cleanup

modules/nixos/desktop/gnome/default.nix

@@ -10,16 +10,16 @@ let
   cfg = config.${namespace}.desktop.gnome;
 in
 {
-  imports = [ ../../../home/desktop/gnome/options.nix ];
+  options.${namespace}.desktop.gnome = {
+    enable = lib.mkEnableOption "GNOME desktop environment";
+  };
 
   config = lib.mkIf cfg.enable {
     services = {
-      # Enable Desktop Environment.
       desktopManager.gnome = enabled;
-      # Enable Desktop Environment.
-      displayManager = {
-        gdm = lib.mkDefault enabled;
-        gdm.wayland = lib.mkDefault true;
+      displayManager.gdm = {
+        enable = lib.mkDefault true;
+        wayland = lib.mkDefault true;
       };
 
       gnome = {
@@ -49,11 +49,9 @@ in
 
     xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
 
-    programs = {
-      kdeconnect = {
-        enable = false;
-        package = pkgs.gnomeExtensions.gsconnect;
-      };
+    programs.kdeconnect = {
+      enable = false;
+      package = pkgs.gnomeExtensions.gsconnect;
     };
   };
 }

modules/nixos/hardware/amd/default.nix

@@ -12,15 +12,13 @@ let
 in
 {
   options.${namespace}.hardware.amd = {
-    enable = mkEnableOption "amd hardware config";
+    enable = mkEnableOption "AMD hardware configuration";
 
-    corectrl.enable = mkBoolOpt false "Enable Corectl";
+    corectrl.enable = mkBoolOpt false "Enable CoreCtrl GPU control";
+    corectrl.enablePolkit = mkBoolOpt false "Enable CoreCtrl polkit rules";
+    corectrl.polkitGroup = mkOpt types.str "wheel" "Group allowed to use CoreCtrl without password";
 
-    corectrl.enablePolkit = mkBoolOpt false "Enable Corectl Polkit";
-
-    corectrl.polkitGroup = mkOpt types.str "wheel" "Corectl Polkit Group";
-
-    lact.enable = mkBoolOpt false "Enable Lact daemon";
+    lact.enable = mkBoolOpt false "Enable LACT daemon (AMD GPU control)";
   };
 
   config = lib.mkIf cfg.enable {
@@ -29,26 +27,23 @@ in
         "nct6775"
         "k10temp"
       ];
-      kernelParams = [ (if cfg.enable then "amdgpu.ppfeaturemask=0xffffffff" else null) ];
+      kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" ];
     };
 
-    # Configure programs
     programs.corectrl = {
       enable = cfg.corectrl.enable;
       package = pkgs.corectrl;
     };
 
-    # Configure environment
     environment = {
-      # Force radv
       variables = {
         AMD_VULKAN_ICD = "RADV";
         STEAM_FORCE_DESKTOPUI_SCALING = "1.0";
         GDK_SCALE = "1";
       };
+      systemPackages = lib.mkIf cfg.lact.enable [ pkgs.lact ];
     };
 
-    # Configure polkit
     security.polkit = lib.mkIf cfg.corectrl.enablePolkit {
       extraConfig = ''
         polkit.addRule(function(action, subject) {
@@ -63,13 +58,13 @@ in
       '';
     };
 
-    # nixpkg is broken so need to manually define
+    # k10temp is listed in kernelModules above, but the module doesn't always
+    # load early enough for sensors to be available.  This service ensures it
+    # is loaded after multi-user.target.
     systemd.services = {
       load-k10temp = {
-        description = "Load k10temp manually cause it wont otherwise";
-        script = ''
-          ${pkgs.kmod}/bin/modprobe k10temp
-        '';
+        description = "Load k10temp kernel module";
+        script = "${pkgs.kmod}/bin/modprobe k10temp";
         wantedBy = [ "multi-user.target" ];
       };
       lactd = lib.mkIf cfg.lact.enable {
@@ -78,17 +73,10 @@ in
           bash
           lact
         ];
-        script = ''
-          lact daemon
-        '';
+        script = "lact daemon";
         wantedBy = [ "multi-user.target" ];
         after = [ "multi-user.target" ];
       };
     };
-
-    # Configure environment
-    environment = {
-      systemPackages = with pkgs; lib.mkIf cfg.lact.enable [ lact ];
-    };
   };
 }

modules/nixos/power/default.nix

@@ -59,10 +59,5 @@ in
       };
     };
 
