restructure

flake.nix

@@ -2,8 +2,9 @@
   description = "Lyns flake";
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    sops-nix.url = "github:Mic92/sops-nix";
   };
-  outputs = { self, nixpkgs }@inputs: {
+  outputs = { self, nixpkgs, sops-nix }@inputs: {
   nixosConfigurations = {
     "forgejo" = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
@@ -12,6 +13,7 @@
           # old configuration file can still take effect.
           # Note: configuration.nix itself is also a Nixpkgs Module,
           ./configuration.nix
+          sops-nix.nixosModules.sops
         ];
 	specialArgs = { 
 		inherit inputs;

hosts/forgenite/default.nix

@@ -1,16 +1,12 @@
-# Edit this configuration file to define what should be installed on
+{ config, pkgs, lib, inputs, ... }: with lib.meta; {
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running `nixos-help`).
-
-{ config, pkgs, ... }:
-
-{
   imports =
     [
       ./hardware-configuration.nix
-      # comment in backup.nix for borgbackuping forgejo 
-      #./backup.nix
     ];
+
+  # will this work?
+  users.lyn.enable = true;
+  services.forgejo.enable = true;
   # Write path for borgbackup repos for backup.nix
   _module.args.borgrepolistfile = ./borgrepos;
 
@@ -29,16 +25,6 @@
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 
-  users.users.lyn = {
-    	isNormalUser = true;
-   	extraGroups = [ "wheel"];
-    	openssh.authorizedKeys.keys = [
-		"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"
-	];
-	packages = with pkgs; [
-    ];
-};
-
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
@@ -49,9 +35,6 @@
     htop
   ];
 
- 
-
-
   # Enable the OpenSSH daemon.
   services.openssh = {
 	enable = true;
@@ -62,44 +45,6 @@
 	};
 	openFirewall = true;
   };
-  #Forgejo
-  services.forgejo = {
-    enable = true;
-    settings.server = {
-      ROOT_URL = "https://git.shibe.pro";
-      DOMAIN = "git.shibe.pro";
-      HTTP_PORT = 48540;
-      OFFLINE_MODE = true; # disable gravatar, CDN
-    };
-    settings.actions = {
-       ENABLED = true;
-    };
-    settings."repository.upload" = {
-	FILE_MAX_SIZE = 4095;
-	MAX_FILES = 20;
-    };
-    settings."attachment" = {
-        MAX_SIZE = 4095;
-        MAX_FILES = 20;
-    };
-
-    settings.service = {
-	DISABLE_REGISTRATION = true;
-	DEFAULT_KEEP_EMAIL_PRIVATE = true;
-    };
-    database = {
-      user = "forgejo";
-      passwordFile = "/etc/nixos/forgejo-dbpassword";
-      name = "forgejodb";
-      type = "mysql";
-    };
-  };
-
-  # Allow forgejo user to adjust authorized_keys dynamically
-  services.openssh.extraConfig = ''
-    Match User forgejo
-      AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
-  '';
 
   #enable qemu-guestagent
   services.qemuGuest.enable = true;
@@ -110,8 +55,6 @@
   networking.firewall.enable = true;
   networking.firewall.allowPing = true;
 
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [48540 ];
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;

meta/enable.nix

@@ -0,0 +1,8 @@
+{lib, config, ...}: {
+    lib.meta.enable = list: lib.genAttrs 
+	list 
+	(name: 
+	    ${name}.enable = true;
+	)
+    ;
+}

meta/mkLocalModule.nix

@@ -0,0 +1,23 @@
+{lib, config, ...}: {
+    lib.mkLocalModule = pathInterpolation: optDesc: config: let 
+    #example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g;
+    marker = "local-modules";
+    splitAfterMarker = marker: input: builtins.foldl' (acc: new:
+      if acc == false then # marker not found yet
+        if new == marker then [] else acc
+      else # marker found
+        if builtins.typeOf new == "string" 
+          then acc ++ [new]
+          else acc
+    ) false (builtins.split "/" (builtins.toString input));
+    path = splitAfterMarker marker pathInterpolation;
+    inputs = {
+      #optDesc = "enable this";
+      inherit optDesc: config;
+    };
+    mod = {config, ...}: {
+      options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc);
+      config = lib.mkIf (lib.getAttrByPath path config) inputs.config;
+    };
+  in mod;
+}

services/forgejo.nix

@@ -0,0 +1,41 @@
+{pkgs, lib, config}:
+with lib with builtins; {
+  services.forgejo = {
+    enable = true;
+    settings.server = {
+      ROOT_URL = "https://git.shibe.pro";
+      DOMAIN = "git.shibe.pro";
+      HTTP_PORT = 48540;
+      OFFLINE_MODE = true; # disable gravatar, CDN
+    };
+    settings.actions = {
+       ENABLED = true;
+    };
+    settings."repository.upload" = {
+	FILE_MAX_SIZE = 4095;
+	MAX_FILES = 20;
+    };
+    settings."attachment" = {
+        MAX_SIZE = 4095;
+        MAX_FILES = 20;
+    };
+
+    settings.service = {
+	DISABLE_REGISTRATION = true;
+	DEFAULT_KEEP_EMAIL_PRIVATE = true;
+    };
+    database = {
+      user = "forgejo";
+      passwordFile = "/etc/nixos/forgejo-dbpassword";
+      name = "forgejodb";
+      type = "mysql";
+    };
+  };
+
+  # Allow forgejo user to adjust authorized_keys dynamically
+  services.openssh.extraConfig = ''
+    Match User forgejo
+      AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
+  '';
+  networking.firewall.allowedTCPPorts = [48540];
+}

users/lyn/default.nix

@@ -0,0 +1,8 @@
+{lib, config, ...}:{
+    users.users.lyn = {
+    isNormalUser = true;
+   	extraGroups = [ "wheel"];
+	  packages = with pkgs; [
+    ];
+}
+}

users/lyn/ssh.nix

@@ -0,0 +1,3 @@
+{lib, config, ...}: lib.mkLocalModule ./. "Lyn SSH user config" {
+    users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
+}