repair flake.lock, update disko

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

README.md

@@ -14,7 +14,9 @@ to onboard a new user or system.
 
 Although we are not actively looking for new members to join in on this repo,
 we are not strictly opposed. Please reach out to
-[@ahuston-0](https://nayeonie.com/ahuston-0) for further information.
+[@ahuston-0](https://github.com/ahuston-0) or
+[@RichieCahill](https://github.com/RichieCahill)
+for further information.
 
 ## Repo Structure
 

disko/hetzner.nix

@@ -0,0 +1,47 @@
+# USAGE in your configuration.nix.
+# Update devices to match your hardware.
+# {
+#  imports = [ ./disko-config.nix ];
+#  disko.devices.disk.main.device = "/dev/sda";
+# }
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+              priority = 1;
+            };
+            root = {
+              end = "-1G";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+            encryptedSwap = {
+              size = "1G";
+              content = {
+                type = "swap";
+                randomEncryption = true;
+                priority = 100; # prefer to encrypt as long as we have space for it
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

docs/CONTRIBUTING.md

@@ -107,7 +107,8 @@ rules.
 We allow secrets to be embedded in the repository using `sops-nix`. As part of
 the process everything is encrypted, however adding a new user is a change
 that every existing SOPS user needs to participate in. Please reach out to
-[@ahuston-0](https://nayeonie.com/ahuston-0) or if you are interested
+[@ahuston-0](https://github.com/ahuston-0) or
+[@RichieCahill](https://github.com/RichieCahill) if you are interested
 in using secrets on your machines.
 
 ## CI/CD

docs/sample-setup.sh

@@ -121,7 +121,7 @@ fi
 DOTS="/mnt/root/dotfiles"
 GC="git -C $DOTS"
 sudo mkdir -p "$DOTS" || echo "directory $DOTS already exists"
-sudo $GC clone https://nayeonie.com/ahuston-0/nix-dotfiles.git .
+sudo $GC clone https://github.com/RAD-Development/nix-dotfiles.git .
 sudo $GC checkout "$FEATUREBRANCH"
 
 # Create ssh keys
@@ -179,4 +179,4 @@ Host github.com
         IdentityFile /root/.ssh/id_ed25519_ghdeploy
 EOF
 printf "%s" "$SSHCONFIG" | sudo tee /root/.ssh/config
-sudo "$GC" remote set-url origin 'ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git'
+sudo "$GC" remote set-url origin 'git@github.com:RAD-Development/nix-dotfiles.git'

