-rw-r--r--flake.lock120
-rw-r--r--flake.nix47
-rw-r--r--secrets/redis-website.age7
-rw-r--r--secrets/secrets.nix2
-rw-r--r--system/linde.nix30
-rw-r--r--system/marvin.nix8
-rwxr-xr-xsystem/nanopi.nix44
-rw-r--r--system/settings/configuration/nix.nix4
-rw-r--r--system/settings/user-interface.nix2
-rw-r--r--user/settings/base.nix1
-rw-r--r--user/settings/development/golang.nix11
-rw-r--r--user/settings/emacs.nix7
-rw-r--r--user/settings/fish.nix12
-rw-r--r--user/settings/shell.nix3
14 files changed, 237 insertions, 61 deletions
diff --git a/flake.lock b/flake.lock
index 3d488e93..19b9cd30 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,6 +66,26 @@
         "type": "github"
       }
     },
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1727447169,
+        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
     "devshell": {
       "inputs": {
         "nixpkgs": [
@@ -103,6 +123,22 @@
         "type": "github"
       }
     },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -126,7 +162,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1731533236,
@@ -144,7 +180,7 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems_3"
+        "systems": "systems_4"
       },
       "locked": {
         "lastModified": 1710146030,
@@ -273,7 +309,7 @@
       "inputs": {
         "devshell": "devshell",
         "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
         "lastModified": 1731876430,
@@ -326,16 +362,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731755305,
-        "narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=",
+        "lastModified": 1702272962,
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -374,6 +410,22 @@
     },
     "nixpkgs_2": {
       "locked": {
+        "lastModified": 1731755305,
+        "narHash": "sha256-v5P3dk5JdiT+4x69ZaB18B8+Rcu3TIOrcdG4uEX7WZ8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "057f63b6dc1a2c67301286152eb5af20747a9cb4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
         "lastModified": 1732014248,
         "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
         "owner": "NixOS",
@@ -388,7 +440,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1710765496,
         "narHash": "sha256-p7ryWEeQfMwTB6E0wIUd5V2cFTgq+DRRBz2hYGnJZyA=",
@@ -426,9 +478,9 @@
     },
     "pre-commit-hooks": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "gitignore": "gitignore",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
@@ -449,17 +501,18 @@
       "inputs": {
         "agenix": "agenix",
         "darwin": "darwin_2",
+        "deploy-rs": "deploy-rs",
         "golink": "golink",
         "home-manager": "home-manager_2",
         "nh-darwin": "nh-darwin",
         "nix-index-database": "nix-index-database",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
         "nixpkgs-small": "nixpkgs-small",
         "personal": "personal",
         "searchix": "searchix",
         "secrets": "secrets",
-        "utils": "utils"
+        "utils": "utils_2"
       }
     },
     "searchix": {
@@ -473,11 +526,11 @@
         "simple-css": "simple-css"
       },
       "locked": {
-        "lastModified": 1732097766,
-        "narHash": "sha256-jb936r49JL4ZHeyrs8thL3RAY4EW3F5oxutmbJNqsJs=",
+        "lastModified": 1732730423,
+        "narHash": "sha256-BDFakTnbh+xeBccZu4zSEuKFUar59sOIgpEmvzxh174=",
         "ref": "refs/heads/main",
-        "rev": "1f0be0997233e9a681811f7f633de5997ef4b9fa",
-        "revCount": 284,
+        "rev": "ec4946ee959b2d7d28287e9cd4643a0698833f6b",
+        "revCount": 286,
         "type": "git",
         "url": "https://git.alanpearce.eu/searchix"
       },
@@ -574,9 +627,42 @@
         "type": "github"
       }
     },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "utils": {
       "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "utils_2": {
+      "inputs": {
+        "systems": "systems_5"
       },
       "locked": {
         "lastModified": 1731533236,
diff --git a/flake.nix b/flake.nix
index d0853ec4..bb326751 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,14 +17,12 @@
     utils.url = "github:numtide/flake-utils";
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
+    deploy-rs.url = "github:serokell/deploy-rs";
     personal = {
       url = "git+file:packages";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    searchix = {
-      url = "git+https://git.alanpearce.eu/searchix";
-      inputs.nixpkgs.follows = "nixpkgs-small";
-    };
+    searchix.url = "git+https://git.alanpearce.eu/searchix";
     golink = {
       url = "github:tailscale/golink";
       inputs.nixpkgs.follows = "nixpkgs-small";
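Review bot: `deploy-rs.url` is added without an `inputs.nixpkgs.follows`, and the flake.lock part of this commit shows the result: the `nixpkgs` node that deploy-rs now resolves to is pinned at `lastModified` 1702272962 on `nixpkgs-unstable`, about a year older than the 24.11 pin that previously held that name. As far as this diff shows, the deploy tool in the dev shell and the activation wrappers produced by `deploy-rs.lib` are built from that older tree. Consider `deploy-rs.inputs.nixpkgs.follows = "nixpkgs";`, or, if the separate pin is kept on purpose to get hits from the deploy-rs binary cache, say so in a comment next to the URL. The same hunk drops `follows` from `searchix`, so that input presumably resolves its own nixpkgs now instead of `nixpkgs-small`; a comment on why would help there too.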
@@ -45,6 +43,7 @@
     , secrets
     , agenix
     , personal
+    , deploy-rs
     , searchix
     , golink
     , ...
@@ -101,6 +100,7 @@
         specialArgs = { inherit inputs; };
         modules = [
           agenix.nixosModules.default
+          nixos-hardware.nixosModules.friendlyarm-nanopi-r5s
           ./system/nanopi.nix
         ];
       };
@@ -158,7 +158,44 @@
           (secrets + "/default.nix")
         ];
       };
-    };
+
+      checks = builtins.mapAttrs
+        (system: deployLib:
+          deployLib.deployChecks self.deploy)
+        deploy-rs.lib;
+
+      deploy = {
+        remoteBuild = true;
+        interactiveSudo = true;
+        nodes.linde = {
+          hostname = "linde";
+          profiles.system = {
+            path = deploy-rs.lib.${utils.lib.system.aarch64-linux}.activate.nixos
+              self.nixosConfigurations.linde;
+          };
+          profiles.alan = {
+            user = "alan";
+            path = deploy-rs.lib.${utils.lib.system.aarch64-linux}.activate.home-manager
+              self.homeConfigurations."alan@linde";
+          };
+        };
+      };
+    } // utils.lib.eachDefaultSystem (system:
+    let
+      pkgs = import nixpkgs { inherit system; };
+    in
+    {
+      devShells = {
+        default = pkgs.mkShell {
+          packages = [
+            deploy-rs.packages.${system}.default
+            agenix.packages.${system}.default
+          ];
+        };
+      };
+    });
+
+
   nixConfig = {
     extra-substituters = [
       "https://toyvo.cachix.org"
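Review bot: `profiles.system` under `deploy.nodes.linde` sets no `user`, and no `sshUser` appears at any level of the `deploy` attrset in this hunk. deploy-rs uses `user` to decide which account activates a profile and escalates with sudo only when that differs from the SSH login, so `interactiveSudo = true` has nothing to act on for the system profile as written; if I read deploy-rs correctly it may also reject a profile where neither value is set. Adding `user = "root";` to `profiles.system` makes the privilege boundary explicit. Setting `sshUser` on the node would additionally stop the login account from depending on whoever happens to run the deploy.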
diff --git a/secrets/redis-website.age b/secrets/redis-website.age
new file mode 100644
index 00000000..c28e4d49
--- /dev/null
+++ b/secrets/redis-website.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cvV2sw WjKi0Y30MLKz+gFIJq5Lnie/aODMvzrDX+hiHfaPXUs
+9vRdGtOho2jLMFezA4+6w9v3yySe9nHFcaDqBJi0ZGE
+-> piv-p256 VBDKjg A+wOv0SEzn47kbJhQMWWTcOcRV/aB6UAOX0xdcz3d8Wo
+SlCae0RyX188XcgHlQOa/1jpzqaaYq6w2m+FCaXa4qU
+--- aEDkTWQh00KXlzeyGew4qTnFyjvhmSubgUWnonUAJP0
+L\V7{uCf#1𖽃M/vUn-}CL-vcANSYq
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index be2acf14..3cfcf017 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,6 +13,8 @@ let
   secrets = with machines; {
     acme = [ linde nanopi ];
 
+    redis-website = [ linde ];
+
     binarycache = [ linde ];
     paperless = [ linde ];
     powerdns = [ linde ];
diff --git a/system/linde.nix b/system/linde.nix
index 6e5e54ed..ba88075d 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -13,7 +13,7 @@ let
   net-gw = "172.31.1.1";
   net-ip6 = "2a01:4f8:c012:23a4::1";
   net-rdnsip = "2a01:4f8:c012:23a4::53";
-  net-acmeip = "2a01:4f8:c012:23a4::715";
+  net-redisip = "2a01:4f8:c012:23a4::6379";
   net-mask6 = "64";
   net-gw6 = "fe80::1";
   domain = "alanpearce.eu";
@@ -43,6 +43,7 @@ in
     binarycache.file = ../secrets/binarycache.age;
     dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
+    redis-website.file = ../secrets/redis-website.age;
     golink = let golink = config.services.golink; in {
       # hope this doesn't collide...
       path = "${golink.dataDir}/.config/tsnet-golink/auth.key";
@@ -163,7 +164,7 @@ in
       ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-rdnsip} = [ "dns" ];
-      ${net-acmeip} = [ "acme" ];
+      ${net-redisip} = [ "redis" ];
     };
     firewall = {
       enable = true;
@@ -176,6 +177,7 @@ in
         443
         53
         853
+        6379
         9418
         6922
       ];
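Review bot: Port 6379 is added to a firewall port list whose name and scope start above this hunk; if that list is the host-wide `allowedTCPPorts`, the Redis TLS listener defined later in this file is reachable from any source address. Judging by the server name, this instance serves a single consumer, so a rule limited to that client's address, or reaching Redis over a private network instead of the public list, would reduce the exposure to what is needed. At minimum a comment such as `# redis-website over TLS, see services.redis.servers.website` beside the port would tell the next reader why it is open.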
@@ -221,7 +223,7 @@ in
         address = [
           "${net-ip6}/${net-mask6}"
           "${net-rdnsip}/${net-mask6}"
-          "${net-acmeip}/${net-mask6}"
+          "${net-redisip}/${net-mask6}"
         ];
         addresses = [{
           Address = "${net-ip4}/${net-mask4}";
@@ -630,6 +632,9 @@ in
     certs."stats.alanpearce.eu" = {
       extraDomainNames = [ "*.stats.alanpearce.eu" ];
     };
+    certs."redis.alanpearce.eu" = {
+      group = "redis-website";
+    };
   };
   users.groups.acme.members = [
     "caddy"
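Review bot: The new `certs."redis.alanpearce.eu"` entry has nothing that makes Redis pick up a renewed certificate. Redis reads `tls-cert-file` and `tls-key-file` when it starts, so after an ACME renewal the running server would keep presenting the old certificate until something restarts it. Adding `reloadServices = [ "redis-website.service" ];` next to `group` would cover this; the unit name is my assumption from the server name `website` and should be checked against the running system. The enclosing certificate block starts outside the hunk.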
@@ -962,6 +967,25 @@ in
     Requires = [ "etcd.service" ];
   };
 
+  services.redis = {
+    servers = {
+      website = {
+        enable = true;
+        port = 0;
+        bind = net-redisip;
+        databases = 1;
+        maxclients = 6;
+        requirePassFile = config.age.secrets.redis-website.path;
+        settings = {
+          tls-port = 6379;
+          tls-cert-file = "/var/lib/acme/redis.alanpearce.eu/cert.pem";
+          tls-key-file = "/var/lib/acme/redis.alanpearce.eu/key.pem";
+          tls-ca-cert-file = "/etc/ssl/certs/ca-certificates.crt";
+          tls-auth-clients = false;
+        };
+      };
+    };
+  };
 
   services.syncthing = {
     enable = true;
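Review bot: `tls-auth-clients = false` leaves the password from `requirePassFile` as the only barrier between a network client and the `website` server, which is bound to a routable IPv6 address and has port 6379 opened in the firewall hunk earlier in this file. Two consequences are worth handling: password guessing against Redis is cheap unless something rate-limits it, and `maxclients = 6` counts connections that have not authenticated yet, so a few idle connections from elsewhere can keep the real client out. Requiring client certificates (`tls-auth-clients = true;` with `tls-ca-cert-file` pointing at a CA you control rather than the system bundle) or limiting the source address at the firewall addresses both. If the current setup is intentional, a comment above `tls-auth-clients` explaining why would help.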
diff --git a/system/marvin.nix b/system/marvin.nix
index 1907aa39..0e022fb7 100644
--- a/system/marvin.nix
+++ b/system/marvin.nix
@@ -11,6 +11,14 @@
     group = "wheel";
   };
 
+  services.redis = {
+    enable = true;
+    bind = "127.0.0.1 ::1";
+    extraConfig = ''
+      save ""
+    '';
+  };
+
   programs.fish.enable = true;
   environment.shells = with pkgs; [
     fish
diff --git a/system/nanopi.nix b/system/nanopi.nix
index 3a95ebfc..3a0b55e3 100755
--- a/system/nanopi.nix
+++ b/system/nanopi.nix
@@ -11,9 +11,6 @@ in
 {
   imports = [
     ./nanopi-hardware.nix
-    <agenix/modules/age.nix>
-    <nixos-hardware/friendlyarm/nanopi-r5s>
-    <home-manager/nixos>
   ];
 
   age.secrets = {
@@ -616,7 +613,6 @@ in
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvcW4Z9VxOQgEJjsRC1uSMwEJ4vru9BwjT+Z50nawp4 lan"
     ];
   };
-  home-manager.users.alan = import ../user/nanopi.nix;
 
   users.groups = {
     linde.members = [ ];
@@ -765,34 +761,34 @@ in
 
   services.samba = {
     enable = true;
-    enableNmbd = false;
-    extraConfig = ''
-      log level = 1
+    nmbd.enable = false;
+    settings = {
+      global = {
+        "log level" = 1;
 
-      interfaces = bridge0
+        "interfaces" = "bridge0";
 
-      min protocol = SMB2
-      disable netbios = yes
-      smb ports = 445
+        "min protocol" = "SMB2";
+        "disable netbios" = true;
+        "smb ports" = 445;
 
-      socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
-      max xmit = 131072
-      min receivefile size = 131072
+        "socket options" = "IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536";
+        "max xmit" = 131072;
+        "min receivefile size" = 131072;
 
-      aio read size = 1
-      aio write size = 1
+        "aio read size" = 1;
+        "aio write size" = 1;
 
-      load printers = no
-      disable spoolss = yes
+        "load printers" = false;
+        "disable spoolss" = true;
 
-      mdns name = mdns
+        "mdns name" = "mdns";
 
-      follow symlinks = yes
+        "follow symlinks" = true;
 
-      veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
-      delete veto files = yes
-    '';
-    shares = {
+        "veto files" = "/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/";
+        "delete veto files" = true;
+      };
       public = {
         path = "/srv/public";
         browseable = "yes";
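Review bot: `"interfaces" = "bridge0"` on its own does not stop smbd from listening on other interfaces; Samba restricts its listeners only when `bind interfaces only` is enabled as well. The old `extraConfig` had the same gap, so the conversion is faithful, but since the block is being rewritten this is a good moment to add `"bind interfaces only" = true;` under `global` (adding `lo` to `interfaces` if local tools need to connect); whether a firewall already covers this is not visible here. As a style point, `global` now uses booleans while the share that follows still uses strings such as `browseable = "yes"`; one form throughout would read better. The `settings` block continues past the end of the hunk.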
diff --git a/system/settings/configuration/nix.nix b/system/settings/configuration/nix.nix
index 105efaae..28da18c0 100644
--- a/system/settings/configuration/nix.nix
+++ b/system/settings/configuration/nix.nix
@@ -13,11 +13,15 @@
       warn-dirty = false;
       substituters = [
         "https://nix-community.cachix.org"
+        "https://deploy-rs.cachix.org"
         "https://binarycache.alanpearce.eu"
+        "https://deploy-rs.cachix.org"
       ];
 
       trusted-public-keys = [
+        "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "deploy-rs.cachix.org-1:xfNobmiwF/vzvK1gpfediPwpdIP0rpDV2rYqx40zdSI="
         "binarycache.alanpearce.eu:ZwqO3XMuajPictjwih8OY2+RXnOKpjZEZFHJjGSxAI4="
       ];
     };
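Review bot: `"https://deploy-rs.cachix.org"` is added twice to `substituters` and its key twice to `trusted-public-keys`; one entry of each is enough, and the duplicates look like a merge leftover. Beyond the duplication, a key listed in `trusted-public-keys` is trusted for any store path, not only deploy-rs, so every machine that imports this module will accept whatever that cache signs. If only the machine that runs deployments needs prebuilt deploy-rs, consider scoping the cache to it, or add a comment such as `# third-party cache, only needed for prebuilt deploy-rs`.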
diff --git a/system/settings/user-interface.nix b/system/settings/user-interface.nix
index 27f1d9aa..a1d31c3b 100644
--- a/system/settings/user-interface.nix
+++ b/system/settings/user-interface.nix
@@ -6,7 +6,7 @@
   documentation.info.enable = true;
 
   environment.systemPackages = with pkgs; [
-    epdfview
+    qpdfview
 
     lxappearance
     lxrandr
diff --git a/user/settings/base.nix b/user/settings/base.nix
index 837f5e3f..f29d43aa 100644
--- a/user/settings/base.nix
+++ b/user/settings/base.nix
@@ -13,6 +13,7 @@
     html.enable = true;
   };
   home.preferXdgDirectories = true;
+  nix.settings.use-xdg-base-directories = true;
   home.sessionVariables =
     let
       conf = config.xdg.configHome;
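Review bot: `nix.settings.use-xdg-base-directories = true` changes where Nix looks for the profile, channels and defexpr links but does not move existing ones, so on a machine that already has `~/.nix-profile` the old links are simply no longer consulted. This deserves a comment on the line, for example `# existing ~/.nix-profile, ~/.nix-defexpr and ~/.nix-channels must be moved by hand`, so the manual migration step is not forgotten on the next machine.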
diff --git a/user/settings/development/golang.nix b/user/settings/development/golang.nix
index c0f92209..34a74896 100644
--- a/user/settings/development/golang.nix
+++ b/user/settings/development/golang.nix
@@ -15,6 +15,13 @@
   home.sessionPath = [
     "$HOME/go/bin"
   ];
+  home.shellAliases = {
+    gom = "go mod";
+    gomt = "go mod tidy";
+    gomd = "go mod download";
+    gog = "go get";
+    gogu = "go get -u";
+  };
   home.sessionVariables.GOTOOLCHAIN = "local"; # use installed go tools
   programs.emacs.extraPackages = epkgs: (with epkgs; [
     go-eldoc
@@ -24,8 +31,4 @@
   programs.neovim.plugins = with pkgs.vimPlugins; [
     coc-go
   ];
-  programs.fish.shellAbbrs = {
-    gmt = "go mod tidy";
-    gmd = "go mod download";
-  };
 }
diff --git a/user/settings/emacs.nix b/user/settings/emacs.nix
index cc9deab6..26071562 100644
--- a/user/settings/emacs.nix
+++ b/user/settings/emacs.nix
@@ -197,12 +197,11 @@ in
     };
     extraConfig = ''
       (with-eval-after-load 'editorconfig
-        (defvar editorconfig-exec-path "${pkgs.editorconfig-core-c}/bin/editorconfig"))
+        (setq editorconfig-exec-path "${pkgs.editorconfig-core-c}/bin/editorconfig"))
     '' + lib.optionalString stdenv.isDarwin ''
-      (with-eval-after-load 'files
-        (defvar insert-directory-program "${pkgs.coreutils-prefixed}/bin/gls"))
       (with-eval-after-load 'dired
-        (defvar dired-use-ls-dired t))
+        (setq insert-directory-program "${pkgs.coreutils-prefixed}/bin/gls"
+              dired-use-ls-dired t))
     '';
   };
   home.packages = with pkgs; [
diff --git a/user/settings/fish.nix b/user/settings/fish.nix
index a487418c..cfefa9ff 100644
--- a/user/settings/fish.nix
+++ b/user/settings/fish.nix
@@ -9,10 +9,18 @@
         fromNixpkgs = pkg: { name = pkg.name; src = pkg.src; };
       in
       with pkgs.fishPlugins; [
-        (fromNixpkgs tide)
         (fromNixpkgs fzf-fish)
         (fromNixpkgs autopair)
         {
+          name = "fishplugin-hydro";
+          src = pkgs.fetchFromGitHub {
+            owner = "alanpearce";
+            repo = "hydro";
+            hash = "sha256-QYq4sU41/iKvDUczWLYRGqDQpVASF/+6brJJ8IxypjE=";
+            rev = "7a8c468ba0dc88a5f8a9c0b8635020bfc3619323";
+          };
+        }
+        {
           name = "ghq";
           src = pkgs.fetchFromGitHub {
             owner = "decors";
@@ -31,6 +39,8 @@
       set FZF_CTRL_T_COMMAND
       set --export FZF_DEFAULT_OPTS '--cycle --layout=reverse --border --height=90% --preview-window=wrap --marker="*"'
       fzf_configure_bindings --directory=\cx\cf
+
+      set --universal hydro_multiline true
     '';
     shellAliases = {
       hist-freq-lines = lib.mkForce "history | sort | uniq -c | sort -gr | head -n100 | less";
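Review bot: `set --universal hydro_multiline true` sits in a shell init snippet (the enclosing option starts outside the hunk), so it runs on every shell start, and a universal variable is persisted in the user's fish variables file rather than owned by this configuration. The value therefore survives removal of this line and is rewritten by each new shell. `set --global hydro_multiline true` keeps the setting declarative and has the same effect on the prompt.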
diff --git a/user/settings/shell.nix b/user/settings/shell.nix
index 18cab4ab..c33e808e 100644
--- a/user/settings/shell.nix
+++ b/user/settings/shell.nix
@@ -122,11 +122,11 @@ in
       hox = "home-manager expire-generations '-30 days'";
 
       lw = "lorri watch";
-      lw1 = "lorri watch --once";
       lwo = "lorri watch --once";
 
       nsh = "nix shell";
       nb = "nix build";
+      nd = "nix develop";
       nl = "nix log"; # shadows `coreutils.nl`, but I've never used that yet
       nr = "nix run";
       nf = "nix flake";
@@ -136,7 +136,6 @@ in
       nfu = "nix flake update";
       nfl = "nix flake lock";
       nfsh = "nix shell";
-      ndev = "nix develop";
       nlg = "nix-env --list-generations";
       snlg = "sudo nix-env --list-generations --profile /nix/var/nix/profiles/system";
       ngc = "nix-collect-garbage --delete-older-than 30d";