persist zulip

deploy.sh

@@ -0,0 +1,5 @@
+# usage:
+# $ ./deploy.sh <hostname> <ip>
+# example usage:
+# $ ./deply.sh 109-199-104-83 109.199.104.83
+nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config ./hardware-configuration.nix --flake .?ref=411ee0c#$1 --target-host root@$2

flake.lock

@@ -129,6 +129,27 @@
         "type": "github"
       }
     },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746728054,
+        "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "ff442f5d1425feb86344c028298548024f21256d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
@@ -597,6 +618,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "disko": "disko",
         "home-manager": "home-manager_2",
         "impermanence": "impermanence",
         "nix-zulip": "nix-zulip",

flake.nix

@@ -4,6 +4,10 @@
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -41,6 +45,7 @@
   };
   outputs = {
     agenix,
+    disko,
     home-manager,
     impermanence,
     nixos-mailserver,
@@ -64,8 +69,10 @@
           ++ [
             ./users.nix
             ./secrets.nix
-            impermanence.nixosModules.impermanence
+            ./modules/nixos/common.nix
             agenix.nixosModules.default
+            disko.nixosModules.disko
+            impermanence.nixosModules.impermanence
             nixos-mailserver.nixosModule
             noshell.nixosModules.default
             phoenix.nixosModules.default

hardware-configuration.nix

@@ -0,0 +1,24 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

machines.nix

@@ -6,10 +6,11 @@
     modules = [
       # impermanence
       ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix
 
       # hardware configuration
       # includes `system.stateVersion`
-      ./machines/lenovo.nix
+      ./modules/nixos/machines/lenovo.nix
 
       # boot process
       # systemd-boot
@@ -18,8 +19,8 @@
       # networking
       ./modules/nixos/laptop.nix
 
-      # boilerplate settings
-      ./modules/nixos/common.nix
+      # vpn
+      ./modules/nixos/openvpn-client.nix
 
       # ly display manager
       ./modules/nixos/ly.nix
@@ -38,10 +39,12 @@
     modules = [
       # impermanence
       ./modules/nixos/impermanence.nix
+      ./modules/nixos/impermanence-ssh.nix
 
       # hardware configuration
       # verbatim as `nixos-generate-config` AND `system.stateVersion`
-      ./machines/109-199-104-83.nix
+      ./modules/nixos/machines/109-199-104-83.nix
+      ./modules/nixos/disko/remote.nix
 
       # boot process
       # grub boot on /dev/sda
@@ -49,6 +52,7 @@
 
       # networking
       ./modules/nixos/networking/domains/galaxious.de.nix
+      # uses cloud-init to network
       ./modules/nixos/networking/networks/109-199-104-83.nix
 
       # ssh through port 5522 among other things
@@ -57,9 +61,6 @@
       ./modules/nixos/networking/ssh-as-root.nix
       ({config, ...}: {users.users.root.openssh.authorizedKeys.keys = [config.pub-keys.ssh.andromeda];})
 
-      # boilerplate settings
-      ./modules/nixos/common.nix
-
       # simple-nixos-mailserver email server
       # mail.domain
       ./modules/nixos/mailserver.nix
@@ -68,13 +69,15 @@
       # webmail.domain
       ./modules/nixos/roundcube.nix
 
+      # BROKEN
+      # forgejo
+      # git.domain
+      # ./modules/nixos/forgejo.nix
+
+      # BROKEN
       # zulip chat client
       # chat.domain
-      # zulip chat server
-      # zulip.domain
       ./modules/nixos/zulip.nix
-      {
-      }
     ];
   };
 }

modules/nixos/boot/109-199-104-83.nix

@@ -1,3 +1,9 @@
 {
-  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+  age.identityPaths = [
+    "/persist/etc/ssh/ssh_host_ed25519_key"
+  ];
 }

modules/nixos/common.nix

@@ -20,4 +20,7 @@
 
   # disable lecture
   security.sudo.extraConfig = ''Defaults lecture="never"'';
+
+  # make users immutable
+  users.mutableUsers = false;
 }

