flake.nix

@@ -61,7 +61,7 @@
           pkgs = import nixpkgs {
             inherit system;
             config.allowUnfree = true;
-            overlays = [ nur.overlays.default agenix.overlays.default ];
+            overlays = [ nur.overlays.default ];
           };
           pkgs-unstable = import nixpkgs-unstable {
             inherit system;
@@ -105,6 +105,12 @@
 
         "tchristensen@beocat" = mkHomeConfiguration { hostname = "beocat"; };
 
+        "millironx@harmony" = mkHomeConfiguration {
+          hostname = "harmony";
+          arch = "aarch64";
+          desktop = true;
+        };
+
         "millironx@odyssey" = mkHomeConfiguration {
           hostname = "odyssey";
           desktop = true;

homes/common.nix

@@ -31,7 +31,6 @@ in {
       };
     };
     packages = with pkgs; [
-      agenix
       btop
       cowsay
       figlet
@@ -87,6 +86,14 @@ in {
     };
     sessionPath = [ "$HOME/.local/bin" ];
     activation = {
+      recordHmGitHash = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+        cd "$HOME/.config/home-manager" || exit 1
+        if [ -z "$(${pkgs.git}/bin/git status --porcelain --untracked-files=no)" ]; then
+          run echo "$(${pkgs.git}/bin/git rev-parse HEAD)" | tee $HOME/.cache/hm-git-hash
+        else
+          run echo '*' | tee $HOME/.cache/hm-git-hash
+        fi
+      '';
       installRunic = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
         run ${pkgs.julia-bin}/bin/julia --project=@runic --startup-file=no -e 'using Pkg; Pkg.add(name="Runic", version="${runic_version}")'
       '';

homes/harmony.nix

@@ -0,0 +1,95 @@
+{ config, lib, pkgs, pkgs-unstable, ... }: {
+  # harmony is an Asahi Fedora box
+  # I don't use NixOS, so there are some programs that don't interact well with
+  # the base system (or won't even install) when installed from Nix.
+  # There is no uniform way to trigger dnf package installs from Nix, so I'm
+  # just going to list my packages here. I hope to create a custom script that
+  # mimics the ideas of a Brewfile someday
+  # TODO: Create a Brewfile equivalent for dnf
+
+  # dnf repos:
+  # https://github.com/terrapkg/packages?tab=readme-ov-file
+  # https://pkgs.tailscale.com/stable/fedora/tailscale.repo
+  # https://packagecloud.io/filips/FirefoxPWA
+
+  # copr repos:
+  # iucar/rstudio
+
+  # dnf packages:
+  # apptainer
+  # chromium
+  # firefoxpwa - The nix version installs an "immutable" runtime, which simply launches extra browser windows on non-NixOS
+  # inkscape
+  # kate
+  # kdiff3
+  # krita
+  # lutris
+  # musescore
+  # nextcloud-client
+  # nextcloud-client-dolphin
+  # obs-studio
+  # podman-compose
+  # podman-docker
+  # qownnotes
+  # qt
+  # rssguard
+  # rstudio-desktop
+  # steam
+  # supertuxkart
+  # tailscale
+  # thunderbird
+  # vlc
+  # vorta - The vorta package is aarch64 compatible, but you cannot see any icons, and it cannot access local ssh keys, so we have to use the dnf package instead
+  # yakuake
+  # zed
+  # zsh
+  # R
+  # https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
+  home = {
+    username = "millironx";
+    homeDirectory = "/home/millironx";
+    # Signal desktop is not available in any other package repository for aarch64 linux
+    # Similarly, Bitwarden is non-functional in all other forms using a 16k page size
+    packages = with pkgs; [
+      trayscale
+      veracrypt
+      pkgs-unstable.signal-desktop
+      pkgs.bitwarden-desktop
+    ];
+  };
+  programs = {
+    git = {
+      signing = {
+        key = "0x37A3041D1C8C4524!";
+        signByDefault = true;
+      };
+    };
+  };
+  services = {
+    gpg-agent = { sshKeys = [ "207D13371E19752A67AA2686C16354D9963821DB" ]; };
+  };
+  xdg = {
+    configFile = {
+      "nextflow.config".text = ''
+        params {
+            config_profile_description = 'harmony Asahi Linux local profile'
+            config_profile_contact     = 'Thomas A. Christensen II <25492070+MillironX@users.noreply.github.com>'
+            config_profile_url         = null
+
+            max_memory = 12.GB
+            max_cpus   = 12
+            max_time   = 7.d
+        }
+
+        apptainer {
+            enabled    = true
+            autoMounts = true
+        }
+
+        process {
+            executor = 'local'
+        }
+      '';
+    };
+  };
+}

inventory.yaml

@@ -3,13 +3,20 @@ ungrouped:
   hosts:
     localhost:
       ansible_connection: local
+    harmony:
+      ansible_connection: local
     odyssey:
       ansible_connection: local
 
