Getting more idomatic nix modules setup... will tackle users dir later

flake.nix

@@ -79,6 +79,7 @@
             inherit user;
             nixpkgs = joe_nixpkgs;
             home-manager = joe_home-manager;
+            allowUnfree = true;
           };
         }
         {
@@ -90,6 +91,7 @@
             inherit user;
             nixpkgs = gpdPocket3_nixpkgs;
             home-manager = gpdPocket3_home-manager;
+            allowUnfree = true;
           };
         }
         {
@@ -107,6 +109,7 @@
             };
             nixpkgs = h002_nixpkgs;
             home-manager = h002_home-manager;
+            allowUnfree = true;
           };
         }
       ];
@@ -127,14 +130,15 @@
         // {
           "${nixConfig.name}" =
             let
-              lib = nixConfig.settings.nixpkgs.lib;
+              settings = nixConfig.settings;
+              lib = settings.nixpkgs.lib;
               ylib = nypkgs.legacyPackages.${nixConfig.opts.system}.lib;
             in
             (lib.nixosSystem {
               modules =
                 [
-                  ./hosts/_common/configuration.nix
                   cosmic.nixosModules.default
+                  ./hosts/configuration.nix
                 ]
                 ++ ylib.umport {
                   path = lib.fileset.maybeMissing ./modules;
@@ -144,7 +148,7 @@
                 inherit ylib;
                 settings =
                   directories
-                  // nixConfig.settings
+                  // settings
                   // {
                     system = nixConfig.opts // {
                       hostname = nixConfig.name;

hosts/_common/components/audio.nix

@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-  # Enable sound.
-  hardware.pulseaudio.enable = true;
-  hardware.pulseaudio.package = pkgs.pulseaudioFull;
-  environment.systemPackages = [ pkgs.pavucontrol ];
-}

hosts/_common/components/caps_to_escape_in_tty.nix

@@ -1,10 +0,0 @@
-{ pkgs, ... }:
-{
-  # I want this globally even for root so doing it outside of home manager
-  services.xserver.xkb.options = "caps:escape";
-  console = {
-    earlySetup = true;
-    packages = with pkgs; [ terminus_font ];
-    useXkbConfig = true; # use xkb.options in tty. (caps -> escape)
-  };
-}

hosts/_common/components/cosmic.nix

@@ -1,12 +0,0 @@
-{ cosmic, ... }:
-{
-  nix.settings = {
-    substituters = [ "https://cosmic.cachix.org/" ];
-    trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ];
-  };
-
-  imports = [ cosmic.nixosModules.default ];
-
-  services.desktopManager.cosmic.enable = true;
-  services.displayManager.cosmic-greeter.enable = true;
-}

hosts/_common/components/docker.nix

@@ -1,10 +0,0 @@
-{ settings, ... }:
-{
-  virtualisation.docker.enable = true;
-  users.extraGroups.docker.members = [ settings.user.username ];
-  environment.shellAliases = {
-    dockerv = "docker volume";
-    dockeri = "docker image";
-    dockerc = "docker container";
-  };
-}

hosts/_common/components/font_jetbrainsmono.nix

@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-  fonts.packages = with pkgs; [
-    (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
-  ];
-}
-

hosts/_common/components/gnome_wayland.nix

@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-{
-  services.xserver = {
-    enable = true;
-    displayManager.gdm = {
-      enable = true;
-      autoSuspend = false;
-      wayland = true;
-    };
-    desktopManager.gnome.enable = true;
-  };
-  services.gnome.core-utilities.enable = false;
-  environment.systemPackages = with pkgs; [
-    gnome.dconf-editor
-    # wayland clipboard in terminal
-    wl-clipboard
-  ];
-  environment.sessionVariables.NIXOS_OZONE_WL = "1";
-}
-

hosts/_common/components/gnome_xorg.nix

@@ -1,18 +0,0 @@
-{ pkgs, ... }:
-{
-  services.xserver = {
-    enable = true;
-    displayManager.gdm = {
-      enable = true;
-      autoSuspend = false;
-      wayland = false;
-    };
-    desktopManager.gnome.enable = true;
-  };
-  services.gnome.core-utilities.enable = false;
-  environment.systemPackages = with pkgs; [
-    gnome.dconf-editor
-    xclip
-  ];
-}
-