modules/nixos/disko/remote.nix

@@ -0,0 +1,64 @@
+{
+  disko.devices = {
+    disk = {
+      disk1 = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            # legacy boot
+            boot = {
+              name = "boot";
+              size = "1M";
+              type = "EF02";
+            };
+
+            # efi boot
+            esp = {
+              name = "ESP";
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+
+            # btrfs
+            # root is on nodev
+            root = {
+              size = "100%";
+              content = {
+                extraArgs = ["-f"]; # internet told me to, works
+                type = "btrfs";
+                subvolumes = {
+                  # nix store
+                  "/nix" = {
+                    mountpoint = "/nix";
+                  };
+
+                  # persistant directory
+                  "/persist" = {
+                    mountpoint = "/persist";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+    nodev = {
+      # root
+      "/" = {
+        fsType = "tmpfs";
+        mountOptions = [
+          "defaults"
+          "mode=755" # stops security complaints
+        ];
+      };
+    };
+  };
+}

modules/nixos/forgejo.nix

@@ -0,0 +1,27 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M
+      '';
+      locations."/".proxyPass = "https://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = rec {
+        DOMAIN = "git.galaxious.de";
+        ROOT_URL = "https://${DOMAIN}";
+        HTTP_PORT = 4043;
+        SSH_PORT = 4022;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+  };
+  services.openssh.ports = [config.services.forgejo.settings.server.SSH_PORT];
+}

modules/nixos/impermanence-ssh.nix

@@ -0,0 +1,4 @@
+{
+  # ONLY include this module AFTER a machine has been provisioned
+  environment.persistence."/persist".directories = ["/etc/ssh"];
+}

modules/nixos/laptop.nix

@@ -33,7 +33,5 @@
     "/var/lib/bluetooth"
     # wifi connections
     "/etc/NetworkManager/system-connections"
-    # machine ssh keys
-    "/etc/ssh"
   ];
 }

modules/nixos/machines/109-199-104-83.nix

@@ -12,24 +12,14 @@
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
 
-  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
   boot.initrd.kernelModules = [];
   boot.kernelModules = [];
   boot.extraModulePackages = [];
 
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/159e6a69-b4e2-49c3-a6f0-5fcba0ea6a59";
-    fsType = "ext4";
-  };
-
-  fileSystems."/efi" = {
-    device = "systemd-1";
-    fsType = "autofs";
-  };
-
   swapDevices = [];
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 
-  system.stateVersion = "25.11";
+  system.stateVersion = "26.05";
 }

modules/nixos/mailserver.nix

@@ -2,10 +2,14 @@
   mailserver = {
     enable = true;
     stateVersion = 3;
+
+    # domain bs
     fqdn = "mail.${config.networking.domain}";
     domains = ["${config.networking.domain}"];
     x509.useACMEHost = config.mailserver.fqdn;
+
     loginAccounts = {
+      # test acc
       "test@${config.networking.domain}" = {
         hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
       };
@@ -15,6 +19,17 @@
       };
     };
   };
+
+  # put dkim key into /etc for declarability
+  mailserver.dkimKeyDirectory = "/etc/dkim";
+  environment.etc."dkim/${config.networking.domain}.${config.mailserver.dkimSelector}.key" = {
+    source = config.age.secrets."dkim-${config.networking.domain}.${config.mailserver.dkimSelector}.key".path;
+    mode = "600";
+    user = config.services.rspamd.user;
+    group = config.services.rspamd.group;
+  };
+
+  # does acme for me
   services.nginx = {
     enable = true;
     virtualHosts = {
@@ -28,4 +43,15 @@
     acceptTerms = true;
     defaults.email = "mtgmonket@gmail.com";
   };
+
+  # persist directories per the backup guidelines
+  environment.persistence."/persist" = {
+    directories = [
+      # not needed bc the dkim dir is declared
+      # "/var/dkim"
+      "/var/vmail"
+      "/var/lib/redis-rspamd"
+      "/var/lib/acme"
+    ];
+  };
 }

