chore: update flake and make necessary changes, disable immich for now

2025-10-10 23:00:39 +02:00 · 2025-09-05 20:48:22 +02:00 · 2025-09-05 20:48:22 +02:00 · 3c322bbdbf
commit 3c322bbdbf
parent 20477ecdc5
13 changed files with 228 additions and 156 deletions
--- a/config/optional/laptop.nix
+++ b/config/optional/laptop.nix
@ -1,21 +1,17 @@
 {
  systemd.network.wait-online.anyInterface = true;

-  services = {
-    # tlp.enable = true;
-    physlock.enable = true;
-    logind = {
-      lidSwitch = "ignore";
-      lidSwitchDocked = "ignore";
-      lidSwitchExternalPower = "ignore";
-      extraConfig = ''
-        HandlePowerKey=suspend
-        HandleSuspendKey=suspend
-        HandleHibernateKey=suspend
-        PowerKeyIgnoreInhibited=yes
-        SuspendKeyIgnoreInhibited=yes
-        HibernateKeyIgnoreInhibited=yes
-      '';
-    };
+  # services.tlp.enable = true;
+  services.physlock.enable = true;
+  services.logind.settings.Login = {
+    LidSwitch = "ignore";
+    LidSwitchDocked = "ignore";
+    LidSwitchExternalPower = "ignore";
+    HandlePowerKey = "suspend";
+    HandleSuspendKey = "suspend";
+    HandleHibernateKey = "suspend";
+    PowerKeyIgnoreInhibited = "yes";
+    SuspendKeyIgnoreInhibited = "yes";
+    HibernateKeyIgnoreInhibited = "yes";
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -12,11 +12,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1750173260,
-        "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
+        "lastModified": 1754433428,
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
        "type": "github"
      },
      "original": {
@ -36,12 +36,12 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1752094135,
-        "narHash": "sha256-kd5/x5SshFVFHWUf/7rRqXQ06aUaD6VJdUYRCDUHHo0=",
-        "owner": "oddlama",
-        "repo": "agenix-rekey",
-        "rev": "395cdb1631e9715e37d0e859a2b1da63f0ae333b",
-        "type": "github"
+        "dirtyRev": "647162ded97dd656efa95951a76bf694559618a0-dirty",
+        "dirtyShortRev": "647162d-dirty",
+        "lastModified": 1757081179,
+        "narHash": "sha256-ITukwc/nWVjn8bEZ/iBMAhbuwHFnm+zfP+C6UyFiFrA=",
+        "type": "git",
+        "url": "file:///home/malte/projects/agenix-rekey"
      },
      "original": {
        "owner": "oddlama",
@ -85,11 +85,11 @@
    },
    "crane_3": {
      "locked": {
-        "lastModified": 1753316655,
-        "narHash": "sha256-tzWa2kmTEN69OEMhxFy+J2oWSvZP5QhEgXp3TROOzl0=",
+        "lastModified": 1754269165,
+        "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "f35a3372d070c9e9ccb63ba7ce347f0634ddf3d2",
+        "rev": "444e81206df3f7d92780680e45858e31d2f07a08",
        "type": "github"
      },
      "original": {
@ -273,11 +273,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753140376,
-        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
+        "lastModified": 1756733629,
+        "narHash": "sha256-dwWGlDhcO5SMIvMSTB4mjQ5Pvo2vtxvpIknhVnSz2I8=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
+        "rev": "a5c4f2ab72e3d1ab43e3e65aa421c6f2bd2e12a1",
        "type": "github"
      },
      "original": {
@ -490,11 +490,11 @@
    "flake-compat_9": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
        "type": "github"
      },
      "original": {
@ -547,11 +547,11 @@
        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
-        "lastModified": 1753121425,
-        "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
+        "lastModified": 1756770412,
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
        "type": "github"
      },
      "original": {
