refactor: update readme for file structure

README.md

@@ -1,15 +1,20 @@
-# NixOS & Home Manager config
+# Flocon
 
 This repository contains all my system configurations, mostly deployed using Nix and [Clan].
 
 ## Structure
 
-- **home**: Dotfiles
-- **machines**: Host-specific configs
-- **infra**: Terraform/OpenTofu files
-- **vars**: Encrypted secrets managed by clan
-- **modules**: NixOS modules
+The file hierarchy is based on the flake's structure, using [flake parts] conventions.
+
+- **clan**: Clan configuration
 - **clanServices**: Custom [Clan Services](https://docs.clan.lol/reference/clanServices)
+- **home**: Dotfiles
+- **homeModules**: [Home Manager] modules
+- **infra**: [Terranix] files (for Terraform/OpenTofu)
+- **machines**: Per-host configurations
+- **nixosModules**: [NixOS] modules
+- **packages**: Nix packages
+- **vars**: Encrypted secrets managed by clan
 
 ## Dotfiles
 
@@ -19,4 +24,8 @@ This repository contains all my system configurations, mostly deployed using Nix
 dotbot -c ./dotbot/windows.yaml -d home
 ```
 
-[Clan]: https//clan.lol
+[Clan]: https://clan.lol
+[Home Manager]: https://home-manager.dev
+[NixOS]: https://nixos.org
+[Terranix]: https://terranix.org
+[Flake parts]: https://flake.parts

clan/flake-module.nix

@@ -93,7 +93,7 @@
     module.input = "clan-core";
     module.name = "importer";
     roles.default.tags.garage = { };
-    roles.default.extraModules = [ ../modules/garage.nix ];
+    roles.default.extraModules = [ self.nixosModules.garage ];
   };
 
   clan.inventory.instances."trusted-nix-caches" = {
@@ -123,7 +123,7 @@
       }
     );
     roles.client.extraModules = [
-      ../modules/storagebox.nix
+      self.nixosModules.storagebox
     ];
     roles.server.machines = { };
   };

flake.lock

@@ -10,11 +10,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1768230255,
-        "narHash": "sha256-d98+nRSV2X86LcJUDZDAR9wvmmGG1uMzY5/zJdKH9pU=",
+        "lastModified": 1770625627,
+        "narHash": "sha256-mjQp38qba98jsSVPCdLHPbIt+KSPECTGfq04qrDie/s=",
         "owner": "nix-community",
         "repo": "buildbot-nix",
-        "rev": "6c62d4e0e82b607638b00d6f4f4ad06646342826",
+        "rev": "9104e3d8c1e63238e4c64f53c90c5eb1fd67268b",
         "type": "github"
       },
       "original": {
@@ -40,11 +40,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1768662392,
-        "narHash": "sha256-tE6k6yaQDF1n4YkTC4aH+BgKNQM36bYdhslP0udgMyY=",
+        "lastModified": 1770649721,
+        "narHash": "sha256-4syGZZIi6sYvstH4d9+uoWai2JZclf+1xahZjr08/P0=",
         "ref": "refs/heads/main",
-        "rev": "1f2f93239ef3638d4b7a2187d021b8d8fe6507b8",
-        "revCount": 12169,
+        "rev": "c976a9743f9a4ea6e0915ef17c6a6ddb0652dce1",
+        "revCount": 12867,
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-core"
       },
@@ -53,6 +53,21 @@
         "url": "https://git.clan.lol/clan/clan-core"
       }
     },
+    "crane": {
+      "locked": {
+        "lastModified": 1765145449,
+        "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "data-mesher": {
       "inputs": {
         "flake-parts": [
@@ -69,11 +84,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768383623,
-        "narHash": "sha256-X1jD5UvgYW50wWxdxJn9b8hiOvpSoLcO3ZC1AZx7+gQ=",
-        "rev": "82c2fbf84ea0162d95b4958f02499e68c9a843a6",
+        "lastModified": 1770409579,
+        "narHash": "sha256-reWzIb3dxJnLcwBEuT6khzEDvCiBCVTiqBR9C4vH/jg=",
+        "rev": "5065ddc67a7009fb81a29f43aa056b2a4552ed96",
         "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/82c2fbf84ea0162d95b4958f02499e68c9a843a6.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/5065ddc67a7009fb81a29f43aa056b2a4552ed96.tar.gz"
       },
       "original": {
         "type": "tarball",
@@ -91,11 +106,11 @@
         "treefmt-nix": "treefmt-nix_3"
       },
       "locked": {
-        "lastModified": 1768657403,
-        "narHash": "sha256-YkbdCu2ZInQj72rQQLgVP2x1m8il8+DtwzypBiYrrfE=",
+        "lastModified": 1770621819,
+        "narHash": "sha256-2lc95nmYS9nic05NfuXyYTqsJqcPXNrDTqJd/nwoT2s=",
         "owner": "Mic92",
         "repo": "direnv-instant",
-        "rev": "ab8c70c557f610e20008eb407d17cfd78b44ea1c",
+        "rev": "03b6fe502b6f9247aaf5df9dbab6eb102bce43ed",
         "type": "github"
       },
       "original": {
@@ -112,11 +127,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766150702,
-        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "lastModified": 1769524058,
+        "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
         "type": "github"
       },
       "original": {
@@ -132,11 +147,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766150702,
-        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "lastModified": 1769524058,
+        "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
         "type": "github"
       },
       "original": {
@@ -145,6 +160,22 @@
         "type": "github"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -153,11 +184,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767609335,
-        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
+        "lastModified": 1769996383,
+        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
+        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
         "type": "github"
       },
       "original": {
