Migrated legion over. Started migrating hijiri

README.md

@@ -8,7 +8,7 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin,
 ## Project structure
 - hosts - per-machine configurations
   - kazuki - my linux arm server
-  - legion - my linux x86 server[^1]
+  - legion - my linux x86 server
   - hijiri - my macbook[^1]
   - hijiri-vm - linux vm running on my macbook
   - miyagi - my work machine[^1]

assets/ssh.nix

@@ -13,5 +13,6 @@
 
   system = {
     kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyYhYWDNmKSrpcslD3NzWW+lQmDcLJdjLh7CSkL4hW5 root@kazuki";
+    legion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Ktyj0FSn8KLRwRGd0Tp/qNUPXV7+XyxAsWGWdMYp8 root@legion";
   };
 }

effects.nix

@@ -1,4 +1,4 @@
-{self, ...}: {
+{
   defaultEffectSystem = "aarch64-linux";
 
   hercules-ci = {
@@ -7,12 +7,4 @@
       when.dayOfWeek = "Mon";
     };
   };
-
-  herculesCI = {
-    onPush = {
-      default.enable = true;
-
-      wrappers.outputs = self.packages.aarch64-linux;
-    };
-  };
 }

flake.lock

@@ -282,6 +282,30 @@
         "type": "gitlab"
       }
     },
+    "nh": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nix-filter": "nix-filter",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1694971480,
+        "narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=",
+        "owner": "viperML",
+        "repo": "nh",
+        "rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "viperML",
+        "repo": "nh",
+        "type": "github"
+      }
+    },
     "niko-nur": {
       "inputs": {
         "flake-parts": [
@@ -303,6 +327,21 @@
         "type": "github"
       }
     },
+    "nix-filter": {
+      "locked": {
+        "lastModified": 1687178632,
+        "narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1687274257,
@@ -441,6 +480,7 @@
         "hercules-ci-effects": "hercules-ci-effects",
         "home-manager": "home-manager",
         "mailserver": "mailserver",
+        "nh": "nh",
         "niko-nur": "niko-nur",
         "nixpkgs": "nixpkgs_5",
         "racket": "racket",

flake.nix

@@ -19,15 +19,19 @@
       ];
 
       perSystem = {
-        pkgs,
         inputs',
+        pkgs,
+        lib,
         ...
       }: {
         devShells.default = pkgs.mkShellNoCC {
-          packages = [
+          packages =
+            [
               inputs'.deploy-rs.packages.deploy-rs
               inputs'.agenix.packages.agenix
-          ];
+            ]
+            # TODO: Contribute darwin support to nh
+            ++ lib.optionals (!pkgs.stdenv.isDarwin) [inputs'.nh.packages.default];
         };
 
         formatter = pkgs.alejandra;
@@ -54,11 +58,9 @@
     };
     niko-nur = {
       url = "github:nrabulinski/nur-packages";
-      inputs = {
       # Not overriding nixpkgs to get cache hits
-        # nixpkgs.follows = "nixpkgs";
+      # inputs.nixpkgs.follows = "nixpkgs";
-        flake-parts.follows = "flake-parts";
+      inputs.flake-parts.follows = "flake-parts";
-      };
     };
     darwin = {
       url = "github:lnl7/nix-darwin";
@@ -68,11 +70,9 @@
     darwin-old-for-agenix.url = "github:lnl7/nix-darwin/22620845fee1cc16f4ea639509c50fd989ccc1ce";
     agenix = {
       url = "github:ryantm/agenix";
-      inputs = {
+      inputs.nixpkgs.follows = "nixpkgs";
-        nixpkgs.follows = "nixpkgs";
+      inputs.darwin.follows = "darwin-old-for-agenix";
-        darwin.follows = "darwin-old-for-agenix";
+      inputs.home-manager.follows = "home-manager";
-        home-manager.follows = "home-manager";
-      };
     };
     mailserver = {
       url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
@@ -84,10 +84,8 @@
     };
     wrapper-manager-hm-compat = {
       url = "github:nrabulinski/wrapper-manager-hm-compat";
-      inputs = {
+      inputs.nixpkgs.follows = "nixpkgs";
-        nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
-        home-manager.follows = "home-manager";
-      };
     };
     # stylix = {
     #   url = "github:danth/stylix";
@@ -106,10 +104,13 @@
     };
     hercules-ci-effects = {
       url = "github:hercules-ci/hercules-ci-effects";
-      inputs = {
+      inputs.flake-parts.follows = "flake-parts";
-        flake-parts.follows = "flake-parts";
+      inputs.hercules-ci-agent.follows = "hercules-ci-agent";
-        hercules-ci-agent.follows = "hercules-ci-agent";
     };
+    nh = {
+      url = "github:viperML/nh";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-parts.follows = "flake-parts";
     };
   };
 
