default.nix

@@ -1,15 +1,11 @@
 { config, inputs, lib, pkgs, ... }:
 
 let
-  inherit (builtins) toString;
+  inherit (lib) filterAttrs _;
-  inherit (lib.modules) mkDefault;
-  inherit (lib.my) mapModulesRec';
 in {
   imports =
-    [ 
+    [ inputs.home-manager.nixosModules.home-manager ]
-      inputs.home-manager.nixosModules.home-manager
+    ++ _.mapModulesRec' ./modules import;
-    ]
-    ++ (mapModulesRec' (toString ./modules) import);
 
   nix = {
   	settings = {
@@ -29,15 +25,14 @@ in {
   environment.systemPackages = with pkgs; [
     unrar unzip
     curl wget
-    # nixos-rebuild w/ flakes does not work without git
+    # hello! if you remove this, good luck
-    # do not remove this
+    # ever rebuilding your system using flakes!
-    # nix is awesome
     git
   ];
 
-  time.timeZone = mkDefault "America/Los_Angeles";
+  time.timeZone = lib.mkDefault "America/Los_Angeles";
 
-  i18n.defaultLocale = mkDefault "en_US.UTF-8";
+  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
 
-  system.stateVersion = mkDefault "23.11";
+  system.stateVersion = lib.mkDefault "23.11";
 }

flake.lock

@@ -2,9 +2,7 @@
   "nodes": {
     "home-manager": {
       "inputs": {
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs"
-          "nixpkgs"
-        ]
       },
       "locked": {
         "lastModified": 1705535278,
@@ -21,6 +19,22 @@
       }
     },
     "nixpkgs": {
+      "locked": {
+        "lastModified": 1705316053,
+        "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
       "locked": {
         "lastModified": 1705496572,
         "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=",
@@ -39,7 +53,7 @@
     "root": {
       "inputs": {
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
       }
     }
   },

flake.nix

@@ -5,44 +5,29 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
     home-manager.url = "github:nix-community/home-manager";
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = inputs @ { self, nixpkgs, ... }:
     let
-      inherit (lib.my) mapModules mapModulesRec mapHosts;
       system = "aarch64-linux";
 
-      mkPkgs = pkgs: extraOverlays: 
+      lib = import ./lib { inherit pkgs inputs; lib = nixpkgs.lib; };
-        import pkgs {
+      inherit (lib._) mapModules mapModulesRec mkHost;
+
+      mkPkgs = pkgs: overlays: import pkgs {
         inherit system;
         config.allowUnfree = true;
-          config.allowAliases = false;
+        overlays = overlays ++ (lib.attrValues self.overlays);
-          overlays = extraOverlays ++ (lib.attrValues self.overlays);
       };
-      pkgs = mkPkgs nixpkgs [ self.overlays.default ];
 
-      lib = nixpkgs.lib.extend (final: prev: {
+      pkgs = mkPkgs nixpkgs [ self.overlay ];
-        my = import ./lib {
-          inherit pkgs inputs;
-          lib = final;
-        };
-      });
     in {
-      lib = lib.my;
-    
-      overlays = 
-        (mapModules ./overlays import)
-        // {
-          default = final: prev: {
-            my = self.packages.${system};
-          };
-        };
-      
       packages."${system}" = mapModules ./packages (p: pkgs.callPackage p {});
-      
+      overlay = final: prev: {
-      nixosModules = mapModulesRec ./modules import;
+        _ = self.packages."${system}";
-      
+      };
-      nixosConfigurations = mapHosts ./hosts {};
+      overlays = mapModules ./overlays import;
+      nixosModules = (mapModulesRec ./modules import);
+      nixosConfigurations = mapModules ./hosts (host: mkHost host { inherit system; });
     };
 }

hosts/server/authorizedKeys.nix

@@ -0,0 +1,10 @@
+[
+  # reidlab
+  { hostname = "reidlab@rei-pc";
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc";
+  }
+  {
+    hostname = "reidlab@rei-phone";
+    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone";
+  }
+]

hosts/server/default.nix

@@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:
 
 let
-
+  keys = import ./authorizedKeys.nix;
+  fetchSSH = (host: lib._.getSSH host keys);
+  fetchSSHKeys = map fetchSSH;
 in {
   imports = [
     ./hardware-configuration.nix
@@ -15,9 +17,9 @@ in {
       conf = {
         packages = with pkgs; [ bat tree micro duf ];
         extraGroups = [ "wheel" "dotfiles" ];
-        openssh.authorizedKeys.keys = [
+        openssh.authorizedKeys.keys = fetchSSHKeys [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"
+          "reidlab@rei-pc"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone"
+          "reidlab@rei-phone"
         ];
       };
 
