autoformatted files

flake.nix

@@ -8,26 +8,43 @@
     sops-nix.url = "github:Mic92/sops-nix";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
   };
-  outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix, lanzaboote, microvm}@inputs: let 
+  outputs = {
-  imports = { imports = [
+    self,
-	sops-nix.nixosModules.sops
+    nixpkgs,
-        passInputs mkLocalModsInput
+    nixpkgs-unstable,
+    sops-nix,
+    lanzaboote,
+    microvm,
+  } @ inputs: let
+    imports = {
+      imports = [
+        sops-nix.nixosModules.sops
+        passInputs
+        mkLocalModsInput
         lanzaboote.nixosModules.lanzaboote
-	inputs.microvm.nixosModules.host
+        inputs.microvm.nixosModules.host
-	];};
+      ];
-  passInputs = ({lib,config,...}:{
+    };
-    options.flakePath = lib.mkOption {type = lib.types.path;};
+    passInputs = {
-    config.flakePath = ./.;
+      lib,
-    options.inputs = lib.mkOption {type = lib.types.attrs;};
+      config,
-    config.inputs = inputs;
+      ...
-    options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
+    }: {
-    config.pkgsInstances = {
+      options.flakePath = lib.mkOption {type = lib.types.path;};
-      unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
+      config.flakePath = ./.;
+      options.inputs = lib.mkOption {type = lib.types.attrs;};
+      config.inputs = inputs;
+      options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
+      config.pkgsInstances = {
+        unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
+      };
+    };
+    inherit (nixpkgs) lib;
+    mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
+    mkLocalModsInput = mkLocalMods {
+      prefix = ["lyn"];
+      dir = ./modules;
     };
-  });
-  inherit (nixpkgs) lib;
-  mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
-  mkLocalModsInput = (mkLocalMods {prefix = ["lyn"]; dir = ./modules;});
   in {
     nixosConfigurations = {
       "forgenite" = nixpkgs.lib.nixosSystem {
@@ -35,28 +52,28 @@
         modules = [
           ./hosts/forgenite
           imports
-	      ];
+        ];
       };
       "forgejo-ci" = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
           ./hosts/forgejo-ci
           imports
-	      ];
+        ];
       };
       "supernova" = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
           ./hosts/supernova
-	        imports
+          imports
-	        ];
+        ];
       };
       "wg-gateway" = nixpkgs.lib.nixosSystem {
         system = "aarch64-linux";
         modules = [
           ./hosts/wg-gateway
-	        imports
+          imports
-	      ];
+        ];
       };
     };
   };

hosts/forgejo-ci/default.nix

@@ -1,11 +1,17 @@
-{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
+{
-  imports =
+  config,
-    [
+  pkgs,
-      ./hardware-configuration.nix
+  lib,
-    ];
+  inputs,
+  ...
+}:
+with config.lyn.lib; {
+  imports = [
+    ./hardware-configuration.nix
+  ];
   lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
   lyn.users.lyn.enable = true;
-  lyn.kernel.latest.enable = true; 
+  lyn.kernel.latest.enable = true;
   lyn.kernel.hardened.enable = true;
   lyn.profiles.base.enable = true;
   lyn.profiles.vm.enable = true;
@@ -16,5 +22,5 @@
 
   networking.hostName = "forgejo-ci"; # Define your hostname.
 
-  system.stateVersion = "23.05"; 
+  system.stateVersion = "23.05";
 }

hosts/forgenite/default.nix

@@ -1,12 +1,17 @@
-{ config, pkgs, lib, inputs, ... }: {
+{
-  imports =
+  config,
-    [
+  pkgs,
-      ./hardware-configuration.nix
+  lib,
-    ];
+  inputs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+  ];
   lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
   lyn.users.lyn.enable = true;
   lyn.kernel.latest.enable = true;
-  lyn.kernel.hardened.enable =true;
+  lyn.kernel.hardened.enable = true;
   lyn.profiles.base.enable = true;
   lyn.profiles.vm.enable = true;
 
@@ -24,6 +29,4 @@
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
   system.stateVersion = "24.05"; # Did you read the comment?
- 
 }
-

hosts/supernova/default.nix

@@ -1,16 +1,22 @@
-{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
+{
-    imports =
+  config,
-    [
+  pkgs,
-      ./hardware-configuration.nix
+  lib,
-      ./virtualization.nix
+  inputs,
-    ];
+  ...
-  lyn.kernel.latest.enable = true; 
+}:
+with config.lyn.lib; {
+  imports = [
+    ./hardware-configuration.nix
+    ./virtualization.nix
+  ];
+  lyn.kernel.latest.enable = true;
   lyn.profiles.base.enable = true;
   lyn.profiles.headless.enable = true;
   lyn.users.lyn.enable = true;
   networking.hostName = "supernova";
   boot.loader.efi.canTouchEfiVariables = true;
-  
+
   # this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
   boot.loader.systemd-boot.enable = true;
 
