genericLinux enable

README.md

@@ -15,7 +15,15 @@ nix flake show --all-systems
 ## Layout
 
 - Everything under `./modules` gets auto-imported by `import-tree`
-- 
+
+| Directory     | Description |
+| ------------- | ----------- |
+| `hosts`       | Provides either `homeConfigurations` or `nixosConfigurations` |
+| `nix-tools`   | Nix-specific tools, like factory functions for use in the flakes |
+| `nixos`       | `flake.modules.nixos` |
+| `programs`    | flakes that provide `flake.modules` attributes for specific programs |
+| `services`    | flakes that provide configuration for running services |
+| `users`       | flakes that provide configuration for individual users with the `flake.factory.user` factory |
 
 ## Mechanics
 

modules/default.nix

@@ -1,9 +1,7 @@
 { inputs, ... }:
 {
-
   imports = [
     # https://github.com/vic/flake-file/tree/main/modules/dendritic
     inputs.flake-file.flakeModules.dendritic
   ];
-
 }

modules/home-manager/profiles/base.nix

@@ -1,12 +0,0 @@
-{ inputs, pkgs, ... }:
-{
-  flake.homeModules.base = { pkgs, ... }:
-  {
-    imports = with inputs.self.homeModules; [
-      rebuild
-      ssh
-      git
-      shell-tools
-    ];
-  };
-}

modules/home-manager/programs/zsh.nix

@@ -1,39 +0,0 @@
-{
-  flake.homeModules.zsh = { pkgs, config, ... }:
-  {
-    programs.zsh = {
-      enable = true;
-      package = pkgs.zsh;
-      enableCompletion = true;
-      autosuggestion.enable = true;
-      # syntaxHighlighting.enable = true;
-      initContent = "HOST=$(hostname -s)";
-      dotDir = "${config.xdg.configHome}/zsh";
-      history = {
-        append = true;
-        ignoreAllDups = true;
-        ignorePatterns = [
-          "history"
-          "ls"
-          "eza"
-          "clear"
-        ];
-        save = 1000;
-        size = 1000;
-        share = true;
-      };
-      oh-my-zsh = {
-        enable = true;
-        # theme = "risto";
-        theme = "agnoster";
-        plugins = [
-          "sudo"
-          "dotenv"
-          "git"
-          "ssh"
-          "ssh-agent"
-        ];
-      };
-    };
-  };
-}

modules/hosts/janus.nix

@@ -0,0 +1,27 @@
+{ inputs, ... }:
+let
+  hostname = "janus";
+  username ="john";
+in
+{
+  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
+    modules = [
+      inputs.self.modules.nixos.lxc
+      inputs.self.modules.nixos.zsh
+      inputs.home-manager.nixosModules.home-manager
+      inputs.self.modules.nixos."${username}"
+      # inputs.self.modules.nixos.step-ca
+      inputs.self.modules.nixos.docker
+      {
+        home-manager.users."${username}" = {
+          shell.program = "zsh";
+          docker.enable = true;
+          ssh.matchSets = {
+            certs = true;
+            homelab = true;
+          };
+        };
+      }
+    ];
+  };
+}

modules/hosts/john-pc-ubuntu.nix

@@ -1,65 +1,75 @@
 { inputs, ... }:
+let
+	hostname = "john-pc-ubuntu";
+in
 {
-	flake.homeModules."john-pc-ubuntu" = { pkgs, ... }: {
+	flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
-		imports = with inputs.self.homeModules; [
+	let
+		flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
+	in
+	{
+		imports = with inputs.self.modules.homeManager; [
+			rebuild
 			john
-			desktop
 			resticprofile
 			sops
+			docker
+			desktop
 		];
+		targets.genericLinux.enable = true;
+
+		shell.program = "zsh";
 
 		home.packages = with pkgs; [
 			nixos-rebuild
+			(writeShellScriptBin "test-push" ''
+				nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@fded:fb16:653e:25da:be24:11ff:fea0:753f
+			'')
 		];
 		# TODO: Add host-specific settings here:
 		# - sops secret for `restic_password/john_ubuntu`
 		# - resticprofile profile definition
 		# - zsh RESTIC* session variables
-	};
 
-	flake.homeConfigurations."john-pc-ubuntu" = inputs.home-manager.lib.homeManagerConfiguration {
+		# TODO: make this more restrictive, rather than allowing all unfree packages
-		pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
+		nixpkgs.config.allowUnfree = true;
-		modules = [
+		nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
-			inputs.self.homeModules."john-pc-ubuntu"
 
