refactor: enable firewall explicitely for 'hecuba' host

Reviewed-on: #1

dots/.config/kitty/kitty.conf

@@ -136,7 +136,7 @@ map f5 goto_tab 5
 map f6 goto_tab 6
 map f7 goto_tab 7
 map f8 goto_tab 8
-map kitty_mod+c new_tab
+# map kitty_mod+c new_tab # FIXME: conflict with 'copy'
 map cmd+t
 map kitty_mod+q
 map cmd+w

dots/.config/nvim/after/plugin/treesitter.lua

@@ -4,6 +4,9 @@ local keymap = vim.keymap
 local opt = vim.opt
 local treesitter_configs = require("nvim-treesitter.configs")
 
+local nixCatsUtils = require("nixCatsUtils")
+local is_nix = nixCatsUtils.isNixCats
+
 treesitter_configs.setup({
   -- Basically added what I might need from the docs
   -- <https://github.com/nvim-treesitter/nvim-treesitter?tab=readme-ov-file#supported-languages>
@@ -86,7 +89,7 @@ treesitter_configs.setup({
     enable = true,
   },
   sync_install = false,
-  auto_install = true,
+  auto_install = not is_nix,
   ignore_install = {},
   modules = {},
   textobjects = {

dots/.config/nvim/flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixCats": {
       "locked": {
-        "lastModified": 1763330129,
-        "narHash": "sha256-KbOeWIF52SV53BOeETGO2C5ewaV2Ex9iaXH7G72gOr8=",
+        "lastModified": 1764009888,
+        "narHash": "sha256-hJekfTiW1792txgRSM4LcHnz1lDSY87LYbsJEn2V378=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "c81551ed87db2aefab30a12cf7425ff94dc0ad64",
+        "rev": "16ac3281f322ea15d39843829e42a44d22da3715",
         "type": "github"
       },
       "original": {
@@ -17,11 +17,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763464769,
-        "narHash": "sha256-AJHrsT7VoeQzErpBRlLJM1SODcaayp0joAoEA35yiwM=",
+        "lastModified": 1764733908,
+        "narHash": "sha256-QJiih52NU+nm7XQWCj+K8SwUdIEayDQ1FQgjkYISt4I=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6f374686605df381de8541c072038472a5ea2e2d",
+        "rev": "cadcc8de247676e4751c9d4a935acb2c0b059113",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,7 +5,6 @@
     };
     nixos-hardware = {
       url = "github:NixOS/nixos-hardware/master";
-      inputs.nixpkgs.follows = "nixpkgs";
     };
     disko = {
       url = "github:nix-community/disko/latest";

home/hosts/astyanax/default.nix

@@ -10,13 +10,14 @@ let
 in
 {
   imports = [
-    ../../modules/dconf.nix # TODO: Only enable when on Gnome?
+    ../../modules/desktop/niri
     ../../modules/git.nix
     ../../modules/k9s.nix
     (import ../../modules/taskwarrior.nix {
       inherit config;
       inherit pkgs;
     })
+    (import ../../modules/keepassxc.nix { inherit pkgs; })
   ];
 
   home.stateVersion = "25.05";
@@ -54,7 +55,6 @@ in
       enableBashIntegration = true;
     };
     home-manager.enable = true;
-    keepassxc = import ../../modules/keepassxc.nix;
   };
 
   home.packages = import ./packages.nix {

home/hosts/astyanax/packages.nix

@@ -29,6 +29,7 @@ with pkgs;
   pass
   pnpm
   ripgrep
+  signal-desktop
   silver-searcher
   sops
   sshfs

home/hosts/work/default.nix

@@ -13,6 +13,7 @@ in
     ../../modules/dconf.nix
     ../../modules/git.nix
     ../../modules/k9s.nix
+    (import ../../modules/keepassxc.nix { inherit pkgs; })
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -34,7 +35,6 @@ in
       inherit config;
     };
     gh.enable = true;
-    keepassxc = import ../../modules/keepassxc.nix;
     kubecolor.enable = true;
   };
 