@@ -51,6 +53,8 @@ in {
     security.useDoas = true;
   };
 
+  time.timeZone = "America/Los_Angeles";
+
   networking = {
     hostName = "nixos-server-reid";
     networkmanager.enable = true;

hosts/server/webapps/default.nix

@@ -13,7 +13,7 @@ in {
         };
 
         metrics = {
-          enable = false;
+          enable = true;
           domain = "metrics.reidlab.online";
           port = 2342;
         };

lib/attrs.nix

@@ -1,25 +0,0 @@
-{lib, ...}: let
-  inherit (lib.lists) any count;
-  inherit (lib.attrsets) filterAttrs listToAttrs mapAttrs' mapAttrsToList;
-in rec {
-  # attrsToList
-  attrsToList = attrs:
-    mapAttrsToList (name: value: {inherit name value;}) attrs;
-
-  # mapFilterAttrs ::
-  #   (name -> value -> bool)
-  #   (name -> value -> { name = any; value = any; })
-  #   attrs
-  mapFilterAttrs = pred: f: attrs: filterAttrs pred (mapAttrs' f attrs);
-
-  # Generate an attribute set by mapping a function over a list of values.
-  genAttrs' = values: f: listToAttrs (map f values);
-
-  # anyAttrs :: (name -> value -> bool) attrs
-  anyAttrs = pred: attrs:
-    any (attr: pred attr.name attr.value) (attrsToList attrs);
-
-  # countAttrs :: (name -> value -> bool) attrs
-  countAttrs = pred: attrs:
-    count (attr: pred attr.name attr.value) (attrsToList attrs);
-}

lib/default.nix

@@ -1,20 +1,17 @@
 { inputs, lib, pkgs, ... }:
 
+lib.extend (self: super:
   let
-    inherit (lib.attrsets) attrValues;
+    inherit (lib) attrValues foldr;
-    inherit (lib.fixedPoints) makeExtensible;
-    inherit (lib.lists) foldr;
     inherit (modules) mapModules;
+    inherit (helpers) getSSH;
 
-    modules = import ./modules.nix {
+    modules = import ./modules.nix { inherit lib; };
-      inherit lib;
+    helpers = import ./helpers.nix { inherit lib; };
-      self.attrs = import ./attrs.nix {
+  in {
-      	inherit lib;
+    _ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file {
-      	self = {};
+      inherit pkgs inputs;
-      };
+      lib = self;
-    };
+    })));
-    mylib =
+  }
-      makeExtensible (self:
+)
-        mapModules ./. (file: import file {inherit self lib pkgs inputs;}));
-  in 
-    mylib.extend (self: super: foldr (a: b: a // b) {} (attrValues super))

lib/helpers.nix

@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+with lib;
+rec {
+  indexFrom = origin: name: item: list: foldr
+  (h: t:
+    if h.${origin} == name && hasAttr item h
+    then h.${item}
+    else t)
+  (error ''
+    No item at the origin point ${origin} with element ${name} found.
+    Please make sure that the item with that origin exists, and,
+    failing that, that it also has the requested item defined.
+  '')
+  list;
+
+  getSSH = name: keys: indexFrom "hostname" name "ssh" keys;
+}