-      # Include another inline module to set the options created through the jsl-home modules
+		homeManagerFlakeDir = flakeDir;
-      ({ config, ... }: {
+		docker.enable = true;
-
+		ssh.matchSets = {
-				# TODO: make this more restrictive, rather than allowing all unfree packages
+			certs = true;
-        nixpkgs.config.allowUnfree = true;
+			appdaemon = true;
-				nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
+			homelab = true;
-
+			dev = true;
-        homeManagerFlakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
+		};
-        docker.enable = true;
+		sops.secrets."restic_password/john_ubuntu" = {
-        ssh.matchSets = {
+			path = "${config.xdg.configHome}/resticprofile/password.txt";
-          certs = true;
+		};
-          appdaemon = true;
+		programs.resticprofile = {
-          homelab = true;
+			enable= true;
-					dev = true;
+			profiles = {
-        };
+				default = {
-				shell.program = "zsh";
+					"inherit" = "base";
-				sops.secrets."restic_password/john_ubuntu" = {
+					repository = "rest:https://soteria.john-stream.com/john-ubuntu";
-					path = "${config.xdg.configHome}/resticprofile/password.txt";
+					# cacert = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
-				};
+					# tls-client-cert = "${config.home.homeDirectory}/.step/certs/mtls.pem";
-				programs.resticprofile = {
+					backup = {
-					enable= true;
+						source = [
-					profiles = {
+							"${config.xdg.userDirs.documents}"
-						default = {
+							"/conf"
-							"inherit" = "base";
+						];
-							repository = "rest:https://soteria.john-stream.com/john-ubuntu";
+						schedule = "*-*-* *:15,30,45:00";
-							cacert = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
-							tls-client-cert = "${config.home.homeDirectory}/.step/certs/mtls.pem";
-							backup = {
-								source = [
-									"${config.xdg.userDirs.documents}"
-									"/conf"
-								];
-								schedule = "*-*-* *:15,30,45:00";
-							};
-						};
 					};
 				};
-      })
+			};
+		};
+	};
+
+	flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
+		pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
+		modules = with inputs.self.modules; [
+			homeManager."${hostname}"
 		];
 	};
 }

modules/nix-tools/rebuild.nix

@@ -1,6 +1,6 @@
 { inputs, ... }:
 {
-  flake.homeModules.rebuild =
+  flake.modules.homeManager.rebuild =
     { pkgs, lib, config, ... }:
     {
       options = {
@@ -31,7 +31,8 @@
             ${nixBin} flake check
           '')
           (writeShellScriptBin "nhms" ''
-            ${lib.getExe home-manager} switch --impure --flake ${flakeDir}
+            HOSTNAME=$(hostname -s)
+            ${lib.getExe home-manager} switch --impure --flake ${flakeDir}#$HOSTNAME
           '')
           (writeShellScriptBin "nhmu" ''
             ${nixBin} flake update --flake ${flakeDir}

modules/nix-tools/user.nix

@@ -0,0 +1,36 @@
+# Lifted from:
+# https://github.com/Doc-Steve/dendritic-design-with-flake-parts/blob/69edacdb5a4a6ca71d649bb8eb62cf8c630c8627/modules/users/bob%20%5BNDn%5D/bob.nix#L8
+{ self, ... }:
+{
+  config.flake.factory.user = username: isAdmin: {
+    nixos."${username}" = { lib, pkgs, ... }: {
+      users.users."${username}" = {
+        isNormalUser = true;
+        home = "/home/${username}";
+        extraGroups = [
+          "input"
+          "networkmanager"
+        ] ++ lib.optionals isAdmin [
+          "docker"
+          "wheel"
+        ];
+      };
+      # https://github.com/Doc-Steve/dendritic-design-with-flake-parts/wiki/Dendritic_Aspects#multi-context-aspect
+      home-manager.users."${username}" = {
+        imports = [
+          self.modules.homeManager."${username}"
+          # self.modules.homeManager.shell-tools
+        ];
+      };
+    };
+
+    homeManager."${username}" = {
+      home.username = "${username}";
+      home.homeDirectory = "/home/${username}";
+      # TODO: This doesn't get merged properly when the factory gets used
+      # imports = with self.modules.homeManager; [
+      #   shell-tools
+      # ];
+    };
+  };
+}

