phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports

- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin) - modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks - modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/ - hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix - hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override - modules/age-secrets.nix: file paths → ../secrets/server/*.age - services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/ - home/profiles/*.nix: ./progs/ → ../progs/ - hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/ - home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/ - tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix - lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
2026-04-18 00:58:55 -04:00
parent 05fd05deda
commit 1719d54ee0
28 changed files with 562 additions and 203 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,370 @@
+{
+  description = "Unified NixOS flake for mreow (laptop), yarn (desktop), muffin (server)";
+
+  inputs = {
+    # Two channels: unstable for desktops, 25.11 for server.
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
+
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    home-manager-stable = {
+      url = "github:nix-community/home-manager/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+
+    # Shared across all hosts
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.rust-overlay.follows = "rust-overlay";
+    };
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    impermanence = {
+      url = "github:nix-community/impermanence";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+
+    # Desktop (mreow + yarn)
+    rust-overlay = {
+      url = "github:oxalica/rust-overlay";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    zen-browser = {
+      url = "github:0xc000022070/zen-browser-flake";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+    firefox-addons = {
+      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    niri = {
+      url = "github:sodiboo/niri-flake";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs-stable.follows = "nixpkgs";
+    };
+    emacs-overlay = {
+      url = "github:nix-community/emacs-overlay";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs-stable.follows = "nixpkgs";
+    };
+    nix-flatpak.url = "github:gmodena/nix-flatpak/";
+    nix-doom-emacs-unstraightened = {
+      url = "github:marienz/nix-doom-emacs-unstraightened";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.emacs-overlay.follows = "emacs-overlay";
+    };
+    jovian-nixos = {
+      url = "github:Jovian-Experiments/Jovian-NixOS";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    noctalia = {
+      url = "github:noctalia-dev/noctalia-shell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    nix-cachyos-kernel = {
+      url = "github:xddxdd/nix-cachyos-kernel/release";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    llm-agents = {
+      url = "github:numtide/llm-agents.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    json2steamshortcut = {
+      url = "github:ChrisOboe/json2steamshortcut";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    # Server (muffin) — follows nixpkgs-stable
+    nix-minecraft = {
+      url = "github:Infinidoge/nix-minecraft";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+    vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
+    llamacpp = {
+      url = "github:TheTom/llama-cpp-turboquant/feature/turboquant-kv-cache";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+    srvos = {
+      url = "github:nix-community/srvos";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+    deploy-rs = {
+      url = "github:serokell/deploy-rs";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+      inputs.home-manager.follows = "home-manager-stable";
+      inputs.darwin.follows = "";
+    };
+    senior_project-website = {
+      url = "github:Titaniumtown/senior-project-website";
+      flake = false;
+    };
+    website = {
+      url = "git+https://git.sigkill.computer/titaniumtown/website";
+      flake = false;
+    };
+    trackerlist = {
+      url = "github:ngosang/trackerslist";
+      flake = false;
+    };
+    ytbn-graphing-software = {
+      url = "git+https://git.sigkill.computer/titaniumtown/YTBN-Graphing-Software";
+    };
+    arr-init = {
+      url = "git+ssh://gitea@git.gardling.com/titaniumtown/arr-init";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+    nixpkgs-p2pool-module = {
+      url = "github:JacoMalan1/nixpkgs/create-p2pool-service";
+      flake = false;
+    };
+    qbittorrent-metrics-exporter = {
+      url = "git+https://codeberg.org/anriha/qbittorrent-metrics-exporter";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+  };
+
+  outputs =
+    inputs@{
+      self,
+      nixpkgs,
+      nixpkgs-stable,
+      home-manager,
+      home-manager-stable,
+      lanzaboote,
+      nixos-hardware,
+      disko,
+      impermanence,
+      nix-minecraft,
+      vpn-confinement,
+      srvos,
+      deploy-rs,
+      agenix,
+      arr-init,
+      nixpkgs-p2pool-module,
+      jovian-nixos,
+      ...
