feat: add ripgrep and fzf for nvim deps

nur.overlay -> nur.overlays.default

.sops.yaml

@@ -0,0 +1,13 @@
+keys:
+  - &users:
+    - &irl age1uhp600xemepn27l0vxnt7hmuvk53wmw5peh9d3wy4ma2apsympmqxm8jxq
+  - &hosts:
+    - &homeserver age1y9v37jc3kxuygw042qrsvseac5krhh3skp88ewlqlja00uslpyss62e4nd
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - age:
+        - *irl
+        - *homeserver
+
+

darwin/common.nix

@@ -0,0 +1,126 @@
+{
+  pkgs,
+  lib,
+  nix-darwin,
+  ...
+}:
+{
+  environment.systemPackages = with pkgs; [
+    home-manager
+    jetbrains.clion
+    jetbrains.idea-ultimate
+    jetbrains.pycharm-professional
+    jetbrains.webstorm
+  ];
+
+  environment.darwinConfig = "/Users/irl/.config/nix-configs";
+
+  nix = {
+    package = pkgs.nix;
+    settings = {
+      "extra-experimental-features" = [
+        "nix-command"
+        "flakes"
+      ];
+    };
+  };
+
+  nixpkgs.config.allowUnfreePredicate =
+    pkg:
+    builtins.elem (lib.getName pkg) [
+      "clion"
+      "idea-ultimate"
+      "pycharm-professional"
+      "webstorm"
+    ];
+
+  homebrew = {
+    enable = true;
+
+    onActivation = {
+      autoUpdate = true;
+      cleanup = "zap";
+    };
+
+    brews = [
+      "libfido2"
+      "mas"
+      "openssh"
+      "theseal/ssh-askpass/ssh-askpass"
+    ];
+
+    casks = [
+      "affinity-designer"
+      "affinity-photo"
+      "affinity-publisher"
+      "audacity"
+      "discord"
+      "element"
+      "fantastical"
+      "firefox"
+      "ghostty"
+      "notion"
+      "obsidian"
+      "tor-browser"
+      "vlc"
+    ];
+
+    masApps = {
+      "Things" = 904280696;
+    };
+
+    taps = [
+      "theseal/ssh-askpass"
+    ];
+  };
+
+  programs = {
+    # TODO: rewrite in fish maybe
+    zsh.shellInit = ''
+      export SSH_ASKPASS=/opt/homebrew/bin/ssh-askpass
+      export SSH_ASKPASS_REQUIRE=force
+
+      checkSSHAgent() {
+        if [ "$1" = "-k" ] ; then
+          pkill -9 ssh-agent
+        fi
+
+        ssh_agent_conf="$HOME/.ssh/agent"
+        if [ -e "$ssh_agent_conf" ] ; then
+          . "$ssh_agent_conf"
+        fi
+        if ! ps aux | awk '{print $2}' | grep -q "$SSH_AGENT_PID" \
+          || ! [ -e "$ssh_agent_conf" ] \
+          || [ -z "$SSH_AGENT_PID" ] ; \
+        then
+          ssh-agent -s | grep -v echo > "$ssh_agent_conf"
+          . "$ssh_agent_conf"
+        fi
+      }
+
+      checkSSHAgent
+    '';
+  };
+
+  system = {
+    defaults.NSGlobalDomain = {
+      "com.apple.swipescrolldirection" = false;
+    };
+    primaryUser = "irl";
+    stateVersion = 6;
+  };
+
+  users.users = {
+    irl = {
+      description = "irl";
+      home = "/Users/irl";
+      name = "irl";
+
+      # This is the macOS zsh, not from nix!
+      # My home-manager configuration contains some zshrc to automatically
+      # start fish for interactive shells where the parent process is not
+      # already fish.
+      shell = "/bin/zsh";
+    };
+  };
+}

darwin/irl-mac-mini.nix

@@ -0,0 +1,7 @@
+{
+  lib,
+  ...
+}:
+{
+  networking.hostName = "irl-mac-mini";
+}