@@ -120,6 +121,7 @@
       "https://nix-community.cachix.org"
       "https://cache.nixos.org/"
       "https://hercules-ci.cachix.org"
+      "https://nrabulinski.cachix.org"
     ];
     trusted-public-keys = [
       "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
@@ -127,6 +129,7 @@
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
       "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
+      "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic="
     ];
   };
 }

hosts/default.nix

@@ -5,10 +5,16 @@
   lib,
   ...
 }: {
-  builders = {
+  imports = [
-    nixos = name: module: let
+    ./kazuki
-      defaultOptions = {
+    ./hijiri-vm
-        username,
+    ./hijiri
+    ./legion
+    ./installer
+  ];
+
+  builders = let
+    sharedOptions = {
       inputs',
       lib,
       ...
@@ -28,12 +34,25 @@
         user = {
           enable = true;
           config = {
-              home.packages = lib.attrValues inputs'.settei.packages;
+            home.packages = let
+              wrappers = lib.attrValues inputs'.settei.packages;
+              extraPkgs = [inputs'.nh.packages.default];
+            in
+              wrappers ++ extraPkgs;
+
+            programs.git.enable = true;
+            home.sessionVariables.EDITOR = "hx";
           };
         };
       };
 
       time.timeZone = lib.mkDefault "Europe/Warsaw";
+    };
+  in {
+    nixos = name: module: let
+      defaultOptions = {
+        _file = ./default.nix;
+
         i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
       };
     in
@@ -46,17 +65,29 @@
           inputs.hercules-ci-agent.nixosModules.agent-service
           self.nixosModules.settei
           self.nixosModules.common
+          sharedOptions
+          defaultOptions
+          module
+        ];
+        specialArgs.configurationName = name;
+      };
+
+    darwin = name: module: let
+      defaultOptions = {
+        _file = ./default.nix;
+      };
+    in
+      inputs.darwin.lib.darwinSystem {
+        modules = [
+          inputs.agenix.darwinModules.age
+          inputs.home-manager.darwinModules.home-manager
+          inputs.hercules-ci-agent.darwinModules.agent-service
+          self.darwinModules.settei
+          sharedOptions
           defaultOptions
           module
         ];
         specialArgs.configurationName = name;
       };
   };
-
-  imports = [
-    ./kazuki
-    ./hijiri-vm
-    # ./legion
-    ./installer
-  ];
 }

hosts/hijiri-vm/default.nix

@@ -1,9 +1,4 @@
 {
-  self,
-  inputs,
-  config,
-  ...
-}: {
   configurations.nixos.hijiri-vm = {
     modulesPath,
     lib,
@@ -15,7 +10,7 @@
       ./disks.nix
     ];
 
-    nixpkgs.system = "aarch64-linux";
+    nixpkgs.hostPlatform = "aarch64-linux";
 
     boot = {
       loader.systemd-boot.enable = true;

hosts/hijiri/default.nix

@@ -0,0 +1,5 @@
+{
+  configurations.darwin.hijiri = {
+    nixpkgs.hostPlatform = "aarch64-darwin";
+  };
+}

hosts/kazuki/default.nix

@@ -1,9 +1,6 @@
 {
-  config,
-  self,
-  ...
-}: {
   configurations.nixos.kazuki = {
+    config,
     modulesPath,
     lib,
     ...
@@ -17,7 +14,7 @@
       ./vault.nix
     ];
 