modules/nixos/networking/networks/109-199-104-83.nix

@@ -1,7 +1,6 @@
 {
   networking = {
-    useNetworkd = true;
-    usePredictableInterfaceNames = true;
+    useDHCP = false;
     hostName = "109-199-104-83";
     firewall = {
       enable = true;
@@ -9,19 +8,8 @@
       allowedUDPPorts = [80 443];
     };
   };
-  systemd.network = {
+  services.cloud-init = {
     enable = true;
-    networks."40-wan" = {
-      matchConfig.Name = "enx0050565f4fff";
-      address = ["2a02:c207:2299:8419::1/64" "109.199.104.83/20"];
-      routes = [
-        {
-          Gateway = "109.199.96.1";
-          GatewayOnLink = true;
-        }
-        {Gateway = "fe80::1";}
-      ];
-      dns = ["2620:fe::fe" "9.9.9.9"];
-    };
+    network.enable = true;
   };
 }

modules/nixos/openvpn-client.nix

@@ -0,0 +1,8 @@
+{lib, ...}: {
+  services.openvpn.servers = {
+    "173.249.5.230" = {config = ''config /etc/openvpn-confs/173.249.5.230.ovpn'';};
+  };
+  networking.enableIPv6 = lib.mkForce false;
+  environment.persistence."/persist".directories = ["/etc/openvpn-confs"];
+  boot.kernelParams = ["ipv6.disable=1"];
+}

modules/nixos/roundcube.nix

@@ -9,4 +9,8 @@
       $config['smtp_pass'] = "%p";
     '';
   };
+  environment.persistence."/persist".directories = [
+    "/var/lib/roundcube"
+    "/var/lib/postgresql"
+  ];
 }

modules/nixos/zulip.nix

@@ -8,25 +8,47 @@
     # host domain
     host = "chat.${config.networking.domain}";
 
-    # secrets
+    # secrets; head rolled on keyboard for all :)
     camoKeyFile = builtins.toString config.age.secrets.zulip-camoKey.path;
     rabbitmqPasswordFile = builtins.toString config.age.secrets.zulip-rabbitmqPassword.path;
     secretKeyFile = builtins.toString config.age.secrets.zulip-secretKey.path;
     sharedSecretKeyFile = builtins.toString config.age.secrets.zulip-sharedSecretKey.path;
     avatarSaltKeyFile = builtins.toString config.age.secrets.zulip-avatarSaltKey.path;
-    extraSecrets = {
-      email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;
-    };
+
+    # TODO check for parity with `mailserver-acc-admin-pw.age`
+    extraSecrets.email_password = builtins.toString config.age.secrets.zulip-extraSecrets-email_password.path;
 
     # settings
     zulipSettings = rec {
-      EMAIL_USE_TLS = true;
-      EMAIL_PORT = 587;
+      # email users
+      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
+      EMAIL_HOST_USER = ZULIP_ADMINISTRATOR;
+
+      # configure mailserver port
+      EMAIL_HOST = config.mailserver.fqdn;
+      EMAIL_USE_SSL = true;
+      EMAIL_PORT = 465;
+
+      # setting to allow realm creation; probably unsafe, might delete later :3
+      OPEN_REALM_CREATION = true;
+
+      # send all noreply emails from `admin@galaxious.de`
+      # TODO configure admin to send from any address
       ADD_TOKENS_TO_NOREPLY_ADDRESS = false;
       NOREPLY_EMAIL_ADDRESS = ZULIP_ADMINISTRATOR;
-      OPEN_REALM_CREATION = true;
+
+      # domain name
       EXTERNAL_HOST = config.services.zulip.host;
-      ZULIP_ADMINISTRATOR = "admin@${config.networking.domain}";
     };
   };
+  # persist
+  environment.persistence."/persist".directories = [
+    # messages
+    "/var/lib/rabbitmq"
+    # uploads
+    "/var/lib/zulip"
+
+    # contrived, but in the store a couple layers down
+    # "/var/lib/redis-zulip"
+  ];
 }

