chore: migrate nine host

.gitignore

@@ -6,11 +6,13 @@
 
 !hosts/
 !hosts/nine/
+!hosts/nine/github2forgejo/
 !hosts/pala/
 
 !lib/
 
 !modules/
+
 !modules/common/
 !modules/common/nushell/
 !modules/common/ssh/
@@ -19,6 +21,9 @@
 !modules/linux/hyprland/
 !modules/linux/restic/
 
+!modules/acme/
+!modules/mail/
+
 !flake.lock
 
 !*.age

docs/README.md

@@ -1,6 +1,6 @@
 # NCC
 
-RGBCube's Configuration Collection.
+RGBCube's Config Collection.
 
 ## License
 

flake.lock

@@ -27,18 +27,35 @@
         "type": "github"
       }
     },
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
     "crash": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1716374991,
+        "lastModified": 1740235896,
-        "narHash": "sha256-Ezu1HKsZnIE3WXKnqwWaU6ZPoqpyxjybAlUqAYzSYUk=",
+        "narHash": "sha256-C1y5H/BB6FsL5eWyzQXaqJkG5zfRBu+8jloVY4bFvvo=",
         "owner": "RGBCube",
         "repo": "crash",
-        "rev": "ec77c04485e78cfb149f2aa608fb4cc50a148975",
+        "rev": "3405a772baa5c33adab82c3d6034a7f1d8c62b65",
         "type": "github"
       },
       "original": {
@@ -53,11 +70,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1739082714,
+        "lastModified": 1740206139,
-        "narHash": "sha256-cylMa750pId3Hqvzyurd86qJIYyyMWB0M7Gbh7ZB2tY=",
+        "narHash": "sha256-wWSv4KYhPKggKuJLzghfBs99pS3Kli9UBlyXVBzuIzc=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "e84058a7fe56aa01f2db19373cce190098494698",
+        "rev": "133a9eb59fb4ddac443ebe5ab2449d3940396533",
         "type": "github"
       },
       "original": {
@@ -66,9 +83,25 @@
         "type": "github"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -84,21 +117,24 @@
         "type": "github"
       }
     },
-    "flake-utils_2": {
+    "github2forgejo": {
       "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1731533236,
+        "lastModified": 1740236040,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "narHash": "sha256-xojAD9+186ysmFBNf/jdyGhGeDCDjlRVsRqOUZEaCoU=",
-        "owner": "numtide",
+        "owner": "RGBCube",
-        "repo": "flake-utils",
+        "repo": "GitHub2Forgejo",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "5fcc8e423bb0b43c87ef09981795d25051b77af1",
         "type": "github"
       },
       "original": {
-        "owner": "numtide",
+        "owner": "RGBCube",
-        "repo": "flake-utils",
+        "repo": "GitHub2Forgejo",
         "type": "github"
       }
     },
@@ -109,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739051380,
+        "lastModified": 1740208222,
-        "narHash": "sha256-p1QSLO8DJnANY+ppK7fjD8GqfCrEIDjso1CSRHsXL7Y=",
+        "narHash": "sha256-FqgPcK5BK+Mc4cGBCGz555UsVd/TQK9FvmuamBWu+ZY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5af1b9a0f193ab6138b89a8e0af8763c21bbf491",
+        "rev": "f4a07823a298deff0efb0db30f9318511de7c232",
         "type": "github"
       },
       "original": {
@@ -122,33 +158,11 @@
         "type": "github"
       }
     },
-    "jj": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-overlay": "rust-overlay"
-      },
-      "locked": {
-        "lastModified": 1739043245,
-        "narHash": "sha256-WmlACEj2OB7XpBYEyvUZiEcSoCXLtRVqJ2UYLBtICGw=",
-        "owner": "jj-vcs",
-        "repo": "jj",
-        "rev": "07c63ed182bb1cbd9b52fe8e4f41638bdb5aafb6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "jj-vcs",
-        "repo": "jj",
-        "type": "github"
-      }
-    },
     "nil": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
         "nixpkgs": "nixpkgs_2",
-        "rust-overlay": "rust-overlay_2"
+        "rust-overlay": "rust-overlay"
       },
       "locked": {
         "lastModified": 1732053863,
@@ -171,11 +185,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1739034224,
+        "lastModified": 1739933872,
-        "narHash": "sha256-Mj/8jDzh1KNmUhWqEeVlW3hO9MZkxqioJGnmR7rivaE=",
