introduced features

components/gui/browser.nix

@@ -34,50 +34,59 @@ in
           home = "${homeFolder}/development-browser";
           homeBackup = "${backupFolder}/development-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         google = {
           home = "${homeFolder}/google-browser";
           homeBackup = "${backupFolder}/google-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         finance = {
           home = "${homeFolder}/finance-browser";
           homeBackup = "${backupFolder}/finance-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         facebook = {
           home = "${homeFolder}/facebook-browser";
           homeBackup = "${backupFolder}/facebook-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         shopping = {
           home = "${homeFolder}/shopping-browser";
           homeBackup = "${backupFolder}/shopping-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         jobrad = {
           browserType = "chrome";
           home = "${homeFolder}/jobrad-chrome";
           homeBackup = "${backupFolder}/jobrad-chrome";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         firefox-tmp = {
           browserType = "firefox";
           home = "${homeFolder}/firefox-tmp";
           homeBackup = "${backupFolder}/firefox-tmp-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         chromium-tmp = {
           browserType = "chrome";
           home = "${homeFolder}/chromium-tmp";
           homeBackup = "${backupFolder}/chrome-tmp-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
         google-tmp = {
           browserType = "google";
           home = "${homeFolder}/google-tmp";
           homeBackup = "${backupFolder}google-tmp-browser";
           gpu = false;
+          sudoUsers = [ config.users.users.mainUser.name ];
         };
 
       };

components/nixos/boot/default.nix

@@ -1,16 +0,0 @@
-{ lib, config, ... }:
-{
-
-  imports = [
-    ./ssh.nix
-    ./tor.nix
-  ];
-
-  options.components.nixos.boot.enable = lib.mkOption {
-    type = lib.types.bool;
-    default = false;
-  };
-
-  config = lib.mkIf (config.components.nixos.boot.enable) { };
-
-}

components/nixos/boot/tor.nix

@@ -1,95 +0,0 @@
-{ config, lib, pkgs, factsGenerator, clanLib, ... }:
-with lib;
-with types;
-
-{
-  options.components.nixos.boot.tor = {
-    enable = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-    };
-  };
-
-  config = mkMerge [
-
-    # todo : not working at the moment, because onion hostnames are secrets
-    #(
-    #  let
-    #    onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
-    #    generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
-    #      ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
-    #    '';
-    #  in
-    #  {
-    #    # add known hosts
-    #    services.openssh.knownHosts =
-    #      mapAttrs
-    #        (_machine: onionId: {
-    #          hostNames = [ "[${onionId}]:2222" ];
-    #        })
-    #        onionIds;
-    #    # create unlook tor boot script
-    #    environment.systemPackages =
-    #      mapAttrsToList generateOnionUnlockScript onionIds;
-    #  }
-    #)
-
-    # tor part
-    # --------
-    (mkIf (config.components.nixos.boot.tor.enable) {
-
-      # tor secrets
-      clan.core.facts.services."initrd.tor" = factsGenerator.tor {
-        name = "initrd";
-        addressPrefix = "init";
-      };
-      boot.initrd.secrets = {
-        "/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
-        "/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
-      };
-
-      boot.initrd.systemd.storePaths = [
-        pkgs.tor
-        pkgs.iproute2
-        pkgs.coreutils
-      ];
-      boot.initrd.systemd.contents = {
-        "/etc/tor/tor.rc".text = ''
-          DataDirectory /etc/tor
-          SOCKSPort 127.0.0.1:9050 IsolateDestAddr
-          SOCKSPort 127.0.0.1:9063
-          HiddenServiceDir /etc/tor/onion/bootup
-          HiddenServicePort 2222 127.0.0.1:2222
-        '';
-      };
-
-      boot.initrd.systemd.services.tor = {
-        description = "tor during init";
-        wantedBy = [ "initrd.target" ];
-        after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
-        before = [ "shutdown.target" ];
-        conflicts = [ "shutdown.target" ];
-
-        unitConfig.DefaultDependencies = false;
-        path = [
-          pkgs.tor
-          pkgs.iproute2
-          pkgs.coreutils
-        ];
-        script =
-          ''
-            echo "tor: preparing onion folder"
-            # have to do this otherwise tor does not want to start
-            chmod -R 700 /etc/tor
-
-            echo "tor: starting tor"
-            tor -f /etc/tor/tor.rc --verify-config
-            tor -f /etc/tor/tor.rc
-          '';
-      };
-    })
-
-
-  ];
-}
-

components/nixos/default.nix

@@ -2,7 +2,6 @@
 {
   imports = [
     ./upgrade-diff.nix
-    ./boot
   ];
 
   options.components.nixos.enable = lib.mkOption {

features/boot/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./ssh.nix
+    ./tor.nix
+  ];
+}

features/boot/ssh.nix

@@ -3,10 +3,10 @@ with lib;
 with types;
 