pub-keys.nix

@@ -1,10 +1,11 @@
 {
   age.secrets = {
     andromeda-pw.file = ./secrets/andromeda-pw.age;
+    "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
     mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
     mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
     mailserver-acc-admin-pw.file = ./secrets/mailserver-acc-admin-pw.age;
-    "mailserver-acc-zulip+admin-pw".file = ./secrets + "/mailserver-acc-zulip+admin-pw.age";
+    "mailserver-acc-zulip+admin-pw".file = "${./secrets}/mailserver-acc-zulip+admin-pw.age";
     zulip-avatarSaltKey.file = ./secrets/zulip-avatarSaltKey.age;
     zulip-camoKey.file = ./secrets/zulip-camoKey.age;
     zulip-extraSecrets-email_password.file = ./secrets/zulip-extraSecrets-email_password.age;
@@ -16,7 +17,7 @@
     ssh = {
       andromeda = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJy2VD362wUcu0lKj2d6OIU8dbAna0Lu/NaAYIj8gdIA andromeda@lenovo";
       lenovo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHG4eqsLTq2os2mxfwhys3BpVnowcJrqt2CbRFzN2pJb root@lenovo";
-      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJe5ol56yC23fivSEKeK4HZQm934ROX46AM7o0aE2hMq root@vmi2998419";
+      _109-199-104-83 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBH5TA6Br8K4xTjD5YcXQDh4UQSvuE0lEs1UxUytDiAn root@109-199-104-83";
     };
   };
 }

secrets/andromeda-pw.age

@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg 4fCTrNibFdjnVfsIbXi6plbd56K8ZDDqtgryXPk2SUA
-vKlbDi+HpyYlSsN39GRh6GRwdHRSjypCEqguOaHPFDM
--> ssh-ed25519 UHxfvA RqrDa4xJoAy1Gdzvq6Z5eTSNTDtHzUmzRoLC+j+HxiI
-+5CohUFSDB9oiLU0T25FKrQrz07DCviVuzZsVcUltOc
---- SQ5zQx9lL5UdNinOgP6yG5WWiBdhSwFqJVt6u3SNpLA
-<EFBFBD>6<EFBFBD><16><0B><>U<><55><EFBFBD>p<70><EE9087><EFBFBD><EFBFBD>Q<>]<5D>N<EFBFBD>;K;1y<31><79><EFBFBD>
+-> ssh-ed25519 mT2fyg ixFM7swaItfNnTRVSdTm1wZJ8lHUv7tDOgSXo1OpgCc
+lf8/ChfcpgYkK8mTS9Zk++toOu0KNh88S+Lqu4a0UIw
+-> ssh-ed25519 UHxfvA hbsRwdzU1IP3K/gH0btUOQ8hZer8Kgq+RqzcEVrCqTE
+iSVh+yeypHoalRhaRM2XMlBvtO8HCyatDnWgUyC3GWU
+--- hcs6DJZRvjoKDPI/cjUXRfM7+06PNJvWqjkvJof/bSs
+Bo<1A>p<EFBFBD>Qlg-<2D>\<5C>=ƙ	ڼ<0B><><1E><>sv<13><>~<7E><>O<EFBFBD><4F>{R
x<1E>IErô<>s<EFBFBD>1<1F><>v<EFBFBD><76><EFBFBD>:<<EFBFBD>
+i<EFBFBD><EFBFBD><EFBFBD>1<EFBFBD>v<0E><03>K<EFBFBD><4B><07><16><>*<2A> |<7C> <20><><EFBFBD><EFBFBD><EFBFBD>5[{<7B>\<5C>