@@ -173,11 +204,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768135262,
-        "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
+        "lastModified": 1769996383,
+        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
+        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
         "type": "github"
       },
       "original": {
@@ -186,6 +217,28 @@
         "type": "github"
       }
     },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "hercules-ci-effects": {
       "inputs": {
         "flake-parts": [
@@ -198,11 +251,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765774562,
-        "narHash": "sha256-UQhfCggNGDc7eam+EittlYmeW89CZVT1KkFIHZWBH7k=",
+        "lastModified": 1768476106,
+        "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=",
         "owner": "hercules-ci",
         "repo": "hercules-ci-effects",
-        "rev": "edcbb19948b6caf1700434e369fde6ff9e6a3c93",
+        "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb",
         "type": "github"
       },
       "original": {
@@ -218,11 +271,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768598210,
-        "narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
+        "lastModified": 1770654520,
+        "narHash": "sha256-mg5WZMIPGsFu9MxSrUcuJUPMbfMsF77el5yb/7rc10k=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
+        "rev": "6c4fdbe1ad198fac36c320fd45c5957324a80b8e",
         "type": "github"
       },
       "original": {
@@ -231,6 +284,30 @@
         "type": "github"
       }
     },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit": "pre-commit",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1765382359,
+        "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v1.0.0",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
     "nix-darwin": {
       "inputs": {
         "nixpkgs": [
@@ -239,11 +316,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768561867,
-        "narHash": "sha256-prGOZ+w3pZfGTRxworKcJliCNsewF0L4HUPjgU/6eaw=",
+        "lastModified": 1770184146,
+        "narHash": "sha256-DsqnN6LvXmohTRaal7tVZO/AKBuZ02kPBiZKSU4qa/k=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "8b720b9662d4dd19048664b7e4216ce530591adc",
+        "rev": "0d7874ef7e3ba02d58bebb871e6e29da36fa1b37",
         "type": "github"
       },
       "original": {
@@ -286,11 +363,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1764234087,
-        "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
+        "lastModified": 1769813415,
+        "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
+        "rev": "8946737ff703382fda7623b9fab071d037e897d5",
         "type": "github"
       },
       "original": {
@@ -301,11 +378,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1768584846,
-        "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=",
+        "lastModified": 1770631810,
+        "narHash": "sha256-b7iK/x+zOXbjhRqa+XBlYla4zFvPZyU5Ln2HJkiSnzc=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440",
+        "rev": "2889685785848de940375bf7fea5e7c5a3c8d502",
         "type": "github"
       },
       "original": {
@@ -333,11 +410,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1768564909,
-        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+        "lastModified": 1770562336,
+        "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+        "rev": "d6c71932130818840fc8fe9509cf50be8c64634f",
         "type": "github"
       },
       "original": {
@@ -347,6 +424,29 @@
         "type": "github"
       }
     },
+    "pre-commit": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765016596,
+        "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "buildbot-nix": "buildbot-nix",
@@ -355,6 +455,7 @@
         "disko": "disko_2",
         "flake-parts": "flake-parts_2",
         "home-manager": "home-manager",
+        "lanzaboote": "lanzaboote",
         "nixos-generators": "nixos-generators",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
@@ -362,6 +463,27 @@
         "terranix": "terranix"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1765075567,
+        "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -370,11 +492,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768481291,
-        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
+        "lastModified": 1770526836,
+        "narHash": "sha256-xbvX5Ik+0inJcLJtJ/AajAt7xCk6FOCrm5ogpwwvVDg=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
+        "rev": "d6e0e666048a5395d6ea4283143b7c9ac704720d",
         "type": "github"
       },
       "original": {
@@ -390,11 +512,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768523683,
-        "narHash": "sha256-UbkyPXPPAbz0gHIWvHZ+jrPTruZqkpuwTFo5JXPnIgU=",
+        "lastModified": 1770603164,
+        "narHash": "sha256-2jJNzobNvy307k/FJxDWR6aO6FmClILFdA78CzdW9zY=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "90e9331fd79d4c3bb5c1e7cd2df2e560565fe543",
+        "rev": "aa7bed2868237fad33b5ba12fca8f4f7a4dc07c5",
         "type": "github"
       },
       "original": {
@@ -465,11 +587,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768031762,
-        "narHash": "sha256-b2gJDJfi+TbA7Hu2sKip+1mWqya0GJaWrrXQjpbOVTU=",
+        "lastModified": 1770228511,
+        "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "0c445aa21b01fd1d4bb58927f7b268568af87b20",
