Modularise NixOS and home-manager configs

2022-02-20 15:59:07 +00:00 · 2022-02-20 15:59:07 +00:00 · 26ab49d91c
commit 26ab49d91c
parent 31d21e7870
10 changed files with 356 additions and 271 deletions
--- a/flake.nix
+++ b/flake.nix
@ -39,10 +39,10 @@
      ...
    }:
    let
-      inherit (builtins) mapAttrs attrValues;
-      inherit (lib) recurseIntoAttrs filterAttrs;
+      inherit (builtins) mapAttrs;
+      inherit (lib) recurseIntoAttrs filterAttrs evalModules;
      inherit (lib.flake) flattenTree eachDefaultSystem;
-      inherit (lib.my) inlineModules mkDefaultSystemsPkgs flakePackageOverlay;
+      inherit (lib.my) mkDefaultSystemsPkgs flakePackageOverlay;

      # Extend a lib with extras that _must not_ internally reference private nixpkgs. flake-utils doesn't, but many
      # other flakes (e.g. home-manager) probably do internally.
@ -90,41 +90,40 @@
        }))
        pkgsFlakes;

-      modules = mapAttrs (_: f: ./. + "/nixos/modules/${f}") {
-        common = "common.nix";
-        user = "user.nix";
-        build = "build.nix";
-        dynamic-motd = "dynamic-motd.nix";
-        tmproot = "tmproot.nix";
-        firewall = "firewall.nix";
-        server = "server.nix";
-        deploy-rs = "deploy-rs.nix";
-      };
-      homeModules = mapAttrs (_: f: ./. + "/home-manager/modules/${f}") {
-        common = "common.nix";
-        gui = "gui.nix";
+      configs = [
+        # Systems
+        nixos/boxes/colony.nix
+        nixos/installer.nix
+
+        # Homes
+        home-manager/configs/castle.nix
+      ];
+
+      nixfiles = evalModules {
+        modules = [
+          {
+            _module.args = {
+              inherit lib pkgsFlakes hmFlakes inputs;
+              pkgs' = configPkgs';
+            };
+          }
+
+          ./nixos
+          ./home-manager
+        ] ++ configs;
      };
    in
    # Platform independent stuff
    {
      lib = lib.my;
      nixpkgs = pkgs';
+      inherit nixfiles;

-      nixosModules = inlineModules modules;
-      homeModules = inlineModules homeModules;
+      nixosModules = nixfiles.config.nixos.modules;
+      homeModules = nixfiles.config.home-manager.modules;

-      nixosConfigurations = import ./nixos {
-        inherit lib pkgsFlakes hmFlakes inputs;
-        pkgs' = configPkgs';
-        modules = attrValues modules;
-        homeModules = attrValues homeModules;
-      };
-
-      homeConfigurations = import ./home-manager {
-        inherit lib hmFlakes inputs;
-        pkgs' = configPkgs';
-        modules = attrValues homeModules;
-      };
+      nixosConfigurations = mapAttrs (_: s: s.configuration) nixfiles.config.nixos.systems;
+      homeConfigurations = mapAttrs (_: s: s.configuration) nixfiles.config.home-manager.homes;

      deploy = {
        nodes = filterAttrs (_: n: n != null)
@ -142,7 +141,7 @@
    # Stuff for each platform
    {
      checks = flattenTree {
-        homeConfigurations = recurseIntoAttrs self.homes;
+        homeConfigurations = recurseIntoAttrs (mapAttrs (_: h: h.activationPackage) self.homeConfigurations);
        deploy = recurseIntoAttrs (pkgs.deploy-rs.lib.deployChecks self.deploy);
      };

--- a/home-manager/configs/castle.nix
+++ b/home-manager/configs/castle.nix
@ -1,20 +1,29 @@
-{ pkgs, ... }:
 {
-  # So home-manager will inject the sourcing of ~/.nix-profile/etc/profile.d/nix.sh
-  targets.genericLinux.enable = true;
+  home-manager.homes."dev@castle" = {
+    system = "x86_64-linux";
+    nixpkgs = "unstable";
+    homeDirectory = "/home/dev";
+    username = "dev";