secrets/mailserver-acc-test-pw.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg slLOkD/9TAYOuZ/g5U4NvPWUlmYZeie12xzggioviw0
-E0uAj4RMgv7DTJpvtEO54G9XHNLFOgFflR54Cl6/X8g
--> ssh-ed25519 UHxfvA xHFujOdegur0PLNHZP+h5RxHhVD2K906NZx7nprMkUs
-PdDxzD5QBdE/yWPMnF+CDGROEpE4nYvg12v1G3QK9XI
--> ssh-ed25519 Xoin5w YWsO9HtEFB79+aKr6eWi5Sg5geKfzT+IrDy2L5qEmx4
-sXLRmcRDyAv64nSGs8QXcHmKYO+F11Pzea1EVGmpEys
---- Sjg8SqkkEEL4X0G1GOUoHO702ZtrM0hMniIdS7yIsDA
-'<27>B<EFBFBD><42>(<28><>7Dϓ=<3D><>h<EFBFBD><10><>h	f<>ɮ<13>xT<78><54>!K.<2E><1D><>~س<>,<2C>ߓ<>D|<7C><>+p<><70><EFBFBD>"<22>t<EFBFBD><74>G<EFBFBD>y<EFBFBD>Q<EFBFBD><51>RcP<63>Q<EFBFBD><51>Q<><51>
+-> ssh-ed25519 mT2fyg at6Q9eK1o8Mk0+fJh+mnIVrvV1tASV+PGuV8MXuwR2c
+cm3wvsLAemeeTFok7yBocNlfwewKruPnymG+wsT5g+Y
+-> ssh-ed25519 UHxfvA aaQqfrUfUnLzwUVT6nCRPIAVlIhIWAJcPyeg3J6BQUI
+4sh8ZV14csafSs8yAtFZIccSkiz6YnseV3DJcuhw7dQ
+-> ssh-ed25519 yXDKAA KmwRbJURujQhlqOIVxzlVjyvaYRfyuJAVGWMZdkFaAE
+mX083o2XdnnYgqLs5NeppwMbFHDHTucMiHHZuYdzLvo
+--- Ay/SP2CXGOhSzO4KoiXFQhJMMdHaecxXOtNkGBK/RO0
+ Z<11>?<14><0E><1A><><EFBFBD>B<EFBFBD><1E>F<EFBFBD>9_N`<60><>8<EFBFBD><38><EFBFBD>&<26><><1D>@<40><>)q<>7<EFBFBD>a<11>O

secrets/mailserver-acc-zulip+admin-pw.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 mT2fyg JsKjySZOoC/xK6HFjgBSYumrg/Ak7EBjYCqa9uszXGo
-daQvoxsqkxA4OClbWm4YHes5zkky8wikEKg94ceeNWw
--> ssh-ed25519 UHxfvA yDtvX6SqI9HFN3v1teeRfVicMXpS0fYLiyxe391kIHY
-xpYokiMmAlFbZHuOIqxKeGXtgiB9yOvRquI8OY5mdqE
--> ssh-ed25519 Xoin5w 9ND7dZoaaLXVu7VN3fYF6bZa23QpCr29b4DNIOSRi2Q
-L6oOEQ8XSZZuQyfxPwgGYycMqAKfslEtFRJbBHbomoY
---- ewcxsNTgXUy+wlZ3MiSC2KYO0BowGOAn/JvvV7x3pBc
-<08>V<EFBFBD>5a<35><61><EFBFBD>.<2E>B'K<><4B>7<EFBFBD><37><17>LR9h`<60><>€<EFBFBD>շ<>I<EFBFBD><18><EFBFBD>
-8c<EFBFBD>%)<29>ۣ<EFBFBD>5<EFBFBD><35><EFBFBD><1C><1E><><EFBFBD><EFBFBD>KLR<4C><52>y<EFBFBD>199Y?<3F>v<EFBFBD><1E><16><><EFBFBD>2<EFBFBD>ЖK<D096>f<02><>ԏ!<21><>{3<>)<29>,
+-> ssh-ed25519 mT2fyg sRu0FIphSJVMBcC02mo1YuZdy3i2+/jMeN3ROvxp4kM
+sEwx23t3IAauISKesq+110ZKRKxQv3Zesd0AJufYOLs
+-> ssh-ed25519 UHxfvA +YaJGPRT7nX2CqVzw1ixNLpW7MfzEnj44pSwj4iUwhI
+E2U6Q+4uesNCWK7uVSztrA84TU/n/xLFm3PJH0hO/EM
+-> ssh-ed25519 yXDKAA V2kygl0BK/oYpKnnheslBO2YqXFdQWFgtqfmDNdgolc
+NpJNN4nfrbgOav8Y38C9DwKFZH+QTRp/US/8kyo9m0o
+--- LdqtfywtHOAy3AZ7AexZU0TJMU/ugq+ZYN07706rNxY
+<EFBFBD>
+U$<24>Ap<>nG<6E>Neɕ<65>u<EFBFBD>y`!<21>ʤ<EFBFBD><CAA4><EFBFBD>f;ipv<70>Y<EFBFBD><59>V_3<5F><33>N+<06><><EFBFBD>k#<23>{<7B><><EFBFBD><EFBFBD><EFBFBD>W<EFBFBD>*<2A>n(<28><0F><03><><14><>ջG6<47><36>݈yc`<60><>q<EFBFBD>:$K]?͗b=<3D>'<27>^<5E>9

