Consolidated and moved modules/{nixos,darwin} to modules/system

README.md

@@ -14,8 +14,8 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin,
   - miyagi - my work machine[^1]
 - modules - options which in principle should be reusable by others
   - */common - common options between my machines which aren't meant to be reusable by others
-  - nixos
-    - settei - my opinionated nixos options
+  - system
+    - settei - my opinionated nixos/nix-darwin options
   - flake - flake-parts modules
 - secrets - agenix secrets
 - wrappers - nix packages wrapped with my configs (see: [wrapper-manager](https://github.com/viperML/wrapper-manager))

modules/darwin/common/default.nix

@@ -1,7 +0,0 @@
-{
-  imports = [
-    ../../shared/common
-  ];
-
-  system.stateVersion = 4;
-}

modules/darwin/default.nix

@@ -1,6 +0,0 @@
-{config, ...}: {
-  flake.darwinModules = {
-    settei = import ./settei {inherit (config) perInput;};
-    common = ./common;
-  };
-}

modules/darwin/settei/default.nix

@@ -1,6 +0,0 @@
-{perInput}: {
-  imports = [
-    (import ../../shared/settei {inherit perInput;})
-    ./sane-defaults.nix
-  ];
-}

modules/darwin/settei/sane-defaults.nix

@@ -1,15 +0,0 @@
-# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix
-{
-  config,
-  lib,
-  username,
-  ...
-}: {
-  config = lib.mkIf config.settei.sane-defaults.enable {
-    services.nix-daemon.enable = true;
-
-    security.pam.enableSudoTouchIdAuth = true;
-
-    users.users.${username}.home = "/Users/${username}";
-  };
-}

modules/default.nix

@@ -1,7 +1,6 @@
 {
   imports = [
-    ./nixos
-    ./darwin
+    ./system
     ./flake
   ];
 }

modules/nixos/common/default.nix

@@ -1,17 +0,0 @@
-{lib, ...}: {
-  imports = [
-    ../../shared/common
-    ./hercules.nix
-  ];
-
-  system.stateVersion = "22.05";
-
-  # https://github.com/NixOS/nixpkgs/issues/254807
-  boot.swraid.enable = false;
-
-  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
-
-  settei.user.config = {
-    services.ssh-agent.enable = true;
-  };
-}

modules/nixos/common/hercules.nix

@@ -1,34 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}: {
-  _file = ./hercules.nix;
-
-  options.common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
-
-  config = let
-    herculesUser = config.systemd.services.hercules-ci-agent.serviceConfig.User;
-  in
-    lib.mkIf config.common.hercules.enable {
-      age.secrets.hercules-token = {
-        file = ../../../secrets/hercules-token.age;
-        owner = herculesUser;
-      };
-      age.secrets.hercules-cache = {
-        file = ../../../secrets/hercules-cache.age;
-        owner = herculesUser;
-      };
-
-      services.hercules-ci-agent = {
-        enable = true;
-        settings = {
-          clusterJoinTokenPath = config.age.secrets.hercules-token.path;
-          concurrentTasks = lib.mkDefault 4;
-          binaryCachesPath = config.age.secrets.hercules-cache.path;
-          secretsJsonPath = pkgs.writeText "secrets.json" "{}";
-        };
-      };
-    };
-}

modules/nixos/default.nix

@@ -1,6 +0,0 @@
-{config, ...}: {
-  flake.nixosModules = {
-    settei = import ./settei {inherit (config) perInput;};
-    common = ./common;
-  };
-}

modules/nixos/settei/default.nix

@@ -1,6 +0,0 @@
-{perInput}: {
-  imports = [
-    (import ../../shared/settei {inherit perInput;})
-    ./sane-defaults.nix
-  ];
-}

