Full rewrite

system/boot/default.nix

@@ -0,0 +1,5 @@
+_: {
+  imports = [
+    ./systemd-boot.nix
+  ];
+}

system/boot/systemd-boot.nix

@@ -0,0 +1,11 @@
+_: {
+  boot.loader = {
+    systemd-boot = {
+      enable = true;
+      memtest86.enable = true;
+      editor = true;
+    };
+    efi.canTouchEfiVariables = true;
+    timeout = 3;
+  };
+}

system/default.nix

@@ -1,13 +1,12 @@
-{lib, ...}:
-{
-    imports = [
-        ./network.nix
-        ./users.nix
-        ./nix.nix
-        ./packages.nix
-    ];
-
-    # Internationalisation properties
-    time.timeZone = "CET";
-    i18n.defaultLocale = "en_US.UTF-8";
+_: {
+  imports = [
+    ./hardware
+    ./boot
+    ./services
+    ./programs
+    ./system.nix
+    ./nix.nix
+    ./network.nix
+    ./localisation.nix
+  ];
 }

system/hardware/cpu/amd.nix

@@ -0,0 +1,9 @@
+{ config, lib, ... }:
+let
+  dev = config.myOptions.device;
+in
+{
+  config = lib.mkIf (builtins.elem dev.cpu.type [ "amd" "vm-amd" ]) {
+    hardware.cpu.amd.updateMicrocode = true;
+  };
+}

system/hardware/cpu/default.nix

@@ -0,0 +1,6 @@
+_: {
+  imports = [
+    ./amd.nix
+    ./intel.nix
+  ];
+}

system/hardware/cpu/intel.nix

@@ -0,0 +1,9 @@
+{ config, lib, ... }:
+let
+  dev = config.myOptions.device;
+in
+{
+  config = lib.mkIf (builtins.elem dev.cpu.type [ "intel" "vm-intel" ]) {
+    hardware.cpu.intel.updateMicrocode = true;
+  };
+}

system/hardware/default.nix

@@ -0,0 +1,5 @@
+_: {
+  imports = [
+    ./cpu
+  ];
+}

system/localisation.nix

@@ -0,0 +1,4 @@
+_: {
+  time.timeZone = "CET";
+  i18n.defaultLocale = "en_US.UTF-8";
+}

system/nix.nix

@@ -1,5 +1,7 @@
 {pkgs, ...}:
 {
+  system.autoUpgrade.enable = false;
+
   nix = {
     settings = {
       # nix often takes up a lot of space, with /nix/store growing beyond reasonable sizes
@@ -8,6 +10,10 @@
       auto-optimise-store = true;
       # enable flakes support
       experimental-features = [ "nix-command" "flakes" ];
+
+      # Keep all dependencies used to build
+      keep-outputs = true;
+      keep-derivations = true;
     };
 
     # Enable automatic garbage collection, deleting entries older than 14 days
@@ -31,5 +37,5 @@
   nixpkgs.config.allowUnfree = true;
 
   # Git is needed for flakes
-  environment.systemPackages = with pkgs; [git];
+  environment.systemPackages = [pkgs.git];
 }

system/options/cachix.nix

@@ -1,14 +0,0 @@
-_: {
-  nix.settings = {
-    substituters = [
-        "https://nix-community.cachix.org"
-        "https://nixpkgs-wayland.cachix.org"
-        "https://viperml.cachix.org"
-    ];
-    trusted-public-keys = [
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
-        "viperml.cachix.org-1:qZhKBMTfmcLL+OG6fj/hzsMEedgKvZVFRRAhq7j8Vh8="
-    ];
-  };
-}

system/options/oomd.nix

@@ -1,9 +0,0 @@
-_: {
-    systemd.oomd = {
-        enable = true;
-        enableSystemSlice = true;
-        enableRootSlice = true;
-        enableUserSlices = true;
-    };
-}
-

system/options/systemd-boot.nix

@@ -1,12 +0,0 @@
-_: {
-    boot.loader = {
-        systemd-boot = {
-            enable = true;
-            memtest86.enable = true;
-            editor = true;
-        };
-        efi.canTouchEfiVariables = true;
-        timeout = 3;
-    };
-}
-