+        "narHash": "sha256-UhuvTR4OrWR+WBaRCZm4YMkvjJhZ1KZo/jRjE41m+Ek=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "0b6f96a6b9efcfa8d3cc8023008bcbcd1b9bc1a4",
+        "rev": "6ab392f626a19f1122d1955c401286e1b7cf6b53",
         "type": "github"
       },
       "original": {
@@ -184,13 +198,37 @@
         "type": "github"
       }
     },
+    "nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-24_11": "nixpkgs-24_11"
+      },
+      "locked": {
+        "lastModified": 1739121270,
+        "narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "master",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1739020877,
+        "lastModified": 1739866667,
-        "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=",
+        "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547",
+        "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
         "type": "github"
       },
       "original": {
@@ -200,6 +238,21 @@
         "type": "github"
       }
     },
+    "nixpkgs-24_11": {
+      "locked": {
+        "lastModified": 1734083684,
+        "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-24.11",
+        "type": "indirect"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1731890469,
@@ -218,15 +271,16 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1739097848,
+        "lastModified": 1739866667,
-        "narHash": "sha256-bbdQB0Y4mB2msqbyQ9QC+YPDZGt1evUK53AwQSyShHM=",
+        "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9a0b855695c31ea653181b742c65e026bada3881",
+        "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -236,10 +290,11 @@
         "agenix": "agenix",
         "crash": "crash",
         "fenix": "fenix",
+        "github2forgejo": "github2forgejo",
         "home-manager": "home-manager",
-        "jj": "jj",
         "nil": "nil",
         "nix-darwin": "nix-darwin",
+        "nixos-mailserver": "nixos-mailserver",
         "nixpkgs": "nixpkgs_3",
         "themes": "themes"
       }
@@ -247,11 +302,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1738997488,
+        "lastModified": 1740077634,
-        "narHash": "sha256-jeNdFVtEDLypGIbNqBjURovfw9hMkVtlLR7j/5fRh54=",
+        "narHash": "sha256-KlYdDhon/hy91NutuBeN8e3qTKf3FXgsudWsjnHud68=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "208bc52b5dc177badc081c64eb0584a313c73242",
+        "rev": "88fbdcd510e79ef3bcd81d6d9d4f07bdce84be8c",
         "type": "github"
       },
       "original": {
@@ -262,27 +317,6 @@
       }
     },
     "rust-overlay": {
-      "inputs": {
-        "nixpkgs": [
-          "jj",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1737685583,
-        "narHash": "sha256-p+NVABRpGi+pT+xxf9HcLcFVxG6L+vEEy+NwzB9T0f8=",
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "rev": "eb64cbcc8eee0fa87ebded92805280d2ec97415a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "oxalica",
-        "repo": "rust-overlay",
-        "type": "github"
-      }
-    },
-    "rust-overlay_2": {
       "inputs": {
         "nixpkgs": [
           "nil",
@@ -348,6 +382,21 @@
         "type": "github"
       }
     },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "themes": {
       "locked": {
         "lastModified": 1715166503,

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "RGBCube's Configuration Collection";
+  description = "RGBCube's Config Collection";
 
   nixConfig = {
     extra-substituters = [
@@ -32,7 +32,7 @@
   };
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     nix-darwin = {
       url = "github:LnL7/nix-darwin";
@@ -54,17 +54,23 @@
       inputs.home-manager.follows = "home-manager";
     };
 
+    github2forgejo = {
+      url = "github:RGBCube/GitHub2Forgejo";
+
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixos-mailserver = {
+      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     fenix.url = "github:nix-community/fenix";
 
