Split shared host config into dedicated modules

- Add shared modules for boot, hardware, networking, input, and host defaults
- Move host-specific TOML flags to new option namespaces
- Update SSH and service defaults for the new layout

hosts/dunamis/configuration.nix

@@ -35,6 +35,7 @@
   };
 
   networking.firewall = rec {
+    allowedTCPPorts = [8080];
     allowedTCPPortRanges = [
       {
         from = 1714;

hosts/dunamis/host.toml

@@ -4,9 +4,12 @@ id = "c7f6c4a1"
 type = "workstation"
 stateVersion = "24.11"
 
+[boot.secureBoot]
+enable = true
+
+[boot.tpmDiskUnlock]
+enable = true
+
 [config]
 locale = "uk_UA.UTF-8"
 timeZone = "Europe/Kyiv"
-secureBoot = true
-tpmDiskUnlock = true
-

hosts/kled/configuration.nix

@@ -42,12 +42,15 @@
       stateVersion = "25.11";
     };
 
+    boot.secureBoot.enable = true;
+    hardware = {
+      graphics.vaapi = "intel-media-driver";
+      powerSave.enable = true;
+    };
+    input.homeRowMods.enable = true;
+    networking.iwd.enable = true;
+
     config = {
-      laptop.homeRowMods = true;
-      powerSave = true;
-      secureBoot = true;
-      useIwd = true;
-      vaapi = "intel-media-driver";
       locale = "uk_UA.UTF-8";
       timeZone = "Europe/Kyiv";
     };

hosts/legion/host.toml

@@ -4,11 +4,21 @@ id = "45b00123"
 type = "laptop"
 stateVersion = "25.11"
 
+[boot.secureBoot]
+enable = true
+
+[boot.tpmDiskUnlock]
+enable = true
+
+[hardware.graphics]
+vaapi = "nvidia"
+
+[hardware.powerSave]
+enable = true
+
+#[input.homeRowMods]
+#enable = true
+
 [config]
 locale = "uk_UA.UTF-8"
 timeZone = "Europe/Kyiv"
-secureBoot = true
-tpmDiskUnlock = true
-vaapi = "nvidia"
-# laptop.homeRowMods = true
-powerSave = true

modules/home/desktop/dms/programs/niri.nix

@@ -56,11 +56,11 @@ in {
           layout = "us,ua";
           variant =
             "colemak_dh"
-            + (
-              if osConfig.unexplrd.host.name == "dunamis"
-              then "_ortho"
-              else ""
-            )
+            # + (
+            #   if osConfig.unexplrd.host.name == "dunamis"
+            #   then "_ortho"
+            #   else ""
+            # )
             + ",";
         };
         repeat-delay = 200;

modules/nixos/shared/boot/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./secure-boot.nix
+    ./tpm-disk-unlock.nix
+  ];
+}

modules/nixos/shared/boot/secure-boot.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption;
+  cfg = config.unexplrd.boot.secureBoot;
+in {
+  options.unexplrd.boot.secureBoot.enable =
+    mkEnableOption "secure boot support";
+
+  config = {
+    boot.loader.systemd-boot.enable = mkDefault (!cfg.enable);
+  };
+}

modules/nixos/shared/boot/tpm-disk-unlock.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkDefault mkEnableOption;
+  cfg = config.unexplrd.boot.tpmDiskUnlock;
+in {
+  options.unexplrd.boot.tpmDiskUnlock.enable =
+    mkEnableOption "TPM2 disk unlock support";
+
+  config = {
+    boot.initrd.systemd.tpm2.enable = mkDefault cfg.enable;
+  };
+}

