refactor: split base and system module

hosts/default.nix

@@ -41,6 +41,7 @@ with lib; let
               inputs.dankMaterialShell.nixosModules.dankMaterialShell
               inputs.niri.nixosModules.niri
               ../modules/base
+              ../modules/system
               ../modules/programs
               ../modules/desktop
               (mkSystemImports hostname)

modules/base/default.nix

@@ -2,22 +2,10 @@ _: {
   options.fireproof.base = {};
 
   imports = [
-    ./boot.nix
     ./defaults.nix
     ./gc.nix
     ./home-manager.nix
-    ./hosts.nix
-    ./keyd.nix
-    ./ld.nix
-    ./networking.nix
     ./nix.nix
     ./secrets.nix
-    ./security.nix
-    ./ssh.nix
-    ./time.nix
-    ./usb.nix
-    ./user.nix
-    ./yubikey.nix
-    ./tailscale.nix
   ];
 }

modules/base/nix.nix

@@ -1,5 +1,11 @@
-_: {
+{username, ...}: {
   nix.settings = {
+    trusted-users = [
+      "root"
+      "@wheel"
+      username
+    ];
+
     experimental-features = "nix-command flakes";
     substituters = [
       "https://hyprland.cachix.org"

modules/base/security.nix

@@ -1,9 +0,0 @@
-{username, ...}: {
-  security.sudo.wheelNeedsPassword = false;
-  nix.settings.trusted-users = [
-    "root"
-    "@wheel"
-    username
-  ];
-  services.gnome.gnome-keyring.enable = true;
-}

modules/system/default.nix

@@ -0,0 +1,18 @@
+_: {
+  options.fireproof.base = {};
+
+  imports = [
+    ./boot.nix
+    ./hosts.nix
+    ./keyd.nix
+    ./ld.nix
+    ./networking.nix
+    ./security.nix
+    ./ssh.nix
+    ./time.nix
+    ./usb.nix
+    ./user.nix
+    ./yubikey.nix
+    ./tailscale.nix
+  ];
+}

modules/system/security.nix

@@ -0,0 +1,4 @@
+_: {
+  security.sudo.wheelNeedsPassword = false;
+  services.gnome.gnome-keyring.enable = true;
+}

modules/system/ssh.nix

@@ -9,6 +9,7 @@
   # Load all public keys from ../../secrets/hosts/*/id_ed25519.pub
   allHosts = lib.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ../../secrets/hosts));
   publicKeys = map (x: builtins.readFile (../../secrets/hosts + ("/" + x) + "/id_ed25519.pub")) allHosts;
+  workEnabled = config.fireproof.work.enable;
 in {
   age.secrets.ssh-key = {
     rekeyFile = ../../secrets/hosts + ("/" + hostname) + /id_ed25519.age;
@@ -16,7 +17,7 @@ in {
     mode = "0600";
     owner = username;
   };
-  age.secrets.ssh-key-ao = {
+  age.secrets.ssh-key-ao = lib.mkIf workEnabled {
     rekeyFile = ../../secrets/ssh-key-ao.age;
     mode = "0600";
     owner = username;
@@ -37,6 +38,7 @@ in {
           hostname = "x.nickolaj.com";
           user = "nickolaj";
         };
+      } // lib.optionalAttrs workEnabled {
         # Work hostnames definded in ./networking.nix
         "bastion.ao" = {
           user = "nij";
@@ -84,7 +86,7 @@ in {
     settings.KbdInteractiveAuthentication = false;
   };
 
-  systemd.user.services."add-ssh-keys" = {
+  systemd.user.services."add-ssh-keys" = lib.mkIf workEnabled {
     description = "Add SSH keys to ssh-agent";
     after = ["network.target" "ssh-agent.service"];
     requires = ["ssh-agent.service"];