hosts/_common/components/nebula.nix

@@ -1,51 +0,0 @@
-{ pkgs, ... }:
-{
-  environment.systemPackages = with pkgs; [
-    nebula
-    traceroute # for debugging
-  ];
-
-  networking.firewall.allowedUDPPorts = [ 4242 ];
-
-  systemd.services."nebula" = {
-    description = "Nebula VPN service";
-    wants = [ "basic.target" ];
-    after = [
-      "basic.target"
-      "network.target"
-    ];
-    before = [ "sshd.service" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "notify";
-      Restart = "always";
-      RestartSec = 1;
-      ExecStart = "${pkgs.nebula}/bin/nebula -config /etc/nebula/config.yml";
-      UMask = "0027";
-      CapabilityBoundingSet = "CAP_NET_ADMIN";
-      AmbientCapabilities = "CAP_NET_ADMIN";
-      LockPersonality = true;
-      NoNewPrivileges = true;
-      PrivateDevices = false; # needs access to /dev/net/tun (below)
-      DeviceAllow = "/dev/net/tun rw";
-      DevicePolicy = "closed";
-      PrivateTmp = true;
-      PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHome = true;
-      ProtectHostname = true;
-      ProtectKernelLogs = true;
-      ProtectKernelModules = true;
-      ProtectKernelTunables = true;
-      ProtectProc = "invisible";
-      ProtectSystem = "strict";
-      RestrictNamespaces = true;
-      RestrictSUIDSGID = true;
-    };
-    unitConfig = {
-      StartLimitIntervalSec = 5;
-      StartLimitBurst = 3;
-    };
-  };
-}

hosts/_common/components/neovim.nix

@@ -1,7 +0,0 @@
-{ settings, ringofstorms-nvim, ... }:
-{
-  environment.systemPackages = [
-    ringofstorms-nvim.packages.${settings.system.system}.neovim
-  ];
-}
-

hosts/_common/components/plasma_wayland.nix

@@ -1,21 +0,0 @@
-{ pkgs, ... }:
-{
-  services.xserver = {
-    enable = true;
-    displayManager.gdm = {
-      enable = true;
-      autoSuspend = false;
-      wayland = true;
-    };
-    displayManager.defaultSession = "plasma";
-    displayManager.sddm.wayland.enable = true;
-    desktopManager.plasma6 = {
-      enable = true;
-    };
-  };
-  environment.systemPackages = with pkgs; [
-    xclip
-  ];
-}
-
-

hosts/_common/components/plasma_xorg.nix

@@ -1,19 +0,0 @@
-{ pkgs, ... }:
-{
-  services.xserver = {
-    enable = true;
-    displayManager.gdm = {
-      enable = true;
-      autoSuspend = false;
-      wayland = false;
-    };
-    displayManager.defaultSession = "plasmax11";
-    desktopManager.plasma6 = {
-      enable = true;
-    };
-  };
-  environment.systemPackages = with pkgs; [
-    xclip
-  ];
-}
-

hosts/_common/components/ssh.nix

@@ -1,21 +0,0 @@
-{ ... }:
-{
-  # Use fail2ban
-  services.fail2ban = {
-    enable = true;
-  };
-
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [
-    22 # sshd
-  ];
-
-  # Enable the OpenSSH daemon.
-  services.openssh = {
-    enable = true;
-    settings = {
-      LogLevel = "VERBOSE";
-      PermitRootLogin = "yes";
-    };
-  };
-}