flake.lock

@@ -67,19 +67,43 @@
         "type": "github"
       }
     },
-    "firefox-addons": {
+    "disko": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
         ]
       },
+      "locked": {
+        "lastModified": 1736864502,
+        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "firefox-addons": {
+      "inputs": {
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1744500178,
+        "lastModified": 1743483509,
-        "narHash": "sha256-hHXOb7UW0JyNb96ZEuNj75f4hd4T+6ZZ76ir4Yc2okw=",
+        "narHash": "sha256-aHnOrBV4UpVQuv9RHmYaRb0jZRBpmeDWsZWBRoSCc5w=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "42722da72350b489b83940fcfb45769a66fdc50b",
+        "rev": "692aba39210127804151c9436e4b87fe1d0e0f2b",
         "type": "gitlab"
       },
       "original": {
@@ -92,11 +116,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1743774811,
+        "lastModified": 1741628778,
-        "narHash": "sha256-oiHLDHXq7ymsMVYSg92dD1OLnKLQoU/Gf2F1GoONLCE=",
+        "narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "df53a7a31872faf5ca53dd0730038a62ec63ca9e",
+        "rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80",
         "type": "github"
       },
       "original": {
@@ -124,11 +148,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1743550720,
+        "lastModified": 1741352980,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
         "type": "github"
       },
       "original": {
@@ -229,11 +253,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742649964,
+        "lastModified": 1741379162,
-        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+        "narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc",
         "type": "github"
       },
       "original": {
@@ -309,11 +333,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744498625,
+        "lastModified": 1743482579,
-        "narHash": "sha256-pL52uCt9CUoTTmysGG91c2FeU7XUvpB7Cep6yon2vDk=",
+        "narHash": "sha256-u81nqA4UuRatKDkzUuIfVYdLMw8birEy+99oXpdyXhY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "db56335ca8942d86f2200664acdbd5b9212b26ad",
+        "rev": "c21383b556609ce1ad901aa08b4c6fbd9e0c7af0",
         "type": "github"
       },
       "original": {
@@ -329,11 +353,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1744212707,
+        "lastModified": 1743447171,
-        "narHash": "sha256-hl9t+RAEO2Jc1lVsR4OvbwG5LTyDo0wkZZ4s7zUGsxU=",
+        "narHash": "sha256-5+lbBGlOmVa+dNY8L4ElDCkB7+VedZpPTcBOFIF+0TM=",
         "ref": "add-gitea-pulls",
-        "rev": "33a935e8ef44e07c709328235ed48c4b4de03483",
+        "rev": "a20f37b97fa43eea1570bf125ee95f19ba7e2674",
-        "revCount": 4364,
+        "revCount": 4327,
         "type": "git",
         "url": "https://nayeonie.com/ahuston-0/hydra"
       },
@@ -386,16 +410,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1744030329,
+        "lastModified": 1739899400,
-        "narHash": "sha256-r+psCOW77vTSTNbxTVrYHeh6OgB0QukbnyUVDwg8s4I=",
+        "narHash": "sha256-q/RgA4bB7zWai4oPySq9mch7qH14IEeom2P64SXdqHs=",
         "owner": "NixOS",
         "repo": "nix",
-        "rev": "a4962f73b5fc874d4b16baef47921daf349addfc",
+        "rev": "e310c19a1aeb1ce1ed4d41d5ab2d02db596e0918",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "2.28-maintenance",
+        "ref": "2.26-maintenance",
         "repo": "nix",
         "type": "github"
       }
@@ -403,11 +427,11 @@
     "nix-eval-jobs": {
       "flake": false,
       "locked": {
-        "lastModified": 1744018595,
+        "lastModified": 1739500569,
-        "narHash": "sha256-v5n6t49X7MOpqS9j0FtI6TWOXvxuZMmGsp2OfUK5QfA=",
+        "narHash": "sha256-3wIReAqdTALv39gkWXLMZQvHyBOc3yPkWT2ZsItxedY=",
         "owner": "nix-community",
         "repo": "nix-eval-jobs",
-        "rev": "cba718bafe5dc1607c2b6761ecf53c641a6f3b21",
+        "rev": "4b392b284877d203ae262e16af269f702df036bc",
         "type": "github"
       },
       "original": {
@@ -423,11 +447,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744518957,
+        "lastModified": 1743306489,
-        "narHash": "sha256-RLBSWQfTL0v+7uyskC5kP6slLK1jvIuhaAh8QvB75m4=",
+        "narHash": "sha256-LROaIjSLo347cwcHRfSpqzEOa2FoLSeJwU4dOrGm55E=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "4fc9ea78c962904f4ea11046f3db37c62e8a02fd",
+        "rev": "b3696bfb6c24aa61428839a99e8b40c53ac3a82d",
         "type": "github"
       },
       "original": {
@@ -474,11 +498,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1744366945,
+        "lastModified": 1743420942,
-        "narHash": "sha256-OuLhysErPHl53BBifhesrRumJNhrlSgQDfYOTXfgIMg=",
+        "narHash": "sha256-b/exDDQSLmENZZgbAEI3qi9yHkuXAXCPbormD8CSJXo=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "1fe3cc2bc5d2dc9c81cb4e63d2f67c1543340df1",
+        "rev": "de6fc5551121c59c01e2a3d45b277a6d05077bc4",
         "type": "github"
       },
       "original": {
@@ -497,11 +521,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744378369,
+        "lastModified": 1743178092,
-        "narHash": "sha256-aCK79lB4Txu20YmQIf126CxsubgmeICpDiG6bsEMzrU=",
+        "narHash": "sha256-fOMsQpcdIbj+wOexiCSEW2J4Erqd0LRV25aYiOx4QRw=",
         "owner": "SuperSandro2000",
         "repo": "nixos-modules",
