all repos — flake @ a7abfba6833aa22d659b81c99a14756acd8953f7

got my cool flake 

ivy: git
vi did:web:vt3e.cat
Tue, 05 May 2026 20:37:01 +0100
commit

a7abfba6833aa22d659b81c99a14756acd8953f7

parent

8e07b34fd14b326d037be884e12600f18dd6c4e1

3 files changed, 25 insertions(+), 1 deletions(-)

jump to
M hosts/ivy/services/at/tranquil.nixhosts/ivy/services/at/tranquil.nix 
@@ -6,7 +6,7 @@ {
   services.tranquil-pds = {
     enable = true;
 
-    environmentFiles = [ "/var/lib/secrets/tranquil" ];
+    environmentFiles = [ "/var/secrets/tranquil" ];
     database.createLocally = true;
 
     settings = {
M hosts/ivy/services/default.nixhosts/ivy/services/default.nix 
@@ -1,6 +1,7 @@
 {
   imports = [
     ./at
+    ./git.nix
     ./vaultwarden.nix
     ./immich.nix
     ./navidrome.nix
A hosts/ivy/services/git.nix 
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+  groups.git = { };
+  users.users.git = {
+    isSystemUser = true;
+    group = "git";
+    home = "/var/lib/git-server";
+    createHome = true;
+    shell = "${pkgs.git}/bin/git-shell";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDXt8vkpi9jOp9dCjoS8u0dC4fDdgb73w8z7VNI42FB did:web:vt3e.cat"
+    ];
+  };
+
+  services.openssh.extraConfig = ''
+    Match user git
+      AllowTcpForwarding no
+      AllowAgentForwarding no
+      PasswordAuthentication no
+      PermitTTY no
+      X11Forwarding no
+  '';
+}