     # nix.url = "github:NixOS/nix";
     nil.url = "github:oxalica/nil";
 
-    jj = {
-      url = "github:jj-vcs/jj";
-
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     crash = {
       url = "github:RGBCube/crash";
 
@@ -76,7 +82,7 @@
 
   outputs = inputs @ { nixpkgs, nix-darwin, ... }: let
     inherit (builtins) readDir;
-    inherit (nixpkgs.lib) attrsToList const groupBy listToAttrs mapAttrs;
+    inherit (nixpkgs.lib) attrsToList const groupBy listToAttrs mapAttrs nameValuePair;
 
     lib'' = nixpkgs.lib.extend (_: _: nix-darwin.lib);
     lib'  = lib''.extend (_: _: builtins);
@@ -91,7 +97,12 @@
         else
           "darwinConfigurations")
       |> mapAttrs (const listToAttrs);
-  in hostsByType // {
+
+    hostConfigs = hostsByType.darwinConfigurations // hostsByType.nixosConfigurations
+      |> attrsToList
+      |> map ({ name, value }: nameValuePair name value.config)
+      |> listToAttrs;
+  in hostsByType // hostConfigs // {
     inherit lib;
   };
 }

hosts/nine/default.nix

@@ -1,14 +1,7 @@
 lib: lib.nixosSystem ({ config, keys, lib, ... }: let
-  inherit (lib) collect remove;
+  inherit (lib) collectNix remove;
 in {
-  imports = collect ./. |> remove ./default.nix;
+  imports = collectNix ./. |> remove ./default.nix;
-
-  nixpkgs.hostPlatform = "aarch64-linux";
-
-  system.stateVersion  = "23.11";
-  home-manager.sharedModules = [{
-    home.stateVersion = "23.11";
-  }];
 
   networking.hostName = "nine";
 
@@ -26,6 +19,7 @@ in {
       description                 = "Hungry Seven";
       openssh.authorizedKeys.keys = keys.admins;
       hashedPasswordFile          = config.secrets.sevenPassword.path;
+      isNormalUser                = true;
       extraGroups                 = [ "wheel" ];
     };
 
@@ -33,9 +27,16 @@ in {
       description                 = "Backup";
       openssh.authorizedKeys.keys = keys.all;
       hashedPasswordFile          = config.secrets.sevenPassword.path;
+      isNormalUser                = true;
     };
   };
 
+  home-manager.users = {
+    root   = {};
+    seven  = {};
+    backup = {};
+  };
+
   networking = {
     ipv4 = "152.53.2.105";
     ipv6 = "2a0a:4cc0::12d9";
@@ -57,4 +58,10 @@ in {
       }];
     };
   };
+
+  nixpkgs.hostPlatform       = "aarch64-linux";
+  system.stateVersion        = "23.11";
+  home-manager.sharedModules = [{
+    home.stateVersion = "23.11";
+  }];
 })

hosts/nine/github2forgejo/github2forgejo.nix

@@ -0,0 +1,12 @@
+{ config, lib, ... }: let
+  inherit (lib) enabled;
+in {
+  secrets.github2forgejoEnvironment = {
+    file  = ./environment.age;
+    owner = "github2forgejo";
+  };
+
+  services.github2forgejo = enabled {
+    environmentFile = config.secrets.github2forgejoEnvironment.path;
+  };
+}

hosts/nine/mail.nix

@@ -0,0 +1,14 @@
+{ config, self, ... }: let
+  inherit (config.networking) domain;
+
+  fqdn = "mail2.${domain}";
+in {
+  imports = [(self + /modules/mail)];
+
+  mailserver = {
+    inherit fqdn;
+
+    # Not [ domain ] because this is a backup mailserver. contact@mail2.rgbcu.be.
+    domains = [ fqdn ];
+  };
+} 

hosts/pala/default.nix

@@ -1,4 +1,6 @@
 lib: lib.darwinSystem {
+  type = "desktop";
+
   networking.hostName = "pala";
 
   users.users.pala = {

lib/filesystem.nix

@@ -2,6 +2,6 @@ _: self: super: let
   inherit (self) filter hasSuffix;
   inherit (self.filesystem) listFilesRecursive;
 in {
-  collect = path: listFilesRecursive path
+  collectNix = path: listFilesRecursive path
     |> filter (hasSuffix ".nix");
 }

lib/system.nix

@@ -1,9 +1,9 @@
 inputs: self: super: let
-  inherit (self) attrValues filter getAttrFromPath hasAttrByPath collect;
+  inherit (self) attrValues filter getAttrFromPath hasAttrByPath collectNix;
 