-        "rev": "d331edb6574306211b8f5a652a40fcfe1913194c",
+        "rev": "77ff511df92a9d4a828bdf032b8f48e7c3d99b50",
         "type": "github"
       },
       "original": {
@@ -512,11 +536,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1743987495,
+        "lastModified": 1739461644,
-        "narHash": "sha256-46T2vMZ4/AfCK0Y2OjlFzJPxmdpP8GtsuEqSSJv3oe4=",
+        "narHash": "sha256-1o1qR0KYozYGRrnqytSpAhVBYLNBHX+Lv6I39zGRzKM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "db8f4fe18ce772a9c8f3adf321416981c8fe9371",
+        "rev": "97a719c9f0a07923c957cf51b20b329f9fb9d43f",
         "type": "github"
       },
       "original": {
@@ -528,11 +552,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1743296961,
+        "lastModified": 1740877520,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
         "type": "github"
       },
       "original": {
@@ -543,11 +567,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1744440957,
+        "lastModified": 1743367904,
-        "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+        "narHash": "sha256-sOos1jZGKmT6xxPvxGQyPTApOunXvScV4lNjBCXd/CI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+        "rev": "7ffe0edc685f14b8c635e3d6591b0bbb97365e6c",
         "type": "github"
       },
       "original": {
@@ -559,11 +583,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1744501611,
+        "lastModified": 1743472173,
-        "narHash": "sha256-H+Q/R9FKEuuBRjjgwP6GBPfQMA7rzH7UJm/+HSYZm5o=",
+        "narHash": "sha256-xwNv3FYTC5pl4QVZ79gUxqCEvqKzcKdXycpH5UbYscw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "208645bf60302e4eea10f9b038043205b423de21",
+        "rev": "88e992074d86ad50249de12b7fb8dbaadf8dc0c5",
         "type": "github"
       },
       "original": {
@@ -583,11 +607,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1743884191,
+        "lastModified": 1741693509,
-        "narHash": "sha256-foVcginhVvjg8ZnTzY5wwMeZ4wjJ8yX66PW5kgyivPE=",
+        "narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "fde90f5f52e13eed110a0e53a2818a2b09e4d37c",
+        "rev": "5479646b2574837f1899da78bdf9a48b75a9fb27",
         "type": "github"
       },
       "original": {
@@ -622,6 +646,7 @@
     },
     "root": {
       "inputs": {
+        "disko": "disko",
         "firefox-addons": "firefox-addons",
         "flake-compat": "flake-compat",
         "flake-parts": "flake-parts",
@@ -650,11 +675,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744513456,
+        "lastModified": 1743475035,
-        "narHash": "sha256-NLVluTmK8d01Iz+WyarQhwFcXpHEwU7m5hH3YQQFJS0=",
+        "narHash": "sha256-uLjVsb4Rxnp1zmFdPCDmdODd4RY6ETOeRj0IkC0ij/4=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "730fd8e82799219754418483fabe1844262fd1e2",
+        "rev": "bee11c51c2cda3ac57c9e0149d94b86cc1b00d13",
         "type": "github"
       },
       "original": {
@@ -670,11 +695,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744518500,
+        "lastModified": 1743502316,
-        "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
+        "narHash": "sha256-zI2WSkU+ei4zCxT+IVSQjNM9i0ST++T2qSFXTsAND7s=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
+        "rev": "e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8",
         "type": "github"
       },
       "original": {
@@ -711,11 +736,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1744540857,
+        "lastModified": 1743496321,
-        "narHash": "sha256-cDC9TBD++zBsUx9X2VhJOjxXclmY8YpSqpKHaVLEXVA=",
+        "narHash": "sha256-xhHg8ixBhZngvGOMb2SJuJEHhHA10n8pA02fEKuKzek=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "379ba613a68fafdd756db370f0ef878a0d3a7308",
+        "rev": "54721996d6590267d095f63297d9051e9342a33d",
         "type": "github"
       },
       "original": {
@@ -791,11 +816,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1742851696,
+        "lastModified": 1741468895,
-        "narHash": "sha256-sR4K+OVFKeUOvNIqcCr5Br7NLxOBEwoAgsIyjsZmb8s=",
+        "narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "c37771c4ae8ff1667e27ddcf24991ebeb94a4e77",
+        "rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991",
         "type": "github"
       },
       "original": {
@@ -807,11 +832,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1743296873,
+        "lastModified": 1740877430,
-        "narHash": "sha256-8IQulrb1OBSxMwdKijO9fB70ON//V32dpK9Uioy7FzY=",
+        "narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "af5152c8d7546dfb4ff6df94080bf5ff54f64e3a",
+        "rev": "d48ee86394cbe45b112ba23ab63e33656090edb4",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,7 +5,7 @@
     substituters = [
       "https://cache.nixos.org/?priority=1&want-mass-query=true"
       "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
-      # "https://attic.nayeonie.com/nix-cache"
+      "https://attic.nayeonie.com/nix-cache"
     ];
     trusted-substituters = [
       "https://cache.nixos.org"
@@ -15,11 +15,10 @@
     trusted-public-keys = [
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "nix-cache:grGRsHhqNDhkEuTODvHJXYmoCClntC+U8XAJQzwMaZM="
+      "nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
     ];
     trusted-users = [ "root" ];
     allow-import-from-derivation = true;
-    fallback = true;
   };
 