home/modules/desktop/niri/config.kdl

@@ -0,0 +1,183 @@
+input {
+    touchpad {
+        tap
+        natural-scroll
+    }
+    mouse {
+        accel-profile "flat"
+    }
+}
+
+// NOTE: monitors are managed using `shikane` instead, as I assume this to be
+// too limited for multiple multimonitor configurations. Below is an example
+// for a simple, fixed, vertical dual monitor setup
+
+// output "eDP-1" {
+//   position x=0 y=1440
+// }
+//
+// output "DP-5" {
+//   position x=0 y=0
+// }
+
+layout {
+    gaps 4
+    struts {}
+    center-focused-column "never"
+    preset-column-widths {
+        proportion 0.382
+        proportion 0.618
+        proportion 1.0
+    }
+    default-column-width { }
+    focus-ring {
+        off
+    }
+    border {
+        width 2
+        active-color "#555555"
+        inactive-color "#55555511"
+        urgent-color "#ff0000"
+    }
+    shadow {
+        on
+        softness 32
+        spread 4
+        offset x=0 y=0
+        color "#0007"
+    }
+}
+
+spawn-at-startup "wlsunset -l 51.05 -L 3.72"
+spawn-at-startup "waybar"
+
+hotkey-overlay {
+    skip-at-startup
+}
+
+prefer-no-csd
+
+screenshot-path "~/doc/screenshots/%Y-%m-%d %H-%M-%S.png"
+
+// https://yalter.github.io/niri/Configuration:-Animations
+animations {
+    slowdown 0.66
+}
+
+window-rule {
+    match app-id=r#"firefox$"# title="^Picture-in-Picture$"
+    open-floating true
+}
+
+window-rule {
+    match app-id=r#"^org\.keepassxc\.KeePassXC$"#
+    block-out-from "screen-capture"
+}
+
+window-rule {
+    geometry-corner-radius 0
+    clip-to-geometry true
+}
+
+gestures {
+  hot-corners {
+    off
+  }
+}
+
+binds {
+    Mod+Slash { show-hotkey-overlay; }
+
+    Mod+Return hotkey-overlay-title="Open a Terminal: kitty"     { spawn "kitty"; }
+    Mod+P hotkey-overlay-title="Run an Application: fuzzel"      { spawn "fuzzel"; }
+    Super+Alt+L hotkey-overlay-title="Lock the Screen: swaylock" { spawn "swaylock"; }
+
+    XF86AudioRaiseVolume allow-when-locked=true { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.1+"; }
+    XF86AudioLowerVolume allow-when-locked=true { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.1-"; }
+    XF86AudioMute        allow-when-locked=true { spawn-sh "wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"; }
+    XF86AudioMicMute     allow-when-locked=true { spawn-sh "wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"; }
+
+    Mod+Shift+XF86Display { power-off-monitors; }
+    XF86MonBrightnessUp allow-when-locked=true   { spawn "brightnessctl" "--class=backlight" "set" "+10%"; }
+    XF86MonBrightnessDown allow-when-locked=true { spawn "brightnessctl" "--class=backlight" "set" "10%-"; }
+
+    Mod+O repeat=false            { toggle-overview; }
+    Mod+Delete repeat=false { close-window; }
+
+    Mod+H { focus-column-left; }
