service/remote-build: fix shell

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1766150702,
+        "lastModified": 1768923567,
-        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28",
         "type": "github"
       },
       "original": {
@@ -114,11 +114,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767281941,
+        "lastModified": 1769069492,
-        "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
+        "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
+        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
         "type": "github"
       },
       "original": {
@@ -222,11 +222,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1768584846,
+        "lastModified": 1769086393,
-        "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=",
+        "narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440",
+        "rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca",
         "type": "github"
       },
       "original": {
@@ -237,11 +237,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768323494,
+        "lastModified": 1769089682,
-        "narHash": "sha256-yBXJLE6WCtrGo7LKiB6NOt6nisBEEkguC/lq/rP3zRQ=",
+        "narHash": "sha256-9yA/LIuAVQq0lXelrZPjLuLVuZdm03p8tfmHhnDIkms=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2c3e5ec5df46d3aeee2a1da0bfedd74e21f4bf3a",
+        "rev": "078d69f03934859a181e81ba987c2bb033eebfc5",
         "type": "github"
       },
       "original": {
@@ -297,11 +297,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1768564909,
+        "lastModified": 1769018530,
-        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+        "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+        "rev": "88d3861acdd3d2f0e361767018218e51810df8a1",
         "type": "github"
       },
       "original": {
@@ -354,11 +354,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768481291,
+        "lastModified": 1768863606,
-        "narHash": "sha256-NjKtkJraCZEnLHAJxLTI+BfdU//9coAz9p5TqveZwPU=",
+        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e085e303dfcce21adcb5fec535d65aacb066f101",
+        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
         "type": "github"
       },
       "original": {

flake.nix

@@ -97,6 +97,7 @@
               keep-sorted.enable = true;
               markdownlint.enable = true;
               nil.enable = true;
+              nixf-diagnose.enable = true;
               nixfmt-rfc-style.enable = true;
               shellcheck.enable = true;
               statix.enable = true;

images/base-config.nix

@@ -50,10 +50,8 @@
         };
   };
 
-  imports = [
+  my.profiles.core.nix.enable = true;
-    ../profiles/core/core.nix
+  my.profiles.core.packages.enable = true;
-    ../profiles/core/nix.nix
-  ];
 
   documentation = {
     enable = lib.mkDefault false;

images/flake-module.nix

@@ -1,10 +1,16 @@
 { self, ... }:
 let
-  inherit (self.inputs) nixos-generators;
+  inherit (self.inputs) nixos-generators sops-nix;
-  defaultModule = {
+  defaultModules = [
-    imports = [ ./base-config.nix ];
+    {
-    _module.args.inputs = self.inputs;
+      imports = [
-  };
+        ./base-config.nix
+        sops-nix.nixosModules.sops
+      ];
+      _module.args.inputs = self.inputs;
+    }
+    ../profiles
+  ];
 in
 {
   perSystem =
@@ -14,16 +20,14 @@ in
         install-iso = nixos-generators.nixosGenerate {
           system = "x86_64-linux";
           inherit pkgs;
-          modules = [ defaultModule ];
+          modules = defaultModules;
           format = "install-iso";
         };
 
         # install-sd-aarch64 = nixos-generators.nixosGenerate {
         #   system = "aarch64-linux";
         #   inherit pkgs;
-        #   modules = [
+        #   modules = defaultModules;
-        #     defaultModule
-        #   ];
         #   format = "sd-aarch64-installer";
         # };
       };
@@ -35,8 +39,7 @@ in
   #      {
   #        nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   #      }
-  #      defaultModule
+  #    ] ++ defaultModules;
-  #    ];
   #  };
   #};
 }

modules/hardware/yubikey/default.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }:
 let

modules/services/remote-build/default.nix

@@ -19,6 +19,7 @@ in
     users.users.nixremote = {
       isSystemUser = true;
       group = "nixremote";
+      shell = pkgs.zsh;
       openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYSzDdxqaNHmaaLqEvOK/vB65zvqoCebI3Nxzgg5smq root@workman"
       ];

profiles/core/core.nix

@@ -1,46 +0,0 @@
-{ pkgs, ... }:
-{
-  # Packages
-  environment.systemPackages = with pkgs; [
-    bandwhich # bandwidth monitor
-    bind # dns tools (dig, etc)
-    borgbackup # backup tool
-    cryptsetup # luks volume management
-    delta # git diff viewer
-    fd # find replacement in rust
-    file # show file type
-    fzf # fuzzy finder
-    gettext # localization tools
-    git # version control
-    gptfdisk # disk partitioning tools
-    htop # process monitor
-    jq # json processor
-    killall # kill processes by name
-    lsof # list open files
-    mosh # mobile shell
-    mtr # network diagnostic tool
-    multipath-tools # disk multipathing tools (kpartx)
-    neovim # text editor
-    nmap # network scanner
-    nmon # performance monitor
-    ouch # de-/compression tool
-    pciutils # lspci
-    progress # show progress of coreutils commands
-    pv # pipe viewer
-    reptyr # reparent process to new terminal
-    rsync # remote file sync
-    screen # terminal multiplexer
-    sd # sed replacement
-    stress-ng # stress testing
-    tmux # terminal multiplexer
-    unzip # unzip tools
-    usbutils # lsusb
-    vim # text editor
-    wget # file downloader
-    whois # domain lookup
-    xcp # rust cp replacement
-    zip # zip tools
-  ];
-
-  time.timeZone = "Europe/Berlin";
-}