   inputs = {
@@ -41,6 +40,12 @@
     #     flake-parts.follows = "flake-parts";
     #   };
     # };
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
 
     firefox-addons = {
       url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
@@ -137,7 +142,7 @@
       systems = [
         "x86_64-linux"
         # disable arm for now as hydra isn't set up for it
-        # "aarch64-linuxa
+        # "aarch64-linux"
       ];
 
       forEachSystem = lib.genAttrs systems;
@@ -153,7 +158,7 @@
           lib = self;
         }
       );
-      inherit (lib.adev.systems) genSystems getImages;
+      inherit (lib.rad-dev.systems) genSystems getImages;
       inherit (self) outputs; # for hydra
     in
     rec {

lib/default.nix

@@ -1,7 +1,7 @@
 { lib, ... }:
 {
-  # create adev namespace for lib
+  # create rad-dev namespace for lib
-  adev = rec {
+  rad-dev = rec {
     systems = import ./systems.nix { inherit lib; };
     container-utils = import ./container-utils.nix { inherit lib; };
 

lib/systems.nix

@@ -176,7 +176,7 @@ rec {
           (configPath + "/configuration.nix")
         ]
         ++ modules
-        ++ (lib.adev.fileList (src + "/modules"))
+        ++ (lib.rad-dev.fileList (src + "/modules"))
         ++ genWrapper sops genSops args
         ++ genWrapper home genHome args
         ++ genWrapper true genUsers args
@@ -222,7 +222,7 @@ rec {
             // import configPath { inherit inputs; }
           );
         }
-      ) (lib.adev.lsdir path)
+      ) (lib.rad-dev.lsdir path)
     );
 
   # gets all the images of a specified format

modules/autopull.nix

@@ -61,7 +61,7 @@ in
     lib.mkIf cfg.enable {
       environment.systemPackages =
         [ pkgs.git ]
-        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.adev.mapGetAttr "ssh-key" repos)) [
+        ++ lib.optionals (lib.any (ssh-key: ssh-key != "") (lib.rad-dev.mapGetAttr "ssh-key" repos)) [
           pkgs.openssh
         ];
 

modules/kub_net.nix

@@ -1,10 +1,10 @@
 { lib, config, ... }:
 let
-  cfg = config.services.adev.k3s-net;
+  cfg = config.services.rad-dev.k3s-net;
 in
 {
   options = {
-    services.adev.k3s-net = {
+    services.rad-dev.k3s-net = {
       enable = lib.mkOption {
         default = false;
         example = true;

modules/yubikey.nix

@@ -5,11 +5,11 @@
   ...
 }:
 let
-  cfg = config.services.adev.yubikey;
+  cfg = config.services.rad-dev.yubikey;
 in
 {
   options = {
-    services.adev.yubikey = {
+    services.rad-dev.yubikey = {
       enable = lib.mkEnableOption "enable yubikey defaults";
       enable-desktop-app = lib.mkEnableOption "installs desktop application";
     };

shell.nix

@@ -38,7 +38,7 @@ forEachSystem (
     };
 
     # constructs a custom shell with commonly used utilities
-    adev = pkgs.mkShell {
+    rad-dev = pkgs.mkShell {
       packages = with pkgs; [
         deadnix
         pre-commit
@@ -56,7 +56,7 @@ forEachSystem (
     default = pkgs.mkShell {
       inputsFrom = [
         pre-commit
-        adev
+        rad-dev
         sops
       ];
     };

systems/artemision/configuration.nix

@@ -75,7 +75,7 @@
     fprintd.enable = lib.mkForce false;
     openssh.enable = lib.mkForce false;
 