+        "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7",
         "type": "github"
       },
       "original": {
@@ -486,11 +608,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768158989,
-        "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
+        "lastModified": 1770228511,
+        "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
+        "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7",
         "type": "github"
       },
       "original": {
@@ -507,11 +629,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768031762,
-        "narHash": "sha256-b2gJDJfi+TbA7Hu2sKip+1mWqya0GJaWrrXQjpbOVTU=",
+        "lastModified": 1770228511,
+        "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "0c445aa21b01fd1d4bb58927f7b268568af87b20",
+        "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,29 +3,30 @@
 
   outputs =
     inputs@{
-      nixpkgs,
       clan-core,
       flake-parts,
       ...
     }:
-    flake-parts.lib.mkFlake { inherit inputs; } ({
+    flake-parts.lib.mkFlake { inherit inputs; } {
       imports = [
         clan-core.flakeModules.default
+        inputs.home-manager.flakeModules.home-manager
         inputs.terranix.flakeModule
         ./clan/flake-module.nix
         ./clanServices/flake-module.nix
         ./devShells/flake-module.nix
-        ./home-manager/flake-module.nix
+        ./homeModules/flake-module.nix
         ./infra/flake-module.nix
-        ./modules/flake-module.nix
+        ./nixosModules/flake-module.nix
         ./packages/flake-module.nix
+        ./flakeModules/flake-module.nix
       ];
 
       systems = [
         "x86_64-linux"
         "aarch64-linux"
       ];
-    });
+    };
 
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
@@ -60,5 +61,8 @@
     terranix.url = "github:terranix/terranix";
     terranix.inputs.nixpkgs.follows = "nixpkgs";
     terranix.inputs.flake-parts.follows = "flake-parts";
+
+    lanzaboote.url = "github:nix-community/lanzaboote/v1.0.0";
+    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
   };
 }

flakeModules/atuin.nix

@@ -0,0 +1,16 @@
+{
+  flake.nixosModules.atuin-config = {
+    clan.core.vars.generators.atuin = {
+      prompts.key.persist = true;
+      files.key.owner = "rpqt";
+    };
+  };
+
+  flake.homeModules.atuin-config =
+    { config, osConfig, ... }:
+    {
+      programs.atuin.enable = true;
+      xdg.dataFile."atuin/key".source =
+        config.lib.file.mkOutOfStoreSymlink osConfig.clan.core.vars.generators.atuin.files.key.path;
+    };
+}

flakeModules/flake-module.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./atuin.nix
+  ];
+}

home-manager/desktop/fonts.nix

@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-{
-  home.packages = [
-    pkgs.nerd-fonts.jetbrains-mono
-    pkgs.noto-fonts-color-emoji
-  ];
-
-  fonts.fontconfig.enable = true;
-  fonts.fontconfig.defaultFonts = {
-    sansSerif = [ "Adwaita Sans" ];
-    monospace = [ "Adwaita Mono" ];
-  };
-}

home-manager/desktop/pass.nix

@@ -1,14 +0,0 @@
-{ pkgs, ... }:
-{
-  home.packages = [
-    pkgs.pass
-    pkgs.gnupg
-    pkgs.pinentry-gnome3
-  ];
-
-  programs.gpg.enable = true;
-  services.gpg-agent = {
-    enable = true;
-    pinentry.package = pkgs.pinentry-gnome3;
-  };
-}

home-manager/flake-module.nix

@@ -1,5 +0,0 @@
-{
-  flake.homeManagerModules = {
-    dotfiles.imports = [ ./dotfiles.nix ];
-  };
-}

home/.config/alacritty/alacritty.toml

@@ -1,6 +1,6 @@
 [general]
-live_config_reload = false
-import = ["~/.config/alacritty/themes/kanagawa_wave.toml"]
+live_config_reload = true
+import = ["~/.config/alacritty/themes/default_light.toml"]
 
 [font]
 size = 14

home/.config/alacritty/themes/default_light.toml

@@ -0,0 +1,33 @@
+# Colors (Builtin Light)
+
+[colors.bright]
+black = '#555555'
+blue = '#5555ff'
+cyan = '#22cccc'
+green = '#2fd92f'
+magenta = '#ff55ff'
+red = '#ff5555'
+white = '#ffffff'
+yellow = '#bfbf15'
+
+[colors.cursor]
+cursor = '#000000'
+text = '#ffffff'
+
+[colors.normal]
+black = '#000000'
+blue = '#0000bb'
+cyan = '#00bbbb'
+green = '#00bb00'
+magenta = '#bb00bb'
+red = '#bb0000'
+white = '#bbbbbb'
+yellow = '#bbbb00'
+
+[colors.primary]
+background = '#ffffff'
+foreground = '#000000'
+
+[colors.selection]
+background = '#b5d5ff'
+text = '#000000'

home/.config/direnv/direnv.toml

@@ -0,0 +1,2 @@
+[global]
+hide_env_diff = true

home/.config/helix/languages.toml

@@ -44,6 +44,8 @@ source = { git = "https://github.com/treeman/tree-sitter-djot", rev = "master" }
 [[language]]
 name = "nix"
 formatter = { command = "nixfmt" }
+auto-format = true
+language-servers = [ "nixd" ]
 
 [[language]]
 name = "java"

home/.config/niri/config.kdl

@@ -3,6 +3,8 @@ include "dms/binds.kdl"
 include "dms/colors.kdl"
 include "dms/layout.kdl"
 include "dms/wpblur.kdl"
+include "dms/cursor.kdl"
+include "dms/outputs.kdl"
 
 input {
     keyboard {

home/bin/switch-helix-theme.sh

@@ -1,15 +1,29 @@
 #!/usr/bin/env bash
 
-set -euox pipefail
+set -eu
 
 HELIX_CONFIG_PATH=$(readlink -f "${HOME}/.config/helix/config.toml")
 HELIX_THEME_LIGHT="zed_onelight"
 HELIX_THEME_DARK="kanagawa"
 
-if [[ "$2" == "prefer-dark" ]]; then
-  sed -i "s/^theme .*/theme = \"$HELIX_THEME_DARK\"/" "$HELIX_CONFIG_PATH"
+ALACRITTY_CONFIG_PATH=$(readlink -f "${HOME}/.config/alacritty/alacritty.toml")
+ALACRITTY_THEME_LIGHT="default_light"
