refactor: split base and system module

modules/system/boot.nix

@@ -0,0 +1,4 @@
+{lib, ...}: {
+  boot.loader.systemd-boot.enable = lib.mkDefault true;
+  boot.loader.efi.canTouchEfiVariables = true;
+}

modules/system/default.nix

@@ -0,0 +1,18 @@
+_: {
+  options.fireproof.base = {};
+
+  imports = [
+    ./boot.nix
+    ./hosts.nix
+    ./keyd.nix
+    ./ld.nix
+    ./networking.nix
+    ./security.nix
+    ./ssh.nix
+    ./time.nix
+    ./usb.nix
+    ./user.nix
+    ./yubikey.nix
+    ./tailscale.nix
+  ];
+}

modules/system/hosts.nix

@@ -0,0 +1,14 @@
+{config, ...}: {
+  age.secrets.hosts-private = {
+    # Contains IP addresses that i have no business sharing
+    rekeyFile = ../../secrets/hosts-private.age;
+  };
+
+  # Inject the private hosts file, because setting networking.hostFiles doesn't work
+  system.activationScripts.hosts-private = ''
+    cat /etc/hosts > /etc/hosts.bak
+    rm /etc/hosts
+    cat /etc/hosts.bak "${config.age.secrets.hosts-private.path}" >> /etc/hosts
+    rm /etc/hosts.bak
+  '';
+}

modules/system/keyd.nix

@@ -0,0 +1,17 @@
+_: {
+  services.keyd = {
+    enable = true;
+    keyboards.mouse = {
+      ids = [
+        "046d:c051:4ae65a29" # Work mouse
+        "046d:407f:ee6ee407" # Home mouse
+      ];
+      settings = {
+        main = {
+          # Bind mouse-back to meta if held
+          mouse1 = "overload(meta, mouse1)";
+        };
+      };
+    };
+  };
+}

modules/system/ld.nix

@@ -0,0 +1,3 @@
+_: {
+  programs.nix-ld.enable = true;
+}

modules/system/networking.nix

@@ -0,0 +1,5 @@
+{hostname, ...}: {
+  networking = {
+    hostName = hostname;
+  };
+}

modules/system/security.nix

@@ -0,0 +1,4 @@
+_: {
+  security.sudo.wheelNeedsPassword = false;
+  services.gnome.gnome-keyring.enable = true;
+}

modules/system/ssh.nix

@@ -0,0 +1,106 @@
+{
+  config,
+  pkgs,
+  username,
+  hostname,
+  lib,
+  ...
+}: let
+  # Load all public keys from ../../secrets/hosts/*/id_ed25519.pub
+  allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));
+  publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
+  workEnabled = config.fireproof.work.enable;
+in {
+  age.secrets.ssh-key = {
+    rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
+    path = "/home/" + username + "/.ssh/id_ed25519";
+    mode = "0600";
+    owner = username;
+  };
+  age.secrets.ssh-key-ao = lib.mkIf workEnabled {
+    rekeyFile = ../../secrets/ssh-key-ao.age;
+    mode = "0600";
+    owner = username;
+  };
+
+  fireproof.home-manager = {
+    home.file.".ssh/id_ed25519.pub".source = ../../secrets/hosts + ("/" + hostname) + "/id_ed25519.pub";
+    programs.ssh = {
+      enable = true;
+      forwardAgent = true;
+      serverAliveInterval = 60;
+      serverAliveCountMax = 10;
+      matchBlocks = {
+        "*" = {
+          identityFile = "${config.age.secrets.ssh-key.path}";
+        };
+        homelab = {
+          hostname = "x.nickolaj.com";
+          user = "nickolaj";
+        };
+      } // lib.optionalAttrs workEnabled {
+        # Work hostnames definded in ./networking.nix
+        "bastion.ao" = {
+          user = "nij";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "clickhouse.ao" = {
+          user = "ubuntu";
+          hostname = "51.158.205.48";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "flex.ao" = {
+          user = "nij";
+          hostname = "192.168.2.5";
+          proxyJump = "bastion.ao";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "scw.ao" = {
+          user = "nij";
+          hostname = "51.15.81.1";
+          proxyJump = lib.mkDefault "dev.ao";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "dev.ao" = {
+          user = "nij";
+          hostname = "192.168.2.28";
+          proxyJump = lib.mkDefault "bastion.ao";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+        "staging.ao" = {
+          user = "staging";
+          hostname = "172.16.2.102";
+          proxyJump = lib.mkDefault "bastion.ao";
+          identityFile = "${config.age.secrets.ssh-key-ao.path}";
+        };
+      };
+    };
+  };
+
+  programs.ssh.startAgent = true;
+  services.gnome.gcr-ssh-agent.enable = false;
+
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+  };
+
+  systemd.user.services."add-ssh-keys" = lib.mkIf workEnabled {
+    description = "Add SSH keys to ssh-agent";
+    after = ["network.target" "ssh-agent.service"];
+    requires = ["ssh-agent.service"];
+    wantedBy = ["default.target"];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStartPre = ''
+        ${pkgs.coreutils}/bin/sleep 5
+      '';
+      ExecStart = ''
+        ${pkgs.openssh}/bin/ssh-add -q ${config.age.secrets.ssh-key-ao.path}
+      '';
+    };
+  };
+
+  users.users.${username}.openssh.authorizedKeys.keys = publicKeys;
+}

modules/system/tailscale.nix

@@ -0,0 +1,3 @@
+_: {
+  services.tailscale.enable = true;
+}

modules/system/time.nix

@@ -0,0 +1,3 @@
+_: {
+  time.timeZone = "Europe/Copenhagen";
+}

modules/system/usb.nix

@@ -0,0 +1,4 @@
+_: {
+  services.devmon.enable = true;
+  services.udisks2.enable = true;
+}

modules/system/user.nix

@@ -0,0 +1,17 @@
+{
+  username,
+  config,
+  ...
+}: let
+  inherit (config.age) secrets;
+in {
+  config = {
+    age.secrets.hashed-user-password.rekeyFile = ../../secrets/hashed-user-password.age;
+
+    users.users.${username} = {
+      isNormalUser = true;
+      extraGroups = ["wheel"];
+      hashedPasswordFile = secrets.hashed-user-password.path;
+    };
+  };
+}

modules/system/yubikey.nix

@@ -0,0 +1,3 @@
+_: {
+  services.pcscd.enable = true;
+}