+    Mod+J { focus-window-or-workspace-down; }
+    Mod+K { focus-window-or-workspace-up; }
+    Mod+L { focus-column-right; }
+
+    Mod+Shift+H { move-column-left; }
+    Mod+Shift+J { move-window-down-or-to-workspace-down; }
+    Mod+Shift+K { move-window-up-or-to-workspace-up; }
+    Mod+Shift+L { move-column-right; }
+
+    Mod+Home      { focus-column-first; }
+    Mod+End       { focus-column-last; }
+    Mod+Ctrl+Home { move-column-to-first; }
+    Mod+Ctrl+End  { move-column-to-last; }
+
+    Mod+Left        { focus-monitor-left; }
+    Mod+Down        { focus-monitor-down; }
+    Mod+Up          { focus-monitor-up; }
+    Mod+Right       { focus-monitor-right; }
+    Mod+Shift+Left  { move-column-to-monitor-left; }
+    Mod+Shift+Down  { move-column-to-monitor-down; }
+    Mod+Shift+Up    { move-column-to-monitor-up; }
+    Mod+Shift+Right { move-column-to-monitor-right; }
+
+    Mod+Ctrl+Up   { move-workspace-down; }
+    Mod+Ctrl+Down { move-workspace-up; }
+
+    // Mod+WheelScrollDown       cooldown-ms=150 { focus-workspace-down; }
+    // Mod+WheelScrollUp         cooldown-ms=150 { focus-workspace-up; }
+    // Mod+Shift+WheelScrollDown cooldown-ms=150 { move-window-down-or-to-workspace-down; }
+    // Mod+Shift+WheelScrollUp   cooldown-ms=150 { move-window-up-or-to-workspace-up; }
+
+    // Mod+A { focus-workspace 1; }
+    // Mod+S { focus-workspace 2; }
+    // Mod+D { focus-workspace 3; }
+    // Mod+F { focus-workspace 4; }
+    // Mod+Shift+A { move-column-to-workspace 1; }
+    // Mod+Shift+S { move-column-to-workspace 2; }
+    // Mod+Shift+D { move-column-to-workspace 3; }
+    // Mod+Shift+F { move-column-to-workspace 4; }
+
+    Mod+Tab { focus-workspace-previous; }
+
+    Mod+BracketLeft  { consume-or-expel-window-left; }
+    Mod+BracketRight { consume-or-expel-window-right; }
+
+    Mod+Comma  { consume-window-into-column; }
+    Mod+Period { expel-window-from-column; }
+
+    Mod+N       { switch-preset-column-width; }
+    Mod+Shift+N { switch-preset-window-height; }
+    Mod+Ctrl+R  { reset-window-height; }
+
+    Mod+Space       { maximize-column; }
+    Mod+Shift+Space { fullscreen-window; }
+
+    Mod+Escape       { toggle-window-floating; }
+    Mod+Shift+Escape { switch-focus-between-floating-and-tiling; }
+
+    Mod+Ctrl+F { expand-column-to-available-width; }
+
+    Mod+C      { center-column; }
+    Mod+Ctrl+C { center-visible-columns; }
+
+    Mod+Minus       { set-column-width "-10%"; }
+    Mod+Equal       { set-column-width "+10%"; }
+    Mod+Shift+Minus { set-window-height "-10%"; }
+    Mod+Shift+Equal { set-window-height "+10%"; }
+
+    Mod+W { toggle-column-tabbed-display; }
+
+    Print      { screenshot; }
+    Ctrl+Print { screenshot-screen; }
+    Alt+Print  { screenshot-window; }
+
+    Mod+Shift+Delete { quit; }
+}