profiles/core/default.nix

@@ -1,23 +1,31 @@
 {
   config,
   lib,
-  pkgs,
-  inputs,
   ...
-}@args:
+}:
 let
   cfg = config.my.profiles.core;
 in
 {
+  imports = [
+    ./kernel-modules.nix
+    ./network.nix
+    ./nix.nix
+    ./packages.nix
+    ./users.nix
+  ];
+
   options.my.profiles.core.enable = lib.mkEnableOption "core profile";
 
-  config = lib.mkIf cfg.enable (
+  config = lib.mkIf cfg.enable {
-    lib.mkMerge [
+    my.profiles.core = {
-      (import ./core.nix args)
+      packages.enable = lib.mkDefault true;
-      (import ./modules.nix args)
+      kernel-modules.enable = lib.mkDefault true;
-      (import ./network.nix args)
+      network.enable = lib.mkDefault true;
-      (import ./nix.nix args)
+      nix.enable = lib.mkDefault true;
-      (import ./users.nix args)
+      users.enable = lib.mkDefault true;
-    ]
+    };
-  );
+
+    time.timeZone = "Europe/Berlin";
+  };
 }

profiles/core/kernel-modules.nix

@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.profiles.core.kernel-modules;
+in
+{
+  options.my.profiles.core.kernel-modules.enable = lib.mkEnableOption "kernel module profile";
+
+  config = lib.mkIf cfg.enable {
+    boot.initrd.availableKernelModules = [
+      "ahci"
+      "e1000e"
+      "ehci_pci"
+      "nvme"
+      "sd_mod"
+      "uas"
+      "usbhid"
+      "usb_storage"
+      "xhci_pci"
+    ];
+  };
+}

profiles/core/modules.nix

@@ -1,15 +0,0 @@
-_: {
-  boot.initrd = {
-    availableKernelModules = [
-      "ahci"
-      "e1000e"
-      "ehci_pci"
-      "nvme"
-      "sd_mod"
-      "uas"
-      "usbhid"
-      "usb_storage"
-      "xhci_pci"
-    ];
-  };
-}

profiles/core/network.nix

@@ -1,12 +1,20 @@
-_: {
+{ config, lib, ... }:
-  networking.networkmanager = {
+let
-    enable = true;
+  cfg = config.my.profiles.core.network;
+in
+{
+  options.my.profiles.core.network.enable = lib.mkEnableOption "core network profile";
 
-    unmanaged = [
+  config = lib.mkIf cfg.enable {
-      "interface-name:br-*" # docker compose bridges
+    networking.networkmanager = {
-      "interface-name:docker?" # docker default bridge
+      enable = true;
-      "interface-name:veth*" # docker veth devices
+
-      "interface-name:virbr?" # libvirt default bridge
+      unmanaged = [
-    ];
+        "interface-name:br-*" # docker compose bridges
+        "interface-name:docker?" # docker default bridge
+        "interface-name:veth*" # docker veth devices
+        "interface-name:virbr?" # libvirt default bridge
+      ];
+    };
   };
 }

profiles/core/nix.nix

@@ -1,36 +1,49 @@
-{ inputs, ... }:
 {
-  nix = {
+  config,
-    daemonCPUSchedPolicy = "idle";
+  lib,
-    daemonIOSchedClass = "idle";
+  inputs,
+  ...
+}:
+let
+  cfg = config.my.profiles.core.nix;
+in
+{
+  options.my.profiles.core.nix.enable = lib.mkEnableOption "core nix profile";
 
-    settings = {
+  config = lib.mkIf cfg.enable {
-      trusted-users = [
+
-        "root"
+    nix = {
-        "@wheel"
+      daemonCPUSchedPolicy = "idle";
-      ];
+      daemonIOSchedClass = "idle";
-      auto-optimise-store = true;
+
-      builders-use-substitutes = true;
+      settings = {
+        trusted-users = [
+          "root"
+          "@wheel"
+        ];
+        auto-optimise-store = true;
+        builders-use-substitutes = true;
+      };
+
+      gc = {
+        automatic = true;
+        options = "--delete-older-than 30d";
+      };
+
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+
+      registry = {
+        nixpkgs.flake = inputs.nixpkgs;
+        unstable.flake = inputs.nixpkgs-unstable;
+      };
     };
 