lib/modules.nix

@@ -1,43 +1,27 @@
-{
+{ lib, ... }:
-  lib,
+
-  self,
+let
-  ...
+  inherit (builtins) attrValues readDir pathExists;
-}: let
+  inherit (lib) id filterAttrs hasPrefix hasSuffix nameValuePair removeSuffix mapAttrs' trace fix fold isAttrs;
-  inherit (builtins) attrValues readDir pathExists concatLists;
-  inherit (lib.attrsets) mapAttrsToList filterAttrs nameValuePair;
-  inherit (lib.strings) hasPrefix hasSuffix removeSuffix;
-  inherit (lib.trivial) id;
-  inherit (self.attrs) mapFilterAttrs;
 in rec {
-  mapModules = dir: fn:
+  mapModules' = dir: fn: dirfn:
-    mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let
+    filterAttrs
-      path = "${toString dir}/${n}";
+      (name: type: type != null && !(hasPrefix "_" name))
-    in
+      (mapAttrs'
-      if v == "directory" && pathExists "${path}/default.nix"
+        (name: type:
-      then nameValuePair n (fn path)
+          let path = "${toString dir}/${name}"; in
-      else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n
+          if type == "directory"
-      then nameValuePair (removeSuffix ".nix" n) (fn path)
+          then nameValuePair name (dirfn path)
-      else nameValuePair "" null) (readDir dir);
+          else if
-
+            type == "regular" &&
-  mapModules' = dir: fn: attrValues (mapModules dir fn);
+            name != "default.nix" &&
-
+            hasSuffix ".nix" name
-  mapModulesRec = dir: fn:
+          then nameValuePair (removeSuffix ".nix" name) (fn path)
-    mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let
+          else nameValuePair "" null
-      path = "${toString dir}/${n}";
+        )
-    in
-      if v == "directory"
-      then nameValuePair n (mapModulesRec path fn)
-      else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n
-      then nameValuePair (removeSuffix ".nix" n) (fn path)
-      else nameValuePair "" null) (readDir dir);
-
-  mapModulesRec' = dir: fn: let
-    dirs =
-      mapAttrsToList (k: _: "${dir}/${k}")
-      (filterAttrs (n: v: v == "directory" && !(hasPrefix "_" n))
         (readDir dir));
-    files = attrValues (mapModules dir id);
+
-    paths = files ++ concatLists (map (d: mapModulesRec' d id) dirs);
+  mapModules = dir: fn: mapModules' dir fn (path: if pathExists "${path}/default.nix" then fn path else null);
-  in
+  mapModulesRec = dir: fn: mapModules' dir fn (path: mapModulesRec path fn);
-    map fn paths;
+  mapModulesRec' = dir: fn: fix (f: attrs: fold (x: xs: (if isAttrs x then f x else [x]) ++ xs) [] (attrValues attrs)) (mapModulesRec dir fn);
 }

lib/nixos.nix

@@ -1,35 +1,21 @@
+{ inputs, lib, pkgs, ... }:
+
+with lib;
 {
-  inputs,
+  mkHost = path: attrs@{ system, ... }:
-  lib,
-  pkgs,
-  self,
-  ...
-}: let
-  inherit (inputs.nixpkgs.lib) nixosSystem;
-  inherit (builtins) baseNameOf elem;
-  inherit (lib.attrsets) filterAttrs;
-  inherit (lib.modules) mkDefault;
-  inherit (lib.strings) removeSuffix;
-  inherit (self.modules) mapModules;
-in rec {
-  mkHost = path: attrs @ {system ? "aarch64-linux", ...}:
     nixosSystem {
       inherit system;
-
+      specialArgs = { inherit lib inputs system; };
-      specialArgs = {inherit lib inputs system;};
-
       modules = [
         {
           nixpkgs.pkgs = pkgs;
-          networking.hostName =
+          networking.hostName = mkDefault (removeSuffix ".nix" (baseNameOf path));
-            mkDefault (removeSuffix ".nix" (baseNameOf path));
         }
-        (filterAttrs (n: v: !elem n ["system"]) attrs)
+        (filterAttrs (n: v: !elem n [ "system" ]) attrs)
-        ../. # /default.nix
+
+        ../.
+
         (import path)
       ];
     };
-
-  mapHosts = dir: attrs @ {system ? system, ...}:
-    mapModules dir (hostPath: mkHost hostPath attrs);
 }

modules/security.nix

@@ -14,38 +14,24 @@ in {
 		tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
 		
     	kernel.sysctl = {
-    	  # magic sysrq key, allows low-level commands through keyboard input
       	  "kernel.sysrq" = 0;
 
