From 6a30a431f81f17db3f3d69b03470635ce0b84cad Mon Sep 17 00:00:00 2001 From: hektor Date: Tue, 21 Apr 2026 13:59:03 +0200 Subject: [PATCH] refactor: simplify 'user' options --- deploy/colmena.nix | 2 +- home/hosts/work/default.nix | 7 ++-- home/modules/default.nix | 45 ++++++++++++++---------- hosts/andromache/default.nix | 23 +++--------- hosts/astyanax/default.nix | 19 +++------- hosts/eetion-02/default.nix | 1 - hosts/eetion/default.nix | 1 - hosts/hecuba/default.nix | 3 +- hosts/vm/default.nix | 9 +---- images/sd-image-orange-pi-aarch64.nix | 7 +++- images/sd-image-raspberry-pi-aarch64.nix | 7 +++- modules/ai-tools/default.nix | 3 +- modules/anki/default.nix | 3 +- modules/common/default.nix | 5 +++ modules/docker/default.nix | 24 +++---------- modules/git/default.nix | 2 +- modules/hcloud/default.nix | 11 +++--- modules/nfc/default.nix | 10 +++--- modules/secrets/default.nix | 9 ++--- modules/ssh/authorized-keys.nix | 10 +++--- modules/ssh/extract-keys.nix | 2 +- modules/syncthing/default.nix | 17 ++++----- modules/taskwarrior/default.nix | 3 +- modules/yubikey/default.nix | 10 ++---- 24 files changed, 94 insertions(+), 139 deletions(-) diff --git a/deploy/colmena.nix b/deploy/colmena.nix index 0e7ad4d7..b0cfff07 100644 --- a/deploy/colmena.nix +++ b/deploy/colmena.nix @@ -12,7 +12,7 @@ let imports = [ ../hosts/${hostname} ]; deployment = { targetHost = self.nixosConfigurations.${hostname}.config.ssh.publicHostname; - targetUser = self.nixosConfigurations.${hostname}.config.ssh.username; + targetUser = self.nixosConfigurations.${hostname}.config.host.username; buildOnTarget = builtins.any (t: t != "local" && t != "arm") tags; inherit tags; }; diff --git a/home/hosts/work/default.nix b/home/hosts/work/default.nix index a9b491b1..e61f9d5b 100644 --- a/home/hosts/work/default.nix +++ b/home/hosts/work/default.nix @@ -5,9 +5,6 @@ ... }: -let - username = "hektor"; -in { imports = [ inputs.sops-nix.homeManagerModules.sops @@ -57,8 +54,8 @@ in home = { stateVersion = "25.05"; - inherit username; - homeDirectory = "/home/${username}"; + username = "hektor"; + homeDirectory = "/home/${config.home.username}"; }; targets.genericLinux.nixGL = { diff --git a/home/modules/default.nix b/home/modules/default.nix index 0c53d84f..7e7c9c0d 100644 --- a/home/modules/default.nix +++ b/home/modules/default.nix @@ -6,25 +6,32 @@ }: { - options.nixgl.wrap = lib.mkOption { - type = lib.types.functionTo lib.types.package; - default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id; - readOnly = true; - }; + options = { + host.username = lib.mkOption { + type = lib.types.str; + default = config.home.username; + }; - options.wrapApp = lib.mkOption { - type = lib.types.raw; - default = - pkg: flags: - if config.lib ? nixGL then - pkg.overrideAttrs (old: { - nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ]; - postInstall = (old.postInstall or "") + '' - wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}" - ''; - }) - else - pkg; - readOnly = true; + nixgl.wrap = lib.mkOption { + type = lib.types.functionTo lib.types.package; + default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id; + readOnly = true; + }; + + wrapApp = lib.mkOption { + type = lib.types.raw; + default = + pkg: flags: + if config.lib ? nixGL then + pkg.overrideAttrs (old: { + nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ]; + postInstall = (old.postInstall or "") + '' + wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}" + ''; + }) + else + pkg; + readOnly = true; + }; }; } diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix index ad938f89..337e541b 100644 --- a/hosts/andromache/default.nix +++ b/hosts/andromache/default.nix @@ -51,31 +51,17 @@ in ../../modules/yubikey ]; - home-manager.users.${config.host.username} = import ../../home/hosts/andromache { - inherit - inputs - config - pkgs - lib - ; - }; + home-manager.users.