cleanup, make checks pass

flake.nix

@@ -36,11 +36,13 @@
         ];
         specialArgs = {inherit inputs system;};
       };
-    mkRaspi = pkgs: hostname:
+    mkRaspi = pkgs: hostname: let
-      pkgs.lib.nixosSystem {
       system = "aarch64-linux";
+    in
+      pkgs.lib.nixosSystem {
+        inherit system;
         modules = [(./. + "/nixos/boxes/${hostname}") sops.nixosModules.sops];
-        specialArgs = {inherit inputs;};
+        specialArgs = {inherit inputs system;};
       };
     mkKiosk = pkgs: system: hostname:
       pkgs.lib.nixosSystem {
@@ -52,13 +54,15 @@
 
           home-manager.nixosModules.home-manager
           {
-            home-manager.useGlobalPkgs = true;
+            home-manager = {
-            home-manager.useUserPackages = true;
+              useGlobalPkgs = true;
-            home-manager.users.cyryl = {
+              useUserPackages = true;
+              users.cyryl = {
                 imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
                 _module.args.inputs = inputs;
                 _module.args.system = system;
               };
+            };
           }
         ];
         specialArgs = {
@@ -86,13 +90,15 @@
           {programs.nix-ld.dev.enable = true;}
           home-manager.nixosModules.home-manager
           {
-            home-manager.useGlobalPkgs = true;
+            home-manager = {
-            home-manager.useUserPackages = true;
+              useGlobalPkgs = true;
-            home-manager.users.cyryl = {
+              useUserPackages = true;
+              users.cyryl = {
                 imports = [./nixos/home-manager ./nixos/home-manager/linux.nix];
                 _module.args.inputs = inputs;
                 _module.args.system = system;
               };
+            };
           }
         ];
         specialArgs = {
@@ -138,13 +144,15 @@
           (./. + "/nixos/boxes/form3")
           home-manager.darwinModules.home-manager
           {
-            home-manager.useGlobalPkgs = true;
+            home-manager = {
-            home-manager.useUserPackages = true;
+              useGlobalPkgs = true;
-            home-manager.users.cyryl = {
+              useUserPackages = true;
+              users.cyryl = {
                 imports = [./nixos/home-manager];
                 _module.args.inputs = inputs;
                 _module.args.system = system;
               };
+            };
           }
         ];
       };
@@ -154,7 +162,6 @@
       foryog = mkWorkstation nixpkgs-nixos-unstable "x86_64-linux" "foryog";
       thinky = mkWorkstation nixpkgs-stable "x86_64-linux" "thinky";
       bolty = mkServer nixpkgs-stable "x86_64-linux" "bolty";
-      vpsfree1 = mkServer nixpkgs-stable "x86_64-linux" "vpsfree1";
       cupsnet = mkServer nixpkgs-stable "aarch64-linux" "cupsnet";
       mb1 = mkServer nixpkgs-stable "x86_64-linux" "mb1";
       homescreen = mkRaspi nixpkgs-stable "homescreen";

nixos/boxes/bolty/bolty-boot.nix

@@ -15,10 +15,13 @@
     zfs.forceImportRoot = false;
   };
 
-  services.btrfs.autoScrub.enable = true;
+  services = {
-  services.zfs.autoScrub.enable = true;
+    btrfs.autoScrub.enable = true;
-  services.zfs.trim.enable = true;
+    zfs = {
-
+      autoScrub.enable = true;
+      trim.enable = true;
+    };
+  };
   boot.kernelParams = ["zfs.zfs_arc_max=17179869184"];
 
   boot.zfs.extraPools = ["data"];

nixos/boxes/bolty/default.nix

@@ -7,13 +7,11 @@
     ../cli.nix
     ../send-logs.nix
     ./bolty-boot.nix
-    ./gitea-runner.nix
     ./grafana.nix
     ./home-assistant.nix
     ./home-security.nix
     ./influxdb.nix
     ./logs.nix
-    ./mastodon.nix
     ./nas.nix
     ./networking.nix
     ./nix-store-server.nix

