| author | Franck Cuny <franck@fcuny.net> | 2025-07-21 07:31:45 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-07-21 08:13:11 -0700 |
| commit | 23f8df7396d35744069a4bda0d1d38a55ff64b79 (patch) | |
| tree | 772b5e72355e9ee5b3ae31aef37fe1d4508e8f30 /nix/machines | |
| parent | add docker helpers and clean up some dependencies (diff) | |
| download | infra-23f8df7396d35744069a4bda0d1d38a55ff64b79.tar.gz | |
refactoring to use flake-parts and automatic imports of hosts
This is the first step in a large refactoring to use flake-parts, and to
automatically import hosts based on their paths.
Diffstat (limited to 'nix/machines')
| -rw-r--r-- | nix/machines/common/network.nix | 41 | ||||
| -rw-r--r-- | nix/machines/darwin-shared.nix | 111 | ||||
| -rw-r--r-- | nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix | 96 | ||||
| -rw-r--r-- | nix/machines/darwin/aarch64-darwin/mba-m2.nix | 98 | ||||
| -rw-r--r-- | nix/machines/hq-kwny2vh41p/default.nix | 6 | ||||
| -rw-r--r-- | nix/machines/mba-m2/default.nix | 11 | ||||
| -rw-r--r-- | nix/machines/nixos/x86_64-linux/vm-synology.nix (renamed from nix/machines/vm-synology/default.nix) | 49 | ||||
| -rw-r--r-- | nix/machines/vm-synology/backups.nix | 73 | ||||
| -rw-r--r-- | nix/machines/vm-synology/disk.nix | 55 | ||||
| -rw-r--r-- | nix/machines/vm-synology/git.nix | 25 | ||||
| -rw-r--r-- | nix/machines/vm-synology/hardware.nix | 32 | ||||
| -rw-r--r-- | nix/machines/vm-synology/ingress.nix | 16 | ||||
| -rw-r--r-- | nix/machines/vm-synology/nginx.nix | 10 |
13 files changed, 206 insertions, 417 deletions
diff --git a/nix/machines/common/network.nix b/nix/machines/common/network.nix
deleted file mode 100644
index fb31099..0000000
--- a/nix/machines/common/network.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}:
-{
- networking.firewall.allowPing = true;
-
- # Default to systemd-networkd usage.
- networking.useNetworkd = lib.mkDefault true;
- systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
-
- # Use systemd-resolved for DoT support.
- services.resolved = {
- enable = true;
- dnssec = "false";
- extraConfig = ''
- DNSOverTLS=yes
- '';
- };
-
- # Used by systemd-resolved, not directly by resolv.conf.
- networking.nameservers = [
- "8.8.8.8#dns.google"
- "1.0.0.1#cloudflare-dns.com"
- ];
-
- networking.firewall.logRefusedConnections = false;
-
- boot.kernel.sysctl = {
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_tw_reuse" = 1;
- };
-
- environment.systemPackages = with pkgs; [
- mtr
- tcpdump
- traceroute
- ];
-}
diff --git a/nix/machines/darwin-shared.nix b/nix/machines/darwin-shared.nix
deleted file mode 100644
index 978b43a..0000000
--- a/nix/machines/darwin-shared.nix
+++ /dev/null
@@ -1,111 +0,0 @@ -{ pkgs, ... }: -{ - nix = { - extraOptions = '' - tarball-ttl = 900 - ''; - gc = { - automatic = true; - interval = { - Weekday = 0; - Hour = 0; - Minute = 0; - }; - options = "--delete-older-than 30d"; - }; - package = pkgs.nixVersions.stable; - settings = { - substituters = [ - "https://cache.nixos.org" - "https://nix-community.cachix.org" - ]; - trusted-public-keys = [ - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - trusted-users = [ - "@admin" - "fcuny" - ]; - experimental-features = [ - "nix-command" - "flakes" - ]; - }; - }; - - system.primaryUser = "fcuny"; - - system.defaults = { - dock = { - autohide = true; - dashboard-in-overlay = false; - launchanim = false; # Don't animate opening applications. - mru-spaces = false; # don’t rearrange spaces based on the most recent use - orientation = "left"; - show-recents = false; - showhidden = false; - tilesize = 60; # Default is 64. - wvous-br-corner = 1; # Disable Notes hot corner. - }; - finder.AppleShowAllExtensions = true; - - CustomUserPreferences = { - "com.apple.desktopservices" = { - # Avoid creating .DS_Store files on network or USB volumes - DSDontWriteNetworkStores = true; - DSDontWriteUSBStores = true; - }; - }; - - # Requires the directory to already exist. - # See system.activationScripts.postUserActivation - screencapture.location = "~/Documents/screenshots"; - SoftwareUpdate.AutomaticallyInstallMacOSUpdates = true; - }; - - # TODO: - The `system.activationScripts.postUserActivation` option has - # been removed, as all activation now takes place as `root`. Please - # restructure your custom activation scripts appropriately, - # potentially using `sudo` if you need to run commands as a user. 
- # system.activationScripts.postUserActivation.text = '' - # mkdir -p ~/Documents/screenshots - # ''; - - fonts.packages = with pkgs; [ - source-code-pro - ]; - - system.keyboard = { - enableKeyMapping = true; - remapCapsLockToControl = true; - }; - - # Touch ID for sudo auth - security.pam.services.sudo_local.touchIdAuth = true; - - environment.shells = [ pkgs.fish ]; - - programs.fish.enable = true; - programs.fish.shellInit = '' - # Nix - if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish' - source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish' - end - # End Nix - ''; - - ## this sets the PATH for GUI apps - ## needs a restart - launchd.user.agents = { - user-paths = { - command = "/bin/launchctl config user path '/opt/homebrew/bin:/Users/fcuny/.nix-profile/bin:/etc/profiles/per-user/fcuny/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin'"; - serviceConfig.RunAtLoad = true; - }; - }; - - programs.ssh.knownHosts = { - "github.com".publicKey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; - }; -} diff --git a/nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix b/nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix new file mode 100644 index 0000000..c44ccaf --- /dev/null +++ b/nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix 
@@ -0,0 +1,96 @@
+{
+ adminUser,
+ pkgs,
+ self,
+ ...
+}:
+{
+
+ imports = [
+ "${self}/nix/profiles/home-manager.nix"
+ "${self}/nix/profiles/darwin.nix"
+ ];
+
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ options = "--delete-older-than 30d";
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ substituters = [
+ "https://cache.nixos.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ system.primaryUser = adminUser.name;
+
+ # https://github.com/nix-darwin/nix-darwin/issues/1339
+ ids.gids.nixbld = 30000;
+
+ networking.hostName = "mba-m2";
+
+ fonts.packages = with pkgs; [
+ source-code-pro
+ ];
+
+ # The user should already exist, but we need to set this up so Nix knows
+ # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
+ users = {
+ users.${adminUser.name} = {
+ home = "/Users/${adminUser.name}";
+ shell = pkgs.fish;
+ };
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ programs.ssh.knownHosts = {
+ "github.com".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ };
+
+ home-manager.users.${adminUser.name} = {
+ home.stateVersion = "23.05";
+ home.username = "${adminUser.name}";
+ home.homeDirectory = "/Users/${adminUser.name}";
+ home.packages = with pkgs; [ grpcurl ];
+ imports = [
+ ../../../users/profiles/mac.nix
+ ../../../users/profiles/work.nix
+ ];
+ inherit (adminUser) userinfo;
+ programs.git.userEmail = "fcuny@roblox.com";
+ };
+}
diff --git a/nix/machines/darwin/aarch64-darwin/mba-m2.nix b/nix/machines/darwin/aarch64-darwin/mba-m2.nix
new file mode 100644
index 0000000..59fd21b
--- /dev/null
+++ b/nix/machines/darwin/aarch64-darwin/mba-m2.nix
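Review bot: `networking.hostName = "mba-m2";` in hq-kwny2vh41p.nix looks like a copy-paste from the mba-m2 host file, so switching to this configuration would rename the work machine to `mba-m2`; it should read `networking.hostName = "hq-kwny2vh41p";` (or be derived from the file name that the new path-based host import uses). `trusted-users` also lists the literal `"fcuny"` next to `"@admin"` while the rest of the file uses `adminUser.name`; since trusted-users membership is root-equivalent for the nix-daemon, keeping it to `trusted-users = [ adminUser.name ];` is both consistent and narrower than a whole group plus a hard-coded name. The deleted `hq-kwny2vh41p/default.nix` set `system.stateVersion = 5`, which this file does not restore; if `${self}/nix/profiles/darwin.nix` (not in this diff) does not set it, it should be added back here.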
@@ -0,0 +1,98 @@
+{
+ adminUser,
+ pkgs,
+ self,
+ ...
+}:
+{
+ imports = [
+ "${self}/nix/profiles/home-manager.nix"
+ "${self}/nix/profiles/darwin.nix"
+ ];
+
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ options = "--delete-older-than 30d";
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ substituters = [
+ "https://cache.nixos.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ system.primaryUser = adminUser.name;
+
+ # https://github.com/nix-darwin/nix-darwin/issues/1339
+ ids.gids.nixbld = 30000;
+
+ networking.hostName = "mba-m2";
+
+ fonts.packages = with pkgs; [
+ source-code-pro
+ ];
+
+ # The user should already exist, but we need to set this up so Nix knows
+ # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
+ users = {
+ users.${adminUser.name} = {
+ home = "/Users/${adminUser.name}";
+ shell = pkgs.fish;
+ };
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ programs.ssh.knownHosts = {
+ "github.com".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ };
+
+ home-manager.users.${adminUser.name} = {
+ home.stateVersion = "23.05";
+ home.username = "${adminUser.name}";
+ home.homeDirectory = "/Users/${adminUser.name}";
+ home.packages = with pkgs; [
+ element-desktop
+ vlc-bin
+ zoom-us
+ ];
+ imports = [
+ ../../../users/profiles/mac.nix
+ ../../../users/profiles/media.nix
+ ];
+ inherit (adminUser) userinfo;
+ };
+}
diff --git a/nix/machines/hq-kwny2vh41p/default.nix b/nix/machines/hq-kwny2vh41p/default.nix
deleted file mode 100644
index 1ae15f2..0000000
--- a/nix/machines/hq-kwny2vh41p/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- imports = [ ../darwin-shared.nix ];
-
- system.stateVersion = 5;
-}
diff --git a/nix/machines/mba-m2/default.nix b/nix/machines/mba-m2/default.nix
deleted file mode 100644
index 565360c..0000000
--- a/nix/machines/mba-m2/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-{
- imports = [ ../darwin-shared.nix ];
-
- # https://github.com/nix-darwin/nix-darwin/issues/1339
- ids.gids.nixbld = 30000;
-
- system.stateVersion = 5;
-
- networking.hostName = "mba-m2";
-}
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/nixos/x86_64-linux/vm-synology.nix
index ec508d8..02030fc 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/nixos/x86_64-linux/vm-synology.nix
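Review bot: This host file repeats the whole `nix`, `fonts`, `users`, fish and `programs.ssh.knownHosts` block of hq-kwny2vh41p.nix verbatim; only `home.packages` and the home-manager imports differ, so the shared part belongs in the `${self}/nix/profiles/darwin.nix` that both files already import, the way the deleted `darwin-shared.nix` held it. `trusted-users = [ "@admin" "fcuny" ]` hard-codes the user name although `adminUser.name` is already used for `system.primaryUser` later in the file, and trusted-users membership is root-equivalent for the nix-daemon, so `trusted-users = [ adminUser.name ];` is both consistent and narrower. As with the sibling file, the `system.stateVersion = 5` from the deleted `mba-m2/default.nix` is not carried over here; confirm the darwin profile sets it, since it is not visible in this diff.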
@@ -1,36 +1,35 @@ -{ pkgs, ... }: +{ self, pkgs, ... }: { age = { secrets = { restic_gcs_credentials = { - file = ../../../secrets/restic_gcs_credentials.age; + file = "${self}/secrets/restic_gcs_credentials.age"; }; restic_password = { - file = ../../../secrets/restic_password.age; + file = "${self}/secrets/restic_password.age"; }; cloudflared-tunnel = { - file = ../../../secrets/cloudflared_cragmont.age; + file = "${self}/secrets/cloudflared_cragmont.age"; }; cloudflared-cert = { - file = ../../../secrets/cloudflared_cert.age; + file = "${self}/secrets/cloudflared_cert.age"; }; }; }; imports = [ - ./backups.nix - ./git.nix - ./hardware.nix - ./ingress.nix - ./nginx.nix - ../common/network.nix + "${self}/nix/profiles/git-server.nix" + "${self}/nix/profiles/hardware/synology.nix" + "${self}/nix/profiles/disk/vm.nix" + "${self}/nix/profiles/server.nix" + # ./backups.nix + # ./ingress.nix + # ./nginx.nix ]; # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "vm-synology"; - boot.kernelPackages = pkgs.linuxPackages_latest; nix = { package = pkgs.nixVersions.latest; @@ -46,31 +45,9 @@ }; }; - time.timeZone = "America/Los_Angeles"; - - # Don't require password for sudo - security.sudo.wheelNeedsPassword = false; - - # Virtualization settings - virtualisation.docker.enable = true; - - # Select internationalisation properties. - i18n = { - defaultLocale = "en_US.UTF-8"; - }; - # Define a user account. Don't forget to set a password with ‘passwd’. users.mutableUsers = false; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - curl - git - vim - jq - ]; - # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.settings.PasswordAuthentication = true; 
@@ -80,8 +57,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi" ]; - networking.firewall.enable = false; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/nix/machines/vm-synology/backups.nix b/nix/machines/vm-synology/backups.nix deleted file mode 100644 index cf3c65b..0000000 --- a/nix/machines/vm-synology/backups.nix +++ /dev/null 
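Review bot: The `# ./backups.nix`, `# ./ingress.nix` and `# ./nginx.nix` imports are commented out, but this same commit deletes those three files, so the daily restic backups of `/var/lib/gitolite` (local and `gs:fcuny-infra-backups`) and the cloudflared tunnel are no longer configured anywhere visible in this diff. The four `age.secrets` entries at the top of the hunk are still declared, so the restic and cloudflared credentials keep being decrypted onto the host with nothing consuming them; either move the backup module next to `git-server.nix` as a profile or drop the unused secret declarations until a consumer exists. Separately, `services.openssh.settings.PasswordAuthentication = true;` survives as context while `networking.firewall.enable = false;` is removed, so sshd stays reachable with password auth on; with `users.mutableUsers = false` and an authorized key already declared, `services.openssh.settings.PasswordAuthentication = false;` would close that path. The removed systemd-boot, `security.sudo.wheelNeedsPassword`, docker and timezone settings are presumably now in `profiles/server.nix`, which is outside this diff and cannot be confirmed here.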
@@ -1,73 +0,0 @@ -{ - config, - pkgs, - ... -}: -let - environmentFile = toString ( - pkgs.writeText "restic-gcs-env" '' - GOOGLE_PROJECT_ID=fcuny-infra - GOOGLE_APPLICATION_CREDENTIALS=${config.age.secrets.restic_gcs_credentials.path} - '' - ); -in -{ - services.restic.backups.local = { - passwordFile = config.age.secrets.restic_password.path; - repository = "/srv/data/backups/"; - initialize = true; - paths = [ "/var/lib/gitolite" ]; - exclude = [ - "/var/lib/gitolite/.bash_history" - "/var/lib/gitolite/.ssh" - "/var/lib/gitolite/.viminfo" - ]; - extraBackupArgs = [ - "--exclude-caches" - "--compression=max" - ]; - timerConfig = { - OnCalendar = "daily"; - }; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 3" - ]; - }; - - services.restic.backups.gcs = { - passwordFile = config.age.secrets.restic_password.path; - environmentFile = environmentFile; - repository = "gs:fcuny-infra-backups:/vm-synology/"; - initialize = true; - paths = [ "/var/lib/gitolite" ]; - exclude = [ - "/var/lib/gitolite/.bash_history" - "/var/lib/gitolite/.ssh" - "/var/lib/gitolite/.viminfo" - ]; - extraBackupArgs = [ - "--exclude-caches" - "--compression=max" - ]; - timerConfig = { - OnCalendar = "daily"; - }; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 3" - ]; - }; - - environment = { - sessionVariables = { - RESTIC_REPOSITORY = "/srv/data/backups"; - RESTIC_PASSWORD_FILE = config.age.secrets.restic_password.path; - }; - systemPackages = with pkgs; [ - restic - ]; - }; -} diff --git a/nix/machines/vm-synology/disk.nix b/nix/machines/vm-synology/disk.nix deleted file mode 100644 index 1641339..0000000 --- a/nix/machines/vm-synology/disk.nix +++ /dev/null 
@@ -1,55 +0,0 @@ -{ lib, ... }: -{ - disko.devices = { - disk.disk1 = { - device = lib.mkDefault "/dev/sda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - name = "boot"; - size = "1M"; - type = "EF02"; - }; - esp = { - name = "ESP"; - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - root = { - name = "root"; - size = "100%"; - content = { - type = "lvm_pv"; - vg = "pool"; - }; - }; - }; - }; - }; - lvm_vg = { - pool = { - type = "lvm_vg"; - lvs = { - root = { - size = "100%FREE"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - mountOptions = [ - "defaults" - ]; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix deleted file mode 100644 index 27eebc7..0000000 --- a/nix/machines/vm-synology/git.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, ... }: -{ - services.gitolite = { - enable = true; - adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"; - user = "git"; - group = "git"; - extraGitoliteRc = '' - # Make dirs/files group readable, needed for webserver/cgit. (Default - # setting is 0077.) - $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner'; - $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local"; - push( @{$RC{ENABLE}}, 'symbolic-ref' ); - ''; - }; - - # let's make sure the default branch is `main'. - systemd.tmpfiles.rules = [ - "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" '' - [init] - defaultBranch = main - ''}" - ]; -} diff --git a/nix/machines/vm-synology/hardware.nix b/nix/machines/vm-synology/hardware.nix deleted file mode 100644 index c894a80..0000000 --- a/nix/machines/vm-synology/hardware.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ lib, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - (modulesPath + "/installer/scan/not-detected.nix") - ./disk.nix - ]; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens3.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/nix/machines/vm-synology/ingress.nix b/nix/machines/vm-synology/ingress.nix deleted file mode 100644 index b6ae596..0000000 --- a/nix/machines/vm-synology/ingress.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, ... }: -{ - services.cloudflared = { - enable = true; - certificateFile = config.age.secrets.cloudflared-cert.path; - tunnels = { - "cragmont" = { - credentialsFile = config.age.secrets.cloudflared-tunnel.path; - default = "http_status:404"; - ingress = { - "git.fcuny.net".service = "ssh://127.0.0.1:22"; - }; - }; - }; - }; -} diff --git a/nix/machines/vm-synology/nginx.nix b/nix/machines/vm-synology/nginx.nix deleted file mode 100644 index 2c3b7fb..0000000 --- a/nix/machines/vm-synology/nginx.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - ... -}: -{ - services.fcuny-net = { - enable = true; - domain = "fcuny.net"; - enableSSL = false; # Enable if you want HTTPS - }; -} |
