rrvsh/pantheon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(nixos): move system config options to main nixos module

Browse source
This commit is contained in:
Mohammad Rafiq 2025-06-16 19:17:47 +08:00
parent bf63f44875
commit 91c2790b62
No known key found for this signature in database
20 changed files with 124 additions and 149 deletions
Download patch file Download diff file Expand all files Collapse all files

2
homes/x86_64-linux/rafiq/cli/multiplexer.nix
View file

@ -17,7 +17,7 @@
default_tab_template { default_tab_template {
pane size=1 borderless=true { pane size=1 borderless=true {
plugin location="file:${pkgs.zjstatus}/bin/zjstatus.wasm" { plugin location="file:${pkgs.zjstatus}/bin/zjstatus.wasm" {
format_left "{mode} ${osConfig.system.hostname}" format_left "{mode} ${osConfig.hostname}"
format_center "{tabs}" format_center "{tabs}"
format_right "{datetime}" format_right "{datetime}"
format_space "" format_space ""

2
lib/modules/default.nix
View file

@ -27,7 +27,7 @@ let
server.networking.ddns.domains = singleton (mkRootDomain cfg.domain); server.networking.ddns.domains = singleton (mkRootDomain cfg.domain);
server.web-servers.nginx.proxies = singleton { server.web-servers.nginx.proxies = singleton {
source = cfg.domain; source = cfg.domain;
target = "http://${config.system.hostname}:${toString cfg.port}"; target = "http://${config.hostname}:${toString cfg.port}";
}; };
}; };
in in

84
modules/nixos/default.nix
View file

@ -1,4 +1,10 @@
{ lib, config, ... }: {
inputs,
lib,
config,
pkgs,
...
}:
let let
inherit (lib) mkOption; inherit (lib) mkOption;
inherit (lib.types) inherit (lib.types)
@ -7,6 +13,7 @@ let
coercedTo coercedTo
submodule submodule
; ;
inherit (lib.pantheon) mkStrOption;
rootDir = submodule { rootDir = submodule {
options = { options = {
directory = mkOption { type = str; }; directory = mkOption { type = str; };
@ -27,6 +34,12 @@ let
in in
{ {
options = { options = {
hostname = mkStrOption;
mainUser = {
name = mkStrOption;
publicKey = mkStrOption;
email = mkStrOption;
};
persistDirs = mkOption { persistDirs = mkOption {
type = listOf (coercedTo str (d: { directory = d; }) rootDir); type = listOf (coercedTo str (d: { directory = d; }) rootDir);
default = [ ]; default = [ ];
@ -42,5 +55,74 @@ in
"/var/lib/systemd" "/var/lib/systemd"
"/var/lib/nixos" "/var/lib/nixos"
]; ];
stylix = {
enable = true;
base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml";
};
nixpkgs.config.allowUnfree = true;
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
trusted-users = [ "@wheel" ];
};
time.timeZone = "Asia/Singapore";
i18n.defaultLocale = "en_US.UTF-8";
users.mutableUsers = false;
users.groups.users = {
gid = 100;
members = [ "${config.mainUser.name}" ];
};
users.users."${config.mainUser.name}" = {
linger = true;
uid = 1000;
isNormalUser = true;
hashedPasswordFile = config.sops.secrets."${config.mainUser.name}/hashedPassword".path;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ config.mainUser.publicKey ];
};
users.users.root.openssh.authorizedKeys.keys = lib.singleton config.mainUser.publicKey;
services.getty.autologinUser = config.mainUser.name;
security.sudo.wheelNeedsPassword = false;
sops = {
defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
secrets = {
"keys/openrouter" = { };
"keys/tailscale" = { };
"keys/gemini" = { };
"keys/cvt-jira" = { };
"keys/cloudflare" = { };
"keys/telegram_bot" = { };
"misc/cvt-jira-link" = { };
"rafiq/hashedPassword".neededForUsers = true;
"rafiq/personalEmailPassword" = { };
"rafiq/workEmailPassword" = { };
"rafiq/oldSMBCredentials" = { };
"librechat/creds_key" = { };
"librechat/creds_iv" = { };
"librechat/jwt_secret" = { };
"librechat/jwt_refresh_secret" = { };
"librechat/meili_master_key" = { };
};
templates = {
"smb-credentials".content = ''
username=rafiq
password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
'';
};
};
environment.shellInit = # sh
''
export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path})
export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path})
'';
system.stateVersion = "25.05"; # Did you read the comment?
}; };
} }

