chore: update lockfile

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -9,4 +9,5 @@ result-*
 
 nixos-efi-vars.fd
 
-/.pre-commit-config.yaml
+.direnv/
+.pre-commit-config.yaml

deploy/colmena.nix

@@ -21,15 +21,12 @@ let
   nodes = lib.genAttrs hostDirNames (
     hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
   );
+
 in
 inputs.colmena.lib.makeHive (
   {
     meta = {
-      nixpkgs = import inputs.nixpkgs {
+      nixpkgs = import inputs.nixpkgs { localSystem = "x86_64-linux"; };
-        localSystem = "x86_64-linux";
-      };
-
-      nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
       specialArgs = {
         inherit inputs;
         outputs = self;

dots/.local/share/task/hooks/on-add.limit.py

@@ -1,29 +0,0 @@
-#!/usr/bin/env python3
-import sys
-import json
-
-SLOTS_FILE = "/home/h/.local/share/task/add_slots"
-
-def get_slots():
-    try:
-        with open(SLOTS_FILE, "r") as f:
-            return int(f.read().strip())
-    except:
-        return 0
-
-slots = get_slots()
-
-if slots <= 0:
-    print(f"Cannot add task: No slots available (0/{slots}).")
-    print("Delete or complete a task first to earn an add slot.")
-    sys.exit(1)
-
-with open(SLOTS_FILE, "w") as f:
-    f.write(str(slots - 1))
-
-print(f"Task added. Slots remaining: {slots - 1}")
-
-for line in sys.stdin:
-    task = json.loads(line)
-    print(json.dumps(task))
-    sys.exit(0)

dots/.local/share/task/hooks/on-modify.limit.py

@@ -1,34 +0,0 @@
-#!/usr/bin/env python3
-import sys
-import json
-
-SLOTS_FILE = "/home/h/.local/share/task/add_slots"
-
-def get_slots():
-    try:
-        with open(SLOTS_FILE, "r") as f:
-            return int(f.read().strip())
-    except:
-        return 0
-
-data = sys.stdin.read().strip().split("\n")
-if len(data) < 2:
-    for line in data:
-        if line:
-            print(line)
-    sys.exit(0)
-
-old_task = json.loads(data[0])
-new_task = json.loads(data[1])
-
-was_pending = old_task.get("status") == "pending"
-is_not_pending = new_task.get("status") in ("completed", "deleted")
-
-if was_pending and is_not_pending:
-    slots = get_slots() + 1
-    with open(SLOTS_FILE, "w") as f:
-        f.write(str(slots))
-    print(f"Slot earned! Total slots: {slots}")
-
-print(json.dumps(new_task))
-sys.exit(0)

flake.lock

@@ -121,11 +121,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1776398575,
+        "lastModified": 1776657773,
-        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
+        "narHash": "sha256-GgExKCDspgASVM6sRH0VcVyixQznxuR4tjiAA7MfKxs=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
+        "rev": "986236cd6fad0979233ae5e73456a365f79ff198",
         "type": "gitlab"
       },
       "original": {
@@ -342,11 +342,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776373306,
+        "lastModified": 1776701552,
-        "narHash": "sha256-iAJIzHngGZeLIkjzuuWI6VBsYJ1n89a/Esq0m8R1vjs=",
+        "narHash": "sha256-CCRzOEFg6JwCdZIR5dLD0ypah5/e2JQVuWQ/l3rYrPY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d401492e2acd4fea42f7705a3c266cea739c9c36",
+        "rev": "c81775b640d4507339d127f5adb4105f6015edf2",
         "type": "github"
       },
       "original": {
@@ -398,10 +398,10 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1776422417,
+        "lastModified": 1776716353,
-        "narHash": "sha256-9R4MePj/UT0tqkWEq4Afg7Lp/zdfYHkW+qmpVGchKIs=",
+        "narHash": "sha256-4gmunPEtk1oOK/77YP7M5N0rO9mSPYPrEZbELMKkZDE=",
         "ref": "main",
-        "rev": "75759a14e8d46421fca4306393a38b5ad5240f09",
+        "rev": "13b5d656e0bef196f40d1be8581a97569f7a7eb9",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -467,11 +467,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1776169885,
+        "lastModified": 1776548001,
-        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
+        "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
+        "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
         "type": "github"
       },
       "original": {

