Add common hosts config

hosts/aspi/default.nix

@@ -20,7 +20,24 @@
   ...
 }:
 {
-  imports = [ ./hardware-configuration.nix ];
+  imports = [
+    # inputs.hardware.nixosModules.common-cpu-amd # TODO something useful for me?
+
+    ./hardware-configuration.nix
+
+    ../common/global
+    ../common/users/gabriel
+
+    ../common/optional/peripherals.nix
+    ../common/optional/greetd.nix
+    ../common/optional/pipewire.nix
+    ../common/optional/quietboot.nix
+    ../common/optional/wireless.nix
+    ../common/optional/lxd.nix
+
+    ../common/optional/starcitizen-fixes.nix
+
+  ];
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
   boot.blacklistedKernelModules = [ "pcspkr" ]; # Disables "beep"

hosts/common/global/default.nix

@@ -0,0 +1,67 @@
+# Common config for all hosts
+
+{
+  inputs,
+  outputs,
+  ...
+}:
+{
+  imports =
+    [
+      ./fish.nix # fish for admin
+      ./locale.nix
+      ./nix.nix
+      ./openssh.nix
+      ./podman.nix
+      ./sops.nix
+    ]
+    ++ [
+      inputs.home-manager.nixosModules.home-manager
+    ]
+    ++ (builtins.attrValues outputs.nixosModules);
+
+  home-manager.useGlobalPkgs = true;
+  home-manager.extraSpecialArgs = {
+    inherit inputs outputs;
+  };
+
+  # Apply overlays
+  nixpkgs = {
+    overlays = builtins.attrValues outputs.overlays;
+    config = {
+      allowUnfree = true;
+    };
+  };
+
+  nix.settings.auto-optimise-store = true;
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  # Setup binary caches
+  nix.settings = {
+    substituters = [
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+      "https://hyprland.cachix.org"
+      "http://binarycache.julian-mutter.de"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
+    ];
+
+    trusted-users = [ "@wheel" ]; # needed for devenv to add custom caches
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  programs.nix-ld.enable = true;
+
+}

hosts/common/global/fish.nix

@@ -0,0 +1,10 @@
+{
+  programs.fish = {
+    enable = true;
+    vendor = {
+      completions.enable = true;
+      config.enable = true;
+      functions.enable = true;
+    };
+  };
+}

hosts/common/global/locale.nix

@@ -0,0 +1,16 @@
+{
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "de_DE.UTF-8";
+    LC_IDENTIFICATION = "de_DE.UTF-8";
+    LC_MEASUREMENT = "de_DE.UTF-8";
+    LC_MONETARY = "de_DE.UTF-8";
+    LC_NAME = "de_DE.UTF-8";
+    LC_NUMERIC = "en_US.UTF-8";
+    LC_PAPER = "de_DE.UTF-8";
+    LC_TELEPHONE = "de_DE.UTF-8";
+    LC_TIME = "de_DE.UTF-8";
+  };
+}

hosts/common/global/nix.nix

@@ -0,0 +1,49 @@
+{
+  lib,
+  ...
+}:
+{
+  nix.settings.auto-optimise-store = lib.mkDefault true;
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+    "ca-derivations"
+  ];
+  # warn-dirty = false;
+
+  # Setup binary caches
+  nix.settings = {
+    substituters = [
+      "https://nix-community.cachix.org"
+      "https://cache.nixos.org/"
+      "https://hyprland.cachix.org"
+      "http://binarycache.julian-mutter.de"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
+    ];
+
+    trusted-users = [
+      "root"
+      "@wheel"
+    ]; # needed for devenv to add custom caches
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    # Keep the last 3 generations
+    options = "--delete-older-than +3";
+  };
+
+  programs.nix-ld.enable = true;
+
+  # TODO: is this useful?, what does it do?
+  # nix.settings.flake-registry = ""; # Disable global flake registry
+  # Add each flake input as a registry and nix_path
+  # registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
+  # nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+
+}