-    gc = {
+    # auto upgrade with own flakes
-      automatic = true;
+    system.autoUpgrade = {
-      options = "--delete-older-than 30d";
+      enable = true;
+      flake = "github:Stunkymonkey/nixos";
     };
-
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-
-    registry = {
-      nixpkgs.flake = inputs.nixpkgs;
-      unstable.flake = inputs.nixpkgs-unstable;
-    };
-  };
-
-  # auto upgrade with own flakes
-  system.autoUpgrade = {
-    enable = true;
-    flake = "github:Stunkymonkey/nixos";
   };
 }

profiles/core/packages.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.profiles.core.packages;
+in
+{
+  options.my.profiles.core.packages.enable = lib.mkEnableOption "core packages profile";
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      bandwhich # bandwidth monitor
+      bind # dns tools (dig, etc)
+      borgbackup # backup tool
+      cryptsetup # luks volume management
+      delta # git diff viewer
+      fd # find replacement in rust
+      file # show file type
+      fzf # fuzzy finder
+      gettext # localization tools
+      git # version control
+      gptfdisk # disk partitioning tools
+      htop # process monitor
+      jq # json processor
+      killall # kill processes by name
+      lsof # list open files
+      mosh # mobile shell
+      mtr # network diagnostic tool
+      multipath-tools # disk multipathing tools (kpartx)
+      neovim # text editor
+      nmap # network scanner
+      nmon # performance monitor
+      ouch # de-/compression tool
+      pciutils # lspci
+      progress # show progress of coreutils commands
+      pv # pipe viewer
+      reptyr # reparent process to new terminal
+      rsync # remote file sync
+      screen # terminal multiplexer
+      sd # sed replacement
+      stress-ng # stress testing
+      tmux # terminal multiplexer
+      unzip # unzip tools
+      usbutils # lsusb
+      vim # text editor
+      wget # file downloader
+      whois # domain lookup
+      xcp # rust cp replacement
+      zip # zip tools
+    ];
+  };
+}

profiles/core/users.nix

@@ -1,35 +1,42 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+  cfg = config.my.profiles.core.users;
+in
 {
-  sops.secrets."users/felix/password".neededForUsers = true;
+  options.my.profiles.core.users.enable = lib.mkEnableOption "core users profile";
-  sops.secrets."users/felix/password" = { };
 
-  users.users.felix = {
+  config = lib.mkIf cfg.enable {
-    isNormalUser = true;
+    sops.secrets."users/felix/password".neededForUsers = true;
-    home = "/home/felix";
+    sops.secrets."users/felix/password" = { };
-    group = "felix";
-    extraGroups = [
-      "adbusers" # adb control
-      "audio" # sound control
-      "cdrom" # emulate cds
-      "dialout" # serial-console
-      "docker" # usage of `docker` socket
-      "input" # mouse control
-      "libvirtd" # kvm control
-      "networkmanager" # wireless configuration
-      "podman" # usage of `podman` socket
-      "seat" # access to input devices
-      "video" # screen control
-      "wheel" # `sudo` for the user.
-    ];
-    hashedPasswordFile = config.sops.secrets."users/felix/password".path;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman"
-      "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHhjrfqyOS+M9ATSTVr9JXPERBXOow/ZmkWICjbtbEgXAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0x ssh:felix-personal-1"
-      "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMHExVOrEevQ+bwrrW3cXCO7Y/SyA+7wG+b6ZvAWY4MJAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0y ssh:felix-personal-2"
-    ];
-  };
 
-  users.groups.felix = {
+    users.users.felix = {
-    gid = 1000;
+      isNormalUser = true;
+      home = "/home/felix";
+      group = "felix";
+      extraGroups = [
+        "adbusers" # adb control
+        "audio" # sound control
+        "cdrom" # emulate cds
+        "dialout" # serial-console
+        "docker" # usage of `docker` socket
+        "input" # mouse control
+        "libvirtd" # kvm control
+        "networkmanager" # wireless configuration
+        "podman" # usage of `podman` socket
+        "seat" # access to input devices
+        "video" # screen control
+        "wheel" # `sudo` for the user.
+      ];
+      hashedPasswordFile = config.sops.secrets."users/felix/password".path;
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFx6OLwL9MbkD3mnMsv+xrzZHN/rwCTgVs758SCLG0h felix@workman"
+        "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHhjrfqyOS+M9ATSTVr9JXPERBXOow/ZmkWICjbtbEgXAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0x ssh:felix-personal-1"
+        "no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMHExVOrEevQ+bwrrW3cXCO7Y/SyA+7wG+b6ZvAWY4MJAAAAFHNzaDpmZWxpeC1wZXJzb25hbC0y ssh:felix-personal-2"
+      ];
+    };
+
+    users.groups.felix = {
+      gid = 1000;
+    };
   };
 }