 {
-  options.components.nixos.boot.ssh = {
+  options.features.boot.ssh = {
     enable = lib.mkOption {
       type = lib.types.bool;
-      default = config.components.nixos.boot.enable;
+      default = false;
     };
     kernelModules = mkOption {
       type = listOf str;
@@ -16,12 +16,7 @@ with types;
     };
   };
 
-  config = mkIf (config.components.nixos.boot.ssh.enable) {
-
-    # root password
-    #clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
-    #users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path; # fixme not working for some reason
-    #users.users.root.initalPassword = "admin";
+  config = mkIf (config.features.boot.ssh.enable) {
 
     # ssh host key
     clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
@@ -32,7 +27,7 @@ with types;
 
     # network
     boot.initrd.systemd.network.enable = true;
-    boot.initrd.availableKernelModules = config.components.nixos.boot.ssh.kernelModules;
+    boot.initrd.availableKernelModules = config.features.boot.ssh.kernelModules;
 
     # ssh
     boot.initrd.network.enable = true;

features/boot/tor.nix

@@ -0,0 +1,65 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+{
+  options.features.boot.tor = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = mkIf (config.features.boot.tor.enable) {
+
+    # tor secrets
+    clan.core.facts.services."initrd.tor" = factsGenerator.tor {
+      name = "initrd";
+      addressPrefix = "init";
+    };
+    boot.initrd.secrets = {
+      "/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
+      "/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
+    };
+
+    boot.initrd.systemd.storePaths = [
+      pkgs.tor
+      pkgs.iproute2
+      pkgs.coreutils
+    ];
+    boot.initrd.systemd.contents = {
+      "/etc/tor/tor.rc".text = ''
+        DataDirectory /etc/tor
+        SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+        SOCKSPort 127.0.0.1:9063
+        HiddenServiceDir /etc/tor/onion/bootup
+        HiddenServicePort 2222 127.0.0.1:2222
+      '';
+    };
+
+    boot.initrd.systemd.services.tor = {
+      description = "tor during init";
+      wantedBy = [ "initrd.target" ];
+      after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+      before = [ "shutdown.target" ];
+      conflicts = [ "shutdown.target" ];
+
+      unitConfig.DefaultDependencies = false;
+      path = [
+        pkgs.tor
+        pkgs.iproute2
+        pkgs.coreutils
+      ];
+      script =
+        ''
+          echo "tor: preparing onion folder"
+          # have to do this otherwise tor does not want to start
+          chmod -R 700 /etc/tor
+
+          echo "tor: starting tor"
+          tor -f /etc/tor/tor.rc --verify-config
+          tor -f /etc/tor/tor.rc
+        '';
+    };
+  };
+}
+

features/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./boot ];
+}

flake.nix

@@ -172,6 +172,7 @@
           clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
           zerotierDeviceName = "ztbn67ogn2";
           components = ./components;
+          features = ./features;
         };
       };
 
@@ -260,6 +261,8 @@
             documentation.nixos.options.warningsAreErrors = false; # todo make this true again
             documentation.nixos.extraModules = [
               ./components
+              ./features
+              #./modules
               inputs.clan-core.nixosModules.clanCore
               # inputs.stylix.nixosModules.stylix # fixme: not working
               permown.nixosModules.permown
@@ -272,6 +275,12 @@
             boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 10;
             boot.loader.grub.configurationLimit = lib.mkDefault 10;
           })
+        # My Structure
+        ./components
+        ./features
+        ./modules # todo : spread this across features and components
+        #./system/all # todo : spread this across features and components
+
         # some modules I always use
         permown.nixosModules.permown
         kmonad.nixosModules.default

machines/cherry/configuration.nix

@@ -3,9 +3,6 @@
 
   imports = [
 
-    ../../components
-    ../../modules
-
     ./hardware-configuration
 
     ./syncthing.nix

machines/chungus/configuration.nix

@@ -5,9 +5,6 @@
     # todo : remove
     ../../system/all
 
-    ../../components
-    ../../modules
-
     ./hardware-configuration
 
     ./packages.nix
@@ -58,8 +55,7 @@
   components.network.wifi.enable = false;
   components.terminal.enable = true;
 
-  components.nixos.boot.enable = true;
-  components.nixos.boot.ssh.kernelModules = [ "e1000e" ];
+  features.boot.ssh.kernelModules = [ "e1000e" ];
 
   components.monitor.enable = true;
   components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";

machines/cream/configuration.nix

@@ -3,9 +3,6 @@
 
   imports = [
 
-    ../../components
-    ../../modules
-
     ./hardware-configuration.nix
 
     ./syncthing.nix

machines/orbi/configuration.nix

@@ -5,9 +5,6 @@
 
     ../../system/all/defaults.nix
 
-    ../../components
-    ../../modules
-
     ./service-forgejo-runner.nix
     ./service-forgejo.nix
     ./service-hedgedoc.nix
@@ -50,7 +47,8 @@
   components.network.fail2ban.enable = true;
   components.network.sshd.sshguard.enable = false;
 