system/packages.nix

@@ -1,9 +0,0 @@
-{pkgs, ...}:
-{
-  # Basic list of must-have packages for all systems
-  environment.systemPackages = with pkgs; [
-    vim
-    gnupg
-    delta
-  ];
-}

system/programs/default.nix

@@ -0,0 +1,14 @@
+{ pkgs, lib, ... }: {
+  imports = [
+    ./nano.nix
+  ];
+
+  # Basic list of must-have packages for all systems
+  # TODO: Move these to home-manager, no need for system wide deps
+  # although maybe keep vim
+  environment.systemPackages = with pkgs; [
+    vim
+    gnupg
+    delta
+  ];
+}

system/programs/nano.nix

@@ -0,0 +1,49 @@
+{ pkgs, ... }: {
+  programs.nano = {
+    # enabled by default anyway, we can keep it in case my neovim config breaks
+    enable = true;
+    nanorc = ''
+      include ${pkgs.nanorc}/share/*.nanorc # extended syntax highlighting
+
+      # Options
+      # https://github.com/davidhcefx/Modern-Nano-Keybindings
+      set tabsize 4
+      set tabstospaces
+      set linenumbers
+      set numbercolor yellow,normal
+      set indicator                         # side-bar for indicating cur position
+      set smarthome                         # `Home` jumps to line start first
+      set afterends                         # `Ctrl+Right` move to word ends instead of word starts
+      set wordchars "_"                     # recognize '_' as part of a word
+      set zap                               # delete selected text as a whole
+      set historylog                        # remember search history
+      set multibuffer                       # read files into multibuffer instead of insert
+      set mouse                             # enable mouse support
+      bind M-R  redo            main
+      bind ^C   copy            main
+      bind ^X   cut             main
+      bind ^V   paste           main
+      bind ^K   zap             main
+      bind ^H   chopwordleft    all
+      bind ^Q   exit            all
+      bind ^Z   suspend         main
+      bind M-/  comment         main
+      bind ^Space complete      main
+
+      bind M-C  location        main
+      bind ^E   wherewas        all
+      bind M-E  findprevious    all
+      bind ^R   replace         main
+      bind ^B   pageup          all         # vim-like support
+      bind ^F   pagedown        all
+      bind ^G   firstline       all
+      bind M-G  lastline        all
+
+      bind M-1    help          all         # fix ^G been used
+      bind Sh-M-C constantshow  main        # fix M-C, M-F and M-b been used
+      bind Sh-M-F formatter     main
+      bind Sh-M-B linter        main
+    '';
+  };
+}
+

system/services/default.nix

@@ -0,0 +1,5 @@
+_: {
+  imports = [
+    ./ssh.nix
+  ];
+}

system/services/oomd.nix

@@ -0,0 +1,20 @@
+{ lib, ... }: {
+  systemd = {
+    # OOMd: Out Of Memory daemon
+    # By default, this will only kill cgroups. So either systemd services
+    # marked for killing uder OOM or (non-default, but enabled here) the entire user slice.
+    oomd = {
+      enable = true;
+      enableSystemSlice = true;
+      enableRootSlice = true;
+      enableUserSlices = true;
+      extraConfig = {
+        "DefaultMemoryPressureDurationSec" = "20s";
+      };
+    };
+
+    # Make nix builds more likely to get killed than other important services.
+    # The default for user slices is 100, and systemd-coredumpd is 500
+    services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 350;
+  };
+}

system/services/ssh.nix

@@ -0,0 +1,12 @@
+{ ... }: {
+  # TODO: This really shouldn't be a default service in system/
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+      X11Forwarding = false;
+    };
+  };
+}
+

system/system.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }: with lib; let
+  cfg = config.myOptions.system;
+in
+{
+  networking.hostName = cfg.hostname;
+
+  users = {
+    # Prevent mutating users outside of our configurations.
+    # TODO: Solve this, currentry it fails with no password
+    # specified for root account nor any whell user accounts
+    # and wants us to set pw manually with passwd, which needs
+    # mutableUsers
+    #mutableUsers = false;
+
+    users.${cfg.username} = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+    };
+  };
+}

system/users.nix

@@ -1,8 +0,0 @@
-{pkgs, ...}:
-{
-  users.users.itsdrike = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    initialPassword = "itsdrike";
-  };
-}