flake.lock

@@ -1,5 +1,62 @@
 {
   "nodes": {
+    "apple-silicon": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748659443,
+        "narHash": "sha256-dav2hzyCmXZ3n6lEZrfZBG51+g6PUhkzRl3d6Ypd9x0=",
+        "owner": "tpwrules",
+        "repo": "nixos-apple-silicon",
+        "rev": "3ddc251d2acce5019b0fa770e224d068610a34e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tpwrules",
+        "repo": "nixos-apple-silicon",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "locked": {
+        "lastModified": 1688025799,
+        "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
+        "owner": "nix-community",
+        "repo": "flake-compat",
+        "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -25,11 +82,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1749131129,
+        "lastModified": 1751569544,
-        "narHash": "sha256-tJ+93i7N4QttM75bE8T09LlSU3Mv6Dfi9WaVBvlWilo=",
+        "narHash": "sha256-iWjzNHaSU+pm4TS/vzkzgBdbTwkyHy8Jc6PlcrgdgyU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "13a45ede6c17b5e923dfc18a40a3f646436f4809",
+        "rev": "28639e6470ef597fe9f5efc4c6594306859d62ed",
         "type": "github"
       },
       "original": {
@@ -38,13 +95,34 @@
         "type": "github"
       }
     },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1751313918,
+        "narHash": "sha256-HsJM3XLa43WpG+665aGEh8iS8AfEwOIQWk3Mke3e7nk=",
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "rev": "e04a388232d9a6ba56967ce5b53a8a6f713cdfcf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-darwin",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1749145035,
+        "lastModified": 1751571573,
-        "narHash": "sha256-7hU9TqHpz3BhcgoP3J/udnvZ3QCurGEBD+ERhvKbJEE=",
+        "narHash": "sha256-vyhLXk2EsyTSxZ8cETmAAUF/fp8hQ3lZ6fUC0p6+LsY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a537c74d1071ca48aa835f731998094a4058a6f3",
+        "rev": "e50e2a177e0aaa0fd02c10fa365252f91b50cbf4",
         "type": "github"
       },
       "original": {
@@ -53,11 +131,71 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1744868846,
+        "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nur": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1751571902,
+        "narHash": "sha256-5EimK/KBs+UHVC3d9L1oagFWIzOlU2lOq0eI5kOTTWI=",
+        "owner": "nix-community",
+        "repo": "NUR",
+        "rev": "b19bd45d58ab88e1700cc3032139676fae7f3ea1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "NUR",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "apple-silicon": "apple-silicon",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nix-darwin": "nix-darwin",
+        "nixpkgs": "nixpkgs",
+        "nur": "nur",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1750119275,
+        "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "systems": {
@@ -74,6 +212,27 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nur",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733222881,
+        "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "49717b5af6f80172275d47a418c9719a31a78b53",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -1,25 +1,52 @@
 {
   description = "I have no idea what I'm doing";
-
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs";
+    apple-silicon = {
+      url = "github:tpwrules/nixos-apple-silicon";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     flake-utils.url = "github:numtide/flake-utils";
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    #    nur = {
+    nix-darwin = {
-    #      url = "github:nix-community/NUR";
+      url = "github:nix-darwin/nix-darwin/master";
-    #      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
-    #    };
+    };
+    nur = {
+      url = "github:nix-community/NUR";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    sops-nix = {
+      url = "github:mic92/sops-nix";
+      inputs.nix.follows = "nixpkgs";
+    };
   };
   outputs =
     {
-      nixpkgs,
+      apple-silicon,
       flake-utils,
       home-manager,
-      ...
+      nix-darwin,
-    }:
+      nixpkgs,
+      nur,
+      self,
+      sops-nix,
+    }@inputs:
+    let
+      outputs = inputs.self;
+      overlays = [
+        apple-silicon.overlays.apple-silicon-overlay
+        nur.overlays.default
+      ];
+      supportedSystems = [
+        "x86_64-linux"
+        "aarch64-darwin"
+        "aarch64-linux"
+      ];
+    in
     {
       nixosConfigurations = {
         laptop = nixpkgs.lib.nixosSystem {
@@ -30,24 +57,58 @@
             ./nixos/hosts/laptop/hardware-configuration.nix
           ];
         };
-      };
+        homeserver = nixpkgs.lib.nixosSystem {
-    }
+          system = "aarch64-linux";
-    // flake-utils.lib.eachSystem flake-utils.lib.allSystems (system: {
-      formatter = nixpkgs.legacyPackages.${system}.nixfmt-rfc-style;
-      packages.homeConfigurations = {
-        irl = home-manager.lib.homeManagerConfiguration {
-          pkgs = import nixpkgs { inherit system; };
-          modules = [ ./home/irl.nix ];
-        };
-        irl-gui = home-manager.lib.homeManagerConfiguration {
-          pkgs = import nixpkgs { inherit system; };
           modules = [
-            ./home/irl.nix
+            ./nixos/common.nix
-            {
+            ./nixos/hosts/homeserver/default.nix
-              irl.gui-packages = true;
+            ./nixos/hosts/homeserver/hardware-configuration.nix
-            }
+            apple-silicon.nixosModules.apple-silicon-support
           ];
+          specialArgs = inputs;
         };
       };
-    });
+      homeManagerModules = import ./modules/home-manager;
+      homeConfigurations =
+        {
+          role = [
+            "desktop"
+            "minimal"
+            "server"
+          ];
+          system = supportedSystems;
+        }
+        |> nixpkgs.lib.cartesianProduct
+        |> nixpkgs.lib.foldl' (
+          c: e:
+          c
+          // {
+            "irl-${e.role}-${e.system}" = home-manager.lib.homeManagerConfiguration {
+              pkgs = import nixpkgs {
+                inherit overlays;
+                system = e.system;
+              };
+              extraSpecialArgs = {
+                inherit outputs;
+              };
+              modules = [
+                ./home-manager/irl.nix
+                { role = "${e.role}"; }
+              ];
+            };
+          }
+        ) { };
+    }
+    // flake-utils.lib.eachSystem supportedSystems (system: {
+      formatter = nixpkgs.legacyPackages.${system}.nixfmt-tree;
+    })
+    // {
+      darwinConfigurations."irl-mac-mini" = nix-darwin.lib.darwinSystem {
+        system = "aarch64-darwin";
+        modules = [
+          ./darwin/common.nix
+          ./darwin/irl-mac-mini.nix
+        ];
+      };
+    };
 }