+asahi:
+  hosts:
+    harmony:
+
 amd64:
   hosts:
     odyssey:
 
 fedora:
   hosts:
+    harmony:
     odyssey:

playbooks/config.yaml

@@ -11,7 +11,7 @@
         mode: "755"
     - name: Create Firefox DNS policy
       ansible.builtin.template:
-        src: "policies.json"
+        src: "{{ playbook_dir }}/../templates/policies.json"
         dest: /etc/firefox/policies/policies.json
         mode: "644"
 

playbooks/nix.yaml

@@ -45,8 +45,7 @@
       register: home_manager_exists
     - name: Init home-manager
       ansible.builtin.shell: |
-        /nix/var/nix/profiles/default/bin/nix run home-manager -- switch \
-        --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }}
+        /nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }}
       when: not home_manager_exists.stat.exists
       register: home_manager_init
       changed_when: home_manager_init.rc == 0

playbooks/packages.yaml

@@ -1,9 +1,55 @@
 ---
-- name: Configure dnf packages
+# These are repos and packages that are useless or unavailable on Asahi Linux,
+# or have completely separate install procedures.
+- name: Configure amd64-specific dnf packages
+  hosts: amd64
+  become: true
+  tasks:
+    - name: Install x86-specific dnf packages
+      ansible.builtin.dnf:
+        name:
+          - libdvdcss
+          - mkvtoolnix
+          - mpv
+          - protontricks
+          - x264
+          - x264-libs
+        state: present
+    - name: Install VeraCrypt
+      ansible.builtin.dnf:
+        name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
+        state: present
+        disable_gpg_check: true
+
+- name: Configure amd64-specific Flatpaks
+  hosts: amd64
+  become: false
+  tasks:
+    - name: Install x86-specific Flatpaks
+      community.general.flatpak:
+        name:
+          - com.bitwarden.desktop
+          - com.slack.Slack
+          - dev.deedles.Trayscale
+          - org.signal.Signal
+        state: latest
+        method: user
+        remote: flathub
+
+- name: Configure Asahi Linux-specific dnf packages
+  hosts: asahi
+  become: true
+  tasks:
+    - name: Install aarch64-specific dnf packages
+      ansible.builtin.dnf:
+        name:
+          - veracrypt
+
+- name: Configure common (all arch) dnf packages
   hosts: fedora
   become: true
   tasks:
-    - name: Install dnf packages
+    - name: Install common (all arch) dnf packages
       ansible.builtin.dnf:
         name:
           - chromium
@@ -18,19 +64,15 @@
           - kdenlive
           - kdiff3
           - krita
-          - libdvdcss
           - libjpeg-devel
           - libpng-devel
           - libtiff-devel
           - libwebp-devel
-          - mkvtoolnix
-          - mpv
           - musescore
           - nextcloud-client
           - nextcloud-client-dolphin
           - obs-studio
           - onedrive
-          - protontricks
           - qownnotes
           - qt
           - rssguard
@@ -40,8 +82,6 @@
           - thunderbird
           - vlc
           - vorta
-          - x264
-          - x264-libs
           - yakuake
           - zed
           - zsh
@@ -52,11 +92,6 @@
         name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
         state: present
         disable_gpg_check: true
-    - name: Install VeraCrypt
-      ansible.builtin.dnf:
-        name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
-        state: present
-        disable_gpg_check: true
     - name: Install rig (R installation manager)
       ansible.builtin.dnf:
         name: https://github.com/r-lib/rig/releases/download/latest/r-rig-latest-1.{{ ansible_architecture }}.rpm
@@ -74,23 +109,19 @@
         name: "*"
         state: latest # noqa: package-latest
 
