Actually enforce the roles

system/roles/workstation/services/earlyoom.nix

@@ -1,22 +1,28 @@
-{pkgs, ...}: {
-  # https://dataswamp.org/~solene/2022-09-28-earlyoom.html
-  # avoid the linux kernel locking itself when we're putting too much strain on the memory
-  # this helps avoid having to shut down forcefully when we OOM
-  services.earlyoom = {
-    enable = true;
-    enableNotifications = true; # annoying, but we want to know what's killed
-    freeSwapThreshold = 2;
-    freeMemThreshold = 2;
-    extraArgs = [
-      "-g" # kill all processes within a process group
-      "--avoid 'Hyprland|soffice|soffice.bin|firefox|thunderbird)$'" # things we want to not kill
-      "--prefer '^(electron|.*.exe)$'" # I wish we could kill electron permanently
-    ];
+{pkgs, lib, config, ...}: let
+  inherit (lib) mkIf;
+  deviceType = config.myOptions.device.roles.type;
+  acceptedTypes = ["laptop" "desktop"];
+in {
+  config = mkIf (builtins.elem deviceType acceptedTypes) {
+    # https://dataswamp.org/~solene/2022-09-28-earlyoom.html
+    # avoid the linux kernel locking itself when we're putting too much strain on the memory
+    # this helps avoid having to shut down forcefully when we OOM
+    services.earlyoom = {
+      enable = true;
+      enableNotifications = true; # annoying, but we want to know what's killed
+      freeSwapThreshold = 2;
+      freeMemThreshold = 2;
+      extraArgs = [
+        "-g" # kill all processes within a process group
+        "--avoid 'Hyprland|soffice|soffice.bin|firefox|thunderbird)$'" # things we want to not kill
+        "--prefer '^(electron|.*.exe)$'" # I wish we could kill electron permanently
+      ];
 
-    # we should ideally write the logs into a designated log file; or even better, to the journal
-    # for now we can hope this echo sends the log to somewhere we can observe later
-    killHook = pkgs.writeShellScript "earlyoom-kill-hook" ''
-      echo "Process $EARLYOOM_NAME ($EARLYOOM_PID) was killed"
-    '';
+      # we should ideally write the logs into a designated log file; or even better, to the journal
+      # for now we can hope this echo sends the log to somewhere we can observe later
+      killHook = pkgs.writeShellScript "earlyoom-kill-hook" ''
+        echo "Process $EARLYOOM_NAME ($EARLYOOM_PID) was killed"
+      '';
+    };
   };
 }

system/roles/workstation/services/mount.nix

@@ -1,11 +1,16 @@
-{ config, ... }:
-{
-  services = {
-    # enable GVfs, a userspace virtual filesystem
-    # (allows viewing ftp,sftp,... directly from the file manager)
-    gvfs.enable = true;
+{ lib, config, ...}: let
+  inherit (lib) mkIf;
+  deviceType = config.myOptions.device.roles.type;
+  acceptedTypes = ["laptop" "desktop"];
+in {
+  config = mkIf (builtins.elem deviceType acceptedTypes) {
+    services = {
+      # enable GVfs, a userspace virtual filesystem
+      # (allows viewing ftp,sftp,... directly from the file manager)
+      gvfs.enable = true;
 
-    # Storage daemon required for udiskie auto-mount
-    udisks2.enable = !config.boot.isContainer;
+      # Storage daemon required for udiskie auto-mount
+      udisks2.enable = !config.boot.isContainer;
+    };
   };
 }

system/roles/workstation/services/printing.nix

@@ -1,9 +1,12 @@
-{ config, lib, pkgs, ... }: let
+{ pkgs, lib, config, ...}: let
   inherit (lib) mkIf;
+  deviceType = config.myOptions.device.roles.type;
+  acceptedTypes = ["laptop" "desktop"];
 
   cfg = config.myOptions.workstation.printing;
 in {
-  config = mkIf cfg.enable {
+
+  config = mkIf (builtins.elem deviceType acceptedTypes && cfg.enable) {
     # enable cups and add some drivers for common printers
     services = {
       printing = {