home-manager/irl.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  outputs,
+  pkgs,
+  ...
+}:
+{
+  imports = builtins.attrValues outputs.homeManagerModules;
+
+  options.role = lib.mkOption {
+    description = "Home role to set up";
+    default = "minimal";
+    type =
+      with lib.types;
+      enum [
+        "desktop"
+        "minimal"
+        "server"
+      ];
+  };
+
+  config = {
+    feature.cli.enable = builtins.elem config.role [
+      "desktop"
+      "minimal"
+      "server"
+    ];
+    feature.firefox.enable = config.role == "desktop";
+    feature.git.enable = builtins.elem config.role [
+      "desktop"
+      "server"
+    ];
+    feature.ops.enable = config.role == "desktop";
+    feature.tmux.enable = builtins.elem config.role [
+      "desktop"
+      "server"
+    ];
+    feature.vim.enable = builtins.elem config.role [
+      "desktop"
+      "minimal"
+      "server"
+    ];
+
+    home.username = "irl";
+    home.homeDirectory =
+      if lib.strings.hasSuffix "darwin" pkgs.system then "/Users/irl" else "/home/irl";
+    home.file.".config/nix/nix.conf".text = ''
+      experimental-features = nix-command flakes pipe-operators
+    '';
+    home.packages = with pkgs; [
+      neofetch
+    ];
+    home.shellAliases = {
+      hms = "home-manager switch --flake ~/.config/nix-configs#irl-${config.role}-${pkgs.system}";
+      drs = "sudo darwin-rebuild switch --flake ~/.config/nix-configs";
+    };
+    home.stateVersion = "25.05";
+
+    programs.home-manager.enable = true;
+  };
+}

