Reorganize repository

modules/base/bluetooth/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.base.bluetooth.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.base.bluetooth.enable {
+    chvp.base.zfs.systemLinks = [{ path = "/var/lib/bluetooth"; type = "cache"; }];
+
+    hardware.bluetooth.enable = true;
+    services.blueman.enable = true;
+
+    home-manager.users.charlotte = lib.mkIf config.chvp.graphical.enable ({ ... }: {
+      services.blueman-applet.enable = true;
+    });
+  };
+}

modules/base/default.nix

@@ -0,0 +1,114 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./bluetooth
+    ./emacs
+    ./mail
+    ./network
+    ./nix
+    ./smartd
+    ./ssh
+    ./sshd
+    ./tmux
+    ./zfs
+    ./zsh
+  ];
+
+  options.chvp = {
+    stateVersion = lib.mkOption {
+      example = "20.09";
+    };
+
+    dataPrefix = lib.mkOption {
+      default = "";
+      example = "/data";
+    };
+
+    cachePrefix = lib.mkOption {
+      default = "";
+      example = "/cache";
+    };
+  };
+
+  config = {
+    home-manager.useGlobalPkgs = true;
+
+    system.stateVersion = config.chvp.stateVersion;
+    home-manager.users = {
+      charlotte = { ... }: {
+        home.stateVersion = config.chvp.stateVersion;
+      };
+      root = { ... }: {
+        home.stateVersion = config.chvp.stateVersion;
+      };
+    };
+
+    environment.systemPackages = with pkgs; [ htop moreutils ncdu ripgrep unzip zip ];
+
+    console = {
+      colors = [
+        "f8f8f8"
+        "a60000"
+        "005e00"
+        "813e00"
+        "0031a9"
+        "721045"
+        "00538b"
+        "282828"
+        "ffffff"
+        "972500"
+        "315b00"
+        "70480f"
+        "2544bb"
+        "8f0075"
+        "30517f"
+        "000000"
+      ];
+      font = "Lat2-Terminus16";
+      keyMap = "us";
+    };
+
+    i18n = {
+      defaultLocale = "en_IE.UTF-8";
+      extraLocaleSettings = {
+        LC_TIME = "en_GB.UTF-8";
+      };
+    };
+
+    security = {
+      sudo.enable = false;
+      doas = {
+        enable = true;
+        extraRules = [
+          {
+            users = [ "charlotte" ];
+            noPass = true;
+            cmd = "nix-collect-garbage";
+            runAs = "root";
+          }
+        ];
+      };
+    };
+
+    services.fwupd.enable = true;
+
+    users = {
+      mutableUsers = false;
+      defaultUserShell = pkgs.zsh;
+      users = {
+        charlotte = {
+          isNormalUser = true;
+          home = "/home/charlotte";
+          description = "Charlotte Van Petegem";
+          extraGroups = [ "systemd-journal" ];
+          passwordFile = config.age.secrets."passwords/users/charlotte".path;
+        };
+        root.passwordFile = config.age.secrets."passwords/users/root".path;
+      };
+    };
+
+    age.secrets."passwords/users/charlotte".file = ../../secrets/passwords/users/charlotte.age;
+    age.secrets."passwords/users/root".file = ../../secrets/passwords/users/root.age;
+  };
+}