hosts/_common/components/stormd.nix

@@ -1,29 +0,0 @@
-{ pkgs, ... }:
-{
-  # environment.systemPackages = with pkgs; [
-  # ];
-
-  # TODO make a derivation for stormd binary and get it properlly in the store. This is super janky and the binary just has to exist there right now.
-
-  # networking.firewall.allowedUDPPorts = [ 4242 ];
-
-  systemd.services."stormd" = {
-    description = "Stormd service";
-    wants = [ "basic.target" ];
-    after = [
-      "basic.target"
-      "network.target"
-    ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "notify";
-      Restart = "always";
-      RestartSec = 1;
-      ExecStart = "/etc/stormd/stormd daemon";
-    };
-    unitConfig = {
-      StartLimitIntervalSec = 5;
-      StartLimitBurst = 3;
-    };
-  };
-}

hosts/_common/components/systemd_boot.nix

@@ -1,15 +0,0 @@
-{ ... }:
-{
-  # Use the systemd-boot EFI boot loader.
-  boot.loader = {
-    systemd-boot = {
-      enable = true;
-      consoleMode = "keep";
-    };
-    timeout = 5;
-    efi = {
-      canTouchEfiVariables = true;
-    };
-  };
-}
-

hosts/_common/configuration.nix

@@ -1,147 +0,0 @@
-{
-  lib,
-  pkgs,
-  settings,
-  ...
-}:
-let
-  defaultLocal = "en_US.UTF-8";
-in
-{
-  imports = [
-    # Secrets management
-    ./ragenix.nix
-    # Include the results of the hardware scan.
-    (/${settings.hostsDir}/${settings.system.hostname}/hardware-configuration.nix)
-    # Include the specific machine's config.
-    (/${settings.hostsDir}/${settings.system.hostname}/configuration.nix)
-  ];
-
-  # Enable flakes
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  # allow mounting ntfs filesystems
-  boot.supportedFilesystems = [ "ntfs" ];
-
-  # Fallback quickly if substituters are not available.
-  nix.settings.connect-timeout = 5;
-  nix.settings.download-attempts = 3;
-  # The default at 10 is rarely enough.
-  nix.settings.log-lines = 50;
-  # Avoid disk full issues
-  nix.settings.max-free = (3000 * 1024 * 1024);
-  nix.settings.min-free = (1000 * 1024 * 1024);
-  # Avoid copying unnecessary stuff over SSH
-  nix.settings.builders-use-substitutes = true;
-  # Slower but mroe robust during crash TODO enable once we upgrade nix
-  # nix.settings.fsync-store-paths = true;
-  # nix.settings.fsync-metadata = true;
-  nix.settings.auto-optimise-store = true;
-
-  # ==========
-  #   Common
-  # ==========
-  networking = {
-    hostName = settings.system.hostname;
-    extraHosts = ''
-      127.0.0.1 local.belljm.com
-      127.0.0.1 n0.local.belljm.com
-      127.0.0.1 n1.local.belljm.com
-      127.0.0.1 n2.local.belljm.com
-      127.0.0.1 n3.local.belljm.com
-      127.0.0.1 n4.local.belljm.com
-    '';
-    # Use nftables not iptables
-    nftables.enable = true;
-    firewall.enable = true;
-  };
-  # TODO do I want this dynamic at all? Roaming?
-  time.timeZone = "America/Chicago";
-
-  # nix helper
-  programs.nh = {
-    enable = true;
-    clean.enable = true;
-    clean.extraArgs = "--keep 3";
-    # TODO this may need to be defined higher up if it is ever different for a machine...
-    flake = "/home/${settings.user.username}/.config/nixos-config";
-  };
-
-  # Select internationalization properties.
-  i18n.defaultLocale = defaultLocal;
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = defaultLocal;
-    LC_IDENTIFICATION = defaultLocal;
-    LC_MEASUREMENT = defaultLocal;
-    LC_MONETARY = defaultLocal;
-    LC_NAME = defaultLocal;
-    LC_NUMERIC = defaultLocal;
-    LC_PAPER = defaultLocal;
-    LC_TELEPHONE = defaultLocal;
-    LC_TIME = defaultLocal;
-  };
-
-  # Some basics
-  nixpkgs.config.allowUnfree = true;
-  environment.systemPackages = with pkgs; [
-    # Basics
-    vim
-    wget
-    curl
-    fastfetch
-    bat
-    htop
-    unzip
-    git
-    fzf
-    ripgrep
-    lsof
-    killall
-    hdparm
-    speedtest-cli
-
-    # TODO keep in common or move to specific machines, I want this for my pocket 3 video KDM module but I use ffmpeg on most machines anyways?
-    ffmpeg-full
-  ];
-
-  environment.shellAliases = {
-    n = "nvim";
-    nn = "nvim --headless '+SessionDelete' +qa > /dev/null 2>&1 && nvim";
-    bat = "bat --theme Coldark-Dark";
-    cat = "bat --pager=never -p";
-    # TODO this may not be needed now that I am using `nh` clean mode (see /hosts/_common/configuration.nix#programs.nh)
-    nix-boot-clean = "find '/boot/loader/entries' -type f ! -name 'windows.conf' | head -n -4 | xargs -I {} rm {}; nix store gc; nixos-rebuild boot; echo; df";
-
-    # general unix
-    date_compact = "date +'%Y%m%d'";
-    date_short = "date +'%Y-%m-%d'";
-    ls = "ls --color -Ga";
-    ll = "ls --color -Gal";
-    lss = "du --max-depth=0 -h * 2>/dev/null";
-    psg = "ps aux | head -n 1 && ps aux | grep -v 'grep' | grep";
-    cl = "clear";
-
-    # git
-    stash = "git stash";
-    pop = "git stash pop";
-    branch = "git checkout -b";
-    status = "git status";
-    diff = "git diff";
-    branches = "git branch -a";
-    gcam = "git commit -a -m";
-    stashes = "git stash list";
-
-    # ripgrep
-    rg = "rg --no-ignore";
-    rgf = "rg --files 2>/dev/null | rg";
-
-    # Neofetch is dead
-    neofetch = "fastfetch";
-  };
-  environment.shellInit = builtins.readFile ./shellInit.sh;
-
-  system.stateVersion = "23.11";
-}