${config.host.username} = import ../../home/hosts/andromache; - ssh.username = config.host.username; ssh.authorizedHosts = [ "astyanax" ]; - secrets = { - inherit (config.host) username; - nixSigningKey.enable = true; - }; + secrets.nixSigningKey.enable = true; tailscale.enable = true; - docker.user = config.host.username; + docker.enable = true; - hcloud = { - enable = true; - inherit (config.host) username; - }; + hcloud.enable = true; disko.devices = { disk.data = { @@ -107,7 +93,6 @@ in my.yubikey = { enable = false; - inherit (config.host) username; keys = [ { handle = ""; diff --git a/hosts/astyanax/default.nix b/hosts/astyanax/default.nix index 5eabf078..40d7be77 100644 --- a/hosts/astyanax/default.nix +++ b/hosts/astyanax/default.nix @@ -47,26 +47,15 @@ in ../../modules/yubikey ]; - home-manager.users.${config.host.username} = import ../../home/hosts/astyanax { - inherit - inputs - config - pkgs - lib - ; - }; + home-manager.users.${config.host.username} = import ../../home/hosts/astyanax; - ssh.username = config.host.username; ssh.authorizedHosts = [ "andromache" ]; - secrets = { - inherit (config.host) username; - nixSigningKey.enable = true; - }; + secrets.nixSigningKey.enable = true; tailscale.enable = true; - docker.user = config.host.username; - nfc.user = config.host.username; + docker.enable = true; + nfc.enable = true; desktop.ly.enable = true; audio.automation.enable = true; diff --git a/hosts/eetion-02/default.nix b/hosts/eetion-02/default.nix index 13d36b48..f8dc4755 100644 --- a/hosts/eetion-02/default.nix +++ b/hosts/eetion-02/default.nix @@ -12,7 +12,6 @@ ]; ssh = { - inherit (config.host) username; publicHostname = config.host.name; authorizedHosts = [ "andromache" diff --git a/hosts/eetion/default.nix b/hosts/eetion/default.nix index a0dc7a91..8d22f3d4 100644 --- a/hosts/eetion/default.nix +++ b/hosts/eetion/default.nix @@ -13,7 +13,6 @@ ]; ssh = { - inherit (config.host) username; publicHostname = config.host.name; authorizedHosts = [ "andromache" diff --git a/hosts/hecuba/default.nix b/hosts/hecuba/default.nix index f19fee7c..b11387ca 100644 --- a/hosts/hecuba/default.nix +++ b/hosts/hecuba/default.nix @@ -19,7 +19,6 @@ networking.hostName = config.host.name; ssh = { - inherit (config.host) username; publicHostname = "server.hektormisplon.xyz"; authorizedHosts = [ "andromache" @@ -27,7 +26,7 @@ ]; }; - docker.user = config.host.username; + docker.enable = true; fileSystems."/" = { device = "/dev/disk/by-label/nixos"; diff --git a/hosts/vm/default.nix b/hosts/vm/default.nix index f6f2d1b0..1b24563b 100644 --- a/hosts/vm/default.nix +++ b/hosts/vm/default.nix @@ -1,7 +1,6 @@ { inputs, config, - pkgs, ... }: { @@ -29,13 +28,7 @@ ../../modules/x ]; - home-manager.users.${config.host.username} = import ../../home/hosts/vm { - inherit inputs config pkgs; - }; - - ssh.username = config.host.username; - - secrets.username = config.host.username; + home-manager.users.${config.host.username} = import ../../home/hosts/vm; disko = { devices.disk.main = { diff --git a/images/sd-image-orange-pi-aarch64.nix b/images/sd-image-orange-pi-aarch64.nix index f0686acb..2c1cf928 100644 --- a/images/sd-image-orange-pi-aarch64.nix +++ b/images/sd-image-orange-pi-aarch64.nix @@ -12,10 +12,15 @@ let in { imports = [ + ../modules/common/host.nix ../modules/ssh ]; - ssh.username = username; + host = { + inherit username; + name = "orange-pi"; + }; + ssh.authorizedHosts = [ "andromache" "astyanax" diff --git a/images/sd-image-raspberry-pi-aarch64.nix b/images/sd-image-raspberry-pi-aarch64.nix index 8ac5af62..3ec2962f 100644 --- a/images/sd-image-raspberry-pi-aarch64.nix +++ b/images/sd-image-raspberry-pi-aarch64.nix @@ -12,10 +12,15 @@ let in { imports = [ + ../modules/common/host.nix ../modules/ssh ]; - ssh.username = username; + host = { + inherit username; + name = "raspberry-pi"; + }; + ssh.authorizedHosts = [ "andromache" "astyanax" diff --git a/modules/ai-tools/default.nix b/modules/ai-tools/default.nix index bf3121e5..d8c5ed8c 100644 --- a/modules/ai-tools/default.nix +++ b/modules/ai-tools/default.nix @@ -1,7 +1,8 @@ { config, myUtils, ... }: let - inherit (config.secrets) sopsDir username; + inherit (config.secrets) sopsDir; + inherit (config.host) username; owner = config.users.users.