modules/base/emacs/base-init.el

@@ -0,0 +1,202 @@
+;;; init --- My emacs init file
+;;; Commentary:
+;;; Code:
+(eval-when-compile
+  (require 'use-package)
+  (require 'use-package-ensure)
+  (setq use-package-verbose nil)
+  (setq use-package-always-ensure t))
+
+;; Dependencies that inject `:keywords' into `use-package' should be
+;; included before all other packages.
+;; For :diminish in (use-package). Hides minor modes from the status line.
+(use-package diminish)
+;; For :general in (use-package). Keybinding management framework.
+(use-package general
+  :config
+  (general-evil-setup t)
+
+  ;; Create bindings under the leader
+  (general-create-definer lmap
+    :states '(normal visual insert emacs motion)
+    :prefix "SPC"
+    :non-normal-prefix "C-SPC"
+    )
+
+  (lmap
+    ""     nil ;; Unbind SPC, I don't use it for navigation anyway.
+
+    "SPC"  '(:ignore t :which-key "mode")
+
+    ":"    '(eval-expression :which-key "eval")
+
+    "b"    '(:ignore t :which-key "buffer")
+    "bd"   '(kill-this-buffer :which-key "kill")
+
+    "f"    '(:ignore t :which-key "file")
+    "ff"   '(find-file :which-key "find")
+    "fs"   '(save-buffer :which-key "save")
+
+    "h"    '(:ignore t :which-key "help")
+    "hb"   '(describe-bindings :which-key "bindings")
+    "hf"   '(describe-function :which-key "function")
+    "hv"   '(describe-variable :which-key "variable")
+
+    "q"    '(:ignore t :which-key "quit")
+    "qq"   '(delete-frame :which-key "quit")
+
+    "s"    '(:ignore t :which-key "search")
+
+    "w"    '(:ignore t :which-key "window")
+    "wv"   '(split-window-vertically :which-key "split vertical")
+    "ws"   '(split-window-horizontally :which-key "split horizontal")
+    "wd"   '(delete-window :which-key "delete")
+
+    "x"    '(execute-extended-command :which-key "exec")
+    )
+  )
+
+;; Better defaults that aren't defaults for some reason.
+(use-package better-defaults
+  ;; But don't enable ido-mode...
+  :config (ido-mode nil)
+  )
+
+;; Autocomplete
+(use-package company
+  :diminish (company-mode)
+  :config (global-company-mode)
+  )
+
+;; Prescient in company
+(use-package company-prescient
+  :config (company-prescient-mode 1)
+  )
+
+;; Replacements for emacs built-ins that better integrate with `selectrum'.
+(use-package consult
+  :demand t
+  :custom (consult-project-root-function #'projectile-project-root "Use projectile to determine project roots.")
+  :general
+  (lmap
+    "bb"  '(consult-buffer :which-key "switch")
+    "fr"  '(consult-recent-file :which-key "recent")
+    "ha"  '(consult-apropos :which-key "apropos")
+    "ss"  '(consult-line :which-key "search")
+    )
+  )
+
+;; General emacs settings
+(use-package emacs
+  :ensure nil ;; Not a real package, but a place to collect global settings
+  :hook
+  ;; Always display line numbers for text-based modes
+  ((text-mode prog-mode) . display-line-numbers-mode)
+  ;; Enable basic auto pairs. Maybe replace this with something more
+  ;; advanced later? Look into configuring pairs for frequently used
+  ;; major modes.
+  ((text-mode prog-mode) . electric-pair-mode)
+  :custom
+  (inhibit-startup-screen t "Don't show default startup screen")
+  :config
+  ;; Only ask for y/n, never for yes/no.
+  (defalias 'yes-or-no-p 'y-or-n-p)
+
+  ;; Font configuration
+  (defun font-settings ()
+    "Setup font settings."
+    (when window-system (set-frame-font "Fira Code 9"))
+    (set-fontset-font t 'symbol "Noto Color Emoji")
+    (set-fontset-font t 'symbol "Symbola" nil 'append))
+  (if (daemonp)
+      (add-hook 'server-after-make-frame-hook #'font-settings)
+    (font-settings))
+  )
+
+;; Vim keybindings
+(use-package evil
+  :custom
+  (evil-want-keybinding nil "Disable default evil keybindings, since
+    evil-collection is a superset. See
+    https://github.com/emacs-evil/evil-collection/issues/60.")
+  (evil-want-integration t "Also needed for evil-collection")
+  :config (evil-mode 1)
+  )
+
+;; Vim keybindings in other packages
+(use-package evil-collection
+  :after (evil)
+  :config (evil-collection-init)
+  )
+
+;; Linting
+(use-package flycheck
+  :diminish (flycheck-mode)
+  :config (global-flycheck-mode)
+  )
+
+;; Annotations in selection interface
+(use-package marginalia
+  :demand t
+  :custom
+  (marginalia-annotators '(marginalia-annotators-heavy marginalia-annotators-light nil))
+  :config
+  (marginalia-mode)
+  (advice-add #'marginalia-cycle :after (lambda () (selectrum-exhibit 'keep-selected)))
+  :general
+  (minibuffer-local-map "M-a" 'marginalia-cycle)
+  )
+
+;; Theming
+(use-package modus-themes
+  :custom
+  (modus-themes-bold-constructs t "Use bold accents")
+  (modus-themes-syntax 'alt-syntax-yellow-comments "Show comments in yellow instead of gray")
+  (modus-themes-promts 'intense-accented "Colours are nice")
+  (modus-themes-mode-line 'borderless "Thin borders are ugly")
+  (modus-themes-region 'bg-only "Don't lose syntax highlighting in the active region")
+  :config
+  (modus-themes-load-themes)
+  (modus-themes-load-operandi)
+  )
+
+;; Orderless filtering
+(use-package orderless
+  :after (selectrum)
+  :custom
+  (completion-styles '(orderless) "Use orderless for filtering")
+  (orderless-skip-highlighting (lambda () selectrum-is-active) "This and the setting below are performance optimisations.")
+  (selectrum-highlight-candidates-function #'orderless-highlight-matches "They make sure only the shown candidates are highlighted.")
+  (orderless-matching-styles '(orderless-regexp orderless-initialism orderless-prefixes) "More matching styles for more flexible matching.")
+  :config
+  ;; Highlight multiple parts in company matches
+  (defun just-one-face (fn &rest args)
+    (let ((orderless-match-faces [completions-common-part]))
+      (apply fn args)))
+
+  (advice-add 'company-capf--candidates :around #'just-one-face)
+  )
+
+;; Sorting when filtering
+(use-package prescient
+  :config (prescient-persist-mode 1)
+  )
+
+;; List item selection interface
+(use-package selectrum
+  :custom (selectrum-max-window-height 20 "Allow selector to be a bit higher")
+  :config (selectrum-mode 1)
+  :diminish (selectrum-mode)
+  )
+
+;; Prescient integration in selectrum
+(use-package selectrum-prescient
+  :custom (selectrum-prescient-enable-filtering nil "`orderless' manages the filtering part.")
+  :config (selectrum-prescient-mode 1))
+
+;; Show keybindings
+(use-package which-key
+  :diminish (which-key-mode)
+  :config (which-key-mode)
+  )
+

