Clean up config & add comments.

2025-07-16 18:46:12 +08:00 · 2025-07-16 18:46:12 +08:00 · c2fc35e12d
commit c2fc35e12d
parent b504700e61
18 changed files with 162 additions and 114 deletions
--- a/flake.nix
+++ b/flake.nix
@ -25,38 +25,44 @@
    sops-nix,
    ...
  } @ inputs: let
-    flock.lib = import ./lib inputs;
-    inherit (flock.lib) mergeHosts mkHost;
+    # Import helpers & make functions available.
+    helpers = import ./helpers.nix inputs;
+    inherit (helpers) mergeHosts mkHost;
  in
    mergeHosts [
+      # ThinkPad T480.
      (mkHost "muskduck" {
        suite = "desktop";
-        extraModules = [
+        hostModules = [
          lanzaboote.nixosModules.lanzaboote
          nixos-hardware.nixosModules.lenovo-thinkpad-t480
        ];
      })

+      # Raspberry Pi 4B.
      (mkHost "weebill" {
        suite = "server";
        platform = "aarch64-linux";
-        extraModules = [
+        hostModules = [
          nixos-hardware.nixosModules.raspberry-pi-4
        ];
      })

+      # VM running a Minecraft server.
      (mkHost "minecraft" {
-        suite = "vm";
-        user = "docker";
+        suite = "server/vm";
+        docker = true;
      })

+      # Container running Technitium DNS Server.
      (mkHost "technitium" {
-        suite = "lxc";
+        suite = "server/lxc";
      })

+      # Container running Mozilla's syncstorage-rs
      (mkHost "firefox-syncserver" {
-        suite = "lxc";
-        extraModules = [
+        suite = "server/lxc";
+        hostModules = [
          sops-nix.nixosModules.sops
        ];
      })
--- a/helpers.nix
+++ b/helpers.nix
@ -0,0 +1,95 @@
+inputs:
+with inputs;
+with inputs.nixpkgs.lib; {
+  # Merge NixOS hosts.
+  mergeHosts = lists.foldl' (
+    a: b: attrsets.recursiveUpdate a b
+  ) {};
+
+  # Create a NixOS host.
+  mkHost = hostname: {
+    platform ? "x86_64-linux",
+    suite ? "",
+    docker ? false,
+    hostModules ? [],
+  }: let
+    # System architecture.
+    system = platform;
+
+    # Secrets directory.
+    secrets = builtins.toString inputs.secrets;
+
+    # Extra modules to import.
+    extraModules =
+      hostModules # Host-specific modules.
+      ++ optionals (docker == true) [./suites/server/docker] # Enable docker if required.
+      ++ (filesystem.listFilesRecursive ./modules); # Custom modules.
+
+    # nixpkgs config.
+    pkgs = import nixpkgs {
+      inherit system;
+
+      config = {
+        # Allow installation of proprietary software.
+        allowUnfree = true;
+        # Allow the installation of packages marked as insecure in nixpkgs.
+        permittedInsecurePackages = [
+          "dotnet-sdk-6.0.428" # For WebOne.
+          "dotnet-runtime-6.0.36" # For WebOne.
+        ];
+      };
+
+      # Import my overlay.
+      overlays = [
+        (import ./overlay.nix {inherit inputs system;})
+      ];
+    };
+
+    # deploy-rs overlay.
+    deployPkgs = import nixpkgs {
+      inherit system;
+      overlays = [
+        deploy-rs.overlays.default
+        (self: super: {
+          deploy-rs = {
+            inherit (pkgs) deploy-rs;
+            lib = super.deploy-rs.lib;
+          };
+        })
+      ];
+    };
+  in
+    {
+      nixosConfigurations.${hostname} = nixosSystem {
+        inherit system pkgs;
+
+        specialArgs = {
+          # Make some variables accesible to modules.
+          inherit
+            hostname
+            platform
+            suite
+            secrets
+            ;
+        };
+
+        modules =
+          [
+            nixvim.nixosModules.nixvim # Neovim.
+            ./suites/${suite} # Collection of configuration options for different types of systems.
+            ./hosts/${hostname} # Host-specific config.
+          ]
+          ++ extraModules;
+      };
+    }
+    // optionalAttrs (strings.hasPrefix "server" suite) {
+      deploy.nodes.${hostname} = {
+        hostname = "${hostname}.local";
+        profiles.system = {
+          user = "root";
+          sshuser = "fern";
+          path = deploypkgs.deploy-rs.lib.activate.nixos self.nixosconfigurations.${hostname};
+        };
+      };
+    };
+}
--- a/hosts/docker/default.nix
+++ b/hosts/docker/default.nix
@ -1,14 +1,17 @@
 {
+  # Root filesystem.
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/cac60222-9b38-4938-8b17-5fddd67e8e26";
    fsType = "ext4";
  };

-  fileSystems."/home/docker/volumes" = {
+  # Docker data directory
+  fileSystems."/home/fern/docker/data" = {
    device = "/dev/disk/by-uuid/95461a94-ad91-43b9-b502-2b5d4496b84e";
    fsType = "ext4";
  };