-    adev.yubikey = {
+    rad-dev.yubikey = {
       enable = true;
       enable-desktop-app = true;
     };

systems/hetzner-bridge/configuration.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    ../../disko/hetzner.nix
+    ./networking.nix
+  ];
+  disko.devices.disk.main.device = "scsi-0QEMU_QEMU_HARDDISK_55513992";
+
+  boot = {
+    useSystemdBoot = true;
+  };
+
+  virtualisation.docker.enable = false;
+  services = {
+    locate.enable = false;
+    endlessh-go.enable = false;
+  };
+
+  #hardware.enableAllFirmware = true;
+
+  system.stateVersion = "24.05";
+}

systems/hetzner-bridge/default.nix

@@ -0,0 +1,8 @@
+{ inputs, ... }:
+{
+  users = [ "alice" ];
+  modules = [
+    # inputs.attic.nixosModules.atticd
+    inputs.disko.nixosModules.disko
+  ];
+}

systems/hetzner-bridge/hardware.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd.availableKernelModules = [
+      "ahci"
+      "xhci_pci"
+      "virtio_pci"
+      "virtio_scsi"
+      "sd_mod"
+      "sr_mod"
+    ];
+    initrd.kernelModules = [ ];
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

systems/hetzner-bridge/networking.nix

@@ -0,0 +1,19 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  networking.useDHCP = false;
+
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      #matchConfig.Name = "enp1s0"; # either ens3 or enp1s0 depending on system, check 'ip addr'
+      matchConfig.Name = "ether";
+      networkConfig.DHCP = "ipv4";
+    };
+  };
+}

systems/palatine-hill/docker/archiveteam.nix

@@ -122,7 +122,7 @@ let
     cmd = lib.splitString " " "--concurrent 6 AmAnd0";
 
   };
-  inherit (lib.adev.container-utils) createTemplatedContainers;
+  inherit (lib.rad-dev.container-utils) createTemplatedContainers;
 
   vars = import ../vars.nix;
   at_path = vars.primary_archiveteam;

systems/palatine-hill/docker/minecraft.nix

@@ -46,7 +46,7 @@ in
       cmd = [
         (
           "--mapping=mc.alicehuston.xyz=${defaultServer}:25565"
-          + (lib.adev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
+          + (lib.rad-dev.mapAttrsToString (hostname: url: "," + url + "=" + hostname + ":25565") servers)
         )
       ];
     };

systems/palatine-hill/postgresql.nix

@@ -28,26 +28,12 @@ in
       '';
 
       # initialScript = config.sops.secrets."postgres/init".path;
-      ensureDatabases = [
+      ensureDatabases = [ "atticd" ];
-        "atticd"
-        "alice"
-      ];
       ensureUsers = [
         {
           name = "atticd";
           ensureDBOwnership = true;
         }
-        {
-          name = "alice";
-          ensureDBOwnership = true;
-          ensureClauses = {
-            superuser = true;
-            login = true;
-            createrole = true;
-            createdb = true;
-            replication = true;
-          };
-        }
       ];
 
       refreshCollation = true;
@@ -62,7 +48,6 @@ in
           "hydra-send-stats"
           "hydra-server"
           "atticd"
-          "gitea"
         ];
       };
     };

users/alice/home.nix

@@ -90,9 +90,6 @@
       nodejs_20
       nodePackages.prettier
       treefmt
-
-      gocryptfs
-      awscli2
     ];
   };
 

users/alice/home/doom/custom.el

@@ -22,6 +22,6 @@
 
 (setq! lsp-nix-nil-max-mem 20000)
 (setq! lsp-nix-nil-formatter ["nixfmt"])
-;; (add-hook 'python-mode-hook (lambda ()
+(add-hook 'python-mode-hook (lambda ()
-;;                                 (require 'sphinx-doc)
+                                (require 'sphinx-doc)
-;;                                 (sphinx-doc-mode t)))
+                                (sphinx-doc-mode t)))

users/alice/home/doom/packages.el

@@ -81,9 +81,9 @@
 (package! pacdiff.el
   :recipe (:host github :repo "fbrosda/pacdiff.el" :files ("pacdiff.el" "README.org" "LICENSE")))
 