home/irl.nix

@@ -1,100 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-let
-  cfg = config.irl;
-in
-{
-  options.irl.gui-packages = lib.mkEnableOption "GUI packages managed by home-manager";
-
-  config = {
-    home.username = "irl";
-    home.homeDirectory = "/home/irl";
-    home.stateVersion = "25.05";
-    home.packages = with pkgs; [
-      fish
-      neofetch
-      starship
-      tree
-    ];
-    home.shellAliases = {
-      hms =
-        "home-manager switch --flake ~/.config/nix-configs#irl" + (if cfg.gui-packages then "-gui" else "");
-    };
-    programs.bash = {
-      enable = true;
-      initExtra = ''
-        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
-        then
-          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
-          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
-        fi
-      '';
-    };
-    programs.firefox = lib.mkIf cfg.gui-packages {
-      enable = true;
-      profiles.irl = {
-        extensions = {
-          #	  packages = with pkgs.nur.repos.rycee.firefox-addons; [
-          #	    bitwarden
-          #	    kagi-search
-          #            privacy-badger
-          #          ];
-        };
-      };
-    };
-    programs.fish.enable = true;
-    programs.fzf = {
-      enable = true;
-      enableFishIntegration = true;
-    };
-    programs.git = {
-      delta.enable = true;
-      enable = true;
-      extraConfig = {
-        diff = {
-          algorithm = "histogram";
-        };
-        init = {
-          defaultBranch = "main";
-        };
-        rebase = {
-          autosquash = true;
-          autostash = true;
-        };
-        url = {
-          "git@github.com:".pushInsteadOf = "https://github.com/";
-          "git@gitlab.com:".pushInsteadOf = "https://gitlab.com/";
-          "git@guardianproject.dev:".pushInsteadOf = "https://guardianproject.dev/";
-        };
-        user = {
-          name = "irl";
-          email = "iain@learmonth.me";
-        };
-      };
-    };
-    programs.home-manager.enable = true;
-    programs.neovim = {
-      defaultEditor = true;
-      enable = true;
-      viAlias = true;
-      vimAlias = true;
-      vimdiffAlias = true;
-      plugins = with pkgs.vimPlugins; [
-        bufferline-nvim
-        nvim-treesitter.withAllGrammars
-      ];
-    };
-    programs.starship = {
-      enable = true;
-      enableFishIntegration = true;
-      enableInteractive = true;
-      enableTransience = true;
-    };
-    programs.zellij.enable = true;
-  };
-}

modules/home-manager/cli/cli.nix

@@ -0,0 +1,70 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.feature.cli;
+in
+{
+  options.feature.cli = {
+    enable = lib.mkEnableOption "Set up the CLI";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = with pkgs; [
+      starship
+      tree
+    ];
+
+    programs.fish = {
+      enable = true;
+      functions.fish_greeting = "";
+      shellInitLast = lib.mkIf (lib.strings.hasSuffix "darwin" pkgs.system) ''
+        eval $(/opt/homebrew/bin/brew shellenv)
+      '';
+    };
+
+    programs.fzf = {
+      enable = true;
+      enableFishIntegration = true;
+    };
+
+    programs.zsh = lib.mkIf (lib.strings.hasSuffix "darwin" pkgs.system) {
+      enable = true;
+
+      # zsh is a POSIX compliant shell and a safe default, but if it's an interactive
+      # shell and fish is not in the parent processes (i.e. I'm not deliberately starting
+      # zsh to use interactively from fish) then just launch fish.
+      initContent = ''
+        [[ $- == *i* ]] || return
+
+        is_parent_fish() {
+          local ppid=$$
+          while [[ $ppid -ne 1 ]]; do
+            local ppname=$(ps -p $ppid -o comm=)
+            if [[ "$ppname" == *fish* ]]; then
+              return 1
+            fi
+            ppid=$(ps -o ppid= -p $ppid)
+          done
+          return 0
+        }
+
+        if is_parent_fish
+        then
+          exec fish -l
+        fi
+      '';
+    };
+
+    programs.starship = {
+      enable = true;
+      enableFishIntegration = true;
+      enableInteractive = true;
+      enableTransience = true;
+      settings = builtins.fromTOML (builtins.readFile ./starship.toml);
+    };
+  };
+}