modules/base/emacs/default.nix

@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.base.emacs = {
+    fullConfig = lib.mkOption {
+      readOnly = true;
+      default = builtins.readFile ./base-init.el + (lib.concatStringsSep "\n" config.chvp.base.emacs.extraConfig) + ''
+        (provide 'init)
+        ;;; init.el ends here
+      '';
+    };
+    extraConfig = lib.mkOption {
+      default = [ ];
+    };
+    package = lib.mkOption {
+      readOnly = true;
+      default = pkgs.emacsWithPackagesFromUsePackage {
+        config = config.chvp.base.emacs.fullConfig;
+        package = pkgs.emacsPgtk;
+        alwaysEnsure = true;
+        # mu4e is included in the mu package and should be used from there
+        extraEmacsPackages = epkgs: lib.optional config.chvp.graphical.mail.enable pkgs.mu;
+      };
+    };
+  };
+
+  config = {
+    nixpkgs.overlays = [
+      (self: super: {
+        mu = super.mu.overrideAttrs (old: {
+          version = "1.5.13";
+          src = self.fetchFromGitHub {
+            owner = "djcb";
+            repo = "mu";
+            rev = "6d67e146fecb5aa512a7eff4b8044225af0dc5ce";
+            sha256 = "0ip7nd7z2l60a3dc1aic34hpab4alb0rmxlk9778nz3v88735iik";
+          };
+        });
+      })
+    ];
+    chvp.base.zfs.homeLinks = [
+      { path = ".emacs.d"; type = "cache"; }
+    ];
+
+    home-manager.users.charlotte = { ... }: {
+      services.emacs = {
+        enable = true;
+        client.enable = true;
+        socketActivation.enable = true;
+        package = config.chvp.base.emacs.package;
+      };
+      home = {
+        file = {
+          ".emacs.d/early-init.el".source = ./early-init.el;
+          ".emacs.d/init.el".text = config.chvp.base.emacs.fullConfig;
+        };
+        packages = [
+          (pkgs.writeShellScriptBin "emacs" ''${config.chvp.base.emacs.package}/bin/emacsclient -c "$@"'')
+          (pkgs.writeShellScriptBin "emacsclient" ''${config.chvp.base.emacs.package}/bin/emacsclient "$@"'')
+        ];
+        sessionVariables = { EDITOR = "emacs"; };
+      };
+    };
+  };
+}