modules/nixos/settei/sane-defaults.nix

@@ -1,56 +0,0 @@
-# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix
-{
-  config,
-  username,
-  lib,
-  ...
-} @ args: let
-  cfg = config.settei.sane-defaults;
-  nmEnabled = config.networking.networkmanager.enable;
-in {
-  config = lib.mkIf cfg.enable {
-    hardware.enableRedistributableFirmware = true;
-
-    services.openssh.enable = true;
-    programs.mosh.enable = lib.mkDefault true;
-
-    users = {
-      mutableUsers = false;
-      users.${username} = {
-        isNormalUser = true;
-        home = "/home/${username}";
-        group = username;
-        extraGroups = ["wheel"];
-        # FIXME: Move to common
-        openssh.authorizedKeys.keys = let
-          configName' =
-            args.configurationName
-            or (throw "pass configurationName to module arguments or set users.users.${username}.openssh.authorizedKeys yourself");
-          filteredKeys = lib.filterAttrs (name: _: name != configName') cfg.allSshKeys;
-        in
-          lib.mkDefault (lib.attrValues filteredKeys);
-      };
-      groups.${username} = {};
-    };
-
-    # TODO: Actually this should be extraRules which makes wheel users without any password set
-    #       be able to use sudo with no password
-    security.sudo.wheelNeedsPassword = false;
-
-    # When NetworkManager isn't in use, add tailscale DNS address manually
-    # FIXME: Move to common
-    networking = lib.mkIf (!nmEnabled && config.services.tailscale.enable && cfg.tailnet != null) {
-      nameservers = [
-        "100.100.100.100"
-        "1.1.1.1"
-        "1.0.0.1"
-      ];
-      search = [cfg.tailnet];
-    };
-
-    # NetworkManager probably means desktop system so we don't want to slow down boot times
-    systemd.services = lib.mkIf nmEnabled {
-      NetworkManager-wait-online.enable = false;
-    };
-  };
-}

modules/shared/common/default.nix

@@ -1,24 +0,0 @@
-{
-  config,
-  configurationName,
-  lib,
-  ...
-}: {
-  settei.user.config = {
-    programs.git = {
-      enable = true;
-      difftastic.enable = true;
-      lfs.enable = true;
-      userName = "Nikodem Rabuliński";
-      userEmail = lib.mkDefault "nikodem@rabulinski.com";
-      signing = {
-        key = config.settei.sane-defaults.allSshKeys.${configurationName};
-        signByDefault = true;
-      };
-      extraConfig = {
-        gpg.format = "ssh";
-        push.followTags = true;
-      };
-    };
-  };
-}

modules/shared/settei/sane-defaults.nix

@@ -1,65 +0,0 @@
-# This module is supposed to be a reusable set of options you probably would want to set anyway.
-# For options specific to nixos or darwin go to modules/{nixos,darwin}/settei/sane-defaults.nix
-{
-  config,
-  pkgs,
-  lib,
-  ...
-} @ args: {
-  _file = ./sane-defaults.nix;
-
-  options.settei.sane-defaults = with lib; {
-    enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)";
-    allSshKeys = mkOption {
-      type = types.attrsOf types.singleLineStr;
-      default = {};
-    };
-    tailnet = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-    };
-  };
-
-  config = lib.mkIf config.settei.sane-defaults.enable (let
-    cfg = config.settei;
-    inherit (cfg) username;
-    adminNeedsPassword = pkgs.stdenv.isLinux -> config.security.sudo.wheelNeedsPassword;
-  in {
-    _module.args = {
-      username = lib.mkDefault username;
-    };
-
-    # FIXME: Move to common
-    services.tailscale.enable = true;
-
-    networking.hostName = lib.mkDefault (
-      args.configurationName
-      or (throw "pass configurationName to module arguments or set networking.hostName yourself")
-    );
-
-    # Flakes are unusable without git present so pull it into the environment by default
-    settei.user.config.programs.git.enable = lib.mkDefault true;
-
-    nix = {
-      settings = {
-        experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
-        trusted-users = lib.optionals (!adminNeedsPassword) [username];
-        auto-allocate-uids = true;
-        extra-substituters = [
-          "https://hyprland.cachix.org"
-          "https://cache.garnix.io"
-          "https://nix-community.cachix.org"
-          "https://hercules-ci.cachix.org"
-          "https://nrabulinski.cachix.org"
-        ];
-        trusted-public-keys = [
-          "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-          "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
-          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-          "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
-          "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic="
-        ];
-      };
-    };
-  });
-}