home/hosts/andromache/default.nix

@@ -25,6 +25,7 @@
     ../../modules/nvim
     ../../modules/pandoc
     ../../modules/photography
+    ../../modules/secrets
     ../../modules/shell
     ../../modules/ssh
     ../../modules/taskwarrior

home/modules/anki/default.nix

@@ -13,10 +13,12 @@ let
   standalone = osConfig == null;
 in
 lib.optionalAttrs standalone {
-  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [
+  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+    anki = [
       "sync-user"
       "sync-key"
-  ] { };
+    ];
+  };
 }
 // {
   warnings = lib.optional (

home/modules/taskwarrior/default.nix

@@ -15,11 +15,13 @@ let
 in
 lib.optionalAttrs standalone {
   sops = {
-    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [
+    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+      taskwarrior = [
         "sync-server-url"
         "sync-server-client-id"
         "sync-encryption-secret"
-    ] { };
+      ];
+    };
 
     templates."taskrc.d/sync" = {
       content = ''
@@ -56,14 +58,6 @@ lib.optionalAttrs standalone {
     ".local/share/task/hooks/on-exit.sync.py" = {
       source = dotsPath + "/.local/share/task/hooks/on-exit.sync.py";
     };
-    ".local/share/task/hooks/on-add.limit.py" = {
-      source = dotsPath + "/.local/share/task/hooks/on-add.limit.py";
-      executable = true;
-    };
-    ".local/share/task/hooks/on-modify.limit.py" = {
-      source = dotsPath + "/.local/share/task/hooks/on-modify.limit.py";
-      executable = true;
-    };
     ".local/share/task/scripts/sync-and-notify.sh" = {
       source = dotsPath + "/.local/share/task/scripts/sync-and-notify.sh";
       executable = true;

hosts/andromache/default.nix

@@ -68,6 +68,7 @@ in
     nixSigningKey.enable = true;
   };
 
+  restic-backup.enable = true;
   tailscale.enable = true;
 
   docker.user = config.host.username;

hosts/astyanax/default.nix

@@ -64,6 +64,7 @@ in
     nixSigningKey.enable = true;
   };
 
+  restic-backup.enable = true;
   tailscale.enable = true;
   docker.user = config.host.username;
   nfc.user = config.host.username;

hosts/eetion/default.nix

@@ -9,9 +9,12 @@
     ./host.nix
     ../../modules/common
     ../../modules/ssh
+    ../../modules/tailscale
     # ../../modules/uptime-kuma
   ];
 
+  tailscale.enable = true;
+
   ssh = {
     inherit (config.host) username;
     publicHostname = config.host.name;

modules/ai-tools/default.nix

@@ -1,14 +1,13 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
-  inherit (config.secrets) sopsDir username;
+  inherit (config.secrets) username owner;
-  owner = config.users.users.${username}.name;
 in
 {
-  config.sops = {
+  config = {
-    secrets = myUtils.mkSopsSecrets sopsDir "opencode" [ "api-key" ] { inherit owner; };
+    secrets.groups.opencode = [ "api-key" ];
 
-    templates."opencode/auth.json" = {
+    sops.templates."opencode/auth.json" = {
       inherit owner;
       path = "/home/${username}/.local/share/opencode/auth.json";
       content = ''

modules/anki/default.nix

@@ -1,11 +1,6 @@
-{ config, myUtils, ... }:
-
-let
-  inherit (config.secrets) sopsDir username;
-  owner = config.users.users.${username}.name;
-in
 {
-  config.sops = {
+  config.secrets.groups.anki = [
-    secrets = myUtils.mkSopsSecrets sopsDir "anki" [ "sync-user" "sync-key" ] { inherit owner; };
+    "sync-user"
-  };
+    "sync-key"
+  ];
 }