-  components.nixos.boot.enable = true;
+  features.boot.ssh.enable = true;
+  features.boot.tor.enable = true;
 
   components.monitor.enable = true;
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];

machines/orbi/media-nextcloud.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, factsGenerator, ... }:
+{ pkgs, config, factsGenerator, components, ... }:
 
 # don't forget the database backup before upgrading
 # -------------------------------------------------
@@ -85,7 +85,7 @@ in
 
     config = { config, lib, ... }: {
       nixpkgs.pkgs = pkgs;
-      imports = [ ../../components/monitor/container.nix ];
+      imports = [ "${components}/monitor/container.nix" ];
       system.stateVersion = "23.11";
       services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
 

machines/orbi/media-transmission2.nix

@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, components, ... }:
 let
   uiPort = 9091;
 in
@@ -25,7 +25,7 @@ in
 
     config = { config, lib, ... }: {
       nixpkgs.pkgs = pkgs;
-      imports = [ ../../components/monitor/container.nix ];
+      imports = [ "${components}/monitor/container.nix" ];
       system.stateVersion = "21.05";
       services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
 

machines/orbi/service-photoprism.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, components, ... }:
 let
   mySQLPackage = pkgs.mysql;
   photoprismPort = 2342;
@@ -15,7 +15,7 @@ in
 
     config = { config, lib, ... }: {
       nixpkgs.pkgs = pkgs;
-      imports = [ ../../components/monitor/container.nix ];
+      imports = [ "${components}/monitor/container.nix" ];
       system.stateVersion = "23.11";
       services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
 

machines/orbi/service-surrealdb.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, clanCore, factsGenerator, ... }:
+{ config, pkgs, lib, clanCore, factsGenerator, components, ... }:
 let
   surrealdbPort = 8000;
 in
@@ -12,7 +12,7 @@ in
 
     config = { config, lib, ... }: {
       nixpkgs.pkgs = pkgs;
-      imports = [ ../../components/monitor/container.nix ];
+      imports = [ "${components}/monitor/container.nix" ];
       system.stateVersion = "24.05";
       services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
 

machines/orbi/service-vikunja.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, components, ... }:
 let
   vikunjaPort = 3456;
   mysqlPort = 3337;
@@ -13,7 +13,7 @@ in
 
     config = { config, lib, ... }: {
       nixpkgs.pkgs = pkgs;
-      imports = [ ../../components/monitor/container.nix ];
+      imports = [ "${components}/monitor/container.nix" ];
       system.stateVersion = "24.05";
       services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
 

machines/orbi/social-matrix-terranix.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, factsGenerator, ... }:
+{ config, pkgs, factsGenerator, components, ... }:
 let
   # 1. create DNS entry `matrix.terranix.org A - 95.216.66.212`
   # 2. test with : https://federationtester.matrix.org/#terranix.org
@@ -66,7 +66,7 @@ in
 
     config = { config, lib, ... }: {
       nixpkgs.pkgs = pkgs;
-      imports = [ ../../components/monitor/container.nix ];
+      imports = [ "${components}/monitor/container.nix" ];
       system.stateVersion = "23.11";
       services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
 

machines/probe/configuration.nix

@@ -1,8 +1,6 @@
 { lib, config, pkgs, ... }: {
   imports = [
     ./hardware-configuration
-    ../../components
-    ../../modules
   ];
 
   system.stateVersion = "24.11";
@@ -10,9 +8,8 @@
   components.mainUser.enable = true;
   components.network.enable = true;
 
-  components.nixos.boot.enable = true;
-  components.nixos.boot.ssh.enable = true;
-  components.nixos.boot.tor.enable = true;
+  features.boot.ssh.enable = true;
+  features.boot.tor.enable = true;
 
   components.monitor.enable = false;
 

machines/sternchen/configuration.nix

@@ -2,8 +2,6 @@
 
   imports = [
 
-    ../../components
-    ../../modules
     ./hardware-configuration.nix
     ./packages.nix
     ./syncthing.nix

modules/browser.nix

@@ -232,7 +232,6 @@ in
               '';
             };
             sudoUsers = mkOption {
-              default = [ config.users.users.mainUser.name ];
               type = with types; listOf str;
               description = ''
                 user allowed to run sudo without password to start the browser

system/all/default.nix

@@ -2,8 +2,6 @@
 
   imports = [
 
-    ../../modules
-    ../../components/network
     ./defaults.nix
     ./grub.nix
     ./packages.nix