hosts/configuration.nix

@@ -0,0 +1,71 @@
+{
+  settings,
+  ...
+}:
+let
+  defaultLocal = "en_US.UTF-8";
+in
+{
+  imports = [
+    # Secrets management
+    ./ragenix.nix
+    # Include the results of the hardware scan.
+    (/${settings.hostsDir}/${settings.system.hostname}/hardware-configuration.nix)
+    # Include the specific machine's config.
+    (/${settings.hostsDir}/${settings.system.hostname}/configuration.nix)
+  ];
+
+  # Enable flakes
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  # allow mounting ntfs filesystems
+  boot.supportedFilesystems = [ "ntfs" ];
+
+  # Fallback quickly if substituters are not available.
+  nix.settings.connect-timeout = 5;
+  nix.settings.download-attempts = 3;
+  # The default at 10 is rarely enough.
+  nix.settings.log-lines = 50;
+  # Avoid disk full issues
+  nix.settings.max-free = (3000 * 1024 * 1024);
+  nix.settings.min-free = (1000 * 1024 * 1024);
+  # Avoid copying unnecessary stuff over SSH
+  nix.settings.builders-use-substitutes = true;
+  # Slower but mroe robust during crash TODO enable once we upgrade nix
+  # nix.settings.fsync-store-paths = true;
+  # nix.settings.fsync-metadata = true;
+  nix.settings.auto-optimise-store = true;
+
+  # nix helper
+  programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep 3";
+    # TODO this may need to be defined higher up if it is ever different for a machine...
+    flake = "/home/${settings.user.username}/.config/nixos-config";
+  };
+
+  # TODO do I want this dynamic at all? Roaming?
+  time.timeZone = "America/Chicago";
+  # Select internationalization properties.
+  i18n.defaultLocale = defaultLocal;
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = defaultLocal;
+    LC_IDENTIFICATION = defaultLocal;
+    LC_MEASUREMENT = defaultLocal;
+    LC_MONETARY = defaultLocal;
+    LC_NAME = defaultLocal;
+    LC_NUMERIC = defaultLocal;
+    LC_PAPER = defaultLocal;
+    LC_TELEPHONE = defaultLocal;
+    LC_TIME = defaultLocal;
+  };
+
+  # Some basics
+  nixpkgs.config.allowUnfree = settings.allowUnfree;
+
+  system.stateVersion = "23.11";
+}