+    }:
+    let
+      username = "primary";
+      system = "x86_64-linux";
+
+      niriPackage = inputs.niri.packages.${system}.niri-unstable;
+
+      # --- Server (muffin) plumbing ---
+      bootstrapPkgs = import nixpkgs-stable { inherit system; };
+      patchedStableSrc = bootstrapPkgs.applyPatches {
+        name = "nixpkgs-stable-patched";
+        src = nixpkgs-stable;
+        patches = [
+          ./patches/nixpkgs/0001-firefox-syncserver-add-postgresql-backend-support.patch
+        ];
+      };
+      serverPkgs = import patchedStableSrc {
+        inherit system;
+        targetPlatform = system;
+        buildPlatform = builtins.currentSystem;
+      };
+      serviceConfigs = import ./hosts/muffin/service-configs.nix;
+      serverLib = import ./lib {
+        inherit inputs;
+        lib = nixpkgs-stable.lib;
+        pkgs = serverPkgs;
+        service_configs = serviceConfigs;
+      };
+      testSuite = import ./tests/tests.nix {
+        pkgs = serverPkgs;
+        lib = serverLib;
+        inherit inputs;
+        config = self.nixosConfigurations.muffin.config;
+      };
+
+      # --- Host builders ---
+
+      # Desktop: unstable + home-manager-unstable + niri-unstable
+      mkDesktopHost =
+        hostname:
+        nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit inputs username hostname;
+            niri-package = niriPackage;
+          };
+          modules = [
+            home-manager.nixosModules.home-manager
+            (
+              { config, ... }:
+              {
+                home-manager.useUserPackages = true;
+                home-manager.sharedModules = [
+                  inputs.zen-browser.homeModules.twilight
+                ];
+                home-manager.extraSpecialArgs = {
+                  inherit
+                    inputs
+                    hostname
+                    username
+                    ;
+                  niri-package = niriPackage;
+                  homeDirectory = "/home/${username}";
+                  stateVersion = config.system.stateVersion;
+                };
+                home-manager.users.${username} = import ./hosts/${hostname}/home.nix;
+              }
+            )
+            ./hosts/${hostname}/default.nix
+          ];
+        };
+
+      # Server: stable + home-manager-stable + srvos + agenix + patched pkgs
+      muffinHost = serverLib.nixosSystem {
+        inherit system;
+        specialArgs = {
+          inherit
+            username
+            inputs
+            ;
+          hostname = "muffin";
+          eth_interface = "enp4s0";
+          service_configs = serviceConfigs;
+          lib = serverLib;
+        };
+        modules = [
+          # SAFETY! port sanity checks
+          (
+            { config, lib, ... }:
+            let
+              publicPorts = lib.attrValues serviceConfigs.ports.public;
+              privatePorts = lib.attrValues serviceConfigs.ports.private;
+              allPortNumbers = map (p: p.port) (publicPorts ++ privatePorts);
+              uniquePortNumbers = lib.unique allPortNumbers;
+
+              publicTcp = map (p: p.port) (lib.filter (p: p.proto == "tcp" || p.proto == "both") publicPorts);
+              publicUdp = map (p: p.port) (lib.filter (p: p.proto == "udp" || p.proto == "both") publicPorts);
+              privatePortNumbers = map (p: p.port) privatePorts;
+
+              fwTcp = config.networking.firewall.allowedTCPPorts;
+              fwUdp = config.networking.firewall.allowedUDPPorts;
+
+              missingTcp = lib.filter (p: !(builtins.elem p fwTcp)) publicTcp;
+              missingUdp = lib.filter (p: !(builtins.elem p fwUdp)) publicUdp;
+              leakedTcp = lib.filter (p: builtins.elem p fwTcp) privatePortNumbers;
+              leakedUdp = lib.filter (p: builtins.elem p fwUdp) privatePortNumbers;
+            in
+            {
+              config.assertions = [
+                {
+                  assertion = (lib.length allPortNumbers) == (lib.length uniquePortNumbers);
+                  message = "Duplicate port numbers detected in ports.public / ports.private";
+                }
+                {
+                  assertion = missingTcp == [ ];
+                  message = "Public ports missing from allowedTCPPorts: ${builtins.toString missingTcp}";
+                }
+                {
+                  assertion = missingUdp == [ ];
+                  message = "Public ports missing from allowedUDPPorts: ${builtins.toString missingUdp}";
+                }
+                {
+                  assertion = leakedTcp == [ ] && leakedUdp == [ ];
+                  message = "Private ports leaked into firewall allow-lists — TCP: ${builtins.toString leakedTcp}, UDP: ${builtins.toString leakedUdp}";
+                }
+              ];
+            }
+          )
+
+          srvos.nixosModules.server
+          srvos.nixosModules.mixins-terminfo
+
+          ./hosts/muffin/disk.nix
+          ./hosts/muffin/default.nix
+
+          # Firefox-syncserver: swap upstream module + package for patched versions.
+          {
+            disabledModules = [ "services/networking/firefox-syncserver.nix" ];
+            imports = [
+              "${patchedStableSrc}/nixos/modules/services/networking/firefox-syncserver.nix"
+            ];
+            nixpkgs.overlays = [
+              nix-minecraft.overlay
+              (import ./lib/overlays.nix)
+              (_final: prev: {
+                syncstorage-rs =
+                  prev.callPackage "${patchedStableSrc}/pkgs/by-name/sy/syncstorage-rs/package.nix"
+                    { };
+              })
+            ];
+            nixpkgs.config.allowUnfreePredicate =
+              pkg:
+              builtins.elem (nixpkgs-stable.lib.getName pkg) [
+                "minecraft-server"
+              ];
+          }
+
+          lanzaboote.nixosModules.lanzaboote
+          arr-init.nixosModules.default
+          (import "${nixpkgs-p2pool-module}/nixos/modules/services/networking/p2pool.nix")
+
+          home-manager-stable.nixosModules.home-manager
+          (
+            { ... }:
+            {
+              home-manager.users.${username} = import ./hosts/muffin/home.nix;
+            }
+          )
+        ]
+        ++ (with nixos-hardware.nixosModules; [
+          common-cpu-amd-pstate
+          common-cpu-amd-zenpower
+          common-pc-ssd
+          common-gpu-intel
+        ]);
+      };
+    in
+    {
+      formatter.${system} = nixpkgs.legacyPackages.${system}.nixfmt-tree;
+
+      nixosConfigurations = {
+        mreow = mkDesktopHost "mreow";
+        yarn = mkDesktopHost "yarn";
+        muffin = muffinHost;
+      };
+
+      deploy.nodes.muffin = {
+        hostname = "server-public";
+        profiles.system = {
+          sshUser = "root";
+          user = "root";
+          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.muffin;
+        };
+      };
+
+      checks.${system} = testSuite;
+
+      packages.${system} = {
+        tests = serverPkgs.linkFarm "all-tests" (
+          serverPkgs.lib.mapAttrsToList (name: test: {
+            name = name;
+            path = test;
+          }) testSuite
+        );
+      }
+      // (serverPkgs.lib.mapAttrs' (name: test: {
+        name = "test-${name}";
+        value = test;
+      }) testSuite);
+
+      lib = serverLib;
+    };
+}