home/modules/desktop/niri/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ../../fuzzel
+    ../../waybar
+  ];
+
+  home = {
+    file.".config/niri/config.kdl".source = ./config.kdl;
+    packages = with pkgs; [ wlsunset ];
+  };
+}

home/modules/fuzzel/default.nix

@@ -0,0 +1,28 @@
+{
+  programs.fuzzel = {
+    enable = true;
+    settings = {
+      main = {
+        font = "Iosevka Term SS08";
+        horizontal-pad = 0;
+        vertical-pad = 0;
+      };
+      colors = {
+        background = "ccccccff";
+        text = "111111ff";
+        prompt = "ccccccff";
+        placeholder = "aaaaaaff";
+        input = "111111ff";
+        selection = "eeeeeeff";
+        selection-text = "111111ff";
+        selection-match = "333333ff";
+        counter = "111111ff";
+        border = "111111ff";
+      };
+      border = {
+        width = 2;
+        radius = 0;
+      };
+    };
+  };
+}

home/modules/keepassxc.nix

@@ -1,4 +1,11 @@
+{ pkgs, ... }:
+
 {
+  programs.keepassxc = {
     enable = true;
-  # TODO: https://mynixos.com/home-manager/option/programs.keepassxc.settings
+    settings = {
+      Browser.Enabled = true;
+    };
+  };
+  # programs.firefox.nativeMessagingHosts = [ pkgs.keepassxc ]; # FIXME: Resolve 'Access error for config file /home/h/.config/keepassxc/keepassxc.ini' error
 }

home/modules/waybar/config.jsonc

@@ -0,0 +1,57 @@
+[
+  {
+    "height": 16,
+    "spacing": 4,
+    "modules-left": ["niri/workspaces"],
+    "modules-right": [
+      "pulseaudio",
+      "memory",
+      "cpu",
+      "network",
+      "clock",
+      "battery",
+    ],
+    "clock": {
+      "format": "W{:%V %d %b %H:%M}",
+      "tooltip-format": "{calendar}",
+      "format-alt": "{:%Y-%m-%d %H:%M:%S}",
+    },
+    "battery": {
+      "bat": "BAT0",
+      "adapter": "ADP1",
+      "interval": 5,
+      "full-at": 99,
+      "states": {
+        "good": 80,
+        "warning": 20,
+        "critical": 10,
+      },
+      "format": "{capacity}%--",
+      "format-charging": "{capacity}%++",
+      "format-plugged": "{capacity}%",
+      "format-alt": "{time} {power}W",
+    },
+    "pulseaudio": {
+      "format": "VOL {volume}%",
+      "format-muted": "muted",
+      "on-click": "pavucontrol",
+    },
+    "memory": {
+      "interval": 2,
+      "format": "RAM {percentage}%",
+      "format-alt": "RAM {used:0.1f}G/{total:0.1f}G",
+    },
+    "cpu": {
+      "interval": 2,
+      "format": "CPU {usage}%",
+      "format-alt": "CPU {avg_frequency}GHz",
+    },
+    "network": {
+      "interval": 5,
+      "format-wifi": "{ifname} {ipaddr} {essid}",
+      "format-ethernet": "{ifname} {ipaddr}",
+      "format-disconnected": "{ifname} disconnected",
+      "tooltip-format": "{ifname}: {ipaddr}/{cidr}",
+    },
+  },
+]

home/modules/waybar/default.nix

@@ -0,0 +1,8 @@
+{
+  programs.waybar = {
+    enable = true;
+  };
+
+  home.file.".config/waybar/config.jsonc".source = ./config.jsonc;
+  home.file.".config/waybar/style.css".source = ./style.css;
+}

home/modules/waybar/style.css

@@ -0,0 +1,56 @@
+* {
+  font-family:
+    Iosevka Term SS08,
+    monospace;
+  font-size: 12px;
+  border-radius: 0px;
+}
+
+.modules-left,
+.modules-center,
+.modules-right {
+  margin: 4px;
+  margin-bottom: 0;
+}
+
+window#waybar {
+  background-color: transparent;
+}
+
+window#waybar.hidden {
+  opacity: 0.2;
+}
+
+#workspaces button {
+  padding: 0;
+  background-color: transparent;
+}
+
+#workspaces button:hover {
+  background: #000000;
+}
+
+#workspaces button.focused,
+#workspaces button.active {
+  background-color: #111111;
+}
+
+#workspaces button.urgent {
+  background-color: #eb4d4b;
+}
+
+#clock,
+#battery,
+#pulseaudio,
+#memory,
+#cpu,
+#network {
+  padding: 0 4px;
+  color: #ffffff;
+  background-color: #111111;
+}
+
+#window,
+#workspaces {
+  margin: 0;
+}