+ALACRITTY_THEME_DARK="kanagawa_wave"
+
+set_helix_theme() {
+  sed -i "s/^theme .*/theme = \"$1\"/" "$HELIX_CONFIG_PATH"
+}
+
+set_alacritty_theme() {
+  sed -i "s/^import .*/import = \[\"\~\/\.config\/alacritty\/themes\/$1\.toml\"\]/" "$ALACRITTY_CONFIG_PATH"
+}
+
+if [[ "$2" == "dark" || "$2" == "prefer-dark" ]]; then
+  set_helix_theme "$HELIX_THEME_DARK"
+  set_alacritty_theme "$ALACRITTY_THEME_DARK"
 else
-  sed -i "s/^theme .*/theme = \"$HELIX_THEME_LIGHT\"/" "$HELIX_CONFIG_PATH"
+  set_helix_theme "$HELIX_THEME_LIGHT"
+  set_alacritty_theme "$ALACRITTY_THEME_LIGHT"
 fi
 
 pkill -USR1 hx || true

homeModules/chat.nix

@@ -6,7 +6,7 @@
 }:
 {
   imports = [
-    self.homeManagerModules.dotfiles
+    self.homeModules.dotfiles
   ];
 
   home.packages = with pkgs; [ senpai ];

homeModules/cli.nix

@@ -21,7 +21,7 @@ let
 in
 {
   imports = [
-    self.homeManagerModules.dotfiles
+    self.homeModules.dotfiles
   ];
 
   home.packages = with pkgs; [
@@ -53,10 +53,6 @@ in
   programs.starship.enable = true;
   programs.bat.enable = true;
 
-  programs.atuin.enable = true;
-  xdg.dataFile."atuin/key".source =
-    config.lib.file.mkOutOfStoreSymlink osConfig.clan.core.vars.generators.atuin.files.key.path;
-
   programs.zsh = {
     enable = true;
     syntaxHighlighting.enable = true;
@@ -68,6 +64,33 @@ in
     inherit shellAliases;
   };
 
+  programs.zellij.enable = true;
+
+  # programs.khal = {
+  #   enable = true;
+  # };
+
+  # accounts.calendar.basePath = ".calendar";
+
+  # programs.pimsync.enable = true;
+
+  # accounts.calendar.accounts.personal = {
+  #   pimsync.enable = true;
+  #   khal.enable = true;
+  #   thunderbird.enable = true;
+  #   remote = {
+  #     url = "https://cloud.rpqt.fr/remote.php/dav/calendars/rpqt/personal/";
+
+  #     type = "caldav";
+  #     userName = "rpqt@rpqt.fr";
+  #     passwordCommand = [
+  #       "sh"
+  #       "-c"
+  #       "passage web/cloud.rpqt.fr | head -n 1"
+  #     ];
+  #   };
+  # };
+
   xdg.configFile."git".source = "${config.dotfiles.path}/.config/git";
   xdg.configFile."jj/config.toml".source = "${config.dotfiles.path}/.config/jj/config.toml";
   xdg.configFile."task/taskrc".source = "${config.dotfiles.path}/.config/task/taskrc";

homeModules/desktop/fonts.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  home.packages = [
+    pkgs.nerd-fonts.jetbrains-mono
+    pkgs.noto-fonts-color-emoji
+  ];
+}

homeModules/desktop/pass.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+let
+  pass-alias = pkgs.writeShellScriptBin "pass" ''
+    exec ${pkgs.passage}/bin/passage "$@"
+  '';
+in
+{
+  home.packages = [
+    # pkgs.pass
+    pass-alias
+    pkgs.gnupg
+    pkgs.pinentry-gnome3
+  ];
+
+  # programs.gpg.enable = true;
+  services.gpg-agent = {
+    enable = false;
+    pinentry.package = pkgs.pinentry-gnome3;
+  };
+}

homeModules/desktop/terminal.nix

@@ -6,7 +6,7 @@
 }:
 {
   imports = [
-    self.homeManagerModules.dotfiles
+    self.homeModules.dotfiles
   ];
 
   home.packages = [
@@ -15,8 +15,7 @@
   ];
 
   programs.alacritty.enable = true;
-  xdg.configFile."alacritty/alacritty.toml".source =
-    "${config.dotfiles.path}/.config/alacritty/alacritty.toml";
+  xdg.configFile."alacritty".source = "${config.dotfiles.path}/.config/alacritty";
 
   xdg.configFile."ghostty/config".source = "${config.dotfiles.path}/.config/ghostty/config";
 }

homeModules/dev.nix

@@ -8,8 +8,9 @@
   imports = [
     ./cli.nix
     ./helix.nix
-    self.homeManagerModules.dotfiles
+    self.homeModules.dotfiles
     self.inputs.direnv-instant.homeModules.direnv-instant
+    self.homeModules.atuin-config
   ];
 
   home.packages = with pkgs; [
@@ -25,7 +26,8 @@
     radicle-tui
     typescript-language-server
     nil # Nix language server
-    nixfmt-rfc-style
+    nixd
+    nixfmt
     nixpkgs-review
   ];
 
@@ -37,6 +39,8 @@
 
   programs.direnv-instant.enable = true;
 
+  xdg.configFile."direnv/direnv.toml".source = "${config.dotfiles.path}/.config/direnv/direnv.toml";
+
   xdg.configFile."hut/config".source = "${config.dotfiles.path}/.config/hut/config";
   home.file.".ssh/config".source = "${config.dotfiles.path}/.ssh/config";
 }

homeModules/flake-module.nix

@@ -0,0 +1,27 @@
+{ lib, ... }:
+{
+  flake.homeModules =
+    (builtins.readDir ./.)
+    |> lib.filterAttrs (
+      path: type:
+      (type == "directory" && lib.filesystem.pathIsRegularFile (./${path}/default.nix))
+      || (type == "regular" && (lib.hasSuffix ".nix" path))
+    )
+    |> lib.mapAttrs' (
+      path: type:
+      if type == "directory" then
+        {
+          name = path;
+          value = {
+            imports = [ ./${path} ];
+          };
+        }
+      else
+        {
+          name = lib.removeSuffix ".nix" path;
+          value = {
+            imports = [ ./${path} ];
+          };
+        }
+    );
+}

homeModules/helix.nix

@@ -6,7 +6,7 @@
 }:
 {
   imports = [
-    self.homeManagerModules.dotfiles
+    self.homeModules.dotfiles
   ];
 
   home.packages = [ pkgs.helix ];

homeModules/niri.nix

@@ -1,8 +1,7 @@
 { self, config, ... }:
 {
   imports = [
-    self.homeManagerModules.dotfiles
-    ./wayland.nix
+    self.homeModules.dotfiles
   ];
 
   xdg.configFile."niri".source = "${config.dotfiles.path}/.config/niri";

infra/README.md

@@ -9,6 +9,11 @@ gandi_token = XXX
 hcloud_token = YYY
 ```
 
