Modularise NixOS and home-manager configs

nixos/boxes/colony.nix

@@ -1,44 +1,53 @@
-{ lib, pkgs, modulesPath, ... }:
 {
-  imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+  nixos.systems.colony = {
+    system = "x86_64-linux";
+    nixpkgs = "stable";
+    home-manager = "unstable";
+    docCustom = false;
 
-  my = {
-    firewall = {
-      trustedInterfaces = [ "blah" ];
-      nat = {
-        externalInterface = "eth0";
-        forwardPorts = [
-          {
-            proto = "tcp";
-            sourcePort = 2222;
-            destination = "127.0.0.1:22";
-          }
-        ];
+    configuration = { lib, pkgs, modulesPath, ... }:
+      {
+        imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
+
+        my = {
+          firewall = {
+            trustedInterfaces = [ "blah" ];
+            nat = {
+              externalInterface = "eth0";
+              forwardPorts = [
+                {
+                  proto = "tcp";
+                  sourcePort = 2222;
+                  destination = "127.0.0.1:22";
+                }
+              ];
+            };
+          };
+          server.enable = true;
+          tmproot.unsaved.ignore = [
+            "/var/db/dhcpcd/enp1s0.lease"
+          ];
+        };
+
+        fileSystems = {
+          "/boot" = {
+            device = "/dev/disk/by-label/ESP";
+            fsType = "vfat";
+          };
+          "/nix" = {
+            device = "/dev/disk/by-label/nix";
+            fsType = "ext4";
+          };
+          "/persist" = {
+            device = "/dev/disk/by-label/persist";
+            fsType = "ext4";
+            neededForBoot = true;
+          };
+        };
+
+        networking = {
+          interfaces.enp1s0.useDHCP = true;
+        };
       };
-    };
-    server.enable = true;
-    tmproot.unsaved.ignore = [
-      "/var/db/dhcpcd/enp1s0.lease"
-    ];
-  };
-
-  fileSystems = {
-    "/boot" = {
-      device = "/dev/disk/by-label/ESP";
-      fsType = "vfat";
-    };
-    "/nix" = {
-      device = "/dev/disk/by-label/nix";
-      fsType = "ext4";
-    };
-    "/persist" = {
-      device = "/dev/disk/by-label/persist";
-      fsType = "ext4";
-      neededForBoot = true;
-    };
-  };
-
-  networking = {
-    interfaces.enp1s0.useDHCP = true;
   };
 }

nixos/default.nix

@@ -1,71 +1,64 @@
-{ lib, pkgsFlakes, hmFlakes, inputs, pkgs', modules, homeModules }:
+{ lib, pkgsFlakes, hmFlakes, inputs, pkgs', config, ... }:
 let
   inherit (builtins) attrValues mapAttrs;
-  inherit (lib) flatten optional optionals mkDefault mkForce;
-  inherit (lib.my) homeStateVersion;
+  inherit (lib) substring flatten optional optionals mkDefault mkOption mkOptionType;
+  inherit (lib.my) homeStateVersion mkOpt' mkBoolOpt' commonOpts inlineModule';
+
+  cfg = config.nixos;
 
   mkSystem =
-    name: {
-      system,
-
-      nixpkgs ? "unstable",
-      home-manager ? nixpkgs,
-      hmNixpkgs ? home-manager,
-
-      config,
-      # This causes a (very slow) docs rebuild on every change to a module's options it seems
-      docCustom ? true,
+    {
+      name,
+      config',
+      defs,
     }:
     let
       # The flake contains `nixosSystem`, so we do need it (if we didn't have the TODO hacked version anyway)
-      pkgsFlake = pkgsFlakes.${nixpkgs};
+      pkgsFlake = pkgsFlakes.${config'.nixpkgs};
       # TODO: This is mostly yoinked from nixpkgs/flake.nix master (as of 2022/02/11) since 21.11's version has hacky
       # vm build stuff that breaks our impl. REMOVE WHEN 22.05 IS OUT!
       nixosSystem' = args:
         import "${pkgsFlake}/nixos/lib/eval-config.nix" (args // {
           modules = args.modules ++ [{
             system.nixos.versionSuffix =
-              ".${lib.substring 0 8 pkgsFlake.lastModifiedDate}.${pkgsFlake.shortRev}";
+              ".${substring 0 8 pkgsFlake.lastModifiedDate}.${pkgsFlake.shortRev}";
             system.nixos.revision = pkgsFlake.rev;
           }];
         });
 