hosts/gpdPocket3/configuration.nix

@@ -7,18 +7,6 @@
 }:
 {
   imports = [
-    # Common components this machine uses
-    (settings.hostsDir + "/_common/components/neovim.nix")
-    (settings.hostsDir + "/_common/components/systemd_boot.nix")
-    (settings.hostsDir + "/_common/components/ssh.nix")
-    (settings.hostsDir + "/_common/components/caps_to_escape_in_tty.nix")
-    (settings.hostsDir + "/_common/components/font_jetbrainsmono.nix")
-    # (settings.hostsDir + "/_common/components/audio.nix")
-    (settings.hostsDir + "/_common/components/home_manager.nix")
-    # (settings.hostsDir + "/_common/components/gnome_wayland.nix")
-    # (settings.hostsDir + "/_common/components/cosmic.nix")
-    (settings.hostsDir + "/_common/components/docker.nix")
-    (settings.hostsDir + "/_common/components/nebula.nix")
     # Users this machine has
     (settings.usersDir + "/root/configuration.nix")
     (settings.usersDir + "/josh/configuration.nix")
@@ -27,7 +15,18 @@
     # ./stupid-keyboard-2.nix
   ];
 
-  mods.de_cosmic.enable = true;
+  # My custom modules
+  mods = {
+    boot_systemd.enable = true;
+    shell_common.enable = true;
+    de_cosmic.enable = true;
+    neovim.enable = true;
+    tty_caps_esc.enable = true;
+    docker.enable = true;
+    fonts.enable = true;
+    nebula.enable = true;
+    ssh.enable = true;
+  };
 
   # machine specific configuration
   # ==============================

hosts/h002/configuration.nix

@@ -5,14 +5,6 @@
 }:
 {
   imports = [
-    # Common components this machine uses
-    (settings.hostsDir + "/_common/components/neovim.nix")
-    (settings.hostsDir + "/_common/components/ssh.nix")
-    (settings.hostsDir + "/_common/components/caps_to_escape_in_tty.nix")
-    (settings.hostsDir + "/_common/components/audio.nix")
-    (settings.hostsDir + "/_common/components/home_manager.nix")
-    (settings.hostsDir + "/_common/components/docker.nix")
-    (settings.hostsDir + "/_common/components/nebula.nix")
     # Users this machine has
     (settings.usersDir + "/root/configuration.nix")
     (settings.usersDir + "/luser/configuration.nix")
@@ -20,9 +12,17 @@
     # (settings.hostsDir + "/h002/nixserver.nix")
   ];
 
-  boot.loader.grub = {
-    enable = true;
-    device = "/dev/sdb";
+  # My custom modules
+  mods = {
+    boot_grub = true;
+    shell_common.enable = true;
+    de_gnome_xorg.enable = true;
+    audio_pulse.enable = true;
+    neovim.enable = true;
+    tty_caps_esc.enable = true;
+    docker.enable = true;
+    nebula.enable = true;
+    ssh.enable = true;
   };
 
   # machine specific configuration

hosts/joe/configuration.nix

@@ -6,24 +6,25 @@
 }:
 {
   imports = [
-    # Common components this machine uses
-    (settings.hostsDir + "/_common/components/neovim.nix")
-    (settings.hostsDir + "/_common/components/systemd_boot.nix")
-    (settings.hostsDir + "/_common/components/ssh.nix")
-    (settings.hostsDir + "/_common/components/caps_to_escape_in_tty.nix")
-    (settings.hostsDir + "/_common/components/font_jetbrainsmono.nix")
-    (settings.hostsDir + "/_common/components/audio.nix")
-    (settings.hostsDir + "/_common/components/home_manager.nix")
-    (settings.hostsDir + "/_common/components/gnome_xorg.nix")
-    (settings.hostsDir + "/_common/components/docker.nix")
-    # (settings.hostsDir + "/_common/components/stormd.nix") TODO figure out why this is failing
-    (settings.hostsDir + "/_common/components/nebula.nix")
     # Users this machine has
     (settings.usersDir + "/root/configuration.nix")
     (settings.usersDir + "/josh/configuration.nix")
   ];
 