+## Deploying
+
+Apply configuration from the repository root with `nix run .#infra.apply` (runs `tofu apply`).
+There is also `nix run .#infra.plan` for `tofu plan`, etc.
+
 ## Importing
 
 To import already existent resources, use the `import` command:

infra/lib.nix

@@ -24,7 +24,7 @@ in
           value = lib.tf.ref ''provider::hcloud::txt_record("v=spf1 include:spf.migadu.com -all")'';
         }
         {
-          value = lib.tf.ref ''provider::hcloud::txt_record("hosted-email-verify=pgeaq3bp")'';
+          value = lib.tf.ref ''provider::hcloud::txt_record("hosted-email-verify=${hostedEmailVerify}")'';
         }
       ];
     };

infra/web.nix

@@ -51,6 +51,20 @@
         records = [ { value = infra.machines.verbena.ipv6; } ];
       };
 
+      git_rpqt_fr_a = {
+        zone = config.resource.hcloud_zone.rpqt_fr "name";
+        name = "git";
+        type = "A";
+        records = [ { value = infra.machines.verbena.ipv4; } ];
+      };
+
+      git_rpqt_fr_aaaa = {
+        zone = config.resource.hcloud_zone.rpqt_fr "name";
+        name = "git";
+        type = "AAAA";
+        records = [ { value = infra.machines.verbena.ipv6; } ];
+      };
+
       buildbot_turifer_dev_a = {
         zone = config.resource.hcloud_zone.turifer_dev "name";
         name = "buildbot";

machines/crocus/configuration.nix

@@ -6,7 +6,7 @@
   imports = [
     self.nixosModules.radicle
     self.nixosModules.nix-defaults
-    ../../modules/remote-builder.nix
+    self.nixosModules.remote-builder
     self.inputs.srvos.nixosModules.server
     self.inputs.srvos.nixosModules.hardware-hetzner-cloud
   ];

machines/genepi/builder.nix

@@ -1,6 +1,7 @@
+{ self, ... }:
 {
   imports = [
-    ../../modules/remote-builder.nix
+    self.nixosModules.remote-builder
   ];
 
   roles.remote-builder = {

machines/genepi/configuration.nix

@@ -17,8 +17,7 @@
     ./pinchflat.nix
     ./syncthing.nix
 
-    ../../modules/acme-home.nix
-    ../../modules/lounge.nix
+    self.nixosModules.lounge
     self.nixosModules.nix-defaults
 
     self.nixosModules.user-rpqt

machines/genepi/glance-config.nix

@@ -65,6 +65,11 @@
                   url = "https://git.turifer.dev";
                   icon = "sh:gitea";
                 }
+                {
+                  title = "Forgejo";
+                  url = "https://git.rpqt.fr";
+                  icon = "sh:forgejo";
+                }
                 {
                   title = "Pinchflat";
                   url = "https://pinchflat.${tld}";

machines/haze/configuration.nix

@@ -8,7 +8,6 @@
     ./boot.nix
     ./chat.nix
     ./gimp.nix
-    ./gnome.nix
     ./hibernate.nix
     ./niri.nix
     ./ssh.nix
@@ -16,8 +15,9 @@
     ./network.nix
     ./syncthing.nix
 