-    services = {
-      apcupsd = {
-        enable = true;
-      };
-    };
   };
 }

modules/nixos/services/authentik/options.nix

@@ -1,31 +0,0 @@
-{ lib, namespace, ... }:
-with lib;
-{
-  options.${namespace}.services.authentik = {
-    enable = mkEnableOption "authentik identity provider";
-
-    port = mkOption {
-      type = types.port;
-      default = 9000;
-      description = "Port for authentik web interface";
-    };
-
-    openFirewall = mkOption {
-      type = types.bool;
-      default = true;
-      description = "Whether to open firewall for authentik";
-    };
-
-    environmentFile = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      description = "Path to environment file containing authentik secrets";
-    };
-
-    dataDir = mkOption {
-      type = types.str;
-      default = "/var/lib/authentik";
-      description = "Data directory for authentik";
-    };
-  };
-}

modules/nixos/services/mongodb/default.nix

@@ -14,11 +14,11 @@ let
     description = "mongodb";
     options = { };
     moduleConfig = {
-      virtualisation.oci-containers.containers."${cfg.name}" = {
+      virtualisation.oci-containers.containers."${name}" = {
         autoStart = true;
         image = "mongo";
-        ports = [ "${cfg.port}:27017" ];
-        volumes = [ "${cfg.configPath}/mongodb:/data/db" ];
+        ports = [ "${toString cfg.port}:27017" ];
+        volumes = [ "${cfg.configDir}/mongodb:/data/db" ];
         extraOptions = [ "--network-alias=mongo" ];
         # environmentFiles = cfg.environmentFiles;
         environment = {

modules/nixos/services/nebula-lighthouse/sops.nix

@@ -37,7 +37,7 @@ in
           sopsFile = (lib.snowfall.fs.get-file "secrets/pi5-secrets.yaml");
           owner = "nebula-jallen-nebula";
           group = "nebula-jallen-nebula";
-          restartUnits = [ "nebula@v-nebula.service" ];
+          restartUnits = [ "nebula@jallen-nebula.service" ];
         };
       };
     };

modules/nixos/services/owncloud/options.nix

@@ -1,47 +0,0 @@
-{ lib, namespace, ... }:
-with lib;
-{
-  options.${namespace}.services.free-games-claimer = {
-    enable = mkEnableOption "free-games-claimer docker service";
-
-    autoStart = mkOption {
-      type = types.bool;
-      default = true;
-    };
-
-    httpPort = mkOption {
-      type = types.str;
-      default = "6080";
-    };
-
-    name = mkOption {
-      type = types.str;
-      default = "free-games-claimer";
-    };
-
-    image = mkOption {
-      type = types.str;
-      default = "ghcr.io/vogler/free-games-claimer";
-    };
-
-    dataPath = mkOption {
-      type = types.str;
-      default = "/media/nas/main/nix-app-data/free-games-claimer";
-    };
-
-    puid = mkOption {
-      type = types.str;
-      default = "911";
-    };
-
-    pgid = mkOption {
-      type = types.str;
-      default = "1000";
-    };
-
-    timeZone = mkOption {
-      type = types.str;
-      default = "America/Chicago";
-    };
-  };
-}

modules/nixos/shell/default.nix

@@ -1,15 +0,0 @@
-{ lib, ... }:
-{
-  programs = {
-    zsh.enable = lib.mkForce true;
-    gnupg.agent = {
-      enable = lib.mkDefault true;
-      enableSSHSupport = lib.mkDefault true;
-    };
-    nix-index = {
-      enable = lib.mkDefault true;
-      enableBashIntegration = lib.mkDefault false;
-      enableZshIntegration = lib.mkDefault true;
-    };
-  };
-}

modules/nixos/sops/default.nix

@@ -6,114 +6,39 @@
   ...
 }:
 let
-  defaultSops = (lib.snowfall.fs.get-file "secrets/secrets.yaml");
+  cfg = config.${namespace}.sops;
+  defaultSops = lib.snowfall.fs.get-file "secrets/secrets.yaml";
   isx86 = system == "x86_64-linux";
   user = config.${namespace}.user.name;
 in
 {
-  # Permission modes are in octal representation (same as chmod),
-  # the digits represent: user|group|others
-  # 7 - full (rwx)
-  # 6 - read and write (rw-)
-  # 5 - read and execute (r-x)
-  # 4 - read only (r--)
-  # 3 - write and execute (-wx)
-  # 2 - write only (-w-)
-  # 1 - execute only (--x)
-  # 0 - none (---)
-  # Either a user id or group name representation of the secret owner
-  # It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
-  # Either the group id or group name representation of the secret group
-  # It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
-  sops = {
-    defaultSopsFile = defaultSops;
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  config = lib.mkIf cfg.enable {
+    sops = {
+      defaultSopsFile = if cfg.defaultSopsFile != null then cfg.defaultSopsFile else defaultSops;
+      age.sshKeyPaths = cfg.sshKeyPaths;
 