-- name: Configure Flatpaks
+- name: Configure common (all arch) Flatpaks
   hosts: fedora
   become: false
   tasks:
-    - name: Install Flatpaks
+    - name: Install common (all arch) Flatpaks
       community.general.flatpak:
         name:
-          - com.bitwarden.desktop
           - com.github.tchx84.Flatseal
           - com.logseq.Logseq
-          - com.slack.Slack
-          - dev.deedles.Trayscale
           - io.freetubeapp.FreeTube
           - io.github.alainm23.planify
           - io.github.dweymouth.supersonic
           - io.openrct2.OpenRCT2
-          - org.signal.Signal
           - org.zulip.Zulip
           - net.ankiweb.Anki
         state: latest

playbooks/repos.yaml

@@ -1,6 +1,6 @@
 ---
-- name: Configure dnf package repositories
-  hosts: fedora
+- name: Configure amd64-specific package repositories
+  hosts: amd64
   become: true
   tasks:
     - name: Install RPM Fusion free repository
@@ -20,6 +20,31 @@
     - name: Install Zotero COPR repository
       community.general.copr:
         name: "mozes/zotero7"
+
+# Asahi Linux comes with its own strange version of RPMFusion installed, so
+# RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and
+# Zotero *are* available via COPR, but from different repos than their amd64
+# counterparts.
+# Also, Asahi has its own version string, so we have to manually specify the
+# chroot for COPR repos added via Ansible. This is handled automatically when
+# using `dnf copr enable ...`, but not via Ansible.
+- name: Configure Asahi Linux-specific package repositories
+  hosts: asahi
+  become: true
+  tasks:
+    - name: Install Zotero COPR repository
+      community.general.copr:
+        name: "isaksamsten/Zotero"
+        chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
+    - name: Install VeraCrypt COPR repository
+      community.general.copr:
+        name: "architektapx/veracrypt"
+        chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
+
+- name: Configure common (all arch) package repositories
+  hosts: fedora
+  become: true
+  tasks:
     - name: Install Tailscale repo
       ansible.builtin.yum_repository:
         name: tailscale-stable
@@ -85,7 +110,7 @@
       register: terra_priority
       changed_when: terra_priority.rc != 0
 
-- name: Configure Flatpack remotes
+- name: Configure Flathub remote
   hosts: fedora
   become: false
   tasks:

secrets.nix

@@ -6,30 +6,28 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
   bosephus-millironx =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
+  odyssey-millironx =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";
   corianne-host =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKKkucebeb1GcerOZAAs5GQsgTS8kXw5W41b9Fy9+hp root@corianne.local";
   corianne-millironx =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgL2lO9RJBdQYANoxGyWXcNKi5/NZkRHHo/rNqaYMc/ millironx@corianne";
-  mcentire-host =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINT51tQgsKzTIQc9WSQj01h/gPRvAD3k9jRhXppY7xmd root@nixos";
-  odyssey-millironx =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";
+  harmony-millironx =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBYxsCkw+ObDzIvU8z/rSlYcQx0JIt1bCVxKcDxeNNZ millironx@harmony";
+
   system-administrators = [
     anderson-millironx
     bosephus-millironx
     odyssey-millironx
     corianne-millironx
+    harmony-millironx
   ];
 
 in {
-  "secrets/ansible-vault-password.age".publicKeys = system-administrators;
-  "secrets/borgmatic-passphrase.age".publicKeys = system-administrators
-    ++ [ mcentire-host ];
-  "secrets/borgmatic-ssh-config.age".publicKeys = system-administrators
-    ++ [ mcentire-host ];
-  "secrets/darwin-policies-json.age".publicKeys = system-administrators
-    ++ [ corianne-host ];
   "secrets/network-information.age".publicKeys = system-administrators
     ++ [ bosephus-host ];
   "secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];
+  "secrets/ansible-vault-password.age".publicKeys = system-administrators;
+  "secrets/darwin-policies-json.age".publicKeys = system-administrators
+    ++ [ corianne-host ];
 }