nixos/boxes/bolty/home-assistant.nix

@@ -14,7 +14,9 @@ in {
   imports = [../nginx.nix ./virtualisation.nix];
 
   networking.firewall.allowedTCPPorts = [port 1883 8089];
-  services.mosquitto = {
+
+  services = {
+    mosquitto = {
       enable = true;
       package = inputs.nixpkgs-nixos-unstable.legacyPackages."${system}".mosquitto;
       dataDir = "/data/mosquitto";
@@ -30,7 +32,7 @@ in {
         }
       ];
     };
-  services.zigbee2mqtt = {
+    zigbee2mqtt = {
       enable = true;
       package = inputs.nixpkgs-master.legacyPackages."${system}".zigbee2mqtt;
       settings = {
@@ -46,7 +48,7 @@ in {
         };
       };
     };
-  services.nginx = {
+    nginx = {
       virtualHosts = {
         "bolty.raptor-carp.ts.net" = {
           forceSSL = true;
@@ -60,6 +62,7 @@ in {
         };
       };
     };
+  };
 
   systemd.services.nginx-tailscale-certs = {
     script = ''

nixos/boxes/bolty/networking.nix

@@ -6,23 +6,25 @@
   ...
 }: {
   networking.hostName = "bolty";
-  systemd.network.enable = true;
   networking.networkmanager.enable = false;
-  systemd.network.netdevs."br0".netdevConfig = {
+
+  systemd.network = {
+    enable = true;
+    netdevs."br0".netdevConfig = {
       Name = "br0";
       Kind = "bridge";
     };
-  systemd.network.networks."br0" = {
+    networks."br0" = {
       name = "br0";
       address = ["10.0.0.8/24"];
       gateway = ["10.0.0.1"];
       DHCP = "no";
       dns = ["100.100.100.100" "9.9.9.9"];
     };
-
+    networks."eth" = {
-  systemd.network.networks."eth" = {
       name = "enp4s0";
       networkConfig.Bridge = "br0";
       DHCP = "no";
     };
+  };
 }

nixos/boxes/bolty/print-server.nix

@@ -4,10 +4,13 @@
   lib,
   ...
 }: {
-  networking.firewall.enable = true;
+  networking.firewall = {
-  networking.firewall.allowedTCPPorts = [631 6566];
+    enable = true;
-  networking.firewall.allowedUDPPorts = [631 6566];
+    allowedTCPPorts = [631 6566];
-  services.printing = {
+    allowedUDPPorts = [631 6566];
+  };
+  services = {
+    printing = {
       enable = true;
       drivers = with pkgs; [epson-escpr];
       listenAddresses = ["*:631"];
@@ -19,6 +22,19 @@
         DefaultEncryption Never
       '';
     };
+    udev.packages = [];
+
+    saned = {
+      enable = true;
+      extraConfig = ''
+        100.69.222.80
+        10.0.24.0/24
+        10.0.0.1/24
+        foureighty
+        hagath
+      '';
+    };
+  };
 
   hardware.printers.ensurePrinters = [
     {
@@ -37,17 +53,5 @@
     snapshot = true;
   };
 
-  services.udev.packages = [];
-
   environment.systemPackages = with pkgs; [gawk];
-  services.saned = {
-    enable = true;
-    extraConfig = ''
-      100.69.222.80
-      10.0.24.0/24
-      10.0.0.1/24
-      foureighty
-      hagath
-    '';
-  };
 }

nixos/boxes/bolty/real-hardware.nix

@@ -4,11 +4,13 @@
   lib,
   ...
 }: {
-  hardware.enableRedistributableFirmware = true;
-  services.smartd.enable = true;
-  services.fstrim.enable = true;
   environment.systemPackages = with pkgs; [smartmontools];
-  services.fwupd.enable = true;
+  hardware.enableRedistributableFirmware = true;
-  services.thermald.enable = true;
+  services = {
-  services.haveged.enable = true;
+    smartd.enable = true;
+    fstrim.enable = true;
+    fwupd.enable = true;
+    thermald.enable = true;
+    haveged.enable = true;
+  };
 }

nixos/boxes/bolty/tailscale-cert.nix

@@ -12,7 +12,8 @@
 in {
   imports = [];
 