+  # Swap.
  swapDevices = [
    {device = "/dev/disk/by-uuid/025beadb-a89b-4abe-8d0c-b55401316319";}
  ];
--- a/hosts/firefox-syncserver/default.nix
+++ b/hosts/firefox-syncserver/default.nix
@ -4,7 +4,7 @@
  secrets,
  ...
 }: {
-  # Secrets.
+  # Import secrets.
  sops = {
    age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    defaultSopsFile = "${secrets}/sops.yaml";
--- a/hosts/minecraft/default.nix
+++ b/hosts/minecraft/default.nix
@ -1,14 +1,17 @@
 {
+  # Root filesystem.
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/cbd70e61-fcdc-4b1f-af03-d3da8a2866ea";
    fsType = "ext4";
  };

-  fileSystems."/home/docker/volumes" = {
+  # Docker data directory.
+  fileSystems."/home/fern/docker/data" = {
    device = "/dev/disk/by-uuid/3730e48a-8784-4c49-8692-473c9b4bc8c3";
    fsType = "ext4";
  };

+  # Swap.
  swapDevices = [
    {device = "/dev/disk/by-uuid/3123f58e-63a9-44fa-ac29-3e79dc520b8f";}
  ];
--- a/hosts/muskduck/default.nix
+++ b/hosts/muskduck/default.nix
@ -1,4 +1,5 @@
 {
+  # Kernel modules
  boot.initrd.availableKernelModules = [
    "xhci_pci"
    "nvme"
@ -8,6 +9,7 @@

  boot.kernelModules = ["kvm-intel"];

+  # Root filesystem.
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/63d79656-aa5b-466a-b369-be5eac3f51ab";
    fsType = "ext4";
@ -15,6 +17,7 @@

  boot.initrd.luks.devices."luks-93fa00bc-777f-4359-bad5-880c29faca0d".device = "/dev/disk/by-uuid/93fa00bc-777f-4359-bad5-880c29faca0d";

+  # EFI/boot partition.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/EBD7-3E1C";
    fsType = "vfat";
@ -24,7 +27,9 @@
    ];
  };

+  # Allow CPU microcode.
  hardware.cpu.intel.updateMicrocode = true;

+  # Allows remote deployment on ARM systems (ie. Raspberry Pi).
  boot.binfmt.emulatedSystems = ["aarch64-linux"];
 }
--- a/hosts/technitium/default.nix
+++ b/hosts/technitium/default.nix
--- a/hosts/weebill/default.nix
+++ b/hosts/weebill/default.nix
@ -1,4 +1,5 @@
 {pkgs, ...}: {
+  # Boot loader.
  boot = {
    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
    initrd.availableKernelModules = [
@ -13,12 +14,14 @@
  };

  fileSystems = {
+    # Root filesystem.
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
      options = ["noatime"];
    };

+    # AFP share.
    "/srv/iMac" = {
      device = "/dev/disk/by-uuid/48843b25-4d8c-4638-a5f8-fb3901e1165e";
      fsType = "ext4";
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,81 +0,0 @@
-inputs:
-with inputs;
-with inputs.nixpkgs.lib; {
-  mergeHosts = lists.foldl' (
-    a: b: attrsets.recursiveUpdate a b
-  ) {};
-
-  mkHost = hostname: {
-    platform ? "x86_64-linux",
-    suite,
-    user ? "fern",
-    extraModules ? [],
-  }: let
-    system = platform;
-    secrets = builtins.toString inputs.secrets;
-
-    pkgs = import nixpkgs {
-      inherit system;
-      config = {
-        allowUnfree = true;
-        permittedInsecurePackages = [
-          "dotnet-sdk-6.0.428"
-          "dotnet-runtime-6.0.36"
-        ];
-      };
-      overlays = [
-        (import ../overlays {inherit inputs system;})
-      ];
-    };
-
-    deployPkgs = import nixpkgs {
-      inherit system;
-      overlays = [
-        deploy-rs.overlays.default
-        (self: super: {
-          deploy-rs = {
-            inherit (pkgs) deploy-rs;
-            lib = super.deploy-rs.lib;
-          };
-        })
-      ];
-    };
-  in
-    {
-      nixosConfigurations.${hostname} = nixosSystem {
-        inherit system pkgs;
-
-        specialArgs = {
-          inherit
-            hostname
-            platform
-            suite
-            user
-            secrets
-            ; # Inherit variables.
-        };
-
-        modules =
-          [
-            nixvim.nixosModules.nixvim
-            ../suites/common.nix
-            ../suites/${suite}.nix
-            ../hosts/${hostname}.nix
-          ]
-          ++ (filesystem.listFilesRecursive ../modules)
-          ++ extraModules;
-      };
-    }
-    // optionalAttrs ((suite == "server")
-      || (suite == "vm")
-      || (suite == "lxc")) {
-      deploy.nodes.${hostname} = {
-        hostname = "${hostname}.local";
-        profiles.system = {
-          user = "root";
-          sshUser = user;
-          path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.${hostname};
-        };
-      };
-    };
-}
--- a/modules/webone/default.nix
+++ b/modules/webone/default.nix
@ -10,6 +10,7 @@ in {
  options.services.webone.enable = mkEnableOption "Enable WebOne HTTP proxy.";

  config = mkIf cfg.enable {
+    # Create user & group for service.
    users.groups.webone = {};

    users.users.webone = {
@ -19,6 +20,7 @@ in {
      group = "webone";
    };