@ -586,11 +586,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753121425,
-        "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
+        "lastModified": 1754091436,
+        "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
+        "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",
        "type": "github"
      },
      "original": {
@ -607,11 +607,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753121425,
-        "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
        "type": "github"
      },
      "original": {
@ -852,15 +852,15 @@
        ]
      },
      "locked": {
-        "lastModified": 1749289734,
-        "narHash": "sha256-noC2IBKVH4NHJ3m59rqtdWNYUQY9Q98SC7K5RDw+3aw=",
-        "owner": "oddlama",
+        "lastModified": 1757075491,
+        "narHash": "sha256-a+NMGl5tcvm+hyfSG2DlVPa8nZLpsumuRj1FfcKb2mQ=",
+        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "a7a0101db4bdef8da592ba5804e7c7444baa0493",
+        "rev": "f56bf065f9abedc7bc15e1f2454aa5c8edabaacf",
        "type": "github"
      },
      "original": {
-        "owner": "oddlama",
+        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
@ -919,16 +919,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1748294338,
-        "narHash": "sha256-FVO01jdmUNArzBS7NmaktLdGA5qA3lUMJ4B7a05Iynw=",
+        "lastModified": 1754860581,
+        "narHash": "sha256-EM0IE63OHxXCOpDHXaTyHIOk2cNvMCGPqLt/IdtVxgk=",
        "owner": "NuschtOS",
        "repo": "ixx",
-        "rev": "cc5f390f7caf265461d4aab37e98d2292ebbdb85",
+        "rev": "babfe85a876162c4acc9ab6fb4483df88fa1f281",
        "type": "github"
      },
      "original": {
        "owner": "NuschtOS",
-        "ref": "v0.0.8",
+        "ref": "v0.1.1",
        "repo": "ixx",
        "type": "github"
      }
@ -945,11 +945,11 @@
        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
-        "lastModified": 1753693791,
-        "narHash": "sha256-pZQyCkqIFwGA77np+vqVQZgg2P0qPAI6x6kC3w6+PjE=",
+        "lastModified": 1756744479,
+        "narHash": "sha256-EyZXusK/wRD3V9vDh00W2Re3Eg8UQ+LjVBQrrH9dq1U=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "785a5701b22259b85735301b1aad19c2bee15498",
+        "rev": "747b7912f49e2885090c83364d88cf853a020ac1",
        "type": "github"
      },
      "original": {
@ -980,11 +980,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1753388547,
-        "narHash": "sha256-zbjlS9sa2BbtE80YA9C9DMXwCADba3NjUROw/7Rpt7Y=",
+        "lastModified": 1756913421,
+        "narHash": "sha256-bApi+D4wQJe4tG03VySlb4lJOBWqpl8DK8niSfKT87U=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "9694139d7c761e857ac9d025f9110a92cd8f7686",
+        "rev": "2ba6697616834ff8c58ebc6180e4833c6d781b82",
        "type": "github"
      },
      "original": {
@ -1086,11 +1086,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753589988,
-        "narHash": "sha256-y1JlcMB2dKFkrr6g+Ucmj8L//IY09BtSKTH/A7OU7mU=",
+        "lastModified": 1756612744,
+        "narHash": "sha256-/glV6VAq8Va3ghIbmhET3S1dzkbZqicsk5h+FtvwiPE=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "f0736b09c43028fd726fb70c3eb3d1f0795454cf",
+        "rev": "3fe768e1f058961095b4a0d7a2ba15dc9736bdc6",
        "type": "github"
      },
      "original": {
@ -1184,11 +1184,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1753122741,
-        "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=",
+        "lastModified": 1756925795,
+        "narHash": "sha256-kUb5hehaikfUvoJDEc7ngiieX88TwWX/bBRX9Ar6Tac=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22",
+        "rev": "ba6fab29768007e9f2657014a6e134637100c57d",