@@ -23,33 +29,37 @@
 
   # Kernel hardening
   lyn.kernel.hardened.enable = true;
-  ## Don't print any errors/logs to the console 
+  ## Don't print any errors/logs to the console
   boot.consoleLogLevel = 0;
- 
+
   # Secure boot
   lyn.profiles.secureboot.enable = true;
 
   # FDE + initrd stuff
-  boot.kernelParams = [ "ip=dhcp" ];
+  boot.kernelParams = ["ip=dhcp"];
   boot.loader.timeout = 2;
   boot.initrd = {
-    availableKernelModules = [ "r8169" ];
+    availableKernelModules = ["r8169"];
     systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
     secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
     network = {
-    enable = true;
-    ssh = {
       enable = true;
-      port = 2222;
+      ssh = {
-      # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
+        enable = true;
-      hostKeys = [ /root/initrd-ssh-key ];
+        port = 2222;
-      # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
+        # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
-      # authorizedKeys = [ "ssh-rsa ..." ];
+        hostKeys = [/root/initrd-ssh-key];
-      authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+        # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
+        # authorizedKeys = [ "ssh-rsa ..." ];
+        authorizedKeys = with lib;
+          concatLists (mapAttrsToList (name: user:
+            if elem "wheel" user.extraGroups
+            then user.openssh.authorizedKeys.keys
+            else [])
+          config.users.users);
+      };
     };
   };
-  };
 
-  
+  system.stateVersion = "24.05";
-  system.stateVersion = "24.05";  
 }

hosts/supernova/hardware-configuration.nix

@@ -1,41 +1,45 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
+  config,
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  lib,
-    ];
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.initrd.kernelModules = ["dm-snapshot"];
-  boot.kernelModules = [ "kvm-amd" ];
+  boot.kernelModules = ["kvm-amd"];
-  boot.extraModulePackages = [ ];
+  boot.extraModulePackages = [];
 
   boot.initrd.systemd.enable = true;
   boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/db8a5cf9-c54b-4e6a-b3f9-e6323eb962a6";
   # doubles SSD performance because r/w queue is unnecessary here
   boot.initrd.luks.devices."root".bypassWorkqueues = true;
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/mapper/vg-root";
+    device = "/dev/mapper/vg-root";
-      fsType = "btrfs";
+    fsType = "btrfs";
-      options = ["x-systemd.device-timeout=0"];
+    options = ["x-systemd.device-timeout=0"];
-    };
+  };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/0374-0967";
+    device = "/dev/disk/by-uuid/0374-0967";
-      fsType = "vfat";
+    fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
+    options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
-    };
+  };
 
-  swapDevices =
+  swapDevices = [
-    [ { 
+    {
-      device = "/dev/mapper/vg-swap"; 
+      device = "/dev/mapper/vg-swap";
       options = ["x-systemd.device-timeout=0"];
     }
-    ];
+  ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

hosts/supernova/virtualization.nix

@@ -1,4 +1,3 @@
-{ ... }:{
+{...}: {
   lyn.profiles.hypervisor.enable = true;
-  
+}
-}

hosts/wg-gateway/default.nix

@@ -1,32 +1,35 @@
-{ config, lib, pkgs, ... }:
-
 {
-  imports =
+  config,
-    [ # Include the results of the hardware scan.
+  lib,
-      ./hardware-configuration.nix
+  pkgs,
-    ];
+  ...
-    boot.loader.systemd-boot.enable = true;
+}: {
-    boot.loader.efi.canTouchEfiVariables = true;
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
 
-    lyn.kernel.latest.enable = true;
+  lyn.kernel.latest.enable = true;
-    lyn.profiles.base.enable = true;
+  lyn.profiles.base.enable = true;
-    lyn.profiles.secureboot.enable = true;
+  lyn.profiles.secureboot.enable = true;
-    lyn.users.lyn.enable = true;
+  lyn.users.lyn.enable = true;
 
-    # network
+  # network
-    networking.useDHCP = false;
+  networking.useDHCP = false;
-    networking.hostName = "wg-gateway"; # Define your hostname.
+  networking.hostName = "wg-gateway"; # Define your hostname.
-    systemd.network.enable = true;
+  systemd.network.enable = true;
-    systemd.network.networks."10-wan" = {
+  systemd.network.networks."10-wan" = {
     matchConfig.Name = "enp1s0";
     networkConfig.DHCP = "ipv4";
     address = [
       "2a01:4f8:1c1b:d2db::/64"
     ];
     routes = [
-      { routeConfig.Gateway = "fe80::1"; }
+      {routeConfig.Gateway = "fe80::1";}
     ];
   };
 
