feat: add minimal config support (WIP)

SwarselSystems.org

@@ -1433,7 +1433,7 @@ Lastly, I add some of my own library functions to be used alongside the function
 ** Installer iso
 
 #+begin_src nix-ts :tangle nix/iso.nix
-  { inputs, ... }:
+  { self, inputs, ... }:
   {
     perSystem = { pkgs, system, ... }:
       {
@@ -1442,7 +1442,7 @@ Lastly, I add some of my own library functions to be used alongside the function
           inherit pkgs;
           modules = [
             inputs.home-manager.nixosModules.home-manager
-            ./installer-config.nix
+            "${self}/install/installer-config.nix"
           ];
           format =
             {
@@ -1454,6 +1454,17 @@ Lastly, I add some of my own library functions to be used alongside the function
       };
   }
 #+end_src
+** Installer flake
+
+#+begin_src nix-ts :tangle install/flake.nix
+  {
+    description = "Minimal installer flake - not to be used manually";
+
+    inputs.swarsel.url = "github:Swarsel/.dotfiles";
+
+    outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; };
+  }
+#+end_src
 * System
 :PROPERTIES:
 :CUSTOM_ID: h:02cd20be-1ffa-4904-9d5a-da5a89ba1421
@@ -1482,13 +1493,13 @@ This is the template that I use for new deployments of personal machines. Server
 :END:
 
 #+begin_src nix-ts :tangle files/templates/hosts/nixos/default.nix
-  { self, inputs, pkgs, lib, globals, ... }:
+  { self, config, inputs, pkgs, lib, ... }:
   let
+    primaryUser = config.swarselsystems.mainUser;
     modulesPath = "${self}/modules";
     sharedOptions = {
       isBtrfs = true;
     };
-    primaryUser = globals.user.name;
   in
   {
 
@@ -1694,17 +1705,18 @@ My work machine. Built for more security, this is the gold standard of my config
 :CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d
 :END:
 #+begin_src nix-ts :tangle hosts/nixos/nbl-imba-2/default.nix
-  { self, config, inputs, lib, globals, ... }:
+  { self, config, inputs, lib, ... }:
   let
-    primaryUser = globals.user.name;
+    primaryUser = config.swarselsystems.mainUser;
     sharedOptions = {
       isBtrfs = true;
       isLinux = true;
       sharescreen = "eDP-2";
       profiles = {
-        personal = true;
+        personal = lib.mkIf (!minimal) true;
-        work = true;
+        minimal = lib.mkIf minimal true;
-        framework = true;
+        work = lib.mkIf (!minimal) true;
+        framework = lib.mkIf (!minimal) true;
       };
     };
   in
@@ -1950,9 +1962,9 @@ This is my main server that I run at home. It handles most tasks that require bi
 :CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124
 :END:
 #+begin_src nix-ts :tangle hosts/nixos/winters/default.nix
-  { lib, config, globals, ... }:
+  { lib, config, ... }:
   let
-    primaryUser = globals.user.name;
+    primaryUser = config.swarselsystems.mainUser;
     sharedOptions = {
       isBtrfs = false;
       isLinux = true;
@@ -2173,7 +2185,7 @@ This machine mainly acts as an external sync helper. It manages the following th
 #+begin_src nix-ts :tangle hosts/nixos/sync/default.nix
   { lib, config, globals, ... }:
   let
-    primaryUser = globals.user.name;
+    primaryUser = config.swarselsystems.mainUser;
     sharedOptions = {
       isBtrfs = false;
       isLinux = true;
@@ -2406,7 +2418,7 @@ This machine mainly acts as an external sync helper. It manages the following th
 #+begin_src nix-ts :tangle hosts/nixos/moonside/default.nix
   { lib, config, globals, ... }:
   let
-    primaryUser = globals.user.name;
+    primaryUser = config.swarselsystems.mainUser;
     inherit (config.repo.secrets.common) workHostName;
     inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
     serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
@@ -2809,14 +2821,15 @@ This is a slim setup for developing base configuration. I do not track the hardw
 :CUSTOM_ID: h:4e53b40b-98b2-4615-b1b0-3696a75edd6e
 :END:
 #+begin_src nix-ts :tangle hosts/nixos/toto/default.nix
-  { self, inputs, pkgs, lib, ... }:
+  { self, lib, minimal, ... }:
   let
-    modulesPath = "${self}/modules";
     sharedOptions = {
       isBtrfs = true;
       isLinux = true;
       profiles = {
-        toto = true;
+        toto = lib.mkIf (!minimal) true;
+        minimal = lib.mkIf minimal true;
+        btrfs = lib.mkIf minimal true;
       };
     };
   in
@@ -2825,41 +2838,9 @@ This is a slim setup for developing base configuration. I do not track the hardw
     imports = [
       ./disk-config.nix
       ./hardware-configuration.nix
-
-      "${modulesPath}/nixos/common/sharedsetup.nix"
-      "${modulesPath}/home/common/sharedsetup.nix"
-      "${self}/profiles/nixos"
-
-      inputs.home-manager.nixosModules.home-manager
-      {
-        home-manager.users."setup".imports = [
-          inputs.sops-nix.homeManagerModules.sops
-          "${modulesPath}/home/common/sharedsetup.nix"
-          "${self}/profiles/home"
-        ];
-      }
     ];
 