modules/nixos/lxc.nix

@@ -1,19 +1,29 @@
 { inputs, ... }:
 {
   flake.modules.nixos.lxc = { pkgs, lib, ...}: {
-    imports = [
+    imports = with inputs.self.modules.nixos; [
       ({ modulesPath, ... }: { imports = [ "${modulesPath}/virtualisation/proxmox-lxc.nix" ]; })
+      ssh
     ];
     nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
     system.stateVersion = "25.11";
     nix.settings.experimental-features = [ "nix-command" "flakes" ];
     environment.systemPackages = with pkgs; [ git zsh ];
+
+    security.sudo-rs.enable = true;
+    programs.nix-ld.enable = true;
+    nix.optimise.automatic = true;
+    nix.gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
   };
 
   # Generic bootstrapping lxc, use a specific host file for more
   flake.nixosConfigurations.lxc = inputs.nixpkgs.lib.nixosSystem {
-    modules = [
+    modules = with inputs.self.modules.nixos; [
-      inputs.self.modules.nixos.lxc
+      lxc
     ];
   };
 }

modules/programs/bash.nix

@@ -1,5 +1,5 @@
 {
-  flake.homeModules.bash = { pkgs, ... }:
+  flake.modules.homeManager.bash = { pkgs, ... }:
   {
     programs.bash = {
       enable = true;

modules/programs/desktop.nix

@@ -1,9 +1,9 @@
 # This module is for programs with GUIs that run in a desktop environment
 { inputs, ... }:
 {
-  flake.homeModules.desktop = 
+  flake.modules.homeManager.desktop = 
     {
-      imports = with inputs.self.homeModules; [
+      imports = with inputs.self.modules.homeManager; [
         onepassword
         ghostty
         sublime

modules/programs/eza.nix

@@ -1,6 +1,6 @@
 { inputs, pkgs, lib, ... }:
 {
-  flake.homeModules.eza = { pkgs, lib, ... }: {
+  flake.modules.homeManager.eza = { pkgs, lib, ... }: {
     programs.eza = {
       enable = true;
       package = pkgs.eza;

modules/programs/files.nix

@@ -1,5 +1,5 @@
 {
-  flake.homeModules.files = { pkgs, ... }:
+  flake.modules.homeManager.files = { pkgs, ... }:
   {
     programs.lf.enable = true;
     programs.lf.cmdKeybindings = {

modules/programs/ghostty.nix

@@ -7,7 +7,7 @@
     };
   };
 
-  flake.homeModules.ghostty = { config, pkgs, lib, ... }:
+  flake.modules.homeManager.ghostty = { config, pkgs, lib, ... }:
   {
     home.sessionVariables = {
       TERMINAL = "ghostty";

modules/programs/git.nix

@@ -1,5 +1,5 @@
 {
-  flake.homeModules.git = { config, lib, ... }:
+  flake.modules.homeManager.git = { config, lib, ... }:
   {
     programs.git = {
         enable = true;

modules/programs/onepassword.nix

@@ -1,5 +1,5 @@
 {
-  flake.homeModules.onepassword = {
+  flake.modules.homeManager.onepassword = {
     # TODO: Port `_1password = true` behavior into an explicit Home Manager module.
   };
 }

modules/programs/shell-tools.nix

@@ -1,14 +1,14 @@
 # This module provides all the shell options
 { inputs, lib, ... }:
 {
-  flake.homeModules.shell-tools = { config, pkgs, ... }: {
+  flake.modules.homeManager.shell-tools = { config, pkgs, ... }: {
     options.shell.program = lib.mkOption {
       type = lib.types.enum [ "bash" "zsh" ];
       default = "zsh";
       description = "Which interactive shell configuration to enable.";
     };
 
-    imports = with inputs.self.homeModules; [
+    imports = with inputs.self.modules.homeManager; [
       bash
       zsh
 

modules/programs/sops.nix

@@ -11,12 +11,12 @@ in
   };
   