0
modules/nixos/hardware/audio.nix → modules/nixos/desktop/audio/default.nix
View file

4
modules/nixos/desktop/services/default.nix
View file

@ -22,7 +22,7 @@ in
capSysAdmin = true; capSysAdmin = true;
openFirewall = true; openFirewall = true;
settings = { settings = {
sunshine_name = config.system.hostname; sunshine_name = config.hostname;
origin_web_ui_allowed = "wan"; origin_web_ui_allowed = "wan";
}; };
applications = { }; applications = { };
@ -35,7 +35,7 @@ in
home-manager.sharedModules = singleton { home-manager.sharedModules = singleton {
services.spotifyd.enable = true; services.spotifyd.enable = true;
services.spotifyd.settings.global = { services.spotifyd.settings.global = {
device_name = "${config.system.hostname}"; device_name = "${config.hostname}";
device_type = "computer"; device_type = "computer";
zeroconf_port = 5353; zeroconf_port = 5353;
}; };

40
modules/nixos/hardware/default.nix
View file

@ -1,37 +1,15 @@
{ { lib, ... }:
lib,
config,
...
}:
let let
inherit (lib) singleton; inherit (lib) singleton;
in in
{ {
imports = [ config = {
./audio.nix services.fwupd.enable = true;
]; persistDirs = singleton "/var/lib/bluetooth";
hardware.bluetooth = {
options.hardware = { enable = true;
platform = lib.pantheon.mkStrOption; settings.General.Experimental = true;
};
hardware.xone.enable = true;
}; };
config = lib.mkMerge [
{
services.fwupd.enable = true;
persistDirs = singleton "/var/lib/bluetooth";
hardware.bluetooth = {
enable = true;
settings.General.Experimental = true;
};
hardware.xone.enable = true;
}
(lib.mkIf (config.hardware.platform == "amd") {
hardware.cpu.amd.updateMicrocode = true;
boot.kernelModules = [ "kvm-amd" ];
})
(lib.mkIf (config.hardware.platform == "intel") {
hardware.cpu.intel.updateMicrocode = true;
boot.kernelModules = [ "kvm-intel" ];
})
];
} }

3
modules/nixos/hardware/platform/default.nix Normal file
View file

@ -0,0 +1,3 @@
{
imports = [ ./x86_64.nix ];
}

18
modules/nixos/hardware/platform/x86_64.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, lib, ... }:
let
inherit (lib) singleton mkOption;
inherit (lib.types) enum;
cfg = config.hardware.platform;
in
{
options.hardware.platform = mkOption {
type = enum [
"amd"
"intel"
];
};
config = {
hardware.cpu.${cfg}.updateMicrocode = true;
boot.kernelModules = singleton "kvm-${cfg}";
};
}

2
modules/nixos/networking/default.nix
View file

@ -6,7 +6,7 @@ in
networking = { networking = {
enableIPv6 = false; enableIPv6 = false;
useDHCP = mkDefault true; useDHCP = mkDefault true;
hostName = config.system.hostname; hostName = config.hostname;
networkmanager.enable = true; networkmanager.enable = true;
}; };

2
modules/nixos/server/web-apps/librechat/default.nix
View file

@ -20,7 +20,7 @@ mkWebApp {
inherit (upstreamCfg) user group; inherit (upstreamCfg) user group;
}; };
extraOptions.mongodbURI = mkStrOption // { extraOptions.mongodbURI = mkStrOption // {
default = "mongodb://${config.system.hostname}:27017/LibreChat"; default = "mongodb://${config.hostname}:27017/LibreChat";
}; };
extraConfig = { extraConfig = {
services.librechat = { services.librechat = {

2
modules/nixos/server/web-servers/default.nix
View file

@ -18,7 +18,7 @@ in
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
inherit (config.system.mainUser) email; inherit (config.mainUser) email;
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path; credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
}; };

16
modules/nixos/system/default.nix
View file

@ -7,25 +7,9 @@
{ {
imports = [ imports = [
./boot.nix ./boot.nix
./users.nix
./localisation.nix
./nix-config.nix
./secrets.nix
]; ];
options.system = { options.system = {
hostname = lib.pantheon.mkStrOption;
mainUser.name = lib.pantheon.mkStrOption;
mainUser.publicKey = lib.pantheon.mkStrOption;
mainUser.email = lib.pantheon.mkStrOption;
bootloader = lib.pantheon.mkStrOption; bootloader = lib.pantheon.mkStrOption;
}; };
config = {
stylix = {
enable = true;
base16Scheme = "${pkgs.base16-schemes}/share/themes/atelier-cave.yaml";
};
system.stateVersion = "25.05"; # Did you read the comment?
};
} }