hosts/common/global/openssh.nix

@@ -0,0 +1,52 @@
+{
+  outputs,
+  lib,
+  config,
+  ...
+}:
+let
+  hosts = lib.attrNames outputs.nixosConfigurations;
+in
+{
+  services.openssh = {
+    enable = true;
+    settings = {
+      # Harden
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+
+      # TODO: what does this d
+      # Let WAYLAND_DISPLAY be forwarded
+      AcceptEnv = "WAYLAND_DISPLAY";
+      X11Forwarding = true;
+    };
+
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+
+  # TODO: is automatic known hosts file even necessary?
+  # programs.ssh = {
+  #   # Each hosts public key
+  #   knownHosts = lib.genAttrs hosts (hostname: {
+  #     publicKeyFile = ../../${hostname}/ssh_host_ed25519_key.pub;
+  #     extraHostNames =
+  #       [
+  #         "${hostname}.m7.rs"
+  #       ]
+  #       ++
+  #         # Alias for localhost if it's the same host
+  #         (lib.optional (hostname == config.networking.hostName) "localhost")
+  #       # Alias to m7.rs and git.m7.rs if it's alcyone
+  #       ++ (lib.optionals (hostname == "alcyone") [
+  #         "m7.rs"
+  #         "git.m7.rs"
+  #       ]);
+  #   });
+  # };
+
+}

hosts/common/global/podman.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+let
+  dockerEnabled = config.virtualisation.docker.enable;
+in
+{
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = !dockerEnabled;
+    dockerSocket.enable = !dockerEnabled;
+    defaultNetwork.settings.dns_enabled = true;
+  };
+}

hosts/common/global/sops.nix

@@ -0,0 +1,22 @@
+{
+  inputs,
+  config,
+  ...
+}:
+let
+  isEd25519 = k: k.type == "ed25519";
+  getKeyPath = k: k.path;
+  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  sops.age = {
+    sshKeyPaths = map getKeyPath keys;
+
+    # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
+    keyFile = "/home/julian/.config/sops/age/keys.txt";
+    # Generate key if none of the above worked. With this, building will still work, just without secrets
+    generateKey = true;
+  };
+}

modules/nixos/locales/default.nix

@@ -1,47 +0,0 @@
-{
-  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
-  # as well as the libraries available from your flake's inputs.
-  lib,
-  # An instance of `pkgs` with your overlays and packages applied is also available.
-  pkgs,
-  # You also have access to your flake's inputs.
-  inputs,
-
-  # Additional metadata is provided by Snowfall Lib.
-  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
-  system, # The system architecture for this host (eg. `x86_64-linux`).
-  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
-  format, # A normalized name for the system target (eg. `iso`).
-  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
-  systems, # An attribute map of your defined hosts.
-
-  # All other arguments come from the module system.
-  config,
-  ...
-}:
-
-let
-  cfg = config.modules.locales;
-in
-{
-  options.modules.locales = {
-    enable = lib.mkOption { default = false; };
-  };
-
-  config = lib.mkIf cfg.enable {
-    # Select internationalisation properties.
-    i18n.defaultLocale = "en_US.UTF-8";
-
-    i18n.extraLocaleSettings = {
-      LC_ADDRESS = "de_DE.UTF-8";
-      LC_IDENTIFICATION = "de_DE.UTF-8";
-      LC_MEASUREMENT = "de_DE.UTF-8";
-      LC_MONETARY = "de_DE.UTF-8";
-      LC_NAME = "de_DE.UTF-8";
-      LC_NUMERIC = "en_US.UTF-8";
-      LC_PAPER = "de_DE.UTF-8";
-      LC_TELEPHONE = "de_DE.UTF-8";
-      LC_TIME = "de_DE.UTF-8";
-    };
-  };
-}

modules/nixos/sops/default.nix

@@ -1,46 +0,0 @@
-{
-  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
-  # as well as the libraries available from your flake's inputs.
-  lib,
-  # An instance of `pkgs` with your overlays and packages applied is also available.
-  pkgs,
-  # You also have access to your flake's inputs.
-  inputs,
-
-  # Additional metadata is provided by Snowfall Lib.
-  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
-  system, # The system architecture for this host (eg. `x86_64-linux`).
-  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
-  format, # A normalized name for the system target (eg. `iso`).
-  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
-  systems, # An attribute map of your defined hosts.
-
-  # All other arguments come from the module system.
-  config,
-  ...
-}:
-
-let
-  cfg = config.modules.sops;
-in
-{
-  options.modules.sops = {
-    enable = lib.mkOption { default = false; };
-  };
-
-  config = lib.mkIf cfg.enable {
-    sops.defaultSopsFile = ../../../secrets/secrets.yaml;
-    sops.defaultSopsFormat = "yaml";
-
-    # Automatically generate age key from ssh key
-    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    # This is using an age key that is expected to already be in the filesystem
-    sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt";
-    # Generate key if none of the above worked. With this, building will still work, just without secrets
-    sops.age.generateKey = true;
-
-    # List of defined secrets
-    # They all become files linked inside the "/run/secrets/" directory
-
-  };
-}