-  my = {
-    ssh.matchBlocks = {
-      home = {
-        host =
-          "vm keep.core fw firewall moat.vm storage cellar.vm lxd ship.vm docker whale.vm kerberos gatehouse.lxd " +
-          "nginx.lxd upnp.lxd souterrain.lxd drawbridge.lxd mailcow.lxd";
-        user = "root";
+    configuration = { pkgs, ... }:
+      {
+        # So home-manager will inject the sourcing of ~/.nix-profile/etc/profile.d/nix.sh
+        targets.genericLinux.enable = true;
+
+        my = {
+          ssh.matchBlocks = {
+            home = {
+              host =
+                "vm keep.core fw firewall moat.vm storage cellar.vm lxd ship.vm docker whale.vm kerberos gatehouse.lxd " +
+                "nginx.lxd upnp.lxd souterrain.lxd drawbridge.lxd mailcow.lxd";
+              user = "root";
+            };
+          };
+        };
+
+        programs = {
+          kakoune.enable = true;
+        };
      };
-    };
-  };
-
-  programs = {
-    kakoune.enable = true;
  };
 }
--- a/home-manager/default.nix
+++ b/home-manager/default.nix
@ -1,51 +1,69 @@
-{ lib, hmFlakes, inputs, pkgs', modules }:
+{ lib, hmFlakes, inputs, pkgs', config, ... }:
 let
-  inherit (builtins) removeAttrs mapAttrs;
-  inherit (lib) flatten optional recursiveUpdate;
-  inherit (lib.my) homeStateVersion;
+  inherit (builtins) head tail mapAttrs attrValues;
+  inherit (lib) flatten optional mkOption mkOptionType;
+  inherit (lib.my) homeStateVersion mkOpt' commonOpts inlineModule';

-  mkHome = name: {
-    system,
-    nixpkgs ? "unstable",
-    home-manager ? nixpkgs,
-    config,
-    ...
-  }@args:
-  let
-    rest = removeAttrs args [ "nixpkgs" "home-manager" "config" ];
-  in
+  cfg = config.home-manager;
+
+  mkHome = {
+    config',
+    defs,
+  }:
  # homeManagerConfiguration doesn't allow us to set lib directly (inherits from passed pkgs)
-  hmFlakes.${home-manager}.lib.homeManagerConfiguration (recursiveUpdate rest {
-    configuration = config;
+  hmFlakes.${config'.home-manager}.lib.homeManagerConfiguration {
+    inherit (config') system homeDirectory username;
+    # Pull the first def as `configuration` and add any others to `extraModules` (they should end up in the same list
+    # of modules to evaluate anyway)
+    configuration = head defs;
    # Passing pkgs here doesn't set the global pkgs, just where it'll be imported from (and where the global lib is
    # derived from). We want home-manager to import pkgs itself so it'll apply config and overlays modularly. Any config
    # and overlays previously applied will be passed on by `homeManagerConfiguration` though.
-    pkgs = pkgs'.${nixpkgs}.${system};
-    extraModules = modules ++ [
+    pkgs = pkgs'.${config'.nixpkgs}.${config'.system};
+    extraSpecialArgs = { inherit inputs; };
+    extraModules = (attrValues cfg.modules) ++ [
      {
        warnings = flatten [
-          (optional (nixpkgs != home-manager)
+          (optional (config'.nixpkgs != config'.home-manager)
          ''
-            Using nixpkgs ${nixpkgs} with home-manager ${home-manager} may cause issues.
+            Using nixpkgs ${config'.nixpkgs} with home-manager ${config'.home-manager} may cause issues.
          '')
        ];

        _module.args = {
-          inherit inputs;
-          pkgs' = mapAttrs (_: p: p.${system}) pkgs';
+          pkgs' = mapAttrs (_: p: p.${config'.system}) pkgs';
        };
      }
-      (homeStateVersion home-manager)
-    ];
-  });
-in
-mapAttrs mkHome {
-  "dev@castle" = {
-    system = "x86_64-linux";
-    nixpkgs = "unstable";
-    config = configs/castle.nix;
+      (homeStateVersion config'.home-manager)
+    ] ++ (tail defs);
+  };