hosts/andromache/default.nix

@@ -8,27 +8,28 @@
 
 let
   username = "h";
+  wolInterfaces = import ./wol-interfaces.nix;
 in
 {
   imports = [
-    ../../modules/common.nix
+    ../../modules/common
     inputs.disko.nixosModules.disko
     inputs.sops-nix.nixosModules.sops
     inputs.home-manager.nixosModules.default
     ./hard.nix
-    ../../modules/bootloader.nix
-    (import ../../modules/disko.zfs-encrypted-root.nix {
+    ../../modules/boot/bootloader.nix
+    (import ../../modules/disko/zfs-encrypted-root.nix {
       device = "/dev/nvme1n1";
       inherit lib;
       inherit config;
     })
-    ../../modules/gnome.nix
-    ../../modules/bluetooth.nix
+    ../../modules/desktops/niri
+    ../../modules/bluetooth
     ../../modules/keyboard
-    (import ../../modules/networking.nix { hostName = "andromache"; })
-    ../../modules/users.nix
-    ../../modules/audio.nix
-    ../../modules/localization.nix
+    (import ../../modules/networking { hostName = "andromache"; })
+    ../../modules/users
+    ../../modules/audio
+    ../../modules/localization
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
     (import ../../modules/secrets {
@@ -36,10 +37,11 @@ in
       inherit inputs;
       inherit config;
     })
-    ../../modules/docker.nix
+    ../../modules/docker
   ];
 
   secrets.username = username;
+  docker.user = username;
 
   disko.devices = {
     disk.data = {
@@ -87,10 +89,6 @@ in
     };
   };
 
-  networking = {
-    hostId = "80eef97e";
-  };
-
   services.xserver = {
     videoDrivers = [ "nvidia" ];
   };
@@ -103,16 +101,18 @@ in
   services.syncthing = {
     enable = true;
     openDefaultPorts = true;
+    settings = {
+      devices = {
+        # "device1" = {
+        #   id = "DEVICE-ID-GOES-HERE";
+        # };
+      };
       folders = {
         "/home/${username}/sync" = {
           id = "sync";
           devices = [ ];
         };
       };
-    devices = {
-      # "device1" = {
-      #   id = "DEVICE-ID-GOES-HERE";
-      # };
     };
   };
 
@@ -122,9 +122,11 @@ in
   };
 
   networking = {
+    hostId = "80eef97e";
     interfaces = {
       eno1 = {
         wakeOnLan.enable = true;
+        macAddress = wolInterfaces.eno1.macAddress;
       };
     };
     firewall = {

hosts/andromache/wol-interfaces.nix

@@ -0,0 +1,3 @@
+{
+  eno1.macAddress = "02:68:b3:29:da:98";
+}

hosts/astyanax/default.nix

@@ -9,28 +9,29 @@
 let
   username = "h";
   hostName = "astyanax";
+  wolInterfaces = import ../andromache/wol-interfaces.nix;
 in
 {
   imports = [
-    ../../modules/common.nix
+    ../../modules/common
     inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel
     inputs.disko.nixosModules.disko
     inputs.sops-nix.nixosModules.sops
     inputs.home-manager.nixosModules.default
     ./hard.nix
-    ../../modules/bootloader.nix
-    (import ../../modules/disko.zfs-encrypted-root.nix {
+    ../../modules/boot/bootloader.nix
+    (import ../../modules/disko/zfs-encrypted-root.nix {
       inherit lib;
       inherit config;
       device = "/dev/nvme0n1";
     })
-    ../../modules/gnome.nix
-    ../../modules/bluetooth.nix
+    ../../modules/desktops/niri
+    ../../modules/bluetooth
     ../../modules/keyboard
-    (import ../../modules/networking.nix { hostName = hostName; })
-    ../../modules/users.nix
-    ../../modules/audio.nix
-    ../../modules/localization.nix
+    (import ../../modules/networking { hostName = hostName; })
+    ../../modules/users
+    ../../modules/audio
+    ../../modules/localization
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
     (import ../../modules/secrets {
@@ -43,7 +44,16 @@ in
 
   secrets.username = username;
 
