Restructure to focus on nix.

common/backups/restic.nix

@@ -0,0 +1,70 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf mkEnableOption mkOption types;
+  cfg = config.foehammer.backups.restic;
+in {
+  options.foehammer.backups.restic = {
+    enable = mkEnableOption "Enable restic backups";
+
+    repositoryFile = mkOption {
+      type = types.nullOr types.path;
+    };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.str;
+    };
+
+    passwordFile = mkOption {
+      type = types.str;
+    };
+
+    paths = mkOption {
+      type = lib.types.nullOr (lib.types.listOf lib.types.str);
+      default = [];
+    };
+
+    exclude = mkOption {
+      type = lib.types.nullOr (lib.types.listOf lib.types.str);
+      default = [];
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.restic = {};
+    users.users.restic = {
+      isSystemUser = true;
+      group = "restic";
+    };
+
+    security.wrappers.restic = {
+      source = "${pkgs.restic.out}/bin/restic";
+      owner = "restic";
+      group = "restic";
+      permissions = "u=rwx,g=,o=";
+      capabilities = "cap_dac_read_search=+ep";
+    };
+
+    services.restic.backups = {
+      remote = {
+        paths = cfg.paths;
+        exclude = cfg.exclude;
+        user = "restic";
+
+        initialize = true;
+
+        repositoryFile = cfg.repositoryFile;
+        environmentFile = cfg.environmentFile;
+        passwordFile = cfg.passwordFile;
+
+        pruneOpts = [
+          "--keep-daily 7"
+          "--keep-weekly 4"
+        ];
+      };
+    };
+  };
+}

common/caddy.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.foehammer.caddy;
+in {
+  options.foehammer.caddy.enable = mkEnableOption "Enable caddy with default configuration.";
+  config = mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+      email = "foehammer127points+acme@gmail.com";
+    };
+
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
+}

common/nix.nix

@@ -0,0 +1,26 @@
+{...}: {
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+
+    settings = {
+      experimental-features = [
+        "auto-allocate-uids"
+        "flakes"
+        "nix-command"
+      ];
+
+      trusted-users = ["root" "@wheel"];
+
+      substituters = ["https://cache.nixos.org" "https://cache.garnix.io"];
+      trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="];
+    };
+  };
+}

common/nixos.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf;
+in {
+  config = {
+    users.mutableUsers = false;
+
+    environment.systemPackages = with pkgs; [neovim git];
+
+    networking = {
+      firewall = {
+        enable = true;
+      };
+
+      nameservers = ["1.1.1.1" "8.8.8.8"];
+      # If using dhcpcd:
+      dhcpcd.extraConfig = mkIf config.networking.dhcpcd.enable "nohook resolv.conf";
+      # If using NetworkManager:
+      networkmanager.dns = mkIf config.networking.networkmanager.enable "none";
+    };
+
+    services.openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+      };
+    };
+  };
+}

common/services/vaultwarden.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf mkOption;
+
+  cfg = config.foehammer.services.vaultwarden;
+in {
+  options.foehammer.services.vaultwarden = {
+    enable = mkEnableOption "Enable Vaultwarden Server";
+
+    port = mkOption {
+      type = lib.types.port;
+      default = 8222;
+      description = ''
+        What external port to serve over.
+      '';
+    };
+
+    signups = mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+
+    envPath = mkOption {
+      type = lib.types.path;
+    };
+
+    domain = mkOption {
+      type = lib.types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
+
+      config = {
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = cfg.port;
+        DOMAIN = cfg.domain;
+        ROCKET_LOG = "critical";
+        SIGNUPS_ALLOWED = cfg.signups;
+      };
+
+      environmentFile = cfg.envPath;
+    };
+  };
+}

common/sudo.nix

@@ -0,0 +1,7 @@
+{...}: {
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    wheelNeedsPassword = false;
+  };
+}

common/tailscale.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkOption types mkIf;
+  cfg = config.foehammer.tailscale;
+in {
+  options.foehammer.tailscale = {
+    enable = mkEnableOption "Enable tailscale";
+    authKeyFile = mkOption {
+      type = types.nullOr types.path;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.tailscale = {
+      enable = true;
+      authKeyFile = cfg.authKeyFile;
+      openFirewall = true;
+    };
+
+    networking.firewall.trustedInterfaces = ["tailscale0"];
+  };
+}

common/users/admin.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  foelib,
+  ...
+}: let
+  inherit (lib) mkIf mkOption mkEnableOption optionals types;
+  cfg = config.foehammer.users.admin;
+in {
+  options.foehammer.users.admin = {
+    enable = mkEnableOption "Enable a wheel admin user.";
+    hashedPasswordFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+    };
+  };
+  config = mkIf cfg.enable {
+    users.users.admin = {
+      createHome = true;
+      description = "SSH Admin User.";
+      group = "admin";
+
+      extraGroups = ["wheel"] ++ optionals config.virtualisation.docker.enable ["docker"];
+      isNormalUser = true;
+      uid = 9999;
+
+      openssh.authorizedKeys.keys = foelib.getSSHKeys "foehammer";
+
+      hashedPasswordFile = cfg.hashedPasswordFile;
+    };
+
+    users.groups.admin.gid = config.users.users.admin.uid;
+  };
+}