,tag:Db54A+7rW7Amctx9lL9yBA==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1a4jv2avdlj5zzq9p7ss9958t4wt3an95c3j86eclge7q2qc6n3wq4ucymc",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlLzZCMVNkcmRMQTIvdk5N\nUVZ6TUVBT2s3RTYxMVlJZHU4RzFjVUdIckVZCks2MDRJSDdYVkpHN3llUXNnZDc5\nV29zMm12TmN6K0t3VmY2MmFBVVdZd1EKLS0tIFNXREFUOUoyZTNuWFdNdXBYY3FT\naTBickFBOUhBUTFvZXhMVHNGRmR0T3MKdSUtmD9xB5qypB+hj62/U57VyOzj5yt7\nhOoNvkOyVJuRWwtwEo8SBMKvFs+mzULqHJh7slFamM6VjEokhDE+zw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age12neldqxts6h3zstmk5hvmn2pq8s9qfhkt7cjcdd9wygekqrmparq6djsff",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsaXRGOXp5ZEVFcGN5V1JL\nM1NIcEhMUEFOZUJxRi9iYXJSRXhEZHVWZUdBCmxtN00yRXV2U0RlOUhiVU5PS2xz\nUWRYdHltTnlaQmR3SnJpY2VTbThKOGMKLS0tIEZiQlJLRDhvL2pMaEx5ZEpoS2xi\nQmdxcG9lTHVVYUlnY3JyOW1ybnEwc2sKqi80VUMu5lgXPbkQDGp4C7JuWSwESSqy\nVbm4TdvAXEn69t03O4+Vff+Bx5HsAzcWerA1+ZvlLBdkAYcGC2YKIw==\n-----END AGE ENCRYPTED FILE-----\n"
-			},
-			{
-				"recipient": "age16p3h2xu69lpy3f2msfs69q4uhu2hytkqk2p80ss9hxqcwky4cc6ss38x85",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMjJBb3RROUFkWURZejlv\nYXVXK0pkK2ZPTHpSZEJoaTlFY2hYMm1xREQ4Clh1VFFWVkRqTnJoT01EZkg3VytX\nakZ4UUJ4MSt4WVg3R2ZRRXJraUtxWFEKLS0tIHRWNjJYU1QydFZUZ0UzWmoyeU9t\nZ0gyMzRkOEt6TVZQMTZmdGpaUU9rTVkKct5ZlfiPrEJWC3hZsESbEr5ewUWgFL7r\n5WESkGmeA1coph5XzbO+asEfPcs2kRCZcOzRSsU55SNTwloDyCtuWg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-09-03T16:39:27Z",
-		"mac": "ENC[AES256_GCM,data:awRHWYorrKxyF1qUIXO6JZ6mVI3iCOSK9eVbltvaO2xCqdlyDEzRR5gvj2IZuK+I9rubPmlgB3/VfIeK/Kn1VbHGuKfRoHId9mwL27VgnOeD6UPQFMkqs0n/vYBydZUcy/U6QUnQnrqTt6V28yzgaqRaj2pR/ipPm7NMDjj1JkI=,iv:6+dmOJOMfkQu44b4T7oYQxh/NnpBTEtgXGnBh+3CpxI=,tag:jdzLQ+74sH6s/Lc2iT5V9g==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}
--- a/secrets/organization_scope.age
+++ b/secrets/organization_scope.age
--- a/secrets/rbw_config.age
+++ b/secrets/rbw_config.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,29 @@
+let
+  faukah = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGeejxEV2IZyiXKnh4EqfplfBHAAHrfYo7nXqr2MMlZ" ];
+
+  hermit = "";
+  temperance = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkxWaadx+19Zm4T5ScuNnrBcDvNNke6dUUAdTTJs0wF";
+  tower = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBWgQaeT0AVdfDWbOBfjHNW1XVmRbnrJ4SdrDV52LJcZ";
+  systems = [
+    hermit
+    temperance
+    tower
+  ];
+
+in
+{
+
+  "organization_scope.age".publicKeys = faukah ++ [
+    hermit
+    temperance
+  ];
+  "uni_scope.age".publicKeys = faukah ++ [
+    hermit
+    temperance
+  ];
+  "rbw_config.age".publicKeys = faukah ++ [
+    hermit
+    temperance
+  ];
+  "tuwunel_token_file.age".publicKeys = faukah ++ [ tower ];
+}
--- a/secrets/tuwunel_token_file.age
+++ b/secrets/tuwunel_token_file.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 esTGig oxyT3fMRR7TqPGq4sl0OqeaqTlzAxCCeHMsipCUfXkY
+IVPz6CQ8QGZcrW/GWdi5AwTL2OCDBgZ6YTOd0RndLxU
+-> ssh-ed25519 1m6k0Q XV1LqwhxumepyWsPFaql0KMD69T4HjGSips8VDZaL2o
+0M/f1mfyOVt/qzutsKPAyfRDQ+zcGmeRkaMZqo/Yfzw
+--- hlUxkTa5TKDRqiJYwHEUIKT5daWAx+cIsGVh952jtDA
+‘U›îò±ž>v6ÛæGÁ#û<b¡Œkáú«É4]É½âŒ¬æ<â@}SÁLÖ²¥lÎöÅ{nföÁžœÜ[ñ+ŒSŽ¾ãïk2¯¶þûQ<C3BB>_
--- a/secrets/uni_scope.age
+++ b/secrets/uni_scope.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 esTGig hQGR8v46uXOg6dL7STwden7O6OosaehUZ6J2jFOXRDk
+MDRxJNWL9SHT5lW2CTJS4m96Xl9Z6HXQ0xtPcBcqdPY
+-> ssh-ed25519 wOh7DA W9VB99g0YQT6HeSiSf79qbL8rxp9hkEPJJJvXfxesxo
+vkK+7+/H6GxabsDT3jUMzl6lgUXVfzwXFPGAmoRJ5PI
+--- JA3McSNaH9i3nkz/C6TQEW4Stl1UKk2PKufQAp6dWaI
+?ÖûÏó[kŒ`“U
¾c*ŸFËß2àãšs<C5A1>ÀåSw0šÉ_²ä.¥êWÛîgã+	¾½{èJIîMx%Þ©a<0B>æð{#och0Iq«¸ôéQ
®éé,A¡Î#›‘wžÕ¼¾Ê"—È_ ØL`ð_ÞªÚæ72…å{»k˜Šõ9©3<C2A9>ãõX¦ŸLëõbÔ?ø%ÓäxN¶|r‡cKeÉÎF
Author	SHA1	Message	Date
faukah	06c8228d16	gtk: set border-radius to 0	2025-09-08 20:34:15 +02:00
faukah	67003ca4e2	helix: disable completion-replace,	2025-09-08 20:33:03 +02:00
faukah	dec6d98f1e	flake: switch to agenix	2025-09-08 20:02:55 +02:00