-      modules' = [
-          # Importing modules from module args causes infinite recursion
-          inputs.impermanence.nixosModule
-          hmFlake.nixosModule
-          inputs.agenix.nixosModules.age
-      ] ++ modules;
-      pkgs = pkgs'.${nixpkgs}.${system};
-      allPkgs = mapAttrs (_: p: p.${system}) pkgs';
+      pkgs = pkgs'.${config'.nixpkgs}.${config'.system};
+      allPkgs = mapAttrs (_: p: p.${config'.system}) pkgs';
 
-      hmFlake = hmFlakes.${home-manager};
+      modules' = [ hmFlakes.${config'.home-manager}.nixosModule ] ++ (attrValues cfg.modules);
     in
     nixosSystem' {
       # Gotta override lib here unforunately, eval-config.nix likes to import its own (unextended) lib. We explicitly
       # don't pass pkgs so that it'll be imported with modularly applied config and overlays.
       lib = pkgs.lib;
+
+      # Put the inputs in specialArgs to avoid infinite recursion when modules try to do imports
+      specialArgs = { inherit inputs; };
+
       # `baseModules` informs the manual which modules to document
       baseModules =
-        (import "${pkgsFlake}/nixos/modules/module-list.nix") ++ (optionals docCustom modules');
-      modules = (optionals (!docCustom) modules') ++ [
-        (modArgs: {
+        (import "${pkgsFlake}/nixos/modules/module-list.nix") ++ (optionals config'.docCustom modules');
+      modules = (optionals (!config'.docCustom) modules') ++ [
+        (sysModArgs: {
           warnings = flatten [
-            (optional (modArgs.config.home-manager.useGlobalPkgs && (nixpkgs != home-manager))
+            (optional (sysModArgs.config.home-manager.useGlobalPkgs && (config'.nixpkgs != config'.home-manager))
             ''
-              Using global nixpkgs ${nixpkgs} with home-manager ${home-manager} may cause problems.
+              Using global nixpkgs ${config'.nixpkgs} with home-manager ${config'.home-manager} may cause problems.
             '')
           ];
 
           _module.args = {
-            inherit inputs;
             pkgs' = allPkgs;
           };
 
           system.name = name;
           networking.hostName = mkDefault name;
           nixpkgs = {
-            inherit system;
+            inherit (config') system;
             # Make sure any previously set config / overlays (e.g. lib which will be inherited by home-manager down the
             # line) are passed on when nixpkgs is imported.
             inherit (pkgs) config overlays;
@@ -74,45 +67,61 @@ let
           # Unfortunately it seems there's no way to fully decouple home-manager's lib from NixOS's pkgs.lib. :(
           # https://github.com/nix-community/home-manager/blob/7c2ae0bdd20ddcaafe41ef669226a1df67f8aa06/nixos/default.nix#L22
           home-manager = {
+            extraSpecialArgs = { inherit inputs; };
             # Optimise if system and home-manager nixpkgs are the same
-            useGlobalPkgs = mkDefault (nixpkgs == home-manager);
-            sharedModules = homeModules ++ [
+            useGlobalPkgs = mkDefault (config'.nixpkgs == config'.home-manager);
+            sharedModules = (attrValues config.home-manager.modules) ++ [
               {
                 warnings = flatten [
-                  (optional (!modArgs.config.home-manager.useGlobalPkgs && (hmNixpkgs != home-manager))
+                  (optional (!sysModArgs.config.home-manager.useGlobalPkgs && (config'.hmNixpkgs != config'.home-manager))
                   ''
-                    Using per-user nixpkgs ${hmNixpkgs} with home-manager ${home-manager} may cause issues.
+                    Using per-user nixpkgs ${config'.hmNixpkgs} with home-manager ${config'.home-manager}
+                    may cause issues.
                   '')
                 ];
 
-                # pkgsPath is used by home-manager's nixkpgs module to import nixpkgs (i.e. if !useGlobalPkgs)
+                # pkgsPath is used by home-manager's nixpkgs module to import nixpkgs (i.e. if !useGlobalPkgs)
                 _module.args = {
-                  inherit inputs;
-                  pkgsPath = toString pkgsFlakes.${hmNixpkgs};
+                  pkgsPath = toString pkgsFlakes.${config'.hmNixpkgs};
                   pkgs' = allPkgs;
                 };
               }
-              (homeStateVersion home-manager)
+              (homeStateVersion config'.home-manager)
             ];
           };
         })
-        config
-      ];
+      ] ++ defs;
     };
-in
-mapAttrs mkSystem {
-  colony = {
-    system = "x86_64-linux";
-    nixpkgs = "stable";
-    home-manager = "unstable";
-    config = boxes/colony.nix;
-    docCustom = false;
-  };
 