-    nixpkgs.system = "aarch64-linux";
+    nixpkgs.hostPlatform = "aarch64-linux";
 
     boot = {
       loader.systemd-boot.enable = true;
@@ -26,10 +23,5 @@
     };
 
     common.hercules.enable = true;
-    age.secrets.kazuki-cachix = {
-      file = ../../secrets/kazuki-cachix.age;
-      owner = config.systemd.services.hercules-ci-agent.serviceConfig.User;
-    };
-    services.hercules-ci-agent.settings.binaryCachesPath = config.age.secrets.kazuki-cachix.path;
   };
 }

hosts/kazuki/mail.nix

@@ -1,4 +1,5 @@
 {config, ...}: {
+  # nix shell nixpkgs#apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
   age.secrets = {
     leet-nrab-lol.file = ../../secrets/leet-nrab-lol-pass.age;
     alert-nrab-lol.file = ../../secrets/alert-nrab-lol-pass.age;

hosts/legion/default.nix

@@ -1,18 +1,17 @@
-{config, ...}: let
+{
-  inherit (config.assets) sshKeys;
-in {
   configurations.nixos.legion = {
     config,
     lib,
+    username,
     ...
   }: {
     imports = [
       ./hardware.nix
       # ./disks.nix
-      ./initrd.nix
+      ./msmtp.nix
     ];
 
-    nixpkgs.system = "x86_64-linux";
+    nixpkgs.hostPlatform = "x86_64-linux";
 
     specialisation = {
       nas.configuration = ./nas;
@@ -28,10 +27,15 @@ in {
       hostName = "legion";
       hostId = builtins.substring 0 8 (builtins.readFile ./machine-id);
       networkmanager.enable = true;
-      useDHCP = true;
       firewall.trustedInterfaces = ["tailscale0"];
     };
+    systemd.services.NetworkManager-wait-online.enable = false;
 
     powerManagement.cpuFreqGovernor = "performance";
+
+    age.secrets.niko-pass.file = ../../secrets/legion-niko-pass.age;
+    users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;
+
+    common.hercules.enable = true;
   };
 }

hosts/legion/disks.nix

@@ -1,6 +1,10 @@
-args: let
+args:
+/*
+let
   bootDevice = args.bootDevice or "/dev/nvme0n1";
-in {
+in
+*/
+{
   assertions = [
     {
       assertion = false;

hosts/legion/hardware.nix

@@ -1,9 +1,11 @@
-{...}: {
+{config, ...}: {
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "uas"];
   boot.extraModulePackages = with config.boot.kernelPackages; [acpi_call];
   boot.kernelModules = ["kvm-intel" "i2c-dev" "acpi_call"];
   boot.blacklistedKernelModules = ["nouveau"];
 
+  # Needed for enableAllFirmware
+  nixpkgs.config.allowUnfree = true;
   hardware = {
     enableAllFirmware = true;
     cpu.intel.updateMicrocode = true;

hosts/legion/initrd.nix

@@ -1,14 +0,0 @@
-{
-  config,
-  username,
-  ...
-}: {
-  boot.initrd = {
-    availableKernelModules = ["ath10k_pci" "r8169"];
-    network.enable = true;
-    network.ssh = {
-      enable = true;
-      authorizedKeys = config.users.users.${username}.openssh.authorizedKeys.keys;
-    };
-  };
-}

hosts/legion/machine-id

@@ -0,0 +1 @@
+524209a432724c7abaf04398cdd6eecd

hosts/legion/msmtp.nix

@@ -0,0 +1,34 @@
+# TODO: Potentially make this a common module?
+{
+  pkgs,
+  config,
+  username,
+  ...
+}: let
+  mail = "alert@nrab.lol";
+  aliases = pkgs.writeText "mail-aliases" ''
+    ${username}: nikodem@rabulinski.com
+    root: ${mail}
+  '';
+in {
+  age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age;
+
+  programs.msmtp = {
+    enable = true;
+    setSendmail = true;
+    defaults = {
+      inherit aliases;
+      tls = "on";
+      auth = "login";
+      tls_starttls = "off";
+    };
+    accounts = {
+      default = {
+        host = "mail.nrab.lol";
+        passwordeval = "cat ${config.age.secrets.alert-plaintext.path}";
+        user = mail;
+        from = mail;
+      };
+    };
+  };
+}

hosts/legion/nas/default.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  lib,
   username,
   ...
 }: {
@@ -7,7 +8,7 @@
     ./media.nix
   ];
 