-  # test
+  # My custom modules
+  mods = {
+    boot_systemd.enable = true;
+    shell_common.enable = true;
+    de_gnome_xorg.enable = true;
+    audio_pulse.enable = true;
+    neovim.enable = true;
+    tty_caps_esc.enable = true;
+    docker.enable = true;
+    fonts.enable = true;
+    nebula.enable = true;
+    ssh.enable = true;
+    # storage.enable = true; # TODO figure out why this is failing
+  };
 
   networking.firewall.allowedTCPPorts = [
     5173 # test

hosts/ragenix.nix

@@ -6,8 +6,6 @@
   ragenix,
   ...
 }:
-let
-in
 # TODO auto import secret files here
 # secretsFile = (settings.secretsDir + /secrets.nix);
 {

modules/_template.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  pkgs,
+  settings,
+  ...
+}:
+with lib;
+let
+  name = "NAME";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # TODO
+  };
+}

modules/audio_pulse.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  name = "audio_pulse";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Enable sound.
+    hardware.pulseaudio.enable = true;
+    hardware.pulseaudio.package = pkgs.pulseaudioFull;
+    environment.systemPackages = [ pkgs.pavucontrol ];
+  };
+}

modules/boot/grub.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  name = "boot_grub";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+      device = mkDefaultOption {
+        type = types.str;
+        default = "/dev/sda";
+        description = ''
+          The device to install GRUB on.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.loader.grub = {
+      enable = true;
+      device = cfg.device;
+    };
+  };
+}

modules/boot/systemd.nix

@@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  name = "boot_systemd";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Use the systemd-boot EFI boot loader.
+    boot.loader = {
+      systemd-boot = {
+        enable = true;
+        consoleMode = "keep";
+      };
+      timeout = 5;
+      efi = {
+        canTouchEfiVariables = true;
+      };
+    };
+  };
+}

modules/de/gnome_wayland.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  name = "de_gnome_wayland";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable GNOME with wayland desktop environment");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.xserver = {
+      enable = true;
+      displayManager.gdm = {
+        enable = true;
+        autoSuspend = false;
+        wayland = true;
+      };
+      desktopManager.gnome.enable = true;
+    };
+    services.gnome.core-utilities.enable = false;
+    environment.systemPackages = with pkgs; [
+      gnome.dconf-editor
+      # wayland clipboard in terminal
+      wl-clipboard
+    ];
+    environment.sessionVariables.NIXOS_OZONE_WL = "1";
+  };
+}

modules/de/gnome_xorg.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  name = "de_gnome_xorg";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption "Enable GNOME with wayland desktop environment";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.xserver = {
+      enable = true;
+      displayManager.gdm = {
+        enable = true;
+        autoSuspend = false;
+        wayland = false;
+      };
+      desktopManager.gnome.enable = true;
+    };
+    services.gnome.core-utilities.enable = false;
+    environment.systemPackages = with pkgs; [
+      gnome.dconf-editor
+      xclip
+    ];
+  };
+}

modules/de_gnome_wayland.nix

@@ -1,21 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib;
-let
-  name = "de_gnome_wayland";
-  cfg = config.my_modules.${name};
-in
-{
-  options = {
-    my_modules.${name} = {
-      enable = mkEnableOption (lib.mdDoc "Enable GNOME with wayland desktop environment");
-    };
-  };
-
-  config = mkIf cfg.enable {
-    # TODO
-  };
-}

modules/de_gnome_xorg.nix

@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib;
-let
-  name = "de_gnome_xorg";
-  cfg = config.my_modules.${name};
-in
-{
-  options = {
-    my_modules.${name} = {
-      enable = mkEnableOption "Enable GNOME with wayland desktop environment";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    # TODO
-  };
-}
-