modules/backups/default.nix

@@ -1,21 +1,16 @@
 {
   lib,
   config,
-  myUtils,
   ...
 }:
 
 let
   cfg = config.restic-backup;
-  inherit (config.secrets) sopsDir;
+  host = config.networking.hostName;
 in
 {
-  options = {
+  options.restic-backup = {
-    restic-backup = {
+    enable = lib.mkEnableOption "restic backups";
-      repository = lib.mkOption {
-        type = lib.types.str;
-        default = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
-      };
 
     passwordFile = lib.mkOption {
       type = lib.types.str;
@@ -27,31 +22,32 @@ in
       default = [ "/home" ];
     };
   };
+
+  config = lib.mkIf cfg.enable {
+    secrets.groups = {
+      restic = [ "password" ];
+      backblaze-b2 = [
+        "bucket-name"
+        "account-id"
+        "account-key"
+      ];
     };
 
-  config = {
+    sops.templates = {
-    sops = {
+      "restic/repo-${host}" = {
-      secrets = lib.mkMerge [
+        content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
-        (myUtils.mkSopsSecrets sopsDir "restic" [ "password" ] { })
-        (myUtils.mkSopsSecrets sopsDir "backblaze-b2" [ "bucket-name" "account-id" "account-key" ] { })
-      ];
-      templates = {
-        "restic/repo-${config.networking.hostName}" = {
-          content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
       };
-        "restic/b2-env-${config.networking.hostName}" = {
+      "restic/b2-env-${host}" = {
         content = ''
           B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
           B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
         '';
       };
     };
-    };
 
     services.restic.backups.home = {
-      repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
+      repositoryFile = config.sops.templates."restic/repo-${host}".path;
-      inherit (cfg) passwordFile;
+      inherit (cfg) passwordFile paths;
-      inherit (cfg) paths;
       timerConfig = {
         OnCalendar = "daily";
         Persistent = true;
@@ -64,7 +60,7 @@ in
         "--keep-monthly 6"
         "--keep-yearly 1"
       ];
-      environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
+      environmentFile = config.sops.templates."restic/b2-env-${host}".path;
     };
   };
 }

modules/hcloud/default.nix

@@ -1,30 +1,27 @@
 {
   lib,
   config,
-  myUtils,
   ...
 }:
 
 let
   cfg = config.hcloud;
-  inherit (config.secrets) sopsDir;
+  inherit (config.secrets) owner;
 in
 {
   options.hcloud = {
     enable = lib.mkEnableOption "hcloud CLI configuration";
     username = lib.mkOption {
       type = lib.types.str;
-      description = "Username for hcloud CLI configuration";
+      description = "username for hcloud CLI configuration";
     };
   };
 
   config = lib.mkIf cfg.enable {
-    sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] {
+    secrets.groups.hcloud = [ "api-token" ];
-      owner = config.users.users.${cfg.username}.name;
-    };
 
     sops.templates."hcloud/cli.toml" = {
-      owner = config.users.users.${cfg.username}.name;
+      inherit owner;
       path = "/home/${cfg.username}/.config/hcloud/cli.toml";
       content = ''
         active_context = "server"

modules/secrets/default.nix

@@ -11,13 +11,11 @@ let
   cfg = config.secrets;
   inherit (cfg) sopsDir;
   owner = config.users.users.${cfg.username}.name;
-  mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
 in
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
 
-  options = {
+  options.secrets = {
-    secrets = {
     username = lib.mkOption {
       type = lib.types.str;
     };
@@ -27,6 +25,16 @@ in
       default = "${toString inputs.nix-secrets}/secrets";
     };
 