-  commonModules = collect ../modules/common;
+  commonModules = collectNix ../modules/common;
-  nixosModules  = collect ../modules/linux;
+  nixosModules  = collectNix ../modules/linux;
-  darwinModules = collect ../modules/darwin;
+  darwinModules = collectNix ../modules/darwin;
 
   collectInputs = let
     inputs' = attrValues inputs;

modules/acme/default.nix

@@ -0,0 +1,21 @@
+{ config, ... }: let
+  inherit (config.networking) domain;
+in {
+  secrets.acmeEnvironment.file = ./environment.age;
+
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      environmentFile = config.secrets.acmeEnvironment.path;
+      dnsProvider     = "cloudflare";
+      dnsResolver     = "1.1.1.1";
+      email           = "security@${domain}";
+    };
+
+    certs.${domain} = {
+      extraDomainNames = [ "*.${domain}" ];
+      group            = "nginx";
+    };
+  };
+}

modules/acme/environment.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw /sYx2CZG4l/oWbh9aKT4lFOcSiwY6A9SxwgX32mXqBs
+iK6qzFpI4xGh5m4oqmW18eM2v6OVj/z3t1aRslnhH50
+-> ssh-ed25519 spFFQA S3tkGQbTGQgWcp8Uh625eMCnE/h4nFVeb/z1AVemBkw
+9RiAPo2w7PC+2abVofU1Aficcn0eOfvvOMgxGXRIL+0
+-> ssh-ed25519 dASlBQ zuVu1QbtutWUG93M+i/UlVlkrmUdz71SrW8jhV4Pxg4
+OMEdnXV0Ix11FRX58Q3zH7nRG2tSkBl1wDmGY7J4JLM
+-> ssh-ed25519 CzqbPQ XLqIYDBAQXyL4/khZ71XP6uajnkX2HhzA2Ksx1UTGiU
+MWrt9f1XjxECD4TRKbME2bN4XU1ns9VQ7btuqijXJYU
+--- rpTCT+04nE+Jl+2qDHbocBGeYQYBtW/EcRiYHWTqcvw
+ñP3ÐÔ¢p
¸ŸQ¬^“¬­ ³š8lA<6C>¶Å»‰ÌhYQê±	Gü×ÿ‘¢ðWÐüÊ'ï&ãתHÐÉ;Ü<>ï ¼	á*3™­û Ð÷
+t€AõàOXkˆ>M¸††öiœ:!äo¸Ì›s9å!:£$£rŽ»ÿaŽ4"HUD
+Œ¾ËbHºôH£–w'Å Ì<C2A0>Ù±x·³ÌJ¨<>àXœYy«+å–ú¡P»(‹eG&&ŽTGÐ'ÔÍ8à:!)Ôª<´

modules/common/git.nix

@@ -95,8 +95,6 @@ in {
       '';
 
       programs.git = enabled {
-        package = pkgs.gitFull;
-
         userName  = homeConfig.programs.jujutsu.settings.user.name;
         userEmail = homeConfig.programs.jujutsu.settings.user.email;
 

modules/common/helix.nix

@@ -240,7 +240,7 @@ in {
 
     # RUST
     pkgs.rust-analyzer-nightly
-    pkgs.lldb_20
+    pkgs.lldb
 
     # TYPESCRIPT & OTHERS
     pkgs.deno

modules/common/ip.nix

@@ -0,0 +1,8 @@
+{ lib, ... }: let
+  inherit (lib) mkValue;
+in {
+  options.networking = {
+    ipv4 = mkValue null;
+    ipv6 = mkValue null;
+  };
+}

