-rw-r--r-- | flake.lock | 112 | ||||
-rw-r--r-- | flake.nix | 41 | ||||
-rw-r--r-- | secrets/acme.age | bin | 816 -> 708 bytes | |||
-rw-r--r-- | secrets/binarycache.age | bin | 543 -> 435 bytes | |||
-rw-r--r-- | secrets/dex.age | bin | 617 -> 509 bytes | |||
-rw-r--r-- | secrets/dyndns.age | bin | 584 -> 476 bytes | |||
-rw-r--r-- | secrets/golink.age | 15 | ||||
-rw-r--r-- | secrets/identities/se.txt | 4 | ||||
-rw-r--r-- | secrets/paperless.age | bin | 557 -> 449 bytes | |||
-rw-r--r-- | secrets/powerdns.age | bin | 501 -> 393 bytes | |||
-rw-r--r-- | secrets/secrets.nix | 1 | ||||
-rw-r--r-- | secrets/syncthing.age | 16 | ||||
-rw-r--r-- | system/linde.nix | 3 | ||||
-rw-r--r-- | system/settings/configuration/nix.nix | 4 | ||||
-rw-r--r-- | system/settings/user-interface.nix | 2 |
15 files changed, 157 insertions, 41 deletions
diff --git a/flake.lock b/flake.lock index 3d488e93..02a78711 100644 --- a/flake.lock +++ b/flake.lock @@ -66,6 +66,26 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1727447169, + "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, "devshell": { "inputs": { "nixpkgs": [ @@ -103,6 +123,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -126,7 +162,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -144,7 +180,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, @@ -273,7 +309,7 @@ "inputs": { "devshell": "devshell", "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1731876430, 
@@ -326,16 +362,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731755305, - "narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=", + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } @@ -374,6 +410,22 @@ }, "nixpkgs_2": { "locked": { + "lastModified": 1731755305, + "narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { "lastModified": 1732014248, "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", @@ -388,7 +440,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1710765496, "narHash": "sha256-p7ryWEeQfMwTB6E0wIUd5V2cFTgq+DRRBz2hYGnJZyA=", @@ -426,9 +478,9 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "gitignore": "gitignore", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { @@ -449,17 +501,18 @@ "inputs": { "agenix": "agenix", "darwin": "darwin_2", + "deploy-rs": "deploy-rs", "golink": "golink", "home-manager": "home-manager_2", "nh-darwin": "nh-darwin", "nix-index-database": "nix-index-database", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-small": "nixpkgs-small", "personal": "personal", "searchix": "searchix", "secrets": "secrets", - "utils": "utils" + "utils": "utils_2" } }, "searchix": { 
@@ -574,9 +627,42 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { - "systems": "systems_4" + "systems": "systems_2" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_2": { + "inputs": { + "systems": "systems_5" }, "locked": { "lastModified": 1731533236, diff --git a/flake.nix b/flake.nix index d0853ec4..c0137b59 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,7 @@ utils.url = "github:numtide/flake-utils"; agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; + deploy-rs.url = "github:serokell/deploy-rs"; personal = { url = "git+file:packages"; inputs.nixpkgs.follows = "nixpkgs"; @@ -45,6 +46,7 @@ , secrets , agenix , personal + , deploy-rs , searchix , golink , ... 
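Review bot: The added `deploy-rs.url = "github:serokell/deploy-rs";` line in the flake.nix inputs hunk has no nixpkgs override, unlike `agenix` directly above it, so deploy-rs resolves its own nixpkgs. The flake.lock part of this commit shows the result: the `nixpkgs` node is now locked to `nixpkgs-unstable` at rev `e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d` with `lastModified` 1702272962, noticeably older than the other nixpkgs nodes in the lock (1731755305 and 1732014248). The deployment tooling is therefore built from a stale package set, and there is a second nixpkgs pin to track for security updates. Adding `deploy-rs.inputs.nixpkgs.follows = "nixpkgs";` keeps a single reviewed pin; the upstream deploy-rs binary cache will probably no longer hit after that, which deserves a one-line comment next to the input.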
@@ -158,7 +160,44 @@ (secrets + "/default.nix") ]; }; - }; + + checks = builtins.mapAttrs + (system: deployLib: + deployLib.deployChecks self.deploy) + deploy-rs.lib; + + deploy = { + remoteBuild = true; + interactiveSudo = true; + nodes.linde = { + hostname = "linde"; + profiles.system = { + path = deploy-rs.lib.${utils.lib.system.aarch64-linux}.activate.nixos + self.nixosConfigurations.linde; + }; + profiles.alan = { + user = "alan"; + path = deploy-rs.lib.${utils.lib.system.aarch64-linux}.activate.home-manager + self.homeConfigurations."alan@linde"; + }; + }; + }; + } // utils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { inherit system; }; + in + { + devShells = { + default = pkgs.mkShell { + packages = [ + deploy-rs.packages.${system}.default + agenix.packages.${system}.default + ]; + }; + }; + }); + + nixConfig = { extra-substituters = [ "https://toyvo.cachix.org" diff --git a/secrets/acme.age b/secrets/acme.age index 27a71c73..d46debdb 100644 --- a/secrets/acme.age +++ b/secrets/acme.age Binary files differdiff --git a/secrets/binarycache.age b/secrets/binarycache.age index 04a2c3c6..70e5b3a9 100644 --- a/secrets/binarycache.age +++ b/secrets/binarycache.age Binary files differdiff --git a/secrets/dex.age b/secrets/dex.age index d6e9442c..b88721ea 100644 --- a/secrets/dex.age +++ b/secrets/dex.age Binary files differdiff --git a/secrets/dyndns.age b/secrets/dyndns.age index e8497c7c..bee83fca 100644 --- a/secrets/dyndns.age +++ b/secrets/dyndns.age Binary files differdiff --git a/secrets/golink.age b/secrets/golink.age index a1af6525..53855e7a 100644 --- a/secrets/golink.age +++ b/secrets/golink.age 
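Review bot: `profiles.system` under `nodes.linde` sets no `user`, and neither the node nor the top-level `deploy` set defines `sshUser`, so the account that activates the NixOS profile is left implicit. As I read the deploy-rs options, the profile user falls back to `sshUser` and sudo is used only when the two differ. `interactiveSudo = true` therefore has nothing to escalate to here unless the values are supplied on the command line, and the alternative of connecting as root is the weaker setup. Stating it explicitly, with `user = "root";` on `profiles.system` and a non-root `sshUser = "<deploy account>";` on the node, makes the privilege boundary reviewable. The enclosing outputs attribute set starts before this hunk.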
@@ -1,9 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 cvV2sw 6UTWDB2JH4kB3r/zz7R4/NlbG/XIeXsa9FRaP7P3L2w -niFrU0fGTSGYUsAw+zJ/zMtGx9NqATFShJuULDNG3RA --> piv-p256 u9NeZg A+P9esCjzfQJN8O52vHYsapoLP73syi8W1fSXwezY4FX -3yST9wj5Y7pTbQVfXYeJ3qlgPTxJqU7TmNZ16dVmcWU --> piv-p256 VBDKjg A4M+lG9Qc/be6wmqE43KU2eUmYIpmI23WKBCC25Cs6nO -nYJDRiJWCFc3La0ILnBmR5YSdHqpYiDvD/qEmnb4BwA ---- JtVpBWG/IgNELZgC39bXTI9ae48HdvOWbbxe4SnUwZ0 -r,v~>9(Pv<Eѣo hL(Y(/ )S//8 [qwb21lQ \ No newline at end of file +-> ssh-ed25519 cvV2sw sKOQF184MHp+13KvA7JJRnzkvvIeRZhKYHSz+43/YQo +Lv69lCDhhJPMt87ZV4m8jf9p70mJ/thgO60Wxjmhe4U +-> piv-p256 VBDKjg AyF9lzorXDLEr1g3wG/jm3AnqyXc/aewIyfIkEozmT8y +KSAOa4Vat8gyrfSd+RtPkWuhxPQy6GkBruCW+qh7Ghg +--- An2Se6RNs1BNB3AR8ATrMeLkKpUXTZC09XYr94Cx/Qg +gI loNZSs8'#Dh{br~ +c4}Abu.:>9X뒯f"CA"}o䊶0`G \ No newline at end of file diff --git a/secrets/identities/se.txt b/secrets/identities/se.txt deleted file mode 100644 index e1c6b851..00000000 --- a/secrets/identities/se.txt +++ /dev/null @@ -1,4 +0,0 @@ -# created: 2024-04-10T12:44:17Z -# access control: any biometry or passcode -# public key: age1se1qdx3wrvaxevk3g40ngqreqc9n4gl0rwcjdvnptz5vw96jjjuf2rv2wp8c5m -AGE-PLUGIN-SE-1QJPQZ7P3SGQHGVYP75XQYUNTXXQ7UVQTPSPKY6TYQSZ85T758GCYSRQRWP6KYPZPQ3X3WRVAXEVK3G40NGQREQC9N4GL0RWCJDVNPTZ5VW96JJJUF2RV2XR0REV8SUYMVLR9LK9VWDZGRRTNSKQL0ATZYYWS9NAZZACW5QMMXQYQCQMJDDHSYQGQXQRSCQNTWSPQZPPS9CXQYAMTQS599D2V5HHZE0VLL5MW9EW28X23MP9NRSULQL3GAHD0RU0M5EG3F38XWDKEJM6LPWTNQPCVQF3XXQSPPYCQWRQZDDMQYQGZXQTSCQMTD9JQGY8R2D8H498GF5PMR8WYFNAUD7L8XQNSCQMJDDKSGGYSRXZGXMRKCX08VHSJTFQWK28KT7SX2TYS6HLC3CQQUE303RKEEUC85RQZV4JRZAPSWGXQXCTRDSCKKVPFPSPK7CMTXY3RQGQVQD3HQMCVR9ZX2ANFVDJ57AMWV4EYZAT5DPJKUARFVDSHG6T0DCCQJRQYDAJX2MQPQYQNQ2SVQ3HHXEMWXY3RQGQVQD3HQMCVR9ZX2ANFVDJ57AMWV4EYZAT5DPJKUARFVDSHG6T0DCCQWRQZDASSZQGP9T2Q6F \ No newline at end of file diff --git a/secrets/paperless.age b/secrets/paperless.age index 5c1f3992..679b5623 100644 --- a/secrets/paperless.age 
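Review bot: Re-encrypting without the `piv-p256 u9NeZg` stanza (here and in secrets/syncthing.age) only narrows who can read the new ciphertext; earlier revisions of these files stay in the repository history and remain decryptable by that identity. That stanza presumably belongs to the recipient removed from secrets/secrets.nix in this commit. If that recipient was dropped because the device is lost or no longer trusted, the secret values themselves need rotating, not just rekeying. The binary .age files cannot be checked from the diff, so the commit message should state that every secret was rekeyed and whether rotation was required.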
+++ b/secrets/paperless.age Binary files differdiff --git a/secrets/powerdns.age b/secrets/powerdns.age index d4815b6f..c7d62dd3 100644 --- a/secrets/powerdns.age +++ b/secrets/powerdns.age Binary files differdiff --git a/secrets/secrets.nix b/secrets/secrets.nix index b1c7601e..be2acf14 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,7 +1,6 @@ let users = { alan = [ - "age1se1qdx3wrvaxevk3g40ngqreqc9n4gl0rwcjdvnptz5vw96jjjuf2rv2wp8c5m" # mba age-plugin-se "age1se1qwz9tsr7fq6m7rh3fj44fh6vcth53x9lcff9jeangg43v66vznxus3vp5mz" # marvin age-plugin-se ]; }; diff --git a/secrets/syncthing.age b/secrets/syncthing.age index fdfe7b50..8aaceefb 100644 --- a/secrets/syncthing.age +++ b/secrets/syncthing.age @@ -1,11 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 hzg5VQ wv5wtwIkKlae6IDbbQ23DGZz23lstyHJoCipm4nrLGI -hsT5wzeldD0hNAOEvhVJRbzBAUevh5dkFuM8rOuyYEY --> piv-p256 u9NeZg ApESqdHU3d997Q2RSCBE6D7qKXN0iC04i9kOz+LTaw6T -To7FjOkAsqnkOea+PjKjaWwebpJYaF24vpb9+3DzgYo --> piv-p256 VBDKjg AlTfg6Of00vfMiZsr6qIORhX8H4RAm99NdpELXH3i3p4 -xwtTcAx9oXhUbz6IS6naqdff+k456UeDYVwq4MlkKqw ---- Bx89AY9wMHwJMAhfppkqO6HoPhKMPOCVKr5kKH7EcYc -s*4P84@{D}_2r0x_!|L1.ۑٸ*=` ?l#z'-`O_=/ }1bq[TK= -z1)ՕCyS>g*$h#NJ*6qrt~S/Nj«%ԬcMDYK}<ϟnHʶ -bXx/֭~ZXLt_oG#w|H] @TUf= B+^͏LquohqƮP}܁T}%LG's}3[cjA75mJ<r \ No newline at end of file +-> ssh-ed25519 hzg5VQ 9e1BgipAId3LjsLpniXggoryekJEq4FEfLIW1WeO0z0 +ip1jn2t9kSMsBnKZRMCjyQvgsHI3BassRsIBS9TmBsA +-> piv-p256 VBDKjg A0SEwDXCXNRaYtLBczMqSGUzK8JcgyOQFLCA2aPnpZNT +lzDhFPiIwXSx7RxzzhDgO8mP1E0ZFDFSLLyjbvzH7Oc +--- hDr0PEKB6B6IoM3lc9880HSUHuLXkaGgqurADuUK2jI +sH}xo/e3:LSQd\[SS[}'"g! 8x͋bMP+w˜d DzR([U-nMsd #lM VD2iij_,~4NDMl2n?UIc m!?F0%f؝[43F)q$_f{',( B.efIiɦ(a6}HbuC3&<@}8uED=q(l%<}!MEar*F(SEԙ4<X`t8FXbw \ No newline at end of file diff --git a/system/linde.nix b/system/linde.nix index 6e5e54ed..bffa2645 100644 --- a/system/linde.nix +++ b/system/linde.nix 
@@ -13,7 +13,6 @@ let net-gw = "172.31.1.1"; net-ip6 = "2a01:4f8:c012:23a4::1"; net-rdnsip = "2a01:4f8:c012:23a4::53"; - net-acmeip = "2a01:4f8:c012:23a4::715"; net-mask6 = "64"; net-gw6 = "fe80::1"; domain = "alanpearce.eu"; @@ -163,7 +162,6 @@ in ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ]; ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ]; ${net-rdnsip} = [ "dns" ]; - ${net-acmeip} = [ "acme" ]; }; firewall = { enable = true; @@ -221,7 +219,6 @@ in address = [ "${net-ip6}/${net-mask6}" "${net-rdnsip}/${net-mask6}" - "${net-acmeip}/${net-mask6}" ]; addresses = [{ Address = "${net-ip4}/${net-mask4}"; diff --git a/system/settings/configuration/nix.nix b/system/settings/configuration/nix.nix index 105efaae..28da18c0 100644 --- a/system/settings/configuration/nix.nix +++ b/system/settings/configuration/nix.nix @@ -13,11 +13,15 @@ warn-dirty = false; substituters = [ "https://nix-community.cachix.org" + "https://deploy-rs.cachix.org" "https://binarycache.alanpearce.eu" + "https://deploy-rs.cachix.org" ]; trusted-public-keys = [ + "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI=" "binarycache.alanpearce.eu:ZwqO3XMuajPictjwih8OY2+RXnOKpjZEZFHJjGSxAI4=" ]; }; diff --git a/system/settings/user-interface.nix b/system/settings/user-interface.nix index 27f1d9aa..a1d31c3b 100644 --- a/system/settings/user-interface.nix +++ b/system/settings/user-interface.nix @@ -6,7 +6,7 @@ documentation.info.enable = true; environment.systemPackages = with pkgs; [ - epdfview + qpdfview lxappearance lxrandr |
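Review bot: In the system/settings/configuration/nix.nix hunk, `"https://deploy-rs.cachix.org"` is added to `substituters` twice and its key is added to `trusted-public-keys` twice; each should be listed once. More importantly, a `trusted-public-keys` entry in the system configuration makes every host that imports this module accept any store path signed by that third-party key. This commit uses deploy-rs only in the dev shell and sets `remoteBuild = true`, so that trust looks wider than needed. Consider keeping the cache out of the system settings and adding it to the flake's existing `nixConfig.extra-substituters` (with a matching `extra-trusted-public-keys`) instead, or add a comment here explaining why the hosts need it. The enclosing settings attribute set starts outside the hunk.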