-;;(package! python-docstring-mode
+(package! python-docstring-mode
-;;  :recipe (:host github :repo "glyph/python-docstring-mode" :files ("python-docstring.el" "docstring_wrap.py")))
+  :recipe (:host github :repo "glyph/python-docstring-mode" :files ("python-docstring.el" "docstring_wrap.py")))
 
-;;(package! sphinx-doc)
+(package! sphinx-doc)
 
 ;; https://github.com/glyph/python-docstring-mode.git

users/alice/secrets.yaml

@@ -4,13 +4,16 @@ alice:
     #ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
     gha-hydra-token: ENC[AES256_GCM,data:CXdOiW9oYaVj4oqfiXSz9O9xIsB5ZyUac2WFSFD1ankZpnmQpv9TwolJxb6h8r+UM7Q9QzCCWk7KHe80lolZhpHa79bpcj+wt9v51ydj0Zy+3sufHS+JnGwmqBbw6dVqJ2uBr4nW2NADzHEbG8N367uKYEq2vazB4y02JiopXL8DHsYcx+Z4u7GJC/gYbpm9vnt8OVdYmfYRQ9BGSiaJOghDzpmCisEZdLpCLXM3cULn8yVUXIFWx8yF/6JrWN+myeoZiUFCL2sZmeSIswFg9kwBKXIsjBrz+EDXZzDCEr88UrEJ0j2+egsrG9BNlstVwC8oscYdbXWmYUdsCBNVxK3xjJYm9gDdSyo0DfSvTzK1t+/s9L1zC8uqj2TXYdVd6QyH2TRXxiPeNLYClRHT2UljymSpIVXOn/Okuo7dte+ZZqZVndT1lwK//2y8V3Hng+5wixfFFsQAd5oJzfraRSnM+RLZtjI3TMoyc5no3pVwV6zsCqRd2nvr7gieXUMWtSLb6YrM6tvhRpeiieYUqQ8NwHV0Avqco0I838o5yywVGSnUflGxnwYoGQIX70qoTcxNPGuiiiqSynh64e3nrlC9xN6EWuFpUNVfkBibZNRi+EyDAhK7LKwiPbL2z919N54vyzzoWA1KUFqxow+JsX+Q8rpnfJtag44F5qFt3/Be5PIMYVU7acXTiVJvM3cKPMQIBPXpQFX5OshwGhttGFuB53aWPHCzlhT4NDQbcZ/rLQ3bcytVpnH55WWze0Oe0zUZYGFc/rV9Fc4QjhR7/8pAi9kGUlKy2MYBamjmnCWlOnHPIQQLpPs/oiW+,iv:KL2P3O8Fnbn56hLX8PWIrigoPTBfIvMUpizKy3C3RIA=,tag:G0M/9iT9IWUSJ5ktUc/g5A==,type:str]
     wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
-    attic-nix-cache-creator: ENC[AES256_GCM,data:ygWuPJfFZQVHtJ83DfB7VB84PNF0knLkOwD4A67NMNp8pU9pA9lI56RSyKDkFd+qYRBSeEXSepbSOA+BhvQaCZiVEiao3LBlh7/6Sp5ni+Rdt3hGKcd+JRQyedEmTkg9h8NbtR6LvI90EiMhyVg6WLCzlGAtFFBcSvIqssrC/KDHCjd4uMzXeW23wUB40dU1PpwkLPtcNVvIzgxqYRsRPFOXZxGxQYGpBWtzDveqgmeLwavhU481wHfCwqpyXJZflbR+UzWdr+zbmSFdJadlLdHeooNGvRC+av0MK4YMCCgu1Em34IeawpiesFhhj/IVGa2xQWjXE0MF3SDLvlh5yMqNPodTZ7FAEZgD7rTYIbaH8JHiYbgI6v7/ANPcFqw2eKT7wVP8cTL1yPedcZcU,iv:J7JYA98NHxM0tExfUdjkir6/+tkOkPLMBNdjXBP9fbA=,tag:WaCWmrzLgr9lDUL+jxeMNA==,type:str]
+    attic-nix-cache-creator: ENC[AES256_GCM,data:P0iBdy4IYrxcq7v4wTgwwZvAfVdRFo08pi0zvpY9cP9BDCwbBnp+3qDKWL29rC7OxsaLtmRkvPmbkF3ZX3Yu5OaptwVg2Xi0vNqhk3gu5Fdj8ygPigB0ZtimkfWv1QkctoVoXKXuLv6Xd4XKPCWOOIekWlJsBRcyfyzkyFURkU9tBBkXyEAWItho/J8hJr6r00eA3EN4rTe8Ge+PGpfTfpZVpnoGrC35xPnGLq19+b44DectHDTkMZrZKxiCaVIgKUZDLaFgi6a6PsX+L1HQAIZukXJu3m4BPdvzzby+zgX24pVJOYjAUB2BwO9jUlMS6+7qo0p6k01uLicryfKx/ajdAHcy39tFHX7naA4JriC2/FgI2HlFGp0Lc+g0pfdCYwLs5QBfRaOHyrbFWUDG,iv:OBrgnewqBaug00ygAXs0eFs3LqcHqo1EW96N5I38A0o=,tag:V+Gn47O6AH1RwL9qJLpAkw==,type:str]