modules/common/nix.nix

@@ -1,5 +1,5 @@
 { self, config, inputs, lib, pkgs, ... }: let
-  inherit (lib) concatStringsSep const disabled filterAttrs flip isType mapAttrs mapAttrsToList merge mkAfter optionalAttrs;
+  inherit (lib) concatStringsSep const disabled filterAttrs flip id isType mapAttrs mapAttrsToList merge mkAfter optionalAttrs;
   inherit (lib.strings) toJSON;
 
   registryMap = inputs
@@ -11,7 +11,7 @@ in {
 
   nix.nixPath = registryMap
       |> mapAttrsToList (name: value: "${name}=${value}")
-      |> concatStringsSep ":";
+      |> (if config.isDarwin then concatStringsSep ":" else id);
 
   nix.registry = registryMap // { default = inputs.nixpkgs; }
     |> mapAttrs (_: flake: { inherit flake; });

modules/common/nushell/default.nix

@@ -1,11 +1,12 @@
 { config, lib, pkgs, ... }: let
   inherit (lib) enabled filter first foldl' getExe last match mkIf nameValuePair optionalAttrs readFile removeAttrs splitString;
 in {
-  users = optionalAttrs config.isLinux { defaultUserShell = pkgs.nushell; };
+  environment = optionalAttrs config.isLinux {
+    sessionVariables.SHELLS = getExe pkgs.nushell;
+  } // {
+    shells = mkIf config.isDarwin [ pkgs.nushell ];
 
-  environment.shells = mkIf config.isDarwin [ pkgs.nushell ];
+    shellAliases = {
-
-  environment.shellAliases = {
       la  = "ls --all";
       lla = "ls --long --all";
       sl  = "ls";
@@ -19,12 +20,13 @@ in {
       tree   = "tree -CF --dirsfirst";
     };
 
-  environment.systemPackages = [
+    systemPackages = [
       pkgs.fish   # For completions.
       pkgs.zoxide # For completions and better cd.
     ];
 
-  environment.variables.STARSHIP_LOG = "error";
+    variables.STARSHIP_LOG = "error";
+  };
 
   nixpkgs.overlays = [(self: super: {
     zoxide = super.zoxide.overrideAttrs (old: {

modules/common/python.nix

@@ -1,10 +1,6 @@
 { pkgs, ... }: {
   environment.systemPackages = [
-    (pkgs.python311.withPackages (pkgs: [
+    pkgs.python314
-      pkgs.pip
-      pkgs.requests
-    ]))
-
     pkgs.uv
   ];
 }

modules/common/ssh/default.nix

@@ -46,11 +46,11 @@ in {
         #   port     = 2222;
         # };
 
-        # nine = {
+        nine = {
-        #   hostname = self.nine.networking.ipv4;
+          hostname = self.nine.networking.ipv4;
-        #   user     = "seven";
+          user     = "seven";
-        #   port     = 2222;
+          port     = 2222;
-        # };
+        };
       };
     };
   }];

modules/common/system.nix

@@ -1,5 +1,5 @@
 { config, lib, ... }: let
-  inherit (lib) any elem getAttr last mapAttrsToList mkConst splitString;
+  inherit (lib) last mkConst mkValue splitString;
 in {
   options = {
     os = mkConst <| last <| splitString "-" config.nixpkgs.hostPlatform.system;
@@ -7,7 +7,9 @@ in {
     isLinux  = mkConst <| config.os == "linux";
     isDarwin = mkConst <| config.os == "darwin";
 