modules/nixos/shared/default.nix

@@ -1,16 +1,15 @@
-{
-  config,
-  # inputs,
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit (lib) mkDefault mkOption mkEnableOption mkIf;
-  cfg = config.unexplrd.config;
-  cfgHost = config.unexplrd.host;
-in {
+{lib, ...}: {
   imports = [
+    (lib.mkRenamedOptionModule ["unexplrd" "config" "laptop" "homeRowMods"] ["unexplrd" "input" "homeRowMods" "enable"])
+    (lib.mkRenamedOptionModule ["unexplrd" "config" "powerSave"] ["unexplrd" "hardware" "powerSave" "enable"])
+    (lib.mkRenamedOptionModule ["unexplrd" "config" "secureBoot"] ["unexplrd" "boot" "secureBoot" "enable"])
+    (lib.mkRenamedOptionModule ["unexplrd" "config" "tpmDiskUnlock"] ["unexplrd" "boot" "tpmDiskUnlock" "enable"])
+    (lib.mkRenamedOptionModule ["unexplrd" "config" "useIwd"] ["unexplrd" "networking" "iwd" "enable"])
+    (lib.mkRenamedOptionModule ["unexplrd" "config" "vaapi"] ["unexplrd" "hardware" "graphics" "vaapi"])
+    ./boot
     ./hardware
+    ./host.nix
+    ./input/home-row-mods.nix
     ./misc
     ./module/lanzaboote.nix
     ./module/locale.nix
@@ -24,79 +23,4 @@ in {
     ./sops.nix
     ./users.nix
   ];
-  options = {
-    unexplrd.host = {
-      name = mkOption {
-        type = lib.types.str;
-      };
-      id = mkOption {
-        type = lib.types.strMatching "[a-z0-9]{8}";
-      };
-      stateVersion = mkOption {
-        type = lib.types.strMatching ''[0-9]{2}\.[0-9]{2}'';
-      };
-      type = mkOption {
-        type = lib.types.enum ["laptop" "server" "workstation"];
-      };
-    };
-    unexplrd.config = {
-      laptop.homeRowMods = mkEnableOption "set to have mods on asdfjkl;";
-      powerSave = mkEnableOption "set to use various power saving daemons";
-      secureBoot = mkEnableOption "set if secure boot is configured";
-      tpmDiskUnlock = mkEnableOption "set if luks enrolled in tpm2";
-      useIwd = mkEnableOption "set to use iwd instead of wpa-supplicant";
-      vaapi = lib.mkOption {
-        type = lib.types.nullOr (lib.types.enum ["intel-media-driver" "nvidia"]);
-        default = null;
-      };
-    };
-  };
-  config = lib.mkMerge [
-    {
-      system.stateVersion = cfgHost.stateVersion;
-      networking.hostName = cfgHost.name;
-      networking.hostId = cfgHost.id;
-    }
-    {
-      boot.initrd.systemd.tpm2.enable = mkDefault cfg.tpmDiskUnlock;
-      boot.loader.systemd-boot.enable = mkDefault (!cfg.secureBoot);
-    }
-    (mkIf (cfg.laptop.homeRowMods)
-      # lib.asserts.assertMsg (config.services.kanata.enable != config.services.keyd.enable) "Kanata and keyd create soft lock when both enabled"
-      {
-        services.kanata.enable = true;
-        services.kanata.keyboards.internal = {
-          extraDefCfg = ''
-            process-unmapped-keys no
-          '';
-          configFile = ./kanata/internal.kbd;
-        };
-      })
-    (mkIf (cfg.powerSave) {
-      powerManagement.enable = true;
-      powerManagement.powertop.enable = true;
-      services.power-profiles-daemon.enable = true;
-      services.thermald.enable = true;
-      services.upower.enable = true;
-      hardware.bluetooth.settings.Policy.AutoEnable = false;
-    })
-    (mkIf cfg.useIwd {
-      networking = {
-        networkmanager.wifi.backend = "iwd";
-        wireless.iwd.enable = true;
-      };
-    })
-    (mkIf (cfg.vaapi == "intel-media-driver") {
-      hardware.graphics.extraPackages = with pkgs; [
-        intel-compute-runtime
-        intel-media-driver
-        vpl-gpu-rt
-      ];
-    })
-    (mkIf (cfg.vaapi == "nvidia") {
-      hardware.graphics.extraPackages = with pkgs; [
-        nvidia-vaapi-driver
-      ];
-    })
-  ];
 }

modules/nixos/shared/hardware/default.nix

@@ -1,5 +1,7 @@
 {
   imports = [
     ./facter.nix
+    ./graphics/vaapi.nix
+    ./power-save.nix
   ];
 }

modules/nixos/shared/hardware/graphics/vaapi.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf mkOption types;
+  cfg = config.unexplrd.hardware.graphics.vaapi;
+in {
+  options.unexplrd.hardware.graphics.vaapi = mkOption {
+    type = types.nullOr (types.enum ["intel-media-driver" "nvidia"]);
+    default = null;
+  };
+
+  config = lib.mkMerge [
+    (mkIf (cfg == "intel-media-driver") {
+      hardware.graphics.extraPackages = with pkgs; [
+        intel-compute-runtime
+        intel-media-driver
+        vpl-gpu-rt
+      ];
+    })
+    (mkIf (cfg == "nvidia") {
+      hardware.graphics.extraPackages = with pkgs; [
+        nvidia-vaapi-driver
+      ];
+    })
+  ];
+}

