titaniumtown/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge common-*.nix files
Some checks failed
Build and Deploy / mreow (push) Successful in 1h37m19s
Details
Build and Deploy / muffin (push) Has been cancelled
Details
Build and Deploy / yarn (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Simon Gardling
2026-04-22 17:53:27 -04:00
parent 3317ac7997
commit c3cc94a305
7 changed files with 78 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
AGENTS.md
View File

@@ -21,7 +21,7 @@ flake.nix # 3 hosts, 2 channels
deploy.sh # wrapper: current-host rebuild or `muffin` deploy-rs
hosts/<host>/ # host entrypoints (default.nix, home.nix, disk.nix, …)
modules/ # flat namespace; see module naming below
common-*.nix # imported by ALL hosts (nix settings, doas, fish shim)
common.nix # imported by ALL hosts (nix settings, doas, fish shim)
desktop-*.nix # imported by mreow/yarn only
server-*.nix # imported by muffin only
<bare>.nix # scoped by filename (age-secrets, zfs, no-rgb, …)

21
hosts/muffin/default.nix
View File

@@ -11,10 +11,7 @@
}:
{
imports = [
# common across all hosts
../../modules/common-doas.nix
../../modules/common-shell-fish.nix
../../modules/common-nix.nix
../../modules/common.nix
# muffin-only system modules
./hardware.nix
@@ -95,8 +92,6 @@
services.deployGuard.enable = true;
services.kmscon.enable = true;
# Disable serial getty on ttyS0 to prevent dmesg warnings
systemd.services."serial-getty@ttyS0".enable = false;
@@ -154,10 +149,6 @@
};
};
environment.etc = {
"issue".text = "";
};
# Set your time zone.
time.timeZone = "America/New_York";
@@ -170,19 +161,12 @@
];
};
#fwupd for updating firmware
services.fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
environment.systemPackages = with pkgs; [
helix
lm_sensors
bottom
htop
doas-sudo-shim
neofetch
borgbackup
@@ -275,9 +259,6 @@
hashedPasswordFile = config.age.secrets.hashedPass.path;
};
# programs.fish + bash→fish redirect and security.doas block are in
# modules/common-shell-fish.nix and modules/common-doas.nix.
services.murmur = {
enable = true;
openFirewall = true;

15
modules/common-doas.nix
View File

@@ -1,15 +0,0 @@
{ username, ... }:
{
# doas replaces sudo on every host
security = {
doas.enable = true;
sudo.enable = false;
doas.extraRules = [
{
users = [ username ];
keepEnv = true;
persist = true;
}
];
};
}

22
modules/common-nix.nix
View File

@@ -1,22 +0,0 @@
{ lib, ... }:
{
# Common Nix daemon settings. Host-specific overrides (binary cache substituters,
# gc retention) live in the host's default.nix.
nix = {
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
# Default retention: override per-host via lib.mkForce if different.
options = lib.mkDefault "--delete-older-than 30d";
};
settings = {
experimental-features = [
"nix-command"
"flakes"
];
};
};
}

16
modules/common-shell-fish.nix
View File

@@ -1,16 +0,0 @@
{ pkgs, lib, ... }:
{
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
# Login shells stay bash but immediately `exec fish` so fish is the effective shell
# without breaking scripts that hardcode #!/bin/bash.
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
then
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
fi
'';
};
}

75
modules/common.nix Normal file
View File

@@ -0,0 +1,75 @@
{
config,
lib,
pkgs,
username,
...
}:
{
# Common Nix daemon settings. Host-specific overrides (binary cache substituters,
# gc retention) live in the host's default.nix.
nix = {
optimise.automatic = true;
gc = {
automatic = true;
dates = "weekly";
# Default retention: override per-host via lib.mkForce if different.
options = lib.mkDefault "--delete-older-than 30d";
};
settings = {
experimental-features = [
"nix-command"
"flakes"
];
};
};
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
# Login shells stay bash but immediately `exec fish` so fish is the effective shell
# without breaking scripts that hardcode #!/bin/bash.
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
then
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
fi
'';
};
# doas replaces sudo on every host
security = {
doas.enable = true;
sudo.enable = false;
doas.extraRules = [
{
users = [ username ];
keepEnv = true;
persist = true;
}
];
};
services.kmscon.enable = true;
environment.systemPackages = with pkgs; [
doas-sudo-shim
];
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
environment.etc = {
# override default nixos /etc/issue
"issue".text = "";
};
# for updating firmware
services.fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
}

25
modules/desktop-common.nix
View File

@@ -10,10 +10,7 @@
}:
{
imports = [
# shared across all hosts
./common-doas.nix
./common-shell-fish.nix
./common-nix.nix
./common.nix
# desktop-only modules
./desktop-vm.nix
@@ -31,11 +28,6 @@
# allow overclocking (I actually underclock but lol)
hardware.amdgpu.overdrive.ppfeaturemask = "0xFFFFFFFF";
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
services.kmscon.enable = true;
# Add niri to display manager session packages
services.displayManager.sessionPackages = [ niri-package ];
@@ -350,23 +342,10 @@
# 1gb huge pages
"hugepagesz=1G"
"hugepages=3"
];
};
environment.etc = {
# override default nixos /etc/issue
"issue".text = "";
};
services = {
# fwupd for updating firmware
fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
# auto detect network printers
avahi = {
enable = true;
@@ -466,8 +445,6 @@
dmidecode
doas-sudo-shim
glib
usbutils
libmtp