 
-    environment.systemPackages = with pkgs; [
-      curl
-      git
-      gnupg
-      rsync
-      ssh-to-age
-      sops
-      vim
-      just
-      sbctl
-    ];
-
-    system.stateVersion = lib.mkForce "23.05";
-
-    boot = {
-      supportedFilesystems = [ "btrfs" ];
-      kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
-    };
-
 
     networking = {
       hostName = "toto";
@@ -2871,10 +2852,10 @@ This is a slim setup for developing base configuration. I do not track the hardw
         info = "~SwarselSystems~ remote install helper";
         wallpaper = self + /files/wallpaper/lenovowp.png;
         isImpermanence = true;
-        isCrypted = false;
+        isCrypted = true;
         isSecureBoot = false;
-        isSwap = false;
+        isSwap = true;
-        swapSize = "8G";
+        swapSize = "2G";
         # rootDisk = "/dev/nvme0n1";
         rootDisk = "/dev/sda";
         # rootDisk = "/dev/vda";
@@ -3032,7 +3013,7 @@ This is a slim setup for developing base configuration. I do not track the hardw
 
 
 #+end_src
-**** drugstore (ISO)
+**** drugstore (ISO installer config)
 :PROPERTIES:
 :CUSTOM_ID: h:8583371d-5d47-468b-84ba-210aad7e2c90
 :END:
@@ -3040,10 +3021,9 @@ This is a slim setup for developing base configuration. I do not track the hardw
 This is a live environment ISO that I use to bootstrap new systems. It only loads a minimal configuration and no graphical interface. After booting this image on a host, find out its IP and bootstrap the system using the =bootstrap= utility.
 
 
-#+begin_src nix-ts :tangle nix/installer-config.nix
+#+begin_src nix-ts :tangle install/installer-config.nix
-{ pkgs, lib, ... }:
+  { pkgs, lib, ... }:
-{
+  {
-
     config = {
       home-manager.users.root.home = {
         stateVersion = "23.05";
@@ -3151,7 +3131,7 @@ This is a live environment ISO that I use to bootstrap new systems. It only load
       system.stateVersion = lib.mkForce "23.05";
 
     };
-}
+  }
 
 
         #+end_src
@@ -3750,10 +3730,14 @@ A breakdown of the flags being set:
 - nix.nixPath: Basically the same as =nix.registry=, but for the legacy nix commands
 
 #+begin_src nix-ts :tangle modules/nixos/common/settings.nix
-  { lib, pkgs, config, outputs, inputs, ... }:
+  { lib, pkgs, config, outputs, inputs, minimal, ... }:
   {
     options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
-    config = lib.mkIf config.swarselsystems.modules.general {
+    config = lib.mkIf config.swarselsystems.modules.general
+      ({
+
+        system.stateVersion = lib.mkDefault "23.05";
+
         nixpkgs = {
           overlays = [ outputs.overlays.default ];
           config = {
@@ -3761,6 +3745,9 @@ A breakdown of the flags being set:
           };
         };
 
+      }
+    // lib.optionalAttrs (!minimal) {
+
       environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
         assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
         { }
@@ -3782,7 +3769,7 @@ A breakdown of the flags being set:
             trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
             connect-timeout = 5;
             bash-prompt-prefix = "$SHLVL:\\w ";
-              bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
+            bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
             fallback = true;
             min-free = 128000000;
             max-free = 1000000000;
@@ -3815,8 +3802,7 @@ A breakdown of the flags being set:
         environment.TMPDIR = "/var/tmp";
       };
 
-      system.stateVersion = lib.mkDefault "23.05";
+    });
-    };
   }
 #+end_src
 
@@ -3828,9 +3814,9 @@ A breakdown of the flags being set:
 We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = inputs= line, which enables the use of =seflf= in most parts of the configuration. This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity).
 
 #+begin_src nix-ts :tangle modules/nixos/common/home-manager.nix
-  { self, inputs, config, lib, outputs, globals, nodes, ... }:
+  { self, inputs, config, lib, outputs, globals, nodes, minimal, ... }:
   let
-    mainUser = globals.user.name;
+    inherit (config.swarselsystems) mainUser;
   in
     {
       options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
@@ -3850,7 +3836,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the
               home.stateVersion = lib.mkDefault config.system.stateVersion;
             }
           ];
-          extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
+          extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; };
         };
       };
     }
@@ -3867,7 +3853,7 @@ In case of using a fully setup system, this makes also sure that no further user
 For that reason, make sure that =sops-nix= is properly working before setting the =initialSetup= flag, otherwise you might lose user access.
 