-          ## TCP hardening
+          "net.ipv4.conf.all.accept_source_code" = 0;
-          # prevent bogus ICMP errors from filling up logs
+          "net.ipv6.conf.all.accept_source_code" = 0;
-          "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
-          # do not accept IP source packets (we are not a router)
-          "net.ipv4.conf.all.accept_source_route" = 0;
-          "net.ipv6.conf.all.accept_source_route" = 0;
-          # Don't send ICMP redirects (again, we're not a router)
-          "net.ipv4.conf.all.send_redirects" = 0;
           "net.ipv4.conf.default.send_redirects" = 0;
-          # refuse ICMP redirects (MITM mitigations)
+          "net.ipv4.conf.all.send_redirects" = 0;
-          "net.ipv4.conf.all.accept_redirects" = 0;
           "net.ipv4.conf.default.accept_redirects" = 0;
-          "net.ipv4.conf.all.secure_redirects" = 0;
+          "net.ipv4.conf.all.accept_redirects" = 0;
-          "net.ipv4.conf.default.secure_redirects" = 0;
-          "net.ipv6.conf.all.accept_redirects" = 0;
           "net.ipv6.conf.default.accept_redirects" = 0;
-          # protects against SYN flood attacks
+          "net.ipv6.conf.all.accept_redirects" = 0;
+          "net.ipv4.conf.default.secure_redirects" = 0;
+          "net.ipv4.conf.all.secure_redirects" = 0;
           "net.ipv4.tcp_syncookies" = 1;
-          # incomplete protection against TIME-WAIT assassination
           "net.ipv4.tcp_rfc1337" = 1;
-
-          ## TCP optimization
-          # TCP fastopen
           "net.ipv4.tcp_fastopen" = 3;
-          # bufferbloat mitigations + improvement in throughput and latency
           "net.ipv4.tcp_conjestion_control" = "bbr";
           "net.core.default_qdisc" = "cake";
         };
-        kernelModules = [ "tcp_bbr" ];
       };
 
       security = {

modules/services/forgejo.nix

@@ -11,7 +11,10 @@ let
   };
 in {
   options.modules.services.forgejo = {
-    enable = mkEnableOption "enable forgejo, a lightweight git server";
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
     domain = mkOption {
       type = types.str;
       default = "git.reidlab.online";

modules/services/metrics.nix

@@ -5,7 +5,10 @@ let
   cfg = config.modules.services.metrics;
 in {
   options.modules.services.metrics = {
-    enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
     domain = mkOption {
       type = types.str;
       default = "grafana.reidlab.online";

modules/services/mosh.nix

@@ -5,7 +5,10 @@ let
   cfg = config.modules.services.mosh;
 in {
   options.modules.services.mosh = {
-    enable = mkEnableOption "enable mosh, the mobile SSH shell";
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
   };
 
   config = mkIf cfg.enable {

modules/services/nginx-conf.nix

@@ -5,7 +5,10 @@ let
   cfg = config.modules.services.nginx-config;
 in {
   options.modules.services.nginx-config = {
-	enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
 
     package = mkOption {
       type = types.package;

modules/services/postgres.nix

@@ -5,7 +5,10 @@ let
   cfg = config.modules.services.postgres;
 in {
   options.modules.services.postgres = {
-    enable = mkEnableOption "enable postgres, the database industry standard";
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
   };
 
   config = mkIf cfg.enable {

modules/services/redis.nix

@@ -5,7 +5,10 @@ let
   cfg = config.modules.services.redis;
 in {
   options.modules.services.redis = {
-    enable = mkEnableOption "enable redis, a speedy cache database";
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
   };
 
   config = mkIf cfg.enable {

modules/services/ssh.nix

@@ -5,7 +5,11 @@ let
   cfg = config.modules.services.ssh;
 in {
   options.modules.services.ssh = {
-    enable = mkEnableOption "enable openssh, a server for remote shell access";
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Provide system SSH support though OpenSSH.";
+    };
 
     requirePassword = mkOption {
       type = types.bool;

readme.md

@@ -18,7 +18,8 @@ before committing, please run `nix flake check` and make sure everything is ok
 
 ## todo
 
-- remove the lua static stuff from nginx + the cf ip
+- analytics using matomo
-- per-host architecture selection, atm it is hardcoded to `aarch64`
+- php support in staticsites
-- some weird perl error abt locales when building??? it only happened after the big lib update. help me
+- no more luapackagepath. please stop.
-- leverage nixos-hardware
+- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error
+- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz