Commit 11e2fec

HPCesia <me@hpcesia.com>
2025-07-14 09:18:26
refactor: host config manage
1 parent 6df60fe
hosts/chaser-kevin/default.nix
@@ -23,11 +23,12 @@ in {
     ./boot.nix
   ];
 
-  networking =
-    {
-      inherit hostName;
-    }
-    // myvars.networking.generateHostNetworking hostName;
+  modules.my-hosts.${hostName}.network = {
+    enable = "networkmanager";
+    iface = "wlp0s20f3";
+    useDHCP = true;
+    nameservers = myvars.defaultNameservers;
+  };
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
hosts/chaser-kevin/miscs.nix
@@ -29,9 +29,10 @@
   # Touchpad
   services.libinput.enable = true;
 
-  # Network Manager
-  environment.systemPackages = with pkgs; [networkmanagerapplet];
-
   # √(3200² + 2000²) px / 16 in ≃ 235 dpi
   services.xserver.dpi = 235;
+
+  # Mihomo
+  services.mihomo.enable = true;
+  modules.secrets.mihomo.enable = true;
 }
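Review bot: `networkmanagerapplet` is dropped from `environment.systemPackages` here and nothing else in this commit adds it back — the new networkmanager branch in modules/nixos/base/networking.nix only sets `networking.networkmanager.enable`. If the tray applet is still wanted on this desktop host, it is silently gone after this refactor; if the removal is intentional, a one-line comment such as `# networkmanagerapplet intentionally dropped with the host-config refactor` next to the new Mihomo block would save the next reader a search. The two new Mihomo lines enable two independent knobs (`services.mihomo.enable` and `modules.secrets.mihomo.enable`); see the note on secrets/nixos.nix about keeping them in step.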
modules/base/hosts.nix
@@ -0,0 +1,75 @@
+{lib, ...}:
+with lib; let
+  hostModule = types.submodule {
+    options = {
+      network = mkOption {
+        type = networkModule;
+        default = {};
+        description = "Network configurations of the host.";
+      };
+      hostPublicKey = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      sshPorts = mkOption {
+        type = types.listOf types.port;
+        default = [22];
+      };
+    };
+  };
+
+  networkModule = types.submodule {
+    options = {
+      enable = mkOption {
+        type = types.nullOr (types.enum ["networkmanager" "networkd"]);
+        default = null;
+        description = "Which network manager to use.";
+      };
+      iface = mkOption {
+        type = types.str;
+      };
+      useDHCP = mkOption {
+        type = types.bool;
+        default = false;
+      };
+      nameservers = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+      search = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+      ipv4 = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      ipv6 = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      prefixLength4 = mkOption {
+        type = types.int;
+        default = 24;
+      };
+      prefixLength6 = mkOption {
+        type = types.int;
+        default = 64;
+      };
+      defaultGateway = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      defaultGateway6 = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+    };
+  };
+in {
+  options.modules.my-hosts = mkOption {
+    type = types.attrsOf hostModule;
+    description = "My nix hosts general configuration";
+    default = {};
+  };
+}
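Review bot: `network.iface` (L70-L72) is the only option with neither a default nor a description, which makes it a required field that nothing documents; consumers (`interfaces.${cfg.iface}`, `systemd.network.networks."10-${cfg.iface}"`) fail evaluation when it is missing. Suggested: `iface = mkOption { type = types.str; description = "Primary network interface name (required when `enable` is set)."; };`, and descriptions for `hostPublicKey` ("SSH host key used to pin this host in known_hosts; null = not pinned") and `sshPorts` ("Ports sshd listens on; first entry is used for outbound ssh config"). `prefixLength4`/`prefixLength6` are typed `types.int`, so negative or oversized values pass the option system and only fail inside the network stack; `types.ints.between 0 32` and `types.ints.between 0 128` catch that at eval time. `enable` as the name of a manager selector (enum or null) reads as a boolean at the call sites; if it cannot be renamed, the description should say that null means "host does not configure networking through this module".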
modules/base/users.nix
@@ -1,5 +1,37 @@
-{myvars, ...}: {
-  programs.ssh = myvars.networking.ssh;
+{
+  lib,
+  myvars,
+  config,
+  ...
+}: let
+  hosts = config.modules.my-hosts;
+  sshTargetHosts = lib.filterAttrs (n: v: !builtins.isNull v.hostPublicKey) hosts;
+in {
+  programs.ssh = {
+    extraConfig =
+      lib.attrsets.foldlAttrs
+      (acc: host: val:
+        acc
+        + ''
+          Host ${host}
+            HostName ${val.network.ipv4}
+            Port ${val.sshPort}
+        '')
+      ""
+      sshTargetHosts;
+    knownHosts =
+      lib.mapAttrs'
+      (
+        host: value:
+          lib.attrsets.nameValuePair
+          (value.network.ipv4)
+          {
+            inherit (value) hostPublicKey;
+            hostNames = [host];
+          }
+      )
+      sshTargetHosts;
+  };
 
   users.users.${myvars.username} = {
     description = myvars.userfullname;
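Review bot: `Port ${val.sshPort}` on the `extraConfig` line references an attribute that the new host option set does not define — modules/base/hosts.nix declares `sshPorts` (a `listOf port`, default `[22]`), so the first host that sets `hostPublicKey` will fail evaluation with a missing-attribute error. Suggested: `Port ${toString (builtins.head val.sshPorts)}`. The filter on the `sshTargetHosts` line keys only on `hostPublicKey`, but both `HostName ${val.network.ipv4}` and the `knownHosts` attribute name interpolate `network.ipv4`, which defaults to null, so a pinned host without a static IPv4 also breaks; `sshTargetHosts = lib.filterAttrs (n: v: v.hostPublicKey != null && v.network.ipv4 != null) hosts;` makes the contract explicit. `hostNames = [host]` replaces the NixOS default list (which includes the attribute name, i.e. the IP) with the short name only; since `Host ${host}` resolves to the IP, the known_hosts match presumably needs the IP as well, so `hostNames = [host value.network.ipv4];` (or `extraHostNames`) looks safer — worth verifying with a deploy. The module continues past the end of this hunk.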
modules/nixos/base/mihomo/default.nix
@@ -5,7 +5,7 @@
   ...
 }: {
   services.mihomo = {
-    enable = lib.mkDefault true;
+    enable = lib.mkDefault false;
     tunMode = true;
     webui = pkgs.metacubexd;
     configFile = config.sops.templates."mihomo-config.yaml".path;
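Review bot: Flipping the default to `false` leaves `configFile` bound to `config.sops.templates."mihomo-config.yaml".path` unconditionally, while the provider secrets that template presumably reads are now gated by a separate `modules.secrets.mihomo.enable` option (secrets/nixos.nix). A host that sets `services.mihomo.enable = true` without the secrets option is likely to fail evaluation on the template rather than get a clear message. Suggested: wrap this attrset in `lib.mkIf config.services.mihomo.enable { ... }` so nothing is referenced when the service is off, and/or add `assertions = [{ assertion = config.services.mihomo.enable -> config.modules.secrets.mihomo.enable; message = "services.mihomo requires modules.secrets.mihomo.enable"; }];`. The module's argument list starts above this hunk.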
modules/nixos/base/networking.nix
@@ -1,21 +1,77 @@
 {
-  # Network discovery, mDNS
-  # With this enabled, you can access your machine at <hostname>.local
-  # it's more convenient than using the IP address.
-  # https://avahi.org/
-  services.avahi = {
-    enable = true;
-    nssmdns4 = true;
-    publish = {
-      enable = true;
-      domain = true;
-      userServices = true;
-    };
-  };
+  config,
+  lib,
+  hostName,
+  ...
+}:
+lib.mkMerge [
+  {
+    # Use an NTP server located in the mainland of China to synchronize the system time
+    networking.timeServers = [
+      "ntp.aliyun.com" # Aliyun NTP Server
+      "ntp.tencent.com" # Tencent NTP Server
+    ];
+  }
 
-  # Use an NTP server located in the mainland of China to synchronize the system time
-  networking.timeServers = [
-    "ntp.aliyun.com" # Aliyun NTP Server
-    "ntp.tencent.com" # Tencent NTP Server
-  ];
-}
+  (let
+    cfg = config.modules.my-hosts.${hostName}.network;
+  in
+    lib.mkIf cfg.useDHCP {
+      assertions = map (x: {
+        assertion = cfg.${x} == null;
+        message = "my-host.network.useDHCP is confilt with my-host.network.${x}";
+      }) ["ipv4" "ipv6"];
+    })
+
+  (let
+    cfg = config.modules.my-hosts.${hostName}.network;
+  in
+    lib.mkIf
+    (cfg.enable == "networkmanager")
+    {
+      networking = with cfg; {
+        networkmanager.enable = true;
+        useDHCP = lib.mkDefault useDHCP;
+        inherit hostName search defaultGateway defaultGateway6 nameservers;
+        interfaces.${cfg.iface} = lib.mkIf (!builtins.isNull cfg.ipv4 && !builtins.isNull cfg.ipv6) {
+          ipv4.addresses = lib.optional (!builtins.isNull cfg.ipv4) {
+            address = cfg.ipv4;
+            prefixLength = cfg.prefixLength4;
+          };
+          ipv6.addresses = lib.optional (!builtins.isNull cfg.ipv6) {
+            address = cfg.ipv6;
+            prefixLength = cfg.prefixLength6;
+          };
+        };
+      };
+    })
+  (let
+    cfg = config.modules.my-hosts.${hostName}.network;
+  in
+    lib.mkIf
+    (cfg.enable == "networkd")
+    {
+      networking.useNetworkd = true;
+      networking.hostName = hostName;
+      systemd.network.networks."10-${cfg.iface}" = {
+        matchConfig.Name = [cfg.iface];
+        networkConfig = {
+          Address =
+            (lib.optionals (!builtins.isNull cfg.ipv4) ["${cfg.ipv4}/${toString cfg.prefixLength4}"])
+            ++ (lib.optionals (!builtins.isNull cfg.ipv6) ["${cfg.ipv6}/${toString cfg.prefixLength6}"]);
+          DNS = cfg.nameservers;
+        };
+        routes =
+          (lib.optional (!builtins.isNull cfg.defaultGateway)
+            {
+              Destination = "0.0.0.0/0";
+              Gateway = cfg.defaultGateway;
+            })
+          ++ (lib.optional (!builtins.isNull cfg.defaultGateway6) {
+            Destination = "::/0";
+            Gateway = cfg.defaultGateway6;
+          });
+        linkConfig.RequiredForOnline = "routable";
+      };
+    })
+]
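Review bot: The guard on the `interfaces.${cfg.iface}` line requires both `ipv4` and `ipv6` to be non-null before any static address is configured, yet each inner `lib.optional` already handles the two independently — a networkmanager host with only a static IPv4 ends up with no address block at all. Suggested: `interfaces.${cfg.iface} = lib.mkIf (cfg.ipv4 != null || cfg.ipv6 != null) {`. `networking.hostName` is now set only inside the two manager branches; the removed per-host `inherit hostName` was unconditional, so a host that leaves `network.enable` at its null default loses its hostname unless something else sets it — consider moving `networking.hostName = hostName;` into the first, unconditional attrset. The assertion message on the `message =` line has a typo ("confilt" → "conflict") and names the option `my-host.network`, while the real path is `modules.my-hosts.<name>.network`; the three identical `let cfg = ...` bindings could also be hoisted to one `let` around the `mkMerge`.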
modules/nixos/base/ssh.nix
@@ -1,9 +1,15 @@
-{lib, ...}: {
+{
+  lib,
+  config,
+  hostName,
+  ...
+}: {
   # Or disable the firewall altogether.
   networking.firewall.enable = lib.mkDefault false;
   # Enable the OpenSSH daemon.
   services.openssh = {
     enable = true;
+    ports = config.modules.my-hosts.${hostName}.sshPorts;
     settings = {
       # root user is used for remote deployment.
       PermitRootLogin = "prohibit-password";
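Review bot: `config.modules.my-hosts.${hostName}.sshPorts` on the new `ports` line raises a missing-attribute error for any system whose name is not declared in `modules.my-hosts` (the option's default is `{}`), so a host that has not been migrated fails here instead of keeping sshd on 22; modules/nixos/base/networking.nix has the same dependency. If a fallback is desired, `ports = lib.attrByPath ["modules" "my-hosts" hostName "sshPorts"] [22] config;` keeps the default behaviour for undeclared hosts. Since `services.openssh.openFirewall` presumably defaults to true, every entry in `sshPorts` is also opened in the firewall when it is enabled — a short comment on the `ports` line, e.g. `# each listed port is exposed by openssh's openFirewall; firewall itself is off by default above`, documents that coupling. The attrset continues past this hunk.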
outputs/x86_64-linux/src/kevin.nix
@@ -29,6 +29,10 @@
   };
 in {
   nixosConfigurations = {
-    "${name}" = mylib.nixosSystem (base-modules // args);
+    "${name}" = mylib.nixosSystem (base-modules
+      // args
+      // {
+        genSpecialArgs = system: (genSpecialArgs system) // {hostName = name;};
+      });
   };
 }
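Review bot: The `genSpecialArgs = system: (genSpecialArgs system) // {hostName = name;};` override is duplicated verbatim in outputs/x86_64-linux/src/pardofelis.nix (its `systemArgs` block); two copies of the same wrapper will drift the next time a specialArg is added. A small helper in `mylib` (or letting `mylib.nixosSystem` accept `hostName` directly and inject it) would keep both call sites to one line. Inside the attrset `genSpecialArgs` on the right-hand side refers to the outer function argument, not to itself, which is correct but worth a comment since the names coincide. The enclosing `let` starts above this hunk.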
outputs/x86_64-linux/src/pardofelis.nix
@@ -0,0 +1,42 @@
+{
+  # NOTE: the args not used in this file CAN NOT be removed!
+  # because haumea pass argument lazily,
+  # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc.
+  inputs,
+  lib,
+  myvars,
+  mylib,
+  system,
+  genSpecialArgs,
+  ...
+} @ args: let
+  # Pardofelis - Codename "Reverie", 13th of Flame-Chasers
+  name = "pardofelis";
+  tags = ["pardo" "vps"];
+  ssh-user = "root";
+
+  modules = {
+    nixos-modules = map mylib.relativeToRoot [
+      # common
+      "secrets/nixos.nix"
+      "modules/nixos/server/x86_64.nix"
+      # host specific
+      "hosts/chaser-${name}"
+    ];
+    home-modules = map mylib.relativeToRoot [
+      "home/linux/core.nix"
+    ];
+  };
+
+  systemArgs =
+    modules
+    // args
+    // {
+      genSpecialArgs = system: (genSpecialArgs system) // {hostName = name;};
+    };
+in {
+  nixosConfigurations.${name} = mylib.nixosSystem systemArgs;
+
+  colmena.${name} =
+    mylib.colmenaSystem (systemArgs // {inherit tags ssh-user;});
+}
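Review bot: The module list references `hosts/chaser-${name}` (i.e. `hosts/chaser-pardofelis`), and no such directory is added in this commit, so as far as this diff shows `nix flake check` / a colmena build of this host fails until that directory exists — if it lives in a separate commit, a comment saying so would help. `ssh-user = "root"` for colmena relies on the `PermitRootLogin = "prohibit-password"` setting in modules/nixos/base/ssh.nix and on the host declaring `modules.my-hosts.pardofelis.hostPublicKey` so that deploys are pinned through `programs.ssh.knownHosts`; a comment on the `ssh-user` line pointing at those two requirements would make the trust assumptions explicit. The `# NOTE` header could read "haumea passes arguments lazily" for clarity.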
secrets/base/default.nix
@@ -1,15 +0,0 @@
-let
-  mapSecrets = keys:
-    builtins.listToAttrs (builtins.map (k: {
-        name = k;
-        value = {
-          format = "yaml";
-          sopsFile = ./secrets.yaml;
-        };
-      })
-      keys);
-in {
-  sops.secrets = mapSecrets [
-    "github-access-token"
-  ];
-}
secrets/base/secrets.yaml
@@ -1,28 +0,0 @@
-github-access-token: ENC[AES256_GCM,data:Ca/NER89MA1sF+bGc6Tcz/OVr7vlu7fh6p0eZWEONQ9HvkNeXN1aB3duWLTCWUTv+qvTYXrNicOTVFpLdlpaq3oJhZno+l6jbDu00DIOFUFyg8VfOXXZYPxlCx/K,iv:e+nTOBn4GAARFDXdWOEGZYMvzgjFUwxfk2BmY/Xm/A4=,tag:UuvOUtZ5LbFyy3JAEux40Q==,type:str]
-sops:
-    age:
-        - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MUJodUUvWkxNeDQyemR0
-            NmhWV20vNFRkK0JUN3JFZUpyZHl1WVdBaFFnCjJ3Zmdra2RlODkrZkc3Kzk5Q2Zy
-            N2plT2dRQkUzOG53RDUrZHY1ZjFsS1EKLS0tIGdRREVxaGc5S1ZTV1R0NmNvenpJ
-            Yi9ZV013dWo1NjlEbkREMlYxL3FZS0EKMStYByW8u5mTQ+ZthgWqTTOsjatJVuFo
-            5bOZw/lgD5L6XcSb+xWbM21dlV/Vn7ulMsTHM7FE2Z36OGQc0cwQUA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-13T16:55:44Z"
-    mac: ENC[AES256_GCM,data:avJXHLxu1WPUILzgUpDVobGbhABJq/yKJExBVZx56KN0gMM/Q7GzSoK4GAglw6nrJSLbYwHN/IzH3X/rR5Z1YYD/imHJO/rO5YCMYlnZvXXk/9Hif4bi5e8NdyuWrNGXrSYfUU68x9VVEGF0UWTFu+TAQihXvrx4LLA9J6dmetw=,iv:KgD3mAtonjL6l2WNkcfAyw7NxSxRUezEwNlImQ+9fLY=,tag:tsJaOH2TJFVqdcjLQ4xVTQ==,type:str]
-    pgp:
-        - created_at: "2025-06-03T17:06:45Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4Dh4vQ8CmRuq4SAQdAMt829MplCrLDjQjnpmQfj1f1l98VHir3KmuwyHHqYUgw
-            F+I8O8PReUS+LKLFy+H1HbrsAuBUfnC8y8q9a6eX092cjX3hcNRAlPMUa89yG1Ud
-            0l4B43c42oJb/mxgorqnjMieIAE3pzXd2vX/qFZzKMZHFT30rpwWGXQibW4nRG2Q
-            fmboUVQPEcwx/9FdO9kQP8lldCQA5ny6HalKL0e3LWTXSi39XpTtb8ZMO6G3xvG/
-            =kTIM
-            -----END PGP MESSAGE-----
-          fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
secrets/hosts/default.nix
@@ -0,0 +1,3 @@
+{mylib, ...}: {
+  imports = mylib.scanModules ./.;
+}
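Review bot: `imports = mylib.scanModules ./.;` is evaluated from `default.nix` inside the directory it scans; unless `scanModules` excludes `default.nix` (not visible here), the module imports itself and evaluation recurses. This diff adds no other file under secrets/hosts/, so the scan currently yields nothing or the self-import; a comment such as `# per-host secret declarations live alongside this file; scanModules is expected to skip default.nix` records the assumption until the first host file lands.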
secrets/nixos/default.nix
@@ -1,17 +0,0 @@
-let
-  mapSecrets = keys:
-    builtins.listToAttrs (builtins.map (k: {
-        name = k;
-        value = {
-          format = "yaml";
-          sopsFile = ./secrets.yaml;
-        };
-      })
-      keys);
-in {
-  sops.secrets = mapSecrets [
-    "mihomo/providers/yi_yuan"
-    "mihomo/providers/mo_jie"
-    "aria2-rpc-secret"
-  ];
-}
secrets/nixos/secrets.yaml
@@ -1,32 +0,0 @@
-mihomo:
-    providers:
-        yi_yuan: ENC[AES256_GCM,data:s+aeWYDpUzCJikFdwLaa5bbATg6VFz+dsqbuVJfHd+xnOxQm32lFCpTM3nM22Cw5Fy2KhVupwFKRhGzhwfGZXowf0QDc4fFpQH/nveb8/C82C0mJPGg5w3/r6G2PAsU=,iv:cikjeLhXqfoDDeJGOobRVqejmic8IINOa7Bh7rLDY6k=,tag:ExJCLLrf0Is2SsWZaAwBdg==,type:str]
-        mo_jie: ENC[AES256_GCM,data:cCwgl6ZBXSyv0v9DYFHBk4sS29bQ4yt6SiVTIOMr6F/aBV0hzPavErpO7A6CYCfs6e03ZZCyvQVGjbA+c4TEH8+K/OPPKjUzpE3k3FwfJQ==,iv:tN2Kyo6X2eAAqx+/OOOtAW4YSIYaR2TuoPmUuLQuzCw=,tag:LbxetW8P44/TPV4uk6d63g==,type:str]
-aria2-rpc-secret: ENC[AES256_GCM,data:5q0HzOd4XjDbRA==,iv:54Fwf7RgpOPulHN9ZLglgWpB16EsqpPEiBAcgb2H/Ys=,tag:IKqsUXd4VH/ebaK+X+QiLw==,type:str]
-sops:
-    age:
-        - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3blBzNTR1eGhuUEJpUWor
-            d1FqcGlSNnhPNVpJa1I3TlI0TDFHYS9PUTJjClpwREFVTTc0aTJBRW13Y3RWY0x4
-            OWlVa3FNRUZYaWt6YXVJQnFWbVllcVUKLS0tICtKb05DdzlJYldDQndJaWdoclY4
-            V0lEaEYxVVozUHpRRDcwOEFuc002WGMKH6ewbfK1BuUguYbHxEKbzTTC+QbSYHMB
-            WIKu1bHYVaOu8grQq5A4RDDP8pgxFlLrKPDw841Oy5/jHFE4DYiQrw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-13T16:58:03Z"
-    mac: ENC[AES256_GCM,data:CurUQKMEi896f/wVzeZSKhHHFQmxi+D1bAHSYqYQMG7IgWL6h8MVhzx3AVHjIlgOU7ikf2HrBs/E9/oOMk5L68t89FLeCeiYWp9XFRU+lNzS/jhqmw/MCEIBDfJFvDhzO4HHZFHKd5yreSm1mTVgH5beTIq3VmeXTm8MtNgoNOQ=,iv:EsbIGcBhyNAOGLoCKzgT7IsDo5RBlvx8EfpHY0gpuUs=,tag:TcEHWrVZNa/VrkaqQC4Djg==,type:str]
-    pgp:
-        - created_at: "2025-07-13T16:57:48Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4Dh4vQ8CmRuq4SAQdA+tSoSJdi8OD88jazXVsI1LnPUe7kF1aVpZfzC3Vsq00w
-            kXkPlD64pBLoRjwZ8ZHHR3EUD1+BoA2PfKeHWB8jF169d6K3wW4nFMAtCWvuBXEe
-            0lEBDCgTipKF03XhGPr59dUnMdpWtyA3R4IgowCEcmCq/HHY6F3PxUUmJ59jgGB2
-            0co9dGWZ7oGzLR8CLKKwWjJylOfiS08PIMrHVOo7Yi+pLPY=
-            =rnOM
-            -----END PGP MESSAGE-----
-          fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2
secrets/base.nix
@@ -0,0 +1,15 @@
+{sops-nix, ...}: {
+  imports = [
+    sops-nix.nixosModules.sops
+    ./hosts
+  ];
+
+  sops.defaultSopsFile = ./secrets.yaml;
+
+  sops.secrets."github-access-token" = {};
+
+  sops.age = {
+    sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    generateKey = true;
+  };
+}
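Review bot: `sops.secrets."github-access-token" = {};` is declared unconditionally in a module that every host now imports, and `defaultSopsFile` points at the single consolidated secrets/secrets.yaml, which is encrypted to every age recipient listed in it — so each host's ssh host key can decrypt the whole file, and every host materialises the GitHub token under /run/secrets whether or not it uses it. Consider gating the token behind an option the way `modules.secrets.mihomo.enable` does in secrets/nixos.nix (e.g. `github.enable`), and, for the VPS class of hosts, keeping secrets they do not need in a file whose `.sops.yaml` rule does not include their key. A comment on the `defaultSopsFile` line stating that the file is shared by all hosts and which keys it is encrypted to would make the blast radius visible to whoever adds the next secret.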
secrets/nixos.nix
@@ -1,12 +1,31 @@
-{sops-nix, ...}: {
-  imports = [
-    sops-nix.nixosModules.sops
-    ./base
-    ./nixos
-  ];
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.modules.secrets;
+in {
+  imports = [./base.nix];
 
-  sops.age = {
-    sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-    generateKey = true;
+  options.modules.secrets = {
+    mihomo.enable = mkEnableOption "NixOS Secrets for Mihomo";
   };
+
+  config = mkMerge [
+    {
+      sops.secrets = {
+        "aria2-rpc-secret" = {
+          restartUnits = ["aria2.service"];
+        };
+      };
+    }
+
+    (mkIf cfg.mihomo.enable {
+      sops.secrets = genAttrs [
+        "mihomo/providers/yi_yuan"
+        "mihomo/providers/mo_jie"
+      ] (name: {restartUnits = ["mihomo.service"];});
+    })
+  ];
 }
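Review bot: `aria2-rpc-secret` is declared in the unconditional first element of `mkMerge`, so it is decrypted on every host (including ones without an aria2 service), while the mihomo provider secrets right below are correctly gated behind `cfg.mihomo.enable`; for consistency and least privilege, an `aria2.enable = mkEnableOption "NixOS Secrets for aria2";` option and a matching `mkIf` would treat both the same way. `restartUnits = ["aria2.service"]` on a host where that unit does not exist is at best a no-op and at worst an activation error — another reason to gate it. The `genAttrs` callback ignores its `name` argument; `(_: {restartUnits = ["mihomo.service"];})` makes that intent explicit, and `with lib;` at module scope could be narrowed to `inherit (lib) mkEnableOption mkMerge mkIf genAttrs;`.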
secrets/README.md
@@ -18,7 +18,7 @@ nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-ag
 Open the secret file in the terminal using sops:
 
 ```sh
-sops secrets/base/secrets.yaml
+sops secrets/secrets.yaml
 ```
 
 Then edit and add new secret fields:
@@ -28,7 +28,7 @@ this: "is a secret"
 and: { a: { nest: secret } }
 ```
 
-Next, edit and add the field in `/secrets/base/default.nix`:
+Next, edit and add the field in `/secrets/base.nix`:
 
 ```nix
 let
secrets/README.zh-CN.md
@@ -18,7 +18,7 @@ nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-ag
 在终端中使用 sops 打开机密所在的文件:
 
 ```sh
-sops secrets/base/secrets.yaml
+sops secrets/secrets.yaml
 ```
 
 并编辑添加新的机密字段:
@@ -28,7 +28,7 @@ this: "is a secret"
 and: { a: { nest: secret } }
 ```
 
-随后在 `/secrets/base/default.nix` 中编辑添加该字段
+随后在 `/secrets/base.nix` 中编辑添加该字段
 
 ```nix
 let
secrets/secrets.yaml
@@ -0,0 +1,42 @@
+github-access-token: ENC[AES256_GCM,data:Ca/NER89MA1sF+bGc6Tcz/OVr7vlu7fh6p0eZWEONQ9HvkNeXN1aB3duWLTCWUTv+qvTYXrNicOTVFpLdlpaq3oJhZno+l6jbDu00DIOFUFyg8VfOXXZYPxlCx/K,iv:e+nTOBn4GAARFDXdWOEGZYMvzgjFUwxfk2BmY/Xm/A4=,tag:UuvOUtZ5LbFyy3JAEux40Q==,type:str]
+mihomo:
+    providers:
+        yi_yuan: ENC[AES256_GCM,data:Lpgq1RVV35OT+oJC7280nJzN7lW77OYdEcVxBHRd0FzIu9D0hEC4VE8Gf0nw4LsL6BNQbZQtULmrSR1gi8DNGcjQJUGedA/LaOM7stL/g62FdYzNVVoDTyhRwOdxj8A=,iv:lwaEEDQkyCQDNML6Iv6jhZmz0zUU1SDhN363datm4Fs=,tag:J4vAVMXplSd9qz1eq2gFZA==,type:str]
+        mo_jie: ENC[AES256_GCM,data:QT+UjsZhrF3mBui6rxn9q7QkYTM69l2ZCi8ecIFOkMzwLNcsCrG5ir0v9t1SocDDnNXNxOC4lH+kot4MHXjjYE3VXXp2AGuYP66OB85Zsg==,iv:ZZ7l9CDc3Lleh/51URWX0x/b/+t1nQH+eijJ7AOj7z4=,tag:S9pA0nZUHkjwbza1kzCTwg==,type:str]
+aria2-rpc-secret: ENC[AES256_GCM,data:I6FYN/TRRP2ceQ==,iv:18dOBc/3WTden6Za2IaSoUOX5aY6M0jAwt94il0f5OI=,tag:WZf3xu7EC7cVlZU5urNWzQ==,type:str]
+sops:
+    age:
+        - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNmtzTE1hNnhiZDVpMDd1
+            bHl4VnRmQjBhQnFjbE5wWHVkeFo1bWlMc1h3CmZPNVcxMGpFRENTeUJBMko2UlAw
+            QWFFN1gxU2NmWXRsU1d2Q1hPS2pCdUUKLS0tIElYOW4vOCt5bkFhVng1R0JPZGs5
+            VDZnMGVvYjVxYUFPMHZNU3UwbFpXNncKUiVCNLyEkSpXhke79nqn96FzuJiLII41
+            bYR/L23fhZ9FPCWed8iPGJQgDuWsCWwde7K1j+50g0L1RcNkONP0Wg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1paj3ugpwg9l282ae7rm9t9kre5f4glljx5gj7ncthnzxfdxlcqas0jw6zx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ2NqRVhTSE5oOXlTdEhk
+            ZG0rUCt4akdIc25LY0x0T0hlL2tjM1k2M0FBCkJPQWFBNHAxUDhySHFPL0xxRVY3
+            ajRuVGJSUEJMejcxWUxkQWFNS0FrUUUKLS0tIFd6ck80UjRXYzBzODFLQXlNV2tI
+            VlhsclVpbUtQMk45YUx0OXJocHpycUkKQl63KY0SqgDHaG+VlfsnczVZ7PH520EE
+            vUrAq1GKMbouZmIv3Yn952jIzgUudvZXcTP7NAFehE96LQxig9S+Zw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-14T08:59:30Z"
+    mac: ENC[AES256_GCM,data:9r7iPa/5jOobUGHnLZvBPp1nbUBl+Buc84B+2au/GS37xKnfR0gLas1cKb9P6F1NLmQ+wqZMqp1J4HgkYZOJsPGr9Nq8Xw/7dW8rOdr0LIFzARug4XDml7shYd4xu5+jHoS4pC5Wl0Wpj76c0a11chTFsllUXVjnajoFWCBGGYM=,iv:dh+C4uOHe59WAfJuFv7GCaTeBGhWIad1xv3W5Eq611s=,tag:2r3CZZAEr1gXQ4oTazi7+A==,type:str]
+    pgp:
+        - created_at: "2025-07-14T09:17:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dh4vQ8CmRuq4SAQdAvuP3lTA11ezSlVRzvARkjKWEyXq55memX6VcnF1GaBow
+            YgRdrJxH7FZh1qUbGQ9+T6e3NUMhOHVHunmuZ5U5fohqmyrprZts1cY/qfl8/9zb
+            0l4BPmwpi8sHg+YVEuyXHrTRLMcFABLcD2d5AQiae1LDTxZWzaWJt3VVyNpyCFcG
+            3uVYvhFpeQhDCNPh1l6MtaTnCIYeXaUr7JPn/vFk5yg38HQmbE+lwlvxxF87vgPn
+            =0q2P
+            -----END PGP MESSAGE-----
+          fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
vars/default.nix
@@ -2,7 +2,14 @@
   username = "hpcesia";
   userfullname = "HPCesia";
   useremail = "me@hpcesia.com";
-  networking = import ./networking.nix {inherit lib;};
+  defaultNameservers = [
+    # IPv4
+    "119.29.29.29" # DNSPod
+    "223.5.5.5" # AliDNS
+    # IPv6
+    "2400:3200::1" # Alidns
+    "2606:4700:4700::1111" # Cloudflare
+  ];
   # generated by `mkpasswd -m scrypt`
   initialHashedPassword = "$7$CU..../....xQnray7Ah6GYybfmtsxmF.$k0F/eaOC2.9gXwXp0jgMrFM.fnMtFqYi3GZFaaJGsl3";
   # Public Keys that can be used to login to all my PC and servers.
vars/networking.nix
@@ -1,79 +0,0 @@
-{lib}: let
-  defaultNameservers = [
-    # IPv4
-    "119.29.29.29" # DNSPod
-    "223.5.5.5" # AliDNS
-    # IPv6
-    "2400:3200::1" # Alidns
-    "2606:4700:4700::1111" # Cloudflare
-  ];
-in rec {
-  hosts = {
-    kevin = {
-      environment = {
-        nameservers = defaultNameservers;
-      };
-      useNetworkManager = true;
-      iface = "wlp0s20f3";
-    };
-  };
-
-  generateHostNetworking = hostName: let
-    hostData = hosts.${hostName};
-    env = hostData.environment;
-  in {
-    inherit (env) nameservers;
-    defaultGateway = lib.mkIf (env ? "defaultGateway6") env.defaultGateway;
-    defaultGateway6 = lib.mkIf (env ? "defaultGateway6") env.defaultGateway6;
-    search = lib.mkIf (env ? "search") env.search;
-
-    useNetworkd = lib.mkDefault (hostData.useNetworkd or false);
-    networkmanager.enable = lib.mkDefault (hostData.useNetworkManager or false);
-    useDHCP = lib.mkDefault (hostData.useNetworkManager or false);
-
-    interfaces."${hostData.iface}" = {
-      ipv4.addresses = lib.mkIf (hostData ? "ipv4" && hostData.useNetworkd or false) [
-        {
-          address = hostData.ipv4;
-          prefixLength = env.prefixLength or env.prefixLength4;
-        }
-      ];
-      ipv6.addresses = lib.mkIf (hostData ? "ipv6" && hostData.useNetworkd or false) [
-        {
-          address = hostData.ipv6;
-          prefixLength = env.prefixLength6;
-        }
-      ];
-    };
-  };
-
-  ssh = {
-    extraConfig = let
-      sshTargetHosts = lib.attrsets.filterAttrs (name: value: value ? "ipv4") hosts;
-    in
-      lib.attrsets.foldlAttrs
-      (acc: host: val:
-        acc
-        + ''
-          Host ${host}
-            HostName ${val.ipv4}
-            Port ${val.port or "22"}
-        '')
-      ""
-      sshTargetHosts;
-    knownHosts =
-      lib.attrsets.mapAttrs'
-      (
-        host: value:
-          lib.attrsets.nameValuePair
-          (value.ipv4)
-          {
-            inherit (value) publicKey;
-            hostNames = [host];
-          }
-      )
-      (
-        lib.attrsets.filterAttrs (n: v: v ? "publicKey") hosts
-      );
-  };
-}
.sops.yaml
@@ -2,13 +2,7 @@ keys:
   - &admin_hpcesia 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
   - &chaser_kevin age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
 creation_rules:
-  - path_regex: ^secrets/base/secrets\.yaml$
-    key_groups:
-      - pgp:
-          - *admin_hpcesia
-        age:
-          - *chaser_kevin
-  - path_regex: ^secrets/nixos/secrets\.yaml$
+  - path_regex: ^secrets/secrets\.yaml$
     key_groups:
       - pgp:
           - *admin_hpcesia
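Review bot: The new secrets/secrets.yaml is encrypted to a second age recipient (`age1paj3ugpwg9l282ae7rm9t9kre5f4glljx5gj7ncthnzxfdxlcqas0jw6zx`) that does not appear in the `keys:` list or the single creation rule shown here; the next `sops updatekeys` would strip that recipient (and rotate the data key), and whichever host it belongs to would lose access. Add it as a named anchor under `keys:` (for example `- &chaser_<host-placeholder> age1paj3ugpwg9l282ae7rm9t9kre5f4glljx5gj7ncthnzxfdxlcqas0jw6zx`) and list it in the rule's `age:` group so the file metadata and the policy agree. Collapsing the two rules into one `^secrets/secrets\.yaml$` rule also means every listed key can decrypt every secret; if some secrets are host-specific, separate files with separate rules keep that boundary. The `age:` part of the key group continues past the end of this hunk.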