secrets/ansible-vault-password.age

@@ -1,11 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 il3lzQ WthM+rK9ntTt0GkP6Z7kuFeOCMkYdY5OkoxtIY8xnk8
-howoRiqpwVW+K4ybhHngRfqobGOqSlye6da6+QJg2xU
--> ssh-ed25519 1g/xww 7iNs/T1MXDvZTtbz3s9Dx8CERfL4TBpn4fwhSv8j+yQ
-cHXWpo3FEmkD2867IhdCpG4Pkq+LRkvi54OvTeSQA8s
--> ssh-ed25519 +kBihw HXgixNdqoB102vJDQ74UhC2wUIpYNv21ZvfFRgPmyX4
-09wYp8mUSl0ixLbtbK3E+u/7KVx8bYXTAwbzWN9TX/k
--> ssh-ed25519 dbKeHw PhePJgvp9fRMEJdtYwq3MV+CfNbEs1xJrQefJPQtl3Y
-muMZYzYC8aHJBq96Z12pvxA32Cs4KFcG/0YHVT6tX8o
---- lunvYfBDg4+g00hMQJc6ZHQiBQ9k/qubJBYQ+p6aXhc
-çÏš:V¬nÎß›ÎTFW=–òrÌÇTvMö_=!³ÕŸ’Ǧ’~N³<0E>0
I»P©em·®Ì®¡.ê’3Ã÷/T[
+-> ssh-ed25519 il3lzQ 8BY+QUEGqILKLs6ROw7llEOhx0GgrfFeKDcEgHePUFw
+SPiG48tkp5ewFc6/uNj+541B6YJODGmDFEbET2BfoZ0
+-> ssh-ed25519 1g/xww HyUG/jNJgHCceV/9vaaoSHc681x6Gg/uY+RIfQxIBxU
+6XVufQ4A9r8HPU9QLZ/idx3NjDf+UeKVMhtk9+Awy4E
+-> ssh-ed25519 +kBihw XjhEk6TF6M5OalqVQNpAemlmgMIJnfuH6M600DnJql0
+3zQPJZcsfnbUqRf5XWTJNbyqMb/rsSBIkS7YlYsyMcs
+-> ssh-ed25519 dbKeHw nIG5Z+XdJ3dyMxFOxyFMHw5sUkRJ2dsooJbIScNwlxM
+brJoiOSQcwgs3vNSk8eK6dzH3zfQGFNdEWj3jjMM5e0
+-> ssh-ed25519 Svnssw +VFbKj457mYT3GXQSacQ13J8MSkYe6A26ssNbqh8LAQ
+rJzIG170BcRlsLERhnfaqgRFeAL4Yw7zvtb1gGvUkCU
+--- ebIxmIBuNqNgfVWvOJc/0OpFBf3Q7pmApGgHYjrtJI8
+¹ì¤AòeO:(7_ãŽx¦‹¹0œ‘×·“°	Âj¹ f°V Û/D.8â¿€µÌ1ß <EFBFBD>©¯[Ñq°¾f!7ht0Y

secrets/borgmatic-passphrase.age

@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 il3lzQ NZt+Qn166/k1xA8H+0i40Nf0QUcNoo/mPB4xEsbc52g
-WDnvHlN0EAM3kcH4P0w9Fl6LaPYFLK9uhbL2C/asXkQ
--> ssh-ed25519 1g/xww 607VONmCuvQWVfbXOwtW36OrLDSmC1b3FJfcXG8coVk
-aKmWBrjrk3cUfGJuEwmuzgiMfeqaDM4sFA9lSEyXb2A
--> ssh-ed25519 +kBihw mUCQloe1iMe4TupQmQRV/SsvDl7GYAy9qNgd/9QuRVs
-pl5NvOjZpOmslTm34qhyIY8ihbGfvi5TUMNIN+KftQA
--> ssh-ed25519 dbKeHw mDRPmYMHU/U39xGm+cPt/DDX1VFwJR9q7Ej393eygjc
-sneArlOp/HU1N9aXQjGunmcL2lSJ+uUfnLUKJrfuwWY
--> ssh-ed25519 +C0WRg +swZ49g3n/MdCXcaVVN+oJppbhVOeYyVhJBA/0O+zFI
-PleOEzaPcOWCQKSULfZ1V8MIcuzS7W0J6KoqSQWuM44
---- RtNvvt/RSfurXkC29xKp02PWD5+8Ikrdh3JJHzcUECM
-r»
-Ç”<EFBFBD>j‹	µ&õúý‘(ÝÑöF-WlEÏ®Å3~K@BóO,Úh…J®-ÌéŽ^‡,#»ÝèÁy¶ü<C2B6>ù¡Ú¦B²½Ân#ñ×ÞqÖ´r3æ9PjsgîdiÆ…õвìÏ?‰¦Šo>ˆ<^Ó+E4ˆ
<ÿü)K7;š/«œÀèx‡èùߎ–Ø”…ý‘”Œ
-bï…hØ

