feat(nix): integrate cratesNix across Darwin and home modules

darwin/default.nix

@@ -3,6 +3,7 @@
   inputs,
   nix-darwin,
   overlays,
+  nixpkgs,
   ...
 }: (builtins.mapAttrs (
     name: device:
@@ -11,6 +12,7 @@
         specialArgs = {
           inherit device inputs;
           stablePkgs = inputs.nixpkgs-stable.legacyPackages.${device.system};
+          cratesNix = inputs.crates-nix.mkLib {pkgs = nixpkgs.legacyPackages.${device.system};};
         };
         modules = [
           inputs.home-manager.darwinModules.home-manager

darwin/kuro/configuration.nix

@@ -28,7 +28,7 @@
       extra-nix-path = nixpkgs=flake:nixpkgs
       builders-use-substitutes = true
     '';
-    package = pkgs.nixVersions.latest;
+    package = pkgs.nixVersions.nix_2_32;
     buildMachines = [
       ../../builders/tako.nix
       ../../builders/shiro.nix

flake.lock

@@ -595,10 +595,10 @@
     "crates-io-index_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1763363725,
+        "lastModified": 1769156654,
-        "narHash": "sha256-cxr5xIKZFP45yV1ZHFTB1sHo5YGiR3FA8D9vAfDizMo=",
+        "narHash": "sha256-sARuZUnbpOTz6FBpO1j1TlLdA4Wj7bcZc0vTLJhOBzc=",
         "ref": "refs/heads/master",
-        "rev": "0382002e816a4cbd17d8d5b172f08b848aa22ff6",
+        "rev": "fa8b4a3aa55113e4e9e504aaae8d6b7ebd0db564",
         "shallow": true,
         "type": "git",
         "url": "https://github.com/rust-lang/crates.io-index"
@@ -632,7 +632,9 @@
     },
     "crates-nix_2": {
       "inputs": {
-        "crates-io-index": "crates-io-index_2"
+        "crates-io-index": [
+          "crates-io-index"
+        ]
       },
       "locked": {
         "lastModified": 1763364255,
@@ -3492,6 +3494,7 @@
         "anyrun-rink": "anyrun-rink",
         "arion": "arion",
         "command-runner": "command-runner",
+        "crates-io-index": "crates-io-index_2",
         "crates-nix": "crates-nix_2",
         "csshacks": "csshacks",
         "d2": "d2",

flake.nix

@@ -230,7 +230,14 @@
       url = "github:xatuke/handoff";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    crates-nix.url = "github:uttarayan21/crates.nix";
+    crates-io-index = {
+      url = "git+https://github.com/rust-lang/crates.io-index?shallow=1";
+      flake = false;
+    };
+    crates-nix = {
+      url = "github:uttarayan21/crates.nix";
+      inputs.crates-io-index.follows = "crates-io-index";
+    };
     headplane = {
       url = "github:tale/headplane";
       inputs.nixpkgs.follows = "nixpkgs";

home/default.nix

@@ -35,26 +35,6 @@
     username = device.user;
     homeDirectory = lib.mkForce device.home;
 
-    file = {
-      ".config/fish/themes".source = pkgs.catppuccinThemes.fish + "/themes";
-      ".cargo/config.toml".text =
-        # toml
-        ''
-          [alias]
-          lldb = ["with", "rust-lldb", "--"]
-          t = ["nextest", "run"]
-
-          [net]
-          git-fetch-with-cli = true
-
-          [registries.catscii]
-          index = "https://git.shipyard.rs/catscii/crate-index.git"
-
-          [http]
-          user-agent = "shipyard J0/QFq2Sa5y6nTxJQAb8t+e/3qLSub1/sa3zn0leZv6LKG/zmQcoikT9U3xPwbzp8hQ="
-        '';
-    };
-
     sessionVariables = {
       EDITOR = "nvim";
       SHELL = "${pkgs.bash}/bin/bash";

home/module.nix

@@ -1,6 +1,7 @@
 {
   device,
   inputs,
+  pkgs,
   ...
 }: {
   nixpkgs.config.allowUnfree = true;
@@ -12,6 +13,7 @@
       inherit inputs;
       inherit device;
       stablePkgs = inputs.nixpkgs-stable.legacyPackages.${device.system};
+      cratesNix = inputs.crates-nix.mkLib {inherit pkgs;};
     };
     users.${device.user}.imports = [
       inputs.nixvim.homeModules.nixvim

home/programs/cargo.nix

@@ -0,0 +1,21 @@
+{cratesNix, ...}: {
+  home.file.".cargo/config.toml".text =
+    # toml
+    ''
+      [alias]
+      lldb = ["with", "rust-lldb", "--"]
+      t = ["nextest", "run"]
+
+      [net]
+      git-fetch-with-cli = true
+
+      [registries.kellnr]
+      index = "sparse+https://crates.darksailor.dev/api/v1/crates/"
+
+      [registry]
+      global-credential-providers = ["cargo:token", "/etc/profiles/per-user/fs0c131y/bin/cargo-credential-1password --account my.1password.com"]
+    '';
+  home.packages = [
+    (cratesNix.buildCrate "cargo-credential-1password" {})
+  ];
+}

home/programs/default.nix

@@ -74,5 +74,6 @@
     # ./zellij.nix
     ./dysk.nix
     ./binwalk.nix
+    ./cargo.nix
   ];
 }

home/programs/fish.nix

@@ -6,6 +6,9 @@
   ...
 }:
 {
+  home.file = {
+    ".config/fish/themes".source = pkgs.catppuccinThemes.fish + "/themes";
+  };
   programs.fish = {
     enable = true;
     shellAbbrs = {