-    # ------------------------------
-    # Secrets
-    # ------------------------------
-    secrets = {
-      "wifi" = { };
+      secrets = {
+        "wifi" = { };
 
-      "matt_password" = {
-        neededForUsers = true;
-        mode = "0600";
-        owner = config.users.users."${user}".name;
-        group = config.users.users."${user}".group;
+        "matt_password" = {
+          neededForUsers = true;
+          mode = "0600";
+          owner = config.users.users."${user}".name;
+          group = config.users.users."${user}".group;
+        };
+
+        "disk-key".mode = "0600";
+
+        "secureboot/GUID" = lib.mkIf isx86 { mode = "0600"; };
+        "secureboot/keys/db-key" = lib.mkIf isx86 { mode = "0600"; };
+        "secureboot/keys/db-pem" = lib.mkIf isx86 { mode = "0600"; };
+        "secureboot/keys/KEK-key" = lib.mkIf isx86 { mode = "0600"; };
+        "secureboot/keys/KEK-pem" = lib.mkIf isx86 { mode = "0600"; };
+        "secureboot/keys/PK-key" = lib.mkIf isx86 { mode = "0600"; };
+        "secureboot/keys/PK-pem" = lib.mkIf isx86 { mode = "0600"; };
       };
 
-      "disk-key" = {
-        mode = "0600";
-      };
-
-      # ------------------------------
-      # SSH keys
-      # ------------------------------
-      # "ssh-keys-public/desktop-nixos" = {
-      #   sopsFile = sharedSops;
-      #   mode = "0644";
-      #   owner = config.users.users."${user}".name;
-      #   group = config.users.users."${user}".group;
-      #   restartUnits = [ "sshd.service" ];
-      # };
-      # "ssh-keys-private/desktop-nixos" = {
-      #   sopsFile = sharedSops;
-      #   mode = "0600";
-      #   owner = config.users.users."${user}".name;
-      #   group = config.users.users."${user}".group;
-      #   restartUnits = [ "sshd.service" ];
-      # };
-      # "ssh-keys-public/desktop-nixos-root" = {
-      #   sopsFile = sharedSops;
-      #   path = "/root/.ssh/id_ed25519.pub";
-      #   mode = "0600";
-      #   restartUnits = [ "sshd.service" ];
-      # };
-      # "ssh-keys-private/desktop-nixos-root" = {
-      #   sopsFile = sharedSops;
-      #   path = "/root/.ssh/id_ed25519";
-      #   mode = "0600";
-      #   restartUnits = [ "sshd.service" ];
-      # };
-
-      # ------------------------------
-      # Secureboot keys
-      # ------------------------------
-      "secureboot/GUID" = lib.mkIf isx86 {
-        # path = "/etc/secureboot/GUID";
-        mode = "0600";
-      };
-      "secureboot/keys/db-key" = lib.mkIf isx86 {
-        # path = "/etc/secureboot/keys/db/db.key";
-        mode = "0600";
-      };
-      "secureboot/keys/db-pem" = lib.mkIf isx86 {
-        # path = "/etc/secureboot/keys/db/db.pem";
-        mode = "0600";
-      };
-      "secureboot/keys/KEK-key" = lib.mkIf isx86 {
-        # path = "/etc/secureboot/keys/KEK/KEK.key";
-        mode = "0600";
-      };
-      "secureboot/keys/KEK-pem" = lib.mkIf isx86 {
-        # path = "/etc/secureboot/keys/KEK/KEK.pem";
-        mode = "0600";
-      };
-      "secureboot/keys/PK-key" = lib.mkIf isx86 {
-        # path = "/etc/secureboot/keys/PK/PK.key";
-        mode = "0600";
-      };
-      "secureboot/keys/PK-pem" = lib.mkIf isx86 {
-        # path = "/etc/secureboot/keys/PK/PK.pem";
-        mode = "0600";
-      };
-    };
-
-    # ------------------------------
-    # Templates
-    # ------------------------------
-    templates = {
-      # ...
+      templates = { };
     };
   };
 }

modules/nixos/virtualization/default.nix

@@ -4,6 +4,6 @@
   virtualisation = {
     libvirtd.enable = lib.mkDefault true;
     podman.enable = lib.mkDefault true;
-    waydroid.enable = lib.mkDefault true;
+    waydroid.enable = lib.mkDefault false;
   };
 }