-    isDesktop = mkConst <| config.isDarwin || false; # (any (elem "graphical") <| mapAttrsToList (_: getAttr "extraGroups") config.users.users);
+    type = mkValue "server";
-    isServer  = mkConst <| !config.isDesktop;
+
+    isDesktop = mkConst <| config.type == "desktop";
+    isServer  = mkConst <| config.type == "server";
   };
 }

modules/linux/crash.nix

@@ -1,7 +1,3 @@
-{ config, lib, pkgs, ... }: let
+{ pkgs, ... }: {
-  inherit (lib) getExe;
-in {
-  environment.sessionVariables.SHELLS = getExe config.environment.sessionVariables.SHELL;
-
   users.defaultUserShell = pkgs.crash;
 }

modules/linux/endlessh-go.nix

@@ -1,5 +1,5 @@
 { config, lib, pkgs, ... }: let
-  inherit (lib) enabled merge mkEnableOption mkIf mkOption types;
+  inherit (lib) enabled mkEnableOption mkIf mkOption types;
 
   fakeSSHPort    = 22;
 in {
@@ -19,7 +19,7 @@ in {
     extraOptions = [
       "-alsologtostderr"
       "-geoip_supplier max-mind-db"
-      "-max_mind_db ${pkgs.clash-geoip}/etc/clash/Country.mmdb"
+      "-max_mind_db ${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb"
     ];
 
     prometheus = config.services.prometheus.exporters.endlessh-go;

modules/linux/restic/default.nix

@@ -1,5 +1,5 @@
 { config, lib, ... }: let
-  inherit (lib) genAttrs merge mkConst mkIf remove;
+  inherit (lib) genAttrs mkConst mkIf remove;
 in{
   options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];
 

modules/linux/restic/password.age

@@ -1,11 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 +rZ0Tw xhx8zm8GiLF+Y+2w9jxYr0k5EV09CwlYxaXlH9ZvRF8
+-> ssh-ed25519 +rZ0Tw CtS/6eNaVgR5InQp3n06/zY/rp6UOYEhe092pCHIKHM
-m6WXa1m9kRJxXHDamHhTuXbWkBqPmvzei6ZU/CgTTgE
+/GHgCc3HFQx079StHxc+bwy8UBn39xKLa0yC7TisI28
--> ssh-ed25519 spFFQA jzcaT4YrjACZ8UdNBHCPr6oHTRtdGXBj8dR2TGEo9A0
+-> ssh-ed25519 spFFQA /Pi6oNwnVhPbxqHqIdTTuyMKgYlrGZP54OsXPZPlkQE
-Q9t68ssLWmfSINP2l5ifRQ4q9ITpT6fx9lKnB1sdl2g
+pWxgQH3AcKOO6k3XqfE7vqMh3KQvmMMobPzb7jFFV7w
--> ssh-ed25519 dASlBQ FVfNa8ql4GBQc8lFGyLZ76yq3hY0/XJPT5IenlxuIRg
+-> ssh-ed25519 dASlBQ kP3MP43ihgSVjFjW25E1sDIOZL9jBrZ8yv+ca8TjFn8
-4SmF95S6VDt43LuLZLPpUSB+4HHYl5LRVWV6MkW0q5M
+cdKgnRSTykGS2C3m4IyYlBtSyTmS1SPSbesdR6egzHs
--> ssh-ed25519 CzqbPQ 3BBzb1KkXAIzBsdQpHVQ53LjueHhJ8bcfZbH1ZV1D0I
+-> ssh-ed25519 CzqbPQ 5AUMLp2mUwdNZpenEbI6Czw1yU9CxkCeratgkXjezWo
-OoHk1f28Qr5HHaOVuVm/Pr8MqEuGtuHev2pzlYmc93c
+dmAHKomz8ifPuLdmXgBVI8dAhlHfkTZ0/chhdCdTHhk
---- TcuCWM/kQHR+DtXdZlZCXHDoDxsFkzQbfM/Ebbcb5BI
+--- wrGrDfB+rsqf65ALfKuDMhFD6cLMheAH9JXQXcvPhHc
-<EFBFBD>|ìç38|H„%Ët
ˆÈ<CB86>38ΊrŠz¶‰ð?4ÜH¤“ÕŽ²ª’×ø<C397>Có+„Ò
+„b²¼–aFaÈ—v<E28094>¹¹½åd´<á3…s\<5C>þA¬±…ìÐÑê˜â¬ý<C2AC>#;ãn