-  boot.supportedFilesystems = ["zfs"];
+  boot.supportedFilesystems = ["ext4" "zfs"];
 
   boot.zfs.extraPools = ["yottapool"];
   services.zfs = {
@@ -15,7 +16,7 @@
     zed.settings = {
       ZED_DEBUG_LOG = "/tmp/zed.debug.log";
       ZED_EMAIL_ADDR = [username];
-      ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp";
+      ZED_EMAIL_PROG = lib.getExe pkgs.msmtp;
       ZED_EMAIL_OPTS = "@ADDRESS@";
 
       ZED_NOTIFY_INTERVAL_SECS = 3600;
@@ -26,8 +27,8 @@
     };
   };
 
-  fileSystems."/nix-cache" = {
+  fileSystems."/bulk" = {
-    device = "/dev/disk/by-label/CACHE";
+    device = "/dev/disk/by-label/BULK";
     fsType = "ext4";
   };
 }

hosts/legion/nas/media.nix

@@ -1,4 +1,4 @@
-{
+{username, ...}: {
   services.jellyfin.enable = true;
   services.radarr.enable = true;
   services.sonarr.enable = true;
@@ -13,6 +13,6 @@
     jellyfin.extraGroups = ["radarr" "sonarr"];
     radarr.extraGroups = ["deluge"];
     sonarr.extraGroups = ["deluge"];
-    niko.extraGroups = ["deluge"];
+    ${username}.extraGroups = ["deluge"];
   };
 }

modules/darwin/default.nix

@@ -0,0 +1,5 @@
+{config, ...}: {
+  flake.darwinModules = {
+    settei = import ./settei {inherit (config) perInput;};
+  };
+}

modules/darwin/settei/default.nix

@@ -0,0 +1,6 @@
+{perInput}: {
+  imports = [
+    (import ../../shared/settei {inherit perInput;})
+    ./sane-defaults.nix
+  ];
+}

modules/darwin/settei/sane-defaults.nix

@@ -0,0 +1,17 @@
+# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix
+{
+  config,
+  lib,
+  username,
+  ...
+}: {
+  config = lib.mkIf config.settei.sane-defaults.enable {
+    services.nix-daemon.enable = true;
+
+    security.pam.enableSudoTouchIdAuth = true;
+
+    users.users.${username}.home = "/Users/${username}";
+
+    system.stateVersion = 4;
+  };
+}

modules/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./nixos
+    ./darwin
     ./flake
   ];
 }

modules/flake/configurations.nix

@@ -7,10 +7,8 @@
   lib,
   flake-parts-lib,
   ...
-}: let
+}:
-  inherit (lib) mkOption mapAttrs;
+with lib; {
-  inherit (flake-parts-lib) mkSubmoduleOptions;
-in {
   _file = ./configurations.nix;
 
   options = {
@@ -18,37 +16,36 @@ in {
     # Probably should hardly ever be overriden
     builders = {
       nixos = mkOption {
-        type = lib.types.functionTo lib.types.unspecified;
+        type = types.functionTo types.unspecified;
         default = _name: nixpkgs.lib.nixosSystem;
       };
       darwin = mkOption {
-        type = lib.types.functionTo lib.types.unspecified;
+        type = types.functionTo types.unspecified;
         default = _name: darwin.lib.darwinSystem;
       };
       home = mkOption {
-        type = lib.types.functionTo lib.types.unspecified;
+        type = types.functionTo types.unspecified;
         default = _name: home-manager.lib.homeManagerConfiguration;
       };
     };
 
     configurations = {
       nixos = mkOption {
-        type = lib.types.unspecified;
+        type = types.attrsOf types.deferredModule;
         default = {};
       };
       darwin = mkOption {
-        type = lib.types.unspecified;
+        type = types.attrsOf types.deferredModule;
         default = {};
       };
       home = mkOption {
-        type = lib.types.unspecified;
+        type = types.attrsOf types.deferredModule;
         default = {};
       };
     };
   };
 