 #+begin_src nix-ts :tangle modules/nixos/common/users.nix
-  { self, pkgs, config, lib, ... }:
+  { self, pkgs, config, lib, minimal, ... }:
   let
     sopsFile = self + /secrets/general/secrets.yaml;
   in
@@ -3881,9 +3867,9 @@ For that reason, make sure that =sops-nix= is properly working before setting th
           users."${config.swarselsystems.mainUser}" = {
             isNormalUser = true;
             description = "Leon S";
-            password = lib.mkIf config.swarselsystems.initialSetup "setup";
+            password = lib.mkIf (config.swarselsystems.initialSetup || minimal) "setup";
-            hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
+            hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup && !minimal) config.sops.secrets.swarseluser.path;
-            extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
+            extraGroups = lib.mkIf (!minimal) [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
             packages = with pkgs; [ ];
           };
         };
@@ -4038,16 +4024,16 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
 This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`.
 
 #+begin_src nix-ts :tangle modules/nixos/common/lanzaboote.nix
-  { lib, config, ... }:
+  { lib, config, minimal, ... }:
   {
     options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
     config = lib.mkIf config.swarselsystems.modules.lanzaboote {
       boot = {
         loader = {
           efi.canTouchEfiVariables = true;
-          systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
+          systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || minimal || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
         };
-        lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
+        lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && !minimal && config.swarselsystems.isSecureBoot) {
           enable = true;
           pkiBundle = "/var/lib/sbctl";
           configurationLimit = 6;
@@ -4196,11 +4182,12 @@ This section is for setting things that should be used on hosts that are using t
 Mostly used to install some compilers and lsp's that I want to have available when not using a devShell flake. Most other packages should go in [[#h:893a7f33-7715-415b-a895-2687ded31c18][Installed packages]].
 
 #+begin_src nix-ts :tangle modules/nixos/client/packages.nix
-  { lib, config, pkgs, ... }:
+  { lib, config, pkgs, minimal, ... }:
   {
     options.swarselsystems.modules.packages = lib.mkEnableOption "install packages";
     config = lib.mkIf config.swarselsystems.modules.packages {
-      environment.systemPackages = with pkgs; [
+
+      environment.systemPackages = with pkgs; lib.optionals (!minimal) [
         # yubikey packages
         gnupg
         yubikey-personalization
@@ -4271,9 +4258,19 @@ Mostly used to install some compilers and lsp's that I want to have available wh
 
         elk-to-svg
 
+      ] ++ lib.optionals minimal [
+        curl
+        git
+        gnupg
+        rsync
+        ssh-to-age
+        sops
+        vim
+        just
+        sbctl
       ];
 
-      nixpkgs.config.permittedInsecurePackages = [
+      nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [
         "jitsi-meet-1.0.8043"
         "electron-29.4.6"
         "SDL_ttf-2.0.11"
@@ -4311,7 +4308,7 @@ Next, we will setup some environment variables that need to be set on the system
   }
 #+end_src
 
-**** Security
+**** Security (polkit)
 :PROPERTIES:
 :CUSTOM_ID: h:e2d40df9-0026-4caa-8476-9dc2353055a1
 :END:
@@ -4319,28 +4316,29 @@ Next, we will setup some environment variables that need to be set on the system
 Needed for control over system-wide privileges etc. Also I make sure that the root user has access to =SSH_AUTH_SOCK= (without this, root will not be able to read my =nix-secrets= repository).
 
 #+begin_src nix-ts :tangle modules/nixos/client/polkit.nix
-  { lib, config, ... }:
+{ lib, config, minimal, ... }:
-  {
+{
   options.swarselsystems.modules.security = lib.mkEnableOption "security config";
   config = lib.mkIf config.swarselsystems.modules.security {
 
     security = {
-        pam.services = {
+      pam.services = lib.mkIf (!minimal) {
         login.u2fAuth = true;
         sudo.u2fAuth = true;
         swaylock.u2fAuth = true;
         swaylock.fprintAuth = false;
       };
-        polkit.enable = true;
+      polkit.enable = lib.mkIf (!minimal) true;
 
       sudo.extraConfig = ''
         Defaults    env_keep+=SSH_AUTH_SOCK
+      '' + lib.optionalString (!minimal) ''
           Defaults    env_keep+=XDG_RUNTIME_DIR
           Defaults    env_keep+=WAYLAND_DISPLAY
         '';
     };
   };
-  }
+}
 #+end_src
 
