From f79b3d6ff727d9b1243a0befda55d6053b1e305e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Wed, 20 Sep 2023 09:47:17 +0200 Subject: [PATCH] Migrated legion over. Started migrating hijiri --- README.md | 2 +- assets/ssh.nix | 1 + effects.nix | 10 +- flake.lock | 40 ++++++++ flake.nix | 49 ++++----- hosts/default.nix | 95 ++++++++++++------ hosts/hijiri-vm/default.nix | 7 +- hosts/hijiri/default.nix | 5 + hosts/kazuki/default.nix | 12 +-- hosts/kazuki/mail.nix | 1 + hosts/legion/default.nix | 16 +-- hosts/legion/disks.nix | 8 +- hosts/legion/hardware.nix | 4 +- hosts/legion/initrd.nix | 14 --- hosts/legion/machine-id | 1 + hosts/legion/msmtp.nix | 34 +++++++ hosts/legion/nas/default.nix | 9 +- hosts/legion/nas/media.nix | 4 +- modules/darwin/default.nix | 5 + modules/darwin/settei/default.nix | 6 ++ modules/darwin/settei/sane-defaults.nix | 17 ++++ modules/default.nix | 1 + modules/flake/configurations.nix | 21 ++-- modules/nixos/common/hercules.nix | 32 +++--- modules/nixos/settei/default.nix | 15 +-- modules/nixos/settei/sane-defaults.nix | 64 +++--------- modules/shared/settei/default.nix | 19 ++++ .../{nixos => shared}/settei/flake-qol.nix | 2 +- modules/shared/settei/sane-defaults.nix | 58 +++++++++++ modules/{nixos => shared}/settei/user.nix | 2 +- secrets/alert-nrab-lol-pass.age | 18 ++-- secrets/alert-plain-pass.age | 9 ++ secrets/hercules-cache.age | 14 +++ secrets/hercules-token.age | Bin 607 -> 728 bytes secrets/kazuki-cachix.age | Bin 665 -> 0 bytes secrets/leet-nrab-lol-pass.age | Bin 489 -> 474 bytes secrets/legion-niko-pass.age | Bin 0 -> 458 bytes secrets/secrets.nix | 6 +- secrets/vault-cert-env.age | 16 +-- wrappers/helix/default.nix | 8 +- 40 files changed, 397 insertions(+), 228 deletions(-) create mode 100644 hosts/hijiri/default.nix delete mode 100644 hosts/legion/initrd.nix create mode 100644 hosts/legion/machine-id create mode 100644 hosts/legion/msmtp.nix create mode 100644 modules/darwin/default.nix create mode 100644 modules/darwin/settei/default.nix create mode 100644 
modules/darwin/settei/sane-defaults.nix create mode 100644 modules/shared/settei/default.nix rename modules/{nixos => shared}/settei/flake-qol.nix (92%) create mode 100644 modules/shared/settei/sane-defaults.nix rename modules/{nixos => shared}/settei/user.nix (95%) create mode 100644 secrets/alert-plain-pass.age create mode 100644 secrets/hercules-cache.age delete mode 100644 secrets/kazuki-cachix.age create mode 100644 secrets/legion-niko-pass.age diff --git a/README.md b/README.md index ceff714..cf09670 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, ## Project structure - hosts - per-machine configurations - kazuki - my linux arm server - - legion - my linux x86 server[^1] + - legion - my linux x86 server - hijiri - my macbook[^1] - hijiri-vm - linux vm running on my macbook - miyagi - my work machine[^1] diff --git a/assets/ssh.nix b/assets/ssh.nix index 0d6107f..2ccf33f 100644 --- a/assets/ssh.nix +++ b/assets/ssh.nix @@ -13,5 +13,6 @@ system = { kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyYhYWDNmKSrpcslD3NzWW+lQmDcLJdjLh7CSkL4hW5 root@kazuki"; + legion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Ktyj0FSn8KLRwRGd0Tp/qNUPXV7+XyxAsWGWdMYp8 root@legion"; }; } diff --git a/effects.nix b/effects.nix index 832e826..13bebcc 100644 --- a/effects.nix +++ b/effects.nix @@ -1,4 +1,4 @@ -{self, ...}: { +{ defaultEffectSystem = "aarch64-linux"; hercules-ci = { @@ -7,12 +7,4 @@ when.dayOfWeek = "Mon"; }; }; - - herculesCI = { - onPush = { - default.enable = true; - - wrappers.outputs = self.packages.aarch64-linux; - }; - }; } diff --git a/flake.lock b/flake.lock index 4c075b8..30ec171 100644 --- a/flake.lock +++ b/flake.lock 
@@ -282,6 +282,30 @@ "type": "gitlab" } }, + "nh": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1694971480, + "narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=", + "owner": "viperML", + "repo": "nh", + "rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd", + "type": "github" + }, + "original": { + "owner": "viperML", + "repo": "nh", + "type": "github" + } + }, "niko-nur": { "inputs": { "flake-parts": [ @@ -303,6 +327,21 @@ "type": "github" } }, + "nix-filter": { + "locked": { + "lastModified": 1687178632, + "narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1687274257, @@ -441,6 +480,7 @@ "hercules-ci-effects": "hercules-ci-effects", "home-manager": "home-manager", "mailserver": "mailserver", + "nh": "nh", "niko-nur": "niko-nur", "nixpkgs": "nixpkgs_5", "racket": "racket", diff --git a/flake.nix b/flake.nix index 43c4486..4f0ae2e 100644 --- a/flake.nix +++ b/flake.nix @@ -19,15 +19,19 @@ ]; perSystem = { - pkgs, inputs', + pkgs, + lib, ... }: { devShells.default = pkgs.mkShellNoCC { - packages = [ - inputs'.deploy-rs.packages.deploy-rs - inputs'.agenix.packages.agenix - ]; + packages = + [ + inputs'.deploy-rs.packages.deploy-rs + inputs'.agenix.packages.agenix + ] + # TODO: Contribute darwin support to nh + ++ lib.optionals (!pkgs.stdenv.isDarwin) [inputs'.nh.packages.default]; }; formatter = pkgs.alejandra; 
@@ -54,11 +58,9 @@ }; niko-nur = { url = "github:nrabulinski/nur-packages"; - inputs = { - # Not overriding nixpkgs to get cache hits - # nixpkgs.follows = "nixpkgs"; - flake-parts.follows = "flake-parts"; - }; + # Not overriding nixpkgs to get cache hits + # inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-parts.follows = "flake-parts"; }; darwin = { url = "github:lnl7/nix-darwin"; @@ -68,11 +70,9 @@ darwin-old-for-agenix.url = "github:lnl7/nix-darwin/22620845fee1cc16f4ea639509c50fd989ccc1ce"; agenix = { url = "github:ryantm/agenix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - darwin.follows = "darwin-old-for-agenix"; - home-manager.follows = "home-manager"; - }; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.darwin.follows = "darwin-old-for-agenix"; + inputs.home-manager.follows = "home-manager"; }; mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; @@ -84,10 +84,8 @@ }; wrapper-manager-hm-compat = { url = "github:nrabulinski/wrapper-manager-hm-compat"; - inputs = { - nixpkgs.follows = "nixpkgs"; - home-manager.follows = "home-manager"; - }; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.home-manager.follows = "home-manager"; }; # stylix = { # url = "github:danth/stylix"; @@ -106,10 +104,13 @@ }; hercules-ci-effects = { url = "github:hercules-ci/hercules-ci-effects"; - inputs = { - flake-parts.follows = "flake-parts"; - hercules-ci-agent.follows = "hercules-ci-agent"; - }; + inputs.flake-parts.follows = "flake-parts"; + inputs.hercules-ci-agent.follows = "hercules-ci-agent"; + }; + nh = { + url = "github:viperML/nh"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-parts.follows = "flake-parts"; }; }; @@ -120,6 +121,7 @@ "https://nix-community.cachix.org" "https://cache.nixos.org/" "https://hercules-ci.cachix.org" + "https://nrabulinski.cachix.org" ]; trusted-public-keys = [ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" 
@@ -127,6 +129,7 @@ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" + "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic=" ]; }; } diff --git a/hosts/default.nix b/hosts/default.nix index 3874c61..73c7346 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -5,35 +5,54 @@ lib, ... }: { - builders = { - nixos = name: module: let - defaultOptions = { - username, - inputs', - lib, - ... - }: { - _file = ./default.nix; + imports = [ + ./kazuki + ./hijiri-vm + ./hijiri + ./legion + ./installer + ]; - settei = { - username = lib.mkDefault "niko"; - sane-defaults = { - enable = lib.mkDefault true; - allSshKeys = config.assets.sshKeys.user; - }; - flake-qol = { - enable = true; - inputs = inputs // {settei = self;}; - }; - user = { - enable = true; - config = { - home.packages = lib.attrValues inputs'.settei.packages; - }; + builders = let + sharedOptions = { + inputs', + lib, + ... + }: { + _file = ./default.nix; + + settei = { + username = lib.mkDefault "niko"; + sane-defaults = { + enable = lib.mkDefault true; + allSshKeys = config.assets.sshKeys.user; + }; + flake-qol = { + enable = true; + inputs = inputs // {settei = self;}; + }; + user = { + enable = true; + config = { + home.packages = let + wrappers = lib.attrValues inputs'.settei.packages; + extraPkgs = [inputs'.nh.packages.default]; + in + wrappers ++ extraPkgs; + + programs.git.enable = true; + home.sessionVariables.EDITOR = "hx"; }; }; + }; + + time.timeZone = lib.mkDefault "Europe/Warsaw"; + }; + in { + nixos = name: module: let + defaultOptions = { + _file = ./default.nix; - time.timeZone = lib.mkDefault "Europe/Warsaw"; i18n.defaultLocale = lib.mkDefault "en_US.UTF-8"; }; in 
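Review bot: The `nrabulinski.cachix.org` key added to `trusted-public-keys` here (and its substituter in the `extra-substituters` hunk just above) is added verbatim a second time in the new modules/shared/settei/sane-defaults.nix, so the two lists now have to be rotated together. The flake-level `nixConfig` only applies while this flake itself is evaluated whereas the module applies to every host, so the duplication looks intentional, but a one-line cross-reference would keep them from drifting: `# Keep in sync with modules/shared/settei/sane-defaults.nix`. Because any store path signed by a listed key is accepted without further checks, an added or changed key entry is worth comparing against the cache's published key before merging.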
@@ -46,17 +65,29 @@ inputs.hercules-ci-agent.nixosModules.agent-service self.nixosModules.settei self.nixosModules.common + sharedOptions + defaultOptions + module + ]; + specialArgs.configurationName = name; + }; + + darwin = name: module: let + defaultOptions = { + _file = ./default.nix; + }; + in + inputs.darwin.lib.darwinSystem { + modules = [ + inputs.agenix.darwinModules.age + inputs.home-manager.darwinModules.home-manager + inputs.hercules-ci-agent.darwinModules.agent-service + self.darwinModules.settei + sharedOptions defaultOptions module ]; specialArgs.configurationName = name; }; }; - - imports = [ - ./kazuki - ./hijiri-vm - # ./legion - ./installer - ]; } diff --git a/hosts/hijiri-vm/default.nix b/hosts/hijiri-vm/default.nix index 7a7681f..55c4cbd 100644 --- a/hosts/hijiri-vm/default.nix +++ b/hosts/hijiri-vm/default.nix @@ -1,9 +1,4 @@ { - self, - inputs, - config, - ... -}: { configurations.nixos.hijiri-vm = { modulesPath, lib, @@ -15,7 +10,7 @@ ./disks.nix ]; - nixpkgs.system = "aarch64-linux"; + nixpkgs.hostPlatform = "aarch64-linux"; boot = { loader.systemd-boot.enable = true; diff --git a/hosts/hijiri/default.nix b/hosts/hijiri/default.nix new file mode 100644 index 0000000..0900b97 --- /dev/null +++ b/hosts/hijiri/default.nix @@ -0,0 +1,5 @@ +{ + configurations.darwin.hijiri = { + nixpkgs.hostPlatform = "aarch64-darwin"; + }; +} diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix index 9c1d694..0411661 100644 --- a/hosts/kazuki/default.nix +++ b/hosts/kazuki/default.nix @@ -1,9 +1,6 @@ { - config, - self, - ... -}: { configurations.nixos.kazuki = { + config, modulesPath, lib, ... @@ -17,7 +14,7 @@ ./vault.nix ]; - nixpkgs.system = "aarch64-linux"; + nixpkgs.hostPlatform = "aarch64-linux"; boot = { loader.systemd-boot.enable = true; 
@@ -26,10 +23,5 @@ }; common.hercules.enable = true; - age.secrets.kazuki-cachix = { - file = ../../secrets/kazuki-cachix.age; - owner = config.systemd.services.hercules-ci-agent.serviceConfig.User; - }; - services.hercules-ci-agent.settings.binaryCachesPath = config.age.secrets.kazuki-cachix.path; }; } diff --git a/hosts/kazuki/mail.nix b/hosts/kazuki/mail.nix index 808361b..f4b77b8 100644 --- a/hosts/kazuki/mail.nix +++ b/hosts/kazuki/mail.nix @@ -1,4 +1,5 @@ {config, ...}: { + # nix shell nixpkgs#apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 age.secrets = { leet-nrab-lol.file = ../../secrets/leet-nrab-lol-pass.age; alert-nrab-lol.file = ../../secrets/alert-nrab-lol-pass.age; diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix index 120d8b6..d643316 100644 --- a/hosts/legion/default.nix +++ b/hosts/legion/default.nix @@ -1,18 +1,17 @@ -{config, ...}: let - inherit (config.assets) sshKeys; -in { +{ configurations.nixos.legion = { config, lib, + username, ... }: { imports = [ ./hardware.nix # ./disks.nix - ./initrd.nix + ./msmtp.nix ]; - nixpkgs.system = "x86_64-linux"; + nixpkgs.hostPlatform = "x86_64-linux"; specialisation = { nas.configuration = ./nas; @@ -28,10 +27,15 @@ in { hostName = "legion"; hostId = builtins.substring 0 8 (builtins.readFile ./machine-id); networkmanager.enable = true; - useDHCP = true; firewall.trustedInterfaces = ["tailscale0"]; }; + systemd.services.NetworkManager-wait-online.enable = false; powerManagement.cpuFreqGovernor = "performance"; + + age.secrets.niko-pass.file = ../../secrets/legion-niko-pass.age; + users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path; + + common.hercules.enable = true; }; } diff --git a/hosts/legion/disks.nix b/hosts/legion/disks.nix index 1589606..5b1194d 100644 --- a/hosts/legion/disks.nix +++ b/hosts/legion/disks.nix 
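Review bot: The generator command added as a comment at the top of hosts/kazuki/mail.nix passes the password as a command-line argument (`htpasswd -nbB "" "super secret password"`), so the real value would land in shell history and be visible in the process list while it runs. Without `-b`, htpasswd prompts for the password instead: `# nix shell nixpkgs#apacheHttpd -c htpasswd -nB "" | cut -d: -f2`. It would also help to say which of the two secrets below (`leet-nrab-lol`, `alert-nrab-lol`) the command is meant to produce.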
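Review bot: `users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;` is applied only once unless `users.mutableUsers = false` is set somewhere outside this hunk: with the default mutable users, NixOS sets the hash when the account is first created and leaves it alone afterwards, so re-encrypting secrets/legion-niko-pass.age later will not rotate the password on an existing install. Either add `users.mutableUsers = false;` next to it if the password is meant to follow the secret, or document the one-shot behaviour with a comment such as `# Initial password only; with mutable users, later changes to the secret are not applied`. The `configurations.nixos.legion` module this belongs to starts in the previous hunk.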
@@ -1,6 +1,10 @@ -args: let +args: +/* +let bootDevice = args.bootDevice or "/dev/nvme0n1"; -in { +in +*/ +{ assertions = [ { assertion = false; diff --git a/hosts/legion/hardware.nix b/hosts/legion/hardware.nix index 756a876..3b5b717 100644 --- a/hosts/legion/hardware.nix +++ b/hosts/legion/hardware.nix @@ -1,9 +1,11 @@ -{...}: { +{config, ...}: { boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "uas"]; boot.extraModulePackages = with config.boot.kernelPackages; [acpi_call]; boot.kernelModules = ["kvm-intel" "i2c-dev" "acpi_call"]; boot.blacklistedKernelModules = ["nouveau"]; + # Needed for enableAllFirmware + nixpkgs.config.allowUnfree = true; hardware = { enableAllFirmware = true; cpu.intel.updateMicrocode = true; diff --git a/hosts/legion/initrd.nix b/hosts/legion/initrd.nix deleted file mode 100644 index b9d4527..0000000 --- a/hosts/legion/initrd.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - config, - username, - ... -}: { - boot.initrd = { - availableKernelModules = ["ath10k_pci" "r8169"]; - network.enable = true; - network.ssh = { - enable = true; - authorizedKeys = config.users.users.${username}.openssh.authorizedKeys.keys; - }; - }; -} diff --git a/hosts/legion/machine-id b/hosts/legion/machine-id new file mode 100644 index 0000000..2a76224 --- /dev/null +++ b/hosts/legion/machine-id @@ -0,0 +1 @@ +524209a432724c7abaf04398cdd6eecd diff --git a/hosts/legion/msmtp.nix b/hosts/legion/msmtp.nix new file mode 100644 index 0000000..fea94f5 --- /dev/null +++ b/hosts/legion/msmtp.nix 
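Review bot: `nixpkgs.config.allowUnfree = true;` in hosts/legion/hardware.nix unlocks every unfree package for the whole system evaluation, not only the firmware the comment names, so any unfree dependency pulled in elsewhere will now build without anyone noticing. If legion does not actually need the non-redistributable blobs that `hardware.enableAllFirmware` adds, `hardware.enableRedistributableFirmware = true;` (already set by the NixOS sane-defaults module in this patch) covers the redistributable ones without the global switch; if it does need them, the comment should say which hardware depends on it, e.g. `# allowUnfree is system-wide; enableAllFirmware's non-redistributable firmware is needed for <device — fill in>`.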
@@ -0,0 +1,34 @@ +# TODO: Potentially make this a common module? +{ + pkgs, + config, + username, + ... +}: let + mail = "alert@nrab.lol"; + aliases = pkgs.writeText "mail-aliases" '' + ${username}: nikodem@rabulinski.com + root: ${mail} + ''; +in { + age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age; + + programs.msmtp = { + enable = true; + setSendmail = true; + defaults = { + inherit aliases; + tls = "on"; + auth = "login"; + tls_starttls = "off"; + }; + accounts = { + default = { + host = "mail.nrab.lol"; + passwordeval = "cat ${config.age.secrets.alert-plaintext.path}"; + user = mail; + from = mail; + }; + }; + }; +} diff --git a/hosts/legion/nas/default.nix b/hosts/legion/nas/default.nix index 426b69a..2e715eb 100644 --- a/hosts/legion/nas/default.nix +++ b/hosts/legion/nas/default.nix @@ -1,5 +1,6 @@ { pkgs, + lib, username, ... }: { @@ -7,7 +8,7 @@ ./media.nix ]; - boot.supportedFilesystems = ["zfs"]; + boot.supportedFilesystems = ["ext4" "zfs"]; boot.zfs.extraPools = ["yottapool"]; services.zfs = { @@ -15,7 +16,7 @@ zed.settings = { ZED_DEBUG_LOG = "/tmp/zed.debug.log"; ZED_EMAIL_ADDR = [username]; - ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp"; + ZED_EMAIL_PROG = lib.getExe pkgs.msmtp; ZED_EMAIL_OPTS = "@ADDRESS@"; ZED_NOTIFY_INTERVAL_SECS = 3600; @@ -26,8 +27,8 @@ }; }; - fileSystems."/nix-cache" = { - device = "/dev/disk/by-label/CACHE"; + fileSystems."/bulk" = { + device = "/dev/disk/by-label/BULK"; fsType = "ext4"; }; } diff --git a/hosts/legion/nas/media.nix b/hosts/legion/nas/media.nix index 65c05ed..84752ca 100644 --- a/hosts/legion/nas/media.nix +++ b/hosts/legion/nas/media.nix @@ -1,4 +1,4 @@ -{ +{username, ...}: { services.jellyfin.enable = true; services.radarr.enable = true; services.sonarr.enable = true; @@ -13,6 +13,6 @@ jellyfin.extraGroups = ["radarr" "sonarr"]; radarr.extraGroups = ["deluge"]; sonarr.extraGroups = ["deluge"]; - niko.extraGroups = ["deluge"]; + ${username}.extraGroups = ["deluge"]; }; } 
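Review bot: `passwordeval = "cat ${config.age.secrets.alert-plaintext.path}"` runs as whichever user invokes msmtp, but `age.secrets.alert-plaintext` is declared with only `file`, so it gets agenix's defaults (root-owned, mode 0400) as far as I can tell. That is fine for root callers (which the zed daemon configured in hosts/legion/nas appears to be), and `setSendmail` does not make the sendmail wrapper setuid, so a non-root service or the `${username}` account sending through `sendmail` would presumably fail to read the secret and the mail would be dropped. Either document the assumption (`# secret is root-only: only root may send through this msmtp account`) or, if non-root senders are expected, give the secret a dedicated `group` and `mode = "0440"` rather than widening it to world-readable. The same mailbox password presumably also exists as a hash in secrets/alert-nrab-lol-pass.age for the mail server, so a rotation has to update both files.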
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix new file mode 100644 index 0000000..aab4e64 --- /dev/null +++ b/modules/darwin/default.nix @@ -0,0 +1,5 @@ +{config, ...}: { + flake.darwinModules = { + settei = import ./settei {inherit (config) perInput;}; + }; +} diff --git a/modules/darwin/settei/default.nix b/modules/darwin/settei/default.nix new file mode 100644 index 0000000..3b18865 --- /dev/null +++ b/modules/darwin/settei/default.nix @@ -0,0 +1,6 @@ +{perInput}: { + imports = [ + (import ../../shared/settei {inherit perInput;}) + ./sane-defaults.nix + ]; +} diff --git a/modules/darwin/settei/sane-defaults.nix b/modules/darwin/settei/sane-defaults.nix new file mode 100644 index 0000000..b58d101 --- /dev/null +++ b/modules/darwin/settei/sane-defaults.nix @@ -0,0 +1,17 @@ +# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix +{ + config, + lib, + username, + ... +}: { + config = lib.mkIf config.settei.sane-defaults.enable { + services.nix-daemon.enable = true; + + security.pam.enableSudoTouchIdAuth = true; + + users.users.${username}.home = "/Users/${username}"; + + system.stateVersion = 4; + }; +} diff --git a/modules/default.nix b/modules/default.nix index cf105c1..9268452 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,7 @@ { imports = [ ./nixos + ./darwin ./flake ]; } diff --git a/modules/flake/configurations.nix b/modules/flake/configurations.nix index f1e64c3..79bccba 100644 --- a/modules/flake/configurations.nix +++ b/modules/flake/configurations.nix @@ -7,10 +7,8 @@ lib, flake-parts-lib, ... -}: let - inherit (lib) mkOption mapAttrs; - inherit (flake-parts-lib) mkSubmoduleOptions; -in { +}: +with lib; { _file = ./configurations.nix; options = { 
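Review bot: The file-scope `with lib;` that replaces `inherit (lib) mkOption mapAttrs;` in modules/flake/configurations.nix makes every unqualified name in the file resolve through lib implicitly, which hides where names come from and can silently shadow the module's own bindings (the pattern nixpkgs style guidance steers away from). The explicit form needs only one extra name for the `types.*` calls in the next hunk: `inherit (lib) mkOption mapAttrs types;`. `flake-parts-lib` is still taken from the arguments although its `mkSubmoduleOptions` import was dropped; if nothing below the visible hunks uses it, it can go as well.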
@@ -18,37 +16,36 @@ in { # Probably should hardly ever be overriden builders = { nixos = mkOption { - type = lib.types.functionTo lib.types.unspecified; + type = types.functionTo types.unspecified; default = _name: nixpkgs.lib.nixosSystem; }; darwin = mkOption { - type = lib.types.functionTo lib.types.unspecified; + type = types.functionTo types.unspecified; default = _name: darwin.lib.darwinSystem; }; home = mkOption { - type = lib.types.functionTo lib.types.unspecified; + type = types.functionTo types.unspecified; default = _name: home-manager.lib.homeManagerConfiguration; }; }; configurations = { nixos = mkOption { - type = lib.types.unspecified; + type = types.attrsOf types.deferredModule; default = {}; }; darwin = mkOption { - type = lib.types.unspecified; + type = types.attrsOf types.deferredModule; default = {}; }; home = mkOption { - type = lib.types.unspecified; + type = types.attrsOf types.deferredModule; default = {}; }; }; }; - config. - flake = { + config.flake = { nixosConfigurations = mapAttrs config.builders.nixos diff --git a/modules/nixos/common/hercules.nix b/modules/nixos/common/hercules.nix index 2f2dea7..b372e00 100644 --- a/modules/nixos/common/hercules.nix +++ b/modules/nixos/common/hercules.nix @@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: { 
@@ -8,19 +7,26 @@ options.common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration"; - config = lib.mkIf config.common.hercules.enable { - age.secrets.hercules-token = { - file = ../../secrets/hercules-token.age; - owner = config.systemd.services.hercules-ci-agent.serviceConfig.User; - }; + config = let + herculesUser = config.systemd.services.hercules-ci-agent.serviceConfig.User; + in + lib.mkIf config.common.hercules.enable { + age.secrets.hercules-token = { + file = ../../../secrets/hercules-token.age; + owner = herculesUser; + }; + age.secrets.hercules-cache = { + file = ../../../secrets/hercules-cache.age; + owner = herculesUser; + }; - services.hercules-ci-agent = { - enable = true; - settings = { - clusterJoinTokenPath = config.age.secrets.hercules-token.path; - concurrentTasks = lib.mkDefault 4; - binaryCachesPath = pkgs.writeText "empty-caches.json" "{}"; + services.hercules-ci-agent = { + enable = true; + settings = { + clusterJoinTokenPath = config.age.secrets.hercules-token.path; + concurrentTasks = lib.mkDefault 4; + binaryCachesPath = config.age.secrets.hercules-cache.path; + }; }; }; - }; } diff --git a/modules/nixos/settei/default.nix b/modules/nixos/settei/default.nix index 7d6ee0f..3b18865 100644 --- a/modules/nixos/settei/default.nix +++ b/modules/nixos/settei/default.nix @@ -1,19 +1,6 @@ {perInput}: { - lib, - config, - ... -}: { - _file = ./default.nix; - imports = [ + (import ../../shared/settei {inherit perInput;}) ./sane-defaults.nix - (import ./flake-qol.nix {inherit perInput;}) - ./user.nix ]; - - options.settei = with lib; { - username = mkOption { - type = types.str; - }; - }; } diff --git a/modules/nixos/settei/sane-defaults.nix b/modules/nixos/settei/sane-defaults.nix index 9dca8f8..58904bc 100644 --- a/modules/nixos/settei/sane-defaults.nix +++ b/modules/nixos/settei/sane-defaults.nix 
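Review bot: `binaryCachesPath = config.age.secrets.hercules-cache.path` makes the single secrets/hercules-cache.age the cache credential for every host that sets `common.hercules.enable` — now both kazuki (whose per-host `kazuki-cachix` secret this patch removes) and legion. One credential across agents means a compromise of either host exposes the credential used by the other, and rotation has to happen for all of them at once; the previous per-host layout kept that to one machine. If sharing is intended, say so where the secret is declared, e.g. `# shared by every hercules agent; rotate for all hosts together`; otherwise consider exposing the `.age` file as an option so a host can supply its own.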
@@ -1,39 +1,19 @@ -# This module is supposed to be a reusable set of options you probably would want to set anyway -# -# Other default options which don't necessairly make sense for other people go into hosts/default.nix +# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix { - lib, config, + username, + lib, ... -} @ args: { - _file = ./sane-defaults.nix; - - options.settei.sane-defaults = with lib; { - enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)"; - allSshKeys = mkOption { - type = types.attrsOf types.singleLineStr; - default = {}; - }; - }; - - config = lib.mkIf config.settei.sane-defaults.enable (let - cfg = config.settei; - inherit (cfg) username; - configName = optionName: - args.configurationName - or (throw "pass configurationName to module arguments or set ${optionName} yourself"); - in { - _module.args = { - username = lib.mkDefault username; - }; - +} @ args: let + cfg = config.settei.sane-defaults; +in { + config = lib.mkIf cfg.enable { # https://github.com/NixOS/nixpkgs/issues/254807 boot.swraid.enable = false; hardware.enableRedistributableFirmware = true; services.openssh.enable = true; - services.tailscale.enable = true; programs.mosh.enable = lib.mkDefault true; users = { 
@@ -45,41 +25,21 @@ extraGroups = ["wheel"]; openssh.authorizedKeys.keys = let filteredKeys = let - configName' = configName "users.users.${username}.openssh.authorizedKeys"; + configName' = + args.configurationName + or (throw "pass configurationName to module arguments or set users.users.${username}.openssh.authorizedKeys yourself"); in - lib.filterAttrs (name: _: name != configName') cfg.sane-defaults.allSshKeys; + lib.filterAttrs (name: _: name != configName') cfg.allSshKeys; in lib.mkDefault (lib.attrValues filteredKeys); }; groups.${username} = {}; }; - networking.hostName = lib.mkDefault (configName "networking.hostName"); - - nix = { - settings = { - experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"]; - trusted-users = lib.optionals (!config.security.sudo.wheelNeedsPassword) [username]; - auto-allocate-uids = true; - extra-substituters = [ - "https://hyprland.cachix.org" - "https://cache.garnix.io" - "https://nix-community.cachix.org" - "https://hercules-ci.cachix.org" - ]; - trusted-public-keys = [ - "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" - ]; - }; - }; - # TODO: Actually this should be extraRules which makes wheel users without any password set # be able to use sudo with no password security.sudo.wheelNeedsPassword = false; system.stateVersion = "22.05"; - }); + }; } diff --git a/modules/shared/settei/default.nix b/modules/shared/settei/default.nix new file mode 100644 index 0000000..7d6ee0f --- /dev/null +++ b/modules/shared/settei/default.nix 
@@ -0,0 +1,19 @@ +{perInput}: { + lib, + config, + ... +}: { + _file = ./default.nix; + + imports = [ + ./sane-defaults.nix + (import ./flake-qol.nix {inherit perInput;}) + ./user.nix + ]; + + options.settei = with lib; { + username = mkOption { + type = types.str; + }; + }; +} diff --git a/modules/nixos/settei/flake-qol.nix b/modules/shared/settei/flake-qol.nix similarity index 92% rename from modules/nixos/settei/flake-qol.nix rename to modules/shared/settei/flake-qol.nix index 065dc89..b4b6636 100644 --- a/modules/nixos/settei/flake-qol.nix +++ b/modules/shared/settei/flake-qol.nix @@ -43,7 +43,7 @@ in { nix = { registry = lib.mapAttrs (_: flake: {inherit flake;}) cfg.inputs-flakes; - nixPath = map (name: "${name}=flake:${name}") (lib.attrNames cfg.inputs-flakes); + nixPath = lib.mapAttrsToList (name: _: "${name}=flake:${name}") cfg.inputs-flakes; }; }; } diff --git a/modules/shared/settei/sane-defaults.nix b/modules/shared/settei/sane-defaults.nix new file mode 100644 index 0000000..0140d5b --- /dev/null +++ b/modules/shared/settei/sane-defaults.nix 
@@ -0,0 +1,58 @@ +# This module is supposed to be a reusable set of options you probably would want to set anyway +# +# Other default options which don't necessairly make sense for other people go into hosts/default.nix +{ + config, + pkgs, + lib, + ... +} @ args: { + _file = ./sane-defaults.nix; + + options.settei.sane-defaults = with lib; { + enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)"; + allSshKeys = mkOption { + type = types.attrsOf types.singleLineStr; + default = {}; + }; + }; + + config = lib.mkIf config.settei.sane-defaults.enable (let + cfg = config.settei; + inherit (cfg) username; + adminNeedsPassword = pkgs.stdenv.isLinux -> config.security.sudo.wheelNeedsPassword; + in { + _module.args = { + username = lib.mkDefault username; + }; + + services.tailscale.enable = true; + + networking.hostName = lib.mkDefault ( + args.configurationName + or (throw "pass configurationName to module arguments or set networking.hostName yourself") + ); + + nix = { + settings = { + experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"]; + trusted-users = lib.optionals (!adminNeedsPassword) [username]; + auto-allocate-uids = true; + extra-substituters = [ + "https://hyprland.cachix.org" + "https://cache.garnix.io" + "https://nix-community.cachix.org" + "https://hercules-ci.cachix.org" + "https://nrabulinski.cachix.org" + ]; + trusted-public-keys = [ + "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" + "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic=" + ]; + }; + }; + }); +} 
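Review bot: `trusted-users = lib.optionals (!adminNeedsPassword) [username];` together with `adminNeedsPassword = pkgs.stdenv.isLinux -> config.security.sudo.wheelNeedsPassword;` is the most consequential line in the new modules/shared/settei/sane-defaults.nix and carries no comment. A trusted user can override substituters and import unsigned store paths, so the setting is effectively root; the implication adds the user only on Linux and only when wheel sudo is already passwordless (which the NixOS sane-defaults in this patch set, so it is on for every NixOS host), and never on darwin, where the implication is vacuously true. Suggest a comment above the `let`: `# trusted-users is root-equivalent; only grant it where the user already has passwordless sudo (never on darwin)`.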
diff --git a/modules/nixos/settei/user.nix b/modules/shared/settei/user.nix similarity index 95% rename from modules/nixos/settei/user.nix rename to modules/shared/settei/user.nix index 348c8d6..4ba3c13 100644 --- a/modules/nixos/settei/user.nix +++ b/modules/shared/settei/user.nix @@ -36,7 +36,7 @@ in { home = { inherit username; homeDirectory = config.users.users.${username}.home; - stateVersion = config.system.stateVersion; + stateVersion = "22.05"; }; programs.home-manager.enable = true; diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age index 3cd5201..7fa96b1 100644 --- a/secrets/alert-nrab-lol-pass.age +++ b/secrets/alert-nrab-lol-pass.age @@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw jmpsgact3iy0+A1ggWzK98D1e7R/44F9TgzFSg6BIWA -K6S7UNkJNh859EgPdMTpYol4vaSD0nfjsu6SMk9F5Vo --> ssh-ed25519 GKhvwg YGAiny4ZXIqplrdFqETxB4chp9IqJt5fHb+NK4Bvan0 -0rgp0zJiGX5t4x/FKoLDJWMJW1hPsfVNMd4bPmv6Xdo --> }Z-grease dI \ a^Wyct @c5 -H3cGSMZsNUPMewieU4NK6zr4IlLt+hivE3FnRBrNzll7WGBd942TAFQ8YRa9sIbJ -b9mvv1dqYmoS7MBVAGJvLgaX ---- C9QLdKcJPuN/raiGvmopHeYM2tnURzDMzV8DRAmffR0 -`0D`Vo/T~{({:hxj^Bn'T0[Ug=_DDU!-5B Z:s}PFfh \ No newline at end of file +-> ssh-ed25519 84j9mw bG9/dNwxbn7mVFKLraVw594U+CUVNXmDX56xODpn8m8 +wMuzPr8LdQEdeyF4LCKepSgRU1oWl2znplE/8T+AMVw +-> ssh-ed25519 GKhvwg gZ4nVDAdjyhXyoDsIr+LBnLaF94zJLe9hoDN8jRY2Sw +cdz0BUiD1YwnN7FWJcqzYYU83HzDYWlQgc+qPPMUtcE +-> `#k-grease A3Jo +IPGUbK+Mg0+gFt44tyFi +--- 6g1g/jyT0Yg+lgfmdUpZzUN5ryWGWIKYABUVw6crzfA +oeE^=*JnTj՘oq\nT.Te +Y:y,bź]"޾SFЉp)ڵۜJH.JgErOL \ No newline at end of file diff --git a/secrets/alert-plain-pass.age b/secrets/alert-plain-pass.age new file mode 100644 index 0000000..29341a2 --- /dev/null +++ b/secrets/alert-plain-pass.age 
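Review bot: `stateVersion = "22.05";` in modules/shared/settei/user.nix replaces the value previously derived from `config.system.stateVersion` without saying why; presumably because the module is now shared with nix-darwin, whose `system.stateVersion` is an integer (`4` in the new darwin sane-defaults) rather than a home-manager release string. A short comment keeps the next reader from "fixing" it back: `# Pinned: this module is shared with darwin, where system.stateVersion is an integer`. The module body this `home` block belongs to starts outside the hunk.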
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 ioPMHA GErPiwFO6TluW+/QapeT0BhWH2yVd54UfCsi5s8STm8 +/rOO0+oXHGnJ54PdgPSJ/UWeZm1Ibtptnz+tv6zhTLA +-> ssh-ed25519 GKhvwg MtNidti8d7qz3NERKPdoU0UtNj/SZp2htzXYB3NUMXM +WKdKJtjfsWFgoO09wpw87JdOaGNqDpC9MRs7Fumfn/g +-> 'JP4o}-grease Thf +jq5xoH6w3eDeGBGf1jKPCxEl +--- sI/u3P4XIpQOMPXhtCy4XqRo+FSi5IdUDNxw0S88gWc +@;|U:B{x3!9A2ۀSNg#ً͇r68S 2 \ No newline at end of file diff --git a/secrets/hercules-cache.age b/secrets/hercules-cache.age new file mode 100644 index 0000000..e7f01f6 --- /dev/null +++ b/secrets/hercules-cache.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw UohYhuFXjwI+Ya6a2nIjFt1FSpp/S1fss8+ZffKf91M +q8q6+vScXETWtB8YDO84X6D5KTptP4JhNtW4yH8D2dw +-> ssh-ed25519 ioPMHA 0NAryvpJ42YzfO4/cNE6UvRzqEk4rjM4PTInqiSj/Qk +/V72hnrePBIiO0U6817ij91W2G3lHS/yZjLXu9ngMyw +-> ssh-ed25519 GKhvwg Lqt8W9uLyyEqtdQMriomn/D/s4yy/F7qID1N6FbbSVw +vSC+r50g8xVE+bKNJ7QMtZD9uacainZ+KK7U8Lb4B/A +-> kW{-]#L<-grease 7>z.Yr}9 YOwZ f"i}Y;^= +l3YcF04OxddtsUHtQLBW9qotCY+Wghl7y2HsRtEXnwBjRiyzvCjc/RMQ70/f4WW7 +xIS9WI00LtKj8rAoNmvOsIDkMzKvuutQmmZYBJEk +--- L1zbOMuts43q3o1ziGlV4VBu3DyKYO6jNVZlJt4CUdg +2͔um\:;b7aH 7ML!{uWXZv݊LHV\?*,$d6S3JҤ"D/eRkmI MMڑrMIpS)xk+luuGӮ3M{NٍB[i`o ɡ[Q1rh-ŕ +?f;5~5T"l,ŋ݋? i ([wX +<nxD_st$3%#g_!{!ߜ~8)̘OXۀg0<)GIdf'daC^=EHapnh~Aɶ/H' \ No newline at end of file 
diff --git a/secrets/hercules-token.age b/secrets/hercules-token.age index 06175fb6dda49d5866669465543918974c4b63c5..92ded9f0812b8063cba532aa8468e4d6a133fe20 100644 GIT binary patch delta 696 zcmcc5a)Wh(PJME*d0|n$fmxMjjH3vOK3^5d04JNGMBEMLUD11 zZfc5=si~o*LS}w|uZN>Tseeh4lYd@NR+^`YVX1pwetlJ;Teh=)Vu5*jc4d)euC{Sl zaDl5)u7`^+m%e#@w?(FFZk}^Wl&OA*XNsjupoz14a6m{(g?A)| zb?)97W##D#Nrna?W`!BaffdERS*78wjvl2EX(j>sE@kF^zE!S;<<9k0Vfx|a6)x@; zTve%NQKngrc`hYx1ukXIr6s=FZpP^aX&IrV9^nC@MJdVdX2GE*sp+A`Am3%%MTG07 z7o{c^rz#kvr|P>HB`Q=FhAQ|(Ir^s?TPhSKgp=^mb?3VnukVK)oZ(z`Mc)_nv{h*76utsXq!eESUR~D8>JU%XP3LCS4HM?El5xB zD)`eO;U^_m5@aTwa_8-tGp6l3S3a1o!WZ;d*4Q%B@N(9Nxh4}2Jy&}@rN)Nwy=J5K z%iu%LU!?DOaQo+lx$`%@=Z^%ZG_ zKB-{_VfjX`ZjNb%Vfhu|t|j{E?zxq|72Xz^9_2>m{^7wEh346zT;5rUIUz=7g{Bd1 zRbhU4zJB^9X0HBuC0?mjg~^F&+6HberKSO%Y31JeT)K7&HMJ$W=|!oD#iwrRBOZ8oMy}laxps{wejDT|Bo+3H$K=BQ7jb|3Gd6q3Cmh-*$-aR8N)6JH8GpeV2KXm%)7p?PK z1N^V5U+4>a>m4lNB%3&=O~D+}}q@J>!KFGsh{-8-YKJYAuTulj?y-z)`<4gnfVWt#2-r4 z74-&e*!S^iV8hv&fugntw3#KDTT-XL)H-qNfPL*buOimZEo+W;A6&E9>Fk%d^eqfG z->8T)o4?v@bpGC)M%kI1>ut3bEWf|J(J@O@a_74B64FoqUA*D8=%&Bn51WaTE=MU1Iv=V7PJJtis#cJQA&q;rDdQtaY$udLm!)jZ7JH*fi-s~rx8(VW)~ zp4?Qs#`5k)^=Zq_y{LVrD$fzN{mFEv7iSJH*&!owG$;4d*_J7JUe)HUT;>+OOVl5j zi+{9waC(u#^`k1!{wQ-iO}MEnFM4*7-^Mo$TW5S;>gZjX;A*%irHZHLlGSY<6RR)V zqkdTYeeCB`Qso`g6z}uwfZzht9gi1ZS96`Q?Q^_F`m$r6W*PX~n*J6SkUVfp7yuqr B7X<(S 
diff --git a/secrets/leet-nrab-lol-pass.age b/secrets/leet-nrab-lol-pass.age index 804d4c13039968e8aed47d21583262f2e42cf814..525856066b866b2ae3115acdae9431ff5e17ad1d 100644 GIT binary patch delta 440 zcmaFKe2aO4PJMV)gs)>(VTf@~V1Z+mc5#tqiIZPJy0=@gS(8*YXnm5QX`YvfuS;5$Z)mbXSV*CB zm6L^Oh((qOSAd6mMut&wVTqGzMW%MRVPc+7etA}8VNkleg{x`zh{Yisjqo5 z$T~e`Z<`oB-Snc=#Nt$iLHLsv@&Mk0{S< zZ)bOxO0QhcfZ)8MG@}g9u*%}{tl(hxsMO%H;4q(vVlLyIzjG%9#h>`J=bGHvX~((e z?_)dMmV5C?_70y_QzSS)xjO}Z@9LM!G|zJPP&G_G8#J3iPpZ{?F3+#pM?Hs&uV)=T jr`=t<+2-cy($<3qrB+^iZL@3LoBE{K`^%NyPn7`x5>BB+ delta 455 zcmcb`{E~TsPJM1zUPe@DP*HJ3nPaX?wqur4P+^ssrC(N#w@XP?T9S8azNNpre@;<$ zHkWspzEenGlzWDIo~K2Gt8rG5LAhgwho47~g5HQn^0)WqUcg{(XU^H?tbkhEa^sxntM=fr?a7iZ73P{R`QLeDgRZx?;H z;uNF$(C}g-k7W0tY{Rmg5`(hxiUK1`i<~U;iu_2^RL?+Hu2Rp^tjI*m+>(6nj5IG- zE?r$+1xF)aKW!J^Qp1qE&_BZFrqHKQy_XqbEE?M9EXG`NU y4VI%v7|xt{u+32XdhUVv9%a%zsDo1=ld zPf@O8L}X!bU_pgpnrlRWcd|=*aEXz2L}h5PyR$x*uCA^^vVN9HdXjgEQ-)cvnR|Jp zqgiNxdAXssiLqyzg>kBjPoiUnufJ!yp=CN3r$fhbr+^pJHYqG-`BJ>kGMQW4Mx@sJ zT1~dbGWJZqtyxRYIf|``xRcm9&AG9oRiRuhyU^pb4uevTO-*RBj@ZS!iTmC*-(c#H l;QcAHbZ^ ssh-ed25519 84j9mw 13PBQImkhu4ivVTaeHWkpRfidgOFF7FBLD18amn5+Xs -ZeZhuWZqI8Poa1ROlaYAXkr6QBM4355lWpYaHAtaTP8 --> ssh-ed25519 GKhvwg gSXVzlieRXepW8s4onx4SDd75LVTyr1Rbc2/1LUIGTw -AOmJNzvioM7B+114BMBc5xbxfOAbielwizwtNzK2G7k --> K/_&?-grease 'jg+M|s Cw&g= -yfPl ---- 8idL6hzmOCas0TKD8rvx7qlSGbzLPFxAOdlnSNi5+sY - =lXs$xK2F^#_B q"Z*2`0n|#z S;U@:RGuv>ʺ Z\mN( \ No newline at end of file +-> ssh-ed25519 84j9mw vOJaWCNIGFgf6O0nTt+g1a5y5iKvMlr9nrpF1jTNGmM +MxiliY7O3k0P47mYrmV6ovZu9+03JCCUvOe8Zu7gi34 +-> ssh-ed25519 GKhvwg XSQNhU9xCPQu7iIcshQxncgqp37J8iS1H6FKDaChPTo +uH8yhnQc184zK72pwwNod110/ehMiT/eWbHN894XThU +-> w>U?#&-grease