modules/system/common/default.nix

@@ -0,0 +1,56 @@
+{isLinux}: {
+  config,
+  configurationName,
+  lib,
+  pkgs,
+  ...
+}: let
+  sharedConfig = {
+    settei.user.config = {
+      programs.git = {
+        enable = true;
+        difftastic.enable = true;
+        lfs.enable = true;
+        userName = "Nikodem Rabuliński";
+        userEmail = lib.mkDefault "nikodem@rabulinski.com";
+        signing = {
+          key = config.settei.sane-defaults.allSshKeys.${configurationName};
+          signByDefault = true;
+        };
+        extraConfig = {
+          gpg.format = "ssh";
+          push.followTags = true;
+        };
+      };
+    };
+  };
+
+  linuxConfig = lib.optionalAttrs isLinux {
+    system.stateVersion = "22.05";
+
+    # https://github.com/NixOS/nixpkgs/issues/254807
+    boot.swraid.enable = false;
+
+    i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+
+    settei.user.config = {
+      services.ssh-agent.enable = true;
+    };
+  };
+
+  darwinConfig = lib.optionalAttrs (!isLinux) {
+    system.stateVersion = 4;
+  };
+in {
+  _file = ./default.nix;
+
+  imports = [
+    (import ./hercules.nix {inherit isLinux;})
+  ];
+
+  config = lib.mkMerge [
+    sharedConfig
+    linuxConfig
+    darwinConfig
+  ];
+}

modules/system/common/hercules.nix

@@ -0,0 +1,40 @@
+{isLinux}: {
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  options = {
+    common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
+  };
+
+  herculesUser =
+    if isLinux
+    then config.systemd.services.hercules-ci-agent.serviceConfig.User
+    else config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName;
+in {
+  _file = ./hercules.nix;
+
+  inherit options;
+
+  config = lib.mkIf config.common.hercules.enable {
+    age.secrets.hercules-token = {
+      file = ../../../secrets/hercules-token.age;
+      owner = herculesUser;
+    };
+    age.secrets.hercules-cache = {
+      file = ../../../secrets/hercules-cache.age;
+      owner = herculesUser;
+    };
+
+    services.hercules-ci-agent = {
+      enable = true;
+      settings = {
+        clusterJoinTokenPath = config.age.secrets.hercules-token.path;
+        concurrentTasks = lib.mkDefault 4;
+        binaryCachesPath = config.age.secrets.hercules-cache.path;
+        secretsJsonPath = pkgs.writeText "secrets.json" "{}";
+      };
+    };
+  };
+}

modules/system/default.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  flake = lib.genAttrs ["nixosModules" "darwinModules"] (attr: let
+    isLinux = lib.hasPrefix "nixos" attr;
+  in {
+    settei = import ./settei {
+      inherit (config) perInput;
+      inherit isLinux;
+    };
+    common = import ./common {
+      inherit isLinux;
+    };
+  });
+}

modules/system/settei/default.nix

@@ -1,12 +1,18 @@
-{perInput}: {
+{
+  perInput,
+  # TODO: Figure out a nicer way of doing this without infrec?
+  isLinux,
+}: {
   lib,
+  pkgs,
   config,
+  options,
   ...
 }: {
   _file = ./default.nix;
 
   imports = [
-    ./sane-defaults.nix
+    (import ./sane-defaults.nix {inherit isLinux;})
     (import ./flake-qol.nix {inherit perInput;})
     ./user.nix
   ];