 **** Reduce systemd timeouts
@@ -9979,7 +9977,7 @@ The full list of nerd-fonts can be found here: https://github.com/NixOS/nixpkgs/
 This is where the theme for the whole OS is defined. Originally, this noweb-ref section could not be copied to the general NixOS config since they are on different folder structure levels in the config, which would have made the flake impure. By now, I have found out that using the =${self}= method for referencing the flake root, I could circumvent this problem. Also, the noweb-ref block could in general be replaced by a custom attribute set (see for example [[#h:e7f98ad8-74a6-4860-a368-cce154285ff0][firefox]]). The difference here was, for a long time, that this block is used in a NixOS and a home-manager-only configuration, verbatim. If I were to use an attribute set, I would have to duplicate this block once each for NixOS and home-manager. Alas, this block stays (for now). However, I learned how to use an attribute set in a custom home-manager module and pass it to both NixOS and home-manager configurations, which also removed the need for that use of it.
 
 #+begin_src nix-ts :noweb yes :tangle modules/home/common/sharedsetup.nix
-  { self, lib, pkgs, ... }:
+  { self, lib, pkgs, globals, minimal, ... }:
   {
     options.swarselsystems = {
       isLaptop = lib.mkEnableOption "laptop host";
@@ -9990,7 +9988,7 @@ This is where the theme for the whole OS is defined. Originally, this noweb-ref
       isBtrfs = lib.mkEnableOption "use btrfs filesystem";
       mainUser = lib.mkOption {
         type = lib.types.str;
-        default = "swarsel";
+        default = if (!minimal) then globals.user.name else "setup" ;
       };
       homeDir = lib.mkOption {
         type = lib.types.str;
@@ -10615,24 +10613,16 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 #+begin_src nix-ts :tangle modules/home/common/sops.nix
   { config, lib, ... }:
   let
-    inherit (config.swarselsystems) homeDir xdgDir;
+    inherit (config.swarselsystems) homeDir;
   in
   {
     options.swarselsystems.modules.sops = lib.mkEnableOption "sops settings";
     config = lib.mkIf config.swarselsystems.modules.sops {
       sops = {
         age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ];
-        defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
+        defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
 
         validateSopsFiles = false;
-        secrets = lib.mkIf (!config.swarselsystems.isPublic) {
-          mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
-          nautilus = { path = "${xdgDir}/secrets/nautilus"; };
-          leon = { path = "${xdgDir}/secrets/leon"; };
-          swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
-          github_notif = { path = "${xdgDir}/secrets/github_notif"; };
-          u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
-        };
       };
     };
   }
@@ -10645,10 +10635,18 @@ I use sops-nix to handle secrets that I want to have available on my machines at
 
 #+begin_src nix-ts :tangle modules/home/common/yubikey.nix
   { lib, config, nixosConfig, ... }:
+  let
+    inherit (config.swarselsystems) homeDir;
+  in
   {
     options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
 
     config = lib.mkIf config.swarselsystems.modules.yubikey {
+
+      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+        u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
+      };
+
       pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
         ids = [
           nixosConfig.repo.secrets.common.yubikeys.dev1
@@ -11385,7 +11383,7 @@ lib.mkMerge [ zshConfigEarlyInit zshConfig ];
 Currently I only use it as before with =initExtra= though.
 
 #+begin_src nix-ts :tangle modules/home/common/zsh.nix
-  { config, lib, ... }:
+  { config, lib, minimal, ... }:
   let
     inherit (config.swarselsystems) flakePath;
   in
@@ -11397,7 +11395,8 @@ Currently I only use it as before with =initExtra= though.
         default = { };
       };
     };
-    config = lib.mkIf config.swarselsystems.modules.zsh {
+    config = lib.mkIf config.swarselsystems.modules.zsh
+      {
 
         sops.secrets = {
           croc-password = { };
@@ -11405,6 +11404,8 @@ Currently I only use it as before with =initExtra= though.
 
         programs.zsh = {
           enable = true;
+        }
+        // lib.optionalAttrs (!minimal) {
           shellAliases = lib.recursiveUpdate
             {
               hg = "history | grep";
@@ -11656,10 +11657,19 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
   let
     inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
     inherit (nixosConfig.repo.secrets.common) fullName;
+    inherit (config.swarselsystems) xdgDir;
   in
   {
     options.swarselsystems.modules.mail = lib.mkEnableOption "mail settings";
     config = lib.mkIf config.swarselsystems.modules.mail {
+
+      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+        mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
+        nautilus = { path = "${xdgDir}/secrets/nautilus"; };
+        leon = { path = "${xdgDir}/secrets/leon"; };
+        swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
+      };
+
       programs = {
         mbsync = {
           enable = true;
@@ -11907,6 +11917,7 @@ The rest of the related configuration is found here:
 #+begin_src nix-ts :tangle modules/home/common/waybar.nix
   { self, config, lib, pkgs, ... }:
   let
+    inherit (config.swarselsystems) xdgDir;
     generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
     modulesLeft = [
       "custom/outer-left-arrow-dark"
@@ -11959,11 +11970,17 @@ The rest of the related configuration is found here:
       };
     };
     config = lib.mkIf config.swarselsystems.modules.waybar {
+
       swarselsystems = {
         waybarModules = lib.mkIf config.swarselsystems.isLaptop (modulesLeft ++ [
           "battery"
         ] ++ modulesRight);
       };
+
+      sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+        github_notif = { path = "${xdgDir}/secrets/github_notif"; };
+      };
+
       programs.waybar = {
         enable = true;
         systemd = {
@@ -14592,7 +14609,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
   # ------------------------
 