-    homeDirectory = "/home/dev";
-    username = "dev";
+  homeOpts = with lib.types; { config, ... }: {
+    options = {
+      inherit (commonOpts) system nixpkgs home-manager;
+      # TODO: docCustom for home-manager?
+      homeDirectory = mkOpt' str null "Absolute path to home directory.";
+      username = mkOpt' str null "Username for the configuration.";
+
+      configuration = mkOption {
+        description = "home-manager configuration module.";
+        type = mkOptionType {
+          name = "home-manager configuration";
+          merge = _: defs: mkHome {
+            config' = config;
+            defs = map (d: inlineModule' d.file d.value) defs;
+          };
+        };
+      };
+    };
+  };
+in
+{
+  imports = [ modules/_list.nix ];
+  options = with lib.types; {
+    home-manager = {
+      modules = mkOpt' (attrsOf commonOpts.moduleType) { } "home-manager modules to be exported by nixfiles.";
+      homes = mkOpt' (attrsOf (submodule homeOpts)) { } "home-manager configurations to be exported by nixfiles.";
+    };
  };
 }
--- a/home-manager/modules/_list.nix
+++ b/home-manager/modules/_list.nix
@ -0,0 +1,6 @@
+{
+  home-manager.modules = {
+    common = ./common.nix;
+    gui = ./gui.nix;
+  };
+}
--- a/lib.nix
+++ b/lib.nix
@ -3,11 +3,10 @@ let
  inherit (builtins) replaceStrings elemAt mapAttrs;
  inherit (lib)
    genAttrs mapAttrs' mapAttrsToList filterAttrsRecursive nameValuePair types
-    mkOption mkOverride mkForce;
+    mkOption mkOverride mkForce mergeEqualOption;
  inherit (lib.flake) defaultSystems;
 in
 rec {
-  addPrefix = prefix: mapAttrs' (n: v: { name = "${prefix}${n}"; value = v; });
  # Yoinked from nixpkgs/nixos/modules/services/networking/nat.nix
  isIPv6 = ip: builtins.length (lib.splitString ":" ip) > 2;
  parseIPPort = ipp:
@ -31,13 +30,6 @@ rec {
    let
      app = pkgs.writeShellApplication args;
    in mkApp "${app}/bin/${app.meta.mainProgram}";
-  inlineModules = modules: mapAttrs
-    (_: path:
-      {
-        _file = path;
-        imports = [ (import path) ];
-      })
-    modules;
  flakePackageOverlay' = flake: pkg: system: (final: prev:
    let
      pkg' = if pkg != null then flake.packages.${system}.${pkg} else flake.defaultPackage.${system};
@ -48,6 +40,12 @@ rec {
    });
  flakePackageOverlay = flake: flakePackageOverlay' flake null;

+  inlineModule' = path: module: {
+    _file = path;
+    imports = [ module ];
+  };
+  inlineModule = path: inlineModule' path (import path);
+
  # Merge together modules which are defined as functions with others that aren't
  naiveModule = with types; (coercedTo (attrsOf anything) (conf: { ... }: conf) (functionTo (attrsOf anything)));

@ -75,6 +73,17 @@ rec {
    home.stateVersion = mkForce (if hmBranch == "unstable" then "22.05" else "21.11");
  };

+  commonOpts = with types; {
+    moduleType = mkOptionType {
+      name = "Inline flake-exportable module";
+      merge = loc: defs: inlineModule (mergeEqualOption loc defs);
+    };
+
+    system = mkOpt' (enum defaultSystems) null "Nix-style system string.";
+    nixpkgs = mkOpt' (enum [ "master" "unstable" "stable" "mine" ]) "unstable" "Branch of nixpkgs to use.";
+    home-manager = mkOpt' (enum [ "unstable" "stable" ]) "unstable" "Branch of home-manager to use.";
+  };
+
  deploy-rs =
  with types;
  let
--- a/nixos/boxes/colony.nix
+++ b/nixos/boxes/colony.nix
@ -1,44 +1,53 @@
-{ lib, pkgs, modulesPath, ... }:
 {
-  imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+  nixos.systems.colony = {
+    system = "x86_64-linux";
+    nixpkgs = "stable";
+    home-manager = "unstable";
+    docCustom = false;

