phase 3: new flake.nix + extract common-{nix,doas,shell-fish}; rewire imports

- New unified flake with two nixpkgs channels (unstable for desktops, 25.11 for muffin) - modules/common-{doas,shell-fish,nix}.nix extracted from duplicated blocks - modules/desktop-common.nix: renamed from system/common.nix; secret paths point to secrets/desktop/ - hosts/{mreow,yarn}/default.nix import desktop-common; yarn imports modules/no-rgb.nix - hosts/muffin/default.nix imports common-* + server-prefixed modules + services/; duplicate doas/fish/nix blocks removed; gc retention preserved as mkForce override - modules/age-secrets.nix: file paths → ../secrets/server/*.age - services/{minecraft,matrix/livekit}: secret paths → ../secrets/server/ - home/profiles/*.nix: ./progs/ → ../progs/ - hosts/{mreow,yarn}/home.nix: imports rewired to ../../home/profiles/ and ../../home/progs/ - home/progs/pi.nix and hosts/yarn/home.nix: secret reads → ../../secrets/home/ - tests/*.nix: ../modules/security.nix → ../modules/server-security.nix; ../modules/overlays.nix → ../lib/overlays.nix - lib/default.nix: takes explicit lib param (defaults to nixpkgs-stable.lib)
2026-04-18 00:58:55 -04:00
parent 05fd05deda
commit 1719d54ee0
28 changed files with 562 additions and 203 deletions
--- a/hosts/mreow/default.nix
+++ b/hosts/mreow/default.nix
@@ -8,8 +8,8 @@
 }:
 {
  imports = [
-    ./common.nix
-    ./disk_mreow.nix
+    ../../modules/desktop-common.nix
+    ./disk.nix

    inputs.nixos-hardware.nixosModules.framework-amd-ai-300-series
  ];
--- a/hosts/mreow/home.nix
+++ b/hosts/mreow/home.nix
@@ -6,12 +6,12 @@
 }:
 {
  imports = [
-    ./gui.nix
-    ./desktop.nix
-    ./progs/borg.nix
+    ../../home/profiles/gui.nix
+    ../../home/profiles/desktop.nix
+    ../../home/progs/borg.nix

    # effects headphones too
-    # ./progs/framework-13-easyeffects.nix
+    # ../../home/progs/framework-13-easyeffects.nix
  ];

  # media controls
--- a/hosts/muffin/default.nix
+++ b/hosts/muffin/default.nix
@@ -11,68 +11,74 @@
 }:
 {
  imports = [
-    ./modules/hardware.nix
-    ./modules/zfs.nix
-    ./modules/impermanence.nix
-    ./modules/usb-secrets.nix
-    ./modules/age-secrets.nix
-    ./modules/secureboot.nix
-    ./modules/no-rgb.nix
-    ./modules/security.nix
-    ./modules/ntfy-alerts.nix
-    ./modules/power.nix
+    # common across all hosts
+    ../../modules/common-doas.nix
+    ../../modules/common-shell-fish.nix
+    ../../modules/common-nix.nix

-    ./services/postgresql.nix
-    ./services/jellyfin
-    ./services/caddy
-    ./services/immich.nix
-    ./services/gitea.nix
-    ./services/gitea-actions-runner.nix
-    ./services/minecraft.nix
+    # muffin-only system modules
+    ./hardware.nix
+    ../../modules/zfs.nix
+    ../../modules/server-impermanence.nix
+    ../../modules/usb-secrets.nix
+    ../../modules/age-secrets.nix
+    ../../modules/server-lanzaboote-agenix.nix
+    ../../modules/no-rgb.nix
+    ../../modules/server-security.nix
+    ../../modules/ntfy-alerts.nix
+    ../../modules/server-power.nix

-    ./services/wg.nix
-    ./services/qbittorrent.nix
-    ./services/bitmagnet.nix
+    ../../services/postgresql.nix
+    ../../services/jellyfin
+    ../../services/caddy
+    ../../services/immich.nix
+    ../../services/gitea.nix
+    ../../services/gitea-actions-runner.nix
+    ../../services/minecraft.nix

-    ./services/arr/prowlarr.nix
-    ./services/arr/sonarr.nix
-    ./services/arr/radarr.nix
-    ./services/arr/bazarr.nix
-    ./services/arr/jellyseerr.nix
-    ./services/arr/recyclarr.nix
-    ./services/arr/arr-search.nix
-    ./services/arr/torrent-audit.nix
-    ./services/arr/init.nix
+    ../../services/wg.nix
+    ../../services/qbittorrent.nix
+    ../../services/bitmagnet.nix