   green "Deploying minimal NixOS installation on $target_destination"
-  SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination"
+  SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
 
   echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
   ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
@@ -15691,6 +15708,39 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
 
 #+end_src
 
+**** Minimal
+
+#+begin_src nix-ts :tangle profiles/nixos/minimal/default.nix :mkdirp yes
+  { lib, config, ... }:
+  {
+    options.swarselsystems.profiles.minimal = lib.mkEnableOption "declare this a minimal host";
+    config = lib.mkIf config.swarselsystems.profiles.minimal {
+      swarselsystems.modules = {
+        general = lib.mkDefault true;
+        home-manager = lib.mkDefault true;
+        xserver = lib.mkDefault true;
+        lanzaboote = lib.mkDefault true;
+        time = lib.mkDefault true;
+        users = lib.mkDefault true;
+        impermanence = lib.mkDefault true;
+        security = lib.mkDefault true;
+        sops = lib.mkDefault true;
+        pii = lib.mkDefault true;
+        zsh = lib.mkDefault true;
+        yubikey = lib.mkDefault true;
+        autologin = lib.mkDefault true;
+
+        server = {
+          ssh = lib.mkDefault true;
+        };
+      };
+
+    };
+
+  }
+
+#+end_src
+
 **** Chaostheatre
 :PROPERTIES:
 :CUSTOM_ID: h:b79fbb59-9cf2-48eb-b469-2589223dda95
@@ -15762,6 +15812,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
     config = lib.mkIf config.swarselsystems.profiles.toto {
       swarselsystems.modules = {
         general = lib.mkDefault true;
+        packages = lib.mkDefault true;
         home-manager = lib.mkDefault true;
         xserver = lib.mkDefault true;
         users = lib.mkDefault true;
@@ -16115,6 +16166,28 @@ This holds modules that are to be used on most hosts. These are also the most im
 
 #+end_src
 
+**** Minimal
+:PROPERTIES:
+:CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef
+:END:
+
+#+begin_src nix-ts :tangle profiles/home/minimal/default.nix :mkdirp yes
+  { lib, config, ... }:
+  {
+    options.swarselsystems.profiles.minimal = lib.mkEnableOption "is this a personal host";
+    config = lib.mkIf config.swarselsystems.profiles.minimal {
+      swarselsystems.modules = {
+        general = lib.mkDefault true;
+        sops = lib.mkDefault true;
+        kitty = lib.mkDefault true;
+        zsh = lib.mkDefault true;
+      };
+    };
+
+  }
+
+#+end_src
+
 **** Chaostheatre
 :PROPERTIES:
 :CUSTOM_ID: h:36a0209f-2c17-4808-a1d0-a9e1920c307a

files/scripts/swarsel-bootstrap.sh

@@ -218,7 +218,7 @@ $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "$
 # ------------------------
 
 green "Deploying minimal NixOS installation on $target_destination"
-SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination"
+SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
 
 echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
 ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true

files/templates/hosts/nixos/default.nix

@@ -1,10 +1,10 @@
-{ self, inputs, pkgs, lib, globals, ... }:
+{ self, config, inputs, pkgs, lib, ... }:
 let
+  primaryUser = config.swarselsystems.mainUser;
   modulesPath = "${self}/modules";
   sharedOptions = {
     isBtrfs = true;
   };
-  primaryUser = globals.user.name;
 in
 {
 

hosts/nixos/moonside/default.nix

@@ -1,6 +1,6 @@
 { lib, config, globals, ... }:
 let
-  primaryUser = globals.user.name;
+  primaryUser = config.swarselsystems.mainUser;
   inherit (config.repo.secrets.common) workHostName;
   inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
   serviceDomain = config.repo.secrets.common.services.domains.syncthing3;

hosts/nixos/nbl-imba-2/default.nix

@@ -1,14 +1,15 @@
-{ self, config, inputs, lib, globals, ... }:
+{ self, config, inputs, lib, ... }:
 let
-  primaryUser = globals.user.name;
+  primaryUser = config.swarselsystems.mainUser;
   sharedOptions = {
     isBtrfs = true;
     isLinux = true;
     sharescreen = "eDP-2";
     profiles = {
-      personal = true;
+      personal = lib.mkIf (!minimal) true;
-      work = true;
+      minimal = lib.mkIf minimal true;
-      framework = true;
+      work = lib.mkIf (!minimal) true;
+      framework = lib.mkIf (!minimal) true;
     };
   };
 in

