refactor(sops): changed config around and centralised systems

systems/modules/common.nix

@@ -1,58 +1,57 @@
 {
   inputs,
-  pkgs,
   config,
   ...
 }:
 {
   imports = [
-    ./networking.nix
-    ./shell.nix
-    ./stylix.nix
-    ./sops.nix
-    ./pipewire.nix
+    ./programs/tailscale.nix
+    ./programs/zsh.nix
     inputs.nix-index-database.nixosModules.nix-index
+    inputs.sops-nix.nixosModules.sops
   ];
 
   users.mutableUsers = false; # Always reset users on system activation
   users.users.rafiq = {
     isNormalUser = true;
     description = "rafiq";
-    hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path;
+    hashedPasswordFile = config.sops.secrets.password.path;
     extraGroups = [
       "networkmanager"
       "wheel"
     ];
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbZfOYt6zydLyO4f9JAsxb1i6kHAjYzqa0SOqef6MKM rafiq@orpheus"
-    ];
-  };
-  environment = {
-    sessionVariables = {
-      CWP_JIRA_ACCESS_KEY_FILE = config.sops.secrets.cwp_jira_access_key.path;
-      CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path;
-    };
-
-    systemPackages = with pkgs; [
-      git
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq"
     ];
   };
 
   security.sudo.wheelNeedsPassword = false;
-
-  # Enable basic fonts for reasonable Unicode coverage
-  fonts.enableDefaultPackages = true;
-
   nixpkgs.config.allowUnfree = true;
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-  nix.settings.trusted-users = [
-    "root"
-    "@wheel"
-  ];
+  nix = {
+    settings.experimental-features = [
+      "nix-command"
+      "flakes"
+      "pipe-operators"
+    ];
+
+    # Add binary caches to avoid having to compile them
+    settings = {
+      substituters = [
+        "https://hyprland.cachix.org"
+        "https://cuda-maintainers.cachix.org"
+        "https://nix-community.cachix.org"
+        "https://nvf.cachix.org"
+        "https://yazi.cachix.org"
+      ];
+      trusted-public-keys = [
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
+        "yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
+      ];
+    };
+  };
 
   time.timeZone = "Asia/Singapore";
 
@@ -70,11 +69,39 @@
     LC_TIME = "en_SG.UTF-8";
   };
 
-  nix.gc = {
-    automatic = true;
-    dates = "daily";
-    options = "-d";
+  programs.nix-index-database.comma.enable = true;
+
+  networking = {
+    networkmanager.enable = true;
+    networkmanager.wifi.backend = "iwd";
+
+    # Configures a simple stateful firewall.
+    # By default, it doesn't allow any incoming connections.
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22 # SSH
+      ];
+      allowedUDPPorts = [ ];
+    };
+
+    interfaces.enp12s0.wakeOnLan.policy = [
+      "phy"
+      "unicast"
+      "multicast"
+      "broadcast"
+      "arp"
+      "magic"
+      "secureon"
+    ];
+    interfaces.enp12s0.wakeOnLan.enable = true;
   };
 
-  programs.nix-index-database.comma.enable = true;
+  services.openssh.enable = true;
+
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets.password.neededForUsers = true;
+  };
 }

systems/modules/desktop.nix

@@ -1,7 +1,34 @@
+{ inputs, ... }:
 {
   imports = [
+    ../../themes/cursors/banana-cursor.nix
+    ../../themes/darkviolet.nix
+    ../../themes/fonts/sauce-code-pro.nix
+    ./programs/getty.nix
     ./programs/hyprland.nix
     ./programs/hyprlock.nix
-    ./programs/getty.nix
+    inputs.stylix.nixosModules.stylix
   ];
+
+  # Enable basic fonts for reasonable Unicode coverage
+  fonts.enableDefaultPackages = true;
+
+  stylix = {
+    enable = true;
+    image = ../../media/wallpaper.jpg;
+    homeManagerIntegration.autoImport = false;
+    homeManagerIntegration.followSystem = false;
+  };
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    extraConfig = { };
+    jack.enable = true;
+    pulse.enable = true;
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+  };
 }

systems/modules/networking.nix

@@ -1,55 +0,0 @@
-#
-# Common networking settings for all machines.
-# Anything system-specific should not be here.
-#
-{
-  imports = [
-    ./programs/tailscale.nix
-  ];
-
-  networking = {
-    networkmanager.enable = true;
-    networkmanager.wifi.backend = "iwd";
-
-    # Configures a simple stateful firewall.
-    # By default, it doesn't allow any incoming connections.
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        22 # SSH
-      ];
-      allowedUDPPorts = [ ];
-    };
-
-    interfaces.enp12s0.wakeOnLan.policy = [
-      "phy"
-      "unicast"
-      "multicast"
-      "broadcast"
-      "arp"
-      "magic"
-      "secureon"
-    ];
-    interfaces.enp12s0.wakeOnLan.enable = true;
-  };
-
-  # Add binary caches to avoid having to compile them
-  nix.settings = {
-    substituters = [
-      "https://hyprland.cachix.org"
-      "https://cuda-maintainers.cachix.org"
-      "https://nix-community.cachix.org"
-      "https://nvf.cachix.org"
-      "https://yazi.cachix.org"
-    ];
-    trusted-public-keys = [
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
-      "yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
-    ];
-  };
-
-  services.openssh.enable = true;
-}

systems/modules/pipewire.nix

@@ -1,13 +0,0 @@
-{
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    extraConfig = { };
-    jack.enable = true;
-    pulse.enable = true;
-    alsa = {
-      enable = true;
-      support32Bit = true;
-    };
-  };
-}

systems/modules/shell.nix

@@ -1,5 +0,0 @@
-{
-  imports = [
-    ./programs/zsh.nix
-  ];
-}

systems/modules/sops.nix

@@ -1,23 +0,0 @@
-{ inputs, config, ... }:
-{
-  imports = [ inputs.sops-nix.nixosModules.sops ];
-  sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
-    age.sshKeyPaths = [
-      "/home/rafiq/.ssh/id_ed25519"
-      "/home/rafiq/.ssh/rafiq-master"
-    ];
-    secrets = {
-      hashed_password_rafiq = {
-        neededForUsers = true;
-      };
-      cwp_jira_access_key = { };
-      cwp_jira_link = { };
-      cargo_api_key = {
-        mode = "0440";
-        owner = config.users.users.rafiq.name;
-        group = config.users.users.rafiq.group;
-      };
-    };
-  };
-}

systems/modules/stylix.nix

@@ -1,15 +0,0 @@
-{ inputs, pkgs, ... }:
-{
-  imports = [
-    inputs.stylix.nixosModules.stylix
-    ../../themes/darkviolet.nix
-    ../../themes/fonts/sauce-code-pro.nix
-    ../../themes/cursors/banana-cursor.nix
-  ];
-  stylix = {
-    enable = true;
-    image = ../../media/wallpaper.jpg;
-    homeManagerIntegration.autoImport = false;
-    homeManagerIntegration.followSystem = false;
-  };
-}

systems/nemesis.nix

@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
   imports = [
     ./hw-nemesis.nix
     ./modules/common.nix
@@ -10,10 +11,5 @@
 
   networking.hostName = "nemesis";
   system.stateVersion = "24.11";
-  boot.binfmt.emulatedSystems = ["wasm32-wasi" "x86_64-windows" "aarch64-linux"];
   boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelModules = ["dm_crypt"];
-  boot.plymouth = {
-    enable = true;
-  };
 }