-  my = {
-    firewall = {
-      trustedInterfaces = [ "blah" ];
-      nat = {
-        externalInterface = "eth0";
-        forwardPorts = [
-          {
-            proto = "tcp";
-            sourcePort = 2222;
-            destination = "127.0.0.1:22";
-          }
-        ];
+    configuration = { lib, pkgs, modulesPath, ... }:
+      {
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+
+        my = {
+          firewall = {
+            trustedInterfaces = [ "blah" ];
+            nat = {
+              externalInterface = "eth0";
+              forwardPorts = [
+                {
+                  proto = "tcp";
+                  sourcePort = 2222;
+                  destination = "127.0.0.1:22";
+                }
+              ];
+            };
+          };
+          server.enable = true;
+          tmproot.unsaved.ignore = [
+            "/var/db/dhcpcd/enp1s0.lease"
+          ];
+        };
+
+        fileSystems = {
+          "/boot" = {
+            device = "/dev/disk/by-label/ESP";
+            fsType = "vfat";
+          };
+          "/nix" = {
+            device = "/dev/disk/by-label/nix";
+            fsType = "ext4";
+          };
+          "/persist" = {
+            device = "/dev/disk/by-label/persist";
+            fsType = "ext4";
+            neededForBoot = true;
+          };
+        };
+
+        networking = {
+          interfaces.enp1s0.useDHCP = true;
+        };
      };
-    };
-    server.enable = true;
-    tmproot.unsaved.ignore = [
-      "/var/db/dhcpcd/enp1s0.lease"
-    ];
-  };
-
-  fileSystems = {
-    "/boot" = {
-      device = "/dev/disk/by-label/ESP";
-      fsType = "vfat";
-    };
-    "/nix" = {
-      device = "/dev/disk/by-label/nix";
-      fsType = "ext4";
-    };
-    "/persist" = {
-      device = "/dev/disk/by-label/persist";
-      fsType = "ext4";
-      neededForBoot = true;
-    };
-  };
-
-  networking = {
-    interfaces.enp1s0.useDHCP = true;
  };
 }
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -1,71 +1,64 @@
-{ lib, pkgsFlakes, hmFlakes, inputs, pkgs', modules, homeModules }:
+{ lib, pkgsFlakes, hmFlakes, inputs, pkgs', config, ... }:
 let
  inherit (builtins) attrValues mapAttrs;
-  inherit (lib) flatten optional optionals mkDefault mkForce;
-  inherit (lib.my) homeStateVersion;
+  inherit (lib) substring flatten optional optionals mkDefault mkOption mkOptionType;
+  inherit (lib.my) homeStateVersion mkOpt' mkBoolOpt' commonOpts inlineModule';
+
+  cfg = config.nixos;

  mkSystem =
-    name: {
-      system,
-
-      nixpkgs ? "unstable",
-      home-manager ? nixpkgs,
-      hmNixpkgs ? home-manager,
-
-      config,
-      # This causes a (very slow) docs rebuild on every change to a module's options it seems
-      docCustom ? true,
+    {
+      name,
+      config',
+      defs,
    }:
    let
      # The flake contains `nixosSystem`, so we do need it (if we didn't have the TODO hacked version anyway)
-      pkgsFlake = pkgsFlakes.${nixpkgs};
+      pkgsFlake = pkgsFlakes.${config'.nixpkgs};
      # TODO: This is mostly yoinked from nixpkgs/flake.nix master (as of 2022/02/11) since 21.11's version has hacky
      # vm build stuff that breaks our impl. REMOVE WHEN 22.05 IS OUT!
      nixosSystem' = args:
        import "${pkgsFlake}/nixos/lib/eval-config.nix" (args // {
          modules = args.modules ++ [{
            system.nixos.versionSuffix =
-              ".${lib.substring 0 8 pkgsFlake.lastModifiedDate}.${pkgsFlake.shortRev}";
+              ".${substring 0 8 pkgsFlake.lastModifiedDate}.${pkgsFlake.shortRev}";
            system.nixos.revision = pkgsFlake.rev;
          }];
        });

-      modules' = [
-          # Importing modules from module args causes infinite recursion
-          inputs.impermanence.nixosModule
-          hmFlake.nixosModule
-          inputs.agenix.nixosModules.age
-      ] ++ modules;
-      pkgs = pkgs'.${nixpkgs}.${system};
-      allPkgs = mapAttrs (_: p: p.${system}) pkgs';
+      pkgs = pkgs'.${config'.nixpkgs}.${config'.system};
+      allPkgs = mapAttrs (_: p: p.${config'.system}) pkgs';