modules/home-manager/cli/starship.toml

@@ -0,0 +1,13 @@
+"$schema" = 'https://starship.rs/config-schema.json'
+
+command_timeout = 800
+
+[shell]
+disabled = false
+format = '[$indicator]($style)'
+fish_indicator = ''
+zsh_indicator = 'z'
+
+[sudo]
+disabled = false
+

modules/home-manager/default.nix

@@ -0,0 +1,8 @@
+{
+  cli = import ./cli/cli.nix;
+  firefox = import ./firefox/firefox.nix;
+  git = import ./git/git.nix;
+  ops = import ./ops/ops.nix;
+  tmux = import ./tmux/tmux.nix;
+  vim = import ./vim/vim.nix;
+}

modules/home-manager/firefox/firefox.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.feature.firefox;
+in
+{
+  options.feature.firefox = {
+    enable = lib.mkEnableOption "Set up firefox";
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.firefox = {
+      enable = true;
+
+      # Firefox is expected to be installed as a system package
+      package = null;
+
+      profiles.irl = {
+        extensions = {
+          force = true;
+          packages = with pkgs.nur.repos.rycee.firefox-addons; [
+            bitwarden
+            granted
+            kagi-search
+            multi-account-containers
+            privacy-badger
+            recap
+            rsf-censorship-detector
+          ];
+        };
+        settings = {
+          "browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled" = false;
+          "browser.newtabpage.activity-stream.feeds.section.topstories" = false;
+          "browser.newtabpage.activity-stream.showSponsored" = false;
+          "browser.newtabpage.activity-stream.showSponsoredCheckboxes" = false;
+          "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
+          "browser.search.suggest.enabled.private" = false;
+          "datareporting.policy.firstRunURL" = "https://irl.xyz/";
+          "extensions.autoDisableScope" = 0;
+          "extensions.pocket.enabled" = false;
+          "identity.fxaccounts.enabled" = false;
+        };
+        userContent = ''
+          /* It's a dot not an interpunct */
+          .govuk-logo-dot {
+            fill: #fff !important;
+            transform: translate(0, 14.5px);
+          }
+        '';
+      };
+    };
+  };
+}

modules/home-manager/git/git.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.feature.git;
+in
+{
+  options.feature.git.enable = lib.mkEnableOption "Set up git";
+
+  config = {
+    programs.git = {
+      delta.enable = true;
+      enable = true;
+      extraConfig = {
+        diff = {
+          algorithm = "histogram";
+        };
+        init = {
+          defaultBranch = "main";
+        };
+        rebase = {
+          autosquash = true;
+          autostash = true;
+        };
+        url = {
+          "git@github.com:".pushInsteadOf = "https://github.com/";
+          "git@gitlab.com:".pushInsteadOf = "https://gitlab.com/";
+          "git@guardianproject.dev:".pushInsteadOf = "https://guardianproject.dev/";
+        };
+        user = {
+          name = "irl";
+          email = "iain@learmonth.me";
+        };
+      };
+    };
+  };
+}

modules/home-manager/ops/ops.nix

@@ -0,0 +1,22 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.feature.ops;
+in
+{
+  options.feature.ops = {
+    enable = lib.mkEnableOption "Setup DevOps tools";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = with pkgs; [
+      age
+      awscli2
+      opentofu
+    ];
+  };
+}

modules/home-manager/tmux/tmux.conf

@@ -0,0 +1,11 @@
+set -g default-terminal "tmux-256color"
+
+# Configure the catppuccin plugin
+set -g @catppuccin_flavor "mocha"
+set -g @catppuccin_window_status_style "rounded"
+
+# Make the status line pretty and add some modules
+set -g status-right-length 100
+set -g status-left-length 100
+set -g status-left ""
+set -g status-right "#{E:@catppuccin_status_application}"