9
modules/nixos/system/localisation.nix
View file

@ -1,9 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkMerge [
{
time.timeZone = "Asia/Singapore";
i18n.defaultLocale = "en_US.UTF-8";
}
];
}

17
modules/nixos/system/nix-config.nix
View file

@ -1,17 +0,0 @@
{ config, inputs, ... }:
{
config = {
nixpkgs.config.allowUnfree = true;
nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
nix.settings = {
experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
trusted-users = [ "@wheel" ];
};
};
}

37
modules/nixos/system/secrets.nix
View file

@ -1,37 +0,0 @@
{ lib, config, ... }:
{
sops = {
defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
age.sshKeyPaths = [ "/persist/home/rafiq/.ssh/id_ed25519" ];
secrets = {
"keys/openrouter" = { };
"keys/tailscale" = { };
"keys/gemini" = { };
"keys/cvt-jira" = { };
"keys/cloudflare" = { };
"keys/telegram_bot" = { };
"misc/cvt-jira-link" = { };
"rafiq/hashedPassword".neededForUsers = true;
"rafiq/personalEmailPassword" = { };
"rafiq/workEmailPassword" = { };
"rafiq/oldSMBCredentials" = { };
"librechat/creds_key" = { };
"librechat/creds_iv" = { };
"librechat/jwt_secret" = { };
"librechat/jwt_refresh_secret" = { };
"librechat/meili_master_key" = { };
};
templates = {
"smb-credentials".content = ''
username=rafiq
password=${config.sops.placeholder."rafiq/oldSMBCredentials"}
'';
};
};
environment.shellInit = # sh
''
export GEMINI_API_KEY=$(sudo cat ${config.sops.secrets."keys/gemini".path})
export CVT_JIRA_KEY=$(sudo cat ${config.sops.secrets."keys/cvt-jira".path})
export CVT_JIRA_LINK=$(sudo cat ${config.sops.secrets."misc/cvt-jira-link".path})
'';
}

27
modules/nixos/system/users.nix
View file

@ -1,27 +0,0 @@
{
config,
lib,
...
}:
{
config = lib.mkMerge [
{
users.mutableUsers = false;
users.groups.users = {
gid = 100;
members = [ "${config.system.mainUser.name}" ];
};
users.users."${config.system.mainUser.name}" = {
linger = true;
uid = 1000;
isNormalUser = true;
hashedPasswordFile = config.sops.secrets."${config.system.mainUser.name}/hashedPassword".path;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ config.system.mainUser.publicKey ];
};
users.users.root.openssh.authorizedKeys.keys = lib.singleton config.system.mainUser.publicKey;
services.getty.autologinUser = config.system.mainUser.name;
security.sudo.wheelNeedsPassword = false;
}
];
}

2
systems/x86_64-linux/apollo/default.nix
View file

@ -4,9 +4,9 @@
}: }:
{ {
imports = lib.singleton ../common.nix; imports = lib.singleton ../common.nix;
hostname = "apollo";
system = { system = {
hostname = "apollo";
bootloader = "systemd-boot"; bootloader = "systemd-boot";
}; };

2
systems/x86_64-linux/common.nix
View file

@ -3,7 +3,7 @@ let
inherit (pkgs) zsh; inherit (pkgs) zsh;
in in
{ {
system.mainUser = { mainUser = {
name = "rafiq"; name = "rafiq";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n";
email = "rafiq@rrv.sh"; email = "rafiq@rrv.sh";

2
systems/x86_64-linux/mellinoe/default.nix
View file

@ -3,9 +3,9 @@
../common.nix ../common.nix
../desktop.nix ../desktop.nix
]; ];
hostname = "mellinoe";
system = { system = {
hostname = "mellinoe";
bootloader = "systemd-boot"; bootloader = "systemd-boot";
}; };

2
systems/x86_64-linux/nemesis/default.nix
View file

@ -3,9 +3,9 @@
../common.nix ../common.nix
../desktop.nix ../desktop.nix
]; ];
hostname = "nemesis";
system = { system = {
hostname = "nemesis";
bootloader = "systemd-boot"; bootloader = "systemd-boot";
}; };