modules/docker.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  settings,
+  ...
+}:
+with lib;
+let
+  name = "docker";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+    users.extraGroups.docker.members = [ settings.user.username ];
+    environment.shellAliases = {
+      dockerv = "docker volume";
+      dockeri = "docker image";
+      dockerc = "docker container";
+    };
+  };
+}

modules/fonts.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  settings,
+  ...
+}:
+with lib;
+let
+  name = "fonts";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    fonts.packages = with pkgs; [
+      (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
+    ];
+  };
+}

modules/nebula.nix

@@ -0,0 +1,70 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  name = "nebula";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      nebula
+      traceroute # for debugging
+    ];
+
+    networking.firewall.allowedUDPPorts = [ 4242 ];
+
+    systemd.services."nebula" = {
+      description = "Nebula VPN service";
+      wants = [ "basic.target" ];
+      after = [
+        "basic.target"
+        "network.target"
+      ];
+      before = [ "sshd.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "notify";
+        Restart = "always";
+        RestartSec = 1;
+        ExecStart = "${pkgs.nebula}/bin/nebula -config /etc/nebula/config.yml";
+        UMask = "0027";
+        CapabilityBoundingSet = "CAP_NET_ADMIN";
+        AmbientCapabilities = "CAP_NET_ADMIN";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = false; # needs access to /dev/net/tun (below)
+        DeviceAllow = "/dev/net/tun rw";
+        DevicePolicy = "closed";
+        PrivateTmp = true;
+        PrivateUsers = false; # CapabilityBoundingSet needs to apply to the host namespace
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictNamespaces = true;
+        RestrictSUIDSGID = true;
+      };
+      unitConfig = {
+        StartLimitIntervalSec = 5;
+        StartLimitBurst = 3;
+      };
+    };
+
+  };
+}

modules/neovim.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  settings,
+  ringofstorms-nvim,
+  ...
+}:
+with lib;
+let
+  name = "neovim";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [
+      ringofstorms-nvim.packages.${settings.system.system}.neovim
+    ];
+  };
+}

modules/shell/common.nix

@@ -0,0 +1,90 @@
+{
+  config,
+  lib,
+  pkgs,
+  settings,
+  ...
+}:
+with lib;
+let
+  name = "shell_common";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking = {
+      hostName = settings.system.hostname;
+      extraHosts = ''
+        127.0.0.1 local.belljm.com
+        127.0.0.1 n0.local.belljm.com
+        127.0.0.1 n1.local.belljm.com
+        127.0.0.1 n2.local.belljm.com
+        127.0.0.1 n3.local.belljm.com
+        127.0.0.1 n4.local.belljm.com
+      '';
+      # Use nftables not iptables
+      nftables.enable = true;
+      firewall.enable = true;
+    };
+
+    environment.systemPackages = with pkgs; [
+      # Basics
+      vim
+      nano
+      wget
+      curl
+      fastfetch
+      bat
+      htop
+      unzip
+      git
+      fzf
+      ripgrep
+      lsof
+      killall
+      hdparm
+      speedtest-cli
+      ffmpeg-full
+    ];
+
+    environment.shellAliases = {
+      n = "nvim";
+      nn = "nvim --headless '+SessionDelete' +qa > /dev/null 2>&1 && nvim";
+      bat = "bat --theme Coldark-Dark";
+      cat = "bat --pager=never -p";
+      # TODO this may not be needed now that I am using `nh` clean mode (see /hosts/_common/configuration.nix#programs.nh)
+      nix-boot-clean = "find '/boot/loader/entries' -type f ! -name 'windows.conf' | head -n -4 | xargs -I {} rm {}; nix store gc; nixos-rebuild boot; echo; df";
+
+      # general unix
+      date_compact = "date +'%Y%m%d'";
+      date_short = "date +'%Y-%m-%d'";
+      ls = "ls --color -Ga";
+      ll = "ls --color -Gal";
+      lss = "du --max-depth=0 -h * 2>/dev/null";
+      psg = "ps aux | head -n 1 && ps aux | grep -v 'grep' | grep";
+      cl = "clear";
+
+      # git
+      stash = "git stash";
+      pop = "git stash pop";
+      branch = "git checkout -b";
+      status = "git status";
+      diff = "git diff";
+      branches = "git branch -a";
+      gcam = "git commit -a -m";
+      stashes = "git stash list";
+
+      # ripgrep
+      rg = "rg --no-ignore";
+      rgf = "rg --files 2>/dev/null | rg";
+    };
+
+    environment.shellInit = builtins.readFile ./common.sh;
+  };
+}