+    # Create config directory and log file, and set ownership to webone user.
    systemd.tmpfiles.settings = {
      "10-webone" = {
        "/var/log/webone.log" = {
@ -38,6 +40,7 @@ in {
      };
    };

+    # Create a systemd service.
    systemd.services.webone = {
      description = "WebOne HTTP Proxy Server";
      documentation = ["https://github.com/atauenis/webone/wiki/"];
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -6,10 +6,10 @@
 with inputs;
  final: prev: {
    # WebOne HTTP proxy.
-    webone = prev.pkgs.callPackage ../packages/webone {};
+    webone = prev.pkgs.callPackage ./packages/webone {};

    # Yazi Gruvbox theme.
-    yazi-flavour-gruvbox-dark = prev.pkgs.callPackage ../packages/yazi-flavour-gruvbox {};
+    yazi-flavour-gruvbox-dark = prev.pkgs.callPackage ./packages/yazi-flavour-gruvbox {};

    # Latest FluffyChat.
    fluffychat =
--- a/packages/webone/default.nix
+++ b/packages/webone/default.nix
@ -18,6 +18,7 @@ buildDotnetModule rec {
  projectFile = "WebOne.csproj";
  nugetDeps = ./deps.nix;

+  # Uses outdated dotnet 6.
  dotnet-sdk = dotnetCorePackages.sdk_6_0;
  dotnet-runtime = dotnetCorePackages.runtime_6_0;

--- a/suites/default.nix
+++ b/suites/default.nix
@ -52,10 +52,10 @@ with lib; {
  networking.hostName = hostname;

  # Define a user account.
-  users.users.${user} = {
+  users.users.fern = {
    isNormalUser = true;
    uid = 1000;
-    description = mkIf (user == "fern") "Fern Garden";
+    description = "Fern Garden";
    extraGroups = [
      "wheel"
      "networkmanager"
@ -95,6 +95,9 @@ with lib; {
  # https://discourse.nixos.org/t/slow-build-at-building-man-cache/52365/2
  documentation.man.generateCaches = false;

+  # Enable all terminfo (for ghostty).
+  environment.enableAllTerminfo = true;
+
  # Install some packages.
  programs = {
    git.enable = true;
@ -102,9 +105,11 @@ with lib; {

    nixvim = {
      enable = true;
+
+      # Set $EDITOR
      defaultEditor = true;

-      # For telescope.
+      # For telescope grep.
      dependencies.ripgrep.enable = true;

      # Space as leader.
@ -127,7 +132,10 @@ with lib; {

      colorschemes.gruvbox = {
        enable = true;
-        settings.contrast = "hard";
+        settings = {
+          contrast = "hard";
+          overrides.SignColumn.bg = "none";
+        };
      };

      opts = rec {
--- a/suites/desktop/default.nix
+++ b/suites/desktop/default.nix
@ -4,6 +4,8 @@
  ...
 }:
 with lib; {
+  imports = [../.]; # Common config.
+
  # Configure the bootloader.
  boot = {
    # Enable secure boot.
--- a/suites/server/default.nix
+++ b/suites/server/default.nix
@ -1,15 +1,9 @@
 {
-  user,
-  lib,
-  ...
-}:
-with lib; {
+  imports = [../.]; # Common config.
+
  # Passwordless sudo.
  security.sudo.wheelNeedsPassword = false;

-  # Enable all terminfo (for ghostty).
-  environment.enableAllTerminfo = true;
-
  # Enable sshd.
  services.openssh = {
    enable = true;
@ -20,14 +14,11 @@ with lib; {
    };
  };

-  users.users.${user} = {
+  # Add authorized ssh pubkeys.
+  users.users.fern = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
    ];
-    extraGroups = mkIf (user == "docker") ["docker"]; # if docker is enabled.
  };
-
-  # Enable docker.
-  virtualisation.docker.enable = mkIf (user == "docker") true;
 }
--- a/suites/server/docker/default.nix
+++ b/suites/server/docker/default.nix
@ -0,0 +1,9 @@
+{
+  # Add user to docker group.
+  users.users.fern = {
+    extraGroups = ["docker"];
+  };
+
+  # Enable docker.
+  virtualisation.docker.enable = true;
+}
--- a/suites/server/lxc/default.nix
+++ b/suites/server/lxc/default.nix
@ -1,6 +1,6 @@
 {modulesPath, ...}: {
  imports = [
    (modulesPath + "/virtualisation/proxmox-lxc.nix")
-    ./server.nix
+    ../. # Server config.
  ];
 }
--- a/suites/server/vm/default.nix
+++ b/suites/server/vm/default.nix
@ -6,7 +6,7 @@
 with lib; {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
-    ./server.nix
+    ../. # Server config.
  ];

  # Load kernel modules.