-    system.stateVersion = "24.05";  
+  system.stateVersion = "24.05";
-}
+}

hosts/wg-gateway/hardware-configuration.nix

@@ -1,34 +1,38 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
+  config,
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+  lib,
-    ];
+  pkgs,
-  boot.initrd.kernelModules = [ "virtio_gpu" ];
+  modulesPath,
-  boot.kernelParams = [ "console=tty" ];
+  ...
-  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ];
+}: {
-  boot.kernelModules = [ ];
+  imports = [
-  boot.extraModulePackages = [ ];
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  boot.initrd.kernelModules = ["virtio_gpu"];
+  boot.kernelParams = ["console=tty"];
+  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
+    device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
-      fsType = "ext4";
+    fsType = "ext4";
-    };
+  };
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/BEFA-C7BC";
+    device = "/dev/disk/by-uuid/BEFA-C7BC";
-      fsType = "vfat";
+    fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+    options = ["fmask=0077" "dmask=0077"];
-    };
+  };
 
-  swapDevices =
+  swapDevices = [
-    [ { device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710"; }
+    {device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710";}
-    ];
+  ];
 
   # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}
+}

meta/default.nix

@@ -1,6 +1,5 @@
 {
-    imports = [
+  imports = [
-	./mkLocalMods.nix
+    ./mkLocalMods.nix
-    ];
+  ];
 }
-

meta/mkLocalMods.nix

@@ -1,54 +1,107 @@
-{lib, ...}:
+{lib, ...}: let
-let
+  inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;}) packagesFromDirectoryRecursive;
-inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;} ) packagesFromDirectoryRecursive;
+  mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
-	mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
+  #kv = key: value: {inherit key value;};
-	#kv = key: value: {inherit key value;};
+  recurseNaive = curPath: fn:
-	recurseNaive = curPath: fn: mapAttrKVs (k: v: let 
+    mapAttrKVs (
-		match = builtins.match "(.*)[.]nix" k;
+      k: v: let
-	in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
+        match = builtins.match "(.*)[.]nix" k;
-		else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
+      in
-		else {key = null; value = null;}
+        if v == "regular" && match != null
-	) (builtins.readDir curPath);
+        then {
+          key = builtins.elemAt match 0;
+          value = fn (curPath + ("/" + k));
+        }
+        else if v == "directory"
+        then {
+          key = k;
+          value = recurseNaive (curPath + ("/" + k)) fn;
+        }
+        else {
+          key = null;
+          value = null;
+        }
+    ) (builtins.readDir curPath);
 
-	getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
+  getAttrKVsRec = prefix: as:
-		if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
+    lib.flatten (lib.mapAttrsToList (
-		else [{path = prefix ++ [k]; value = v;}]
+        k: v:
-	) as);
+          if lib.isAttrs v
+          then getAttrKVsRec (prefix ++ [k]) v
+          else [
+            {
+              path = prefix ++ [k];
+              value = v;
+            }
+          ]
+      )
+      as);
 
-	getPathKVsRec = prefix: dir: getAttrKVsRec prefix (packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
+  getPathKVsRec = prefix: dir:
+    getAttrKVsRec prefix (packagesFromDirectoryRecursive {
+      callPackage = path: x: path;
+      directory = dir;
+    });
 
-	unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
+  unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
-	transformLocalMod = {path, value}: let 
+  transformLocalMod = {
-	modFn = if lib.isFunction (import value) then import value else (p: import value);
+    path,
-	newMod = p: let
+    value,
-		paramNew = p // {
+  }: let
-			cfg = lib.getAttrFromPath path p.config;
+    modFn =
-		};
+      if lib.isFunction (import value)
+      then import value
+      else (p: import value);
+    newMod = p: let
+      paramNew =
+        p
+        // {
+          cfg = lib.getAttrFromPath path p.config;
+        };
 
-		pathStr = builtins.concatStringsSep "." path;
+      pathStr = builtins.concatStringsSep "." path;
-		modRaw = modFn paramNew;
+      modRaw = modFn paramNew;
-		modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
+      modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
 
-		mod = modRaw.mod or {};
+      mod = modRaw.mod or {};
-		fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
+      fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
-		enablePath = path ++ ["enable"];
+      enablePath = path ++ ["enable"];
 