modules/base/emacs/early-init.el

@@ -0,0 +1,43 @@
+;;; early-init --- My emacs early init file
+;;; Commentary:
+;;; Code:
+(defun hm/reduce-gc ()
+  "Reduce the frequency of garbage collection."
+  (setq gc-cons-threshold most-positive-fixnum
+        gc-cons-percentage 0.6))
+
+(defun hm/restore-gc ()
+  "Restore the frequency of garbage collection."
+  (setq gc-cons-threshold 16777216
+        gc-cons-percentage 0.1))
+
+;; Make GC more rare during init, while minibuffer is active, and
+;; when shutting down. In the latter two cases we try doing the
+;; reduction early in the hook.
+(hm/reduce-gc)
+(add-hook 'minibuffer-setup-hook #'hm/reduce-gc -50)
+(add-hook 'kill-emacs-hook #'hm/reduce-gc -50)
+
+;; But make it more regular after startup and after closing minibuffer.
+(add-hook 'emacs-startup-hook #'hm/restore-gc)
+(add-hook 'minibuffer-exit-hook #'hm/restore-gc)
+
+;; Avoid unnecessary regexp matching while loading .el files.
+(defvar hm/file-name-handler-alist file-name-handler-alist)
+(setq file-name-handler-alist nil)
+
+(defun hm/restore-file-name-handler-alist ()
+  "Restore the 'file-name-handler-alist' variable."
+  (setq file-name-handler-alist hm/file-name-handler-alist)
+  (makunbound 'hm/file-name-handler-alist))
+
+(add-hook 'emacs-startup-hook #'hm/restore-file-name-handler-alist)
+
+;; Nix manages our packages
+(setq package-enable-at-startup nil)
+
+;; Avoid expensive frame resizing. Inspired by Doom Emacs.
+(setq frame-inhibit-implied-resize t)
+
+(provide 'early-init)
+;;; early-init.el ends here

modules/base/mail/default.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.ssmtp = {
+    enable = true;
+    authUser = "webmaster@vanpetegem.me";
+    authPassFile = config.age.secrets."passwords/services/ssmtp-pass".path;
+    domain = "${config.networking.hostName}.vanpetegem.me";
+    hostName = "mail.vanpetegem.me:465";
+    root = "webmaster@vanpetegem.me";
+    setSendmail = true;
+    useTLS = true;
+  };
+
+  age.secrets."passwords/services/ssmtp-pass".file = ../../../secrets/passwords/services/ssmtp-pass.age;
+}

modules/base/network/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  imports = [
+    ./ovh.nix
+    ./networkmanager.nix
+  ];
+}

modules/base/network/networkmanager.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.base.network.networkmanager.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.base.network.networkmanager.enable {
+    chvp.base.zfs.systemLinks = [
+      { path = "/etc/NetworkManager/system-connections"; type = "data"; }
+    ];
+
+    networking.networkmanager = {
+      enable = true;
+      wifi.macAddress = "random";
+    };
+
+    users.users.charlotte.extraGroups = [ "networkmanager" ];
+    home-manager.users.charlotte = { ... }: {
+      home.packages = with pkgs; [ networkmanagerapplet ];
+    };
+  };
+}