        "type": "github"
      },
      "original": {
@ -1220,11 +1220,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1753939845,
-        "narHash": "sha256-K2ViRJfdVGE8tpJejs8Qpvvejks1+A4GQej/lBk5y7I=",
+        "lastModified": 1756787288,
+        "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "94def634a20494ee057c76998843c015909d6311",
+        "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
        "type": "github"
      },
      "original": {
@ -1248,11 +1248,11 @@
    },
    "nixpkgs-lib_2": {
      "locked": {
-        "lastModified": 1751159883,
-        "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=",
+        "lastModified": 1754788789,
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
        "type": "github"
      },
      "original": {
@ -1299,11 +1299,11 @@
        "systems": "systems_6"
      },
      "locked": {
-        "lastModified": 1753977315,
-        "narHash": "sha256-AM3CZh+Emk/cr5Gf6RUf2xzkWdRB+yewP1YWoRxUbYQ=",
+        "lastModified": 1756946299,
+        "narHash": "sha256-N4PjGA0rittpNZGscKPel+mr/dMcKF73j0yr4rbG3T0=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "a16c89c175277309fd3dd065fb5bc4eab450ae07",
+        "rev": "63496f00c681b3e200bd17878a43ec68b7139a66",
        "type": "github"
      },
      "original": {
@ -1322,11 +1322,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753450833,
-        "narHash": "sha256-Pmpke0JtLRzgdlwDC5a+aiLVZ11JPUO5Bcqkj0nHE/k=",
+        "lastModified": 1755555503,
+        "narHash": "sha256-WiOO7GUOsJ4/DoMy2IC5InnqRDSo2U11la48vCCIjjY=",
        "owner": "NuschtOS",
        "repo": "search",
-        "rev": "40987cc1a24feba378438d691f87c52819f7bd75",
+        "rev": "6f3efef888b92e6520f10eae15b86ff537e1d2ea",
        "type": "github"
      },
      "original": {
@ -1534,11 +1534,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750779888,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "lastModified": 1755960406,
+        "narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2",
        "type": "github"
      },
      "original": {
@ -1708,11 +1708,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1753584741,
-        "narHash": "sha256-i147iFSy4K4PJvID+zoszLbRi2o+YV8AyG4TUiDQ3+I=",
+        "lastModified": 1754189623,
+        "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "69dfe029679e73b8d159011c9547f6148a85ca6b",
+        "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a",
        "type": "github"
      },
      "original": {
@ -1772,11 +1772,11 @@
    "spectrum": {
      "flake": false,
      "locked": {
-        "lastModified": 1751265943,
-        "narHash": "sha256-XoHSo6GEElzRUOYAEg/jlh5c8TDsyDESFIux3nU/NMc=",
+        "lastModified": 1754675037,
+        "narHash": "sha256-afS08F7lfMUBR4qrBxinN1kuxu+DoHQ5TPNVp9VS/OA=",
        "ref": "refs/heads/main",
-        "rev": "37c8663fab86fdb202fece339ef7ac7177ffc201",
-        "revCount": 904,
+        "rev": "586577f3015397afacd83bc185454f4cc3c8028f",
+        "revCount": 955,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
@ -1967,11 +1967,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1754061284,
-        "narHash": "sha256-ONcNxdSiPyJ9qavMPJYAXDNBzYobHRxw0WbT38lKbwU=",
+        "lastModified": 1756662192,
+        "narHash": "sha256-F1oFfV51AE259I85av+MAia221XwMHCOtZCMcZLK2Jk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "58bd4da459f0a39e506847109a2a5cfceb837796",
+        "rev": "1aabc6c05ccbcbf4a635fb7a90400e44282f61c4",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -29,8 +29,7 @@
    flake-parts.url = "github:hercules-ci/flake-parts";