${username}.name; in { diff --git a/modules/anki/default.nix b/modules/anki/default.nix index 2b516352..7da7147c 100644 --- a/modules/anki/default.nix +++ b/modules/anki/default.nix @@ -1,7 +1,8 @@ { config, myUtils, ... }: let - inherit (config.secrets) sopsDir username; + inherit (config.secrets) sopsDir; + inherit (config.host) username; owner = config.users.users.${username}.name; in { diff --git a/modules/common/default.nix b/modules/common/default.nix index 2e0e51c2..1cd9e811 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -73,6 +73,11 @@ in myUtils ; }; + sharedModules = [ + { + host.username = lib.mkDefault config.host.username; + } + ]; }; }; } diff --git a/modules/docker/default.nix b/modules/docker/default.nix index dfb6c59c..f834a813 100644 --- a/modules/docker/default.nix +++ b/modules/docker/default.nix @@ -2,29 +2,17 @@ let cfg = config.docker; + inherit (config.host) username; in { options.docker = { + enable = lib.mkEnableOption "docker"; rootless = lib.mkOption { type = lib.types.bool; default = false; }; - user = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; }; config = lib.mkMerge [ - { - warnings = lib.flatten [ - (lib.optional ( - cfg.rootless && cfg.user != null - ) "'virtualisation.docker.user' is ignored when rootless mode is enabled") - (lib.optional ( - !cfg.rootless && cfg.user == null - ) "'virtualisation.docker.user' is not set (no user is added to the docker group)") - ]; - } (lib.mkIf cfg.rootless { virtualisation.docker = { enable = false; @@ -34,11 +22,9 @@ in }; }; }) - (lib.mkIf (!cfg.rootless && cfg.user != null) { - virtualisation.docker = { - enable = true; - }; - users.users.${cfg.user}.extraGroups = [ "docker" ]; + (lib.mkIf (cfg.enable && !cfg.rootless) { + virtualisation.docker.enable = true; + users.users.${username}.extraGroups = [ "docker" ]; }) ]; } diff --git a/modules/git/default.nix b/modules/git/default.nix index 1557b375..80306c90 100644 --- a/modules/git/default.nix +++ b/modules/git/default.nix @@ -4,7 +4,7 @@ }: let - inherit (config.secrets) username; + inherit (config.host) username; owner = config.users.users.${username}.name; in { diff --git a/modules/hcloud/default.nix b/modules/hcloud/default.nix index a9591f2f..e41765a8 100644 --- a/modules/hcloud/default.nix +++ b/modules/hcloud/default.nix @@ -7,25 +7,22 @@ let cfg = config.hcloud; + inherit (config.host) username; inherit (config.secrets) sopsDir; in { options.hcloud = { enable = lib.mkEnableOption "hcloud CLI configuration"; - username = lib.mkOption { - type = lib.types.str; - description = "Username for hcloud CLI configuration"; - }; }; config = lib.mkIf cfg.enable { sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] { - owner = config.users.users.${cfg.username}.name; + owner = config.users.users.${username}.name; }; sops.templates."hcloud/cli.toml" = { - owner = config.users.users.${cfg.username}.name; - path = "/home/${cfg.username}/.config/hcloud/cli.toml"; + owner = config.users.users.${username}.name; + path = "/home/${username}/.config/hcloud/cli.toml"; content = '' active_context = "server" diff --git a/modules/nfc/default.nix b/modules/nfc/default.nix index 477b2e4d..ff124a74 100644 --- a/modules/nfc/default.nix +++ b/modules/nfc/default.nix @@ -2,15 +2,13 @@ let cfg = config.nfc; + inherit (config.host) username; in { options.nfc = { - user = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; + enable = lib.mkEnableOption "NFC device access"; }; - config = lib.mkIf (cfg.user != null) { - users.users.${cfg.user}.extraGroups = [ "dialout" ]; + config = lib.mkIf cfg.enable { + users.users.${username}.extraGroups = [ "dialout" ]; }; } diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix index 45c37909..f847c7e2 100644 --- a/modules/secrets/default.nix +++ b/modules/secrets/default.nix @@ -9,8 +9,9 @@ let cfg = config.secrets; + inherit (config.host) username; inherit (cfg) sopsDir; - owner = config.users.users.