modules/base/network/ovh.nix

@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+
+{
+  options.chvp.base.network.ovh = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+    };
+    publicIPV4 = lib.mkOption {
+      example = {
+        ip = "1.2.3.4";
+        gateway = "1.2.3.254";
+      };
+    };
+    publicIPV6 = lib.mkOption {
+      example = {
+        ip = "1:2:3:4::";
+        gateway = "1:2:3:ff:ff:ff:ff:ff";
+      };
+    };
+    internalIPV4 = lib.mkOption {
+      example = "192.168.0.1";
+    };
+  };
+
+  config = lib.mkIf config.chvp.base.network.ovh.enable {
+    networking = with config.chvp.base.network.ovh; {
+      useDHCP = false;
+      interfaces = {
+        eno1.useDHCP = false;
+        eno2.useDHCP = false;
+        eno3 = {
+          useDHCP = false;
+          ipv4.addresses = [{
+            address = publicIPV4.ip;
+            prefixLength = 24;
+          }];
+          ipv6 = {
+            addresses = [{
+              address = publicIPV6.ip;
+              prefixLength = 64;
+            }];
+            routes = [{
+              address = publicIPV6.gateway;
+              prefixLength = 128;
+            }];
+          };
+        };
+        eno4 = {
+          useDHCP = false;
+          ipv4.addresses = [{
+            address = internalIPV4;
+            prefixLength = 16;
+          }];
+        };
+      };
+      defaultGateway = publicIPV4.gateway;
+      defaultGateway6 = publicIPV6.gateway;
+      nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
+    };
+  };
+}

modules/base/nix/default.nix

@@ -0,0 +1,113 @@
+{ config, lib, pkgs, ... }:
+let
+  baseDirenv = {
+    programs.direnv = {
+      enable = true;
+      enableZshIntegration = true;
+      nix-direnv = {
+        enable = true;
+        enableFlakes = true;
+      };
+    };
+  };
+  baseNixIndex = {
+    home.packages = with pkgs; [ nix-index ];
+    programs.zsh.initExtra = ''
+      source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
+    '';
+    systemd.user = {
+      services.nix-index = {
+        Unit = {
+          Description = "Service to run nix-index";
+        };
+        Service = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.nix-index}/bin/nix-index";
+        };
+      };
+      timers.nix-index = {
+        Unit = {
+          Description = "Timer that starts nix-index every two hours";
+          PartOf = [ "nix-index.service" ];
+        };
+        Timer = {
+          OnCalendar = "00/2:30";
+        };
+        Install = {
+          WantedBy = [ "default.target" ];
+        };
+      };
+    };
+  };
+in
+{
+  options.chvp.base.nix = {
+    enableDirenv = lib.mkOption {
+      default = true;
+      example = false;
+    };
+    unfreePackages = lib.mkOption {
+      default = [ ];
+      example = [ "teams" ];
+    };
+    # Note that this is only enabled for charlotte, until https://github.com/bennofs/nix-index/issues/143 is resolved.
+    enableNixIndex = lib.mkOption {
+      default = true;
+      example = false;
+    };
+  };
+
+  config = {
+    chvp.base = {
+      emacs.extraConfig = [
+        ''
+          ;; Nix syntax support
+          (use-package nix-mode :mode "\\.nix\\'")
+        ''
+      ] ++ lib.optional config.chvp.base.nix.enableDirenv ''
+        ;; Direnv integration in emacs.
+        (use-package direnv :config (direnv-mode))
+      '';
+      zfs = {
+        homeLinks =
+          (lib.optional config.chvp.base.nix.enableDirenv { path = ".local/share/direnv"; type = "cache"; }) ++
+          (lib.optional config.chvp.base.nix.enableNixIndex { path = ".cache/nix-index"; type = "cache"; });
+        systemLinks =
+          (lib.optional config.chvp.base.nix.enableDirenv { path = "/root/.local/share/direnv"; type = "cache"; });
+      };
+    };
+
+    nix = {
+      gc = {
+        automatic = true;
+        dates = "hourly";
+        options = "--delete-older-than 7d";
+      };
+      optimise = {
+        automatic = true;
+        dates = [ "hourly" ];
+      };
+      trustedUsers = [ "@wheel" ];
+      extraOptions = ''
+        substituters = https://cache.nixos.org https://nix-community.cachix.org
+        trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
+      '' + (lib.optionalString config.chvp.base.nix.enableDirenv ''
+        keep-outputs = true
+        keep-derivations = true
+      '');
+    };
+
+    nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.chvp.base.nix.unfreePackages;
+    nixpkgs.overlays = [
+      (self: super: {
+        nix = super.nixUnstable;
+      })
+    ];
+
+    home-manager.users.charlotte = { ... }:
+      lib.recursiveUpdate
+        (lib.optionalAttrs config.chvp.base.nix.enableDirenv baseDirenv)
+        (lib.optionalAttrs config.chvp.base.nix.enableNixIndex baseNixIndex);
+    home-manager.users.root = { ... }: lib.optionalAttrs config.chvp.base.nix.enableDirenv baseDirenv;
+  };
+}