+    self.nixosModules.atuin-config
     self.nixosModules.desktop
-    self.nixosModules.dev
+    self.nixosModules.lanzaboote
     self.nixosModules.nix-defaults
 
     self.inputs.home-manager.nixosModules.home-manager
@@ -26,7 +26,6 @@
       home-manager.useUserPackages = true;
       home-manager.users.rpqt = ./home.nix;
       home-manager.extraSpecialArgs = {
-        inherit (self) inputs;
         inherit self;
       };
     }
@@ -86,4 +85,9 @@
   };
 
   services.tailscale.useRoutingFeatures = "client";
+
+  services.displayManager.autoLogin = {
+    enable = true;
+    user = "rpqt";
+  };
 }

machines/haze/home.nix

@@ -1,15 +1,15 @@
+{ self, ... }:
 {
   imports = [
-    ../../home-manager/chat.nix
-    ../../home-manager/common.nix
-    ../../home-manager/desktop
-    ../../home-manager/dev.nix
-    ../../home-manager/helix.nix
-    ../../home-manager/mail
-    ../../home-manager/minecraft.nix
-    ../../home-manager/desktop
-    ../../home-manager/desktop/gnome.nix
-    ../../home-manager/desktop/niri.nix
-    ../../home-manager/desktop/vicinae.nix
+    self.homeModules.chat
+    self.homeModules.common
+    self.homeModules.desktop
+    self.homeModules.dev
+    self.homeModules.helix
+    self.homeModules.mail
+    self.homeModules.minecraft
+    self.homeModules.desktop
+    self.homeModules.niri
+    self.homeModules.vicinae
   ];
 }

machines/verbena/configuration.nix

@@ -4,6 +4,7 @@
     self.nixosModules.nix-defaults
     self.nixosModules.nextcloud
     self.nixosModules.gitea
+    self.nixosModules.forgejo
     self.nixosModules.vaultwarden
 
     self.inputs.srvos.nixosModules.server

modules/desktop.nix

@@ -1,25 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = [
-    pkgs.mpv # video player
-    pkgs.amberol # music player
-    pkgs.alacritty
-    pkgs.ghostty
-    pkgs.libreoffice
-    pkgs.nautilus
-  ];
-
-  programs.firefox = {
-    enable = true;
-    nativeMessagingHosts.packages = [ pkgs.passff-host ];
-  };
-
-  programs.thunderbird.enable = true;
-
-  programs.nautilus-open-any-terminal = {
-    enable = true;
-    terminal = "ghostty";
-  };
-
-  services.pcscd.enable = true;
-}

modules/dev.nix

@@ -1,6 +0,0 @@
-{
-  clan.core.vars.generators.atuin = {
-    prompts.key.persist = true;
-    files.key.owner = "rpqt";
-  };
-}

nixosModules/borgbackup.nix

@@ -6,7 +6,7 @@ let
 in
 {
   imports = [
-    ./storagebox.nix
+    self.nixosModules.storagebox
     self.inputs.clan-core.clanModules.borgbackup
   ];
 

nixosModules/desktop.nix

@@ -0,0 +1,53 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [
+    pkgs.mpv # video player
+    pkgs.amberol # music player
+    pkgs.alacritty
+    pkgs.ghostty
+    pkgs.libreoffice
+    pkgs.nautilus
+  ];
+
+  fonts.packages = [
+    pkgs.inter
+  ];
+
+  programs.firefox = {
+    enable = true;
+    languagePacks = [ "fr" ];
+  };
+
+  programs.thunderbird.enable = true;
+
+  programs.nautilus-open-any-terminal = {
+    enable = true;
+    terminal = "ghostty";
+  };
+
+  # services.yubikey-agent.enable = true;
+  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
+
+  services.pcscd.enable = true;
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  hardware.bluetooth.enable = true;
+
+  services.displayManager = {
+    sddm.enable = true;
+    sddm.wayland.enable = true;
+  };
+
+  # Display manager keyboard layout
+  services.xserver = {
+    enable = true;
+    xkb.layout = "fr";
+  };
+}