modules/ssh.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  settings,
+  ...
+}:
+with lib;
+let
+  name = "ssh";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Use fail2ban
+    services.fail2ban = {
+      enable = true;
+    };
+
+    # Open ports in the firewall.
+    networking.firewall.allowedTCPPorts = [
+      22 # sshd
+    ];
+
+    # Enable the OpenSSH daemon.
+    services.openssh = {
+      enable = true;
+      settings = {
+        LogLevel = "VERBOSE";
+        PermitRootLogin = "yes";
+      };
+    };
+  };
+}

modules/stormd.nix

@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  name = "stormd";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # environment.systemPackages = with pkgs; [
+    # ];
+
+    # TODO make a derivation for stormd binary and get it properlly in the store. This is super janky and the binary just has to exist there right now.
+
+    # networking.firewall.allowedUDPPorts = [ 4242 ];
+
+    systemd.services."stormd" = {
+      description = "Stormd service";
+      wants = [ "basic.target" ];
+      after = [
+        "basic.target"
+        "network.target"
+      ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "notify";
+        Restart = "always";
+        RestartSec = 1;
+        ExecStart = "/etc/stormd/stormd daemon";
+      };
+      unitConfig = {
+        StartLimitIntervalSec = 5;
+        StartLimitBurst = 3;
+      };
+    };
+  };
+}

modules/tty_caps_esc.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  pkgs,
+  settings,
+  ...
+}:
+with lib;
+let
+  name = "tty_caps_esc";
+  cfg = config.mods.${name};
+in
+{
+  options = {
+    mods.${name} = {
+      enable = mkEnableOption (lib.mdDoc "Enable ${name}");
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.xserver.xkb.options = "caps:escape";
+    console = {
+      earlySetup = true;
+      packages = with pkgs; [ terminus_font ];
+      useXkbConfig = true; # use xkb.options in tty. (caps -> escape)
+    };
+  };
+}

modules/validations.nix

@@ -1,22 +1,29 @@
 { lib, config, ... }:
 {
-  # config.assertions = [
-  #   {
-  #     assertion =
-  #       lib.length (
-  #         lib.filter (x: x) [
-  #           config.my_modules.de_cosmic.enable
-  #           config.my_modules.de_gnome_xorg.enable
-  #           config.my_modules.de_gnome_wayland.enable
-  #         ]
-  #       ) <= 1;
-  #     message = ''
-  #       Configuration Error: Multiple desktop environments are enabled.
-  #       Please enable only one of the following:
-  #         - my_modules.de_cosmic.enable
-  #         - my_modules.de_gnome_xorg.enable
-  #         - my_modules.de_gnome_wayland.enable
-  #     '';
-  #   }
-  # ];
+  config.assertions = [
+    {
+      assertion =
+        lib.length (
+          lib.filter (x: x) [
+            config.mods.de_cosmic.enable
+            config.mods.de_gnome_xorg.enable
+            config.mods.de_gnome_wayland.enable
+          ]
+        ) <= 1;
+      message = ''
+        Configuration Error: Multiple desktop environments are enabled.
+        Please enable only one of the following:
+          - mods.de_cosmic.enable
+          - mods.de_gnome_xorg.enable
+          - mods.de_gnome_wayland.enable
+      '';
+    }
+    {
+      assertion = !(config.mods.de_cosmic.enable && config.mods.audio_pulse.enable);
+      message = ''
+        Configuration Error: cannot use pulse audio with cosmic.
+        Remove: mods.audio_pulse.enable
+      '';
+    }
+  ];
 }