refactor: simplify 'user' options

2026-04-21 13:59:03 +02:00
parent 38818e7508
commit 6a30a431f8
24 changed files with 94 additions and 139 deletions


@@ -12,7 +12,7 @@ let
imports = [ ../hosts/${hostname} ]; imports = [ ../hosts/${hostname} ];
deployment = { deployment = {
targetHost = self.nixosConfigurations.${hostname}.config.ssh.publicHostname; targetHost = self.nixosConfigurations.${hostname}.config.ssh.publicHostname;
targetUser = self.nixosConfigurations.${hostname}.config.ssh.username; targetUser = self.nixosConfigurations.${hostname}.config.host.username;
buildOnTarget = builtins.any (t: t != "local" && t != "arm") tags; buildOnTarget = builtins.any (t: t != "local" && t != "arm") tags;
inherit tags; inherit tags;
}; };


@@ -5,9 +5,6 @@
... ...
}: }:
let
username = "hektor";
in
{ {
imports = [ imports = [
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
@@ -57,8 +54,8 @@ in
home = { home = {
stateVersion = "25.05"; stateVersion = "25.05";
inherit username; username = "hektor";
homeDirectory = "/home/${username}"; homeDirectory = "/home/${config.home.username}";
}; };
targets.genericLinux.nixGL = { targets.genericLinux.nixGL = {


@@ -6,25 +6,32 @@
}: }:
{ {
options.nixgl.wrap = lib.mkOption { options = {
type = lib.types.functionTo lib.types.package; host.username = lib.mkOption {
default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id; type = lib.types.str;
readOnly = true; default = config.home.username;
}; };
options.wrapApp = lib.mkOption { nixgl.wrap = lib.mkOption {
type = lib.types.raw; type = lib.types.functionTo lib.types.package;
default = default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id;
pkg: flags: readOnly = true;
if config.lib ? nixGL then };
pkg.overrideAttrs (old: {
nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ]; wrapApp = lib.mkOption {
postInstall = (old.postInstall or "") + '' type = lib.types.raw;
wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}" default =
''; pkg: flags:
}) if config.lib ? nixGL then
else pkg.overrideAttrs (old: {
pkg; nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
readOnly = true; postInstall = (old.postInstall or "") + ''
wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}"
'';
})
else
pkg;
readOnly = true;
};
}; };
} }
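Review bot: The new `host.username` option defaults to `config.home.username`, but the NixOS side of this commit appears to push its own value through `sharedModules` with `lib.mkDefault`, which outranks an option default, so under NixOS-managed home-manager `host.username` comes from the host while `home.username` stays the literal `"hektor"` set in the home config. Nothing checks that the two agree, and a mismatch would only surface as `homeDirectory` and other `home.username`-derived paths pointing at a different user than the host configured. Consider an assertion next to the option, e.g. `config.assertions = [ { assertion = config.host.username == config.home.username; message = "host.username and home.username disagree"; } ];`, or at least a `description` on the option stating which of the two values is authoritative.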


@@ -51,31 +51,17 @@ in
../../modules/yubikey ../../modules/yubikey
]; ];
home-manager.users.${config.host.username} = import ../../home/hosts/andromache { home-manager.users.${config.host.username} = import ../../home/hosts/andromache;
inherit
inputs
config
pkgs
lib
;
};
ssh.username = config.host.username;
ssh.authorizedHosts = [ "astyanax" ]; ssh.authorizedHosts = [ "astyanax" ];
secrets = { secrets.nixSigningKey.enable = true;
inherit (config.host) username;
nixSigningKey.enable = true;
};
tailscale.enable = true; tailscale.enable = true;
docker.user = config.host.username; docker.enable = true;
hcloud = { hcloud.enable = true;
enable = true;
inherit (config.host) username;
};
disko.devices = { disko.devices = {
disk.data = { disk.data = {
@@ -107,7 +93,6 @@ in
my.yubikey = { my.yubikey = {
enable = false; enable = false;
inherit (config.host) username;
keys = [ keys = [
{ {
handle = "<KeyHandle1>"; handle = "<KeyHandle1>";


@@ -47,26 +47,15 @@ in
../../modules/yubikey ../../modules/yubikey
]; ];
home-manager.users.${config.host.username} = import ../../home/hosts/astyanax { home-manager.users.${config.host.username} = import ../../home/hosts/astyanax;
inherit
inputs
config
pkgs
lib
;
};
ssh.username = config.host.username;
ssh.authorizedHosts = [ "andromache" ]; ssh.authorizedHosts = [ "andromache" ];
secrets = { secrets.nixSigningKey.enable = true;
inherit (config.host) username;
nixSigningKey.enable = true;
};
tailscale.enable = true; tailscale.enable = true;
docker.user = config.host.username; docker.enable = true;
nfc.user = config.host.username; nfc.enable = true;
desktop.ly.enable = true; desktop.ly.enable = true;
audio.automation.enable = true; audio.automation.enable = true;


@@ -12,7 +12,6 @@
]; ];
ssh = { ssh = {
inherit (config.host) username;
publicHostname = config.host.name; publicHostname = config.host.name;
authorizedHosts = [ authorizedHosts = [
"andromache" "andromache"


@@ -13,7 +13,6 @@
]; ];
ssh = { ssh = {
inherit (config.host) username;
publicHostname = config.host.name; publicHostname = config.host.name;
authorizedHosts = [ authorizedHosts = [
"andromache" "andromache"


@@ -19,7 +19,6 @@
networking.hostName = config.host.name; networking.hostName = config.host.name;
ssh = { ssh = {
inherit (config.host) username;
publicHostname = "server.hektormisplon.xyz"; publicHostname = "server.hektormisplon.xyz";
authorizedHosts = [ authorizedHosts = [
"andromache" "andromache"
@@ -27,7 +26,7 @@
]; ];
}; };
docker.user = config.host.username; docker.enable = true;
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-label/nixos"; device = "/dev/disk/by-label/nixos";


@@ -1,7 +1,6 @@
{ {
inputs, inputs,
config, config,
pkgs,
... ...
}: }:
{ {
@@ -29,13 +28,7 @@
../../modules/x ../../modules/x
]; ];
home-manager.users.${config.host.username} = import ../../home/hosts/vm { home-manager.users.${config.host.username} = import ../../home/hosts/vm;
inherit inputs config pkgs;
};
ssh.username = config.host.username;
secrets.username = config.host.username;
disko = { disko = {
devices.disk.main = { devices.disk.main = {


@@ -12,10 +12,15 @@ let
in in
{ {
imports = [ imports = [
../modules/common/host.nix
../modules/ssh ../modules/ssh
]; ];
ssh.username = username; host = {
inherit username;
name = "orange-pi";
};
ssh.authorizedHosts = [ ssh.authorizedHosts = [
"andromache" "andromache"
"astyanax" "astyanax"


@@ -12,10 +12,15 @@ let
in in
{ {
imports = [ imports = [
../modules/common/host.nix
../modules/ssh ../modules/ssh
]; ];
ssh.username = username; host = {
inherit username;
name = "raspberry-pi";
};
ssh.authorizedHosts = [ ssh.authorizedHosts = [
"andromache" "andromache"
"astyanax" "astyanax"


@@ -1,7 +1,8 @@
{ config, myUtils, ... }: { config, myUtils, ... }:
let let
inherit (config.secrets) sopsDir username; inherit (config.secrets) sopsDir;
inherit (config.host) username;
owner = config.users.users.${username}.name; owner = config.users.users.${username}.name;
in in
{ {


@@ -1,7 +1,8 @@
{ config, myUtils, ... }: { config, myUtils, ... }:
let let
inherit (config.secrets) sopsDir username; inherit (config.secrets) sopsDir;
inherit (config.host) username;
owner = config.users.users.${username}.name; owner = config.users.users.${username}.name;
in in
{ {


@@ -73,6 +73,11 @@ in
myUtils myUtils
; ;
}; };
sharedModules = [
{
host.username = lib.mkDefault config.host.username;
}
];
}; };
}; };
} }


@@ -2,29 +2,17 @@
let let
cfg = config.docker; cfg = config.docker;
inherit (config.host) username;
in in
{ {
options.docker = { options.docker = {
enable = lib.mkEnableOption "docker";
rootless = lib.mkOption { rootless = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
}; };
user = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
}; };
config = lib.mkMerge [ config = lib.mkMerge [
{
warnings = lib.flatten [
(lib.optional (
cfg.rootless && cfg.user != null
) "'virtualisation.docker.user' is ignored when rootless mode is enabled")
(lib.optional (
!cfg.rootless && cfg.user == null
) "'virtualisation.docker.user' is not set (no user is added to the docker group)")
];
}
(lib.mkIf cfg.rootless { (lib.mkIf cfg.rootless {
virtualisation.docker = { virtualisation.docker = {
enable = false; enable = false;
@@ -34,11 +22,9 @@ in
}; };
}; };
}) })
(lib.mkIf (!cfg.rootless && cfg.user != null) { (lib.mkIf (cfg.enable && !cfg.rootless) {
virtualisation.docker = { virtualisation.docker.enable = true;
enable = true; users.users.${username}.extraGroups = [ "docker" ];
};
users.users.${cfg.user}.extraGroups = [ "docker" ];
}) })
]; ];
} }
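Review bot: The rootless branch `(lib.mkIf cfg.rootless {` at the top of the `config = lib.mkMerge [` list is still not gated on the new `enable` option, while the non-rootless branch now is (`lib.mkIf (cfg.enable && !cfg.rootless)`), so a host with `docker.rootless = true` and `docker.enable = false` still gets rootless docker configured. Gating it as `(lib.mkIf (cfg.enable && cfg.rootless) {` makes `enable` the single switch, which is what the host files in this commit now rely on. The removed `user` warnings are correctly obsolete, but the rewritten `users.users.${username}.extraGroups = [ "docker" ];` line deserves a comment such as `# docker group membership is root-equivalent on the host` so that turning it on for a host is a deliberate choice. The body of the rootless branch continues past the end of the first hunk.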


@@ -4,7 +4,7 @@
}: }:
let let
inherit (config.secrets) username; inherit (config.host) username;
owner = config.users.users.${username}.name; owner = config.users.users.${username}.name;
in in
{ {


@@ -7,25 +7,22 @@
let let
cfg = config.hcloud; cfg = config.hcloud;
inherit (config.host) username;
inherit (config.secrets) sopsDir; inherit (config.secrets) sopsDir;
in in
{ {
options.hcloud = { options.hcloud = {
enable = lib.mkEnableOption "hcloud CLI configuration"; enable = lib.mkEnableOption "hcloud CLI configuration";
username = lib.mkOption {
type = lib.types.str;
description = "Username for hcloud CLI configuration";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] { sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] {
owner = config.users.users.${cfg.username}.name; owner = config.users.users.${username}.name;
}; };
sops.templates."hcloud/cli.toml" = { sops.templates."hcloud/cli.toml" = {
owner = config.users.users.${cfg.username}.name; owner = config.users.users.${username}.name;
path = "/home/${cfg.username}/.config/hcloud/cli.toml"; path = "/home/${username}/.config/hcloud/cli.toml";
content = '' content = ''
active_context = "server" active_context = "server"
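Review bot: `path = "/home/${username}/.config/hcloud/cli.toml";` hardcodes the home directory from the username, while the `owner` line just above already resolves the user through `config.users.users.${username}`; using `config.users.users.${username}.home` for the path keeps the rendered secret inside the configured home even for a user whose home is not under `/home`. The same hardcoded `/home/${username}` pattern is on the new side of `age.keyFile` in the secrets module and `configDir` in the syncthing module. The `sops.templates."hcloud/cli.toml"` attrset continues past the end of the hunk.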


@@ -2,15 +2,13 @@
let let
cfg = config.nfc; cfg = config.nfc;
inherit (config.host) username;
in in
{ {
options.nfc = { options.nfc = {
user = lib.mkOption { enable = lib.mkEnableOption "NFC device access";
type = lib.types.nullOr lib.types.str;
default = null;
};
}; };
config = lib.mkIf (cfg.user != null) { config = lib.mkIf cfg.enable {
users.users.${cfg.user}.extraGroups = [ "dialout" ]; users.users.${username}.extraGroups = [ "dialout" ];
}; };
} }


@@ -9,8 +9,9 @@
let let
cfg = config.secrets; cfg = config.secrets;
inherit (config.host) username;
inherit (cfg) sopsDir; inherit (cfg) sopsDir;
owner = config.users.users.${cfg.username}.name; owner = config.users.users.${username}.name;
mkSopsSecrets = myUtils.mkSopsSecrets sopsDir; mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
in in
{ {
@@ -18,10 +19,6 @@ in
options = { options = {
secrets = { secrets = {
username = lib.mkOption {
type = lib.types.str;
};
sopsDir = lib.mkOption { sopsDir = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "${toString inputs.nix-secrets}/secrets"; default = "${toString inputs.nix-secrets}/secrets";
@@ -43,7 +40,7 @@ in
# ``` # ```
# age-plugin-yubikey --identity > <keyfile-path> # age-plugin-yubikey --identity > <keyfile-path>
# ``` # ```
age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt"; age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
secrets = lib.mkMerge [ secrets = lib.mkMerge [
(mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; }) (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })


@@ -1,14 +1,14 @@
{ lib, config, ... }: { lib, config, ... }:
let
inherit (config.host) username;
in
{ {
options.ssh = { options.ssh = {
authorizedHosts = lib.mkOption { authorizedHosts = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
}; };
username = lib.mkOption {
type = lib.types.str;
default = "h";
};
publicHostname = lib.mkOption { publicHostname = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = ""; default = "";
@@ -16,7 +16,7 @@
}; };
# auto generate authorized_keys from `authorizedHosts` # auto generate authorized_keys from `authorizedHosts`
config.users.users.${config.ssh.username}.openssh.authorizedKeys.keys = lib.flatten ( config.users.users.${username}.openssh.authorizedKeys.keys = lib.flatten (
map ( map (
hostname: hostname:
let let
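Review bot: The module now reads `config.host.username` in its top-level `let`, replacing an option that had a default of `"h"`, so evaluation fails with a missing `host` attribute on any host that does not also import the module declaring `host.username`; the orange-pi and raspberry-pi files in this commit add that import by hand (`../modules/common/host.nix`). Declaring the dependency here, e.g. `imports = [ ../common/host.nix ];` (path relative to this module, to be confirmed), would make the ssh module self-contained instead of relying on every host to wire it, and the docker, nfc, secrets, hcloud, syncthing and yubikey modules take the same `inherit (config.host) username` dependency in this commit. The `config.users.users.${username}.openssh.authorizedKeys.keys` expression continues past the end of the hunk.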


@@ -1,6 +1,6 @@
{ lib, config, ... }: { lib, config, ... }:
let let
inherit (config.ssh) username; inherit (config.host) username;
in in
{ {
# auto extract SSH keys # auto extract SSH keys


@@ -7,23 +7,18 @@
with lib; with lib;
let let
cfg = config.my.syncthing; inherit (config.host) username;
in in
{ {
options.my.syncthing.username = mkOption {
type = types.str;
default = "h";
};
config = { config = {
users.groups.${cfg.username} = { }; users.groups.${username} = { };
users.users.${cfg.username}.extraGroups = [ cfg.username ]; users.users.${username}.extraGroups = [ username ];
services.syncthing = { services.syncthing = {
enable = true; enable = true;
user = cfg.username; user = username;
group = cfg.username; group = username;
configDir = "/home/${cfg.username}/.local/state/syncthing"; configDir = "/home/${username}/.local/state/syncthing";
openDefaultPorts = true; openDefaultPorts = true;
}; };
}; };


@@ -1,7 +1,8 @@
{ config, myUtils, ... }: { config, myUtils, ... }:
let let
inherit (config.secrets) sopsDir username; inherit (config.secrets) sopsDir;
inherit (config.host) username;
owner = config.users.users.${username}.name; owner = config.users.users.${username}.name;
in in
{ {


@@ -9,18 +9,14 @@ with lib;
let let
cfg = config.my.yubikey; cfg = config.my.yubikey;
inherit (config.host) username;
formatKey = key: ":${key.handle},${key.userKey},${key.coseType},${key.options}"; formatKey = key: ":${key.handle},${key.userKey},${key.coseType},${key.options}";
authfileContent = username: keys: username + lib.concatMapStrings formatKey keys; authfileContent = u: keys: u + lib.concatMapStrings formatKey keys;
in in
{ {
options.my.yubikey = { options.my.yubikey = {
enable = mkEnableOption "yubiKey U2F authentication"; enable = mkEnableOption "yubiKey U2F authentication";
username = mkOption {
type = types.str;
default = "h";
};
origin = mkOption { origin = mkOption {
type = types.str; type = types.str;
default = "pam://yubi"; default = "pam://yubi";
@@ -61,7 +57,7 @@ in
interactive = true; interactive = true;
cue = true; cue = true;
inherit (cfg) origin; inherit (cfg) origin;
authfile = pkgs.writeText "u2f-mappings" (authfileContent cfg.username cfg.keys); authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys);
}; };
}; };
services = { services = {