nixosModules/forgejo.nix

@@ -0,0 +1,76 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.forgejo;
+in
+{
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+
+    settings = {
+      # storage = {
+      # };
+
+      server = {
+        ROOT_URL = "https://${cfg.settings.server.DOMAIN}";
+        DOMAIN = "git.rpqt.fr";
+        HTTP_PORT = 3001;
+        LANDING_PAGE = "explore";
+      };
+
+      session.PROVIDER = "db";
+      session.COOKIE_SECURE = true;
+
+      service.DISABLE_REGISTRATION = true;
+
+      # Create a repository by pushing to it
+      repository.ENABLE_PUSH_CREATE_USER = true;
+    };
+  };
+
+  systemd.services.forgejo.environment = {
+    FORGEJO__storage__STORAGE_TYPE = "minio";
+    FORGEJO__storage__MINIO_ENDPOINT = "localhost:3900";
+    FORGEJO__storage__MINIO_BUCKET = "forgejo";
+    FORGEJO__storage__MINIO_LOCATION = "garage";
+    FORGEJO__storage__MINIO_USE_SSL = "false";
+  };
+
+  systemd.services.forgejo.serviceConfig = {
+    LoadCredential = [
+      "minio_access_key_id:${config.clan.core.vars.generators.forgejo-s3-storage.files.access-key-id.path}"
+      "minio_secret_access_key:${config.clan.core.vars.generators.forgejo-s3-storage.files.access-key-secret.path}"
+    ];
+    Environment = [
+      "FORGEJO__storage__MINIO_ACCESS_KEY_ID__FILE=%d/minio_access_key_id"
+      "FORGEJO__storage__MINIO_SECRET_ACCESS_KEY__FILE=%d/minio_secret_access_key"
+    ];
+  };
+
+  clan.core.vars.generators.forgejo-s3-storage = {
+    prompts.access-key-id = {
+      description = "s3 access key id";
+      type = "line";
+      persist = true;
+    };
+    prompts.access-key-secret = {
+      description = "s3 access key secret";
+      type = "hidden";
+      persist = true;
+    };
+  };
+
+  clan.core.state.forgejo.folders = [ config.services.forgejo.stateDir ];
+
+  services.nginx.virtualHosts."git.rpqt.fr" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString (cfg.settings.server.HTTP_PORT)}";
+    };
+  };
+
+  security.acme.certs."git.rpqt.fr" = {
+    email = "admin@rpqt.fr";
+  };
+}

nixosModules/lanzaboote.nix

@@ -0,0 +1,23 @@
+{
+  self,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    self.inputs.lanzaboote.nixosModules.lanzaboote
+  ];
+
+  environment.systemPackages = [
+    # For debugging and troubleshooting Secure Boot.
+    pkgs.sbctl
+  ];
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
+}

nixosModules/nextcloud.nix

@@ -34,7 +34,7 @@ in
     };
     extraAppsEnable = true;
     extraApps = {
-      # inherit (pkgs.nextcloud32Packages.apps) tasks;
+      inherit (config.services.nextcloud.package.packages.apps) tasks contacts calendar;
     };
   };
 

vars/per-machine/verbena/forgejo-s3-storage/access-key-id/machines/verbena

@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena

vars/per-machine/verbena/forgejo-s3-storage/access-key-id/secret

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:lILPrDhV479Rju4cNbtcEGU0KhOM7Xirbvk=,iv:LVMTgLoV53cRoa7xP0kvWWZyRC3zL8N00UfQQ/dPafY=,tag:q7PoGHYjI5Sa/3h7xZ0kZg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTb3o4ejBZSUcvU1J4aDJ1\nMS8wVUFhaUZtSGlSZ3N6bUVSU1FxQ21DM0dnCjc4WDFmWWpra2lGMVBManpoSjVH\nSldZL3lBR2ZzSWd4VDZDUGtmSnpuRGsKLS0tIHVvcXVJUDZrekNxZFZtL0p0dUR0\nQ211dFpBQ0xEbWRNaisyVWU1TDZnbmMK3VhJbIlVy2jCbzEjSbR9PkN9oZNGjDfm\n7cSnYX8qLaHOJqAAj2isN7SeeYTpRE1IWiguXwKB9bhtij+1S6ymyA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBROWxkUGhUY3pVZk9EQVlO\ndnVKeUM0TThJeGZTOEV2MkVudCttQUVBdDI0CnZwWFBpYTVYR3l5L0RQb05HbTd2\nbndPaEpZWXFTOXl3VE5lWDFrV29mQ1EKLS0tIExMaVpVWXpORExxWWEyNDVia3RM\nMkxTQ0QzM21SeE9NUGlWeGJRMFE0SWcKRaL0GXuZ4/9NKeKFNmJIORpEsVOKBhR4\nzcnJGwY2QnteYkfHhUiZT7vBPIKC6xsCD2gtLAywjX1KUr+FZb4YaA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBeXZGMnBO\nZGRGRW02MXE1TXc0dEErejFQSURKSFo4SEUrQnJXZTdicE9hKwpCTUY1Q2hkT3BC\nV2xmWFR4Zjh5VWF5VzQ5azFkVEF2eS9Fcy9wVUVCYUs4Ci0tLSBLb3RSenEwcDUv\nTitHN3FpNDZHaDlpbWc2cDVkNzlxZCtXWkZGbUxLQnNFCoR/dPrE99WjUojR2Nl1\nC8ZHNnJE53jI1lQGvy5aSo3HmKt97dQwlYuJ0MvHu3CtL9DUenEAfe/OSL4PIb+p\nUZA=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBM2tyQURp\ncGlwTlF1M1JTSXBVM1BlUXYrQ2d2dTRudUwwVDRUdXBubU5OdApmdG1sbS9UcnU0\nYjh0bGlGd2FSdU9pcmEyck9PWkUrUlBFRlR2SVBBLy9RCi0tLSBlL2hVeHRJL1lw\nN1ZVeGFOUGVtVmIwZzc4QzNCdUx1WGhTMGlkYjh6RDFNCqyR5iQ9aCIgCmi2mKDZ\nHPHlerB0TLlvU50w7WLUXzjPts+ZQVE3fMLHUrFi09D1zyKYrB0kDYDcSgcK9j7m\ncTY=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-01-23T12:31:31Z",
+		"mac": "ENC[AES256_GCM,data:9s8Kfn08MtBUg9D3MjAfYgEVJ+tsLI3K5DzZec+dl4EzDh3RuF12OI2GbWMgzpAHcEVBcBC0mpvY+ITSTPViNlCu/YBWRzpO9QQPBKRO7VwlwlKIhydjIK+t71QCDiMfWUVEHC5vmYiZeF0uwXSuD/+1WMUFsFYG1LUauN0dhVA=,iv:3mvjAuOQMypsTmzLvBl2H7Pb5CcwHdV9hvZAoWcVOQ0=,tag:hJoTCtWVtC9wBPOn8WDofw==,type:str]",
+		"version": "3.11.0"
+	}
+}