-    ./services/soulseek.nix
+    ../../services/arr/prowlarr.nix
+    ../../services/arr/sonarr.nix
+    ../../services/arr/radarr.nix
+    ../../services/arr/bazarr.nix
+    ../../services/arr/jellyseerr.nix
+    ../../services/arr/recyclarr.nix
+    ../../services/arr/arr-search.nix
+    ../../services/arr/torrent-audit.nix
+    ../../services/arr/init.nix

-    # ./services/llama-cpp.nix
-    ./services/trilium.nix
+    ../../services/soulseek.nix

-    ./services/ups.nix
+    # ../../services/llama-cpp.nix
+    ../../services/trilium.nix

-    ./services/grafana
+    ../../services/ups.nix

-    ./services/bitwarden.nix
-    ./services/firefox-syncserver.nix
+    ../../services/grafana

-    ./services/matrix
+    ../../services/bitwarden.nix
+    ../../services/firefox-syncserver.nix

-    ./services/monero
+    ../../services/matrix

-    ./services/graphing-calculator.nix
+    ../../services/monero

-    ./services/ssh.nix
+    ../../services/graphing-calculator.nix

-    ./services/syncthing.nix
+    ../../services/ssh.nix

-    ./services/ntfy
+    ../../services/syncthing.nix

-    ./services/mollysocket.nix
+    ../../services/ntfy

-    ./services/harmonia.nix
+    ../../services/mollysocket.nix

-    ./services/ddns-updater.nix
+    ../../services/harmonia.nix
+
+    ../../services/ddns-updater.nix
  ];

  # Hosts entries for CI/CD deploy targets
@@ -110,17 +116,8 @@
    }
  ];

-  nix = {
-    # optimize the store
-    optimise.automatic = true;
-
-    # garbage collection
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 7d";
-    };
-  };
+  # muffin overrides default gc retention (30d in common-nix.nix)
+  nix.gc.options = lib.mkForce "--delete-older-than 7d";

  # Intel Arc A380 (DG2, 56a5) uses the i915 driver on kernel 6.12.
  # The xe driver's iHD media driver integration has buffer mapping
@@ -276,31 +273,8 @@
    hashedPasswordFile = config.age.secrets.hashedPass.path;
  };

-  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
-  programs.fish.enable = true;
-  programs.bash = {
-    interactiveShellInit = ''
-      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
-      then
-        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
-        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
-      fi
-    '';
-  };
-
-  security = {
-    #lets use doas and not sudo!
-    doas.enable = true;
-    sudo.enable = false;
-    # Configure doas
-    doas.extraRules = [
-      {
-        users = [ username ];
-        keepEnv = true;
-        persist = true;
-      }
-    ];
-  };
+  # programs.fish + bash→fish redirect and security.doas block are in
+  # modules/common-shell-fish.nix and modules/common-doas.nix.

  services.murmur = {
    enable = true;
--- a/hosts/yarn/default.nix
+++ b/hosts/yarn/default.nix
@@ -8,10 +8,10 @@
 }:
 {
  imports = [
-    ./disk_yarn.nix
-    ./common.nix
+    ../../modules/desktop-common.nix
+    ../../modules/no-rgb.nix
+    ./disk.nix
    ./impermanence.nix
-    ./no-rgb.nix
    ./vr.nix

    inputs.impermanence.nixosModules.impermanence
--- a/hosts/yarn/home.nix
+++ b/hosts/yarn/home.nix
@@ -7,8 +7,8 @@
 }:
 {
  imports = [
-    ./gui.nix
-    ./desktop.nix
+    ../../home/profiles/gui.nix
+    ../../home/profiles/desktop.nix
    inputs.json2steamshortcut.homeModules.default
  ];

@@ -31,7 +31,7 @@
  services.steam-shortcuts = {
    enable = true;
    overwriteExisting = true;
-    steamUserId = lib.strings.toInt (lib.strings.trim (builtins.readFile ./secrets/steam-user-id));
+    steamUserId = lib.strings.toInt (lib.strings.trim (builtins.readFile ../../secrets/home/steam-user-id));
    shortcuts = [
      {
        AppName = "Prism Launcher";