-      hmFlake = hmFlakes.${home-manager};
+      modules' = [ hmFlakes.${config'.home-manager}.nixosModule ] ++ (attrValues cfg.modules);
    in
    nixosSystem' {
      # Gotta override lib here unforunately, eval-config.nix likes to import its own (unextended) lib. We explicitly
      # don't pass pkgs so that it'll be imported with modularly applied config and overlays.
      lib = pkgs.lib;
+
+      # Put the inputs in specialArgs to avoid infinite recursion when modules try to do imports
+      specialArgs = { inherit inputs; };
+
      # `baseModules` informs the manual which modules to document
      baseModules =
-        (import "${pkgsFlake}/nixos/modules/module-list.nix") ++ (optionals docCustom modules');
-      modules = (optionals (!docCustom) modules') ++ [
-        (modArgs: {
+        (import "${pkgsFlake}/nixos/modules/module-list.nix") ++ (optionals config'.docCustom modules');
+      modules = (optionals (!config'.docCustom) modules') ++ [
+        (sysModArgs: {
          warnings = flatten [
-            (optional (modArgs.config.home-manager.useGlobalPkgs && (nixpkgs != home-manager))
+            (optional (sysModArgs.config.home-manager.useGlobalPkgs && (config'.nixpkgs != config'.home-manager))
            ''
-              Using global nixpkgs ${nixpkgs} with home-manager ${home-manager} may cause problems.
+              Using global nixpkgs ${config'.nixpkgs} with home-manager ${config'.home-manager} may cause problems.
            '')
          ];

          _module.args = {
-            inherit inputs;
            pkgs' = allPkgs;
          };

          system.name = name;
          networking.hostName = mkDefault name;
          nixpkgs = {
-            inherit system;
+            inherit (config') system;
            # Make sure any previously set config / overlays (e.g. lib which will be inherited by home-manager down the
            # line) are passed on when nixpkgs is imported.
            inherit (pkgs) config overlays;
@ -74,45 +67,61 @@ let
          # Unfortunately it seems there's no way to fully decouple home-manager's lib from NixOS's pkgs.lib. :(
          # https://github.com/nix-community/home-manager/blob/7c2ae0bdd20ddcaafe41ef669226a1df67f8aa06/nixos/default.nix#L22
          home-manager = {
+            extraSpecialArgs = { inherit inputs; };
            # Optimise if system and home-manager nixpkgs are the same
-            useGlobalPkgs = mkDefault (nixpkgs == home-manager);
-            sharedModules = homeModules ++ [
+            useGlobalPkgs = mkDefault (config'.nixpkgs == config'.home-manager);
+            sharedModules = (attrValues config.home-manager.modules) ++ [
              {
                warnings = flatten [
-                  (optional (!modArgs.config.home-manager.useGlobalPkgs && (hmNixpkgs != home-manager))
+                  (optional (!sysModArgs.config.home-manager.useGlobalPkgs && (config'.hmNixpkgs != config'.home-manager))
                  ''
-                    Using per-user nixpkgs ${hmNixpkgs} with home-manager ${home-manager} may cause issues.
+                    Using per-user nixpkgs ${config'.hmNixpkgs} with home-manager ${config'.home-manager}
+                    may cause issues.
                  '')
                ];

-                # pkgsPath is used by home-manager's nixkpgs module to import nixpkgs (i.e. if !useGlobalPkgs)
+                # pkgsPath is used by home-manager's nixpkgs module to import nixpkgs (i.e. if !useGlobalPkgs)
                _module.args = {
-                  inherit inputs;
-                  pkgsPath = toString pkgsFlakes.${hmNixpkgs};
+                  pkgsPath = toString pkgsFlakes.${config'.hmNixpkgs};
                  pkgs' = allPkgs;
                };
              }
-              (homeStateVersion home-manager)
+              (homeStateVersion config'.home-manager)
            ];
          };
        })
-        config
-      ];
+      ] ++ defs;
    };
-in
-mapAttrs mkSystem {
-  colony = {
-    system = "x86_64-linux";
-    nixpkgs = "stable";
-    home-manager = "unstable";
-    config = boxes/colony.nix;
-    docCustom = false;
-  };