-  systemd.services.tailscale-cert-make-path = {
+  systemd.services = {
+    tailscale-cert-make-path = {
       script = ''
         mkdir -p ${basePath}
       '';
@@ -21,7 +22,7 @@ in {
       wantedBy = ["multi-user.target"];
     };
 
-  systemd.services.tailscale-cert = {
+    tailscale-cert = {
       after = ["network.target" "network-online.target" "tailscaled.service"];
       wants = ["tailscaled.service"];
       wantedBy = ["multi-user.target"];
@@ -48,7 +49,7 @@ in {
         tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
       '';
     };
-
+  };
   systemd.timers.tailscale-renew = {
     wantedBy = ["timers.target"];
     description = "Renew tailscale server cert";

nixos/boxes/cupsnet/boot.nix

@@ -5,12 +5,14 @@
   lib,
   ...
 }: {
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot = {
-  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];
+    kernelPackages = pkgs.linuxPackages_latest;
+    initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "ahci" "usbhid" "sr_mod"];
 
-  boot.loader.grub = {
+    loader.grub = {
       devices = ["/dev/vda"];
       efiSupport = true;
       efiInstallAsRemovable = true;
     };
+  };
 }

nixos/boxes/form3/default.nix

@@ -51,16 +51,18 @@ in {
   home-manager.users.cyryl = {...}: {
     imports = [];
     home.packages = with pkgs; [awscli kubectl cargo-update];
-    programs.git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
+    programs = {
-    programs.git.extraConfig = {
+      git.userEmail = lib.mkForce "cyryl.plotnicki@form3.tech";
+      git.extraConfig = {
         user.signingkey = "6441B1BC81F8FB1561C9AFF5534222210FE423ED";
         commit.gpgsign = true;
         "url \"git@github.com:\"".insteadOf = "https://github.com/";
       };
-    programs.gpg.enable = true;
+      gpg.enable = true;
-    programs.gpg.homedir = "/Users/cyryl/.gnupg";
+      gpg.homedir = "/Users/cyryl/.gnupg";
-    programs.zsh.loginExtra = ''
+      zsh.loginExtra = ''
         eval "$(/opt/homebrew/bin/brew shellenv)"
       '';
     };
+  };
 }

nixos/boxes/foryog/default.nix

@@ -26,13 +26,16 @@
   services.restic.backups.home-to-b2 = {
     repository = lib.mkForce "b2:cyplo-restic-foureighty:/";
   };
-  boot.kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
+
-  boot.tmp.cleanOnBoot = true;
+  boot = {
-  boot.binfmt.emulatedSystems = ["aarch64-linux"];
+    kernelParams = ["initcall_debug" ''dyndbg="file suspend.c +p"'' "no_console_suspend"];
-  boot.plymouth = {
+    tmp.cleanOnBoot = true;
+    binfmt.emulatedSystems = ["aarch64-linux"];
+    plymouth = {
       enable = true;
       logo = ./boot.png;
     };
+  };
 
   zramSwap = {
     enable = true;
@@ -42,13 +45,15 @@
 
   time.timeZone = "Europe/London";
 
-  hardware.trackpoint.enable = true;
+  hardware = {
-  hardware.keyboard.qmk.enable = true;
+    trackpoint.enable = true;
+    keyboard.qmk.enable = true;
+    opengl.extraPackages = with pkgs; [libva];
+  };
+
   services.udev.packages = [pkgs.qmk-udev-rules];
   programs.ccache.enable = true;
-  hardware.opengl.extraPackages = with pkgs; [libva];
   programs.steam.enable = true;
-  nixpkgs.config.allowUnfree = true;
 
   home-manager.users.cyryl = {...}: {
     imports = [

nixos/boxes/foureighty/default.nix

@@ -45,9 +45,10 @@
     device = "0000:00:02.0";
   };
   hardware.trackpoint.enable = true;
-  services.hardware.bolt.enable = true;
+  services = {
+    hardware.bolt.enable = true;
 