hosts/nixos/sync/default.nix

@@ -1,6 +1,6 @@
 { lib, config, globals, ... }:
 let
-  primaryUser = globals.user.name;
+  primaryUser = config.swarselsystems.mainUser;
   sharedOptions = {
     isBtrfs = false;
     isLinux = true;

hosts/nixos/toto/default.nix

@@ -1,11 +1,12 @@
-{ self, inputs, pkgs, lib, ... }:
+{ self, lib, minimal, ... }:
 let
-  modulesPath = "${self}/modules";
   sharedOptions = {
     isBtrfs = true;
     isLinux = true;
     profiles = {
-      toto = true;
+      toto = lib.mkIf (!minimal) true;
+      minimal = lib.mkIf minimal true;
+      btrfs = lib.mkIf minimal true;
     };
   };
 in
@@ -14,41 +15,9 @@ in
   imports = [
     ./disk-config.nix
     ./hardware-configuration.nix
-
-    "${modulesPath}/nixos/common/sharedsetup.nix"
-    "${modulesPath}/home/common/sharedsetup.nix"
-    "${self}/profiles/nixos"
-
-    inputs.home-manager.nixosModules.home-manager
-    {
-      home-manager.users."setup".imports = [
-        inputs.sops-nix.homeManagerModules.sops
-        "${modulesPath}/home/common/sharedsetup.nix"
-        "${self}/profiles/home"
-      ];
-    }
   ];
 
 
-  environment.systemPackages = with pkgs; [
-    curl
-    git
-    gnupg
-    rsync
-    ssh-to-age
-    sops
-    vim
-    just
-    sbctl
-  ];
-
-  system.stateVersion = lib.mkForce "23.05";
-
-  boot = {
-    supportedFilesystems = [ "btrfs" ];
-    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
-  };
-
 
   networking = {
     hostName = "toto";
@@ -60,10 +29,10 @@ in
       info = "~SwarselSystems~ remote install helper";
       wallpaper = self + /files/wallpaper/lenovowp.png;
       isImpermanence = true;
-      isCrypted = false;
+      isCrypted = true;
       isSecureBoot = false;
-      isSwap = false;
+      isSwap = true;
-      swapSize = "8G";
+      swapSize = "2G";
       # rootDisk = "/dev/nvme0n1";
       rootDisk = "/dev/sda";
       # rootDisk = "/dev/vda";

hosts/nixos/winters/default.nix

@@ -1,6 +1,6 @@
-{ lib, config, globals, ... }:
+{ lib, config, ... }:
 let
-  primaryUser = globals.user.name;
+  primaryUser = config.swarselsystems.mainUser;
   sharedOptions = {
     isBtrfs = false;
     isLinux = true;

install/flake.nix

@@ -0,0 +1,7 @@
+{
+  description = "Minimal installer flake - not to be used manually";
+
+  inputs.swarsel.url = "github:Swarsel/.dotfiles";
+
+  outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; };
+}

install/installer-config.nix

@@ -1,6 +1,5 @@
 { pkgs, lib, ... }:
 {
-
   config = {
     home-manager.users.root.home = {
       stateVersion = "23.05";

modules/home/common/mail.nix

@@ -2,10 +2,19 @@
 let
   inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
   inherit (nixosConfig.repo.secrets.common) fullName;
+  inherit (config.swarselsystems) xdgDir;
 in
 {
   options.swarselsystems.modules.mail = lib.mkEnableOption "mail settings";
   config = lib.mkIf config.swarselsystems.modules.mail {
+
+    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+      mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
+      nautilus = { path = "${xdgDir}/secrets/nautilus"; };
+      leon = { path = "${xdgDir}/secrets/leon"; };
+      swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
+    };
+
     programs = {
       mbsync = {
         enable = true;

modules/home/common/sharedsetup.nix

@@ -1,4 +1,4 @@
-{ self, lib, pkgs, ... }:
+{ self, lib, pkgs, globals, minimal, ... }:
 {
   options.swarselsystems = {
     isLaptop = lib.mkEnableOption "laptop host";
@@ -9,7 +9,7 @@
     isBtrfs = lib.mkEnableOption "use btrfs filesystem";
     mainUser = lib.mkOption {
       type = lib.types.str;
-      default = "swarsel";
+      default = if (!minimal) then globals.user.name else "setup";
     };
     homeDir = lib.mkOption {
       type = lib.types.str;

modules/home/common/sops.nix

@@ -1,23 +1,15 @@
 { config, lib, ... }:
 let
-  inherit (config.swarselsystems) homeDir xdgDir;
+  inherit (config.swarselsystems) homeDir;
 in
 {
   options.swarselsystems.modules.sops = lib.mkEnableOption "sops settings";
   config = lib.mkIf config.swarselsystems.modules.sops {
     sops = {
       age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${homeDir}/.ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
+      defaultSopsFile = "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
 