-  installer = {
-    system = "x86_64-linux";
-    nixpkgs = "unstable";
-    config = ./installer.nix;
-    docCustom = false;
+  systemOpts = with lib.types; { name, config, ... }: {
+    options = {
+      inherit (commonOpts) system nixpkgs home-manager;
+      hmNixpkgs = commonOpts.nixpkgs;
+      # This causes a (very slow) docs rebuild on every change to a module's options it seems
+      docCustom = mkBoolOpt' false "Whether to document nixfiles' custom NixOS modules.";
+
+      configuration = mkOption {
+        description = "NixOS configuration module.";
+        # Based on the definition of containers.<name>.config
+        type = mkOptionType {
+          name = "Toplevel NixOS config";
+          merge = _: defs: mkSystem {
+            inherit name;
+            config' = config;
+            defs = map (d: inlineModule' d.file d.value) defs;
+          };
+        };
+      };
+    };
+  };
+in
+{
+  imports = [ modules/_list.nix ];
+
+  options = with lib.types; {
+    nixos = {
+      modules = mkOpt' (attrsOf commonOpts.moduleType) { } "NixOS modules to be exported by nixfiles.";
+      systems = mkOpt' (attrsOf (submodule systemOpts)) { } "NixOS systems to be exported by nixfiles.";
+    };
   };
 }

nixos/installer.nix

@@ -1,97 +1,106 @@
-{ lib, pkgs, modulesPath, config, ... }:
-let
-  inherit (lib) mkDefault mkForce mkImageMediaOverride;
-
-  installRoot = "/mnt";
-in
 {
-  imports = [
-    # Lots of kernel modules and firmware
-    "${modulesPath}/profiles/all-hardware.nix"
-    # Useful tools to have
-    "${modulesPath}/profiles/base.nix"
-  ];
+  nixos.systems.installer = {
+    system = "x86_64-linux";
+    nixpkgs = "unstable";
+    docCustom = false;
 
-  config = {
-    my = {
-      # Whatever installer mechanism is chosen will provied an appropriate `/`
-      tmproot.enable = false;
-      firewall.nat.enable = false;
-      deploy.enable = false;
-      user.enable = false;
+    configuration =
+      { lib, pkgs, modulesPath, config, ... }:
+      let
+        inherit (lib) mkDefault mkForce mkImageMediaOverride;
 
-      server.enable = true;
-    };
+        installRoot = "/mnt";
+      in
+      {
+        imports = [
+          # Lots of kernel modules and firmware
+          "${modulesPath}/profiles/all-hardware.nix"
+          # Useful tools to have
+          "${modulesPath}/profiles/base.nix"
+        ];
 
