From 91c2790b62b279290ab2ced52a807e804cbb85d0 Mon Sep 17 00:00:00 2001 From: Mohammad Rafiq Date: Mon, 16 Jun 2025 19:17:47 +0800 Subject: [PATCH] refactor(nixos): move system config options to main nixos module --- homes/x86_64-linux/rafiq/cli/multiplexer.nix | 2 +- lib/modules/default.nix | 2 +- modules/nixos/default.nix | 84 ++++++++++++++++++- .../audio.nix => desktop/audio/default.nix} | 0 modules/nixos/desktop/services/default.nix | 4 +- modules/nixos/hardware/default.nix | 40 ++------- modules/nixos/hardware/platform/default.nix | 3 + modules/nixos/hardware/platform/x86_64.nix | 18 ++++ modules/nixos/networking/default.nix | 2 +- .../server/web-apps/librechat/default.nix | 2 +- modules/nixos/server/web-servers/default.nix | 2 +- modules/nixos/system/default.nix | 16 ---- modules/nixos/system/localisation.nix | 9 -- modules/nixos/system/nix-config.nix | 17 ---- modules/nixos/system/secrets.nix | 37 -------- modules/nixos/system/users.nix | 27 ------ systems/x86_64-linux/apollo/default.nix | 2 +- systems/x86_64-linux/common.nix | 2 +- systems/x86_64-linux/mellinoe/default.nix | 2 +- systems/x86_64-linux/nemesis/default.nix | 2 +- 20 files changed, 124 insertions(+), 149 deletions(-) rename modules/nixos/{hardware/audio.nix => desktop/audio/default.nix} (100%) create mode 100644 modules/nixos/hardware/platform/default.nix create mode 100644 modules/nixos/hardware/platform/x86_64.nix delete mode 100644 modules/nixos/system/localisation.nix delete mode 100644 modules/nixos/system/nix-config.nix delete mode 100644 modules/nixos/system/secrets.nix delete mode 100644 modules/nixos/system/users.nix diff --git a/homes/x86_64-linux/rafiq/cli/multiplexer.nix b/homes/x86_64-linux/rafiq/cli/multiplexer.nix index 6eb8971..700db4a 100644 --- a/homes/x86_64-linux/rafiq/cli/multiplexer.nix +++ b/homes/x86_64-linux/rafiq/cli/multiplexer.nix 
@@ -17,7 +17,7 @@ default_tab_template { pane size=1 borderless=true { plugin location="file:${pkgs.zjstatus}/bin/zjstatus.wasm" { - format_left "{mode} ${osConfig.system.hostname}" + format_left "{mode} ${osConfig.hostname}" format_center "{tabs}" format_right "{datetime}" format_space "" diff --git a/lib/modules/default.nix b/lib/modules/default.nix index 8b19dca..9e92b21 100644 --- a/lib/modules/default.nix +++ b/lib/modules/default.nix @@ -27,7 +27,7 @@ let server.networking.ddns.domains = singleton (mkRootDomain cfg.domain); server.web-servers.nginx.proxies = singleton { source = cfg.domain; - target = "http://${config.system.hostname}:${toString cfg.port}"; + target = "http://${config.hostname}:${toString cfg.port}"; }; }; in diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 1b5b271..d7c523f 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,4 +1,10 @@ -{ lib, config, ... }: +{ + inputs, + lib, + config, + pkgs, + ... +}: let inherit (lib) mkOption; inherit (lib.types) @@ -7,6 +13,7 @@ let coercedTo submodule ; + inherit (lib.pantheon) mkStrOption; rootDir = submodule { options = { directory = mkOption { type = str; }; @@ -27,6 +34,12 @@ let in { options = { + hostname = mkStrOption; + mainUser = { + name = mkStrOption; + publicKey = mkStrOption; + email = mkStrOption; + }; persistDirs = mkOption { type = listOf (coercedTo str (d: { directory = d; }) rootDir); default = [ ]; 
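Review bot: The new `hostname` and `mainUser` options in the `@@ -27,6 +34,12 @@` hunk of modules/nixos/default.nix sit at the root of the NixOS option tree with no `description`, so a host that omits one of them fails at evaluation with a message that does not say which module introduced the option, and a future upstream option of the same top-level name would collide with them. Keeping them under a project-specific prefix avoids the collision, and a description on each tells the reader that `mainUser.publicKey` is the key that lands in root's `authorized_keys` later in this same module; for example `hostname = mkStrOption // { description = "Host name; also used for networking.hostName and service display names."; };`. `mkStrOption` comes from `lib.pantheon`, which is outside this diff, so whether it already supplies a description or a default cannot be confirmed here.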
@@ -42,5 +55,74 @@ in "/var/lib/systemd" "/var/lib/nixos" ]; + stylix = { + enable = true; + base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml"; + }; + nixpkgs.config.allowUnfree = true; + nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; + + nix.settings = { + experimental-features = [ + "nix-command" + "flakes" + "pipe-operators" + ]; + + trusted-users = [ "@wheel" ]; + }; + time.timeZone = "Asia/Singapore"; + i18n.defaultLocale = "en_US.UTF-8"; + users.mutableUsers = false; + users.groups.users = { + gid = 100; + members = [ "${config.mainUser.name}" ]; + }; + users.users."${config.mainUser.name}" = { + linger = true; + uid = 1000; + isNormalUser = true; + hashedPasswordFile = config.sops.secrets."${config.mainUser.name}/hashedPassword".path; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ config.mainUser.publicKey ]; + }; + users.users.root.openssh.authorizedKeys.keys = lib.singleton config.mainUser.publicKey; + services.getty.autologinUser = config.mainUser.name; + security.sudo.wheelNeedsPassword = false; + sops = { + defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml"; + age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ]; + secrets = { + "keys/openrouter" = { }; + "keys/tailscale" = { }; + "keys/gemini" = { }; + "keys/cvt-jira" = { }; + "keys/cloudflare" = { }; + "keys/telegram_bot" = { }; + "misc/cvt-jira-link" = { }; + "rafiq/hashedPassword".neededForUsers = true; + "rafiq/personalEmailPassword" = { }; + "rafiq/workEmailPassword" = { }; + "rafiq/oldSMBCredentials" = { }; + "librechat/creds_key" = { }; + "librechat/creds_iv" = { }; + "librechat/jwt_secret" = { }; + "librechat/jwt_refresh_secret" = { }; + "librechat/meili_master_key" = { }; + }; + templates = { + "smb-credentials".content = '' + username=rafiq + password=${config.sops.placeholder."rafiq/oldSMBCredentials"} + ''; + }; + }; + environment.shellInit = # sh + '' + export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path}) + 
export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path}) + export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path}) + ''; + system.stateVersion = "25.05"; # Did you read the comment? }; } diff --git a/modules/nixos/hardware/audio.nix b/modules/nixos/desktop/audio/default.nix similarity index 100% rename from modules/nixos/hardware/audio.nix rename to modules/nixos/desktop/audio/default.nix diff --git a/modules/nixos/desktop/services/default.nix b/modules/nixos/desktop/services/default.nix index f993b41..27679c3 100644 --- a/modules/nixos/desktop/services/default.nix +++ b/modules/nixos/desktop/services/default.nix @@ -22,7 +22,7 @@ in capSysAdmin = true; openFirewall = true; settings = { - sunshine_name = config.system.hostname; + sunshine_name = config.hostname; origin_web_ui_allowed = "wan"; }; applications = { }; @@ -35,7 +35,7 @@ in home-manager.sharedModules = singleton { services.spotifyd.enable = true; services.spotifyd.settings.global = { - device_name = "${config.system.hostname}"; + device_name = "${config.hostname}"; device_type = "computer"; zeroconf_port = 5353; }; diff --git a/modules/nixos/hardware/default.nix b/modules/nixos/hardware/default.nix index 7652c0d..27f8b24 100644 --- a/modules/nixos/hardware/default.nix +++ b/modules/nixos/hardware/default.nix 
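Review bot: The config block in the `@@ -42,5 +55,74 @@` hunk of modules/nixos/default.nix parameterises the user through `config.mainUser.name` (`users.users."${config.mainUser.name}"`, `hashedPasswordFile = config.sops.secrets."${config.mainUser.name}/hashedPassword".path`) but the secret it depends on is still declared as the literal `"rafiq/hashedPassword".neededForUsers = true`, and `age.sshKeyPaths` and the `smb-credentials` template hard-code `rafiq` as well, so any host whose `mainUser.name` is not `rafiq` fails with an undefined attribute under `config.sops.secrets`. Deriving those keys from the option keeps them in step: `"${config.mainUser.name}/hashedPassword".neededForUsers = true;` and `age.sshKeyPaths = [ "/persist/home/${config.mainUser.name}/.ssh/id_ed25519" ];` (the template body needs the same treatment). Separately, `environment.shellInit` runs for every user's shell and does `sudo cat` on three sops secrets, so each interactive login copies that key material into the environment of the shell and every child process, and for a user outside `wheel` (the only group `wheelNeedsPassword = false` covers) the `sudo` either prompts or fails on every login; giving those secrets `owner = config.mainUser.name` and reading the files directly from that user's own shell configuration avoids both. This is carried over from the deleted secrets.nix rather than introduced here, but moving it into the shared module is the point at which it applies to every host.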
@@ -1,37 +1,15 @@ -{ - lib, - config, - ... -}: +{ lib, ... }: let inherit (lib) singleton; in { - imports = [ - ./audio.nix - ]; - - options.hardware = { - platform = lib.pantheon.mkStrOption; + config = { + services.fwupd.enable = true; + persistDirs = singleton "/var/lib/bluetooth"; + hardware.bluetooth = { + enable = true; + settings.General.Experimental = true; + }; + hardware.xone.enable = true; }; - - config = lib.mkMerge [ - { - services.fwupd.enable = true; - persistDirs = singleton "/var/lib/bluetooth"; - hardware.bluetooth = { - enable = true; - settings.General.Experimental = true; - }; - hardware.xone.enable = true; - } - (lib.mkIf (config.hardware.platform == "amd") { - hardware.cpu.amd.updateMicrocode = true; - boot.kernelModules = [ "kvm-amd" ]; - }) - (lib.mkIf (config.hardware.platform == "intel") { - hardware.cpu.intel.updateMicrocode = true; - boot.kernelModules = [ "kvm-intel" ]; - }) - ]; } diff --git a/modules/nixos/hardware/platform/default.nix b/modules/nixos/hardware/platform/default.nix new file mode 100644 index 0000000..95a0727 --- /dev/null +++ b/modules/nixos/hardware/platform/default.nix @@ -0,0 +1,3 @@ +{ + imports = [ ./x86_64.nix ]; +} diff --git a/modules/nixos/hardware/platform/x86_64.nix b/modules/nixos/hardware/platform/x86_64.nix new file mode 100644 index 0000000..befb6af --- /dev/null +++ b/modules/nixos/hardware/platform/x86_64.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: +let + inherit (lib) singleton mkOption; + inherit (lib.types) enum; + cfg = config.hardware.platform; +in +{ + options.hardware.platform = mkOption { + type = enum [ + "amd" + "intel" + ]; + }; + config = { + hardware.cpu.${cfg}.updateMicrocode = true; + boot.kernelModules = singleton "kvm-${cfg}"; + }; +} diff --git a/modules/nixos/networking/default.nix b/modules/nixos/networking/default.nix index 3828c80..c103d39 100644 --- a/modules/nixos/networking/default.nix +++ b/modules/nixos/networking/default.nix 
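Review bot: modules/nixos/hardware/default.nix no longer imports `./audio.nix` (renamed to desktop/audio/default.nix) and does not import the new `./platform` directory, and nothing else in this diff imports either of them, so whether audio and the CPU-vendor settings still reach a system depends on the module loader picking up every `default.nix` under modules/nixos on its own. `lib.snowfall.fs` is used elsewhere in this commit, which suggests snowfall-lib's directory-based discovery, but that is not visible here and is worth confirming on one host (for instance by checking that `hardware.platform` is still a recognised option after the change). If discovery is not automatic, `imports = [ ./platform ];` in this file restores the link. Replacing the `mkMerge`/`mkIf` list with a plain `config` set is fine, since nothing conditional remains in this file.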
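Review bot: `hardware.cpu.${cfg}.updateMicrocode = true` and `boot.kernelModules = singleton "kvm-${cfg}"` in the new modules/nixos/hardware/platform/x86_64.nix are applied unconditionally, and `platform/default.nix` imports the file for every system, so the file name is the only thing marking the block as x86-specific and a non-x86 host would still be forced to pick `amd` or `intel`. Wrapping the body as `config = lib.mkIf config.nixpkgs.hostPlatform.isx86_64 { … };` (or making the import in platform/default.nix conditional) makes the split real. The option also has no `description`; since its value is spliced into a kernel module name, a line such as `description = "CPU vendor; selects the microcode update package and the matching kvm module.";` tells the next host author what the two enum values control. Enabling microcode updates for both vendors by default is a sensible default to keep.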
@@ -6,7 +6,7 @@ in networking = { enableIPv6 = false; useDHCP = mkDefault true; - hostName = config.system.hostname; + hostName = config.hostname; networkmanager.enable = true; }; diff --git a/modules/nixos/server/web-apps/librechat/default.nix b/modules/nixos/server/web-apps/librechat/default.nix index 7562027..1c51941 100644 --- a/modules/nixos/server/web-apps/librechat/default.nix +++ b/modules/nixos/server/web-apps/librechat/default.nix @@ -20,7 +20,7 @@ mkWebApp { inherit (upstreamCfg) user group; }; extraOptions.mongodbURI = mkStrOption // { - default = "mongodb://${config.system.hostname}:27017/LibreChat"; + default = "mongodb://${config.hostname}:27017/LibreChat"; }; extraConfig = { services.librechat = { diff --git a/modules/nixos/server/web-servers/default.nix b/modules/nixos/server/web-servers/default.nix index 8e8570c..1aee593 100644 --- a/modules/nixos/server/web-servers/default.nix +++ b/modules/nixos/server/web-servers/default.nix @@ -18,7 +18,7 @@ in security.acme = { acceptTerms = true; defaults = { - inherit (config.system.mainUser) email; + inherit (config.mainUser) email; dnsProvider = "cloudflare"; credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path; }; diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix index 5d876e7..6898a7b 100644 --- a/modules/nixos/system/default.nix +++ b/modules/nixos/system/default.nix @@ -7,25 +7,9 @@ { imports = [ ./boot.nix - ./users.nix - ./localisation.nix - ./nix-config.nix - ./secrets.nix ]; options.system = { - hostname = lib.pantheon.mkStrOption; - mainUser.name = lib.pantheon.mkStrOption; - mainUser.publicKey = lib.pantheon.mkStrOption; - mainUser.email = lib.pantheon.mkStrOption; bootloader = lib.pantheon.mkStrOption; }; - - config = { - stylix = { - enable = true; - base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml"; - }; - system.stateVersion = "25.05"; # Did you read the comment? - }; } 
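Review bot: After the removals in the `@@ -7,25 +7,9 @@` hunk of modules/nixos/system/default.nix the only remaining uses in this file are `lib.pantheon.mkStrOption` and the `./boot.nix` import, so the `pkgs` argument that `pkgs.base16-schemes` previously required appears to be unused now; the module's argument set is above the hunk and cannot be confirmed from here. If it reads `{ lib, pkgs, ... }:` it can become `{ lib, ... }:`. The remaining `options.system.bootloader` option still has no description; `bootloader = lib.pantheon.mkStrOption // { description = "Name of the boot loader this host uses."; };` would document it where it is declared.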
diff --git a/modules/nixos/system/localisation.nix b/modules/nixos/system/localisation.nix
deleted file mode 100644
index ce5242e..0000000
--- a/modules/nixos/system/localisation.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, lib, ... }:
-{
- config = lib.mkMerge [
- {
- time.timeZone = "Asia/Singapore";
- i18n.defaultLocale = "en_US.UTF-8";
- }
- ];
-}
diff --git a/modules/nixos/system/nix-config.nix b/modules/nixos/system/nix-config.nix
deleted file mode 100644
index 85df7df..0000000
--- a/modules/nixos/system/nix-config.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, inputs, ... }:
-{
- config = {
- nixpkgs.config.allowUnfree = true;
- nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
- nix.settings = {
- experimental-features = [
- "nix-command"
- "flakes"
- "pipe-operators"
- ];
-
- trusted-users = [ "@wheel" ];
- };
- };
-}
diff --git a/modules/nixos/system/secrets.nix b/modules/nixos/system/secrets.nix
deleted file mode 100644
index ce0cc40..0000000
--- a/modules/nixos/system/secrets.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ lib, config, ... }:
-{
- sops = {
- defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
- age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
- secrets = {
- "keys/openrouter" = { };
- "keys/tailscale" = { };
- "keys/gemini" = { };
- "keys/cvt-jira" = { };
- "keys/cloudflare" = { };
- "keys/telegram_bot" = { };
- "misc/cvt-jira-link" = { };
- "rafiq/hashedPassword".neededForUsers = true;
- "rafiq/personalEmailPassword" = { };
- "rafiq/workEmailPassword" = { };
- "rafiq/oldSMBCredentials" = { };
- "librechat/creds_key" = { };
- "librechat/creds_iv" = { };
- "librechat/jwt_secret" = { };
- "librechat/jwt_refresh_secret" = { };
- "librechat/meili_master_key" = { };
- };
- templates = {
- "smb-credentials".content = ''
- username=rafiq
- password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
- '';
- };
- };
- environment.shellInit = # sh
- ''
- export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
- export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path})
- export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path})
- '';
-}
diff --git a/modules/nixos/system/users.nix b/modules/nixos/system/users.nix
deleted file mode 100644
index fa7cb84..0000000
--- a/modules/nixos/system/users.nix
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - config, - lib, - ... -}: -{ - config = lib.mkMerge [ - { - users.mutableUsers = false; - users.groups.users = { - gid = 100; - members = [ "${config.system.mainUser.name}" ]; - }; - users.users."${config.system.mainUser.name}" = { - linger = true; - uid = 1000; - isNormalUser = true; - hashedPasswordFile = config.sops.secrets."${config.system.mainUser.name}/hashedPassword".path; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ config.system.mainUser.publicKey ]; - }; - users.users.root.openssh.authorizedKeys.keys = lib.singleton config.system.mainUser.publicKey; - services.getty.autologinUser = config.system.mainUser.name; - security.sudo.wheelNeedsPassword = false; - } - ]; -} diff --git a/systems/x86_64-linux/apollo/default.nix b/systems/x86_64-linux/apollo/default.nix index bc6cb05..e9755cf 100644 --- a/systems/x86_64-linux/apollo/default.nix +++ b/systems/x86_64-linux/apollo/default.nix @@ -4,9 +4,9 @@ }: { imports = lib.singleton ../common.nix; + hostname = "apollo"; system = { - hostname = "apollo"; bootloader = "systemd-boot"; }; diff --git a/systems/x86_64-linux/common.nix b/systems/x86_64-linux/common.nix index 6c86ad7..1ac9116 100644 --- a/systems/x86_64-linux/common.nix +++ b/systems/x86_64-linux/common.nix @@ -3,7 +3,7 @@ let inherit (pkgs) zsh; in { - system.mainUser = { + mainUser = { name = "rafiq"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"; email = "rafiq@rrv.sh"; diff --git a/systems/x86_64-linux/mellinoe/default.nix b/systems/x86_64-linux/mellinoe/default.nix index dcd3141..e5835db 100644 --- a/systems/x86_64-linux/mellinoe/default.nix +++ b/systems/x86_64-linux/mellinoe/default.nix @@ -3,9 +3,9 @@ ../common.nix ../desktop.nix ]; + hostname = "mellinoe"; system = { - hostname = "mellinoe"; bootloader = "systemd-boot"; }; diff --git a/systems/x86_64-linux/nemesis/default.nix b/systems/x86_64-linux/nemesis/default.nix index fe75eec..3899119 100644 
--- a/systems/x86_64-linux/nemesis/default.nix +++ b/systems/x86_64-linux/nemesis/default.nix @@ -3,9 +3,9 @@ ../common.nix ../desktop.nix ]; + hostname = "nemesis"; system = { - hostname = "nemesis"; bootloader = "systemd-boot"; };