home/programs/sops.nix

@@ -12,4 +12,12 @@
     defaultSopsFormat = "yaml";
     age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
   };
+  launchd.agents.sops-nix = pkgs.lib.mkIf pkgs.stdenv.isDarwin {
+    enable = true;
+    config = {
+      EnvironmentVariables = {
+        PATH = pkgs.lib.mkForce "/usr/bin:/bin:/usr/sbin:/sbin";
+      };
+    };
+  };
 }

nixos/tako/services/kellnr.nix

@@ -2,11 +2,18 @@
 # -p 8000:8000 \
 # -e "KELLNR_ORIGIN__HOSTNAME=kellnr.example.com" \
 # -v $(pwd):/opt/kdata ghcr.io/kellnr/kellnr:5
-{...}: let
+# E.g. docker run -v /path/to/config.toml:/usr/local/cargo/config.toml:ro ghcr.io/kellnr/kellnr:5.2.4
+{config, ...}: let
   port = 8899;
   domain = "crates.darksailor.dev";
 in {
   sops = {
+    secrets."kellnr/password" = {};
+    secrets."kellnr/token" = {};
+    templates."kellnr.env".content = ''
+      KELLNR_SETUP__ADMIN_PWD=${config.sops.placeholder."kellnr/password"}
+      KELLNR_SETUP__ADMIN_TOKEN=${config.sops.placeholder."kellnr/token"}
+    '';
   };
   virtualisation.oci-containers = {
     backend = "docker";
@@ -20,26 +27,31 @@ in {
         environment = {
           KELLNR_ORIGIN__HOSTNAME = domain;
           KELLNR_DOCS__ENABLED = "true";
+          KELLNR_ORIGIN__PROTOCOL = "https";
+          KELLNR_ORIGIN__PORT = "443";
         };
+        environmentFiles = [
+          config.sops.templates."kellnr.env".path
+        ];
       };
     };
   };
   services.caddy.virtualHosts."${domain}".extraConfig = ''
-    import auth
+    # import auth
     reverse_proxy localhost:${toString port}
   '';
-  services.authelia = {
+  # services.authelia = {
-    instances.darksailor = {
+  #   instances.darksailor = {
-      settings = {
+  #     settings = {
-        access_control = {
+  #       access_control = {
-          rules = [
+  #         rules = [
-            {
+  #           {
-              inherit domain;
+  #             inherit domain;
-              policy = "one_factor";
+  #             policy = "one_factor";
-            }
+  #           }
-          ];
+  #         ];
-        };
+  #       };
-      };
+  #     };
-    };
+  #   };
-  };
+  # };
 }

secrets/secrets.yaml

@@ -81,6 +81,7 @@ pihole:
 nas:
     password: ENC[AES256_GCM,data:lWb/l3srLrA=,iv:SN8+ziMJZZ1F+RT6JhoqWXcr1c4pSAkiT6gYfsi2LS4=,tag:g5Whb9nV8FHrOA5/Nbg0Fw==,type:str]
 kellnr:
+    token: ENC[AES256_GCM,data:te5psUTLr8+NLsliJAgz71j8AT3BUkJ8f0eGgnsRbbk2zF9fH3cCfZbry+mmxwvhmwL8ktNexaPUixatNDrWpA==,iv:Ao6Iqr3z8/3azo9H9lPUeVwto7nQMlMuAZp4Q9fIwJE=,tag:r2FXoxgrvlaCnQlngg12qg==,type:str]
     password: ENC[AES256_GCM,data:OZkfHckKHu/EM6+PquknU+aKmyyFw5o25ZENqNGc0d/vYiNBo4FBdCZwj1W0efo43+hTgsxVj7QCDSxFgROdOg==,iv:2G3fy5dIufL7tXEgRaOGBFNaVoKbfKqcFnRiZN1I1F4=,tag:iyHQD5oXy44tL18W7Fw35g==,type:str]
 sops:
     age:
@@ -93,7 +94,7 @@ sops:
             VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
             ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-14T06:29:20Z"
+    lastmodified: "2026-01-23T07:40:21Z"
-    mac: ENC[AES256_GCM,data:86cBNjAgiF9XBClEN0GCg74JP2O3nMzYAIkpsoU14HE2T9H1PzfDO3kzTaujfyVTw2PRfOPko8xvQrg8L8eSSAbO1h/I4Ta34L0Pc8Ud7zlDjKaa+a31nOlrdBLom1qGZytlI/IRgdBTexjMZPprsHbrS9pCwd3bUnH5YhcRBF0=,iv:s88NUl5tSq5pe3J+WI0JP0olAExkH1Gxs0KW8dzNkrY=,tag:VOKYIP3aPGON7BwNm28PQg==,type:str]
+    mac: ENC[AES256_GCM,data:lmpI0sQJbEz0U8oxJ+gLZTfFBwCyJYdaiCmKcRU1juL7/mqyRYrB4Dh8lMMmW5I+n0Z1P0zZ5+CD/WnRXcqdZ/Yj40ZlaUgIdsH1qMImvdv1wld0OIThDWKxoTSywGcbaMz7PpAsC5FNoRo5v/uBT9y42xBXoxw8urdHCrIi21Y=,iv:KFL4fuyqv1TKg36kHxSZiiHTi4MoGEnRP5JyB6BQq78=,tag:sVbK6UwRC+f0Z3HSCtZ2qQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0