modules/home-manager/tmux/tmux.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.feature.tmux;
+in
+{
+  options.feature.tmux = {
+    enable = lib.mkEnableOption "Set up tmux";
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs.tmux = {
+      enable = true;
+      baseIndex = 1;
+      plugins = with pkgs.tmuxPlugins; [
+        catppuccin
+      ];
+      extraConfig = builtins.readFile ./tmux.conf;
+    };
+  };
+}

modules/home-manager/vim/init.lua

@@ -0,0 +1,97 @@
+-- Global settings
+vim.g.loaded_netrw = 1
+vim.g.loaded_netrwPlugin = 1
+vim.g.mapleader = " "
+
+vim.opt.termguicolors = true
+
+vim.opt.tabstop = 2
+vim.opt.softtabstop = 2
+vim.opt.shiftwidth = 2
+vim.opt.expandtab = true
+
+vim.opt.number = true
+vim.opt.relativenumber = true
+vim.opt.scrolloff = 8
+
+vim.opt.colorcolumn = "+1,+2"
+vim.opt.cursorline = true
+vim.opt.signcolumn = 'yes'
+
+vim.cmd.colorscheme "catppuccin-mocha"
+
+-- Custom bindings for buffer navigation
+vim.keymap.set("n", "<leader>n", "<cmd>bn<CR>")
+vim.keymap.set("n", "<leader>p", "<cmd>bp<CR>")
+
+vim.keymap.set("n", "<Esc>", "<cmd>nohlsearch<CR>")
+
+-- Bufferline (tabs)
+require("bufferline").setup {}
+
+-- Lualine (status line)
+require("lualine").setup {
+  options = {
+    section_separators = { left = '', right = '' }
+  }
+}
+
+-- Telescope (anything search)
+vim.keymap.set("n", "<leader>b", "<cmd>Telescope buffers<CR>")
+vim.keymap.set("n", "<leader>f", "<cmd>Telescope find_files<CR>")
+vim.keymap.set("n", "<leader>g", "<cmd>Telescope git_files<CR>")
+
+-- Tree (file manager)
+require("nvim-tree").setup()
+vim.keymap.set("n", "<leader>t", "<cmd>NvimTreeToggle<CR>", { noremap = true, silent = true })
+
+-- lspconfig (LSPs)
+vim.lsp.enable("lua_ls")
+vim.lsp.enable("nil_ls")
+vim.lsp.enable("pyright")
+vim.lsp.enable("rust_analyzer")
+
+vim.keymap.set("n", "<leader>o", vim.lsp.buf.format)
+
+vim.api.nvim_create_autocmd('LspAttach', {
+  desc = 'LSP actions',
+  callback = function()
+    local bufmap = function(mode, lhs, rhs)
+      local opts = { buffer = true }
+      vim.keymap.set(mode, lhs, rhs, opts)
+    end
+
+    -- Displays hover information about the symbol under the cursor
+    bufmap('n', 'K', vim.lsp.buf.hover)
+
+    -- Jump to the definition
+    bufmap('n', 'gd', vim.lsp.buf.definition)
+
+    -- Jump to declaration
+    bufmap('n', 'gD', vim.lsp.buf.declaration)
+
+    -- Lists all the implementations for the symbol under the cursor
+    bufmap('n', 'gi', vim.lsp.buf.implementation)
+
+    -- Jumps to the definition of the type symbol
+    bufmap('n', 'go', vim.lsp.buf.type_definition)
+
+    -- Lists all the references
+    bufmap('n', 'gr', vim.lsp.buf.references)
+
+    -- Displays a function's signature information
+    bufmap('n', '<C-k>', vim.lsp.buf.signature_help)
+
+    -- Renames all references to the symbol under the cursor
+    bufmap('n', '<leader>R', vim.lsp.buf.rename)
+
+    -- Show diagnostics in a floating window
+    bufmap('n', 'gl', vim.diagnostic.open_float)
+
+    -- Move to the previous diagnostic
+    bufmap('n', '[d', vim.diagnostic.goto_prev)
+
+    -- Move to the next diagnostic
+    bufmap('n', ']d', vim.diagnostic.goto_next)
+  end
+})