    home-manager = {
-      # FIXME: only using a fork to fix https://github.com/nix-community/home-manager/issues/6638
-      url = "github:oddlama/home-manager";
+      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };

--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -19,7 +19,7 @@ let
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
    globals.services.mealie.domain
-    globals.services.immich.domain
+    # globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
    globals.services.paperless.domain
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -145,9 +145,9 @@
      // mkMicrovm "paperless" {
        enablePaperlessDataset = true;
      }
-      // mkMicrovm "immich" {
-        enableStorageDataset = true;
-      }
+      # // mkMicrovm "immich" {
+      #   enableStorageDataset = true;
+      # }
      // mkMicrovm "ai" { }
      // mkMicrovm "minecraft" { }
      // mkMicrovm "ente" {
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -21,7 +21,7 @@ let
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
    globals.services.mealie.domain
-    globals.services.immich.domain
+    # globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
    globals.services.paperless.domain
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -91,42 +91,41 @@ in
        ];
        dhcp.enabled = false;
      };
-      filtering.rewrites =
-        [
-          # Undo the /etc/hosts entry so we don't answer with the internal
-          # wireguard address for influxdb
-          {
-            inherit (globals.services.influxdb) domain;
-            answer = globals.domains.me;
-          }
-        ]
-        # Use the local mirror-proxy for some services (not necessary, just for speed)
-        ++
-          map
-            (domain: {
-              inherit domain;
-              answer = globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4;
-            })
-            [
-              # FIXME: dont hardcode, filter global service domains by internal state
-              # FIXME: new entry here? make new firezone entry too.
-              # FIXME: new entry here? make new firezone gateway on ward entry too.
-              globals.services.grafana.domain
-              "accounts.photos.${globals.domains.me}"
-              "albums.photos.${globals.domains.me}"
-              "api.photos.${globals.domains.me}"
-              "cast.photos.${globals.domains.me}"
-              "photos.${globals.domains.me}"
-              "s3.photos.${globals.domains.me}"
-              globals.services.mealie.domain
-              globals.services.immich.domain
-              globals.services.influxdb.domain
-              globals.services.loki.domain
-              globals.services.paperless.domain
-              globals.services.esphome.domain
-              globals.services.home-assistant.domain
-              "fritzbox.${globals.domains.personal}"
-            ];
+      filtering.rewrites = [
+        # Undo the /etc/hosts entry so we don't answer with the internal
+        # wireguard address for influxdb
+        {
+          inherit (globals.services.influxdb) domain;
+          answer = globals.domains.me;
+        }
+      ]
+      # Use the local mirror-proxy for some services (not necessary, just for speed)
+      ++
+        map
+          (domain: {
+            inherit domain;
+            answer = globals.net.home-lan.vlans.services.hosts.ward-web-proxy.ipv4;
+          })
+          [
+            # FIXME: dont hardcode, filter global service domains by internal state
+            # FIXME: new entry here? make new firezone entry too.
+            # FIXME: new entry here? make new firezone gateway on ward entry too.
+            globals.services.grafana.domain
+            "accounts.photos.${globals.domains.me}"
+            "albums.photos.${globals.domains.me}"
+            "api.photos.${globals.domains.me}"
+            "cast.photos.${globals.domains.me}"
+            "photos.${globals.domains.me}"
+            "s3.photos.${globals.domains.me}"
+            globals.services.mealie.domain
+            # globals.services.immich.domain
+            globals.services.influxdb.domain
+            globals.services.loki.domain
+            globals.services.paperless.domain
+            globals.services.esphome.domain
+            globals.services.home-assistant.domain
+            "fritzbox.${globals.domains.personal}"
+          ];
      filters = [
        {
          name = "AdGuard DNS filter";
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -37,7 +37,7 @@ in

  age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
  age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
-  age.secrets.kanidm-oauth2-immich = mkRandomSecret;
+  # age.secrets.kanidm-oauth2-immich = mkRandomSecret;
  age.secrets.kanidm-oauth2-firezone = mkRandomSecret;
  age.secrets.kanidm-oauth2-mealie = mkRandomSecret;
  age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
@ -115,27 +115,27 @@ in

      inherit (globals.kanidm) persons;

-      # Immich
-      groups."immich.access" = { };
-      systems.oauth2.immich = {
-        displayName = "Immich";
-        originUrl = [
-          "https://${globals.services.immich.domain}/auth/login"
-          "https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
-        ];
-        originLanding = "https://${globals.services.immich.domain}/";
-        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
-        preferShortUsername = true;
-        # XXX: PKCE is currently not supported by immich
-        allowInsecureClientDisablePkce = true;
-        # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
-        enableLegacyCrypto = true;
-        scopeMaps."immich.access" = [
-          "openid"
-          "email"
-          "profile"
-        ];
-      };
+      # # Immich
+      # groups."immich.access" = { };
+      # systems.oauth2.immich = {
+      #   displayName = "Immich";
+      #   originUrl = [
+      #     "https://${globals.services.immich.domain}/auth/login"
+      #     "https://${globals.services.immich.domain}/api/oauth/mobile-redirect"
+      #   ];
+      #   originLanding = "https://${globals.services.immich.domain}/";
+      #   basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+      #   preferShortUsername = true;
+      #   # XXX: PKCE is currently not supported by immich
+      #   allowInsecureClientDisablePkce = true;
+      #   # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
+      #   enableLegacyCrypto = true;
+      #   scopeMaps."immich.access" = [
+      #     "openid"
+      #     "email"
+      #     "profile"
+      #   ];
+      # };

