Lebesque Configuration.

nixos/common/caddy.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  ...
 }: let
   inherit (lib) mkIf mkEnableOption;
   cfg = config.foehammer.caddy;

nixos/common/nixos.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  ...
 }: let
   inherit (lib) mkIf;
 in {

nixos/common/services/vaultwarden.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  ...
 }: let
   inherit (lib) mkEnableOption mkIf mkOption;
 
@@ -32,21 +33,23 @@ in {
     };
   };
 
-  config.services.vaultwarden = mkIf cfg.enable {
-    enable = true;
+  config = mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
 
-    config = {
-      ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = cfg.port;
-      DOMAIN = cfg.domain;
-      ROCKET_LOG = "critical";
-      SIGNUPS_ALLOWED = cfg.signups;
+      config = {
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = cfg.port;
+        DOMAIN = cfg.domain;
+        ROCKET_LOG = "critical";
+        SIGNUPS_ALLOWED = cfg.signups;
+      };
+
+      environmentFile = cfg.envPath;
     };
 
     foehammer.backups.paths = [
       "/var/lib/bitwarden_rs"
     ];
-
-    environmentFile = cfg.envPath;
   };
 }

nixos/common/sudo.nix

@@ -0,0 +1,7 @@
+{...}: {
+  security.sudo = {
+    enable = true;
+    execWheelOnly = true;
+    wheelNeedsPassword = false;
+  };
+}

nixos/common/users/admin.nix

@@ -4,10 +4,16 @@
   foelib,
   ...
 }: let
-  inherit (lib) mkIf mkEnableOption optionals;
+  inherit (lib) mkIf mkOption mkEnableOption optionals types;
   cfg = config.foehammer.users.admin;
 in {
-  options.foehammer.users.admin.enable = mkEnableOption "Enable a wheel admin user.";
+  options.foehammer.users.admin = {
+    enable = mkEnableOption "Enable a wheel admin user.";
+    hashedPasswordFile = mkOption {
+      type = with types; nullOr str;
+      default = null;
+    };
+  };
   config = mkIf cfg.enable {
     users.users.admin = {
       createHome = true;
@@ -19,6 +25,8 @@ in {
       uid = 9999;
 
       openssh.authorizedKeys.keys = foelib.getSSHKeys "foehammer";
+
+      hashedPasswordFile = cfg.hashedPasswordFile;
     };
 
     users.groups.admin.gid = config.users.users.admin.uid;

nixos/flake.nix

@@ -30,11 +30,11 @@
       };
 
       flake = {
-        lib = import ./lib;
+        lib = import ./lib inputs.nixpkgs withSystem;
         overlays.default = final: prev: (import ./lib/packages.nix prev);
 
         nixosModules.default = {...}: {
-          imports = self.lib.utils.findNixFiles ./nixos;
+          imports = self.lib.utils.findNixFiles ./common;
         };
       };
     });

nixos/lib/default.nix

@@ -1,5 +1,5 @@
-{
+nixpkgs: withSystem: {
   utils = import ./utils.nix;
   getSSHKeys = (import ./keys.nix).getSSHKeys;
-  mkSystem = (import ./nixos.nix).mkSystem;
+  mkSystem = (import ./nixos.nix nixpkgs withSystem).mkSystem;
 }

nixos/lib/keys.nix

@@ -1,4 +1,6 @@
-rec {
+let
+  utils = import ./utils.nix;
+in rec {
   getSSHKeys = name: (getKeySets ../keys)."${name}";
 
   getKeySets = dir: let
@@ -10,19 +12,11 @@ rec {
       if type == "regular"
       then [
         {
-          name = getName name;
+          name = utils.getName name;
           value = builtins.attrValues (import path);
         }
       ]
       else [];
   in
     builtins.listToAttrs (builtins.concatLists (builtins.attrValues (builtins.mapAttrs procEntry entries)));
-
-  getName = filename: let
-    parts = builtins.split "\\." filename;
-    base = builtins.head (builtins.split "\\." filename);
-  in
-    if builtins.length parts == 1
-    then filename
-    else base;
 }

nixos/lib/nixos.nix

@@ -1,25 +1,25 @@
-let
-  foelib = import ./default.nix;
+nixpkgs: withSystem: let
+  foelib = import ./default.nix nixpkgs withSystem;
 in {
-  mkSystem = nixpkgs: pkgs: hostname: modules:
-    nixpkgs.lib.nixosSystem {
-      modules =
-        [
-          {
-            nix.registry = {
-              nixpkgs.flake = nixpkgs;
-              p.flake = nixpkgs;
-            };
-            nixpkgs.pkgs = pkgs;
+  mkSystem = hostname: host-platform: modules:
+    withSystem host-platform
+    ({pkgs, ...}:
+      nixpkgs.lib.nixosSystem {
+        modules =
+          [
+            {
+              nix.registry = {
+                nixpkgs.flake = nixpkgs;
+                p.flake = nixpkgs;
+              };
+              nixpkgs.pkgs = pkgs;
 
-            networking.hostname = hostname;
-          }
-        ]
-        ++ modules
-        ++ foelib.utils.findNixFiles ../nixos;
-
-      specialArgs = {
-        inherit hostname foelib;
-      };
-    };
+              networking.hostName = hostname;
+            }
+          ]
+          ++ modules;
+        specialArgs = {
+          inherit hostname foelib;
+        };
+      });
 }

nixos/lib/utils.nix

@@ -1,6 +1,6 @@
 rec {
   findNixFiles = dir: let
-    inherit (builtins) attrNames readDir pathExists concatMap hasSuffix;
+    inherit (builtins) attrNames readDir pathExists concatMap;
 
     # Helper function to build full paths
     fullPath = name: dir + "/${name}";
@@ -16,11 +16,32 @@ rec {
       path = fullPath name;
       type = contents.${name};
     in
-      if type == "regular" && hasSuffix ".nix" name
+      if type == "regular" && hasSuffix "nix" name
       then [path]
       else if type == "directory" && pathExists path
       then findNixFiles path
       else [];
   in
     concatMap processItem names;
+
+  getName = filename: let
+    parts = builtins.split "\\." filename;
+    base = builtins.head (builtins.split "\\." filename);
+  in
+    if builtins.length parts == 1
+    then filename
+    else base;
+
+  getSuffix = filename: let
+    parts = builtins.split "\\." filename;
+    end = builtins.tail (builtins.split "\\." filename);
+  in
+    if builtins.length parts == 1
+    then filename
+    else builtins.elemAt end (builtins.length end - 1);
+
+  hasSuffix = suffix: filename:
+    if (getSuffix filename) == suffix
+    then true
+    else false;
 }