vars/per-machine/verbena/forgejo-s3-storage/access-key-id/users/rpqt

@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt

vars/per-machine/verbena/forgejo-s3-storage/access-key-secret/machines/verbena

@@ -0,0 +1 @@
+../../../../../../sops/machines/verbena

vars/per-machine/verbena/forgejo-s3-storage/access-key-secret/secret

@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:aEG/3fHh4cJ1hheU4P6PFKgm9n9HJblURiqvKms0fnx1cTJSd74qaNejWVlnThuxqPFgi4kv8LIi9WzmpEWy8Q==,iv:zrPF2WvbXPxzQxxZ9p+v/BR1YfNfS02PVi/+5pMzamA=,tag:n96sdJSnBoBWD0ibmAYweQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WkxjWFZrdE1iVFIxN2xw\ncXlhNGp3cDRKaitqdWNMZTRuNDNHNHVjTEhjCm9wWUswVGlKL2ducjhmQzNzcXps\nbGRMZmk4dm9pdXR2MjdpK1FxOFFkZkUKLS0tIGsydS91UTlGWjlNbytRVWZaamRj\nSXJKVWxhTXV3MmlhcnNMb3d4Vm8vWEkKiEbNBhLLFzNNGmrvGZEedvnX3EjAhJCW\nvTIi3W89nHdOV8pHJK+aIaUT5EhBSTdyCAF/Ecl1MtG6kXjc4G7a3Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRkNkTjVtazhoSGM1dlB3\nN29hYWMxWjNUdVpkVDZQTzh5T2w5enQyKzE0CnpwUzlKZ3pERVhZbmFkQlVhd20y\ndHl2WU9CUDhGVjh4NlVSQmxHUFE3UWcKLS0tIDh6RWtURUE1QW04Q3NENDgvVGE2\nYXdYaEgrVlp6NEZSbmNkM3pYZUNvVGMK2PqzSlhUQhUcsQxNUG0XqjGHjctVvXSR\ncGXZZypty4jd5sWgQKVb4tJ5qu/BlssQnT6YailJEW/8XrhjSuddvg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBbFROMGpQ\nYmlpaC83ZDc0b0NCcHI2UVBvQVkvQVI2cmtRbHpEUDFXTTFiaApyeHZ5Sk9jWUho\nUCsveWZoK1FCVGkwZ2hWMTVTZDdwT1BOdG91TWMwRGJnCi0tLSBOV3l0L1BmY0RR\nRWVzYXgwME95ZHMyRWxqdk5odm1zczMzUCtkRU13eUNRCpUjzMJdcOPbmM8aIA5I\nhDET4gkaq9Nm/W2+UhuwR9NcFj2mpSCKAc2BJX6wLJ3vTqOXb3yl4L2PQT6db7bt\nQ/c=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNkJGOHpK\nUnRzTE8yV1hsYzZXK1N6V09yc2JaMHVvVnV5bEJaZ1hId2tPbApzWC9oS3NzMytW\najVocEZEMTBGblpWV1lNaGh4bnpGRzMybkM2WHNvelZnCi0tLSBESEhJSWtYdW9U\nMmFES1pGY0tJN3hTQlZqeTRoZ3VvQTRxNVFBdVVkVnprCu6aApFJvusV0eJqgBDU\niDDTdsOsY6L7XQHJtiITwsCz9a3jwvgu0+p3TIFAi5NU+RbGWMhlo9OZ+e2hTGGe\nPRY=\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-01-23T12:31:31Z",
+		"mac": "ENC[AES256_GCM,data:849ki7N7EUxz8a7HnA6oljWx3WN5TbhyqOZSe8T7i931U4tZbzuchxjVQTVb7dGS0sIM5G3rPztP0mAvP9ata6HLPVqov4oTlPW9/+HfcPnlX9stC1uDfJ0AUYyQ6Q6Xavs615X0XE8N1ccGBXoyfOGFBQYcz5vz0aqH4OmbRLM=,iv:SZbVM6UntxRpE1SB7iepCdKUgNCJL+5q2wJA5u9n/4E=,tag:9FlUde54jxc1RKvKl1auBg==,type:str]",
+		"version": "3.11.0"
+	}
+}

vars/per-machine/verbena/forgejo-s3-storage/access-key-secret/users/rpqt

@@ -0,0 +1 @@
+../../../../../../sops/users/rpqt