       validateSopsFiles = false;
-      secrets = lib.mkIf (!config.swarselsystems.isPublic) {
-        mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
-        nautilus = { path = "${xdgDir}/secrets/nautilus"; };
-        leon = { path = "${xdgDir}/secrets/leon"; };
-        swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
-        github_notif = { path = "${xdgDir}/secrets/github_notif"; };
-        u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
-      };
     };
   };
 }

modules/home/common/waybar.nix

@@ -1,5 +1,6 @@
 { self, config, lib, pkgs, ... }:
 let
+  inherit (config.swarselsystems) xdgDir;
   generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
   modulesLeft = [
     "custom/outer-left-arrow-dark"
@@ -52,11 +53,17 @@ in
     };
   };
   config = lib.mkIf config.swarselsystems.modules.waybar {
+
     swarselsystems = {
       waybarModules = lib.mkIf config.swarselsystems.isLaptop (modulesLeft ++ [
         "battery"
       ] ++ modulesRight);
     };
+
+    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+      github_notif = { path = "${xdgDir}/secrets/github_notif"; };
+    };
+
     programs.waybar = {
       enable = true;
       systemd = {

modules/home/common/yubikey.nix

@@ -1,8 +1,16 @@
 { lib, config, nixosConfig, ... }:
+let
+  inherit (config.swarselsystems) homeDir;
+in
 {
   options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey settings";
 
   config = lib.mkIf config.swarselsystems.modules.yubikey {
+
+    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+      u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
+    };
+
     pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
       ids = [
         nixosConfig.repo.secrets.common.yubikeys.dev1

modules/home/common/zsh.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, minimal, ... }:
 let
   inherit (config.swarselsystems) flakePath;
 in
@@ -10,7 +10,8 @@ in
       default = { };
     };
   };
-  config = lib.mkIf config.swarselsystems.modules.zsh {
+  config = lib.mkIf config.swarselsystems.modules.zsh
+    {
 
       sops.secrets = {
         croc-password = { };
@@ -18,6 +19,8 @@ in
 
       programs.zsh = {
         enable = true;
+      }
+      // lib.optionalAttrs (!minimal) {
         shellAliases = lib.recursiveUpdate
           {
             hg = "history | grep";

modules/nixos/client/packages.nix

@@ -1,8 +1,9 @@
-{ lib, config, pkgs, ... }:
+{ lib, config, pkgs, minimal, ... }:
 {
   options.swarselsystems.modules.packages = lib.mkEnableOption "install packages";
   config = lib.mkIf config.swarselsystems.modules.packages {
-    environment.systemPackages = with pkgs; [
+
+    environment.systemPackages = with pkgs; lib.optionals (!minimal) [
       # yubikey packages
       gnupg
       yubikey-personalization
@@ -73,9 +74,19 @@
 
       elk-to-svg
 
+    ] ++ lib.optionals minimal [
+      curl
+      git
+      gnupg
+      rsync
+      ssh-to-age
+      sops
+      vim
+      just
+      sbctl
     ];
 
-    nixpkgs.config.permittedInsecurePackages = [
+    nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [
       "jitsi-meet-1.0.8043"
       "electron-29.4.6"
       "SDL_ttf-2.0.11"

modules/nixos/client/polkit.nix

@@ -1,19 +1,20 @@
-{ lib, config, ... }:
+{ lib, config, minimal, ... }:
 {
   options.swarselsystems.modules.security = lib.mkEnableOption "security config";
   config = lib.mkIf config.swarselsystems.modules.security {
 
     security = {
-      pam.services = {
+      pam.services = lib.mkIf (!minimal) {
         login.u2fAuth = true;
         sudo.u2fAuth = true;
         swaylock.u2fAuth = true;
         swaylock.fprintAuth = false;
       };
-      polkit.enable = true;
+      polkit.enable = lib.mkIf (!minimal) true;
 
       sudo.extraConfig = ''
         Defaults    env_keep+=SSH_AUTH_SOCK
+      '' + lib.optionalString (!minimal) ''
         Defaults    env_keep+=XDG_RUNTIME_DIR
         Defaults    env_keep+=WAYLAND_DISPLAY
       '';

modules/nixos/common/home-manager.nix

@@ -1,6 +1,6 @@
-{ self, inputs, config, lib, outputs, globals, nodes, ... }:
+{ self, inputs, config, lib, outputs, globals, nodes, minimal, ... }:
 let
-  mainUser = globals.user.name;
+  inherit (config.swarselsystems) mainUser;
 in
 {
   options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
@@ -20,7 +20,7 @@ in
           home.stateVersion = lib.mkDefault config.system.stateVersion;
         }
       ];
-      extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
+      extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; };
     };
   };
 }