modules/base/smartd/default.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = [ pkgs.smartmontools ];
+  services.smartd = {
+    enable = true;
+    autodetect = true;
+    notifications = {
+      mail = {
+        enable = true;
+        sender = "${config.networking.hostName}@vanpetegem.me";
+        recipient = "webmaster@vanpetegem.me";
+      };
+      wall.enable = false;
+    };
+  };
+}

modules/base/ssh/default.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+let
+  ssh = pkgs.symlinkJoin {
+    name = "ssh";
+    paths = [
+      (
+        pkgs.writeShellScriptBin "ssh" ''
+          export TERM=xterm-256color
+          ${pkgs.openssh}/bin/ssh $@
+        ''
+      )
+      pkgs.openssh
+    ];
+  };
+  base = home: {
+    programs.ssh = {
+      enable = true;
+      compression = true;
+      controlMaster = "auto";
+      controlPersist = "10m";
+      hashKnownHosts = true;
+      userKnownHostsFile = "${config.chvp.cachePrefix}${home}/.ssh/known_hosts";
+      serverAliveInterval = 10;
+      extraOptionOverrides = {
+        IdentityFile = "${config.chvp.dataPrefix}${home}/.ssh/id_ed25519";
+        HostKeyAlgorithms = "ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
+      };
+      matchBlocks = import ./hosts.secret.nix;
+    };
+    home.packages = lib.mkIf config.chvp.graphical.enable [ ssh ];
+  };
+in
+{
+  home-manager.users.root = { ... }: (base "/root");
+  home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+}

modules/base/sshd/default.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+{
+  chvp.base.zfs.ensureExists = [ "${config.chvp.dataPrefix}/etc/ssh" ];
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+    permitRootLogin = "prohibit-password";
+    hostKeys = [
+      { bits = 4096; path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
+      { path = "${config.chvp.dataPrefix}/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
+    authorizedKeysFiles = [ "/run/secrets/authorized_keys/%u" ];
+  };
+
+  age.secrets."authorized_keys/root".file = ../../../secrets/authorized_keys/root.age;
+  age.secrets."authorized_keys/charlotte" = {
+    file = ../../../secrets/authorized_keys/charlotte.age;
+    owner = "charlotte";
+  };
+}

modules/base/tmux/default.nix

@@ -0,0 +1,22 @@
+{ ... }:
+let
+  base = {
+    programs.tmux = {
+      enable = true;
+      clock24 = true;
+      extraConfig = ''
+        bind q kill-session
+        bind v run-shell "tmux setw main-pane-width $(($(tmux display -p '#{window_width}') * 70 / 100)); tmux select-layout main-vertical"
+        bind h run-shell "tmux setw main-pane-height $(($(tmux display -p '#{window_height}') * 70 / 100)); tmux select-layout main-horizontal"
+
+        set -g default-terminal "screen-256color"
+        set -sg escape-time 10
+      '';
+      keyMode = "vi";
+    };
+  };
+in
+{
+  home-manager.users.charlotte = { ... }: base;
+  home-manager.users.root = { ... }: base;
+}