-  config.
+  config.flake = {
-    flake = {
     nixosConfigurations =
       mapAttrs
       config.builders.nixos

modules/nixos/common/hercules.nix

@@ -1,6 +1,5 @@
 {
   config,
-  pkgs,
   lib,
   ...
 }: {
@@ -8,10 +7,17 @@
 
   options.common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
 
-  config = lib.mkIf config.common.hercules.enable {
+  config = let
+    herculesUser = config.systemd.services.hercules-ci-agent.serviceConfig.User;
+  in
+    lib.mkIf config.common.hercules.enable {
       age.secrets.hercules-token = {
-      file = ../../secrets/hercules-token.age;
+        file = ../../../secrets/hercules-token.age;
-      owner = config.systemd.services.hercules-ci-agent.serviceConfig.User;
+        owner = herculesUser;
+      };
+      age.secrets.hercules-cache = {
+        file = ../../../secrets/hercules-cache.age;
+        owner = herculesUser;
       };
 
       services.hercules-ci-agent = {
@@ -19,7 +25,7 @@
         settings = {
           clusterJoinTokenPath = config.age.secrets.hercules-token.path;
           concurrentTasks = lib.mkDefault 4;
-        binaryCachesPath = pkgs.writeText "empty-caches.json" "{}";
+          binaryCachesPath = config.age.secrets.hercules-cache.path;
         };
       };
     };

modules/nixos/settei/default.nix

@@ -1,19 +1,6 @@
 {perInput}: {
-  lib,
-  config,
-  ...
-}: {
-  _file = ./default.nix;
-
   imports = [
+    (import ../../shared/settei {inherit perInput;})
     ./sane-defaults.nix
-    (import ./flake-qol.nix {inherit perInput;})
-    ./user.nix
   ];
-
-  options.settei = with lib; {
-    username = mkOption {
-      type = types.str;
-    };
-  };
 }

modules/nixos/settei/sane-defaults.nix

@@ -1,39 +1,19 @@
-# This module is supposed to be a reusable set of options you probably would want to set anyway
+# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix
-#
-# Other default options which don't necessairly make sense for other people go into hosts/default.nix
 {
-  lib,
   config,
+  username,
+  lib,
   ...
-} @ args: {
+} @ args: let
-  _file = ./sane-defaults.nix;
+  cfg = config.settei.sane-defaults;
-
+in {
-  options.settei.sane-defaults = with lib; {
+  config = lib.mkIf cfg.enable {
-    enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)";
-    allSshKeys = mkOption {
-      type = types.attrsOf types.singleLineStr;
-      default = {};
-    };
-  };
-
-  config = lib.mkIf config.settei.sane-defaults.enable (let
-    cfg = config.settei;
-    inherit (cfg) username;
-    configName = optionName:
-      args.configurationName
-      or (throw "pass configurationName to module arguments or set ${optionName} yourself");
-  in {
-    _module.args = {
-      username = lib.mkDefault username;
-    };
-
     # https://github.com/NixOS/nixpkgs/issues/254807
     boot.swraid.enable = false;
 
     hardware.enableRedistributableFirmware = true;
 
     services.openssh.enable = true;
-    services.tailscale.enable = true;
     programs.mosh.enable = lib.mkDefault true;
 
     users = {
@@ -45,41 +25,21 @@
         extraGroups = ["wheel"];
         openssh.authorizedKeys.keys = let
           filteredKeys = let
-            configName' = configName "users.users.${username}.openssh.authorizedKeys";
+            configName' =
+              args.configurationName
+              or (throw "pass configurationName to module arguments or set users.users.${username}.openssh.authorizedKeys yourself");
           in
-            lib.filterAttrs (name: _: name != configName') cfg.sane-defaults.allSshKeys;
+            lib.filterAttrs (name: _: name != configName') cfg.allSshKeys;
         in
           lib.mkDefault (lib.attrValues filteredKeys);
       };
       groups.${username} = {};
     };
 
