WIP refactor

common/flake.nix

@@ -22,9 +22,10 @@
           {
             imports = [
               ./options.nix
+              ./general
               ./boot
               ./users
-              ./general
+              ./programs
             ];
           };
       };

common/programs/default.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  imports = [
+    ./qFlipper.nix
+    ./rustDev.nix
+    ./uhkAgent.nix
+    ./tailnet.nix
+    ./ssh.nix
+    ./docker.nix
+  ];
+}

common/programs/docker.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "docker"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+
+  users_cfg = config.${ccfg.custom_config_key}.users;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "docker";
+    };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker = {
+      enable = true;
+      autoPrune.enable = true;
+    };
+    # TODO add admins?
+    users.extraGroups.docker.members = lib.mkIf (users_cfg.primary != null) [ users_cfg.primary ];
+    environment.shellAliases = {
+      dockerv = "docker volume";
+      dockeri = "docker image";
+      dockerc = "docker container";
+    };
+  };
+}

common/programs/qFlipper.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "qFlipper"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "qFlipper";
+    };
+
+  config = lib.mkIf cfg.enable {
+    hardware.flipperzero.enable = true;
+    environment.systemPackages = with pkgs; [ qFlipper ];
+    services.udev.extraRules = ''
+      #Flipper Zero serial port
+      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", GROUP="users", TAG+="uaccess"
+      #Flipper Zero DFU
+      SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", GROUP="users", TAG+="uaccess"
+    '';
+  };
+}

common/programs/rustDev.nix

@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "rustDev"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "rust development tools";
+      repl = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Enable the evcxr repl for `rust` command.";
+      };
+      # TODO?
+      # channel = lib.mkOption {
+      #   type = lib.types.str;
+      #   default = "stable";
+      #   description = "The Rust release channel to use (e.g., stable, beta, nightly).";
+      # };
+      # version = lib.mkOption {
+      #   type = lib.types.str;
+      #   default = "latest";
+      #   description = "The specific version of Rust to use. Use 'latest' for the latest stable release.";
+      # };
+    };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages =
+      with pkgs;
+      [
+        rustup
+        gcc
+      ]
+      ++ (if cfg.repl then [ pkgs.evcxr ] else [ ]);
+
+    environment.shellAliases = lib.mkIf cfg.repl {
+      rust = "evcxr";
+    };
+  };
+
+}

common/programs/ssh.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "ssh"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "ssh";
+      sshPortOpen = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Open the ssh port.";
+      };
+      fail2Ban = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Enable fail2ban.";
+      };
+      allowRootPasswordLogin = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Allow root password login.";
+      };
+    };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      openssh
+      autossh
+    ];
+
+    # Use fail2ban
+    services.fail2ban = lib.mkIf cfg.fail2Ban {
+      enable = true;
+    };
+
+    # Open ports in the firewall if enabled.
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.sshPortOpen [
+      22 # sshd
+    ];
+
+    # Enable the OpenSSH daemon.
+    services.openssh = {
+      enable = true;
+      settings = {
+        LogLevel = "VERBOSE";
+        PermitRootLogin = "yes";
+        PasswordAuthentication = if cfg.allowRootPasswordLogin then true else false;
+      };
+    };
+
+    # Ensure SSH key pair generation for non-root users
+    systemd.services = lib.mapAttrs' (name: _: {
+      name = "generate_ssh_key_${name}";
+      value = {
+        description = "Generate SSH key pair for ${name}";
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          User = name;
+          Type = "oneshot";
+        };
+        script = ''
+          #!/run/current-system/sw/bin/bash
+          if [ ! -f /home/${name}/.ssh/id_ed25519 ]; then
+            if [ -v DRY_RUN ]; then
+              echo "DRY_RUN is set. Would generate SSH key for ${name}.";
+            else
+              echo "Generating SSH key for ${name}.";
+              mkdir -p /home/${name}/.ssh;
+              chmod 700 /home/${name}/.ssh;
+              /run/current-system/sw/bin/ssh-keygen -t ed25519 -f /home/${name}/.ssh/id_ed25519 -N "";
+            fi
+          else
+            echo "SSH key already exists for ${name}.";
+          fi
+        '';
+      };
+    }) config.mods.common.users;
+
+  };
+
+}

common/programs/tailnet.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "tailnet"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "rust development tools";
+      useSecretsAuth = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Whether to use secrets authentication for Tailscale";
+      };
+      useHeadscale = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Whether to use headscale login server.";
+      };
+
+    };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ tailscale ];
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      useRoutingFeatures = "client";
+      authKeyFile = lib.mkIf cfg.useSecretsAuth config.age.secrets.headscale_auth.path;
+      # https://tailscale.com/kb/1241/tailscale-up
+      extraUpFlags = lib.mkIf cfg.useHeadscale [
+        "--login-server=https://headscale.joshuabell.xyz"
+        "--no-logs-support"
+      ];
+    };
+    networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    networking.firewall.checkReversePath = "loose";
+  };
+
+}

common/programs/uhkAgent.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "uhkAgent"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "uhk agent (ultimate hacking keyboard)";
+    };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      uhk-agent
+      uhk-udev-rules
+    ];
+    services.udev.packages = [ pkgs.uhk-udev-rules ];
+  };
+
+}