modules/base/zfs/default.nix

@@ -0,0 +1,172 @@
+{ config, lib, ... }:
+
+{
+  options.chvp.base.zfs = {
+    encrypted = lib.mkOption {
+      default = false;
+      example = true;
+    };
+    systemLinks = lib.mkOption {
+      default = [ ];
+      example = [
+        { path = "/var/lib/docker"; type = "cache"; }
+        { path = "/var/lib/docker/volumes"; type = "data"; }
+      ];
+    };
+    homeLinks = lib.mkOption {
+      default = [ ];
+      example = [
+        { path = ".config/syncthing"; type = "data"; }
+        { path = ".cache/nix-index"; type = "cache"; }
+      ];
+    };
+    ensureExists = lib.mkOption {
+      default = [ ];
+      example = [ "/data/etc/ssh" ];
+    };
+    backups = lib.mkOption {
+      default = [ ];
+      example = [{
+        path = "rpool/safe/data";
+        remotePath = "zdata/recv/<hostname>/safe/data";
+        fast = false;
+        location = "lasting-integrity.vanpetegem.me";
+      }];
+    };
+    rootDataset = lib.mkOption {
+      example = "rpool/local/root";
+    };
+  };
+
+  config = {
+    chvp.dataPrefix = lib.mkDefault "/data";
+    chvp.cachePrefix = lib.mkDefault "/cache";
+
+    boot = {
+      supportedFilesystems = [ "zfs" ];
+      zfs.requestEncryptionCredentials = config.chvp.base.zfs.encrypted;
+      initrd.postDeviceCommands = lib.mkAfter ''
+        zfs rollback -r ${config.chvp.base.zfs.rootDataset}@blank
+      '';
+    };
+
+    services = {
+      znapzend = {
+        enable = config.chvp.base.zfs.backups != [ ];
+        pure = true;
+        autoCreation = true;
+        zetup = builtins.listToAttrs
+          (map
+            (elem: {
+              name = elem.path;
+              value = {
+                enable = true;
+                plan =
+                  if elem.fast then
+                    "1hour=>15min,1day=>1hour,1week=>1day,4week=>1week" else
+                    "1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month";
+                timestampFormat = "%Y-%m-%d--%H%M%SZ";
+                destinations."${elem.location}" = {
+                  plan =
+                    if elem.fast then
+                      "1day=>1hour,1week=>1day,4week=>1week,1year=>4week,10year=>1year" else
+                      "1day=>1hour,1week=>1day,4week=>1week,1year=>1month,10year=>6month";
+                  host = "${elem.location}";
+                  dataset = elem.remotePath;
+                };
+              };
+            })
+            config.chvp.base.zfs.backups);
+
+      };
+      zfs = {
+        autoScrub.enable = true;
+        trim.enable = true;
+      };
+    };
+
+    systemd.services =
+      let
+        ensureExistsScript = lib.concatStringsSep "\n" (map (path: "mkdir -p ${path}") config.chvp.base.zfs.ensureExists);
+        makeLinkScript = config: lib.concatStringsSep "\n" (map (location: ''mkdir -p "${location.path}"'') config);
+        systemLinksScript = makeLinkScript config.chvp.base.zfs.systemLinks;
+        homeLinksScript = makeLinkScript config.chvp.base.zfs.homeLinks;
+      in
+      {
+        make-system-links-destinations = {
+          script = ''
+            ${systemLinksScript}
+            mkdir -p /home/charlotte
+            chown charlotte:users /home/charlotte
+          '';
+          after = [ "local-fs.target" ];
+          wants = [ "local-fs.target" ];
+          before = [ "shutdown.target" "sysinit.target" ];
+          conflicts = [ "shutdown.target" ];
+          wantedBy = [ "sysinit.target" ];
+          serviceConfig = {
+            RemainAfterExit = "yes";
+            Type = "oneshot";
+            UMask = "0077";
+          };
+          unitConfig = {
+            DefaultDependencies = "no";
+          };
+        };
+
+        make-home-links-destinations = {
+          script = homeLinksScript;
+          after = [ "local-fs.target" "make-system-links-destinations.service" ];
+          wants = [ "local-fs.target" "make-system-links-destinations.service" ];
+          before = [ "shutdown.target" "sysinit.target" ];
+          conflicts = [ "shutdown.target" ];
+          wantedBy = [ "sysinit.target" ];
+          serviceConfig = {
+            RemainAfterExit = "yes";
+            Type = "oneshot";
+            User = "charlotte";
+            Group = "users";
+            UMask = "0077";
+            WorkingDirectory = "/home/charlotte";
+          };
+          unitConfig = {
+            DefaultDependencies = "no";
+          };
+        };
+      };
+
+    systemd.mounts =
+      (map
+        (location: {
+          what = "/${location.type}${location.path}";
+          where = "${location.path}";
+          type = "none";
+          options = "bind";
+          after = [ "local-fs.target" "make-system-links-destinations.service" ];
+          wants = [ "local-fs.target" "make-system-links-destinations.service" ];
+          before = [ "umount.target" "sysinit.target" ];
+          conflicts = [ "umount.target" ];
+          wantedBy = [ "sysinit.target" ];
+          unitConfig = {
+            DefaultDependencies = "no";
+          };
+        })
+        config.chvp.base.zfs.systemLinks) ++
+      (map
+        (location: {
+          what = "/${location.type}/home/charlotte/${location.path}";
+          where = "/home/charlotte/${location.path}";
+          type = "none";
+          options = "bind";
+          after = [ "local-fs.target" "make-home-links-destinations.service" ];
+          wants = [ "local-fs.target" "make-home-links-destinations.service" ];
+          before = [ "umount.target" "sysinit.target" ];
+          conflicts = [ "umount.target" ];
+          wantedBy = [ "sysinit.target" ];
+          unitConfig = {
+            DefaultDependencies = "no";
+          };
+        })
+        config.chvp.base.zfs.homeLinks);
+  };
+}