-    networking.hostName = lib.mkDefault (configName "networking.hostName");
-
-    nix = {
-      settings = {
-        experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
-        trusted-users = lib.optionals (!config.security.sudo.wheelNeedsPassword) [username];
-        auto-allocate-uids = true;
-        extra-substituters = [
-          "https://hyprland.cachix.org"
-          "https://cache.garnix.io"
-          "https://nix-community.cachix.org"
-          "https://hercules-ci.cachix.org"
-        ];
-        trusted-public-keys = [
-          "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-          "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
-          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-          "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
-        ];
-      };
-    };
-
     # TODO: Actually this should be extraRules which makes wheel users without any password set
     #       be able to use sudo with no password
     security.sudo.wheelNeedsPassword = false;
 
     system.stateVersion = "22.05";
-  });
+  };
 }

modules/shared/settei/default.nix

@@ -0,0 +1,19 @@
+{perInput}: {
+  lib,
+  config,
+  ...
+}: {
+  _file = ./default.nix;
+
+  imports = [
+    ./sane-defaults.nix
+    (import ./flake-qol.nix {inherit perInput;})
+    ./user.nix
+  ];
+
+  options.settei = with lib; {
+    username = mkOption {
+      type = types.str;
+    };
+  };
+}

modules/shared/settei/flake-qol.nix

@@ -43,7 +43,7 @@ in {
 
       nix = {
         registry = lib.mapAttrs (_: flake: {inherit flake;}) cfg.inputs-flakes;
-        nixPath = map (name: "${name}=flake:${name}") (lib.attrNames cfg.inputs-flakes);
+        nixPath = lib.mapAttrsToList (name: _: "${name}=flake:${name}") cfg.inputs-flakes;
       };
     };
 }

modules/shared/settei/sane-defaults.nix

@@ -0,0 +1,58 @@
+# This module is supposed to be a reusable set of options you probably would want to set anyway
+#
+# Other default options which don't necessairly make sense for other people go into hosts/default.nix
+{
+  config,
+  pkgs,
+  lib,
+  ...
+} @ args: {
+  _file = ./sane-defaults.nix;
+
+  options.settei.sane-defaults = with lib; {
+    enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)";
+    allSshKeys = mkOption {
+      type = types.attrsOf types.singleLineStr;
+      default = {};
+    };
+  };
+
+  config = lib.mkIf config.settei.sane-defaults.enable (let
+    cfg = config.settei;
+    inherit (cfg) username;
+    adminNeedsPassword = pkgs.stdenv.isLinux -> config.security.sudo.wheelNeedsPassword;
+  in {
+    _module.args = {
+      username = lib.mkDefault username;
+    };
+
+    services.tailscale.enable = true;
+
+    networking.hostName = lib.mkDefault (
+      args.configurationName
+      or (throw "pass configurationName to module arguments or set networking.hostName yourself")
+    );
+
+    nix = {
+      settings = {
+        experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
+        trusted-users = lib.optionals (!adminNeedsPassword) [username];
+        auto-allocate-uids = true;
+        extra-substituters = [
+          "https://hyprland.cachix.org"
+          "https://cache.garnix.io"
+          "https://nix-community.cachix.org"
+          "https://hercules-ci.cachix.org"
+          "https://nrabulinski.cachix.org"
+        ];
+        trusted-public-keys = [
+          "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+          "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+          "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
+          "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic="
+        ];
+      };
+    };
+  });
+}

modules/shared/settei/user.nix

@@ -36,7 +36,7 @@ in {
         home = {
           inherit username;
           homeDirectory = config.users.users.${username}.home;
-          stateVersion = config.system.stateVersion;
+          stateVersion = "22.05";
         };
 
         programs.home-manager.enable = true;