modules/home-manager/vim/vim.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.feature.vim;
+in
+{
+  options.feature.vim = {
+    enable = lib.mkEnableOption "Set up neovim";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = with pkgs; [
+      fzf
+      lua-language-server
+      nil
+      pyright
+      ripgrep
+      rust-analyzer
+    ];
+
+    programs.neovim = {
+      defaultEditor = true;
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+      vimdiffAlias = true;
+      plugins = with pkgs.vimPlugins; [
+        bufferline-nvim
+        catppuccin-nvim
+        lualine-nvim
+        nvim-tree-lua
+        nvim-lspconfig
+        telescope-nvim
+        nvim-web-devicons
+      ];
+      extraLuaConfig = builtins.readFile ./init.lua;
+    };
+  };
+}

nixos/common.nix

@@ -1,8 +1,30 @@
-{ ... }:
+{
+  pkgs,
+  config,
+  sops-nix,
+  ...
+}:
 
 {
+  imports = [
+    sops-nix.nixosModules.sops
+  ];
+
   nix.settings.experimental-features = "nix-command flakes";
 
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    validateSopsFiles = false;
+
+    age = {
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      keyFile = "/var/lib/sops-nix/key.txt";
+      generateKey = true;
+    };
+
+    secrets.irl-password.neededForUsers = true;
+  };
+
   time.timeZone = "Europe/London";
 
   i18n.defaultLocale = "en_GB.UTF-8";
@@ -18,4 +40,28 @@
     LC_TELEPHONE = "en_GB.UTF-8";
     LC_TIME = "en_GB.UTF-8";
   };
+
+  users.mutableUsers = false;
+
+  users.users.irl = {
+    isNormalUser = true;
+    description = "irl";
+    hashedPasswordFile = config.sops.secrets.irl-password.path;
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
+    openssh.authorizedKeys.keys = [
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJpoCJEax0XTNK6qfYfZV60euSwoc0RQ0bwFDQGMWYQnAAAABHNzaDo="
+    ];
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+    curl
+    home-manager
+    neovim
+    wget
+  ];
 }

nixos/hosts/homeserver/default.nix

@@ -0,0 +1,87 @@
+{
+  config,
+  lib,
+  pkgs,
+  apple-silicon,
+  ...
+}:
+
+{
+  nixpkgs.overlays = [ apple-silicon.overlays.apple-silicon-overlay ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = false;
+
+  hardware.asahi.useExperimentalGPUDriver = true;
+  hardware.asahi.extractPeripheralFirmware = true;
+
+  networking.hostName = "homeserver";
+  networking.networkmanager.enable = true;
+
+  fileSystems."/mnt/data" = {
+    device = "172.16.0.1:/volume1/data";
+    fsType = "nfs";
+    options = [
+      "noauto"
+      "x-systemd.automount"
+      "x-systemd.idle-timeout=600"
+    ];
+  };
+
+  users.groups.media = { };
+  users.users.media = {
+    group = "media";
+    isNormalUser = true;
+  };
+
+  services.xserver.xkb.layout = "us";
+
+  services.audiobookshelf = {
+    enable = true;
+    group = "media";
+    host = "0.0.0.0";
+    openFirewall = true;
+    port = 8000;
+    user = "media";
+  };
+
+  services.avahi = {
+    enable = true;
+    publish = {
+      enable = true;
+      addresses = true;
+      workstation = true;
+    };
+    allowInterfaces = [
+      "end0"
+      "enp2s0u2"
+    ];
+  };
+
+  services.calibre-server = {
+    enable = true;
+    extraFlags = [ "--enable-local-write" ];
+    group = "media";
+    libraries = [ "/srv/books" ];
+    openFirewall = true;
+    port = 8585;
+    user = "media";
+  };
+
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PermitRootLogin = "no";
+  };
+
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "server";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.allowedUDPPorts = [ ];
+
+  system.stateVersion = "25.11";
+}

nixos/hosts/homeserver/hardware-configuration.nix

@@ -0,0 +1,53 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "usb_storage"
+    "usbhid"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/d82c7bbb-e496-414c-a96b-4b4ca457bdfd";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3B58-1BF7";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [ ];
+
+  networking.interfaces = {
+    end0.useDHCP = lib.mkDefault true;
+    enp2s0u2.ipv4.addresses = [
+      {
+        address = "172.16.0.2";
+        prefixLength = 24;
+      }
+    ];
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

nixos/hosts/laptop/default.nix

@@ -32,28 +32,10 @@
     pulse.enable = true;
   };
 
