Apparently, depot could be stopped. Who knew?

config/profiles/base/access.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+{
+  security.sudo.wheelNeedsPassword = lib.mkForce false;
+
+  users.users.root = {
+    hashedPassword =
+      "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
+    openssh.authorizedKeys.keys = with pkgs.lib;
+      concatLists (mapAttrsToList
+        (name: user:
+          if elem "wheel" user.extraGroups then
+            user.openssh.authorizedKeys.keys
+          else
+            [ ])
+        config.users.users);
+  };
+}

config/profiles/base/base16.nix

@@ -0,0 +1,10 @@
+{ config, ... }:
+
+{
+  base16 = {
+    console = {
+      enable = true;
+      scheme = "rebecca.rebecca";
+    };
+  };
+}

config/profiles/base/default.nix

@@ -0,0 +1,23 @@
+{ config, meta, lib, pkgs, ... }:
+
+{
+  imports = with meta; [
+    users.kat.base
+#    users.kairi.base TODO
+    users.arc
+    users.hexchen
+    ./system.nix
+    ./dns.nix
+    ./home.nix
+    ./profiles.nix
+    ./shell.nix
+    ./base16.nix
+    ./net.nix
+    ./access.nix
+    ./locale.nix
+    ./nix.nix
+    ./ssh.nix
+    ./packages.nix
+    ./secrets.nix
+  ];
+}

config/profiles/base/dns.nix

@@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+  network.dns = {
+    email = "kat@kittywit.ch";
+    tld = "kittywit.ch.";
+  };
+}

config/profiles/base/home.nix

@@ -0,0 +1,23 @@
+{ meta, config, lib, sources, tf, ... }:
+
+with lib;
+
+{
+  options.home-manager.users = mkOption {
+    type = types.attrsOf (types.submoduleWith {
+      modules = singleton ../../modules/home;
+      specialArgs = {
+        inherit sources tf meta;
+        superConfig = config;
+        modulesPath = sources.home-manager + "/modules";
+      };
+    });
+  };
+
+  config = {
+    home-manager = {
+      useUserPackages = true;
+      useGlobalPkgs = true;
+    };
+  };
+}

config/profiles/base/locale.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  fonts.fonts = [
+    pkgs.tamzen
+  ];
+  i18n.defaultLocale = "en_GB.UTF-8";
+  time.timeZone = "Europe/London";
+  console = {
+    packages = [ pkgs.tamzen ];
+    keyMap = "uk";
+  };
+}

config/profiles/base/net.nix

@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+
+{
+  network.nftables.enable = lib.mkDefault true;
+  network.enable = true;
+  network.dns.enable = true;
+}

config/profiles/base/nix.nix

@@ -0,0 +1,31 @@
+{ config, lib, pkgs, sources, ... }:
+
+{
+  boot.loader.grub.configurationLimit = 8;
+  boot.loader.systemd-boot.configurationLimit = 8;
+
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "nixFlakes" ''
+      exec ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@"
+    '')
+  ];
+
+  nix = {
+    nixPath = [
+      "nixpkgs=${sources.nixpkgs}"
+      "nur=${sources.nur}"
+      "arc=${sources.arcexprs}"
+      "ci=${sources.ci}"
+    ];
+    sandboxPaths = [
+      "/var/run/nscd/socket"
+    ];
+    binaryCaches = [ "https://arc.cachix.org" "https://kittywitch.cachix.org" ];
+    binaryCachePublicKeys =
+      [ "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" ];
+    autoOptimiseStore = true;
+    gc.automatic = lib.mkDefault true;
+    gc.options = lib.mkDefault "--delete-older-than 1w";
+    trustedUsers = [ "root" "@wheel" ];
+  };
+}

config/profiles/base/packages.nix

@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    smartmontools
+    hddtemp
+    lm_sensors
+    cachix
+    pinentry-curses
+    gnupg
+  ];
+}