secrets/alert-nrab-lol-pass.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw jmpsgact3iy0+A1ggWzK98D1e7R/44F9TgzFSg6BIWA
+-> ssh-ed25519 84j9mw bG9/dNwxbn7mVFKLraVw594U+CUVNXmDX56xODpn8m8
-K6S7UNkJNh859EgPdMTpYol4vaSD0nfjsu6SMk9F5Vo
+wMuzPr8LdQEdeyF4LCKepSgRU1oWl2znplE/8T+AMVw
--> ssh-ed25519 GKhvwg YGAiny4ZXIqplrdFqETxB4chp9IqJt5fHb+NK4Bvan0
+-> ssh-ed25519 GKhvwg gZ4nVDAdjyhXyoDsIr+LBnLaF94zJLe9hoDN8jRY2Sw
-0rgp0zJiGX5t4x/FKoLDJWMJW1hPsfVNMd4bPmv6Xdo
+cdz0BUiD1YwnN7FWJcqzYYU83HzDYWlQgc+qPPMUtcE
--> }Z-grease dI \ a^Wyct @c5
+-> `#k-grease A3Jo
-H3cGSMZsNUPMewieU4NK6zr4IlLt+hivE3FnRBrNzll7WGBd942TAFQ8YRa9sIbJ
+IPGUbK+Mg0+gFt44tyFi
-b9mvv1dqYmoS7MBVAGJvLgaX
+--- 6g1g/jyT0Yg+lgfmdUpZzUN5ryWGWIKYABUVw6crzfA
---- C9QLdKcJPuN/raiGvmopHeYM2tnURzDMzV8DRAmffR0
+oe¼EÑ^=Ù*J‘nTjÕ˜oq\nT.’TáeÍ
-`0œDå±þ`Voœß/ü§Ä೯‰T~{({Ô:¨××hx­“šj^þBnÆ'TÓ0[€U›Ðg=›_DDÿUþ!¼·-­¶õ5B
ZŒÄ:<3A>s³}PF¥æ›Ñfàh
+Y:¸y,bźµ¿Ú]±"“Þ¾SÌFЉôp)´ÚµÛœžJH.J¿Œg¤EŠíÏr‚¦¿¶ÿÃOL

secrets/alert-plain-pass.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 ioPMHA GErPiwFO6TluW+/QapeT0BhWH2yVd54UfCsi5s8STm8
+/rOO0+oXHGnJ54PdgPSJ/UWeZm1Ibtptnz+tv6zhTLA
+-> ssh-ed25519 GKhvwg MtNidti8d7qz3NERKPdoU0UtNj/SZp2htzXYB3NUMXM
+WKdKJtjfsWFgoO09wpw87JdOaGNqDpC9MRs7Fumfn/g
+-> 'JP4o}-grease Thf
+jq5xoH6w3eDeGBGf1jKPCxEl
+--- sI/u3P4XIpQOMPXhtCy4XqRo+FSi5IdUDNxw0S88gWc
+@ï;ÖÎ|U:B{ý…x3»§û!9A2‚Û€S<E282AC>ÖúèNg#ً͇r68ãS2‚

secrets/hercules-cache.age

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw UohYhuFXjwI+Ya6a2nIjFt1FSpp/S1fss8+ZffKf91M
+q8q6+vScXETWtB8YDO84X6D5KTptP4JhNtW4yH8D2dw
+-> ssh-ed25519 ioPMHA 0NAryvpJ42YzfO4/cNE6UvRzqEk4rjM4PTInqiSj/Qk
+/V72hnrePBIiO0U6817ij91W2G3lHS/yZjLXu9ngMyw
+-> ssh-ed25519 GKhvwg Lqt8W9uLyyEqtdQMriomn/D/s4yy/F7qID1N6FbbSVw
+vSC+r50g8xVE+bKNJ7QMtZD9uacainZ+KK7U8Lb4B/A
+-> kW{-]#L<-grease 7>z.Yr}9 YOwZ f"i}Y;^=
+l3YcF04OxddtsUHtQLBW9qotCY+Wghl7y2HsRtEXnwBjRiyzvCjc/RMQ70/f4WW7
+xIS9WI00LtKj8rAoNmvOsIDkMzKvuutQmmZYBJEk
+--- L1zbOMuts43q3o1ziGlV4VBu3DyKYO6jNVZlJt4CUdg
+¿„<EFBFBD>2åÍ”†Ûu¤Ãm\àý:Ý;é›bÍé7Îa–üH
7MÎL!{uWù­Xñ˜<C3B1>ZØvô<76>žÝŠL“·ˆçÒH²¾îªV\Õ?ð¯Ÿ*˜‘,$d¦6S3JŸÒ¤"D‡/eRkmI
MúM‹Ú‘‚‡rMI pûS<C3BB>€)–xÊk¡+»l¢uuGÓ®‡ïÉ3M<33>­Š³{ŽN—áÙ<>†Bç[ú“¡i¶`‹o  ÓÉ¡°[
Qÿ1<C3BF>Ærh‡-Å••¢
+?èçfƒ;5~³5T"lÉó„,ÁÅ‹œÝ‹?„
ðiœ¾(ßË[wÍÖX
+<nxD†_£sì«t$¿3%#g–™Ý_!þ{ —!®²ßœ~8¥û)̘ÛÊOü°µòÐXÛ€žg¶™<C2B6>0¹<)°ùG’Iód¦ãŠ ïñÎÏf'¿ídÎaC^À¨àô=òEH¡…¦—apnhŽ~³AøŒÉ¶/H'