modules/system/settei/sane-defaults.nix

@@ -0,0 +1,130 @@
+{isLinux}: {
+  config,
+  lib,
+  username,
+  ...
+} @ args: let
+  options = {
+    settei.sane-defaults = with lib; {
+      enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)";
+      allSshKeys = mkOption {
+        type = types.attrsOf types.singleLineStr;
+        default = {};
+      };
+      tailnet = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+    };
+  };
+
+  sharedConfig = let
+    cfg = config.settei;
+    inherit (cfg) username;
+    adminNeedsPassword = isLinux -> config.security.sudo.wheelNeedsPassword;
+  in {
+    _module.args = {
+      username = lib.mkDefault username;
+    };
+
+    # FIXME: Move to common
+    services.tailscale.enable = true;
+
+    networking.hostName = lib.mkDefault (
+      args.configurationName
+      or (throw "pass configurationName to module arguments or set networking.hostName yourself")
+    );
+
+    # Flakes are unusable without git present so pull it into the environment by default
+    settei.user.config.programs.git.enable = lib.mkDefault true;
+
+    nix = {
+      settings = {
+        experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
+        trusted-users = lib.optionals (!adminNeedsPassword) [username];
+        auto-allocate-uids = true;
+        extra-substituters = [
+          "https://hyprland.cachix.org"
+          "https://cache.garnix.io"
+          "https://nix-community.cachix.org"
+          "https://hercules-ci.cachix.org"
+          "https://nrabulinski.cachix.org"
+        ];
+        trusted-public-keys = [
+          "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+          "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+          "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
+          "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic="
+        ];
+      };
+    };
+  };
+
+  linuxConfig = lib.optionalAttrs isLinux (let
+    cfg = config.settei.sane-defaults;
+    nmEnabled = config.networking.networkmanager.enable;
+  in {
+    hardware.enableRedistributableFirmware = true;
+
+    services.openssh.enable = true;
+    programs.mosh.enable = lib.mkDefault true;
+
+    users = {
+      mutableUsers = false;
+      users.${username} = {
+        isNormalUser = true;
+        home = "/home/${username}";
+        group = username;
+        extraGroups = ["wheel"];
+        # FIXME: Move to common
+        openssh.authorizedKeys.keys = let
+          configName' =
+            args.configurationName
+            or (throw "pass configurationName to module arguments or set users.users.${username}.openssh.authorizedKeys yourself");
+          filteredKeys = lib.filterAttrs (name: _: name != configName') cfg.allSshKeys;
+        in
+          lib.mkDefault (lib.attrValues filteredKeys);
+      };
+      groups.${username} = {};
+    };
+
+    # TODO: Actually this should be extraRules which makes wheel users without any password set
+    #       be able to use sudo with no password
+    security.sudo.wheelNeedsPassword = false;
+
+    # When NetworkManager isn't in use, add tailscale DNS address manually
+    # FIXME: Move to common
+    networking = lib.mkIf (!nmEnabled && config.services.tailscale.enable && cfg.tailnet != null) {
+      nameservers = [
+        "100.100.100.100"
+        "1.1.1.1"
+        "1.0.0.1"
+      ];
+      search = [cfg.tailnet];
+    };
+
+    # NetworkManager probably means desktop system so we don't want to slow down boot times
+    systemd.services = lib.mkIf nmEnabled {
+      NetworkManager-wait-online.enable = false;
+    };
+  });
+
+  darwinConfig = lib.optionalAttrs (!isLinux) {
+    services.nix-daemon.enable = true;
+
+    security.pam.enableSudoTouchIdAuth = true;
+
+    users.users.${username}.home = "/Users/${username}";
+  };
+in {
+  _file = ./sane-defaults.nix;
+
+  inherit options;
+
+  config = lib.mkIf config.settei.sane-defaults.enable (lib.mkMerge [
+    sharedConfig
+    linuxConfig
+    darwinConfig
+  ]);
+}

modules/system/settei/user.nix

@@ -43,7 +43,8 @@ in {
       };
     };
   in
-    lib.mkIf cfg.enable ({
+    lib.mkIf cfg.enable (lib.mkMerge [
+      {
         assertions = [
           {
             assertion = hasHomeManager;
@@ -51,5 +52,6 @@ in {
           }
         ];
       }
-      // hmConfig);
+      hmConfig
+    ]);
 }