From cffffeb678e9a1078eeba0f19c9607cda9f31bed Mon Sep 17 00:00:00 2001 
From: seth Date: Wed, 7 Feb 2024 18:03:24 -0500 Subject: modules/nixos+darwin: move to traits + archetypes model --- modules/darwin/archetypes/default.nix | 5 ++ modules/darwin/archetypes/personal.nix | 21 ++++++ modules/darwin/base.nix | 18 ----- modules/darwin/base/default.nix | 7 ++ modules/darwin/base/nix.nix | 16 +++++ modules/darwin/base/programs.nix | 16 +++++ modules/darwin/default.nix | 7 +- modules/darwin/desktop.nix | 39 ---------- modules/darwin/desktop/default.nix | 11 +++ modules/darwin/desktop/fonts.nix | 20 ++++++ modules/darwin/desktop/homebrew.nix | 29 ++++++++ modules/darwin/desktop/programs.nix | 20 ++++++ modules/darwin/suites/default.nix | 5 -- modules/darwin/suites/personal.nix | 11 --- modules/darwin/traits/default.nix | 5 ++ modules/darwin/traits/users.nix | 5 ++ modules/nixos/archetypes/default.nix | 6 ++ modules/nixos/archetypes/personal.nix | 32 +++++++++ modules/nixos/archetypes/server.nix | 68 ++++++++++++++++++ modules/nixos/base.nix | 90 ----------------------- modules/nixos/base/default.nix | 28 ++++++++ modules/nixos/base/documentation.nix | 15 ++++ modules/nixos/base/networking.nix | 31 ++++++++ modules/nixos/base/nix.nix | 20 ++++++ modules/nixos/base/programs.nix | 15 ++++ modules/nixos/base/security.nix | 26 +++++++ modules/nixos/default.nix | 8 +-- modules/nixos/desktop/audio.nix | 27 +++++++ modules/nixos/desktop/default.nix | 59 +++------------ modules/nixos/desktop/fonts.nix | 38 ++++++++++ modules/nixos/desktop/programs.nix | 28 ++++++++ modules/nixos/features/containers.nix | 23 ------ modules/nixos/features/default.nix | 7 -- modules/nixos/features/nvk/default.nix | 41 ----------- modules/nixos/features/nvk/mesa.nix | 126 --------------------------------- modules/nixos/features/tailscale.nix | 37 ---------- modules/nixos/server/acme.nix | 25 ------- modules/nixos/server/default.nix | 43 ----------- modules/nixos/server/secrets.nix | 21 ------ modules/nixos/services/cloudflared.nix | 38 ---------- 
modules/nixos/services/default.nix | 7 -- modules/nixos/services/hercules.nix | 55 -------------- modules/nixos/services/promtail.nix | 47 ------------ modules/nixos/suites/default.nix | 6 -- modules/nixos/suites/personal.nix | 18 ----- modules/nixos/suites/server.nix | 23 ------ modules/nixos/traits/acme.nix | 46 ++++++++++++ modules/nixos/traits/cloudflared.nix | 50 +++++++++++++ modules/nixos/traits/containers.nix | 23 ++++++ modules/nixos/traits/default.nix | 15 ++++ modules/nixos/traits/hercules.nix | 49 +++++++++++++ modules/nixos/traits/locale.nix | 25 +++++++ modules/nixos/traits/nvk/default.nix | 43 +++++++++++ modules/nixos/traits/nvk/mesa.nix | 126 +++++++++++++++++++++++++++++++++ modules/nixos/traits/promtail.nix | 49 +++++++++++++ modules/nixos/traits/secrets.nix | 17 +++++ modules/nixos/traits/tailscale.nix | 48 +++++++++++++ modules/nixos/traits/user-setup.nix | 45 ++++++++++++ modules/nixos/traits/users.nix | 44 ++++++++++++ modules/shared/base/default.nix | 23 ++++++ modules/shared/base/documentation.nix | 19 +++++ modules/shared/base/nix.nix | 43 +++++++++++ modules/shared/base/programs.nix | 16 +++++ modules/shared/default.nix | 22 +----- modules/shared/nix.nix | 34 --------- modules/shared/suites/default.nix | 5 -- modules/shared/suites/personal.nix | 15 ---- modules/shared/traits/default.nix | 6 ++ modules/shared/traits/home-manager.nix | 21 ++++++ modules/shared/traits/locale.nix | 19 +++++ modules/shared/users/default.nix | 15 ---- modules/shared/users/seth.nix | 35 --------- 72 files changed, 1233 insertions(+), 863 deletions(-) create mode 100644 modules/darwin/archetypes/default.nix create mode 100644 modules/darwin/archetypes/personal.nix delete mode 100644 modules/darwin/base.nix create mode 100644 modules/darwin/base/default.nix create mode 100644 modules/darwin/base/nix.nix create mode 100644 modules/darwin/base/programs.nix delete mode 100644 modules/darwin/desktop.nix create mode 100644 modules/darwin/desktop/default.nix create mode 
100644 modules/darwin/desktop/fonts.nix create mode 100644 modules/darwin/desktop/homebrew.nix create mode 100644 modules/darwin/desktop/programs.nix delete mode 100644 modules/darwin/suites/default.nix delete mode 100644 modules/darwin/suites/personal.nix create mode 100644 modules/darwin/traits/default.nix create mode 100644 modules/darwin/traits/users.nix create mode 100644 modules/nixos/archetypes/default.nix create mode 100644 modules/nixos/archetypes/personal.nix create mode 100644 modules/nixos/archetypes/server.nix delete mode 100644 modules/nixos/base.nix create mode 100644 modules/nixos/base/default.nix create mode 100644 modules/nixos/base/documentation.nix create mode 100644 modules/nixos/base/networking.nix create mode 100644 modules/nixos/base/nix.nix create mode 100644 modules/nixos/base/programs.nix create mode 100644 modules/nixos/base/security.nix create mode 100644 modules/nixos/desktop/audio.nix create mode 100644 modules/nixos/desktop/fonts.nix create mode 100644 modules/nixos/desktop/programs.nix delete mode 100644 modules/nixos/features/containers.nix delete mode 100644 modules/nixos/features/default.nix delete mode 100644 modules/nixos/features/nvk/default.nix delete mode 100644 modules/nixos/features/nvk/mesa.nix delete mode 100644 modules/nixos/features/tailscale.nix delete mode 100644 modules/nixos/server/acme.nix delete mode 100644 modules/nixos/server/default.nix delete mode 100644 modules/nixos/server/secrets.nix delete mode 100644 modules/nixos/services/cloudflared.nix delete mode 100644 modules/nixos/services/default.nix delete mode 100644 modules/nixos/services/hercules.nix delete mode 100644 modules/nixos/services/promtail.nix delete mode 100644 modules/nixos/suites/default.nix delete mode 100644 modules/nixos/suites/personal.nix delete mode 100644 modules/nixos/suites/server.nix create mode 100644 modules/nixos/traits/acme.nix create mode 100644 modules/nixos/traits/cloudflared.nix create mode 100644 
modules/nixos/traits/containers.nix create mode 100644 modules/nixos/traits/default.nix create mode 100644 modules/nixos/traits/hercules.nix create mode 100644 modules/nixos/traits/locale.nix create mode 100644 modules/nixos/traits/nvk/default.nix create mode 100644 modules/nixos/traits/nvk/mesa.nix create mode 100644 modules/nixos/traits/promtail.nix create mode 100644 modules/nixos/traits/secrets.nix create mode 100644 modules/nixos/traits/tailscale.nix create mode 100644 modules/nixos/traits/user-setup.nix create mode 100644 modules/nixos/traits/users.nix create mode 100644 modules/shared/base/default.nix create mode 100644 modules/shared/base/documentation.nix create mode 100644 modules/shared/base/nix.nix create mode 100644 modules/shared/base/programs.nix delete mode 100644 modules/shared/nix.nix delete mode 100644 modules/shared/suites/default.nix delete mode 100644 modules/shared/suites/personal.nix create mode 100644 modules/shared/traits/default.nix create mode 100644 modules/shared/traits/home-manager.nix create mode 100644 modules/shared/traits/locale.nix delete mode 100644 modules/shared/users/default.nix delete mode 100644 modules/shared/users/seth.nix (limited to 'modules') diff --git a/modules/darwin/archetypes/default.nix b/modules/darwin/archetypes/default.nix new file mode 100644 index 0000000..b4bd1b5 --- /dev/null +++ b/modules/darwin/archetypes/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./personal.nix + ]; +} diff --git a/modules/darwin/archetypes/personal.nix b/modules/darwin/archetypes/personal.nix new file mode 100644 index 0000000..34f9ec4 --- /dev/null +++ b/modules/darwin/archetypes/personal.nix 
@@ -0,0 +1,21 @@ +{ + config, + lib, + ... +}: let + cfg = config.archetypes.personal; +in { + options.archetypes.personal = { + enable = lib.mkEnableOption "personal archetype"; + }; + + config = lib.mkIf cfg.enable { + base.enable = true; + desktop.enable = true; + + traits = { + home-manager.enable = true; + users.seth.enable = true; + }; + }; +} diff --git a/modules/darwin/base.nix b/modules/darwin/base.nix deleted file mode 100644 index 9fc0d86..0000000 --- a/modules/darwin/base.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - lib, - inputs, - ... -}: { - imports = [../shared]; - - # not sure why i have to force this - environment.etc."nix/inputs/nixpkgs".source = lib.mkForce inputs.nixpkgs.outPath; - - programs = { - bash.enable = true; - vim.enable = true; - zsh.enable = true; - }; - - services.nix-daemon.enable = true; -} diff --git a/modules/darwin/base/default.nix b/modules/darwin/base/default.nix new file mode 100644 index 0000000..5066832 --- /dev/null +++ b/modules/darwin/base/default.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ../../shared + ./nix.nix + ./programs.nix + ]; +} diff --git a/modules/darwin/base/nix.nix b/modules/darwin/base/nix.nix new file mode 100644 index 0000000..dd593f9 --- /dev/null +++ b/modules/darwin/base/nix.nix @@ -0,0 +1,16 @@ +{ + config, + lib, + inputs, + ... +}: let + cfg = config.base.nixSettings; + enable = config.base.enable && cfg.enable; +in { + config = lib.mkIf enable { + # not sure why i have to force this + environment.etc."nix/inputs/nixpkgs".source = lib.mkForce inputs.nixpkgs.outPath; + + services.nix-daemon.enable = true; + }; +} diff --git a/modules/darwin/base/programs.nix b/modules/darwin/base/programs.nix new file mode 100644 index 0000000..bb6d4f5 --- /dev/null +++ b/modules/darwin/base/programs.nix 
@@ -0,0 +1,16 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultPrograms; + enable = config.base.enable && cfg.enable; +in { + config = lib.mkIf enable { + programs = { + bash.enable = true; + vim.enable = true; + zsh.enable = true; + }; + }; +} diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix index 4dfa561..1b6cd03 100644 --- a/modules/darwin/default.nix +++ b/modules/darwin/default.nix @@ -1,7 +1,8 @@ { flake.darwinModules = { - default = ./base.nix; - desktop = ./desktop.nix; - suites = ./suites; + default = ./base; + archetypes = ./archetypes; + desktop = ./desktop; + traits = ./traits; }; } diff --git a/modules/darwin/desktop.nix b/modules/darwin/desktop.nix deleted file mode 100644 index c6eb106..0000000 --- a/modules/darwin/desktop.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: let - cfg = config.desktop; -in { - options.desktop.enable = lib.mkEnableOption "base desktop settings"; - - config = lib.mkIf cfg.enable { - fonts.fonts = with pkgs; - lib.mkDefault [ - (nerdfonts.override {fonts = ["FiraCode"];}) - ]; - - homebrew = { - enable = lib.mkDefault true; - - onActivation = lib.mkDefault { - autoUpdate = true; - cleanup = "zap"; - upgrade = true; - }; - - caskArgs = { - no_quarantine = true; - require_sha = false; - }; - - casks = [ - "chromium" - "iterm2" - ]; - }; - - programs.gnupg.agent.enable = lib.mkDefault true; - }; -} diff --git a/modules/darwin/desktop/default.nix b/modules/darwin/desktop/default.nix new file mode 100644 index 0000000..cdfb246 --- /dev/null +++ b/modules/darwin/desktop/default.nix @@ -0,0 +1,11 @@ +{lib, ...}: { + options.desktop = { + enable = lib.mkEnableOption "base desktop settings"; + }; + + imports = [ + ./fonts.nix + ./homebrew.nix + ./programs.nix + ]; +} diff --git a/modules/darwin/desktop/fonts.nix b/modules/darwin/desktop/fonts.nix new file mode 100644 index 0000000..39d8531 --- /dev/null +++ b/modules/darwin/desktop/fonts.nix 
@@ -0,0 +1,20 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.desktop.fonts; + enable = config.desktop.enable && cfg.enable; +in { + options.desktop.fonts = { + enable = lib.mkEnableOption "desktop fonts" // {default = true;}; + }; + + config = lib.mkIf enable { + fonts.fonts = with pkgs; + lib.mkDefault [ + (nerdfonts.override {fonts = ["FiraCode"];}) + ]; + }; +} diff --git a/modules/darwin/desktop/homebrew.nix b/modules/darwin/desktop/homebrew.nix new file mode 100644 index 0000000..1015ff9 --- /dev/null +++ b/modules/darwin/desktop/homebrew.nix @@ -0,0 +1,29 @@ +{ + config, + lib, + ... +}: let + cfg = config.desktop.homebrew; + enable = config.desktop.enable && cfg.enable; +in { + options.desktop.homebrew = { + enable = lib.mkEnableOption "Homebrew integration" // {default = true;}; + }; + + config = lib.mkIf enable { + homebrew = { + enable = true; + + onActivation = lib.mkDefault { + autoUpdate = true; + cleanup = "zap"; + upgrade = true; + }; + + caskArgs = { + no_quarantine = true; + require_sha = false; + }; + }; + }; +} diff --git a/modules/darwin/desktop/programs.nix b/modules/darwin/desktop/programs.nix new file mode 100644 index 0000000..b681c59 --- /dev/null +++ b/modules/darwin/desktop/programs.nix @@ -0,0 +1,20 @@ +{ + config, + lib, + ... +}: let + cfg = config.desktop.defaultPrograms; + enable = config.desktop.enable && cfg.enable; +in { + options.desktop.defaultPrograms = { + enable = lib.mkEnableOption "default desktop programs" // {default = true;}; + }; + + config = lib.mkIf enable { + homebrew.casks = [ + "chromium" + "iterm2" + ]; + programs.gnupg.agent.enable = lib.mkDefault true; + }; +} diff --git a/modules/darwin/suites/default.nix b/modules/darwin/suites/default.nix deleted file mode 100644 index b4bd1b5..0000000 --- a/modules/darwin/suites/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - imports = [ - ./personal.nix - ]; -} 
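Review bot: In desktop/homebrew.nix the `caskArgs` block sets `no_quarantine = true` and `require_sha = false`, which together skip the macOS quarantine attribute on installed casks and drop Homebrew's checksum check, so a cask download is installed with neither integrity verification nor Gatekeeper inspection; the deleted desktop.nix carried the same values, but now that this is a standalone trait with its own enable switch it is the natural place to tighten or document it. Prefer `require_sha = true;` and dropping `no_quarantine`, or keep them behind a comment naming the reason, e.g. `# cask downloads are not checksum-verified and skip Gatekeeper quarantine — accepted for <reason>`. Note also that `onActivation.cleanup = "zap"` removes every formula or cask not declared in the configuration on each switch, which deserves a one-line comment for anyone adding a host.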
diff --git a/modules/darwin/suites/personal.nix b/modules/darwin/suites/personal.nix deleted file mode 100644 index 6f37936..0000000 --- a/modules/darwin/suites/personal.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ - config, - lib, - ... -}: let - cfg = config.suites.personal; -in { - config = lib.mkIf cfg.enable { - desktop.enable = true; - }; -} diff --git a/modules/darwin/traits/default.nix b/modules/darwin/traits/default.nix new file mode 100644 index 0000000..e6e5275 --- /dev/null +++ b/modules/darwin/traits/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./users.nix + ]; +} diff --git a/modules/darwin/traits/users.nix b/modules/darwin/traits/users.nix new file mode 100644 index 0000000..b0a2078 --- /dev/null +++ b/modules/darwin/traits/users.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ../../../users/seth/darwin.nix + ]; +} diff --git a/modules/nixos/archetypes/default.nix b/modules/nixos/archetypes/default.nix new file mode 100644 index 0000000..dfdb4e4 --- /dev/null +++ b/modules/nixos/archetypes/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./server.nix + ./personal.nix + ]; +} diff --git a/modules/nixos/archetypes/personal.nix b/modules/nixos/archetypes/personal.nix new file mode 100644 index 0000000..7122708 --- /dev/null +++ b/modules/nixos/archetypes/personal.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: let + cfg = config.archetypes.personal; +in { + options.archetypes = { + personal.enable = lib.mkEnableOption "personal archetype"; + }; + + config = lib.mkIf cfg.enable { + base.enable = true; + + traits = { + home-manager.enable = true; + + locale = { + en_US.enable = true; + US-east.enable = true; + }; + + secrets.enable = true; + tailscale.enable = true; + user-setup.enable = true; + + users = { + seth.enable = true; + }; + }; + }; +} diff --git a/modules/nixos/archetypes/server.nix b/modules/nixos/archetypes/server.nix new file mode 100644 index 0000000..31e0bf5 --- /dev/null +++ b/modules/nixos/archetypes/server.nix 
@@ -0,0 +1,68 @@ +{ + config, + lib, + pkgs, + inputs, + ... +}: let + cfg = config.archetypes.server; +in { + options.archetypes = { + server.enable = lib.mkEnableOption "server archetype"; + }; + + config = lib.mkIf cfg.enable { + base = { + enable = true; + documentation.enable = false; + }; + + traits = { + cloudflared.enable = true; + + locale = { + en_US.enable = true; + US-east.enable = true; + }; + + secrets.enable = true; + + tailscale = { + enable = true; + ssh.enable = true; + }; + + user-setup.enable = true; + users = { + hostUser.enable = true; + }; + }; + + _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system}; + + boot = { + tmp.cleanOnBoot = lib.mkDefault true; + kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened; + }; + + documentation = { + enable = false; + man.enable = false; + }; + + environment = { + defaultPackages = lib.mkForce []; + etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath; + }; + + nix = { + gc = { + dates = "*-*-1,5,9,13,17,21,25,29 00:00:00"; + options = "-d --delete-older-than 2d"; + }; + + registry.n.flake = inputs.nixpkgs-stable; + settings.allowed-users = [config.networking.hostName]; + }; + }; +} diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix deleted file mode 100644 index a5c4318..0000000 --- a/modules/nixos/base.nix +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - config, - lib, - pkgs, - inputs, - ... -}: let - inherit (lib) mkDefault; -in { - imports = [ - ../shared - ]; - - environment.systemPackages = with pkgs; [man-pages man-pages-posix]; - - documentation.nixos.enable = false; - - # not sure why i can't use this on darwin? - environment.etc."nix/inputs/nixpkgs".source = lib.mkDefault inputs.nixpkgs.outPath; - - i18n = { - supportedLocales = [ - "en_US.UTF-8/UTF-8" - ]; - - defaultLocale = "en_US.UTF-8"; - }; - - networking.networkmanager = { - enable = mkDefault true; - dns = mkDefault "systemd-resolved"; - }; - - nix = { - channel.enable = mkDefault false; - gc.dates = mkDefault "weekly"; - settings.trusted-users = ["root" "@wheel"]; - }; - - programs = { - git.enable = mkDefault true; - vim.defaultEditor = mkDefault true; - }; - - security = { - apparmor.enable = mkDefault true; - audit.enable = mkDefault true; - auditd.enable = mkDefault true; - polkit.enable = mkDefault true; - rtkit.enable = mkDefault true; - sudo.execWheelOnly = true; - }; - - services = { - dbus.apparmor = mkDefault "enabled"; - - resolved = { - enable = mkDefault true; - dnssec = mkDefault "allow-downgrade"; - extraConfig = mkDefault '' - [Resolve] - DNS=1.1.1.1 1.0.0.1 - DNSOverTLS=yes - ''; - }; - - journald.extraConfig = '' - MaxRetentionSec=1w - ''; - }; - - system.activationScripts."upgrade-diff" = { - supportsDryActivation = true; - text = '' - ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig" - ''; - }; - - users = { - defaultUserShell = pkgs.bash; - mutableUsers = false; - - users.root = { - home = mkDefault "/root"; - uid = mkDefault config.ids.uids.root; - group = mkDefault "root"; - hashedPasswordFile = mkDefault config.age.secrets.rootPassword.path; - }; - }; -} diff --git a/modules/nixos/base/default.nix b/modules/nixos/base/default.nix new file mode 100644 index 0000000..31cd6ff --- /dev/null +++ b/modules/nixos/base/default.nix 
@@ -0,0 +1,28 @@ +{ + config, + lib, + pkgs, + ... +}: { + imports = [ + ../../shared + ./documentation.nix + ./networking.nix + ./nix.nix + ./programs.nix + ./security.nix + ]; + + services.journald.extraConfig = '' + MaxRetentionSec=1w + ''; + + system.activationScripts."upgrade-diff" = { + supportsDryActivation = true; + text = '' + ${lib.getExe pkgs.nvd} \ + --nix-bin-dir=${config.nix.package}/bin \ + diff /run/current-system "$systemConfig" + ''; + }; +} diff --git a/modules/nixos/base/documentation.nix b/modules/nixos/base/documentation.nix new file mode 100644 index 0000000..5792c80 --- /dev/null +++ b/modules/nixos/base/documentation.nix @@ -0,0 +1,15 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.base.documentation; + enable = config.base.enable && cfg.enable; +in { + config = lib.mkIf enable { + documentation.nixos.enable = false; + + environment.systemPackages = with pkgs; [man-pages man-pages-posix]; + }; +} diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix new file mode 100644 index 0000000..895127c --- /dev/null +++ b/modules/nixos/base/networking.nix @@ -0,0 +1,31 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.networking; + enable = config.base.enable && cfg.enable; +in { + options.base.networking = { + enable = lib.mkEnableOption "base network settings" // {default = true;}; + }; + + config = lib.mkIf enable { + networking.networkmanager = { + enable = lib.mkDefault true; + dns = "systemd-resolved"; + }; + + services = { + resolved = { + enable = lib.mkDefault true; + dnssec = "allow-downgrade"; + extraConfig = lib.mkDefault '' + [Resolve] + DNS=1.1.1.1 1.0.0.1 + DNSOverTLS=yes + ''; + }; + }; + }; +} diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix new file mode 100644 index 0000000..720a074 --- /dev/null +++ b/modules/nixos/base/nix.nix 
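Review bot: In base/networking.nix the resolved `extraConfig` turns on `DNSOverTLS=yes` but lists the upstreams as bare addresses (`DNS=1.1.1.1 1.0.0.1`); systemd-resolved only validates the server certificate (and sends SNI) when a server name is attached with the `#` suffix, so as written the DNS session is encrypted but the server is not authenticated. Suggest `DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com`. Separately, `dns = "systemd-resolved"` and `dnssec = "allow-downgrade"` lost the `mkDefault` they had in the deleted base.nix, so a host can no longer override them without `mkForce`; if that is intended a short comment would help, and `allow-downgrade` itself is worth a note that unsigned answers are accepted whenever validation fails.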
@@ -0,0 +1,20 @@ +{ + config, + lib, + inputs, + ... +}: let + cfg = config.base.nixSettings; + enable = config.base.enable && cfg.enable; +in { + config = lib.mkIf enable { + # not sure why i can't use this on darwin? + environment.etc."nix/inputs/nixpkgs".source = lib.mkDefault inputs.nixpkgs.outPath; + + nix = { + channel.enable = lib.mkDefault false; + gc.dates = lib.mkDefault "weekly"; + settings.trusted-users = ["root" "@wheel"]; + }; + }; +} diff --git a/modules/nixos/base/programs.nix b/modules/nixos/base/programs.nix new file mode 100644 index 0000000..7d1a15b --- /dev/null +++ b/modules/nixos/base/programs.nix @@ -0,0 +1,15 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultPrograms; + enable = config.base.enable && cfg.enable; +in { + config = lib.mkIf enable { + programs = { + git.enable = true; + vim.defaultEditor = true; + }; + }; +} diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix new file mode 100644 index 0000000..4401f81 --- /dev/null +++ b/modules/nixos/base/security.nix @@ -0,0 +1,26 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.security; + enable = config.base.enable && cfg.enable; +in { + options.base.security = { + enable = lib.mkEnableOption "base security settings" // {default = true;}; + }; + + config = lib.mkIf enable { + security = { + apparmor.enable = lib.mkDefault true; + audit.enable = lib.mkDefault true; + auditd.enable = lib.mkDefault true; + polkit.enable = lib.mkDefault true; + sudo.execWheelOnly = true; + }; + + services = { + dbus.apparmor = lib.mkDefault "enabled"; + }; + }; +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index a7ba7f9..a334bb3 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix 
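Review bot: base/nix.nix sets `settings.trusted-users = ["root" "@wheel"]` without a comment; trusted users can hand the daemon arbitrary substituters, sandbox settings and build users, which is effectively root on the machine, so every wheel member inherits that power. That is a common convenience in personal configs, but since this file is now the only place the setting lives, a one-line note such as `# trusted-users is root-equivalent through the daemon; wheel is trusted deliberately for local flake work` would make the trade-off explicit. Wrapping the value in `lib.mkDefault` would also let the server archetype, which already narrows `allowed-users`, restrict this list without `mkForce`.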
@@ -1,10 +1,8 @@ { flake.nixosModules = { - default = ./base.nix; + default = ./base; + archetypes = ./archetypes; desktop = ./desktop; - features = ./features; - server = ./server; - services = ./services; - suites = ./suites; + traits = ./traits; }; } diff --git a/modules/nixos/desktop/audio.nix b/modules/nixos/desktop/audio.nix new file mode 100644 index 0000000..1e47ab2 --- /dev/null +++ b/modules/nixos/desktop/audio.nix @@ -0,0 +1,27 @@ +{ + config, + lib, + ... +}: let + cfg = config.desktop.audio; + enable = config.desktop.enable && cfg.enable; +in { + options.desktop.audio = { + enable = lib.mkEnableOption "desktop audio configuration" // {default = true;}; + }; + + config = lib.mkIf enable { + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + + services = { + pipewire = lib.mkDefault { + enable = true; + wireplumber.enable = true; + alsa.enable = true; + jack.enable = true; + pulse.enable = true; + }; + }; + }; +} diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix index 12023ef..17392c4 100644 --- a/modules/nixos/desktop/default.nix +++ b/modules/nixos/desktop/default.nix 
@@ -1,68 +1,25 @@ { config, lib, - pkgs, ... }: let cfg = config.desktop; in { - options.desktop.enable = lib.mkEnableOption "base desktop settings"; + options.desktop = { + enable = lib.mkEnableOption "desktop settings"; + }; imports = [ + ./audio.nix + ./fonts.nix + ./programs.nix + ./budgie ./gnome ./plasma ]; config = lib.mkIf cfg.enable { - environment = { - noXlibs = lib.mkForce false; - systemPackages = with pkgs; [wl-clipboard xclip]; - }; - - fonts = { - enableDefaultPackages = lib.mkDefault true; - - packages = with pkgs; [ - (nerdfonts.override {fonts = ["FiraCode" "Hack" "Noto"];}) - noto-fonts - noto-fonts-extra - noto-fonts-color-emoji - noto-fonts-cjk-sans - ]; - - fontconfig = { - enable = lib.mkDefault true; - cache32Bit = true; - defaultFonts = lib.mkDefault { - serif = ["Noto Serif"]; - sansSerif = ["Noto Sans"]; - emoji = ["Noto Color Emoji"]; - monospace = ["Noto Sans Mono"]; - }; - }; - }; - - hardware.pulseaudio.enable = false; - - programs = { - chromium.enable = lib.mkDefault true; - firefox.enable = lib.mkDefault true; - xwayland.enable = lib.mkDefault true; - }; - - services = { - pipewire = lib.mkDefault { - enable = true; - wireplumber.enable = true; - alsa.enable = true; - jack.enable = true; - pulse.enable = true; - }; - - xserver.enable = lib.mkDefault true; - }; - - xdg.portal.enable = lib.mkDefault true; + services.xserver.enable = true; }; } diff --git a/modules/nixos/desktop/fonts.nix b/modules/nixos/desktop/fonts.nix new file mode 100644 index 0000000..212f88c --- /dev/null +++ b/modules/nixos/desktop/fonts.nix 
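Review bot: desktop/default.nix adds `./budgie` to `imports`, but no `modules/nixos/desktop/budgie` path appears in this commit's file list, which already covers everything under `modules`; unless that directory exists in the tree before this commit, evaluating any host that imports the desktop module fails on the missing path. Worth confirming it exists, or adding it here alongside `./gnome` and `./plasma`. Also `services.xserver.enable = true;` replaced `lib.mkDefault true`, so a host that enables `desktop` can no longer switch X off without `mkForce`; if that is intended, a short comment would avoid the question later.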
@@ -0,0 +1,38 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.desktop.fonts; + enable = config.desktop.enable && cfg.enable; +in { + options.desktop.fonts = { + enable = lib.mkEnableOption "desktop fonts" // {default = true;}; + }; + + config = lib.mkIf enable { + fonts = { + enableDefaultPackages = true; + + packages = with pkgs; [ + (nerdfonts.override {fonts = ["FiraCode" "Hack" "Noto"];}) + noto-fonts + noto-fonts-extra + noto-fonts-color-emoji + noto-fonts-cjk-sans + ]; + + fontconfig = { + enable = true; + cache32Bit = lib.mkDefault true; + defaultFonts = lib.mkDefault { + serif = ["Noto Serif"]; + sansSerif = ["Noto Sans"]; + emoji = ["Noto Color Emoji"]; + monospace = ["Noto Sans Mono"]; + }; + }; + }; + }; +} diff --git a/modules/nixos/desktop/programs.nix b/modules/nixos/desktop/programs.nix new file mode 100644 index 0000000..94bde49 --- /dev/null +++ b/modules/nixos/desktop/programs.nix @@ -0,0 +1,28 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.desktop.defaultPrograms; + enable = config.desktop.enable && cfg.enable; +in { + options.desktop.defaultPrograms = { + enable = lib.mkEnableOption "default desktop programs" // {default = true;}; + }; + + config = lib.mkIf enable { + environment = { + noXlibs = lib.mkForce false; + systemPackages = with pkgs; [wl-clipboard xclip]; + }; + + programs = { + chromium.enable = true; + firefox.enable = true; + xwayland.enable = true; + }; + + xdg.portal.enable = true; + }; +} diff --git a/modules/nixos/features/containers.nix b/modules/nixos/features/containers.nix deleted file mode 100644 index 290f7b0..0000000 --- a/modules/nixos/features/containers.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: let - cfg = config.features.containers; -in { - options.features.containers = { - enable = lib.mkEnableOption "containers support"; - }; - - config.virtualisation = lib.mkIf cfg.enable { - podman = { - enable = true; - enableNvidia = lib.mkDefault (builtins.elem "nvidia" (config.services.xserver.videoDrivers or [])); - extraPackages = with pkgs; [podman-compose]; - autoPrune.enable = true; - }; - - oci-containers.backend = "podman"; - }; -} diff --git a/modules/nixos/features/default.nix b/modules/nixos/features/default.nix deleted file mode 100644 index 607277f..0000000 --- a/modules/nixos/features/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./containers.nix - ./nvk - ./tailscale.nix - ]; -} diff --git a/modules/nixos/features/nvk/default.nix b/modules/nixos/features/nvk/default.nix deleted file mode 100644 index 977dd3b..0000000 --- a/modules/nixos/features/nvk/default.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: let - cfg = config.features.nvk; - mesa = import ./mesa.nix pkgs; - mesa32 = import ./mesa.nix pkgs.pkgsi686Linux; -in { - options.features.nvk.enable = lib.mkEnableOption "nvk"; - - config = lib.mkIf cfg.enable { - # make sure we're loading new gsp firmware - boot.kernelParams = [ - "nouveau.config=NvGspRm=1" - "nouveau.debug=info,VBIOS=info,gsp=debug" - ]; - - environment.sessionVariables = { - # (fake) advertise vk 1.3 - MESA_VK_VERSION_OVERRIDE = "1.3"; - }; - - hardware.opengl = { - package = mesa.drivers; - package32 = mesa32.drivers; - }; - - system.replaceRuntimeDependencies = [ - { - original = pkgs.mesa.out; - replacement = mesa.out; - } - { - original = pkgs.pkgsi686Linux.mesa.out; - replacement = mesa32.out; - } - ]; - }; -} diff --git a/modules/nixos/features/nvk/mesa.nix b/modules/nixos/features/nvk/mesa.nix deleted file mode 100644 index 4b622c6..0000000 --- a/modules/nixos/features/nvk/mesa.nix +++ /dev/null 
@@ -1,126 +0,0 @@ -/* -thanks to the chaotic-cx LUG for their mesa-git expression, it inspired some of this -https://github.com/chaotic-cx/nyx/blob/a4e9fa0795880c3330d9f86cab466a7402d6d4f5/pkgs/mesa-git/default.nix - -MIT License - -Copyright (c) 2023 Pedro Henrique Lara Campos - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. -*/ -{ - lib, - pkgs, - ... 
-}: let - cargoDeps = { - proc-macro2 = { - version = "1.0.70"; - hash = "sha256-OSePu/X7T2Rs5lFpCHf4nRxYEaPUrLJ3AMHLPNt4/Ts="; - }; - quote = { - version = "1.0.33"; - hash = "sha256-Umf8pElgKGKKlRYPxCOjPosuavilMCV54yLktSApPK4="; - }; - syn = { - version = "2.0.39"; - hash = "sha256-I+eLkPL89F0+hCAyzjLj8tFUW6ZjYnHcvyT6MG2Hvno="; - }; - unicode-ident = { - version = "1.0.12"; - hash = "sha256-M1S5rD+uH/Z1XLbbU2g622YWNPZ1V5Qt6k+s6+wP7ks="; - }; - }; - mesa = - (pkgs.mesa.override { - # we use the new flag for this - enablePatentEncumberedCodecs = false; - - vulkanDrivers = - if pkgs.stdenv.isLinux - then - [ - "amd" # AMD (aka RADV) - "microsoft-experimental" # WSL virtualized GPU (aka DZN/Dozen) - "swrast" # software renderer (aka Lavapipe) - "nouveau-experimental" # nvk - ] - ++ lib.optionals (pkgs.stdenv.hostPlatform.isAarch -> lib.versionAtLeast pkgs.stdenv.hostPlatform.parsed.cpu.version "6") [ - # QEMU virtualized GPU (aka VirGL) - # Requires ATOMIC_INT_LOCK_FREE == 2. - "virtio" - ] - ++ lib.optionals pkgs.stdenv.isAarch64 [ - "broadcom" # Broadcom VC5 (Raspberry Pi 4, aka V3D) - "freedreno" # Qualcomm Adreno (all Qualcomm SoCs) - "imagination-experimental" # PowerVR Rogue (currently N/A) - "panfrost" # ARM Mali Midgard and up (T/G series) - ] - ++ lib.optionals pkgs.stdenv.hostPlatform.isx86 [ - "intel" # Intel (aka ANV), could work on non-x86 with PCIe cards, but doesn't build - "intel_hasvk" # Intel Haswell/Broadwell, "legacy" Vulkan driver (https://www.phoronix.com/news/Intel-HasVK-Drop-Dead-Code) - ] - else ["auto"]; - }) - .overrideAttrs (new: old: { - version = "24.0.0"; - - src = pkgs.fetchurl { - urls = [ - "https://archive.mesa3d.org/mesa-${new.version}.tar.xz" - "https://mesa.freedesktop.org/archive/mesa-${new.version}.tar.xz" - ]; - - hash = "sha256-YoWlu7v0P92vtLO3JrFIpKIiRg6JK9G2mq/004DJg1U="; - }; - - nativeBuildInputs = old.nativeBuildInputs ++ [pkgs.rustc pkgs.rust-bindgen]; - - patches = let - badPatches = [ - 
"0001-dri-added-build-dependencies-for-systems-using-non-s.patch" - "0002-util-Update-util-libdrm.h-stubs-to-allow-loader.c-to.patch" - "0003-glx-fix-automatic-zink-fallback-loading-between-hw-a.patch" - ]; - in - lib.filter (patch: !(lib.elem (baseNameOf patch) badPatches)) old.patches; - - postPatch = let - cargoFetch = crate: - pkgs.fetchurl { - url = "https://crates.io/api/v1/crates/${crate}/${cargoDeps.${crate}.version}/download"; - inherit (cargoDeps.${crate}) hash; - }; - - cargoSubproject = crate: '' - ln -s ${cargoFetch crate} subprojects/packagecache/${crate}-${cargoDeps.${crate}.version}.tar.gz - ''; - - subprojects = lib.concatMapStringsSep "\n" cargoSubproject (lib.attrNames cargoDeps); - in - old.postPatch - + '' - mkdir subprojects/packagecache - ${subprojects} - ''; - - mesonFlags = old.mesonFlags ++ lib.optional (!pkgs.stdenv.hostPlatform.is32bit) "-D video-codecs=all"; - }); -in - mesa diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix deleted file mode 100644 index 9eba428..0000000 --- a/modules/nixos/features/tailscale.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - config, - lib, - secretsDir, - ... -}: let - cfg = config.features.tailscale; -in { - options.features.tailscale = { - enable = lib.mkEnableOption "Tailscale"; - ssh.enable = lib.mkEnableOption "Tailscale SSH"; - }; - - config = lib.mkIf cfg.enable { - age.secrets = lib.mkIf cfg.ssh.enable { - tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; - }; - - networking.firewall = - { - trustedInterfaces = ["tailscale0"]; - } - // lib.optionalAttrs cfg.ssh.enable { - allowedTCPPorts = [22]; - }; - - services.tailscale = - { - enable = true; - openFirewall = true; - } - // lib.optionalAttrs cfg.ssh.enable { - authKeyFile = config.age.secrets.tailscaleAuthKey.path; - extraUpFlags = ["--ssh"]; - }; - }; -} diff --git a/modules/nixos/server/acme.nix b/modules/nixos/server/acme.nix deleted file mode 100644 index a08c8ae..0000000 
--- a/modules/nixos/server/acme.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ - config, - lib, - secretsDir, - ... -}: let - cfg = config.server.acme; -in { - options.server.acme.enable = lib.mkEnableOption "ACME support"; - - config = lib.mkIf cfg.enable { - age.secrets = { - cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age"; - }; - - security.acme = { - acceptTerms = true; - defaults = { - email = "getchoo@tuta.io"; - dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets.cloudflareApiKey.path; - }; - }; - }; -} diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix deleted file mode 100644 index baf05f9..0000000 --- a/modules/nixos/server/default.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ - config, - lib, - pkgs, - inputs, - ... -}: let - cfg = config.server; -in { - options.server.enable = lib.mkEnableOption "base server settings"; - - imports = [ - ./acme.nix - ./secrets.nix - ]; - - config = lib.mkIf cfg.enable { - _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system}; - - boot = { - tmp.cleanOnBoot = lib.mkDefault true; - kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened; - }; - environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath; - - documentation = { - enable = false; - man.enable = false; - }; - - environment.defaultPackages = lib.mkForce []; - - nix = { - gc = { - dates = "*-*-1,5,9,13,17,21,25,29 00:00:00"; - options = "-d --delete-older-than 2d"; - }; - - registry.n.flake = inputs.nixpkgs-stable; - settings.allowed-users = [config.networking.hostName]; - }; - }; -} diff --git a/modules/nixos/server/secrets.nix b/modules/nixos/server/secrets.nix deleted file mode 100644 index 0f38995..0000000 --- a/modules/nixos/server/secrets.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - config, - lib, - secretsDir, - ... -}: let - cfg = config.server.secrets; -in { - options.server.secrets.enable = lib.mkEnableOption "secrets management"; - - config = lib.mkIf cfg.enable { - age = { - identityPaths = ["/etc/age/key"]; - - secrets = { - rootPassword.file = secretsDir + "/rootPassword.age"; - userPassword.file = secretsDir + "/userPassword.age"; - }; - }; - }; -} diff --git a/modules/nixos/services/cloudflared.nix b/modules/nixos/services/cloudflared.nix deleted file mode 100644 index 42f5908..0000000 --- a/modules/nixos/services/cloudflared.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ - config, - lib, - secretsDir, - ... -}: let - cfg = config.server.services.cloudflared; - inherit (lib) mkEnableOption mkIf; - inherit (config.services) nginx; -in { - options.server.services.cloudflared = { - enable = mkEnableOption "cloudflared"; - }; - - config = mkIf cfg.enable { - age.secrets.cloudflaredCreds = { - file = secretsDir + "/cloudflaredCreds.age"; - mode = "400"; - owner = "cloudflared"; - group = "cloudflared"; - }; - - services.cloudflared = { - enable = true; - tunnels = { - "${config.networking.hostName}-nginx" = { - default = "http_status:404"; - - ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) ( - _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";} - ); - - credentialsFile = config.age.secrets.cloudflaredCreds.path; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix deleted file mode 100644 index 3423b79..0000000 --- a/modules/nixos/services/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./cloudflared.nix - ./hercules.nix - ./promtail.nix - ]; -} diff --git a/modules/nixos/services/hercules.nix b/modules/nixos/services/hercules.nix deleted file mode 100644 index 879367c..0000000 --- a/modules/nixos/services/hercules.nix +++ /dev/null 
@@ -1,55 +0,0 @@ -{ - config, - lib, - unstable, - secretsDir, - ... -}: let - cfg = config.server.services.hercules-ci; - inherit (lib) mkEnableOption mkIf; - - hercArgs = { - mode = "400"; - owner = "hercules-ci-agent"; - group = "hercules-ci-agent"; - }; -in { - options.server.services.hercules-ci = { - enable = mkEnableOption "hercules-ci"; - secrets.enable = mkEnableOption "secrets management for hercules-ci"; - }; - - config = mkIf cfg.enable { - age.secrets = mkIf cfg.secrets.enable { - binaryCache = - { - file = secretsDir + "/binaryCache.age"; - } - // hercArgs; - - clusterToken = - { - file = secretsDir + "/clusterToken.age"; - } - // hercArgs; - - secretsJson = - { - file = secretsDir + "/secretsJson.age"; - } - // hercArgs; - }; - - services = { - hercules-ci-agent = { - enable = true; - package = unstable.hercules-ci-agent; - settings = { - binaryCachesPath = config.age.secrets.binaryCache.path; - clusterJoinTokenPath = config.age.secrets.clusterToken.path; - secretsJsonPath = config.age.secrets.secretsJson.path; - }; - }; - }; - }; -} diff --git a/modules/nixos/services/promtail.nix b/modules/nixos/services/promtail.nix deleted file mode 100644 index ced1ece..0000000 --- a/modules/nixos/services/promtail.nix +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - config, - lib, - ... -}: let - cfg = config.server.services.promtail; - inherit (lib) mkEnableOption mkIf mkOption types; -in { - options.server.services.promtail = { - enable = mkEnableOption "Promtail"; - - clients = mkOption { - type = types.listOf types.attrs; - default = [{}]; - description = "clients for promtail"; - }; - }; - - config.services.promtail = mkIf cfg.enable { - enable = true; - configuration = { - inherit (cfg) clients; - server.disable = true; - - scrape_configs = [ - { - job_name = "journal"; - - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = "${config.networking.hostName}"; - }; - }; - - relabel_configs = [ - { - source_labels = ["__journal__systemd_unit"]; - target_label = "unit"; - } - ]; - } - ]; - }; - }; -} diff --git a/modules/nixos/suites/default.nix b/modules/nixos/suites/default.nix deleted file mode 100644 index 0d11285..0000000 --- a/modules/nixos/suites/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./personal.nix - ./server.nix - ]; -} diff --git a/modules/nixos/suites/personal.nix b/modules/nixos/suites/personal.nix deleted file mode 100644 index 830062b..0000000 --- a/modules/nixos/suites/personal.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - config, - lib, - secretsDir, - ... -}: let - cfg = config.suites.personal; -in { - config = lib.mkIf cfg.enable { - age = { - identityPaths = ["/etc/age/key"]; - secrets = { - rootPassword.file = secretsDir + "/rootPassword.age"; - sethPassword.file = secretsDir + "/sethPassword.age"; - }; - }; - }; -} diff --git a/modules/nixos/suites/server.nix b/modules/nixos/suites/server.nix deleted file mode 100644 index ac0c001..0000000 --- a/modules/nixos/suites/server.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - config, - lib, - ... -}: let - cfg = config.suites.server; -in { - options.suites.server = { - enable = lib.mkEnableOption "Server configuration set"; - }; - - config = lib.mkIf cfg.enable { - features.tailscale = { - enable = true; - ssh.enable = true; - }; - - server = { - enable = true; - secrets.enable = true; - }; - }; -} diff --git a/modules/nixos/traits/acme.nix b/modules/nixos/traits/acme.nix new file mode 100644 index 0000000..a377b25 --- /dev/null +++ b/modules/nixos/traits/acme.nix @@ -0,0 +1,46 @@ +{ + config, + lib, + secretsDir, + ... +}: let + cfg = config.traits.acme; +in { + options.traits.acme = { + enable = lib.mkEnableOption "ACME support"; + + manageSecrets = + lib.mkEnableOption "automatic management of secrets" + // { + default = config.traits.secrets.enable; + }; + + useDns = lib.mkEnableOption "the usage of dns to get certs" // {default = true;}; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + security.acme = { + acceptTerms = true; + defaults = + { + email = "getchoo@tuta.io"; + } + // lib.optionalAttrs cfg.useDns { + dnsProvider = "cloudflare"; + } + // lib.optionalAttrs cfg.manageSecrets { + credentialsFile = config.age.secrets.cloudflareApiKey.path; + }; + }; + } + + (lib.mkIf cfg.manageSecrets { + age.secrets = { + cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age"; + }; + }) + ] + ); +} diff --git a/modules/nixos/traits/cloudflared.nix b/modules/nixos/traits/cloudflared.nix new file mode 100644 index 0000000..9905d33 --- /dev/null +++ b/modules/nixos/traits/cloudflared.nix 
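Review bot: With `useDns` defaulting to true but `manageSecrets` following `config.traits.secrets.enable`, a host that has secrets disabled ends up with `dnsProvider = "cloudflare"` and no `credentialsFile`, so the DNS-01 challenge presumably has no API token to run with and fails at issue/renewal time rather than at evaluation. The deleted `server/acme.nix` always set the two together, so this gap is new to the traits model. Either keep them coupled, `// lib.optionalAttrs (cfg.useDns && cfg.manageSecrets) { dnsProvider = "cloudflare"; credentialsFile = config.age.secrets.cloudflareApiKey.path; }`, or add `assertions = [{ assertion = cfg.useDns -> config.security.acme.defaults.credentialsFile != null; message = "traits.acme.useDns requires security.acme.defaults.credentialsFile"; }];` so the misconfiguration is caught when the system is built.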
@@ -0,0 +1,50 @@ +{ + config, + lib, + secretsDir, + ... +}: let + cfg = config.traits.cloudflared; + inherit (config.services) nginx; +in { + options.traits.cloudflared = { + enable = lib.mkEnableOption "cloudflared"; + manageSecrets = + lib.mkEnableOption "automatically managed secrets" + // { + default = config.traits.secrets.enable; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + services.cloudflared = { + enable = true; + tunnels = { + "${config.networking.hostName}-nginx" = + { + default = "http_status:404"; + + ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) ( + _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";} + ); + } + // lib.optionalAttrs cfg.manageSecrets { + credentialsFile = config.age.secrets.cloudflaredCreds.path; + }; + }; + }; + } + + (lib.mkIf cfg.manageSecrets { + age.secrets.cloudflaredCreds = { + file = secretsDir + "/cloudflaredCreds.age"; + mode = "400"; + owner = "cloudflared"; + group = "cloudflared"; + }; + }) + ] + ); +} diff --git a/modules/nixos/traits/containers.nix b/modules/nixos/traits/containers.nix new file mode 100644 index 0000000..43c748c --- /dev/null +++ b/modules/nixos/traits/containers.nix @@ -0,0 +1,23 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.traits.containers; +in { + options.traits.containers = { + enable = lib.mkEnableOption "containers support"; + }; + + config.virtualisation = lib.mkIf cfg.enable { + podman = { + enable = true; + enableNvidia = lib.mkDefault (builtins.elem "nvidia" (config.services.xserver.videoDrivers or [])); + extraPackages = with pkgs; [podman-compose]; + autoPrune.enable = true; + }; + + oci-containers.backend = "podman"; + }; +} diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix new file mode 100644 index 0000000..6eda57f --- /dev/null +++ b/modules/nixos/traits/default.nix 
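Review bot: `credentialsFile` is only set under `lib.optionalAttrs cfg.manageSecrets`, yet nothing makes the caller supply one otherwise, so a host with `traits.secrets.enable = false` declares a tunnel that cannot authenticate (and, if the upstream tunnel option has no default, fails evaluation on the missing attribute). Consider an explicit `credentialsFile` option on the trait whose default is the agenix path when `manageSecrets` is on, or an assertion such as `assertion = cfg.manageSecrets || config.services.cloudflared.tunnels."${config.networking.hostName}-nginx".credentialsFile != null;`. A one-line comment above `ingress` noting that every entry of `nginx.virtualHosts` is published through the tunnel would also help, since that set can grow in other modules without anyone revisiting this file.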
@@ -0,0 +1,15 @@ +{ + imports = [ + ./acme.nix + ./cloudflared.nix + ./containers.nix + ./hercules.nix + ./locale.nix + ./nvk + ./promtail.nix + ./secrets.nix + ./tailscale.nix + ./user-setup.nix + ./users.nix + ]; +} diff --git a/modules/nixos/traits/hercules.nix b/modules/nixos/traits/hercules.nix new file mode 100644 index 0000000..fc3dbd0 --- /dev/null +++ b/modules/nixos/traits/hercules.nix @@ -0,0 +1,49 @@ +{ + config, + lib, + unstable, + secretsDir, + ... +}: let + cfg = config.traits.hercules-ci; +in { + options.traits.hercules-ci = { + enable = lib.mkEnableOption "hercules-ci"; + manageSecrets = lib.mkEnableOption "automatic secrets management"; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + services = { + hercules-ci-agent = { + enable = true; + package = unstable.hercules-ci-agent; + settings = { + binaryCachesPath = config.age.secrets.binaryCache.path; + clusterJoinTokenPath = config.age.secrets.clusterToken.path; + secretsJsonPath = config.age.secrets.secretsJson.path; + }; + }; + }; + } + + (let + hercArgs = { + mode = "400"; + owner = "hercules-ci-agent"; + group = "hercules-ci-agent"; + }; + + mkSecrets = lib.mapAttrs (_: file: lib.recursiveUpdate hercArgs {inherit file;}); + in + lib.mkIf cfg.manageSecrets { + age.secrets = mkSecrets { + binaryCache = secretsDir + "/binaryCache.age"; + clusterToken = secretsDir + "/clusterToken.age"; + secretsJson = secretsDir + "/secretsJson.age"; + }; + }) + ] + ); +} diff --git a/modules/nixos/traits/locale.nix b/modules/nixos/traits/locale.nix new file mode 100644 index 0000000..1de19ce --- /dev/null +++ b/modules/nixos/traits/locale.nix @@ -0,0 +1,25 @@ +{ + config, + lib, + ... +}: let + cfg = config.traits.locale; +in { + options.traits.locale = { + en_US = { + enable = lib.mkEnableOption "en_US locale"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.en_US.enable { + i18n = { + supportedLocales = [ + "en_US.UTF-8/UTF-8" + ]; + + defaultLocale = "en_US.UTF-8"; + }; + }) + ]; +} 
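Review bot: In `traits/hercules.nix`, `binaryCachesPath`, `clusterJoinTokenPath` and `secretsJsonPath` read `config.age.secrets.*.path` unconditionally, but those three secrets are only declared inside `lib.mkIf cfg.manageSecrets`, so enabling the trait with `manageSecrets = false` fails evaluation on a missing attribute. The sibling traits in this commit (acme, cloudflared, tailscale) gate such references with `lib.optionalAttrs cfg.manageSecrets` and give `manageSecrets` a `default = config.traits.secrets.enable`; this file does neither. Wrap the `settings` attribute in `// lib.optionalAttrs cfg.manageSecrets { ... }` (or assert `cfg.manageSecrets` with a clear message) and add the same default so the traits behave alike.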
diff --git a/modules/nixos/traits/nvk/default.nix b/modules/nixos/traits/nvk/default.nix new file mode 100644 index 0000000..8e849ce --- /dev/null +++ b/modules/nixos/traits/nvk/default.nix @@ -0,0 +1,43 @@ +{ + config, + lib, + pkgs, + ... +}: let + cfg = config.traits.nvk; + mesa = import ./mesa.nix pkgs; + mesa32 = import ./mesa.nix pkgs.pkgsi686Linux; +in { + options.traits.nvk = { + enable = lib.mkEnableOption "nvk drivers"; + }; + + config = lib.mkIf cfg.enable { + # make sure we're loading new gsp firmware + boot.kernelParams = [ + "nouveau.config=NvGspRm=1" + "nouveau.debug=info,VBIOS=info,gsp=debug" + ]; + + environment.sessionVariables = { + # (fake) advertise vk 1.3 + MESA_VK_VERSION_OVERRIDE = "1.3"; + }; + + hardware.opengl = { + package = mesa.drivers; + package32 = mesa32.drivers; + }; + + system.replaceRuntimeDependencies = [ + { + original = pkgs.mesa.out; + replacement = mesa.out; + } + { + original = pkgs.pkgsi686Linux.mesa.out; + replacement = mesa32.out; + } + ]; + }; +} diff --git a/modules/nixos/traits/nvk/mesa.nix b/modules/nixos/traits/nvk/mesa.nix new file mode 100644 index 0000000..4b622c6 --- /dev/null +++ b/modules/nixos/traits/nvk/mesa.nix 
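Review bot: `nouveau.debug=info,VBIOS=info,gsp=debug` turns on debug-level driver logging for every host that enables `traits.nvk`, which is a log-volume trade-off rather than a requirement of the GSP firmware path, and the existing comment only explains the `NvGspRm=1` line. Add a comment such as `# verbose nouveau/GSP logging while NVK is experimental; drop once the driver is stable` or move the parameter behind its own option so that routine hosts do not carry it. The `MESA_VK_VERSION_OVERRIDE` comment would likewise benefit from a word on why a 1.3 advertisement is needed here.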
@@ -0,0 +1,126 @@ +/* +thanks to the chaotic-cx LUG for their mesa-git expression, it inspired some of this +https://github.com/chaotic-cx/nyx/blob/a4e9fa0795880c3330d9f86cab466a7402d6d4f5/pkgs/mesa-git/default.nix + +MIT License + +Copyright (c) 2023 Pedro Henrique Lara Campos + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. +*/ +{ + lib, + pkgs, + ... 
+}: let + cargoDeps = { + proc-macro2 = { + version = "1.0.70"; + hash = "sha256-OSePu/X7T2Rs5lFpCHf4nRxYEaPUrLJ3AMHLPNt4/Ts="; + }; + quote = { + version = "1.0.33"; + hash = "sha256-Umf8pElgKGKKlRYPxCOjPosuavilMCV54yLktSApPK4="; + }; + syn = { + version = "2.0.39"; + hash = "sha256-I+eLkPL89F0+hCAyzjLj8tFUW6ZjYnHcvyT6MG2Hvno="; + }; + unicode-ident = { + version = "1.0.12"; + hash = "sha256-M1S5rD+uH/Z1XLbbU2g622YWNPZ1V5Qt6k+s6+wP7ks="; + }; + }; + mesa = + (pkgs.mesa.override { + # we use the new flag for this + enablePatentEncumberedCodecs = false; + + vulkanDrivers = + if pkgs.stdenv.isLinux + then + [ + "amd" # AMD (aka RADV) + "microsoft-experimental" # WSL virtualized GPU (aka DZN/Dozen) + "swrast" # software renderer (aka Lavapipe) + "nouveau-experimental" # nvk + ] + ++ lib.optionals (pkgs.stdenv.hostPlatform.isAarch -> lib.versionAtLeast pkgs.stdenv.hostPlatform.parsed.cpu.version "6") [ + # QEMU virtualized GPU (aka VirGL) + # Requires ATOMIC_INT_LOCK_FREE == 2. + "virtio" + ] + ++ lib.optionals pkgs.stdenv.isAarch64 [ + "broadcom" # Broadcom VC5 (Raspberry Pi 4, aka V3D) + "freedreno" # Qualcomm Adreno (all Qualcomm SoCs) + "imagination-experimental" # PowerVR Rogue (currently N/A) + "panfrost" # ARM Mali Midgard and up (T/G series) + ] + ++ lib.optionals pkgs.stdenv.hostPlatform.isx86 [ + "intel" # Intel (aka ANV), could work on non-x86 with PCIe cards, but doesn't build + "intel_hasvk" # Intel Haswell/Broadwell, "legacy" Vulkan driver (https://www.phoronix.com/news/Intel-HasVK-Drop-Dead-Code) + ] + else ["auto"]; + }) + .overrideAttrs (new: old: { + version = "24.0.0"; + + src = pkgs.fetchurl { + urls = [ + "https://archive.mesa3d.org/mesa-${new.version}.tar.xz" + "https://mesa.freedesktop.org/archive/mesa-${new.version}.tar.xz" + ]; + + hash = "sha256-YoWlu7v0P92vtLO3JrFIpKIiRg6JK9G2mq/004DJg1U="; + }; + + nativeBuildInputs = old.nativeBuildInputs ++ [pkgs.rustc pkgs.rust-bindgen]; + + patches = let + badPatches = [ + 
"0001-dri-added-build-dependencies-for-systems-using-non-s.patch" + "0002-util-Update-util-libdrm.h-stubs-to-allow-loader.c-to.patch" + "0003-glx-fix-automatic-zink-fallback-loading-between-hw-a.patch" + ]; + in + lib.filter (patch: !(lib.elem (baseNameOf patch) badPatches)) old.patches; + + postPatch = let + cargoFetch = crate: + pkgs.fetchurl { + url = "https://crates.io/api/v1/crates/${crate}/${cargoDeps.${crate}.version}/download"; + inherit (cargoDeps.${crate}) hash; + }; + + cargoSubproject = crate: '' + ln -s ${cargoFetch crate} subprojects/packagecache/${crate}-${cargoDeps.${crate}.version}.tar.gz + ''; + + subprojects = lib.concatMapStringsSep "\n" cargoSubproject (lib.attrNames cargoDeps); + in + old.postPatch + + '' + mkdir subprojects/packagecache + ${subprojects} + ''; + + mesonFlags = old.mesonFlags ++ lib.optional (!pkgs.stdenv.hostPlatform.is32bit) "-D video-codecs=all"; + }); +in + mesa diff --git a/modules/nixos/traits/promtail.nix b/modules/nixos/traits/promtail.nix new file mode 100644 index 0000000..5e08b25 --- /dev/null +++ b/modules/nixos/traits/promtail.nix @@ -0,0 +1,49 @@ +{ + config, + lib, + ... +}: let + cfg = config.traits.promtail; + inherit (lib) types; +in { + options.traits.promtail = { + enable = lib.mkEnableOption "Promtail"; + + clients = lib.mkOption { + type = types.listOf types.attrs; + default = [{}]; + description = "clients for promtail"; + }; + }; + + config = lib.mkIf cfg.enable { + services.promtail = { + enable = true; + configuration = { + inherit (cfg) clients; + server.disable = true; + + scrape_configs = [ + { + job_name = "journal"; + + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "${config.networking.hostName}"; + }; + }; + + relabel_configs = [ + { + source_labels = ["__journal__systemd_unit"]; + target_label = "unit"; + } + ]; + } + ]; + }; + }; + }; +} diff --git a/modules/nixos/traits/secrets.nix b/modules/nixos/traits/secrets.nix new file mode 100644 index 0000000..085d8f3 
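Review bot: `mkdir subprojects/packagecache` in `postPatch` aborts the build if that directory already exists in the unpacked tarball or was created by an earlier hook; `mkdir -p subprojects/packagecache` is the safe form. The crate tarballs and the Mesa source are fetched with pinned `hash` values, so an upstream change surfaces as a hash mismatch instead of silently altering the build, which is the right shape for a custom driver override. A comment on `cargoDeps` saying that the versions presumably have to match what Mesa's meson wrap files expect for the symlinked archives to be picked up would help whoever bumps `version` next.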
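Review bot: In `traits/promtail.nix`, `host = "${config.networking.hostName}";` interpolates a string into a string; `host = config.networking.hostName;` is the idiomatic form (the same pattern was in the deleted `services/promtail.nix`, so this is carried-over style). `server.disable = true` is the line that keeps Promtail from opening its own HTTP listener, which deserves a short comment so it is not mistaken for dead configuration and removed.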
--- /dev/null +++ b/modules/nixos/traits/secrets.nix @@ -0,0 +1,17 @@ +{ + config, + lib, + ... +}: let + cfg = config.traits.secrets; +in { + options.traits.secrets = { + enable = lib.mkEnableOption "secrets management"; + }; + + config = lib.mkIf cfg.enable { + age = { + identityPaths = ["/etc/age/key"]; + }; + }; +} diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix new file mode 100644 index 0000000..93616b5 --- /dev/null +++ b/modules/nixos/traits/tailscale.nix @@ -0,0 +1,48 @@ +{ + config, + lib, + secretsDir, + ... +}: let + cfg = config.traits.tailscale; +in { + options.traits.tailscale = { + enable = lib.mkEnableOption "Tailscale"; + ssh.enable = lib.mkEnableOption "Tailscale SSH"; + manageSecrets = + lib.mkEnableOption "the use of agenix for auth" + // { + default = config.traits.secrets.enable && cfg.ssh.enable; + }; + }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + networking.firewall = + { + trustedInterfaces = ["tailscale0"]; + } + // lib.optionalAttrs cfg.ssh.enable { + allowedTCPPorts = [22]; + }; + + services.tailscale = + { + enable = true; + openFirewall = true; + } + // lib.optionalAttrs cfg.ssh.enable { + extraUpFlags = ["--ssh"]; + } + // lib.optionalAttrs cfg.manageSecrets { + authKeyFile = config.age.secrets.tailscaleAuthKey.path; + }; + } + + (lib.mkIf cfg.manageSecrets { + age.secrets = lib.mkIf cfg.manageSecrets { + tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; + }; + }) + ]); +} diff --git a/modules/nixos/traits/user-setup.nix b/modules/nixos/traits/user-setup.nix new file mode 100644 index 0000000..a8a4cd6 --- /dev/null +++ b/modules/nixos/traits/user-setup.nix 
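Review bot: In `traits/tailscale.nix`, `allowedTCPPorts = [22]` under `ssh.enable` opens port 22 on every interface, while `tailscale0` is already in `trustedInterfaces`; if the intent is only Tailscale SSH (`--ssh`), which is served over the tailnet interface, the global rule widens exposure without adding reachability. Scoping it with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];`, or dropping it, keeps the trait to what it needs. Separately, `age.secrets = lib.mkIf cfg.manageSecrets { ... }` sits inside a block already guarded by `lib.mkIf cfg.manageSecrets`, so the inner `mkIf` is redundant and can be removed.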
@@ -0,0 +1,45 @@ +{ + config, + lib, + pkgs, + secretsDir, + ... +}: let + cfg = config.traits.user-setup; +in { + options.traits.user-setup = { + enable = lib.mkEnableOption "basic immutable user & root configurations"; + manageSecrets = + lib.mkEnableOption "automatic management of secrets" + // { + default = config.traits.secrets.enable; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + users = { + defaultUserShell = pkgs.bash; + mutableUsers = false; + + users.root = + { + home = lib.mkDefault "/root"; + uid = lib.mkDefault config.ids.uids.root; + group = lib.mkDefault "root"; + } + // lib.optionalAttrs cfg.manageSecrets { + hashedPasswordFile = config.age.secrets.rootPassword.path; + }; + }; + } + + (lib.mkIf cfg.manageSecrets { + age.secrets = { + rootPassword.file = secretsDir + "/rootPassword.age"; + }; + }) + ] + ); +} diff --git a/modules/nixos/traits/users.nix b/modules/nixos/traits/users.nix new file mode 100644 index 0000000..3302366 --- /dev/null +++ b/modules/nixos/traits/users.nix @@ -0,0 +1,44 @@ +{ + config, + lib, + pkgs, + secretsDir, + ... +}: let + cfg = config.traits.users; + inherit (config.networking) hostName; +in { + imports = [ + ../../../users/seth/nixos.nix + ]; + + options.traits.users = { + hostUser = { + enable = lib.mkEnableOption "${hostName} user configuration"; + manageSecrets = + lib.mkEnableOption "automatically manage secrets" + // { + default = config.traits.secrets.enable; + }; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.hostUser.enable { + users.users.${hostName} = { + isNormalUser = true; + shell = pkgs.bash; + }; + }) + + (lib.mkIf (cfg.hostUser.enable && cfg.hostUser.manageSecrets) { + age.secrets = { + userPassword.file = secretsDir + "/userPassword.age"; + }; + + users.users.${hostName} = { + hashedPasswordFile = config.age.secrets.userPassword.path; + }; + }) + ]; +} diff --git a/modules/shared/base/default.nix b/modules/shared/base/default.nix new file mode 100644 index 0000000..9154ae7 
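Review bot: `mutableUsers = false` together with `hashedPasswordFile` set only under `manageSecrets` means a host with `traits.secrets.enable = false` gets a root account with no password at all, and with immutable users nothing can add one afterwards, so unless another module supplies a credential the host is not reachable as root. The same applies to the `${hostName}` user in the `traits/users.nix` hunk that follows, which sets `isNormalUser = true` and no other credential. A comment stating that expectation, or an assertion such as `assertion = cfg.manageSecrets || config.users.users.root.hashedPasswordFile != null;` with a message naming the trait, would make the lockout a deliberate choice rather than a surprise at first boot.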
--- /dev/null +++ b/modules/shared/base/default.nix @@ -0,0 +1,23 @@ +{ + config, + lib, + inputs, + ... +}: let + cfg = config.base; + inherit (inputs) self; +in { + options.base = { + enable = lib.mkEnableOption "basic configurations"; + }; + + imports = [ + ./documentation.nix + ./nix.nix + ./programs.nix + ]; + + config = lib.mkIf cfg.enable { + system.configurationRevision = self.rev or self.dirtyRev or "dirty-unknown"; + }; +} diff --git a/modules/shared/base/documentation.nix b/modules/shared/base/documentation.nix new file mode 100644 index 0000000..0139f7d --- /dev/null +++ b/modules/shared/base/documentation.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.documentation; + enable = config.base.enable && cfg.enable; +in { + options.base.documentation = { + enable = lib.mkEnableOption "documentation settings" // {default = true;}; + }; + + config = lib.mkIf enable { + documentation = { + doc.enable = false; + info.enable = false; + }; + }; +} diff --git a/modules/shared/base/nix.nix b/modules/shared/base/nix.nix new file mode 100644 index 0000000..6e1bdf3 --- /dev/null +++ b/modules/shared/base/nix.nix 
@@ -0,0 +1,43 @@ +{ + config, + lib, + pkgs, + inputs, + ... +}: let + cfg = config.base.nixSettings; + enable = config.base.enable && cfg.enable; +in { + options.base.nixSettings = { + enable = lib.mkEnableOption "nix settings" // {default = true;}; + }; + + config = lib.mkIf enable { + nix = { + registry.n.flake = lib.mkDefault inputs.nixpkgs; + + nixPath = [ + "nixpkgs=/etc/nix/inputs/nixpkgs" + ]; + + settings = { + auto-optimise-store = pkgs.stdenv.isLinux; + experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"]; + + trusted-substituters = lib.mkDefault ["https://getchoo.cachix.org"]; + trusted-public-keys = lib.mkDefault ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="]; + nix-path = config.nix.nixPath; + }; + + gc = { + automatic = lib.mkDefault true; + options = lib.mkDefault "--delete-older-than 7d"; + }; + }; + + nixpkgs = { + overlays = [inputs.self.overlays.default]; + config.allowUnfree = lib.mkDefault true; + }; + }; +} diff --git a/modules/shared/base/programs.nix b/modules/shared/base/programs.nix new file mode 100644 index 0000000..796fce0 --- /dev/null +++ b/modules/shared/base/programs.nix @@ -0,0 +1,16 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultPrograms; + enable = config.base.enable && cfg.enable; +in { + options.base.defaultPrograms = { + enable = lib.mkEnableOption "default programs" // {default = true;}; + }; + + config = lib.mkIf enable { + programs.gnupg.agent.enable = lib.mkDefault true; + }; +} diff --git a/modules/shared/default.nix b/modules/shared/default.nix index edd1f34..cf3dd84 100644 --- a/modules/shared/default.nix +++ b/modules/shared/default.nix 
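Review bot: `trusted-public-keys = lib.mkDefault [ ... ]` is fragile for a trust anchor: if the NixOS nix module defines `trusted-public-keys` itself at normal priority (as far as I recall it adds cache.nixos.org's key), this lower-priority definition is discarded and the getchoo key is never trusted; if it does not, this list replaces Nix's built-in default and paths signed only by cache.nixos.org stop verifying. The lines are carried over from the deleted `shared/nix.nix`, so the behaviour is not new, but this is the natural point to fix it: a plain definition, or `nix.settings.extra-trusted-public-keys = [ "getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE=" ];`, states the intent unambiguously. A short comment on why the cache is listed under `trusted-substituters` (allowed for unprivileged users) rather than `substituters` (used by default) would also help.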
@@ -1,24 +1,6 @@ { - lib, - inputs, - ... -}: let - inherit (inputs) self; -in { imports = [ - ./nix.nix - ./suites - ./users + ./base + ./traits ]; - - system.configurationRevision = self.rev or self.dirtyRev or "dirty-unknown"; - - documentation = { - doc.enable = false; - info.enable = false; - }; - - time.timeZone = lib.mkDefault "America/New_York"; - - programs.gnupg.agent.enable = lib.mkDefault true; } diff --git a/modules/shared/nix.nix b/modules/shared/nix.nix deleted file mode 100644 index 770e7e4..0000000 --- a/modules/shared/nix.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ - config, - lib, - pkgs, - inputs, - ... -}: { - nix = { - registry.n.flake = lib.mkDefault inputs.nixpkgs; - - nixPath = [ - "nixpkgs=/etc/nix/inputs/nixpkgs" - ]; - - settings = { - auto-optimise-store = pkgs.stdenv.isLinux; - experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"]; - - trusted-substituters = lib.mkDefault ["https://getchoo.cachix.org"]; - trusted-public-keys = lib.mkDefault ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="]; - nix-path = config.nix.nixPath; - }; - - gc = { - automatic = lib.mkDefault true; - options = lib.mkDefault "--delete-older-than 7d"; - }; - }; - - nixpkgs = { - overlays = [inputs.self.overlays.default]; - config.allowUnfree = lib.mkDefault true; - }; -} diff --git a/modules/shared/suites/default.nix b/modules/shared/suites/default.nix deleted file mode 100644 index b4bd1b5..0000000 --- a/modules/shared/suites/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - imports = [ - ./personal.nix - ]; -} diff --git a/modules/shared/suites/personal.nix b/modules/shared/suites/personal.nix deleted file mode 100644 index 1a9278a..0000000 --- a/modules/shared/suites/personal.nix +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - config, - lib, - ... -}: let - cfg = config.suites.personal; -in { - options.suites.personal = { - enable = lib.mkEnableOption "Personal configuration set"; - }; - - config = lib.mkIf cfg.enable { - users.seth.enable = lib.mkDefault true; - }; -} diff --git a/modules/shared/traits/default.nix b/modules/shared/traits/default.nix new file mode 100644 index 0000000..fa5ba25 --- /dev/null +++ b/modules/shared/traits/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./locale.nix + ./home-manager.nix + ]; +} diff --git a/modules/shared/traits/home-manager.nix b/modules/shared/traits/home-manager.nix new file mode 100644 index 0000000..732f4f9 --- /dev/null +++ b/modules/shared/traits/home-manager.nix @@ -0,0 +1,21 @@ +{ + config, + lib, + inputs, + inputs', + ... +}: let + cfg = config.traits.home-manager; +in { + options.traits.home-manager = { + enable = lib.mkEnableOption "home-manager configuration"; + }; + + config = lib.mkIf cfg.enable { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = {inherit inputs inputs';}; + }; + }; +} diff --git a/modules/shared/traits/locale.nix b/modules/shared/traits/locale.nix new file mode 100644 index 0000000..9c07c14 --- /dev/null +++ b/modules/shared/traits/locale.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: let + cfg = config.traits.locale; +in { + options.traits.locale = { + US-east = { + enable = lib.mkEnableOption "eastern United States locale"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.US-east.enable { + time.timeZone = "America/New_York"; + }) + ]; +} diff --git a/modules/shared/users/default.nix b/modules/shared/users/default.nix deleted file mode 100644 index bb3062e..0000000 --- a/modules/shared/users/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - inputs, - inputs', - ... -}: { - imports = [ - ./seth.nix - ]; - - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = {inherit inputs inputs';}; - }; -} 
diff --git a/modules/shared/users/seth.nix b/modules/shared/users/seth.nix deleted file mode 100644 index 0c98fc9..0000000 --- a/modules/shared/users/seth.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: let - cfg = config.users.seth; -in { - options.users.seth = { - enable = lib.mkEnableOption "Seth's configuration & home"; - }; - - config = lib.mkIf cfg.enable { - users.users.seth = - { - shell = pkgs.fish; - home = lib.mkDefault ( - if pkgs.stdenv.isDarwin - then "/Users/seth" - else "/home/seth" - ); - } - // lib.optionalAttrs pkgs.stdenv.isLinux { - extraGroups = ["wheel"]; - isNormalUser = true; - hashedPasswordFile = lib.mkDefault config.age.secrets.sethPassword.path; - }; - - programs.fish.enable = lib.mkDefault true; - - home-manager.users.seth = { - imports = [../../../users/seth]; - }; - }; -} -- cgit v1.2.3