secrets/borgmatic-ssh-config.age

@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 il3lzQ +g4/yAloij23EO70Lwv3NHdzUlI3yM17V+GZVet+DB4
-KoJqTEeF5ol4q+ZwcO+bWsP+hKszCMAUrok0yU+L6WU
--> ssh-ed25519 1g/xww aGc6VKpwoGQyjsPxc4hFPqc5sTzpOx/p7AJL2otF3QE
-u5gZXqSUKLMxKsekgixy5h57GZVmIXChnxOTq5iFv9o
--> ssh-ed25519 +kBihw FESLL/bEja1rrQm4V2VIFM9pEuP8ydNSiHgatiEqWDk
-Y5D1RoMCKuX3HxUpebwNUgJFQJnJR0GILNeg2DOPaDs
--> ssh-ed25519 dbKeHw EiccNUjhFewzAI+OWDrZnGNZbY1uoP99EJhvDn3AKyw
-QQohrq0jZJIwXGkycvn7Q4JFJmkhUwxXZEB5HN217Tg
--> ssh-ed25519 +C0WRg rbfEQSHbKDIvm6p2o9CiJIMNRFWlKaQE7TALCdgauzs
-6NWlDEKfWnYHFwleqOF6fSOzjxNkjdBFeFRl1Cj1L9A
---- E6T4y6crIEiWxE3G9OOQDrRky4919i7FM0zDnPiqUH4
-d¿…ÆbtÃ=p(Wwxé9rðÁ }&l
-èg`úÁe‘p~§Úkø©¦ô¸æP$vU‘—ûýH¯"…-ò±“Æôï,æ4&šNhü<15>›#%‰8]æŸ
@(ÏI¯
ÔBJìY Ž€¢˜4õ×ežÛQ¤<51>½ÎÒsÅ"‚wN’úð²r-¸CŸ½ˆmq¬xîÙ­Åà<C385>±…
-‚<>!q

