From a73cefb9df7ffa37ca68f94af564f1d3f47c7fba Mon Sep 17 00:00:00 2001 From: Jelle Spreeuwenberg Date: Tue, 21 Apr 2026 16:04:06 +0200 Subject: [PATCH] refactor: compose hosts and home-manager features explicitly --- modules/features/cli-base.nix | 17 ++++ modules/features/desktop-base.nix | 50 ---------- modules/features/desktop-session.nix | 17 ++++ modules/features/dev-tools.nix | 2 +- modules/features/ergon-workstation.nix | 11 ++- modules/features/home-manager-base.nix | 26 ----- modules/features/host-base.nix | 30 ++++++ modules/features/kiri-server.nix | 12 +++ modules/features/kiri-workstation.nix | 21 ++-- modules/features/local-apps.nix | 2 +- modules/features/meta.nix | 16 +--- modules/features/networking.nix | 2 +- modules/features/noctalia.nix | 24 ++++- modules/features/personal-productivity.nix | 13 +++ modules/features/qbittorrent-client.nix | 4 +- modules/features/region-nl.nix | 2 +- modules/features/services/deluge.nix | 4 +- modules/features/services/openssh.nix | 11 +-- modules/features/ssh.nix | 2 +- modules/features/standard-boot.nix | 2 +- modules/features/user-base.nix | 29 ------ modules/features/workstation-base.nix | 29 ++++++ modules/hosts/orion/default.nix | 26 +++-- modules/hosts/polaris/default.nix | 22 ++++- modules/hosts/zenith/default.nix | 28 ++++-- modules/lib.nix | 76 +++++++++++++-- modules/secrets/sops.nix | 41 ++++---- modules/users.nix | 106 +-------------------- 28 files changed, 322 insertions(+), 303 deletions(-) create mode 100644 modules/features/cli-base.nix delete mode 100644 modules/features/desktop-base.nix create mode 100644 modules/features/desktop-session.nix delete mode 100644 modules/features/home-manager-base.nix create mode 100644 modules/features/host-base.nix create mode 100644 modules/features/kiri-server.nix create mode 100644 modules/features/personal-productivity.nix delete mode 100644 modules/features/user-base.nix create mode 100644 modules/features/workstation-base.nix 
diff --git a/modules/features/cli-base.nix b/modules/features/cli-base.nix
new file mode 100644
index 0000000..94572d3
--- /dev/null
+++ b/modules/features/cli-base.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+let
+ homeModules = config.flake.modules.homeManager;
+in
+{
+ flake.modules.homeManager.cli-base = {
+ imports = [
+ homeModules.terminal
+ homeModules.shell
+ homeModules.neovim
+ homeModules.git
+ homeModules.dev-tools
+ homeModules.podman
+ homeModules.gemini
+ ];
+ };
+}
diff --git a/modules/features/desktop-base.nix b/modules/features/desktop-base.nix
deleted file mode 100644
index 89d6444..0000000
--- a/modules/features/desktop-base.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ config, ... }:
-let
- nixosModules = config.flake.modules.nixos;
-in
-{
- flake.modules.nixos."core-base" = {
- imports = [
- nixosModules."meta-host"
- nixosModules."home-manager-base"
- nixosModules.nix
- nixosModules."region-nl"
- nixosModules."sops-host"
- ];
- };
-
- flake.modules.nixos."server-base" = {
- imports = [
- nixosModules."core-base"
- nixosModules.openssh
- ];
- };
-
- flake.modules.nixos."workstation-base" = {
- imports = [
- nixosModules."core-base"
- nixosModules."standard-boot"
- nixosModules.sddm
- nixosModules.niri
- nixosModules.audio
- nixosModules.bluetooth
- nixosModules.flatpak
- nixosModules.fonts
- nixosModules.networking
- nixosModules.printing
- nixosModules."qbittorrent-client"
- ];
-
- users.mutableUsers = false;
-
- services.dbus.implementation = "broker";
-
- programs.nix-ld.enable = true;
- environment.localBinInPath = true;
- };
-
- flake.modules.nixos."portable-host" = {
- hardware.enableRedistributableFirmware = true;
- services.fwupd.enable = true;
- };
-}
diff --git a/modules/features/desktop-session.nix b/modules/features/desktop-session.nix
new file mode 100644
index 0000000..d47b67d
--- /dev/null
+++ b/modules/features/desktop-session.nix
@@ -0,0 +1,17 @@ +{ config, ... }: +let + homeModules = config.flake.modules.homeManager; +in +{ + flake.modules.homeManager.desktop-session = { + imports = [ + homeModules.niri + homeModules.clipboard + homeModules.local-apps + homeModules.mpv + homeModules.vicinae + homeModules.xdg + homeModules.theme + ]; + }; +} diff --git a/modules/features/dev-tools.nix b/modules/features/dev-tools.nix index f25f353..eb4c8f2 100644 --- a/modules/features/dev-tools.nix +++ b/modules/features/dev-tools.nix @@ -1,5 +1,5 @@ { - flake.modules.homeManager."dev-tools" = + flake.modules.homeManager.dev-tools = { config, ... }: { home.sessionVariables.CARGO_HOME = "${config.xdg.dataHome}/cargo"; diff --git a/modules/features/ergon-workstation.nix b/modules/features/ergon-workstation.nix index 8d21966..946621b 100644 --- a/modules/features/ergon-workstation.nix +++ b/modules/features/ergon-workstation.nix @@ -3,7 +3,14 @@ let homeModules = config.flake.modules.homeManager; in { - flake.modules.homeManager."ergon-workstation" = { - imports = [ homeModules.nix ]; + flake.modules.homeManager.ergon-workstation = { + imports = [ + homeModules.cli-base + homeModules.desktop-session + homeModules.personal-productivity + homeModules.ssh-client + homeModules.sops + homeModules.nix + ]; }; } diff --git a/modules/features/home-manager-base.nix b/modules/features/home-manager-base.nix deleted file mode 100644 index 9dd0f7a..0000000 --- a/modules/features/home-manager-base.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - inputs, - config, - ... -}: -let - homeModules = config.flake.modules.homeManager; -in -{ - flake.modules.nixos."home-manager-base" = - { ... }: - { - imports = [ inputs.home-manager.nixosModules.home-manager ]; - - home-manager = { - useGlobalPkgs = true; - backupFileExtension = "bak"; - extraSpecialArgs = { inherit inputs; }; - sharedModules = [ homeModules."meta-context" ]; - }; - - security.sudo.extraConfig = '' - Defaults env_keep+=SSH_AUTH_SOCK - ''; - }; -} 
diff --git a/modules/features/host-base.nix b/modules/features/host-base.nix
new file mode 100644
index 0000000..39df47f
--- /dev/null
+++ b/modules/features/host-base.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ inputs,
+ ...
+}:
+let
+ nixosModules = config.flake.modules.nixos;
+ homeModules = config.flake.modules.homeManager;
+in
+{
+ flake.modules.nixos.host-base = {
+ imports = [
+ nixosModules.meta
+ inputs.home-manager.nixosModules.home-manager
+ nixosModules.nix
+ nixosModules.region-nl
+ ];
+
+ home-manager = {
+ useGlobalPkgs = true;
+ backupFileExtension = "bak";
+ extraSpecialArgs = { inherit inputs; };
+ sharedModules = [ homeModules.meta ];
+ };
+
+ security.sudo.extraConfig = ''
+ Defaults env_keep+=SSH_AUTH_SOCK
+ '';
+ };
+}
diff --git a/modules/features/kiri-server.nix b/modules/features/kiri-server.nix
new file mode 100644
index 0000000..17baa88
--- /dev/null
+++ b/modules/features/kiri-server.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+let
+ homeModules = config.flake.modules.homeManager;
+in
+{
+ flake.modules.homeManager.kiri-server = {
+ imports = [
+ homeModules.cli-base
+ homeModules.syncthing
+ ];
+ };
+}
diff --git a/modules/features/kiri-workstation.nix b/modules/features/kiri-workstation.nix
index 5d7f469..95c4c1c 100644
--- a/modules/features/kiri-workstation.nix
+++ b/modules/features/kiri-workstation.nix
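Review bot: `security.sudo.extraConfig` with `Defaults env_keep+=SSH_AUTH_SOCK` is carried over from the deleted home-manager-base into host-base without a comment, and host-base is now the root every host imports (the server included), so the reason for widening sudo's environment belongs next to the line. Presumably it exists so the `ssh-agent-auth` module's PAM sudo authentication can reach the user's agent socket, which also means any root session started through sudo can use that agent; a comment such as `# Keep the agent socket so PAM ssh-agent auth for sudo (see ssh-agent-auth) can reach it; root then also has agent access` would record the trade-off. If the line is only needed on hosts that import `ssh-agent-auth`, moving it there would keep host-base minimal.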
@@ -3,21 +3,16 @@ let homeModules = config.flake.modules.homeManager; in { - flake.modules.homeManager."kiri-workstation" = { + flake.modules.homeManager.kiri-workstation = { imports = [ + homeModules.cli-base + homeModules.desktop-session + homeModules.personal-productivity + homeModules.ssh-client + homeModules.sops homeModules.nix - homeModules.bitwarden - homeModules.email - homeModules.pim - homeModules.mpv - homeModules.niri - homeModules.clipboard - homeModules."local-apps" - homeModules."qbittorrent-client" - homeModules.vicinae - homeModules.xdg - homeModules.theme - homeModules.noctalia + homeModules.syncthing + homeModules.qbittorrent-client ]; }; } diff --git a/modules/features/local-apps.nix b/modules/features/local-apps.nix index e1344ea..a42e897 100644 --- a/modules/features/local-apps.nix +++ b/modules/features/local-apps.nix @@ -1,5 +1,5 @@ { - flake.modules.homeManager."local-apps" = + flake.modules.homeManager.local-apps = { pkgs, ... }: { home.sessionVariables.BROWSER = "vivaldi"; diff --git a/modules/features/meta.nix b/modules/features/meta.nix index b91cd5e..f8d3907 100644 --- a/modules/features/meta.nix +++ b/modules/features/meta.nix @@ -99,18 +99,6 @@ let type = lib.types.str; }; - kind = lib.mkOption { - type = lib.types.enum [ - "server" - "workstation" - ]; - }; - - traits = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = [ ]; - }; - displays = lib.mkOption { type = lib.types.attrsOf displayType; default = { }; @@ -125,13 +113,13 @@ let ); in { - flake.modules.nixos."meta-host" = { + flake.modules.nixos.meta = { options.meta.host = lib.mkOption { type = hostType; }; }; - flake.modules.homeManager."meta-context" = { + flake.modules.homeManager.meta = { options.meta = { host = lib.mkOption { type = lib.types.nullOr hostType; diff --git a/modules/features/networking.nix b/modules/features/networking.nix index e0a970b..c914340 100644 --- a/modules/features/networking.nix +++ b/modules/features/networking.nix 
@@ -1,5 +1,5 @@ { - flake.modules.nixos."server-firewall" = { + flake.modules.nixos.server-firewall = { networking = { firewall.enable = true; firewall.allowPing = false; diff --git a/modules/features/noctalia.nix b/modules/features/noctalia.nix index e7649a0..0a6ea52 100644 --- a/modules/features/noctalia.nix +++ b/modules/features/noctalia.nix @@ -1,3 +1,19 @@ +{ + config, + lib, + ... +}: +let + homeModules = config.flake.modules.homeManager; + baseSettings = import ./_noctalia-config.nix; + portableSettings = lib.recursiveUpdate baseSettings { + bar.widgets.right = baseSettings.bar.widgets.right ++ [ + { + id = "Battery"; + } + ]; + }; +in { flake.modules.homeManager.noctalia = { @@ -17,7 +33,13 @@ } ); - settings = import ./_noctalia-config.nix; + settings = baseSettings; }; }; + + flake.modules.homeManager.noctalia-portable = { + imports = [ homeModules.noctalia ]; + + programs.noctalia-shell.settings = lib.mkForce portableSettings; + }; } diff --git a/modules/features/personal-productivity.nix b/modules/features/personal-productivity.nix new file mode 100644 index 0000000..6850516 --- /dev/null +++ b/modules/features/personal-productivity.nix @@ -0,0 +1,13 @@ +{ config, ... }: +let + homeModules = config.flake.modules.homeManager; +in +{ + flake.modules.homeManager.personal-productivity = { + imports = [ + homeModules.bitwarden + homeModules.email + homeModules.pim + ]; + }; +} diff --git a/modules/features/qbittorrent-client.nix b/modules/features/qbittorrent-client.nix index cf0b8d5..3d3c1bc 100644 --- a/modules/features/qbittorrent-client.nix +++ b/modules/features/qbittorrent-client.nix @@ -1,12 +1,12 @@ { - flake.modules.nixos."qbittorrent-client" = { + flake.modules.nixos.qbittorrent-client = { networking.firewall = { allowedTCPPorts = [ 43864 ]; allowedUDPPorts = [ 43864 ]; }; }; - flake.modules.homeManager."qbittorrent-client" = + flake.modules.homeManager.qbittorrent-client = { pkgs, ... }: { home.packages = [ pkgs.qbittorrent ]; 
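Review bot: `programs.noctalia-shell.settings = lib.mkForce portableSettings;` in `noctalia-portable` replaces the entire settings value at force priority, so any other module that contributes to `programs.noctalia-shell.settings` on a portable host is silently dropped instead of merged. If the option type merges attrsets, forcing only the changed path, e.g. `programs.noctalia-shell.settings.bar.widgets.right = lib.mkForce (baseSettings.bar.widgets.right ++ [ { id = "Battery"; } ]);`, would leave the rest of the settings mergeable; if a whole-value override is genuinely required, a comment at the line saying why would stop the next reader from "fixing" it. The body of the base `noctalia` module between the two hunks is outside the hunk.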
diff --git a/modules/features/region-nl.nix b/modules/features/region-nl.nix index e372cf7..c8ed307 100644 --- a/modules/features/region-nl.nix +++ b/modules/features/region-nl.nix @@ -1,6 +1,6 @@ { ... }: { - flake.modules.nixos."region-nl" = { + flake.modules.nixos.region-nl = { time.timeZone = "Europe/Amsterdam"; i18n.defaultLocale = "en_US.UTF-8"; diff --git a/modules/features/services/deluge.nix b/modules/features/services/deluge.nix index 9c673ef..1d48022 100644 --- a/modules/features/services/deluge.nix +++ b/modules/features/services/deluge.nix @@ -1,5 +1,5 @@ { - flake.modules.nixos."deluge-service" = + flake.modules.nixos.deluge-service = { ... }: { sops.secrets.deluge-auth-file = { }; @@ -10,7 +10,7 @@ }; }; - flake.modules.homeManager."deluge-client" = + flake.modules.homeManager.deluge-client = { pkgs, ... }: { home.packages = [ pkgs.deluge ]; diff --git a/modules/features/services/openssh.nix b/modules/features/services/openssh.nix index 7104b40..9c88d8f 100644 --- a/modules/features/services/openssh.nix +++ b/modules/features/services/openssh.nix @@ -1,6 +1,6 @@ { ... }: { - flake.modules.nixos."ssh-agent-auth" = { + flake.modules.nixos.ssh-agent-auth = { security.pam = { sshAgentAuth.enable = true; services.sudo.sshAgentAuth = true; @@ -12,18 +12,15 @@ config, ... }: - let - isServer = config.meta.host.kind == "server"; - hostUserNames = builtins.attrNames config.meta.host.users; - in { + services.openssh.openFirewall = true; + services.openssh = { enable = true; - openFirewall = isServer; settings = { PermitRootLogin = "no"; PasswordAuthentication = false; - AllowUsers = hostUserNames; + AllowUsers = builtins.attrNames config.meta.host.users; }; }; }; diff --git a/modules/features/ssh.nix b/modules/features/ssh.nix index e4e4cd4..ef6f9c9 100644 --- a/modules/features/ssh.nix +++ b/modules/features/ssh.nix @@ -1,5 +1,5 @@ { - flake.modules.homeManager."ssh-client" = + flake.modules.homeManager.ssh-client = { config, ... }: { programs.ssh = { 
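Review bot: `services.openssh.openFirewall = true;` is set on its own line directly above the `services.openssh = { ... }` attrset that already carries `enable` and `settings`; folding it in as `openFirewall = true;` next to `enable = true;` keeps the module's sshd configuration in one place and matches how the sibling feature modules are written. Dropping the old `isServer` gate also means the firewall is opened wherever `nixosModules.openssh` is imported, which is fine as long as only hosts that want sshd reachable import it; a one-line comment at the top of the module stating that contract would make it explicit now that `meta.host.kind` no longer exists to enforce it. The module function's header (`{ config, ... }:`) starts outside the hunk.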
diff --git a/modules/features/standard-boot.nix b/modules/features/standard-boot.nix index 45ca816..e3ada86 100644 --- a/modules/features/standard-boot.nix +++ b/modules/features/standard-boot.nix @@ -1,6 +1,6 @@ { ... }: { - flake.modules.nixos."standard-boot" = + flake.modules.nixos.standard-boot = { config, pkgs, ... }: { boot = { diff --git a/modules/features/user-base.nix b/modules/features/user-base.nix deleted file mode 100644 index dbe2af5..0000000 --- a/modules/features/user-base.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, ... }: -let - homeModules = config.flake.modules.homeManager; -in -{ - flake.modules.homeManager."common-user-base" = { - imports = [ - homeModules.terminal - homeModules.shell - homeModules.neovim - homeModules.git - homeModules."dev-tools" - homeModules.podman - homeModules.gemini - ]; - }; - - flake.modules.homeManager."server-user-base" = { - imports = [ homeModules."common-user-base" ]; - }; - - flake.modules.homeManager."workstation-user-base" = { - imports = [ - homeModules."common-user-base" - homeModules."ssh-client" - homeModules."sops-admin" - ]; - }; -} diff --git a/modules/features/workstation-base.nix b/modules/features/workstation-base.nix new file mode 100644 index 0000000..684b3f2 --- /dev/null +++ b/modules/features/workstation-base.nix @@ -0,0 +1,29 @@ +{ config, ... }: +let + nixosModules = config.flake.modules.nixos; +in +{ + flake.modules.nixos.workstation-base = { + imports = [ + nixosModules.host-base + nixosModules.sops-admin-key-file + nixosModules.standard-boot + nixosModules.sddm + nixosModules.niri + nixosModules.audio + nixosModules.bluetooth + nixosModules.flatpak + nixosModules.fonts + nixosModules.networking + nixosModules.printing + nixosModules.qbittorrent-client + ]; + + users.mutableUsers = false; + + services.dbus.implementation = "broker"; + + programs.nix-ld.enable = true; + environment.localBinInPath = true; + }; +} 
diff --git a/modules/hosts/orion/default.nix b/modules/hosts/orion/default.nix index 9031ae1..2ea6940 100644 --- a/modules/hosts/orion/default.nix +++ b/modules/hosts/orion/default.nix @@ -1,10 +1,15 @@ -{ config, ... }: +{ + inputs, + config, + ... +}: let nixosModules = config.flake.modules.nixos; + homeModules = config.flake.modules.homeManager; metaLib = config.meta.lib; in { - flake.modules.nixos."orion-admin" = + flake.modules.nixos.orion-admin = { pkgs, ... }: { users.users.kiri = { @@ -21,22 +26,27 @@ in flake.modules.nixos.orion = metaLib.mkHost { name = "orion"; - kind = "server"; users = { inherit (metaLib.users) kiri; }; imports = [ - nixosModules."server-base" + nixosModules.host-base + nixosModules.sops-host-ssh-key + nixosModules.openssh nixosModules.caddy - nixosModules."server-firewall" - nixosModules."ssh-agent-auth" - nixosModules."orion-admin" + nixosModules.server-firewall + nixosModules.ssh-agent-auth + nixosModules.orion-admin nixosModules.vaultwarden nixosModules.radicale nixosModules.actual nixosModules.gitea - nixosModules."user-kiri" + (metaLib.mkHostUser { + account = metaLib.users.kiri; + needsPassword = false; + homeImports = [ homeModules.kiri-server ]; + }) ./_hardware.nix ./_disk.nix ]; diff --git a/modules/hosts/polaris/default.nix b/modules/hosts/polaris/default.nix index cac3f17..827a9e3 100644 --- a/modules/hosts/polaris/default.nix +++ b/modules/hosts/polaris/default.nix @@ -5,12 +5,12 @@ }: let nixosModules = config.flake.modules.nixos; + homeModules = config.flake.modules.homeManager; metaLib = config.meta.lib; in { flake.modules.nixos.polaris = metaLib.mkHost { name = "polaris"; - kind = "workstation"; displays = { "LG Electronics LG ULTRAGEAR 103NTYT8R290" = { 
@@ -33,10 +33,24 @@ in }; imports = [ - nixosModules."workstation-base" + nixosModules.workstation-base nixosModules.steam - nixosModules."user-kiri" - nixosModules."user-ergon" + (metaLib.mkHostUser { + account = metaLib.users.kiri; + needsPassword = true; + homeImports = [ + homeModules.kiri-workstation + homeModules.noctalia + ]; + }) + (metaLib.mkHostUser { + account = metaLib.users.ergon; + needsPassword = true; + homeImports = [ + homeModules.ergon-workstation + homeModules.noctalia + ]; + }) ./_hardware.nix ] ++ (with inputs.nixos-hardware.nixosModules; [ diff --git a/modules/hosts/zenith/default.nix b/modules/hosts/zenith/default.nix index 6e6d7e8..c8287e3 100644 --- a/modules/hosts/zenith/default.nix +++ b/modules/hosts/zenith/default.nix @@ -5,13 +5,12 @@ }: let nixosModules = config.flake.modules.nixos; + homeModules = config.flake.modules.homeManager; metaLib = config.meta.lib; in { flake.modules.nixos.zenith = metaLib.mkHost { name = "zenith"; - kind = "workstation"; - traits = [ "portable" ]; displays = { "California Institute of Technology 0x1410 Unknown" = { @@ -35,10 +34,27 @@ in }; imports = [ - nixosModules."workstation-base" - nixosModules."portable-host" - nixosModules."user-kiri" - nixosModules."user-ergon" + nixosModules.workstation-base + (metaLib.mkHostUser { + account = metaLib.users.kiri; + needsPassword = true; + homeImports = [ + homeModules.kiri-workstation + homeModules.noctalia-portable + ]; + }) + (metaLib.mkHostUser { + account = metaLib.users.ergon; + needsPassword = true; + homeImports = [ + homeModules.ergon-workstation + homeModules.noctalia-portable + ]; + }) + { + hardware.enableRedistributableFirmware = true; + services.fwupd.enable = true; + } ./_hardware.nix inputs.nixos-hardware.nixosModules.lenovo-yoga-7-14ARH7-amdgpu ]; diff --git a/modules/lib.nix b/modules/lib.nix index 5cc627c..7ae48f2 100644 --- a/modules/lib.nix +++ b/modules/lib.nix 
@@ -7,8 +7,6 @@ let mkHost = { name, - kind, - traits ? [ ], displays ? { }, users ? { }, imports ? [ ], @@ -18,9 +16,7 @@ let meta.host = { inherit displays - kind name - traits users ; }; @@ -52,11 +48,69 @@ let "reverse_proxy :${toString port}" else '' - reverse_proxy :${toString port} { - ${body} - } + reverse_proxy :${toString port} { + ${body} + } ''; }; + + mkHostUser = + { + account, + homeImports, + needsPassword ? false, + stateVersion ? "24.05", + }: + { + config, + pkgs, + ... + }: + let + name = account.name; + primaryEmails = lib.filter (email: email.primary) (builtins.attrValues account.emails); + in + { + assertions = [ + { + assertion = builtins.length primaryEmails == 1; + message = "User ${name} must define exactly one primary email entry."; + } + ]; + + programs.zsh.enable = true; + + sops.secrets = lib.optionalAttrs needsPassword { + "hashed-password-${name}".neededForUsers = true; + }; + + users.users.${name} = { + name = account.name; + home = account.homeDirectory; + isNormalUser = true; + shell = pkgs.zsh; + extraGroups = [ + "wheel" + "networkmanager" + ]; + } + // lib.optionalAttrs needsPassword { + hashedPasswordFile = config.sops.secrets."hashed-password-${name}".path; + }; + + home-manager.users.${name} = { + imports = homeImports; + meta = { + host = config.meta.host; + user = account; + }; + home = { + username = account.name; + homeDirectory = account.homeDirectory; + inherit stateVersion; + }; + }; + }; in { options.meta.lib.mkHost = lib.mkOption { @@ -73,6 +127,13 @@ in readOnly = true; }; + options.meta.lib.mkHostUser = lib.mkOption { + type = lib.types.raw; + description = "Internal helper for explicit per-host user assembly."; + internal = true; + readOnly = true; + }; + options.meta.lib.users = lib.mkOption { type = lib.types.attrs; description = "Canonical user attrsets shared by host definitions."; @@ -84,6 +145,7 @@ in inherit mkCaddyReverseProxy mkHost + mkHostUser ; }; } 
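Review bot: `needsPassword ? false` in `mkHostUser` means a host that omits the argument silently gets a user with no `hashedPasswordFile`; on hosts that set `users.mutableUsers = false` such an account presumably has no password at all and is reachable only by key. All three call sites in this patch pass the flag explicitly, so making it required, `needsPassword,`, costs nothing and turns an omission into an evaluation error. The function's parameters also have no doc comment; a short one above `mkHostUser` stating that `needsPassword` wires `sops.secrets."hashed-password-<name>"` into `hashedPasswordFile`, that every host user is put in `wheel` and `networkmanager`, and that `stateVersion` defaults to `"24.05"` would cover what a host author needs to know. The enclosing `let` block begins outside the hunk.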
diff --git a/modules/secrets/sops.nix b/modules/secrets/sops.nix index d046866..61fa3cd 100644 --- a/modules/secrets/sops.nix +++ b/modules/secrets/sops.nix @@ -1,43 +1,42 @@ { inputs, + config, ... }: let + nixosModules = config.flake.modules.nixos; sopsAdminKeyPath = "/var/lib/sops/keys.txt"; in { - flake.modules.nixos."sops-host" = - { - config, - lib, - ... - }: + flake.modules.nixos.sops = { + imports = [ inputs.sops-nix.nixosModules.sops ]; + + sops.defaultSopsFile = ./secrets.yaml; + }; + + flake.modules.nixos.sops-admin-key-file = + { lib, ... }: let - useHostSshKey = config.meta.host.kind == "server"; - useAdminKeyFile = config.meta.host.kind != "server"; adminKeyDir = builtins.dirOf sopsAdminKeyPath; in { - imports = [ inputs.sops-nix.nixosModules.sops ]; + imports = [ nixosModules.sops ]; - sops = { - defaultSopsFile = ./secrets.yaml; - age = - lib.optionalAttrs useHostSshKey { - sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - } - // lib.optionalAttrs useAdminKeyFile { - keyFile = sopsAdminKeyPath; - }; - }; + sops.age.keyFile = sopsAdminKeyPath; - systemd.tmpfiles.rules = lib.optionals useAdminKeyFile [ + systemd.tmpfiles.rules = [ "d ${adminKeyDir} 0750 root wheel -" "z ${sopsAdminKeyPath} 0640 root wheel -" ]; }; - flake.modules.homeManager."sops-admin" = + flake.modules.nixos.sops-host-ssh-key = { + imports = [ nixosModules.sops ]; + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; + + flake.modules.homeManager.sops = { pkgs, ... diff --git a/modules/users.nix b/modules/users.nix index d43b3ff..0ca11e8 100644 --- a/modules/users.nix +++ b/modules/users.nix @@ -1,11 +1,5 @@ -{ - config, - lib, - ... -}: +{ ... }: let - homeModules = config.flake.modules.homeManager; - kiri = { name = "kiri"; realName = "Jelle Spreeuwenberg"; 
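Review bot: the tmpfiles rule `z ${sopsAdminKeyPath} 0640 root wheel -` in `sops-admin-key-file` keeps the age private key group-readable, so every `wheel` member on that host can presumably decrypt everything in `secrets.yaml`; the rule is carried over unchanged, but now that it is a standalone module a comment at the rule stating that this is intended (the admin user in `wheel` runs sops with this key) would document the trust boundary. The base `flake.modules.nixos.sops` sets only `defaultSopsFile`, so a host that imports it without `sops-admin-key-file` or `sops-host-ssh-key` has no decryption key, and a host importing both now gets `keyFile` and `sshKeyPaths` together, which the removed `kind` check used to prevent; a comment on the base module saying exactly one of the two key modules must be imported alongside it would help. The `homeManager.sops` module continues past the end of the hunk.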
@@ -46,98 +40,6 @@ let }; }; }; - - mkUserModules = - { - name, - extraHomeImports ? [ ], - }: - let - userModuleName = "user-${name}"; - workstationModuleName = "${name}-workstation"; - in - { - nixos = - { - config, - pkgs, - ... - }: - let - account = config.meta.host.users.${name}; - primaryEmails = lib.filter (email: email.primary) (builtins.attrValues account.emails); - isWorkstation = config.meta.host.kind == "workstation"; - hasWorkstationModule = builtins.hasAttr workstationModuleName homeModules; - baseModuleName = if isWorkstation then "workstation-user-base" else "server-user-base"; - in - { - assertions = [ - { - assertion = builtins.length primaryEmails == 1; - message = "User ${name} must define exactly one primary email entry."; - } - ]; - - programs.zsh.enable = true; - - sops.secrets = lib.optionalAttrs isWorkstation { - "hashed-password-${name}".neededForUsers = true; - }; - - users.users.${name} = { - name = account.name; - home = account.homeDirectory; - isNormalUser = true; - shell = pkgs.zsh; - extraGroups = [ - "wheel" - "networkmanager" - ]; - } - // lib.optionalAttrs isWorkstation { - hashedPasswordFile = config.sops.secrets."hashed-password-${name}".path; - }; - - home-manager.users.${name} = { - imports = [ - homeModules.${baseModuleName} - homeModules.${userModuleName} - ] - ++ extraHomeImports - ++ lib.optionals (isWorkstation && hasWorkstationModule) [ - homeModules.${workstationModuleName} - ]; - meta = { - host = config.meta.host; - user = account; - }; - }; - }; - - homeManager = - { config, ... }: - let - account = config.meta.user; - in - { - home = { - username = account.name; - homeDirectory = account.homeDirectory; - stateVersion = "24.05"; - }; - }; - }; - - kiriModules = mkUserModules { - name = "kiri"; - extraHomeImports = [ - homeModules.syncthing - ]; - }; - - ergonModules = mkUserModules { - name = "ergon"; - }; in { meta.lib.users = { 
@@ -146,10 +48,4 @@ in kiri ; }; - - flake.modules.nixos."user-kiri" = kiriModules.nixos; - flake.modules.nixos."user-ergon" = ergonModules.nixos; - - flake.modules.homeManager."user-kiri" = kiriModules.homeManager; - flake.modules.homeManager."user-ergon" = ergonModules.homeManager; }