modules/base/zsh/default.nix

@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+let
+  base = (home: {
+    home.packages = [ pkgs.autojump ];
+    programs.zsh = {
+      enable = true;
+      enableAutosuggestions = true;
+      autocd = true;
+      dotDir = ".config/zsh";
+      history = {
+        expireDuplicatesFirst = true;
+        path = "${config.chvp.cachePrefix}${home}/.local/share/zsh/history";
+      };
+      initExtra = ''
+        ${pkgs.any-nix-shell}/bin/any-nix-shell zsh --info-right | source /dev/stdin
+      '';
+      oh-my-zsh = {
+        enable = true;
+        plugins = [
+          "autojump"
+          "common-aliases"
+          "extract"
+          "history-substring-search"
+          "git"
+          "systemd"
+          "tmux"
+        ];
+        theme = "robbyrussell";
+      };
+      plugins = [{
+        name = "zsh-syntax-highlighting";
+        src = pkgs.fetchFromGitHub {
+          owner = "zsh-users";
+          repo = "zsh-syntax-highlighting";
+          rev = "0.7.1";
+          sha256 = "03r6hpb5fy4yaakqm3lbf4xcvd408r44jgpv4lnzl9asp4sb9qc0";
+        };
+      }];
+      sessionVariables = { DEFAULT_USER = "charlotte"; };
+    };
+  });
+in
+{
+  chvp.base.zfs.systemLinks = [{ path = "/root/.local/share/autojump"; type = "cache"; }];
+  chvp.base.zfs.homeLinks = [{ path = ".local/share/autojump"; type = "cache"; }];
+  home-manager.users.charlotte = { ... }: (base "/home/charlotte");
+  home-manager.users.root = { ... }: (base "/root");
+}