config/profiles/base/profiles.nix

@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options = {
+    deploy.profile = {
+      gui = mkEnableOption "Graphical System";
+      vfio = mkEnableOption "VFIO";
+      trusted = mkEnableOption "Trusted Submodule";
+      hardware = {
+        acs-override = mkEnableOption "ACS IOMMU Override";
+        amdgpu = mkEnableOption "AMD GPU";
+        hcloud-imperative = mkEnableOption "Imperative Hetzner Cloud Setup";
+        intel = mkEnableOption "Intel CPU";
+        laptop = mkEnableOption "Laptop";
+        wifi = mkEnableOption "WiFi, home network";
+        ryzen = mkEnableOption "AMD Ryzen CPU";
+        ms-7b86 = mkEnableOption "MSI B450-A Pro Max";
+        rm-310 = mkEnableOption "Intel DQ67OW";
+        eeepc-1015pem = mkEnableOption "Asus Eee PC 1015PEM";
+        v330-14arr = mkEnableOption "Lenovo Ideapad v330-14ARR";
+      };
+    };
+    home-manager.users = mkOption {
+      type = types.attrsOf (types.submoduleWith {
+        modules = [
+          ({ superConfig, ... }: {
+            options.deploy.profile = {
+              gui = mkEnableOption "Graphical System";
+              vfio = mkEnableOption "VFIO";
+              trusted = mkEnableOption "Trusted Submodule";
+              hardware = {
+                acs-override = mkEnableOption "ACS IOMMU Override";
+                amdgpu = mkEnableOption "AMD GPU";
+                hcloud-imperative = mkEnableOption "Imperative Hetzner Cloud Setup";
+                intel = mkEnableOption "Intel CPU";
+                laptop = mkEnableOption "Laptop";
+                wifi = mkEnableOption "WiFi, home network";
+                ryzen = mkEnableOption "AMD Ryzen CPU";
+                ms-7b86 = mkEnableOption "MSI B450-A Pro Max";
+                rm-310 = mkEnableOption "Intel DQ67OW";
+                eeepc-1015pem = mkEnableOption "Asus Eee PC 1015PEM";
+                v330-14arr = mkEnableOption "Lenovo Ideapad v330-14ARR";
+              };
+            };
+            config = {
+              deploy.profile = superConfig.deploy.profile;
+            };
+          })
+        ];
+      });
+    };
+  };
+}

config/profiles/base/secrets.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+  secrets = {
+    root = "/var/lib/kat/secrets";
+    persistentRoot = "/var/lib/kat/secrets";
+    external = true;
+  };
+}

config/profiles/base/shell.nix

@@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+  programs.zsh = {
+    enable = true;
+    enableCompletion = true;
+  };
+}

config/profiles/base/ssh.nix

@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  network.firewall = {
+    public = {
+      tcp.ports = singleton 62954;
+      udp.ranges = [{
+        from = 60000;
+        to = 61000;
+      }];
+    };
+    private = {
+      tcp.ports = singleton 62954;
+      udp.ranges = [{
+        from = 60000;
+        to = 61000;
+      }];
+    };
+  };
+
+  services.openssh = {
+    enable = true;
+    ports = lib.mkDefault [ 62954 ];
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    permitRootLogin = lib.mkDefault "prohibit-password";
+    kexAlgorithms = [ "curve25519-sha256@libssh.org" ];
+    extraConfig = ''
+      StreamLocalBindUnlink yes
+      LogLevel VERBOSE 
+    '';
+  };
+  programs.mosh.enable = true;
+}

config/profiles/base/system.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+  hardware.enableRedistributableFirmware = lib.mkDefault true;
+  boot.tmpOnTmpfs = true;
+  boot.zfs.enableUnstable = true;
+  boot.kernel.sysctl = {
+    "net.core.rmem_max" = "16777216";
+    "net.core.wmem_max" ="16777216";
+    "net.ipv4.tcp_rmem" = "4096 87380 16777216";
+    "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+  };
+  services.journald.extraConfig = "SystemMaxUse=512M";
+  users.mutableUsers = false;
+}