secrets/network-information.age

@@ -1,15 +1,15 @@
 age-encryption.org/v1
--> ssh-ed25519 il3lzQ DhOVslXJ/kZmHvfCLw3rPiRrR1NxTC6zV6Di9WOUY1o
-i+OTfk7LWc3rT+T8yFGlPabsgVkddPAr3D6oc5hpe/Y
--> ssh-ed25519 1g/xww xiWVbXWJXtgPLnPWC5bRCvdgceKuY/7wrAbWGlBmZWA
-C7rwIOD0xGzTpGRgAycHlspsGaLLwFG6j+6/vPkVtkI
--> ssh-ed25519 +kBihw E2rOacH/0J3YWuplB01z51r/MW3jF36l1C+QeqY6zls
-162dh2KpWV71727zPZ2fpS7btQsQ/IL43kuViypZwWc
--> ssh-ed25519 dbKeHw k4ZekrotAzMlC6+RifphXj108iEra0AH4DrCxOSI/gg
-+9eibvHzF88lm9Qi/FCfW87D9BW25+zkzQbnhe/F3Rw
--> ssh-ed25519 jb0ALQ Z8WYL7/D990/IWBHGKZInn3Rffol0jnraGQyQbqCdWE
-LQa3mmMrA6Qx8wChzlWmB3M2OAtjVep5ryOZH3oZOMA
---- avI87pf1OwXk3BW8w9jW95NK4U/vfUg0pJoqjQ6eCS4
-7
5l7gϹ<C38F>ï<EFBFBD>Nú©ÔU%³Ø*—à-°Œ’^Ð$z1<7A>,”<>4G²Ô°@:~›,SeõŠ@7põÀ
-=‚
Ï>H¿0ÄÍã­…öm
7þm²‚UW
-W-äy¹
<01>îµûè
EÀŸÃŽ8¸+¢<>gM/û-z펈5%lå0l صÓÓΙ |ÃJEz•å‰ yÊ=øaþÎø1ÏjpÇØIÚQæf®Ü<C2AE>Î3
+-> ssh-ed25519 il3lzQ X/F7G7EJbo6QTCGBSp2irApe2qkFUmj2OytrpOVVQ2w
+yjitkwkxhNJLxSK4zF25o2lhZO6drBkjwHYykcPnoIw
+-> ssh-ed25519 1g/xww HriK0yZF3EEh2mB8RpVWBGzuPiK1DB80BeXZAt5Runo
+8ke05EDxykN/tu5wEzL3RvRnleBeWKpblm/iXb0pJ8U
+-> ssh-ed25519 +kBihw bG3XH77yhvMR+HsJMwi1WsXo4aSm5ez80gRlgkTosSo
+/WhUI2gKt94naWkeDrXvxnc2fsJvqmcARJnnhrU9sjw
+-> ssh-ed25519 dbKeHw Bugbp/ovWaODwR6msKnGB3D/dT/ZMmFyr6Za0VAJqBQ
++FfFa1w5/Ok8rIhp+NOBxfqoGFFlGwt8hPhxzibAVf8
+-> ssh-ed25519 Svnssw xpuVCV4OJi8G8R5vuSMio9hoRWmufOsCaEyhLMKarh0
+/82i3ZFwQtMonTj4wfa9KPig9qUIJomVYk3QlpB4rJk
+-> ssh-ed25519 jb0ALQ cbnyjqANs0f/CsiD/peCuJuMJfuaNKIIzbd/87OEV2Y
+iQmJxEOQuharrlkiaOdQXnTSUcsq+b7BzSo+G35QJIw
+--- eDJuMw4WC33Ihy5OBr2gkeewAFBpCa3gO3CYehr5bOo
+VR@ÓX[6g›ÞÈ£îlœèÊ‘mê.ºüÍP4ÇMããiè‘YtìÚ
ƒÌ¾~
þèîx\ƒ<>YÒã’ŠUM¡GdÜ<64>{ƒ¤Í'mÛBîÔ,@Ùø[eÖà“ü‹]{çN¥bN]¸
Òa·!›*ͬçýÕÁ¬`–ïüñYQn9åÐó¹ÂÑã5	'…–ºq5­Þ]„—Â<E28094>úé›-—6:F<>YL¶¾©$}êï

secrets_harmony.enc

@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+38383539613238613864336630316433666436623334313334393762396536663530336264306661
+3338616565316138616666343862366638643134343931320a633366363539326461346636373738
+66393138653463663536313065623332383166386332303564323939336630333163623637386434
+6538393966633731660a616437356233643234363562366433663437383439326161353330356331
+63346432663036353332303266343361346266396437396131376531303265356233

services/borgmatic.nix

@@ -1,37 +0,0 @@
-{ pkgs, config, ... }: {
-
-  # We don't want to expose the location where borg backups are going, so we
-  # will setup an encrypted ssh config that references the host/username
-  # combo as simply 'borgserver'
-  age.secrets = {
-    borgmatic-ssh-config = { file = ./../secrets/borgmatic-ssh-config.age; };
-    borgmatic-passphrase = { file = ./../secrets/borgmatic-passphrase.age; };
-  };
-
-  services.borgmatic = {
-    enable = true;
-
-    # This is the bare-bones way to get Borgmatic up and running. Other services
-    # are expected to declare their stateful directories by adding to
-    # `services.borgmatic.configurations."${config.networking.hostName}".source_directories`
-    # and to add their databases to
-    # `services.borgmatic.configurations."${config.networking.hostName}".[mariadb|postgresql|etc]_databases`
-
-    configurations."${config.networking.hostName}" = {
-      source_directories = [ "/home" "/root" ];
-      repositories = [{
-        label = "${config.networking.hostName}-default";
-        path = "ssh://borgserver/./repo";
-      }];
-      ssh_command =
-        "${pkgs.openssh}/bin/ssh -F ${config.age.secrets.borgmatic-ssh-config.path}";
-      encryption_passcommand =
-        "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmatic-passphrase.path}";
-      retention = {
-        keep_daily = 7;
-        keep_weekly = 4;
-        keep_monthly = 6;
-      };
-    };
-  };
-}

systems/linux/mcentire.nix

@@ -4,7 +4,6 @@
   imports = [ # Include the results of the hardware scan.
     ./hardware-configuration/mcentire.nix
     ./../../services/nixos-update.nix
-    ./../../services/borgmatic.nix
     ./../../services/crowdsec.nix
   ];