modules/nixos/shared/hardware/power-save.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.unexplrd.hardware.powerSave;
+in {
+  options.unexplrd.hardware.powerSave.enable =
+    mkEnableOption "power saving defaults";
+
+  config = mkIf cfg.enable {
+    powerManagement.enable = true;
+    powerManagement.powertop.enable = true;
+    services.power-profiles-daemon.enable = true;
+    services.thermald.enable = true;
+    services.upower.enable = true;
+    hardware.bluetooth.settings.Policy.AutoEnable = false;
+  };
+}

modules/nixos/shared/host.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkOption types;
+  cfg = config.unexplrd.host;
+in {
+  options.unexplrd.host = {
+    name = mkOption {
+      type = types.str;
+    };
+    id = mkOption {
+      type = types.strMatching "[a-z0-9]{8}";
+    };
+    stateVersion = mkOption {
+      type = types.strMatching ''[0-9]{2}\.[0-9]{2}'';
+    };
+    type = mkOption {
+      type = types.enum ["laptop" "server" "workstation"];
+    };
+  };
+
+  config = {
+    system.stateVersion = cfg.stateVersion;
+    networking.hostName = cfg.name;
+    networking.hostId = cfg.id;
+  };
+}

modules/nixos/shared/input/home-row-mods.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.unexplrd.input.homeRowMods;
+in {
+  options.unexplrd.input.homeRowMods.enable =
+    mkEnableOption "home row mods for the internal keyboard";
+
+  config = mkIf cfg.enable {
+    services.kanata.enable = true;
+    services.kanata.keyboards.internal = {
+      extraDefCfg = ''
+        process-unmapped-keys no
+      '';
+      configFile = ../kanata/internal.kbd;
+    };
+  };
+}

modules/nixos/shared/misc/default.nix

@@ -57,7 +57,7 @@
   '';
 
   zramSwap = {
-    enable = true;
+    enable = false;
     algorithm = "zstd";
     memoryPercent = 25;
     priority = 5;

modules/nixos/shared/module/lanzaboote.nix

@@ -8,7 +8,7 @@
   ];
   boot = {
     lanzaboote = {
-      enable = config.unexplrd.config.secureBoot;
+      enable = config.unexplrd.boot.secureBoot.enable;
       pkiBundle = "/var/lib/sbctl";
     };
   };

modules/nixos/shared/networking/default.nix

@@ -1,5 +1,8 @@
 {
-  imports = [./hosts.nix];
+  imports = [
+    ./hosts.nix
+    ./iwd.nix
+  ];
   networking.networkmanager = {
     ethernet.macAddress = "stable";
     wifi.macAddress = "random";

modules/nixos/shared/networking/iwd.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf;
+  cfg = config.unexplrd.networking.iwd;
+in {
+  options.unexplrd.networking.iwd.enable =
+    mkEnableOption "iwd as the NetworkManager Wi-Fi backend";
+
+  config = mkIf cfg.enable {
+    networking = {
+      networkmanager.wifi.backend = "iwd";
+      wireless.iwd.enable = true;
+    };
+  };
+}

modules/nixos/shared/security/ssh.nix

@@ -4,7 +4,7 @@
     settings = {
       PasswordAuthentication = false;
       PermitEmptyPasswords = false;
-      PermitTunnel = false;
+      PermitTunnel = true;
       UseDns = false;
       KbdInteractiveAuthentication = false;
       X11Forwarding = config.services.xserver.enable;
@@ -14,7 +14,7 @@
       ClientAliveCountMax = 0;
       # AllowUsers = ["user"];
       TCPKeepAlive = false;
-      AllowTcpForwarding = false;
+      AllowTcpForwarding = "yes";
       AllowAgentForwarding = false;
       LogLevel = "VERBOSE";
       PermitRootLogin = "no";

modules/nixos/shared/services.nix

@@ -33,6 +33,6 @@
         InterceptUnknown = true;
         ProcMonitorMethod = "ebpf";
       };
-      scx.scheduler = "scx_rustland";
+      # scx.scheduler = "scx_rustland";
     };
 }

modules/users/user/services.nix

@@ -8,6 +8,8 @@
   # services.pueue.enable = true; # process queue in rust
   services.ssh-agent.enable = true;
 
+  services.kdeconnect.enable = true;
+
   services.vicinae = {
     enable = true;
     systemd.enable = true;