-    attic-nix-cache-reader: ENC[AES256_GCM,data:78jJJh332XvFx29HxNW7CULMNMsQ2xMTCIIk5oX5AimBoFXXVH7z9EGFbDimwfaYlsPK6xuU+9mnCnhCjCoGFRX9GQbW+Z2D9TGMsBfe3eztbWlcJ++EkWSCbHKEIGKTF13aRGrKRIOjIy9Gl3qZt4BnZtQPFMOzQO8u80M116u3w4ttqz9rzaIrXWB6GIMI5lWF5rQe5ML1vDgvL2KNMNkPAAm5O1Fv887woVcqxbPhiNhJGXBSiPZpe3PG8wP6z0GTe/GhMTPCOlVJIdsxKnEaRaTSAtVazFos5zSMvLYYrbj6ISoS9tEQ6bFMy6xl,iv:dGDSTtsQlwElerRXpT97uapzOh766bysZTQMjUEEJnM=,tag:OQOYmQqKywdSjUUXnELdpQ==,type:str]
+    attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
-    attic-nix-cache-writer: ENC[AES256_GCM,data:IIrGw+MtZEZqJdNGPryN5xKg7UOP+0kjzpthhyRdQz0P3yS/vThSaV+VuduQq5WgnaNjXLA6LBU+cufmVmvrkeTkZ281976sLTbYzrPCW/hCy1+w7qdv6vauaFsLqtnmWlHNwCIkXbUvQWq56WvP6m1PuYaUIFYn3SUprQ1du+X0buK1FUOhSH4HXfiqpNJOomLhok9M0Tyzn8yK5Fn1dzmJ8tsgBczzhWeZzsj4TuksFLV2r6NXzeQp2jWQkxv39Eg6Lf+0eaHxWQFR4s2uKYzwdsDOnpSmUgXFTzVB6RGAEpasKkVZ2NfG4GeUKBFPDVJoR6ilLZA=,iv:e58OGCbgLIIzKfBALtrsYmWg9Gp0nySNYsJ3X5IWp4I=,tag:bnwBipVK3BSOizg8twQ4lQ==,type:str]
+    attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
-    attic-nix-cache-admin: ENC[AES256_GCM,data:xHJGeU4EUn1HRy2nIValiJ6iLZnYmmT6Njv/cGMh15Q0hJXKNBSsi8f0mAfLI7EX+GaC299VKh2uTlU25jptrAvogLxNJIc+LZBLsSkyGE/ojqqevHMKmZ/6eciLZRQL5ey9TM3V9HHyDOhGaFgdfawtwg/vyvbV13lZBKpqneAX9T3gPRuKRjV4/Uc/5cUckiOF8bQ50xVFN8Cql9HgGDJEGWgg4XUTPu5eYspof2EN63pYvU7wg6HD2begeLDvqc2/i2DIcsc0wqc5DgkY/dH2YtcssBtU8AR9vKpl+HmH/wvt6dfaEyZ7hF7ITGwWnOO6H2ko3SjYRfHkFK3XDmm1YRRjfkptnw==,iv:BdVgNyZ1azl5tKfH+RTeXuNV/rYY6hPvrareKlIXSeQ=,tag:/ar87eAjMod4TmQXoerNBQ==,type:str]
+    attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
     gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
-    gitea-pr-token: ENC[AES256_GCM,data:ybTya4X2wd65pNFSGbQkg73lu66GNtSba4yf8J6tT8XkuOtfvtBS4g==,iv:39mJiAlw4kud4l06jOpxOCRumChE/5q8IBNsPHG1rMc=,tag:MEvHD2b9E3fVHLlz7haNyw==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
           enc: |
@@ -39,8 +42,8 @@ sops:
             ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
             7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-07T23:43:57Z"
+    lastmodified: "2025-03-26T15:28:13Z"
-    mac: ENC[AES256_GCM,data:ygQzxSpGJqXwkOq7jGDeflA2FTSSxnre/PXm0LxmxzQQW5s7LeIVSI75fMqWir0WU3Pi/xroYGEWjpCG6JvxV5RiJycTONk8VE7c3jtw3AbrHSS0b1K5tJ+Sf+q3rHJFWWk/COrPk8IsRFNb+taqH4jnaH3AAVNo5u0C1CHKMes=,iv:FO2GVDXE8SjjA81/9cDwc+dX8kJ2oHt5kqkhNBuMb54=,tag:hgzRAmsh32SCvJEvKyV+vg==,type:str]
+    mac: ENC[AES256_GCM,data:BfEahKHAcnLc/PSagENBIVwxufJrjpMSC6U4hkkxNwcEJYDNAlrF0w00aiexLeX+UfVGIw19+SrNL5zuecEf+GaYzYNy9RE3c66KUM2B/cpuBuzkiwLaBCTfcWr7k8dW11BGFCmugRSG4w6wXKG5B/LyEKB6Vcvp0JRbCYSqZSY=,iv:97UzvdvQCtTLaLDrg6VEwiofHtSPGtaxuPLHfTAyIFA=,tag:r4r45OaV9ZRDzd56RGLFZw==,type:str]
     pgp:
         - created_at: "2024-09-05T06:10:22Z"
           enc: |-
@@ -55,4 +58,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
     unencrypted_suffix: _unencrypted
-    version: 3.10.1
+    version: 3.9.4