      # Firezone
      groups."firezone.access" = { };
--- a/nix/agenix-rekey.nix
+++ b/nix/agenix-rekey.nix
@ -12,7 +12,7 @@
    # The identities that are used to rekey agenix secrets and to
    # decrypt all repository-wide secrets.
    secretsConfig = {
-      masterIdentities = [ ../secrets/yk1-nix-rage.pub ];
+      masterIdentities = [ "\"$DEVSHELL_DIR\"/secrets/yk1-nix-rage.pub" ];
      extraEncryptionPubkeys = [ ../secrets/backup.pub ];
    };
  };
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@ -26,7 +26,7 @@

      devshells.default = {
        packages = [
-          (builtins.trace "alarm: we pinned nix_2_24 because of https://github.com/shlevy/nix-plugins/issues/20" pkgs.nixVersions.nix_2_24) # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
+          pkgs.nix # Always use the nix version from this flake's nixpkgs version, so that nix-plugins (below) doesn't fail because of different nix versions.
        ];

        commands = [
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -34,6 +34,9 @@
          modules = [
            {
              nixpkgs.config.allowUnfree = true;
+              nixpkgs.config.permittedInsecurePackages = [
+                "qtwebengine-5.15.19" # teamspeak3, whatever I don't visit any untrusted servers
+              ];
              nixpkgs.overlays = (import ../pkgs/default.nix inputs) ++ [
                inputs.idmail.overlays.default
                # inputs.nixos-cosmic.overlays.default
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -5,6 +5,7 @@ _inputs: [
    git-fuzzy = prev.callPackage ./git-fuzzy { };
    segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix { };
    zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix { };
+    nix-plugins = prev.callPackage ./nix-plugins.nix { };
    neovim-clean = prev.neovim-unwrapped.overrideAttrs (old: {
      nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ prev.makeWrapper ];
      postInstall = ''
--- a/pkgs/nix-plugins.nix
+++ b/pkgs/nix-plugins.nix
@ -0,0 +1,74 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  nix,
+  cmake,
+  pkg-config,
+  capnproto,
+  boost,
+  writeText,
+}:
+
+let
+  patch = writeText "patch" ''
+    diff --git a/extra-builtins.cc b/extra-builtins.cc
+    index 3a0f90e..bb10f8b 100644
+    --- a/extra-builtins.cc
+    +++ b/extra-builtins.cc
+    @@ -1,10 +1,10 @@
+    -#include <config.h>
+    -#include <primops.hh>
+    -#include <globals.hh>
+    -#include <config-global.hh>
+    -#include <eval-settings.hh>
+    -#include <common-eval-args.hh>
+    -#include <filtering-source-accessor.hh>
+    +#include <nix/cmd/common-eval-args.hh>
+    +#include <nix/expr/eval-settings.hh>
+    +#include <nix/expr/primops.hh>
+    +#include <nix/fetchers/filtering-source-accessor.hh>
+    +#include <nix/store/globals.hh>
+    +#include <nix/util/configuration.hh>
+    +#include <nix/util/config-global.hh>
+
+     #include "nix-plugins-config.h"
+  '';
+in
+
+stdenv.mkDerivation rec {
+  pname = "nix-plugins";
+  version = "15.0.0";
+
+  # src = fetchFromGitHub {
+  #   owner = "patrickdag";
+  #   repo = "nix-plugins";
+  #   rev = "c85627e50bf92807091321029fca3f700c3f13e2";
+  #   hash = "sha256-lfQ+tDrNj8+nMw1mUl4ombjxdRpIKmAvcimxN4n1Iyo=";
+  # };
+  src = fetchFromGitHub {
+    owner = "shlevy";
+    repo = "nix-plugins";
+    tag = version;
+    hash = "sha256-C4VqKHi6nVAHuXVhqvTRRyn0Bb619ez4LzgUWPH1cbM=";
+  };
+  patches = [ patch ];
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+  ];
+
+  buildInputs = [
+    nix
+    boost
+    capnproto
+  ];
+
+  meta = {
+    description = "Collection of miscellaneous plugins for the nix expression language";
+    homepage = "https://github.com/shlevy/nix-plugins";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.all;
+  };
+}