modules/nixos/common/lanzaboote.nix

@@ -1,13 +1,13 @@
-{ lib, config, ... }:
+{ lib, config, minimal, ... }:
 {
   options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
   config = lib.mkIf config.swarselsystems.modules.lanzaboote {
     boot = {
       loader = {
         efi.canTouchEfiVariables = true;
-        systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
+        systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || minimal || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
       };
-      lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
+      lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && !minimal && config.swarselsystems.isSecureBoot) {
         enable = true;
         pkiBundle = "/var/lib/sbctl";
         configurationLimit = 6;

modules/nixos/common/settings.nix

@@ -1,7 +1,11 @@
-{ lib, pkgs, config, outputs, inputs, ... }:
+{ lib, pkgs, config, outputs, inputs, minimal, ... }:
 {
   options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
-  config = lib.mkIf config.swarselsystems.modules.general {
+  config = lib.mkIf config.swarselsystems.modules.general
+    ({
+
+      system.stateVersion = lib.mkDefault "23.05";
+
       nixpkgs = {
         overlays = [ outputs.overlays.default ];
         config = {
@@ -9,6 +13,9 @@
         };
       };
 
+    }
+    // lib.optionalAttrs (!minimal) {
+
       environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
         assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
         { }
@@ -30,7 +37,7 @@
             trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
             connect-timeout = 5;
             bash-prompt-prefix = "$SHLVL:\\w ";
-          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
+            bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
             fallback = true;
             min-free = 128000000;
             max-free = 1000000000;
@@ -63,6 +70,5 @@
         environment.TMPDIR = "/var/tmp";
       };
 
-    system.stateVersion = lib.mkDefault "23.05";
+    });
-  };
 }

modules/nixos/common/users.nix

@@ -1,4 +1,4 @@
-{ self, pkgs, config, lib, ... }:
+{ self, pkgs, config, lib, minimal, ... }:
 let
   sopsFile = self + /secrets/general/secrets.yaml;
 in
@@ -12,9 +12,9 @@ in
       users."${config.swarselsystems.mainUser}" = {
         isNormalUser = true;
         description = "Leon S";
-        password = lib.mkIf config.swarselsystems.initialSetup "setup";
+        password = lib.mkIf (config.swarselsystems.initialSetup || minimal) "setup";
-        hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
+        hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup && !minimal) config.sops.secrets.swarseluser.path;
-        extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
+        extraGroups = lib.mkIf (!minimal) [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
         packages = with pkgs; [ ];
       };
     };

nix/iso.nix

@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ self, inputs, ... }:
 {
   perSystem = { pkgs, system, ... }:
     {
@@ -7,7 +7,7 @@
         inherit pkgs;
         modules = [
           inputs.home-manager.nixosModules.home-manager
-          ./installer-config.nix
+          "${self}/install/installer-config.nix"
         ];
         format =
           {

profiles/home/minimal/default.nix

@@ -0,0 +1,13 @@
+{ lib, config, ... }:
+{
+  options.swarselsystems.profiles.minimal = lib.mkEnableOption "is this a personal host";
+  config = lib.mkIf config.swarselsystems.profiles.minimal {
+    swarselsystems.modules = {
+      general = lib.mkDefault true;
+      sops = lib.mkDefault true;
+      kitty = lib.mkDefault true;
+      zsh = lib.mkDefault true;
+    };
+  };
+
+}

profiles/nixos/minimal/default.nix

@@ -0,0 +1,27 @@
+{ lib, config, ... }:
+{
+  options.swarselsystems.profiles.minimal = lib.mkEnableOption "declare this a minimal host";
+  config = lib.mkIf config.swarselsystems.profiles.minimal {
+    swarselsystems.modules = {
+      general = lib.mkDefault true;
+      home-manager = lib.mkDefault true;
+      xserver = lib.mkDefault true;
+      lanzaboote = lib.mkDefault true;
+      time = lib.mkDefault true;
+      users = lib.mkDefault true;
+      impermanence = lib.mkDefault true;
+      security = lib.mkDefault true;
+      sops = lib.mkDefault true;
+      pii = lib.mkDefault true;
+      zsh = lib.mkDefault true;
+      yubikey = lib.mkDefault true;
+      autologin = lib.mkDefault true;
+
+      server = {
+        ssh = lib.mkDefault true;
+      };
+    };
+
+  };
+
+}

profiles/nixos/toto/default.nix

@@ -4,6 +4,7 @@
   config = lib.mkIf config.swarselsystems.profiles.toto {
     swarselsystems.modules = {
       general = lib.mkDefault true;
+      packages = lib.mkDefault true;
       home-manager = lib.mkDefault true;
       xserver = lib.mkDefault true;
       users = lib.mkDefault true;