-  services.xserver = {
+    xserver = {
       libinput = {
         enable = true;
         touchpad = {
@@ -63,7 +64,9 @@
         };
       };
     };
-  services.fprintd = {enable = true;};
+    fprintd = {enable = true;};
+  };
+
   programs.ccache.enable = true;
   hardware.opengl.extraPackages = with pkgs; [libva];
   programs.steam.enable = true;

nixos/boxes/foureighty/hardware-configuration.nix

@@ -13,9 +13,11 @@
       availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
     };
 
-    loader.systemd-boot.enable = true;
+    loader = {
-    loader.efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
-    loader.efi.efiSysMountPoint = "/boot/efi";
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot/efi";
+    };
   };
 
   boot.initrd.secrets = {"/crypto_keyfile.bin" = null;};

nixos/boxes/homescreen/default.nix

@@ -11,23 +11,24 @@
     hostName = "homescreen";
     networkmanager = {enable = true;};
   };
-  hardware.enableRedistributableFirmware = true;
 
   environment.systemPackages = with pkgs; [neovim htop btop atop];
 
-  services.fail2ban.enable = true;
+  hardware = {
+    raspberry-pi."4".fkms-3d.enable = true;
 
-  services.openssh = {
+    enableRedistributableFirmware = true;
+    deviceTree.filter = lib.mkForce "*rpi-*.dtb";
+  };
+  services = {
+    fail2ban.enable = true;
+
+    openssh = {
       enable = true;
       permitRootLogin = "prohibit-password";
       passwordAuthentication = false;
     };
-
+    xserver = {
-  hardware.raspberry-pi."4".fkms-3d.enable = true;
-
-  hardware.deviceTree.filter = lib.mkForce "*rpi-*.dtb";
-
-  services.xserver = {
       enable = true;
       displayManager = {
         lightdm.enable = true;
@@ -37,14 +38,16 @@
       desktopManager.gnome.enable = true;
       libinput.enable = true;
     };
+  };
 
   users = {
     mutableUsers = false;
     users.kiosk = {isNormalUser = true;};
-  };
+    extraUsers.root.openssh.authorizedKeys.keys = [
-  users.extraUsers.root.openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo4R+6J3h6Ix3xWpOMdU7Es1/YxFchHw0c+kcCOJxFb cyryl@foureighty"
     ];
+  };
+
   fileSystems = {
     "/" = {
       device = "/dev/disk/by-label/NIXOS_SD";
@@ -57,6 +60,7 @@
       options = ["nofail" "noauto"];
     };
   };
+
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 
   security.allowUserNamespaces = true;

nixos/boxes/skinnyv/default.nix

@@ -19,11 +19,14 @@
     ../../zsh
   ];
 
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot = {
-  boot.loader.systemd-boot.enable = true;
+    kernelPackages = pkgs.linuxPackages_latest;
-  boot.loader.efi.canTouchEfiVariables = true;
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
     time.timeZone = "Europe/London";
-
+  };
   services.thermald.enable = true;
   home-manager.users.cyryl = {...}: {
     imports = [../../home-manager/programs/kitty.nix];

nixos/common-hardware.nix

@@ -1,12 +1,18 @@
-{ config, pkgs, nixpkgs-nixos-unstable-and-unfree, lib, ... }: {
+{
+  config,
+  pkgs,
+  nixpkgs-nixos-unstable-and-unfree,
+  lib,
+  ...
+}: {
   boot.kernelModules = ["fuse"];
-  services.smartd.enable = true;
 
   sound.enable = true;
 
   networking.networkmanager = {
     enable = true;
-    dispatcherScripts = [{
+    dispatcherScripts = [
+      {
         source = pkgs.writeText "upHook" ''
           enable_disable_wifi ()
           {
@@ -27,37 +33,21 @@
           fi
         '';
         type = "basic";
-    }];
+      }
+    ];
   };
 