secrets/secrets.nix

@@ -5,6 +5,8 @@ in {
   "alert-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
   "vault-cert-env.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
   # "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
-  "hercules-token.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
+  "hercules-token.age".publicKeys = [keys.system.kazuki keys.system.legion keys.other.bootstrap];
-  "kazuki-cachix.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
+  "hercules-cache.age".publicKeys = [keys.system.kazuki keys.system.legion keys.other.bootstrap];
+  "alert-plain-pass.age".publicKeys = [keys.system.legion keys.other.bootstrap];
+  "legion-niko-pass.age".publicKeys = [keys.system.legion keys.other.bootstrap];
 }

secrets/vault-cert-env.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 84j9mw 13PBQImkhu4ivVTaeHWkpRfidgOFF7FBLD18amn5+Xs
+-> ssh-ed25519 84j9mw vOJaWCNIGFgf6O0nTt+g1a5y5iKvMlr9nrpF1jTNGmM
-ZeZhuWZqI8Poa1ROlaYAXkr6QBM4355lWpYaHAtaTP8
+MxiliY7O3k0P47mYrmV6ovZu9+03JCCUvOe8Zu7gi34
--> ssh-ed25519 GKhvwg gSXVzlieRXepW8s4onx4SDd75LVTyr1Rbc2/1LUIGTw
+-> ssh-ed25519 GKhvwg XSQNhU9xCPQu7iIcshQxncgqp37J8iS1H6FKDaChPTo
-AOmJNzvioM7B+114BMBc5xbxfOAbielwizwtNzK2G7k
+uH8yhnQc184zK72pwwNod110/ehMiT/eWbHN894XThU
--> K/_&?-grease 'jg+M|s Cw&g=
+-> w>U?#&-grease <dWq wD?o*
-yfPl
+wMaIBnm2VLcz0dW+Hhv6
---- 8idL6hzmOCas0TKD8rvx7qlSGbzLPFxAOdlnSNi5+sY
+--- b4aPjwryeAsFAeNWUyMT1hI7G3yQinFIfoYfUxHk3s8
-	Æ=»lÞ…XæÊsÄ$xKÑ2F^¢#ø_ìB‹ßq"½ZÎü*¢ù®Ôó2`0n|#ÉÑz
SÅõ;UÀ@:¿âšRGuv>ʺÿ§€Ù÷é	Z½\m†¦¼N(
+µá|ý.os,!‡£$`#Ïçl)툹xè¡ûõO(L³,°eȼÇGñQi=m„ 6Ö1›¦#&îÙ©8dÄŠÛ”¥äC$5T"Q¼¯Ì‹þï

wrappers/helix/default.nix

@@ -1,11 +1,8 @@
-{
+{pkgs, ...}: {
-  pkgs,
-  lib,
-  ...
-}: {
   programs.helix = {
     enable = true;
     settings = {
+      theme = "base16_default_dark";
       editor = {
         true-color = true;
         line-number = "relative";
@@ -15,7 +12,6 @@
         cursorline = true;
         auto-save = true;
         indent-guides.render = true;
-        theme = "base16_default_dark";
       };
     };
     languages = {