modules/linux/steam.nix

@@ -1,4 +1,6 @@
-{ pkgs, ... }: {
+{ config, pkgs, lib, ... }: let
+  inherit (lib) merge mkIf;
+in merge <| mkIf config.isDesktop {
   # Steam uses 32-bit drivers for some unholy fucking reason.
   hardware.graphics.enable32Bit = true;
 

modules/mail/default.nix

@@ -0,0 +1,53 @@
+{ self, config, lib, ... }: let
+  inherit (lib) const enabled genAttrs head mkDefault;
+  inherit (config.networking) domain;
+
+  fqdn = "mail1.${domain}";
+in {
+  imports = [(self + /modules/acme)];
+
+  secrets.mailPassword.file = ./password.hash.age;
+
+  services.prometheus.exporters.postfix = enabled {
+    listenAddress = "[::]";
+  };
+
+  services.restic.backups = genAttrs config.resticHosts <| const {
+    paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
+  };
+
+  mailserver = enabled {
+    fqdn = mkDefault fqdn;
+
+    domains           = mkDefault [ domain ];
+    certificateScheme = "acme";
+
+    # We use systemd-resolved instead of Knot Resolver.
+    localDnsResolver = false;
+
+    hierarchySeparator = "/";
+    useFsLayout        = true;
+
+    dkimKeyDirectory = "/var/lib/dkim";
+    mailDirectory    = "/var/lib/mail";
+    sieveDirectory   = "/var/lib/sieve";
+
+    vmailUserName  = "mail";
+    vmailGroupName = "mail";
+
+    # The mailserver at <turkiye.gov> malfunctions.
+    # dmarcReporting = enabled {
+    #   domain = head config.mailserver.domains;
+
+    #   organizationName = "Doofemshmirtz Evil Inc.";
+    # };
+
+    fullTextSearch = enabled;
+
+    loginAccounts."contact@${head config.mailserver.domains}" = {
+      aliases = [ "@${head config.mailserver.domains}" ];
+
+      hashedPasswordFile = config.secrets.mailPassword.path;
+    };
+  };
+}

modules/mail/password.hash.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 3FKgAlI2mIHkl623ktW4WVByhP3yZr0SGnUlMegyHHc
+gbSjIj69rEKgieBaCt7AbmVKM4SzKHpeFh6VidOuJ1M
+-> ssh-ed25519 spFFQA OxjlQ9UqV/ff49cTNl2y/RrQyhRHw/bZ6A4tssSRHGw
+S2vXscTOiuIj8K0jSxactZlfC1xNeOLK1pNiOsSzcu0
+-> ssh-ed25519 dASlBQ 37/rUlIczHaI5Kd8UY5nGjh4Zainn6aRoXJf2wCIMnQ
+RQnektskdprpUMzPqBqRk3jsOokDev3COMFILjgEKV4
+-> ssh-ed25519 CzqbPQ T77BWh2cC1MtJFbBdl3MFXuQ1Htlc/kWcCtHhWV+9l8
+A+3zHRx14GklmeHzbtGGVgzLQLNGz5Z39Fx5Oc08sDo
+--- ojzWUX7nzpF8qmd7JqY3utHTTYlboKQu6+jRec61sRE
+â°ÞSôKkrÁê™&bH“5wÖµ0€Ãe;U×jmUÅ9•¤hRؾ%16Ò|]£*Æs´þÌëwW§yœT_þ[Öug8€Q]nDØà¨vá<76> „°ˆÎ	øCÑ

modules/mail/password.plain.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw yK5fuqcnE1yO5tTAudZ/TXDvBf0sn4eCr39j/jZgil0
++hTr80COfDui7lhRnaDjNB2c2gtNOKQaiW4Yiz0am/A
+-> ssh-ed25519 spFFQA kDMyjjSxHOaLZ6ocr/q7MmRoqrXHdzHFzbZslaA0hlE
+jurwi1z6m+weYx5Wr3+E8+2fbYgwPFTKOPOuAYjt8wI
+-> ssh-ed25519 dASlBQ 5CYRg+Sw+jDk+S1EtLEG+PXf6EKJwx/Re9e/txOrs2A
+vUaTfOS9Fuce2x/qL5Pg3L0ZHZPBrhr63W4UT0n28uI
+-> ssh-ed25519 CzqbPQ 1uz6duuPfhpAjWjGdjwUGr7UHyqxG/zKn6rCVPgxSF8
+y5t/i2p08GqDOeaC27CJE528br/qU4i+iUEvMXDdX4w
+--- mGUus7T7rcsjt8LRCBc0vr5f3KFLSZweFYvaaNen+zg
+iOÐ2Ñ»GQ
(o
ÿX3=>®:¨²É)mç½
+ÀÁ<EFBFBD>í"[ûQ»Q