-    environment.sessionVariables = {
-      INSTALL_ROOT = installRoot;
-    };
-    users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
-    home-manager.users.root = {
-      programs = {
-        starship.settings = {
-          hostname.ssh_only = false;
+        config = {
+          my = {
+            # Whatever installer mechanism is chosen will provied an appropriate `/`
+            tmproot.enable = false;
+            firewall.nat.enable = false;
+            deploy.enable = false;
+            user.enable = false;
+
+            server.enable = true;
+          };
+
+          environment.sessionVariables = {
+            INSTALL_ROOT = installRoot;
+          };
+          users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
+          home-manager.users.root = {
+            programs = {
+              starship.settings = {
+                hostname.ssh_only = false;
+              };
+            };
+
+            home.shellAliases = {
+              show-hw-config = "nixos-generate-config --show-hardware-config --root $INSTALL_ROOT";
+            };
+          };
+
+          services = {
+            openssh = {
+              permitRootLogin = mkImageMediaOverride "prohibit-password";
+            };
+          };
+
+          # Will be set dynamically
+          networking.hostName = "";
+
+          # This should be overridden by whatever boot mechanism is used
+          fileSystems."/" = mkDefault {
+            device = "none";
+            fsType = "tmpfs";
+          };
+
+          systemd.tmpfiles.rules = [
+            "d ${installRoot} 0755 root root"
+          ];
+          boot.postBootCommands =
+            ''
+              ${pkgs.nettools}/bin/hostname "installer-$(${pkgs.coreutils}/bin/head -c4 /dev/urandom | \
+                ${pkgs.coreutils}/bin/od -A none -t x4 | \
+                ${pkgs.gawk}/bin/awk '{ print $1 }')"
+            '';
+
+          environment.systemPackages = with pkgs; [
+            # We disable networking.useDHCP, so bring these in for the user
+            # dhcpcd probably has more features, but dhclient actually seems a bit more simple
+            (pkgs.writeShellScriptBin "dhclient" ''exec ${pkgs.dhcp}/bin/dhclient -v "$@"'')
+            dhcpcd
+          ];
+
+          # Much of this onwards is yoinked from modules/profiles/installation-device.nix
+          # Good to have docs in the installer!
+          # TODO: docs rebuilding every time?
+          documentation.enable = mkForce false;
+          documentation.nixos.enable = mkForce false;
+
+          # Enable wpa_supplicant, but don't start it by default.
+          networking.wireless.enable = mkDefault true;
+          networking.wireless.userControlled.enable = true;
+          systemd.services.wpa_supplicant.wantedBy = mkForce [];
+
+          # Tell the Nix evaluator to garbage collect more aggressively.
+          # This is desirable in memory-constrained environments that don't
+          # (yet) have swap set up.
+          environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
+
+          # Make the installer more likely to succeed in low memory
+          # environments.  The kernel's overcommit heustistics bite us
+          # fairly often, preventing processes such as nix-worker or
+          # download-using-manifests.pl from forking even if there is
+          # plenty of free memory.
+          boot.kernel.sysctl."vm.overcommit_memory" = "1";
         };
       };
-
-      home.shellAliases = {
-        show-hw-config = "nixos-generate-config --show-hardware-config --root $INSTALL_ROOT";
-      };
-    };
-
-    services = {
-      openssh = {
-        permitRootLogin = mkImageMediaOverride "prohibit-password";
-      };
-    };
-
-    # Will be set dynamically
-    networking.hostName = "";
-
-    # This should be overridden by whatever boot mechanism is used
-    fileSystems."/" = mkDefault {
-      device = "none";
-      fsType = "tmpfs";
-    };
-
-    systemd.tmpfiles.rules = [
-      "d ${installRoot} 0755 root root"
-    ];
-    boot.postBootCommands =
-      ''
-        ${pkgs.nettools}/bin/hostname "installer-$(${pkgs.coreutils}/bin/head -c4 /dev/urandom | \
-          ${pkgs.coreutils}/bin/od -A none -t x4 | \
-          ${pkgs.gawk}/bin/awk '{ print $1 }')"
-      '';
-
-    environment.systemPackages = with pkgs; [
-      # We disable networking.useDHCP, so bring these in for the user
-      # dhcpcd probably has more features, but dhclient actually seems a bit more simple
-      (pkgs.writeShellScriptBin "dhclient" ''exec ${pkgs.dhcp}/bin/dhclient -v "$@"'')
-      dhcpcd
-    ];
-
-    # Much of this onwards is yoinked from modules/profiles/installation-device.nix
-    # Good to have docs in the installer!
-    # TODO: docs rebuilding every time?
-    documentation.enable = mkForce false;
-    documentation.nixos.enable = mkForce false;
-
-    # Enable wpa_supplicant, but don't start it by default.
-    networking.wireless.enable = mkDefault true;
-    networking.wireless.userControlled.enable = true;
-    systemd.services.wpa_supplicant.wantedBy = mkForce [];
-
-    # Tell the Nix evaluator to garbage collect more aggressively.
-    # This is desirable in memory-constrained environments that don't
-    # (yet) have swap set up.
-    environment.variables.GC_INITIAL_HEAP_SIZE = "1M";
-
-    # Make the installer more likely to succeed in low memory
-    # environments.  The kernel's overcommit heustistics bite us
-    # fairly often, preventing processes such as nix-worker or
-    # download-using-manifests.pl from forking even if there is
-    # plenty of free memory.
-    boot.kernel.sysctl."vm.overcommit_memory" = "1";
   };
 }

nixos/modules/_list.nix

@@ -0,0 +1,12 @@
+{
+  nixos.modules = {
+    common = ./common.nix;
+    user = ./user.nix;
+    build = ./build.nix;
+    dynamic-motd = ./dynamic-motd.nix;
+    tmproot = ./tmproot.nix;
+    firewall = ./firewall.nix;
+    server = ./server.nix;
+    deploy-rs = ./deploy-rs.nix;
+  };
+}

nixos/modules/common.nix

@@ -17,6 +17,11 @@ in
     documentation.nixos.options.warningsAreErrors = dummyOption;
   };
 
+  imports = [
+    inputs.impermanence.nixosModule
+    inputs.agenix.nixosModules.age
+  ];
+
   config = mkMerge [
     {
       home-manager = {