-  installer = {
-    system = "x86_64-linux";
-    nixpkgs = "unstable";
-    config = ./installer.nix;
-    docCustom = false;
+  systemOpts = with lib.types; { name, config, ... }: {
+    options = {
+      inherit (commonOpts) system nixpkgs home-manager;
+      hmNixpkgs = commonOpts.nixpkgs;
+      # This causes a (very slow) docs rebuild on every change to a module's options it seems
+      docCustom = mkBoolOpt' false "Whether to document nixfiles' custom NixOS modules.";
+
+      configuration = mkOption {
+        description = "NixOS configuration module.";
+        # Based on the definition of containers.<name>.config
+        type = mkOptionType {
+          name = "Toplevel NixOS config";
+          merge = _: defs: mkSystem {
+            inherit name;
+            config' = config;
+            defs = map (d: inlineModule' d.file d.value) defs;
+          };
+        };
+      };
+    };
+  };
+in
+{
+  imports = [ modules/_list.nix ];
+
+  options = with lib.types; {
+    nixos = {
+      modules = mkOpt' (attrsOf commonOpts.moduleType) { } "NixOS modules to be exported by nixfiles.";
+      systems = mkOpt' (attrsOf (submodule systemOpts)) { } "NixOS systems to be exported by nixfiles.";
+    };
  };
 }
--- a/nixos/installer.nix
+++ b/nixos/installer.nix
@ -1,97 +1,106 @@
-{ lib, pkgs, modulesPath, config, ... }:
-let
-  inherit (lib) mkDefault mkForce mkImageMediaOverride;
-
-  installRoot = "/mnt";
-in
 {
-  imports = [
-    # Lots of kernel modules and firmware
-    "${modulesPath}/profiles/all-hardware.nix"
-    # Useful tools to have
-    "${modulesPath}/profiles/base.nix"
-  ];
+  nixos.systems.installer = {
+    system = "x86_64-linux";
+    nixpkgs = "unstable";
+    docCustom = false;

-  config = {
-    my = {
-      # Whatever installer mechanism is chosen will provied an appropriate `/`
-      tmproot.enable = false;
-      firewall.nat.enable = false;
-      deploy.enable = false;
-      user.enable = false;
+    configuration =
+      { lib, pkgs, modulesPath, config, ... }:
+      let
+        inherit (lib) mkDefault mkForce mkImageMediaOverride;

-      server.enable = true;
-    };
+        installRoot = "/mnt";
+      in
+      {
+        imports = [
+          # Lots of kernel modules and firmware
+          "${modulesPath}/profiles/all-hardware.nix"
+          # Useful tools to have
+          "${modulesPath}/profiles/base.nix"
+        ];