-  environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
+  environment.systemPackages = [
+    inputs.nvim.packages.x86_64-linux.nvim
+    (pkgs.writeShellApplication {
+      name = "wol-andromache";
+      runtimeInputs = [ pkgs.wakeonlan ];
+      text = ''
+        wakeonlan ${wolInterfaces.eno1.macAddress}
+      '';
+    })
+  ];
 
   home-manager = {
     useGlobalPkgs = true;

hosts/hecuba/default.nix

@@ -0,0 +1,55 @@
+{ pkgs, ... }:
+
+# Also see <https://wiki.nixos.org/wiki/Install_NixOS_on_Hetzner_Cloud>
+
+{
+  imports = [
+    ./hard.nix
+    ../../modules/common
+    ../../modules/ssh/hardened-openssh.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+    }
+  ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  users.users = {
+    root.hashedPassword = "!";
+    username = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOXPEhdKOVnb6mkeLLUcFGt+mnUR5pMie17JtjrxwgO h@andromache"
+      ];
+    };
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  networking = {
+    firewall.enable = true;
+  };
+
+  services.openssh = {
+    enable = true;
+    harden = true;
+  };
+}

hosts/hecuba/hard.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/vm/default.nix

@@ -11,19 +11,19 @@ let
 in
 {
   imports = [
-    ../../modules/common.nix
+    ../../modules/common
     inputs.disko.nixosModules.disko
     inputs.sops-nix.nixosModules.sops
     inputs.home-manager.nixosModules.default
     ./hard.nix
     ./disk.nix
-    ../../modules/bootloader.nix
+    ../../modules/boot/bootloader.nix
     ../../modules/keyboard
     (import ../../modules/networking.nix { hostName = "vm"; })
-    ../../modules/users.nix
-    ../../modules/audio.nix
-    ../../modules/localization.nix
-    ../../modules/x.nix
+    ../../modules/users
+    ../../modules/audio
+    ../../modules/localization
+    ../../modules/x
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
     (import ../../modules/secrets {

modules/audio/default.nix

@@ -9,4 +9,5 @@
     alsa.support32Bit = true;
     pulse.enable = true;
   };
+  services.pulseaudio.extraConfig = "load-module module-switch-on-connect";
 }

modules/bluetooth.nix

@@ -1,3 +0,0 @@
-{
-  hardware.bluetooth.enable = true;
-}

modules/bluetooth/default.nix

@@ -0,0 +1,15 @@
+{
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true;
+    settings = {
+      General = {
+        Experimental = true;
+        FastConnectable = true;
+      };
+      Policy = {
+        AutoEnable = true;
+      };
+    };
+  };
+}

modules/desktops/niri/default.nix

@@ -0,0 +1,8 @@
+{
+  programs.niri.enable = true;
+
+  services.dbus.enable = true;
+  xdg = {
+    portal.enable = true;
+  };
+}

modules/docker.nix

@@ -1,9 +0,0 @@
-{
-  virtualisation.docker = {
-    enable = false;
-    rootless = {
-      enable = true;
-      setSocketVariable = true;
-    };
-  };
-}

modules/docker/default.nix

@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.docker;
+in
+{
+  options.docker = {
+    rootless = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+    user = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+    };
+  };
+  config = lib.mkMerge [
+    {
+      warnings = lib.flatten [
+        (lib.optional (
+          cfg.rootless && cfg.user != null
+        ) "'virtualisation.docker.user' is ignored when rootless mode is enabled")
+        (lib.optional (
+          !cfg.rootless && cfg.user == null
+        ) "'virtualisation.docker.user' is not set (no user is added to the docker group)")
+      ];
+    }
+    (lib.mkIf cfg.rootless {
+      virtualisation.docker = {
+        enable = false;
+        rootless = {
+          enable = true;
+          setSocketVariable = true;
+        };
+      };
+    })
+    (lib.mkIf (!cfg.rootless && cfg.user != null) {
+      virtualisation.docker = {
+        enable = true;
+      };
+      users.users.${cfg.user}.extraGroups = [ "docker" ];
+    })
+  ];
+}