-		imports = [ {
+      imports = [
-			_file = fileCtx "`opt` processor";
+        {
-			key = fileCtx "`opt` processor";
+          _file = fileCtx "`opt` processor";
-			options = lib.setAttrByPath path (modRaw.opt or {});
+          key = fileCtx "`opt` processor";
-		} {
+          options = lib.setAttrByPath path (modRaw.opt or {});
-			_file = fileCtx "`enable` definition";
+        }
-			key = fileCtx "`enable` definition";
+        {
-			options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
+          _file = fileCtx "`enable` definition";
-		} ({config, ...}: {
+          key = fileCtx "`enable` definition";
-			_file = fileCtx "config wrapper";
+          options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
-			key = fileCtx "config wrapper";
+        }
-			config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config; 
+        ({config, ...}: {
-		})];
+          _file = fileCtx "config wrapper";
+          key = fileCtx "config wrapper";
+          config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
+        })
+      ];
 
-		newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
+      newMod =
-	in newMod; in lib.mirrorFunctionArgs modFn newMod;
+        modUni
+        // {
+          imports = modUni.imports ++ imports;
+          config = {};
+        };
+    in
+      newMod;
+  in
+    lib.mirrorFunctionArgs modFn newMod;
 
-	mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
+  mkLocalMods = {
-in mkLocalMods
+    prefix ? [],
+    dir,
+  }: {
+    _file = "mkLocalMods collector";
+    imports = builtins.map transformLocalMod (getPathKVsRec prefix dir);
+  };
+in
+  mkLocalMods

meta/modules-extracted.nix

@@ -1,8 +1,8 @@
 # https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
-{ lib }:
+{lib}:
-with lib.modules;
+with lib.modules; let
-let
+  inherit
-  inherit (lib)
+    (lib)
     addErrorContext
     all
     any
@@ -36,7 +36,8 @@ let
     optionalAttrs
     optionalString
     recursiveUpdate
-    reverseList sort
+    reverseList
+    sort
     seq
     setAttrByPath
     substring
@@ -50,7 +51,8 @@ let
     zipAttrs
     zipAttrsWith
     ;
-  inherit (lib.options)
+  inherit
+    (lib.options)
     isOption
     mkOption
     showDefs
@@ -58,36 +60,41 @@ let
     showOption
     unknownModule
     ;
-  inherit (lib.strings)
+  inherit
+    (lib.strings)
     isConvertibleWithToString
     ;
 
-  unifyModuleSyntax = file: key: m:
+  unifyModuleSyntax = file: key: m: let
-    let
+    addMeta = config:
-      addMeta = config: if m ? meta
+      if m ? meta
-        then mkMerge [ config { meta = m.meta; } ]
+      then mkMerge [config {meta = m.meta;}]
-        else config;
+      else config;
-      addFreeformType = config: if m ? freeformType
+    addFreeformType = config:
-        then mkMerge [ config { _module.freeformType = m.freeformType; } ]
+      if m ? freeformType
-        else config;
+      then mkMerge [config {_module.freeformType = m.freeformType;}]
+      else config;
+  in
+    if m ? config || m ? options
+    then let
+      badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"];
     in
-    if m ? config || m ? options then
+      if badAttrs != {}
-      let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
+      then throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
-      if badAttrs != {} then
+      else {
-        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
+        _file = toString m._file or file;
-      else
+        _class = m._class or null;
-        { _file = toString m._file or file;
+        key = toString m.key or key;
-          _class = m._class or null;
+        disabledModules = m.disabledModules or [];
-          key = toString m.key or key;
+        imports = m.imports or [];
-          disabledModules = m.disabledModules or [];
+        options = m.options or {};
-          imports = m.imports or [];
+        config = addFreeformType (addMeta (m.config or {}));
-          options = m.options or {};
+      }
-          config = addFreeformType (addMeta (m.config or {}));
-        }
     else
       # shorthand syntax
       throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
-      { _file = toString m._file or file;
+      {
+        _file = toString m._file or file;
         _class = m._class or null;
         key = toString m.key or key;
         disabledModules = m.disabledModules or [];
@@ -95,6 +102,4 @@ let
         options = {};
         config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
       };
-
-
 in {inherit unifyModuleSyntax;}

modules/profiles/base.nix

@@ -36,6 +36,32 @@
     htop
   ];
 
