From a128dd5f4015d4736c349cac542f2ba69a168ae1 Mon Sep 17 00:00:00 2001 From: oddlama Date: Wed, 31 Jul 2024 15:49:44 +0200 Subject: [PATCH] feat: remove old "freeform" globals and use new structured globals --- STRUCTURE.md | 2 +- config/boot.nix | 3 +- config/secrets.nix | 5 +- globals.nix | 16 ++++- hosts/envoy/idmail.nix | 3 +- hosts/envoy/net.nix | 5 +- hosts/envoy/stalwart-mail.nix | 3 +- hosts/sentinel/coturn.nix | 3 +- hosts/sentinel/default.nix | 2 +- hosts/sentinel/net.nix | 3 +- hosts/sentinel/oauth2.nix | 4 +- hosts/sire/guests/ai.nix | 10 ++- hosts/sire/guests/grafana.nix | 2 +- hosts/sire/guests/immich.nix | 2 +- hosts/sire/guests/influxdb.nix | 3 +- hosts/sire/guests/loki.nix | 3 +- hosts/sire/guests/minecraft.nix | 5 +- hosts/sire/guests/paperless.nix | 2 +- hosts/ward/guests/adguardhome.nix | 8 +-- hosts/ward/guests/forgejo.nix | 2 +- hosts/ward/guests/kanidm.nix | 7 +- hosts/ward/guests/netbird.nix | 6 +- hosts/ward/guests/radicale.nix | 8 ++- hosts/ward/guests/vaultwarden.nix | 3 +- hosts/ward/guests/web-proxy.nix | 2 +- hosts/ward/kea.nix | 5 +- hosts/zackbiene/home-assistant.nix | 4 +- modules/backups.nix | 7 +- modules/globals.nix | 109 +++++++++++++++++++++++++++++ nix/globals.nix | 14 +++- nix/storage-box.nix | 8 ++- secrets/global.nix.age | Bin 2695 -> 2917 bytes users/config/shell/starship.nix | 6 +- users/myuser/default.nix | 5 +- users/root/default.nix | 3 +- 35 files changed, 214 insertions(+), 59 deletions(-) diff --git a/STRUCTURE.md b/STRUCTURE.md index fe982e2..8ee8c0c 100644 --- a/STRUCTURE.md +++ b/STRUCTURE.md 
@@ -35,7 +35,7 @@ Make sure to utilize the github search if you know what you need! - `pkgs/` Custom packages and scripts - `secrets/` Global secrets and age identities - - `global.nix.age` Repository-wide global secrets. Available on nodes via the repo module as `config.repo.secrets.global`. + - `global.nix.age` Repository-wide global secrets. Will be merged with regular globals, structure is defined by `modules/globals.nix`. - `backup.pub` Backup age-identity in case I ever lose my YubiKey or it breaks. - `yk1-nix-rage.pub` Master YubiKey split-identity. Used as a key-grab. diff --git a/config/boot.nix b/config/boot.nix index 28def1a..0e7d650 100644 --- a/config/boot.nix +++ b/config/boot.nix @@ -1,5 +1,6 @@ { config, + globals, lib, pkgs, ... @@ -8,7 +9,7 @@ boot = { initrd.systemd = { enable = true; - emergencyAccess = config.repo.secrets.global.root.hashedPassword; + emergencyAccess = globals.root.hashedPassword; # TODO good idea? targets.emergency.wants = ["network.target" "sshd.service"]; extraBin.ip = "${pkgs.iproute2}/bin/ip"; extraBin.ping = "${pkgs.iputils}/bin/ping"; diff --git a/config/secrets.nix b/config/secrets.nix index 6afbbd3..cd9885e 100644 --- a/config/secrets.nix +++ b/config/secrets.nix @@ -8,10 +8,7 @@ repo.secretFiles = let local = config.node.secretsDir + "/local.nix.age"; in - { - global = ../secrets/global.nix.age; - } - // lib.optionalAttrs (lib.pathExists local) {inherit local;}; + lib.optionalAttrs (lib.pathExists local) {inherit local;}; # Setup secret rekeying parameters age.rekey = { diff --git a/globals.nix b/globals.nix index cf8b6ef..b225c17 100644 --- a/globals.nix +++ b/globals.nix 
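Review bot: The `# TODO good idea?` next to the rewritten `emergencyAccess = globals.root.hashedPassword;` line in config/boot.nix survives the move, so the intent of gating the initrd emergency shell behind the root password hash is still undocumented. Since the line is being touched anyway, replace the TODO with the decision itself, e.g. `# Require the root password (same hash as users/root) for the initrd emergency shell rather than an unauthenticated one.` — as far as I recall `boot.initrd.systemd.emergencyAccess` accepts either `true` for unauthenticated access or a password hash, so this is the deliberate, stricter choice and deserves saying so. The `boot` attrset continues outside the hunk.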
@@ -1,6 +1,20 @@ -{config, ...}: let +{ + inputs, + config, + lib, + ... +}: let inherit (config) globals; + + # Try to access the extra builtin we loaded via nix-plugins. + # Throw an error if that doesn't exist. + rageImportEncrypted = assert lib.assertMsg (builtins ? extraBuiltins.rageImportEncrypted) "The extra builtin 'rageImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `./nix/extra-builtins.nix` ?"; + builtins.extraBuiltins.rageImportEncrypted; in { + imports = [ + (rageImportEncrypted inputs.self.secretsConfig.masterIdentities ./secrets/global.nix.age) + ]; + globals = { net = { home-wan = { diff --git a/hosts/envoy/idmail.nix b/hosts/envoy/idmail.nix index 4e590d2..b89444a 100644 --- a/hosts/envoy/idmail.nix +++ b/hosts/envoy/idmail.nix @@ -1,9 +1,10 @@ { config, + globals, lib, ... }: let - mailDomains = config.repo.secrets.global.domains.mail; + mailDomains = globals.domains.mail; primaryDomain = mailDomains.primary; idmailDomain = "alias.${primaryDomain}"; in { diff --git a/hosts/envoy/net.nix b/hosts/envoy/net.nix index b0a6d47..3c36b09 100644 --- a/hosts/envoy/net.nix +++ b/hosts/envoy/net.nix @@ -1,13 +1,14 @@ { config, + globals, lib, ... }: let icfg = config.repo.secrets.local.networking.interfaces.wan; in { networking.hostId = config.repo.secrets.local.networking.hostId; - networking.domain = config.repo.secrets.global.domains.mail.primary; - networking.hosts."127.0.0.1" = ["mx1.${config.repo.secrets.global.domains.mail.primary}"]; + networking.domain = globals.domains.mail.primary; + networking.hosts."127.0.0.1" = ["mail.${globals.domains.mail.primary}"]; globals.monitoring.ping.envoy = { hostv4 = lib.net.cidr.ip icfg.hostCidrv4; diff --git a/hosts/envoy/stalwart-mail.nix b/hosts/envoy/stalwart-mail.nix index bf21bd1..ecc59bc 100644 --- a/hosts/envoy/stalwart-mail.nix +++ b/hosts/envoy/stalwart-mail.nix 
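Review bot: The assertion message in the new `rageImportEncrypted` binding in globals.nix still says `repo.secrets cannot be decrypted`, but after this commit the builtin decrypts `./secrets/global.nix.age` into `globals` and `config/secrets.nix` no longer registers that file at all; reword it to `"The extra builtin 'rageImportEncrypted' is not available, so the encrypted globals in ./secrets/global.nix.age cannot be decrypted. Did you forget to add nix-plugins and point it to `./nix/extra-builtins.nix` ?"`. It is also worth a comment above `imports` stating that the decrypted file is merged into the same `globals` option tree that nix/globals.nix re-exports, so every evaluation that touches `globals` now needs `inputs.self.secretsConfig.masterIdentities`, and the secret-bearing attributes (`root`, `myuser`, `kanidm`, `macs`, `hetzner`) are readable wherever `globals` is reachable — I cannot tell from this hunk whether that set is also published as a flake output. The module body continues past the hunk.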
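Review bot: The loopback hosts entry in hosts/envoy/net.nix changes its name from `mx1.` to `mail.` while the rest of the line only swaps the globals accessor, so this hunk carries a functional change that the subject (`remove old "freeform" globals`) does not mention. It does line up with `stalwartDomain = "mail.${primaryDomain}"` in hosts/envoy/stalwart-mail.nix, but it should be named in the commit message or split into its own commit, and any remaining reference to the `mx1` name (DNS records, certificates, monitoring targets) checked before this is deployed. The module body continues outside the hunk.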
@@ -1,10 +1,11 @@ { config, + globals, lib, pkgs, ... }: let - mailDomains = config.repo.secrets.global.domains.mail; + mailDomains = globals.domains.mail; primaryDomain = mailDomains.primary; stalwartDomain = "mail.${primaryDomain}"; dataDir = "/var/lib/stalwart-mail"; diff --git a/hosts/sentinel/coturn.nix b/hosts/sentinel/coturn.nix index bf32ea1..f266807 100644 --- a/hosts/sentinel/coturn.nix +++ b/hosts/sentinel/coturn.nix @@ -1,5 +1,6 @@ { config, + globals, lib, pkgs, ... @@ -11,7 +12,7 @@ mkForce ; - hostDomain = config.repo.secrets.global.domains.me; + hostDomain = globals.domains.me; coturnDomain = "coturn.${hostDomain}"; in { age.secrets.coturn-password-netbird = { diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index a56c2ee..41f9f4c 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -26,7 +26,7 @@ services.nginx.enable = true; services.nginx.recommendedSetup = true; - services.nginx.virtualHosts.${config.repo.secrets.global.domains.me} = { + services.nginx.virtualHosts.${globals.domains.me} = { forceSSL = true; useACMEWildcardHost = true; locations."/".root = pkgs.runCommand "index.html" {} '' diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix index fec1b5b..2078375 100644 --- a/hosts/sentinel/net.nix +++ b/hosts/sentinel/net.nix @@ -1,12 +1,13 @@ { config, + globals, lib, ... }: let icfg = config.repo.secrets.local.networking.interfaces.wan; in { networking.hostId = config.repo.secrets.local.networking.hostId; - networking.domain = config.repo.secrets.global.domains.me; + networking.domain = globals.domains.me; globals.monitoring.ping.sentinel = { hostv4 = lib.net.cidr.ip icfg.hostCidrv4; diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix index 656443f..8d8a346 100644 --- a/hosts/sentinel/oauth2.nix +++ b/hosts/sentinel/oauth2.nix 
@@ -6,8 +6,8 @@ }: { meta.oauth2-proxy = { enable = true; - cookieDomain = config.repo.secrets.global.domains.me; - portalDomain = "oauth2.${config.repo.secrets.global.domains.me}"; + cookieDomain = globals.domains.me; + portalDomain = "oauth2.${globals.domains.me}"; # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services") }; diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix index 5f9cf6d..dc7fee9 100644 --- a/hosts/sire/guests/ai.nix +++ b/hosts/sire/guests/ai.nix @@ -1,5 +1,9 @@ -{config, ...}: let - openWebuiDomain = "chat.${config.repo.secrets.global.domains.me}"; +{ + config, + globals, + ... +}: let + openWebuiDomain = "chat.${globals.domains.me}"; in { microvm.mem = 1024 * 16; microvm.vcpu = 20; @@ -76,7 +80,7 @@ in { oauth2 = { enable = true; allowedGroups = ["access_openwebui"]; - X-Email = "\${upstream_http_x_auth_request_preferred_username}@${config.repo.secrets.global.domains.personal}"; + X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}"; }; extraConfig = '' client_max_body_size 128M; diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index a85c95c..0f049dc 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -6,7 +6,7 @@ ... }: let wardWebProxyCfg = nodes.ward-web-proxy.config; - grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}"; + grafanaDomain = "grafana.${globals.domains.me}"; in { wireguard.proxy-sentinel = { client.via = "sentinel"; diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index 64f3a14..39d1942 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix @@ -7,7 +7,7 @@ }: let sentinelCfg = nodes.sentinel.config; wardWebProxyCfg = nodes.ward-web-proxy.config; - immichDomain = "immich.${config.repo.secrets.global.domains.me}"; + immichDomain = "immich.${globals.domains.me}"; ipImmichMachineLearning = "10.89.0.10"; ipImmichPostgres = "10.89.0.12"; 
diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix index edbcde5..3ab5ab8 100644 --- a/hosts/sire/guests/influxdb.nix +++ b/hosts/sire/guests/influxdb.nix @@ -1,5 +1,6 @@ { config, + globals, lib, nodes, pkgs, @@ -7,7 +8,7 @@ }: let sentinelCfg = nodes.sentinel.config; wardCfg = nodes.ward.config; - influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}"; + influxdbDomain = "influxdb.${globals.domains.me}"; influxdbPort = 8086; in { wireguard.proxy-sentinel = { diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix index 42de6cd..7702125 100644 --- a/hosts/sire/guests/loki.nix +++ b/hosts/sire/guests/loki.nix @@ -1,11 +1,12 @@ { config, + globals, nodes, ... }: let sentinelCfg = nodes.sentinel.config; wardWebProxyCfg = nodes.ward-web-proxy.config; - lokiDomain = "loki.${config.repo.secrets.global.domains.me}"; + lokiDomain = "loki.${globals.domains.me}"; in { wireguard.proxy-sentinel = { client.via = "sentinel"; diff --git a/hosts/sire/guests/minecraft.nix b/hosts/sire/guests/minecraft.nix index ead8bcd..d7a3a7b 100644 --- a/hosts/sire/guests/minecraft.nix +++ b/hosts/sire/guests/minecraft.nix @@ -1,13 +1,14 @@ # FIXME: todo: host the proxy on sentinel so the IPs are not lost in natting { config, - pkgs, + globals, lib, + pkgs, ... }: let inherit (lib) getExe; - minecraftDomain = "mc.${config.repo.secrets.global.domains.me}"; + minecraftDomain = "mc.${globals.domains.me}"; dataDir = "/var/lib/minecraft"; minecraft-attach = pkgs.writeShellApplication { diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 3b7bc2a..20c25de 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix 
@@ -8,7 +8,7 @@ }: let sentinelCfg = nodes.sentinel.config; wardWebProxyCfg = nodes.ward-web-proxy.config; - paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}"; + paperlessDomain = "paperless.${globals.domains.me}"; paperlessBackupDir = "/var/cache/paperless-backup"; in { microvm.mem = 1024 * 9; diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index b4d5f9a..c62abd9 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -5,7 +5,7 @@ pkgs, ... }: let - adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}"; + adguardhomeDomain = "adguardhome.${globals.domains.me}"; in { wireguard.proxy-sentinel = { client.via = "sentinel"; @@ -88,7 +88,7 @@ in { # wireguard address for influxdb { inherit (globals.services.influxdb) domain; - answer = config.repo.secrets.global.domains.me; + answer = globals.domains.me; } ] # Use the local mirror-proxy for some services (not necessary, just for speed) @@ -102,8 +102,8 @@ in { globals.services.influxdb.domain globals.services.loki.domain globals.services.paperless.domain - "home.${config.repo.secrets.global.domains.me}" - "fritzbox.${config.repo.secrets.global.domains.me}" + "home.${globals.domains.me}" + "fritzbox.${globals.domains.me}" ]; filters = [ { diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix index a8b8b33..cef3be9 100644 --- a/hosts/ward/guests/forgejo.nix +++ b/hosts/ward/guests/forgejo.nix @@ -6,7 +6,7 @@ pkgs, ... }: let - forgejoDomain = "git.${config.repo.secrets.global.domains.me}"; + forgejoDomain = "git.${globals.domains.me}"; in { wireguard.proxy-sentinel = { client.via = "sentinel"; diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index ac87743..5012370 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix 
@@ -3,8 +3,7 @@ globals, ... }: let - inherit (config.repo.secrets.global) domains; - kanidmDomain = "auth.${domains.me}"; + kanidmDomain = "auth.${globals.domains.me}"; kanidmPort = 8300; mkRandomSecret = { @@ -108,7 +107,7 @@ in { adminPasswordFile = config.age.secrets.kanidm-admin-password.path; idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path; - inherit (config.repo.secrets.global.kanidm) persons; + inherit (globals.kanidm) persons; # Immich groups."immich.access" = {}; @@ -191,7 +190,7 @@ in { groups."web-sentinel.openwebui" = {}; systems.oauth2.web-sentinel = { displayName = "Web Sentinel"; - originUrl = "https://oauth2.${domains.me}/"; + originUrl = "https://oauth2.${globals.domains.me}/"; basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path; preferShortUsername = true; scopeMaps."web-sentinel.access" = ["openid" "email"]; diff --git a/hosts/ward/guests/netbird.nix b/hosts/ward/guests/netbird.nix index c24626e..9ed45b9 100644 --- a/hosts/ward/guests/netbird.nix +++ b/hosts/ward/guests/netbird.nix @@ -6,7 +6,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; - netbirdDomain = "netbird.${config.repo.secrets.global.domains.me}"; + netbirdDomain = "netbird.${globals.domains.me}"; in { wireguard.proxy-sentinel = { client.via = "sentinel"; @@ -48,8 +48,8 @@ in { dashboard.settings.AUTH_AUTHORITY = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird"; management = { - singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}"; - dnsDomain = "internal.${config.repo.secrets.global.domains.me}"; + singleAccountModeDomain = "internal.${globals.domains.me}"; + dnsDomain = "internal.${globals.domains.me}"; disableAnonymousMetrics = true; oidcConfigEndpoint = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird/.well-known/openid-configuration"; turnDomain = globals.services.coturn.domain; 
diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix index fe78ba8..ce6ead4 100644 --- a/hosts/ward/guests/radicale.nix +++ b/hosts/ward/guests/radicale.nix @@ -1,5 +1,9 @@ -{config, ...}: let - radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}"; +{ + config, + globals, + ... +}: let + radicaleDomain = "radicale.${globals.domains.personal}"; in { wireguard.proxy-sentinel = { client.via = "sentinel"; diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix index f1f2c51..6f53c5e 100644 --- a/hosts/ward/guests/vaultwarden.nix +++ b/hosts/ward/guests/vaultwarden.nix @@ -1,9 +1,10 @@ { config, + globals, lib, ... }: let - vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}"; + vaultwardenDomain = "pw.${globals.domains.personal}"; in { wireguard.proxy-sentinel = { client.via = "sentinel"; diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix index cba4861..9689b35 100644 --- a/hosts/ward/guests/web-proxy.nix +++ b/hosts/ward/guests/web-proxy.nix @@ -4,7 +4,7 @@ ... }: let inherit (config.repo.secrets.local) acme; - fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}"; + fritzboxDomain = "fritzbox.${globals.domains.me}"; in { wireguard.proxy-home = { client.via = "ward"; diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix index f7e0205..d12d553 100644 --- a/hosts/ward/kea.nix +++ b/hosts/ward/kea.nix @@ -1,5 +1,4 @@ { - config, lib, globals, utils, @@ -67,11 +66,11 @@ in { ip-address = globals.net.home-lan.hosts.sire-samba.ipv4; } { - hw-address = config.repo.secrets.global.macs.wallbox; + hw-address = globals.macs.wallbox; ip-address = globals.net.home-lan.hosts.wallbox.ipv4; } { - hw-address = config.repo.secrets.global.macs.home-assistant; + hw-address = globals.macs.home-assistant; ip-address = globals.net.home-lan.hosts.home-assistant-temp.ipv4; } ]; 
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 7ef3b09..f23b5db 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix @@ -6,8 +6,8 @@ pkgs, ... }: let - homeDomain = "home.${config.repo.secrets.global.domains.me}"; - fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}"; + homeDomain = "home.${globals.domains.me}"; + fritzboxDomain = "fritzbox.${globals.domains.me}"; in { wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.home-assistant.config.http.server_port diff --git a/modules/backups.nix b/modules/backups.nix index 9aed2f5..ff84d5c 100644 --- a/modules/backups.nix +++ b/modules/backups.nix @@ -1,5 +1,6 @@ { config, + globals, lib, ... }: let @@ -19,13 +20,13 @@ in { type = types.attrsOf (types.submodule (submod: { options = { name = mkOption { - description = "The name of the storage box to backup to. The box must be defined in the global secrets. Defaults to the attribute name."; + description = "The name of the storage box to backup to. The box must be defined in the globals. Defaults to the attribute name."; default = submod.config._module.args.name; type = types.str; }; subuser = mkOption { - description = "The name of the storage box subuser as defined in the global secrets, mapping this user to a subuser id."; + description = "The name of the storage box subuser as defined in the globals, mapping this user to a subuser id."; type = types.str; }; @@ -45,7 +46,7 @@ in { (boxCfg: { "storage-box-${boxCfg.name}" = { hetznerStorageBox = let - box = config.repo.secrets.global.hetzner.storageboxes.${boxCfg.name}; + box = globals.hetzner.storageboxes.${boxCfg.name}; in { enable = true; inherit (box) mainUser; diff --git a/modules/globals.nix b/modules/globals.nix index 0c7e723..90b4dbf 100644 --- a/modules/globals.nix +++ b/modules/globals.nix 
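Review bot: `box = globals.hetzner.storageboxes.${boxCfg.name};` in modules/backups.nix still surfaces a misnamed box as a bare missing-attribute error, even though the updated `name` description promises that the box "must be defined in the globals". A guarded lookup gives the maintainer the pointer the description implies: `box = globals.hetzner.storageboxes.${boxCfg.name} or (throw "backups: storage box '${boxCfg.name}' is not defined in globals.hetzner.storageboxes");`. The enclosing `hetznerStorageBox` definition and the surrounding function continue outside the hunk.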
@@ -21,6 +21,24 @@ in {
 default = {};
 type = types.submodule {
 options = {
+ root = {
+ hashedPassword = mkOption {
+ type = types.str;
+ description = "My root user's password hash.";
+ };
+ };
+
+ myuser = {
+ name = mkOption {
+ type = types.str;
+ description = "My unix username.";
+ };
+ hashedPassword = mkOption {
+ type = types.str;
+ description = "My unix password hash.";
+ };
+ };
+
 net = mkOption {
 type = types.attrsOf (types.submodule (netSubmod: {
 options = {
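Review bot: The new `root.hashedPassword` and `myuser.hashedPassword` options in modules/globals.nix are typed as bare `types.str` with descriptions that do not say what format the value must have, although in this same patch the values flow straight into `users.users.root.hashedPassword` (users/root/default.nix) and `boot.initrd.systemd.emergencyAccess` (config/boot.nix). Document the expected format and the consumers so that a plaintext password is never placed here by mistake, e.g. `description = "My root user's password hash in crypt(3) format (e.g. from mkpasswd); used for users.users.root.hashedPassword and the initrd emergency shell.";` and the equivalent on `myuser.hashedPassword`. Leaving both without a `default` is the right call: evaluation fails closed when the encrypted globals are unavailable. The `options` attrset continues past the hunk.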
@@ -195,6 +213,97 @@ in {
 });
 };
 };
+
+ domains = {
+ me = mkOption {
+ type = types.str;
+ description = "My main domain.";
+ };
+
+ personal = mkOption {
+ type = types.str;
+ description = "My personal domain.";
+ };
+
+ mail.all = mkOption {
+ type = types.listOf types.str;
+ description = "All domains to configure on the mail server.";
+ };
+
+ mail.primary = mkOption {
+ type = types.str;
+ description = "The primary mail domain.";
+ };
+ };
+
+ macs = mkOption {
+ default = {};
+ type = types.attrsOf types.str;
+ description = "Known MAC addresses for external devices.";
+ };
+
+ hetzner.storageboxes = mkOption {
+ default = {};
+ description = "Storage box configurations.";
+ type = types.attrsOf (types.submodule {
+ options = {
+ mainUser = mkOption {
+ type = types.str;
+ description = "Main username for the storagebox";
+ };
+
+ users = mkOption {
+ default = {};
+ description = "Subuser configurations.";
+ type = types.attrsOf (types.submodule {
+ options = {
+ subUid = mkOption {
+ type = types.int;
+ description = "The subuser id";
+ };
+
+ path = mkOption {
+ type = types.str;
+ description = "The home path for this subuser (i.e. backup destination)";
+ };
+ };
+ });
+ };
+ };
+ });
+ };
+
+ # Mirror of the kanidm.persons option.
+ kanidm.persons = mkOption {
+ description = "Provisioning of kanidm persons";
+ default = {};
+ type = types.attrsOf (types.submodule {
+ options = {
+ displayName = mkOption {
+ description = "Display name";
+ type = types.str;
+ };
+
+ legalName = mkOption {
+ description = "Full legal name";
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ mailAddresses = mkOption {
+ description = "Mail addresses. First given address is considered the primary address.";
+ type = types.listOf types.str;
+ default = [];
+ };
+
+ groups = mkOption {
+ description = "List of groups this person should belong to.";
+ type = types.listOf types.str;
+ default = [];
+ };
+ };
+ });
+ };
 };
 };
 };
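Review bot: `macs` in modules/globals.nix is declared as `types.attrsOf types.str`, yet its values are handed to Kea `hw-address` reservations in hosts/ward/kea.nix, where a mistyped address does not error but silently leaves the reservation unmatched. Constraining the value type catches that at evaluation time: `type = types.attrsOf (types.strMatching "^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$");`. The comment `# Mirror of the kanidm.persons option.` would also benefit from naming the module that defines the option being mirrored, since a mirror with no link drifts silently; I cannot see the original option from this hunk. The `options` tree continues above the hunk.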
diff --git a/nix/globals.nix b/nix/globals.nix index 450ed1e..ed16b8e 100644 --- a/nix/globals.nix +++ b/nix/globals.nix @@ -9,6 +9,7 @@ prefix = ["globals"]; specialArgs = { inherit (inputs.self.pkgs.x86_64-linux) lib; + inherit inputs; }; modules = [ ../modules/globals.nix @@ -27,7 +28,18 @@ in { # Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion, # therefore we inherit relevant attributes from the config. - inherit (globalsSystem.config.globals) net services monitoring; + inherit + (globalsSystem.config.globals) + domains + hetzner + kanidm + macs + monitoring + myuser + net + root + services + ; }; }; } diff --git a/nix/storage-box.nix b/nix/storage-box.nix index e1be2fd..c195684 100644 --- a/nix/storage-box.nix +++ b/nix/storage-box.nix @@ -1,9 +1,13 @@ {inputs, ...}: { - perSystem = {pkgs, ...}: { + perSystem = { + config, + pkgs, + ... + }: { apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") { inherit pkgs; nixosConfigurations = inputs.self.nodes; - decryptIdentity = builtins.head inputs.self.secretsConfig.masterIdentities; + decryptIdentity = builtins.head config.secretsConfig.masterIdentities; }; }; } 
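Review bot: The expanded `inherit (globalsSystem.config.globals) … myuser … root …` in nix/globals.nix now carries password hashes, MAC addresses and the kanidm person list, which before this commit were only reachable through `config.repo.secrets.global` on the evaluating node. The comment above the inherit explains it only in terms of infinite recursion; add a sentence that the attrset is secret-bearing, e.g. `# NOTE: root, myuser, kanidm, macs and hetzner come from the decrypted secrets/global.nix.age — anything that can evaluate this attrset can read them.` I cannot tell from the hunk whether this attrset is published as a flake output; if it is, `nix eval` on it prints those values, which is worth either documenting or avoiding by keeping the secret-bearing attributes out of the published set. The `in { … }` body continues outside the hunk.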
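Review bot: `decryptIdentity = builtins.head config.secretsConfig.masterIdentities;` in nix/storage-box.nix reads `config` from the `perSystem` function, where in flake-parts `config` is the per-system configuration, while the same identities are read as `inputs.self.secretsConfig.masterIdentities` in globals.nix in this very patch, i.e. from a flake-level output. Unless a per-system `secretsConfig` option exists that I cannot see here, this lookup fails with a missing-attribute error the first time `apps.setupHetznerStorageBoxes` is evaluated. Keeping the previous `inputs.self.secretsConfig.masterIdentities`, or binding `config` in the outer module (`{inputs, config, ...}:`) and reading `config.flake.secretsConfig` if that is where the option is declared, would be the safer form.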
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 279bbe639b25b5235b183aa038b72065967af81c..5c98fc10e42ecbfd8880f25b0e458fadc8c0cc4c 100644 GIT binary patch delta 2914 zcmV-o3!U_b73CI?Ab(UcYjS!sYFBniV^&CJOi(vNOn7EAGFL-OdRSItaCvP~QdmJz zIAKs|I0{f!QgTIjVNYsRWj0txYEV`$MnyI&W_l|}RCh&HI8;h#c{q1udR1gZK?*HC zAaH4REpRe5HXwL$Q)M_&AVFzFWJXwLFKIG$Loil!F?e!0W`AX4F?Cl=Y;;0qOG|BN zWHEU)ZZ=PJD^ChIMQLM2L2EN^Y%_RbT260ybw@K}FjRU$OEFJLWpGegW;1nqbva96 zOH~RjJ|KNjel2HmWnpt=AVNDQRxWcOO;tuqDhh2^Ojky5N;7UjRW&wnFlTpSX-8F0 zG%;B>LvUmzqqAPk*r+)4O!?{62u=AK_31$NN8# zDiO%jD8}=zTGj7yZTOjqTMA0Hj6(ItJha6RCIVQXd*o9B)yXXh)c7jY>+tkOXrxP3 z$-#>Mlb-UgNTj*-08f0Z@cc>IK2K9ojbUWu(IW9|QR~bV^ghaS7EnTcDXIV`dx9bN z%!g6Bjenduhe2V3YcL!~ey)gyQoW*MdP-Iy=M~&%LGLkh|Mv+d&}+zi<@SlE(M@R|Bfd3hzaB07Hs4mx2)FaI_f=<&&opVzww#`UdL7v$ z61S^YfDka6$qN|hnFBx4NtU*Fe+DGKU~mhOb${*tX-QpNz#Rm?vqXZ$#7tVAQtk_B z`$^59)-k35oZg2yXdUgc?qNR|6e9%QlFCU%T5pbl>pDqpR-i$S8hL{$wf&Q$euybA zW!M)i(Fw%M_z&gw3mS^99Ic!q4;Un^2sv?o1BfQHTni;_?BhZIP}RvfGHkQ`&PzY& zrGIh#LMU%JO#lv^3U*nc_|N_ErG9jH7!*>_xz^0;WEcyO;JO|qfj^JXwzQD&fYlvV z*OhSCr%{X-5}Q&;8Ka`(KGv{Fd`iU|NM4-NZ664Kdy?M|zQV7~@2qE~+KeI^VUUXL zofgrCK{Ge?b-!ZR=Kz06+3FAv)ik zyCF-DN{lE2EH&80#~Gp%9OB@rRi91_P-HBwyxg;&K`6KTNFFJwKUYFm7C^*xA%8~1 zkN!_f-Lftq4WA~QLCY`Z1K_q!(p{iFDs5OBP|c^6u+(_ibH1x54@Tn~k`h%-yl&`= z3l!pB*WZid0Zv^rb2&q5x;G@63<=$t1Tlezq!x*V=r(JVSfuJDF=5yO2Xoz-SU$8> zYZ^M18j!3<8qmrG{_i!ehr4Gu7JpK(uze~7dle8!)IWxAn;^u^lQ~|w)67hy;hSKo zko)gREd@-FXyP+0BsLf_l`4{g4d8{ZUwRt~rM`EmQRE8eMn@6oMP-gH^N`qXx z80awd?{g&Y(qR?v3+PV3suAKuAQp?ky441pzqm4GmGYDgg%ln5MM9P>Sd9KGbx`Hp z@tsqCJfmgNviN#aWEpZ5{1N9NxKva-V>?Iy*&dRK5dP+lOS=?v+v zDok6z-=Kj4t3xO>Ihrv4Qh)pDw4dX-3I_JRA~#f~)RkzCvXsjFU}B(j)M1zu zRot~SDkf!0C(0(g7@A=?g>?$V|By9hc83}zwGLAOj?y?ZuBOr6OEP1pe&Y`MnA| zZbaU1ehbhzxnFr0wNZeYpoB1~pOv8~EE34QRo^ry}3M{y4O?A%-S{*L_ zgEcn-IHxhk;ckXshh2A+uhoxqD`cbQ_9~Vk%LvCa7O3}Q$bYOcH!YZZs2m85OwtCf zxE?FpRP2QBiKI-fozgb_+aQ|5o4yW$uc^_jW2kVePYNr}yPxYC0Wo{*S(@lhV9!g) 
zW@H!66MCywhi5{J=q%OtsG4KoymdfC3dNN*Vkkn{rRDLxGr?{EHYzPa*N+d8S*5(J}VXoIMrv+Lp z^;WPPglYfE6WVjmvcWDadRfN$3Y0z-VqcbgfR&4n{_G%1|5tV(D!4-el0yoUbE%PF zc$9OO$A4M>aR-n9ElJ0ExN$08E=FjfO>x6U0=fNsv1x1gF3*4bJ+B~{l?Cru5tB46 zR!U98FNEqVrh{2CXnU_1bfgQ~iRpBvMlz2;CYBO;{T&j6wKss#j%vluE$85v4BAUh zHDCm)b7kpy8CQKM8j55gjq5&ZC#wUpH6YRx)PM5qv9}7KZc;{K3)hjuRvEi zeeG+j7f;^F7* z5`P8$l7#E742!R=>XnB9WV@9s;O1yeb2Pw(eQFKhw4sh4eEJLt*oXupuR2NdL(Nsd z+NPx_`W0SyVcS&a2rvFU6@xnVHw@UXP8--3uJ+ z1zoD~t`xhnr(UOl>hfoSLDMvo>zY)m^gtRv-yl2DzYzq`tJ!)m?ZuluwORHyXQLkb z+~)SauJyjsid9m(WCe^y(!5ZeNg}q-(LEt=?9B)%XPhtD%oiN=Z~m{#99VfT3V+DG zTIEy=h(8k(=#j&y?Ljq>@mFWw60U`#Q4LNXNgn-FyZ#qOek*>pB- zhV(aL7ru(nmLV1B^wwHO!libj<37ZD?%>KI*DX@gRTRyQFjV(j%E0NY&!cU+*xp7V zRVW(zBB`dUXUbKT#Wpm@Zt{?j!CO~FU9dlfp#jVN@z{kcfM?R2xKkv#VqTs2^=4qG zU;K6xp568Sn2O>UKmGGwEFg}6HWDA11PoSRh>x@{BX&q;f}a*mJ;Ze@H|f$nn)Cpm MF{|!{4fc$3eP#JuJOBUy delta 2690 zcmV-|3VrqE7Kas(Ab)9NI4?n1XKPtdZf|o~QE+!yZ9+FrFgHc{wvLcu!<>GIVb_FHc!PF-1)LU&J9XJI)}PfKEWD^XNfOi^+XL3(lJOElWl9J@aZ7c;r4l@ha#h`z-2hA&0Y=5=kuRSHX#*XL5Us~>9MF=vW zz5>)+P*Nd~Q%XR(We%?9Qv-@nOQ8M->+mlF{f65b7F1&5Ki zVsD7UjR8a2^#BX!5;{$nwQpFFk@SdHHhNk=7gQMez{SFps%Kr3{we>+;6{d+LgjM3 zeX&FW4}Z{}>J|DW-6emfHUf{|ux);$pQuaVWQn$BK6*x!G$pK79klogo~-@nekwKN zhSOBHx`~c=qQ(9I zhSxkr9xsu&<7tUDFGlEo0eGQh=?NbH=u;jKxbv~(gShdahA?iZ-&SK&yRBrfSPzOl zW%=}_5vEHcSt_XubVWv4Wbk!vSRMipEbYOWkBmCO!^8>5Jk@w!N`vUN`7ILrz#m2dZM9IyG|;p7RBluYcP9Xf%&KPlL!vh;6+Aja2};s4 z;>y&qjS>rFGBg~Yze@8)>KS~6jP2a6r5ju6nXO>j>ooiCeA_sm9zd&rS=BXLD@*rZ%pXMNmOEJlm!Op$yWcP|IDbSuGAxpMND;bh z9SoHdsxFC3NiM!yQxNnu6+}+TTLO_Z_hSN2Hvl8j1>lnAh223$=YK<7BnNT4;9%L` zLGw__Fha7RPxGj~o$4XKgG9TEe-j1lI6=G}f;rN2q*3^XxKnnThpPBC6a7*)Clys@ zkQhnAUL6H$8kXbWEe}h`?KlB`*T!YfRCgG3eMS9Pm`L3;&9#utpKsMBz(hHx z*WYivdJ#&ByNh&7SbwtqJNw)C4i#f%Wa}BuEB-HSoK?+Cqp73Ma?KQe8EN618cs`W0^d(p4Qb6XHniJ2oy z$>@|Jv{;hDl(a3Hf)2X7L>ISYrPYvuUD!lxcLLy)s}ib5Ygau+gRc2q0d@O4lc$M4 z>CqdYFL;OvbAO^WGQ7aiHrhiK6gR{656zq^3O_&W;*VI5!dI^LD=j0x=G=Q$x$#Rk 
zdMbFZDu;thD|;EB{2?&vVh*2Q1j_45VD7>`@WW7-%HKxxx^#ud$e)jElQ01vPt^k0gxRz67!mN+DPh(9!DTi?%4*f$kwmc=Ix1XjqJdga_*bu(WLGm zP+$dvu3TJ8vdb=ve6qJGjnn95f@ZS`B41VUXL?d9(BlAZ}x%V**x(TFk z(xp%z#P4$hLQ*n$kTl8!a1m|@DNxfUn=g9_c+V}K6ftzYqW|pmzaA}d0Aays4+$w3 zUXI=-vTTOqUS=_Oh1zO2M6`)=?+12;-4`Vzbbo%FFC@ve&F$=k)TMH3k2~swf@;il z@G0x8@(ujhoYmMSr7ObO|Cq1)eT$Y31Fg|(*O*#e+jM)XZQ4Tc{r*@~h>)1YQ1w5K zA+u9hQh&H2`%_DZ1#^X7cC1`ApB9Xm&%~tm#YlDegmn*hJvC8J;4r9rxdAG7Uah9T zdVft7LC8_bq?k~2)FecY8_1}~f^BWl%>Rt5?J*qkfGuvIE^Wsv<{B+PK(Dbbc-@*C ze;8s2sKWA?yg`14b1Z;OTkItFykd)}T<%{9$oF zwX8ADZ3eYiJG5}$Q?Y}?NjQJ+cem~xhI^L9@^WPP)edFSJ_lq|U^Yue`;@z}!bs3Tv wGNI(WTUfBS)B6y{{@ufZPMAr%Og6$=8y`&?Qk~yY7H;}0n19y%{{igx0B8{ar2qf` diff --git a/users/config/shell/starship.nix b/users/config/shell/starship.nix index 389ab30..279d5c9 100644 --- a/users/config/shell/starship.nix +++ b/users/config/shell/starship.nix @@ -4,9 +4,9 @@ settings = { add_newline = false; format = lib.concatStrings [ - "$username" - "$hostname" - " $directory " + "($username )" + "($hostname )" + "$directory " "($git_branch )" "($git_commit )" "$git_state" diff --git a/users/myuser/default.nix b/users/myuser/default.nix index f1a3456..e48ea44 100644 --- a/users/myuser/default.nix +++ b/users/myuser/default.nix @@ -1,17 +1,18 @@ { config, lib, + globals, pkgs, minimal, ... }: let - myuser = config.repo.secrets.global.myuser.name; + myuser = globals.myuser.name; in lib.optionalAttrs (!minimal) { users.groups.${myuser}.gid = config.users.users.${myuser}.uid; users.users.${myuser} = { uid = 1000; - inherit (config.repo.secrets.global.myuser) hashedPassword; + inherit (globals.myuser) hashedPassword; createHome = true; group = myuser; extraGroups = ["wheel" "input" "video"]; diff --git a/users/root/default.nix b/users/root/default.nix index 7210b29..4f93071 100644 --- a/users/root/default.nix +++ b/users/root/default.nix 
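Review bot: The prompt format change in users/config/shell/starship.nix (`"($username )"`, `"($hostname )"`, `"$directory "`) has nothing to do with the globals restructuring named in the subject, and nothing in the message mentions it. Splitting it out, or at least listing it in the description, keeps a later bisect or revert of the globals change from dragging a cosmetic prompt change along with it. The `format` list continues outside the hunk.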
@@ -1,10 +1,11 @@
 {
 config,
+ globals,
 pkgs,
 ...
 }: {
 users.users.root = {
- inherit (config.repo.secrets.global.root) hashedPassword;
+ inherit (globals.root) hashedPassword;
 openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5Uq+CDy5Pmt3If5M6d8K/Q7HArU6sZ7sgoj3T521Wm"];
 shell = pkgs.zsh;
 };