utils/hetzner-install.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#git --command bash
+
+set -o errexit   # abort on nonzero exitstatus
+set -o nounset   # abort on unbound variable
+set -o pipefail  # don't hide errors within pipes
+
+MACHINENAME="hetzner-bridge"
+
+sudo mkdir /root/.ssh
+sudo chmod 700 /root/.ssh
+sudo ssh-keygen -t ed25519 -o -a 100 -f "/root/.ssh/id_ed25519_giteadeploy" -q -N "" -C "$MACHINENAME" || echo "key already exists"
+
+sudo cat /root/.ssh/id_ed25519_giteadeploy.pub
+
+sudo ssh-keygen -A
+
+nix --extra-experimental-features 'flakes nix-command' shell nixpkgs#git
+nix --extra-experimental-features 'flakes nix-command' store gc
+FLAKE="git+ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles?ref=feature/hetzner-bridge#hetzner-bridge"
+DISK_DEVICE=/dev/sda
+sudo nix \
+    --extra-experimental-features 'flakes nix-command' \
+    run github:nix-community/disko#disko-install -- \
+    --flake "$FLAKE" \
+    --write-efi-boot-entries \
+    --disk main "$DISK_DEVICE"

utils/hetzner-nixos-anywhere.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env nix
+#! nix shell nixpkgs#bash nixpkgs#mktemp nixpkgs#openssh nixpkgs#nixos-anywhere nixpkgs#sops --command bash
+
+echoerr() { printf "%s\n" "$*" >&2; }
+
+if (( $# != 1 )); then
+    echoerr "usage: $0 <hostname>"
+fi
+
+HOSTNAME=$1
+
+# Create a temporary directory
+temp=$(mktemp -d)
+
+# Function to cleanup temporary directory on exit
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+# Create the directory where sshd expects to find the host keys
+install -d -m755 "$temp/etc/ssh"
+
+# Create host keys
+ssh-keygen -A -f "$temp/etc/ssh/"
+
+# Set the correct permissions so sshd will accept the key
+chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
+
+AGEKEY=$(ssh-to-age < "$temp/etc/ssh/ssh_host_ed25519_key.pub")
+
+echo "$AGEKEY" | tee "./$HOSTNAME.age"
+
+# Install NixOS to the host system with our secrets
+nixos-anywhere --extra-files "$temp" --flake '.#your-host' root@yourip