secrets/secrets.nix

@@ -8,6 +8,9 @@ in {
   "andromeda-pw.age".publicKeys = [andromeda lenovo];
   "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
 
+  # dkim private keys
+  "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];
+
   # mail account passwords
   "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
   "mailserver-acc-admin-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];

users.nix

@@ -19,22 +19,6 @@ in {
           "wheel"
         ];
       };
-      "mtgmonkey" = {
-        isNormalUser = true;
-        description = "mtgmonkey";
-        hashedPasswordFile = builtins.toString config.age.secrets.mtgmonkey-pw.path;
-        extraGroups = [
-          (lib.mkIf
-            (machine == machines.lenovo)
-            "networkmanager")
-          "wheel"
-        ];
-        openssh.authorizedKeys.keys = [
-          (lib.mkIf
-            (machine == machines."109-199-104-83")
-            config.pub-keys.ssh.andromeda)
-        ];
-      };
     };
   environment.persistence."/persist".users = lib.mkIf config.environment.persistence."/persist".enable (
     builtins.mapAttrs
@@ -45,7 +29,7 @@ in {
           ".backups"
           ".local/share/Anki2"
           ".local/share/chat.fluffy.fluffychat"
-          ".local/share.zoxide"
+          ".local/share/zoxide"
           ".ssh"
           "conf"
           "Downloads"

users/andromeda/home.nix

@@ -91,6 +91,91 @@ in {
       };
     };
     fastfetch.enable = true;
+    firefox = {
+      enable = true;
+      package = pkgs.firefox.override {
+        cfg.enableTridactylNative = true;
+      };
+      profiles.${config.home.username} = {
+        extensions.packages = [
+          pkgs.nur.repos.rycee.firefox-addons.tridactyl
+        ];
+        search = {
+          default = "repos";
+          privateDefault = "ddghtml";
+          order = [
+            "wiki"
+            "options"
+            "packages"
+            "repos"
+          ];
+          engines = {
+            "packages" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/packages";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "options" = {
+              urls = [
+                {
+                  template = "https://search.nixos.org/options";
+                  params = [
+                    {
+                      name = "channel";
+                      value = "unstable";
+                    }
+                    {
+                      name = "query";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "wiki" = {
+              urls = [
+                {
+                  template = "https://wiki.nixos.org/w/index.php";
+                  params = [
+                    {
+                      name = "search";
+                      value = "{searchTerms}";
+                    }
+                  ];
+                }
+              ];
+            };
+
+            "repos" = {
+              template = "https://html.duckduckgo.com/html/";
+              params = [
+                {
+                  name = "q";
+                  value = "{searchTerms}+(site:*.gitlab.org OR site:github.com OR site:git.mtgmonkey.net OR site:sr.ht)";
+                }
+              ];
+            };
+          };
+        };
+        settings = {
+          "extensions.autoDisableScopes" = 0;
+        };
+      };
+    };
     git = {
       enable = true;
       settings = {
@@ -103,15 +188,6 @@ in {
     };
     gh.enable = true;
     home-manager.enable = true;
-    firefox = {
-      enable = true;
-      package = pkgs.firefox.override {
-        cfg.enableTridactylNative = true;
-      };
-      profiles.${config.home.username}.extensions.packages = [
-        pkgs.nur.repos.rycee.firefox-addons.tridactyl
-      ];
-    };
     lsd.enable = true;
     nvf = {
       enable = true;