-  hardware.enableRedistributableFirmware = true;
-  hardware.cpu.intel.updateMicrocode = true;
-
-  hardware.bluetooth = {
-    enable = true;
-    package = pkgs.bluez;
-    settings = { General = { Enable = "Source,Sink,Media,Socket"; }; };
-  };
-
-  hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
-  services.pipewire = {
+
+  services = {
+    smartd.enable = true;
+    pipewire = {
       enable = true;
       alsa.enable = true;
       alsa.support32Bit = true;
       pulse.enable = true;
-    extraConfig.pipewire."92-low-latency" = {
-      context.properties = {
-        default.clock.rate = 48000;
-        default.clock.quantum = 32;
-        default.clock.min-quantum = 32;
-        default.clock.max-quantum = 32;
     };
-    };
+    printing = {
-  };
-
-  environment.systemPackages = with pkgs; [ ghostscript poppler ];
-  services.printing = {
       enable = true;
       drivers = with pkgs; [
         epson-escpr
@@ -69,13 +59,28 @@
       '';
     };
 
-  hardware.printers.ensurePrinters = [
+    udev.packages = [];
+  };
+
+  environment.systemPackages = with pkgs; [ghostscript poppler];
+
+  hardware = {
+    enableRedistributableFirmware = true;
+    cpu.intel.updateMicrocode = true;
+
+    bluetooth = {
+      enable = true;
+      package = pkgs.bluez;
+      settings = {General = {Enable = "Source,Sink,Media,Socket";};};
+    };
+
+    pulseaudio.enable = false;
+    printers.ensurePrinters = [
       {
         description = "Epson XP-540 via bolty";
         name = "epson_xp540_via_bolty";
         deviceUri = "ipp://bolty:631/printers/epson_xp540";
-      model =
+        model = "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
-        "epson-inkjet-printer-escpr/Epson-XP-540_Series-epson-escpr-en.ppd";
         ppdOptions = {
           PageSize = "A4";
           Duplex = "DuplexNoTumble";
@@ -84,8 +89,7 @@
       {
         description = "Samsung SCX-4623 Series";
         name = "samsung-SCX-4623";
-      deviceUri =
+        deviceUri = "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
-        "usb://Samsung/SCX-4623%20Series?serial=Z2TYBFFZC01007W&interface=1";
         model = "samsung/SCX-4623FW.ppd";
         ppdOptions = {
           PageSize = "A4";
@@ -94,8 +98,7 @@
       }
     ];
 
-  services.udev.packages = [ ];
+    sane = {
-  hardware.sane = {
       enable = true;
       snapshot = true;
       extraBackends = with pkgs; [
@@ -104,7 +107,7 @@
         gawk
       ];
     };
-
+  };
   powerManagement = {
     enable = lib.mkForce true;
     resumeCommands = ''

nixos/common.nix

@@ -20,6 +20,7 @@ in {
   boot.supportedFilesystems = ["ntfs"];
   environment.enableDebugInfo = true;
 
+  nixpkgs.config.allowUnfree = true;
   environment.systemPackages = with pkgs; [
     ccache
     curl

nixos/distributed-builds.nix

@@ -3,7 +3,8 @@
   pkgs,
   ...
 }: {
-  nix.buildMachines = [
+  nix = {
+    buildMachines = [
       {
         hostName = "bolty";
         sshUser = "nix-builder";
@@ -16,10 +17,11 @@
       }
     ];
 
-  nix.extraOptions = ''
+    extraOptions = ''
       builders-use-substitutes = true
     '';
-  nix.distributedBuilds = true;
+    distributedBuilds = true;
-  nix.settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
+    settings.substituters = ["https://cache.nixos.org/" "ssh://nix-ssh@bolty.raptor-carp.ts.net"];
-  nix.settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
+    settings.trusted-public-keys = ["cyplodev-store-key:a/+PEufePs7giWqYyRqy+TgUKLMbY+RQuJQu2aUjdl8="];
+  };
 }

nixos/git/home.nix

@@ -20,9 +20,11 @@
       colour.ui = true;
       core.fsmonitor = true;
       credential = {helper = "cache";};
-      diff.algorithm = "histogram";
+      diff = {
-      diff.renameLimit = 2048;
+        algorithm = "histogram";
-      diff.renames = "copy";
+        renameLimit = 2048;
+        renames = "copy";
+      };
       help.autocorrect = 1;
       init.defaultBranch = "main";
       merge.renamelimit = 8192;

nixos/gui/default.nix

@@ -22,9 +22,11 @@
 
     imports = [];
 