-    environment.sessionVariables = {
-      INSTALL_ROOT = installRoot;
-    };
-    users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
-    home-manager.users.root = {
-      programs = {
-        starship.settings = {
-          hostname.ssh_only = false;
+        config = {
+          my = {
+            # Whatever installer mechanism is chosen will provied an appropriate `/`
+            tmproot.enable = false;
+            firewall.nat.enable = false;
+            deploy.enable = false;
+            user.enable = false;
+
+            server.enable = true;
+          };
+
+          environment.sessionVariables = {
+            INSTALL_ROOT = installRoot;
+          };
+          users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
+          home-manager.users.root = {
+            programs = {
+              starship.settings = {
+                hostname.ssh_only = false;
+              };
+            };
+
+            home.shellAliases = {
+              show-hw-config = "nixos-generate-config --show-hardware-config --root $INSTALL_ROOT";
+            };
+          };
+
+          services = {
+            openssh = {
+              permitRootLogin = mkImageMediaOverride "prohibit-password";
+            };
+          };
+
+          # Will be set dynamically
+          networking.hostName = "";
+
+          # This should be overridden by whatever boot mechanism is used
+          fileSystems."/" = mkDefault {
+            device = "none";
+            fsType = "tmpfs";
+          };
+
+          systemd.tmpfiles.rules = [
+            "d ${installRoot} 0755 root root"
+          ];
+          boot.postBootCommands =
+            ''
+              ${pkgs.nettools}/bin/hostname "installer-$(${pkgs.coreutils}/bin/head -c4 /dev/urandom | \
+                ${pkgs.coreutils}/bin/od -A none -t x4 | \
+                ${pkgs.gawk}/bin/awk '{ print $1 }')"
+            '';
+
+          environment.systemPackages = with pkgs; [
+            # We disable networking.useDHCP, so bring these in for the user
+            # dhcpcd probably has more features, but dhclient actually seems a bit more simple
+            (pkgs.writeShellScriptBin "dhclient" ''exec ${pkgs.dhcp}/bin/dhclient -v "$@"'')
+            dhcpcd
+          ];
+
+          # Much of this onwards is yoinked from modules/profiles/installation-device.nix
+          # Good to have docs in the installer!
+          # TODO: docs rebuilding every time?
+          documentation.enable = mkForce false;
+          documentation.nixos.enable = mkForce false;
+
+          # Enable wpa_supplicant, but don't start it by default.
+          networking.wireless.enable = mkDefault true;
+          networking.wireless.userControlled.enable = true;
+          systemd.services.wpa_supplicant.wantedBy = mkForce [];
+
+          # Tell the Nix evaluator to garbage collect more aggressively.
+          # This is desirable in memory-constrained environments that don't
+          # (yet) have swap set up.
+          environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
+
+          # Make the installer more likely to succeed in low memory
+          # environments.  The kernel's overcommit heustistics bite us
+          # fairly often, preventing processes such as nix-worker or
+          # download-using-manifests.pl from forking even if there is
+          # plenty of free memory.
+          boot.kernel.sysctl."vm.overcommit_memory" = "1";
        };
      };
-
-      home.shellAliases = {
-        show-hw-config = "nixos-generate-config --show-hardware-config --root $INSTALL_ROOT";
-      };
-    };
-
-    services = {
-      openssh = {
-        permitRootLogin = mkImageMediaOverride "prohibit-password";
-      };
-    };
-
-    # Will be set dynamically
-    networking.hostName = "";
-
-    # This should be overridden by whatever boot mechanism is used
-    fileSystems."/" = mkDefault {
-      device = "none";
-      fsType = "tmpfs";
-    };
-
-    systemd.tmpfiles.rules = [
-      "d ${installRoot} 0755 root root"
-    ];
-    boot.postBootCommands =
-      ''
-        ${pkgs.nettools}/bin/hostname "installer-$(${pkgs.coreutils}/bin/head -c4 /dev/urandom | \
-          ${pkgs.coreutils}/bin/od -A none -t x4 | \
-          ${pkgs.gawk}/bin/awk '{ print $1 }')"
-      '';
-
-    environment.systemPackages = with pkgs; [
-      # We disable networking.useDHCP, so bring these in for the user
-      # dhcpcd probably has more features, but dhclient actually seems a bit more simple
-      (pkgs.writeShellScriptBin "dhclient" ''exec ${pkgs.dhcp}/bin/dhclient -v "$@"'')
-      dhcpcd
-    ];
-
-    # Much of this onwards is yoinked from modules/profiles/installation-device.nix
-    # Good to have docs in the installer!
-    # TODO: docs rebuilding every time?
-    documentation.enable = mkForce false;
-    documentation.nixos.enable = mkForce false;
-
-    # Enable wpa_supplicant, but don't start it by default.
-    networking.wireless.enable = mkDefault true;
-    networking.wireless.userControlled.enable = true;
-    systemd.services.wpa_supplicant.wantedBy = mkForce [];
-
-    # Tell the Nix evaluator to garbage collect more aggressively.
-    # This is desirable in memory-constrained environments that don't
-    # (yet) have swap set up.
-    environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
-
-    # Make the installer more likely to succeed in low memory
-    # environments.  The kernel's overcommit heustistics bite us
-    # fairly often, preventing processes such as nix-worker or
-    # download-using-manifests.pl from forking even if there is
-    # plenty of free memory.
-    boot.kernel.sysctl."vm.overcommit_memory" = "1";
  };
 }
--- a/nixos/modules/_list.nix
+++ b/nixos/modules/_list.nix
@ -0,0 +1,12 @@
+{
+  nixos.modules = {
+    common = ./common.nix;
+    user = ./user.nix;
+    build = ./build.nix;
+    dynamic-motd = ./dynamic-motd.nix;
+    tmproot = ./tmproot.nix;
+    firewall = ./firewall.nix;
+    server = ./server.nix;
+    deploy-rs = ./deploy-rs.nix;
+  };
+}
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@ -17,6 +17,11 @@ in
    documentation.nixos.options.warningsAreErrors = dummyOption;
  };

+  imports = [
+    inputs.impermanence.nixosModule
+    inputs.agenix.nixosModules.age
+  ];
+
  config = mkMerge [
    {
      home-manager = {