${cfg.username}.name; + owner = config.users.users.${username}.name; mkSopsSecrets = myUtils.mkSopsSecrets sopsDir; in { @@ -18,10 +19,6 @@ in options = { secrets = { - username = lib.mkOption { - type = lib.types.str; - }; - sopsDir = lib.mkOption { type = lib.types.str; default = "${toString inputs.nix-secrets}/secrets"; @@ -43,7 +40,7 @@ in # ``` # age-plugin-yubikey --identity > # ``` - age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt"; + age.keyFile = "/home/${username}/.config/sops/age/keys.txt"; secrets = lib.mkMerge [ (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; }) diff --git a/modules/ssh/authorized-keys.nix b/modules/ssh/authorized-keys.nix index 5226b683..72b57df8 100644 --- a/modules/ssh/authorized-keys.nix +++ b/modules/ssh/authorized-keys.nix @@ -1,14 +1,14 @@ { lib, config, ... }: + +let + inherit (config.host) username; +in { options.ssh = { authorizedHosts = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; }; - username = lib.mkOption { - type = lib.types.str; - default = "h"; - }; publicHostname = lib.mkOption { type = lib.types.str; default = ""; @@ -16,7 +16,7 @@ }; # auto generate authorized_keys from `authorizedHosts` - config.users.users.${config.ssh.username}.openssh.authorizedKeys.keys = lib.flatten ( + config.users.users.${username}.openssh.authorizedKeys.keys = lib.flatten ( map ( hostname: let diff --git a/modules/ssh/extract-keys.nix b/modules/ssh/extract-keys.nix index 058bf835..0b12fb96 100644 --- a/modules/ssh/extract-keys.nix +++ b/modules/ssh/extract-keys.nix @@ -1,6 +1,6 @@ { lib, config, ... }: let - inherit (config.ssh) username; + inherit (config.host) username; in { # auto extract SSH keys diff --git a/modules/syncthing/default.nix b/modules/syncthing/default.nix index f4d2acaa..0483eb76 100644 --- a/modules/syncthing/default.nix +++ b/modules/syncthing/default.nix @@ -7,23 +7,18 @@ with lib; let - cfg = config.my.syncthing; + inherit (config.host) username; in { - options.my.syncthing.username = mkOption { - type = types.str; - default = "h"; - }; - config = { - users.groups.${cfg.username} = { }; - users.users.${cfg.username}.extraGroups = [ cfg.username ]; + users.groups.${username} = { }; + users.users.${username}.extraGroups = [ username ]; services.syncthing = { enable = true; - user = cfg.username; - group = cfg.username; - configDir = "/home/${cfg.username}/.local/state/syncthing"; + user = username; + group = username; + configDir = "/home/${username}/.local/state/syncthing"; openDefaultPorts = true; }; }; diff --git a/modules/taskwarrior/default.nix b/modules/taskwarrior/default.nix index 7be02621..2767797b 100644 --- a/modules/taskwarrior/default.nix +++ b/modules/taskwarrior/default.nix @@ -1,7 +1,8 @@ { config, myUtils, ... }: let - inherit (config.secrets) sopsDir username; + inherit (config.secrets) sopsDir; + inherit (config.host) username; owner = config.users.users.${username}.name; in { diff --git a/modules/yubikey/default.nix b/modules/yubikey/default.nix index 0a305fe8..b4fef386 100644 --- a/modules/yubikey/default.nix +++ b/modules/yubikey/default.nix @@ -9,18 +9,14 @@ with lib; let cfg = config.my.yubikey; + inherit (config.host) username; formatKey = key: ":${key.handle},${key.userKey},${key.coseType},${key.options}"; - authfileContent = username: keys: username + lib.concatMapStrings formatKey keys; + authfileContent = u: keys: u + lib.concatMapStrings formatKey keys; in { options.my.yubikey = { enable = mkEnableOption "yubiKey U2F authentication"; - username = mkOption { - type = types.str; - default = "h"; - }; - origin = mkOption { type = types.str; default = "pam://yubi"; @@ -61,7 +57,7 @@ in interactive = true; cue = true; inherit (cfg) origin; - authfile = pkgs.writeText "u2f-mappings" (authfileContent cfg.username cfg.keys); + authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys); }; }; services = {