+    groups = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+      default = { };
+      description = "Declarative secret groups: { group = [ key names ]; }";
+    };
+
+    owner = lib.mkOption {
+      type = lib.types.unspecified;
+    };
+
     nixSigningKey = {
       enable = lib.mkEnableOption "nix signing key configuration";
     };
@@ -35,30 +43,30 @@ in
       enable = lib.mkEnableOption "set up Yubikey";
     };
   };
-  };
 
   config = {
+    secrets = {
+      inherit owner;
+      groups = {
+        email = [
+          "personal"
+          "work"
+        ];
+        nix = lib.optional cfg.nixSigningKey.enable "signing-key";
+      };
+    };
+
     sops = {
       # for yubikey, generate as follows:
       # ```
       # age-plugin-yubikey --identity > <keyfile-path>
       # ```
       age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
-
+      secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
-      secrets = lib.mkMerge [
-        (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
-        (lib.mkIf cfg.nixSigningKey.enable {
-          nix-signing-key = {
-            sopsFile = "${sopsDir}/nix.yaml";
-            key = "signing-key";
-            inherit owner;
-          };
-        })
-      ];
     };
 
     nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
-      config.sops.secrets.nix-signing-key.path
+      config.sops.secrets."nix/signing-key".path
     ];
 
     services = {

modules/taskwarrior/default.nix

@@ -1,18 +1,17 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
-  inherit (config.secrets) sopsDir username;
+  inherit (config.secrets) owner;
-  owner = config.users.users.${username}.name;
 in
 {
-  config.sops = {
+  config = {
-    secrets = myUtils.mkSopsSecrets sopsDir "taskwarrior" [
+    secrets.groups.taskwarrior = [
       "sync-server-url"
       "sync-server-client-id"
       "sync-encryption-secret"
-    ] { inherit owner; };
+    ];
 
-    templates."taskrc.d/sync" = {
+    sops.templates."taskrc.d/sync" = {
       inherit owner;
       content = ''
         sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}

utils/default.nix

@@ -1,41 +1,12 @@
 { lib }:
 
+let
+  hosts = import ./hosts.nix;
+  secrets = import ./secrets.nix { inherit lib; };
+in
 {
   dirNames =
     path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
-
-  hostMeta =
-    hostDir:
-    if builtins.pathExists (hostDir + "/meta.nix") then
-      import (hostDir + "/meta.nix")
-    else
-      throw "meta.nix required in ${hostDir}";
-
-  mkSopsSecrets =
-    sopsDir: group: names: extraOpts:
-    let
-      file = "${group}.yaml";
-    in
-    lib.foldl' lib.mergeAttrs { } (
-      map (name: {
-        "${group}/${name}" = {
-          sopsFile = "${sopsDir}/${file}";
-          key = name;
-        }
-        // extraOpts;
-      }) names
-    );
-
-  sopsAvailability =
-    config: osConfig:
-    let
-      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
-      hmSopsAvailable = config ? sops && config.sops ? secrets;
-      preferOs = osSopsAvailable;
-    in
-    {
-      available = osSopsAvailable || hmSopsAvailable;
-      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
-      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
-    };
 }
+// hosts
+// secrets

utils/hosts.nix

@@ -0,0 +1,8 @@
+{
+  hostMeta =
+    hostDir:
+    if builtins.pathExists (hostDir + "/meta.nix") then
+      import (hostDir + "/meta.nix")
+    else
+      throw "meta.nix required in ${hostDir}";
+}

utils/secrets.nix

@@ -0,0 +1,37 @@
+{ lib }:
+
+{
+  mkSopsSecrets =
+    sopsDir: owner: groups:
+    let
+      opts = lib.optionalAttrs (owner != null) { inherit owner; };
+      mkGroup =
+        group: names:
+        let
+          file = "${group}.yaml";
+        in
+        lib.foldl' lib.mergeAttrs { } (
+          map (name: {
+            "${group}/${name}" = {
+              sopsFile = "${sopsDir}/${file}";
+              key = name;
+            }
+            // opts;
+          }) names
+        );
+    in
+    lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
+
+  sopsAvailability =
+    config: osConfig:
+    let
+      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
+      hmSopsAvailable = config ? sops && config.sops ? secrets;
+      preferOs = osSopsAvailable;
+    in
+    {
+      available = osSopsAvailable || hmSopsAvailable;
+      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
+      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
+    };
+}