modules/k3s/default.nix

@@ -0,0 +1,79 @@
+{ pkgs, ... }:
+
+{
+  # TODO: see if this works with podman
+  # TODO: check if docker/podman is enabled
+
+  # Rootless K3S
+
+  # FIXME
+  environment.systemPackages = with pkgs; [
+    k3s
+    rootlesskit
+    slirp4netns
+  ];
+
+  # running K3S on rootless docker was causing the following error: "failed to find cpuset cgroup (v2)" (in `docker logs k3d-lab-server-0` output)
+  #
+  # see <https://docs.k3s.io/advanced#known-issues-with-rootless-mode>
+  # see <https://rootlesscontaine.rs/getting-started/common/cgroup2/>
+  # see <https://discourse.nixos.org/t/declarative-rootless-k3s/49839>
+  systemd.services."user@".serviceConfig.Delegate = "cpu cpuset io memory pids";
+
+  # taken from <https://github.com/k3s-io/k3s/blob/main/k3s-rootless.service> as described in <https://docs.k3s.io/advanced#known-issues-with-rootless-mode#Rootless>
+  systemd.user.services."k3s-rootless" = with pkgs; {
+    path = with pkgs; [
+      "${rootlesskit}"
+      "${slirp4netns}"
+      "${fuse-overlayfs}"
+      "${fuse3}"
+      "/run/wrappers"
+    ];
+    # systemd unit file for k3s (rootless)
+    #
+    # Usage:
+    # - [Optional] Enable cgroup v2 delegation, see https://rootlesscontaine.rs/getting-started/common/cgroup2/ .
+    #   This step is optional, but highly recommended for enabling CPU and memory resource limtitation.
+    #
+    # - Copy this file as `~/.config/systemd/user/k3s-rootless.service`.
+    #   Installing this file as a system-wide service (`/etc/systemd/...`) is not supported.
+    #   Depending on the path of `k3s` binary, you might need to modify the `ExecStart=/usr/local/bin/k3s ...` line of this file.
+    #
+    # - Run `systemctl --user daemon-reload`
+    #
+    # - Run `systemctl --user enable --now k3s-rootless`
+    #
+    # - Run `KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A`, and make sure the pods are running.
+    #
+    # Troubleshooting:
+    # - See `systemctl --user status k3s-rootless` to check the daemon status
+    # - See `journalctl --user -f -u k3s-rootless` to see the daemon log
+    # - See also https://rootlesscontaine.rs/
+    enable = true;
+    description = "k3s (Rootless)";
+    serviceConfig = {
+      # NOTE: Don't try to run `k3s server --rootless` on a terminal, as it doesn't enable cgroup v2 delegation.
+      # If you really need to try it on a terminal, prepend `systemd-run --user -p Delegate=yes --tty` to create a systemd scope.
+      ExecStart = "${k3s}/bin/k3s server --rootless --snapshotter=fuse-overlayfs";
+      ExecReload = "/run/current-system/sw/bin/kill -s HUP $MAINPID";
+      TimeoutSec = 0;
+      RestartSec = 2;
+      Restart = "always";
+      StartLimitBurst = 3;
+      StartLimitInterval = "60s";
+      LimitNOFILE = "infinity";
+      LimitNPROC = "infinity";
+      LimitCORE = "infinity";
+      TasksMax = "infinity";
+      Delegate = "yes";
+      Type = "simple";
+      KillMode = "mixed";
+    };
+
+    wantedBy = [ "default.target" ];
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+}

modules/ssh/hardened-openssh.nix

@@ -10,6 +10,7 @@ in
     services.openssh.settings = optionalAttrs cfg.harden {
       PermitRootLogin = "no";
       PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
       ChallengeResponseAuthentication = false;
       X11Forwarding = false;
       AllowAgentForwarding = false;