Diffstat (limited to 'modules/nixos/base')
| -rw-r--r-- | modules/nixos/base/default.nix | 28 | ||||
| -rw-r--r-- | modules/nixos/base/documentation.nix | 15 | ||||
| -rw-r--r-- | modules/nixos/base/networking.nix | 31 | ||||
| -rw-r--r-- | modules/nixos/base/nix.nix | 20 | ||||
| -rw-r--r-- | modules/nixos/base/programs.nix | 15 | ||||
| -rw-r--r-- | modules/nixos/base/security.nix | 26 |
6 files changed, 135 insertions, 0 deletions
diff --git a/modules/nixos/base/default.nix b/modules/nixos/base/default.nix
new file mode 100644
index 0000000..31cd6ff
--- /dev/null
+++ b/modules/nixos/base/default.nix
@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../shared
+    ./documentation.nix
+    ./networking.nix
+    ./nix.nix
+    ./programs.nix
+    ./security.nix
+  ];
+
+  services.journald.extraConfig = ''
+    MaxRetentionSec=1w
+  '';
+
+  system.activationScripts."upgrade-diff" = {
+    supportsDryActivation = true;
+    text = ''
+      ${lib.getExe pkgs.nvd} \
+        --nix-bin-dir=${config.nix.package}/bin \
+        diff /run/current-system "$systemConfig"
+    '';
+  };
+}
diff --git a/modules/nixos/base/documentation.nix b/modules/nixos/base/documentation.nix
new file mode 100644
index 0000000..5792c80
--- /dev/null
+++ b/modules/nixos/base/documentation.nix
@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.base.documentation;
+  enable = config.base.enable && cfg.enable;
+in {
+  config = lib.mkIf enable {
+    documentation.nixos.enable = false;
+
+    environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+  };
+}
diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix
new file mode 100644
index 0000000..895127c
--- /dev/null
+++ b/modules/nixos/base/networking.nix
@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.base.networking;
+  enable = config.base.enable && cfg.enable;
+in {
+  options.base.networking = {
+    enable = lib.mkEnableOption "base network settings" // {default = true;};
+  };
+
+  config = lib.mkIf enable {
+    networking.networkmanager = {
+      enable = lib.mkDefault true;
+      dns = "systemd-resolved";
+    };
+
+    services = {
+      resolved = {
+        enable = lib.mkDefault true;
+        dnssec = "allow-downgrade";
+        extraConfig = lib.mkDefault ''
+          [Resolve]
+          DNS=1.1.1.1 1.0.0.1
+          DNSOverTLS=yes
+        '';
+      };
+    };
+  };
+}
diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix
new file mode 100644
index 0000000..720a074
--- /dev/null
+++ b/modules/nixos/base/nix.nix
@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}: let
+  cfg = config.base.nixSettings;
+  enable = config.base.enable && cfg.enable;
+in {
+  config = lib.mkIf enable {
+    # not sure why i can't use this on darwin?
+    environment.etc."nix/inputs/nixpkgs".source = lib.mkDefault inputs.nixpkgs.outPath;
+
+    nix = {
+      channel.enable = lib.mkDefault false;
+      gc.dates = lib.mkDefault "weekly";
+      settings.trusted-users = ["root" "@wheel"];
+    };
+  };
+}
diff --git a/modules/nixos/base/programs.nix b/modules/nixos/base/programs.nix
new file mode 100644
index 0000000..7d1a15b
--- /dev/null
+++ b/modules/nixos/base/programs.nix
@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.base.defaultPrograms;
+  enable = config.base.enable && cfg.enable;
+in {
+  config = lib.mkIf enable {
+    programs = {
+      git.enable = true;
+      vim.defaultEditor = true;
+    };
+  };
+}
diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix
new file mode 100644
index 0000000..4401f81
--- /dev/null
+++ b/modules/nixos/base/security.nix
@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.base.security;
+  enable = config.base.enable && cfg.enable;
+in {
+  options.base.security = {
+    enable = lib.mkEnableOption "base security settings" // {default = true;};
+  };
+
+  config = lib.mkIf enable {
+    security = {
+      apparmor.enable = lib.mkDefault true;
+      audit.enable = lib.mkDefault true;
+      auditd.enable = lib.mkDefault true;
+      polkit.enable = lib.mkDefault true;
+      sudo.execWheelOnly = true;
+    };
+
+    services = {
+      dbus.apparmor = lib.mkDefault "enabled";
+    };
+  };
+}
|
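Review bot: `services.journald.extraConfig` in default.nix is a hard assignment made outside any `config.base.enable` gate, unlike the sibling modules that condition on `enable` and mark their settings with `lib.mkDefault`, so a host cannot lengthen journal retention without `lib.mkForce`. A one-week `MaxRetentionSec` also caps how far back an investigation can look on a host that is not forwarding its journal elsewhere; whether that is acceptable depends on log shipping, which this hunk does not show. Suggest `services.journald.extraConfig = lib.mkDefault ''` together with a comment such as `# 1w keeps local journals small; hosts that do not forward logs should raise this.`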
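Review bot: `cfg.enable` in documentation.nix reads `config.base.documentation.enable`, but no `options.base.documentation` declaration appears in this file, whereas networking.nix and security.nix declare their own `enable` option; the same applies to `config.base.nixSettings` in nix.nix and `config.base.defaultPrograms` in programs.nix. If those options are declared in `../../shared`, a short comment next to each `cfg =` line pointing there would help readers; if they are not, evaluation would presumably fail with an undefined-option error. `documentation.nixos.enable = false;` is also a hard assignment while the rest of the module set prefers overridable defaults, so consider `documentation.nixos.enable = lib.mkDefault false;`.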
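Review bot: The `DNS=1.1.1.1 1.0.0.1` line in networking.nix's resolved `extraConfig` carries no server name, so with `DNSOverTLS=yes` systemd-resolved has no hostname to send as SNI or to check the resolver's certificate against, which reduces strict mode to "encrypt to whoever answers on 853". Writing `DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com` gives resolved a name to validate so the upstream is authenticated, not just encrypted. `dnssec = "allow-downgrade"` is a reasonable availability trade-off, but systemd's own documentation describes that mode as vulnerable to downgrade, so a comment recording why `"true"` was not chosen would help, e.g. `# allow-downgrade: keeps resolution working behind DNSSEC-stripping resolvers at the cost of validation.`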
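Review bot: `settings.trusted-users = ["root" "@wheel"];` in nix.nix is a hard assignment that Nix's documentation treats as effectively root-equivalent (trusted users may supply arbitrary substituters and trusted public keys and relax daemon settings), and it applies to every `wheel` member on every host importing this module. On NixOS `wheel` normally already has sudo, so this is likely intended, but it deserves a comment on the line and an overridable form: `settings.trusted-users = lib.mkDefault ["root" "@wheel"];`. The `# not sure why i can't use this on darwin?` comment above `environment.etc` reads as an open question rather than documentation; a `# TODO:` marker with what actually fails on darwin would be more useful to the next reader.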
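Review bot: `audit.enable` and `auditd.enable` in security.nix switch the audit subsystem on, but no `security.audit.rules` are set, so auditd records only the kernel's default events and little of the process or file activity an incident investigation would need. A small overridable baseline, e.g. `security.audit.rules = lib.mkDefault ["-a exit,always -F arch=b64 -S execve"];`, makes the daemon worth its overhead and can be tuned per host. `sudo.execWheelOnly = true;` is the one hard assignment in a block of `lib.mkDefault`s; that looks like a deliberate security floor, and a one-line comment saying so would stop a future reader from "fixing" it.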