rebuild.nu

@@ -1,6 +1,6 @@
 #!/usr/bin/env nu
 
-# Rebuild a NixOS / Darwin configuration.
+# Rebuild a NixOS / Darwin config.
 def main --wrapped [
   host: string = "" # The host to build.
   ...arguments      # The arguments to pass to `nixos-rebuild switch`.
@@ -11,17 +11,6 @@ def main --wrapped [
     (hostname)
   }
 
-  let args_split = $arguments | split list "--"
-
-  let nh_flags = [
-    "--hostname" $host
-  ] | append ($args_split | get --ignore-errors 0 | default [])
-
-  let nix_flags = [
-    "--option" "accept-flake-config" "true"
-    "--option" "eval-cache"          "false"
-  ] | append ($args_split | get --ignore-errors 1 | default [])
-
   if $host != (hostname) {
     git ls-files
     | (rsync
@@ -33,12 +22,25 @@ def main --wrapped [
 
     ssh -q -tt $host $"
       cd ncc
+      # TODO: Migration artifact. Remove.
+      nix shell github:NixOS/nix --command nu -c '
         ./rebuild.nu ($host) ($arguments | str join ' ')
+      '
     "
 
     return
   }
 
+  let args_split = $arguments | prepend "" | split list "--"
+  let nh_flags = [
+    "--hostname" $host
+  ] | append ($args_split | get 0 | filter { $in != "" })
+
+  let nix_flags = [
+    "--option" "accept-flake-config" "true"
+    "--option" "eval-cache"          "false"
+  ] | append ($args_split | get --ignore-errors 1 | default [])
+
   if (uname | get kernel-name) == "Darwin" {
     darwin-rebuild switch --flake (".#" + $host) ...$nix_flags
 
@@ -56,7 +58,8 @@ def main --wrapped [
 # the "install developer tools" popup.
 #
 # Set by default to "SplitForks" because who even uses that?
-const original_trigger = "/usr/bin/SplitForks"
+# TODO: Migration artifact. Make const.
+let original_trigger = "/usr/bin/SplitForks"
 
 # Where the symbolic links to `/usr/bin/false` will
 # be created in to shadow all popup-triggering binaries.
@@ -75,7 +78,8 @@ const original_trigger = "/usr/bin/SplitForks"
 #
 # Do NOT set this to a path that you use for other things,
 # it will get deleted if it exists to only have the shadowers.
-const shadow_path = "~/.local/shadow" | path expand # Did you read the comment?
+# TODO: Migration artifact. Make const.
+let shadow_path = "~/.local/shadow" | path expand # Did you read the comment?
 
 def darwin-shadow-xcode-popup [] {
   print "shadowing xcode popup binaries..."

secrets.nix

@@ -4,8 +4,13 @@ in {
   # nine
   "hosts/nine/id.age".publicKeys                         = [ nine ] ++ admins;
   "hosts/nine/password.seven.age".publicKeys             = [ nine ] ++ admins;
+  "hosts/nine/github2forgejo/environment.age".publicKeys = [ nine ] ++ admins;
 
   # shared
   "modules/common/ssh/config.age".publicKeys     = all;
   "modules/linux/restic/password.age".publicKeys = all;
+
+  "modules/acme/environment.age".publicKeys    = all;
+  "modules/mail/password.hash.age".publicKeys  = all;
+  "modules/mail/password.plain.age".publicKeys = all;
 }