-    programs.chromium.enable = true;
+    programs = {
-    programs.firefox.enable = true;
+      chromium.enable = true;
-    programs.sioyek.enable = true;
+      firefox.enable = true;
+      sioyek.enable = true;
+    };
     home.packages =
       (with pkgs;
         with pkgs.gnome3;

nixos/gui/vscode/home.nix

@@ -7,9 +7,11 @@
   programs.vscode = {
     enable = true;
     userSettings = {
-      editor.fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
+      editr = {
-      editor.formatOnType = true;
+        fontFamily = "'Berkeley Mono', 'Droid Sans Mono', 'monospace', monospace";
-      editor.fontSize = 16;
+        formatOnType = true;
+        fontSize = 16;
+      };
       files.autoSave = "onFocusChange";
       rust-analyzer.checkOnSave.command = "clippy";
       platformio-ide = {

nixos/home-manager/default.nix

@@ -7,19 +7,20 @@
 }: let
   username = "cyryl";
 in {
-  home.sessionVariables = {
+  home = {
+    inherit username;
+    sessionVariables = {
       LC_ALL = "en_GB.UTF-8";
       LANG = "en_GB.UTF-8";
       PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
     };
 
+    packages = with pkgs; [];
+
+    homeDirectory = lib.mkDefault "/home/${username}";
+    stateVersion = "23.11";
+  };
   news.display = "show";
-
-  home.packages = with pkgs; [];
-
-  home.username = username;
-  home.homeDirectory = lib.mkDefault "/home/${username}";
-  home.stateVersion = "23.11";
   programs.home-manager.enable = true;
 
   imports = [

nixos/home-manager/links.nix

@@ -3,18 +3,20 @@
   pkgs,
   ...
 }: {
-  home.file.".config/nixpkgs/config.nix".source = ../shell-config.nix;
+  home.file = {
-  home.file.".gdbinit".text = ''
+    ".config/nixpkgs/config.nix".source = ../shell-config.nix;
+    ".gdbinit".text = ''
       set auto-load python-scripts on
       add-auto-load-safe-path /home/cyryl/dev/dotfiles/.gdbinit
       set auto-load safe-path /
       source /home/cyryl/dev/dotfiles/.gdbinit
     '';
-  home.file.".gdbinit.d/dashboard".text = ''
+    ".gdbinit.d/dashboard".text = ''
       dashboard -layout breakpoints source expressions stack threads variables
       dashboard variables -style compact 0
       dashboard source -style height 24
       dashboard stack -style compact 1
       dashboard stack -style limit 3
     '';
+  };
 }

nixos/i3/default.nix

@@ -44,12 +44,15 @@
 
     fractalart.enable = true;
     colord.enable = true;
-    xserver.windowManager.i3.enable = true;
+    xserver = {
-    xserver.displayManager.sddm = {
+      enable = true;
+      windowManager.i3.enable = true;
+      displayManager.sddm = {
         enable = true;
         enableHidpi = true;
       };
     };
+  };
   home-manager.users.cyryl = {...}: {
     imports = [./home.nix];
     home.packages = with pkgs; [];

nixos/security.nix

@@ -9,21 +9,24 @@
 
   nix.settings.allowed-users = ["@users"];
 
-  security.apparmor.enable = true;
+  security = {
-  security.apparmor.killUnconfinedConfinables = true;
+    apparmor.enable = true;
-  security.forcePageTableIsolation = true;
+    apparmor.killUnconfinedConfinables = true;
-  security.lockKernelModules = false;
+    forcePageTableIsolation = true;
-  security.protectKernelImage = true;
+    lockKernelModules = false;
-  security.virtualisation.flushL1DataCache = "always";
+    protectKernelImage = true;
+    virtualisation.flushL1DataCache = "always";
+  };
 
   sops.age = {
     keyFile = "/var/lib/sops-nix/key.txt";
     generateKey = true;
   };
 