-  users.users.irl = {
-    isNormalUser = true;
-    description = "irl";
-    extraGroups = [
-      "networkmanager"
-      "wheel"
-    ];
-  };
-
-  nixpkgs.config.allowUnfree = true;
-
-  environment.systemPackages = with pkgs; [
-    curl
-    home-manager
-    neovim
-    wget
-  ];
-
   hardware.gpgSmartcards.enable = true;
   programs.gnupg.agent = {
     enable = true;
-    enableSSHSupport = true;
+    # enableSSHSupport = true;
   };
 
   system.stateVersion = "25.05";

secrets.yaml

@@ -0,0 +1,25 @@
+irl-password: ENC[AES256_GCM,data:8DcPiZ9Ui40MaOaPJ5XmZI3M7XDqLtBqJKLEUnolMYuNoa6dDBF/IicokQO6zvNVw0G2DPVQwbKzgEaWtvnj+5rXm+QbyEVIKw==,iv:+qsf6VzsMzAj6A5B6TCQ/ZaYDt0EiZYwQ7gZg0sw2TM=,tag:3Xi5bSJ7rYEUUVIDuynHag==,type:str]
+sops:
+    age:
+        - recipient: age1uhp600xemepn27l0vxnt7hmuvk53wmw5peh9d3wy4ma2apsympmqxm8jxq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZmJkMlpoN2RRUEVVUCtS
+            cVl4T0grTit5TGtGUEM2MTlBRnQ2OWlWaEVrClErVm5uRzQySzNDM3J6dDFQY2U0
+            cjlVS1NpTzdBQzgvSHJndmlxMWRmbUkKLS0tIHBtTkhSU1BTZHhMaXdZT0xiWWZD
+            ZXlLNjAzSVkxZWtDRjlUMHV5bnJXK3MKNGKAW7iq/Qfo1dAt3Zxjzu+PsjdtaYPG
+            a5Zvnazkm2dmuajldII/+xk4r/JewBZmeWdd37n2lUpbSisgcw0X5A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1y9v37jc3kxuygw042qrsvseac5krhh3skp88ewlqlja00uslpyss62e4nd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQTcxWkphbngrK3RMaEZF
+            UHU4ZURiVmNZdDhoR1l5YWVDZ1YvdlZWbndJCnRZd0tmR2lXcnA0V0dRaDZzZkg5
+            YitPd01mbFc1VHVyTDl3Sk9UTGptclEKLS0tIEtWb0VNZWFLUmNZRDh3S0N4WmN0
+            SlVKUDZWVEp2YmR4V3ArRW1GR1lXeTAKRJoawuTKrgrz6qeOSTmYLXO6n66QNPLA
+            C5UI4yB0WLeRxdqxU84a3rS2ZjgTh22RR0WwRe6siOaKOdS1G96DXw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-13T17:56:08Z"
+    mac: ENC[AES256_GCM,data:YjTPJ69gNE3MOxUq8X1H4ucqiJxIwRFBBLz0pu6nJgx64XDKe96qeiy7NLAnyJuzOgXpZxb6bm+ecf4E288Bq5NyqpWyrICXC37mSMMXTIoi+HZMHk/GYOAezfCHCBzJBKlJjTZhmslF1zu/4jGtUf/VTOCm+WTPDTUjVkzvwJ8=,iv:vsiDWLir7b/DmOgJFs9iuNxJxJAipdriP/XSPbm4MKU=,tag:aBXeQdetTepLNj/kl45McQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2