+  # Use encrypted Quad9 DNS
+  nameservers = [ "127.0.0.1" "::1" ];
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      ipv6_servers = true;
+      require_dnssec = true;
+
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+
+      # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+     server_names = [ 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-pri'];
+    };
+  };
+
+  systemd.services.dnscrypt-proxy2.serviceConfig = {
+    StateDirectory = "dnscrypt-proxy";
+  };
+
   nix.gc = {
     automatic = true;
     persistent = true;

modules/profiles/hypervisor.nix

@@ -1,4 +1,8 @@
-{inputs, lib, ...}: {
+{
-    microvm.host.enable = true;
+  inputs,
-    networking.useNetworkd = true;
+  lib,
+  ...
+}: {
+  microvm.host.enable = true;
+  networking.useNetworkd = true;
 }

modules/profiles/secureboot.nix

@@ -1,5 +1,9 @@
-{ config, pkgs, lib, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
   environment.systemPackages = [
     # For debugging and troubleshooting Secure Boot.
     pkgs.sbctl
@@ -9,5 +13,4 @@
     enable = true;
     pkiBundle = "/etc/secureboot";
   };
-  
+}
-} 

modules/profiles/vm.nix

@@ -1,8 +1,13 @@
-{ config, pkgs, lib, modulesPath, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
   ];
   #enable qemu-guestagent
   services.qemuGuest.enable = true;
-} 
+}

modules/services/forgejo-ci.nix

@@ -1,8 +1,14 @@
-{ config, pkgs, lib, inputs, cfg, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  inputs,
+  cfg,
+  ...
+}: {
   environment.systemPackages = with pkgs; [
     docker
-];
+  ];
 
   # Enable docker
   virtualisation.docker = {
@@ -20,10 +26,10 @@
     instances = {
       "${cfg.instancename}" = {
         enable = true;
-            url = "https://${cfg.domain}";
+        url = "https://${cfg.domain}";
-            name = cfg.instancename;
+        name = cfg.instancename;
-            tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
+        tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
-            labels = [];
+        labels = [];
       };
     };
   };

modules/services/forgejo.nix

@@ -1,5 +1,12 @@
-{pkgs, lib, config, cfg, ...}:
+{
-with lib; with builtins; {
+  pkgs,
+  lib,
+  config,
+  cfg,
+  ...
+}:
+with lib;
+with builtins; {
   opt.domain = lib.mkOption {type = lib.types.str;};
   services.forgejo = {
     enable = true;
@@ -11,20 +18,20 @@ with lib; with builtins; {
       OFFLINE_MODE = true; # disable gravatar, CDN
     };
     settings.actions = {
-       ENABLED = true;
+      ENABLED = true;
     };
     settings."repository.upload" = {
-	FILE_MAX_SIZE = 4095;
+      FILE_MAX_SIZE = 4095;
-	MAX_FILES = 20;
+      MAX_FILES = 20;
     };
     settings."attachment" = {
-        MAX_SIZE = 4095;
+      MAX_SIZE = 4095;
-        MAX_FILES = 20;
+      MAX_FILES = 20;
     };
 
     settings.service = {
-	DISABLE_REGISTRATION = true;
+      DISABLE_REGISTRATION = true;
-	DEFAULT_KEEP_EMAIL_PRIVATE = true;
+      DEFAULT_KEEP_EMAIL_PRIVATE = true;
     };
     database = {
       user = "forgejo";

modules/sops/default.nix

@@ -1,23 +1,27 @@
-{ pkgs, lib, config, ... }:
-let
-  cfg = config.lyn.sops;
-in
 {
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.lyn.sops;
+in {
   options.lyn.sops = with lib; {
     secrets = mkOption {
       type = types.attrs;
-      default = { };
+      default = {};
     };
   };
   config = {
-    sops.secrets = lib.mapAttrs
+    sops.secrets =
-      (name: value:
+      lib.mapAttrs
-        let
+      (name: value: let
-          name_split = lib.splitString "/" name;
+        name_split = lib.splitString "/" name;
-        in
+      in
         {
           sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
-        } // value)
+        }
+        // value)
       cfg.secrets;
   };
 }

modules/users/lyn/default.nix

@@ -1,11 +1,17 @@
-{lib,pkgs, config, cfg, ...}:{
+{
-    imports = [
+  lib,
-	./ssh.nix
+  pkgs,
-    ];
+  config,
-    users.users.lyn = {   
+  cfg,
+  ...
+}: {
+  imports = [
+    ./ssh.nix
+  ];
+  users.users.lyn = {
     isNormalUser = true;
-   	extraGroups = [ "wheel"];
+    extraGroups = ["wheel"];
-	  packages = with pkgs; [
+    packages = with pkgs; [
     ];
-    };
+  };
 }

modules/users/lyn/ssh.nix

@@ -1,3 +1,7 @@
-{lib, config, ...}: {
+{
-    users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
+  lib,
+  config,
+  ...
+}: {
+  users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
 }