-  boot.kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];
+  boot = {
+    kernelParams = ["slub_debug=FZP" "page_poison=1" "page_alloc.shuffle=1"];
 
-  boot.blacklistedKernelModules = [
+    blacklistedKernelModules = [
       # Obscure network protocols
       "ax25"
       "netrom"
@@ -52,40 +55,43 @@
       "ufs"
     ];
 
+    kernel.sysctl = {
       # Restrict ptrace() usage to processes with a pre-defined relationship
       # (e.g., parent/child)
-  boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
+      "kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
 
       # Hide kptrs even for processes with CAP_SYSLOG
-  boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
+      "kernel.kptr_restrict" = lib.mkOverride 500 2;
 
       # Disable bpf() JIT (to eliminate spray attacks)
-  boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+      "net.core.bpf_jit_enable" = false;
 
       # Disable ftrace debugging
-  boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+      "kernel.ftrace_enabled" = false;
 
       # Enable strict reverse path filtering (that is, do not attempt to route
       # packets that "obviously" do not belong to the iface's network; dropped
       # packets are logged as martians).
-  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+      "net.ipv4.conf.all.log_martians" = true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+      "net.ipv4.conf.all.rp_filter" = "1";
-  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+      "net.ipv4.conf.default.log_martians" = true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+      "net.ipv4.conf.default.rp_filter" = "1";
 
       # Ignore broadcast ICMP (mitigate SMURF)
-  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+      "net.ipv4.icmp_echo_ignore_broadcasts" = true;
 
       # Ignore incoming ICMP redirects (note: default is needed to ensure that the
       # setting is applied to interfaces added after the sysctls are set)
-  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+      "net.ipv4.conf.all.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+      "net.ipv4.conf.all.secure_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+      "net.ipv4.conf.default.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+      "net.ipv4.conf.default.secure_redirects" = false;
-  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+      "net.ipv6.conf.all.accept_redirects" = false;
-  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+      "net.ipv6.conf.default.accept_redirects" = false;
 
       # Ignore outgoing ICMP redirects (this is ipv4 only)
-  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+      "net.ipv4.conf.all.send_redirects" = false;
-  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+      "net.ipv4.conf.default.send_redirects" = false;
+    };
+  };
 }

nixos/server-security.nix

@@ -30,7 +30,9 @@ in {
     openssh.authorizedKeys.keys = authorizedKeys;
   };
 
-  nix.settings.trusted-users = ["root" "nix-builder"];
+  nix = {
-  nix.sshServe.enable = true;
+    settings.trusted-users = ["root" "nix-builder"];
-  nix.sshServe.keys = authorizedKeys;
+    sshServe.enable = true;
+    sshServe.keys = authorizedKeys;
+  };
 }

nixos/sway/default.nix

@@ -52,11 +52,13 @@ in {
         gsettings-desktop-schemas
         lxappearance
       ];
-      file.".config/wofi/style.css".source = ../../.config/wofi/style.css;
+      file = {
-      file.".config/waybar/config".source = ../../.config/waybar/config;
+        ".config/wofi/style.css".source = ../../.config/wofi/style.css;
-      file.".config/waybar/style.css".source =
+        ".config/waybar/config".source = ../../.config/waybar/config;
+        ".config/waybar/style.css".source =
           ../../.config/waybar/style.css;
       };
+    };
     services.udiskie.enable = true;
     xsession.preferStatusNotifierItems = true;
 

nixos/vim/home.nix

@@ -11,12 +11,15 @@
   cocPackage = unstablePackages.vimPlugins.coc-nvim;
   nvimPackage = unstablePackages.neovim-unwrapped;
 in {
-  home.file.".vimrc".source = ../../.vimrc;
+  home = {
-  home.packages = with pkgs; [ripgrep];
+    file.".vimrc".source = ../../.vimrc;
-  home.sessionVariables = {
+    packages = with pkgs; [ripgrep];
+    sessionVariables = {
       EDITOR = "vim";
       VISUAL = "vim";
     };
+  };
+
   programs.zsh.sessionVariables = {
     EDITOR = "vim";
     VISUAL = "vim";