   # Define the homeModules that are used by flake-parts
-  # https://flake.parts/options/home-manager.html#opt-flake.homeModules
+  # https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
-  flake.homeModules.sops = { inputs, config, pkgs, lib, ... }:
+  flake.modules.homeManager.sops = { inputs, config, pkgs, lib, ... }:
   let
     sopsBin = lib.getExe pkgs.sops;
-    sopsConfigPath = ../../../.sops.yaml;
+    sopsConfigPath = ../../.sops.yaml;
-    sopsSecretsPath = ../../../keys/secrets.yaml;
+    sopsSecretsPath = ../../keys/secrets.yaml;
     ageKeyFile = "${config.xdg.configHome}/sops/age/keys.txt";
   in
   {

modules/programs/sublime.nix

@@ -1,6 +1,6 @@
 { inputs, pkgs, ... }:
 {
-  flake.homeModules.sublime = { pkgs, lib, ... }: {
+  flake.modules.homeManager.sublime = { pkgs, lib, ... }: {
     home.packages = with pkgs; [
       sublime4
     ];

modules/programs/vscode.nix

@@ -1,5 +1,5 @@
 {
-  flake.homeModules.vscode = { pkgs, ... }:
+  flake.modules.homeManager.vscode = { pkgs, ... }:
   {
     programs.vscode = {
       enable = true;

modules/programs/zsh.nix

@@ -0,0 +1,53 @@
+{ inputs, ... }:
+let
+  username = "john";
+in
+{
+  flake.modules = {
+    nixos.zsh = { pkgs, ... }: {
+      users.users."${username}".shell = pkgs.zsh;
+      programs.zsh.enable = true;
+      home-manager.sharedModules = [
+        inputs.self.modules.homeManager.zsh
+      ];
+    };
+
+    homeManager.zsh = { pkgs, config, ... }: {
+      programs.zsh = {
+        enable = true;
+        package = pkgs.zsh;
+        enableCompletion = true;
+        autosuggestion.enable = true;
+        # syntaxHighlighting.enable = true;
+        initContent = "HOST=$(hostname -s)";
+        dotDir = "${config.xdg.configHome}/zsh";
+        history = {
+          append = true;
+          ignoreAllDups = true;
+          ignorePatterns = [
+            "history"
+            "ls"
+            "eza"
+            "clear"
+          ];
+          save = 1000;
+          size = 1000;
+          share = true;
+        };
+        oh-my-zsh = {
+          enable = true;
+          # theme = "risto";
+          theme = "agnoster";
+          plugins = [
+            "sudo"
+            "dotenv"
+            "git"
+            "ssh"
+            "ssh-agent"
+          ];
+        };
+      };
+    };
+  };
+  
+}

modules/services/docker.nix

@@ -1,5 +1,15 @@
+{ inputs, ... }:
 {
-  flake.homeModules.docker = { config, lib, pkgs, ... }:
+  flake.modules.nixos.docker = {
+    virtualisation.docker = {
+      enable = true;
+    };
+    home-manager.sharedModules = with inputs.self.modules.homeManager; [
+      docker
+    ];
+  };
+
+  flake.modules.homeManager.docker = { config, lib, pkgs, ... }:
   {
     options.docker = {
       enable = lib.mkEnableOption "Docker tools and utilities";
@@ -13,9 +23,6 @@
         docker
         docker-compose
         lazydocker
-        (pkgs.writeShellScriptBin "test-docker" ''
-          echo "Hello from docker.nix!"
-        '')
       ];
       home.shellAliases = {
         lzd = "lazydocker";

modules/services/restic/base-profile.yaml

@@ -0,0 +1,42 @@
+base:
+  repository: local:/mnt/backup
+  password-file: '{{ .ConfigDir }}/password.txt'
+  status-file: '{{ .ConfigDir }}/backup-status.json'
+  retention:
+    after-backup: true
+    keep-last: '10'
+    keep-hourly: '8'
+    keep-daily: '14'
+    keep-weekly: '8'
+  backup:
+    verbose: true
+    exclude:
+      - .cache
+      - .devenv
+      - .rustup
+      - .cargo
+      - .venv
+      - .pyenv
+      - .vscode*
+      - data/postgres
+      - build
+      - __pycache__
+      - '*.log'
+      - '*.egg-info'
+      - '*.csv'
+      - '*.m4a'
+      - .local/share/Steam
+      - .local/share/Trash
+      - build
+      - dist
+      - /home/*/Pictures
+      - /home/*/Videos
+      - /home/*/go
+      - /home/*/snap
+      - /home/john/john-nas
+    schedule-permission: user
+    schedule-priority: background
+    check-after: true
+  prune:
+    schedule-permission: user
+    schedule-lock-wait: 1h

modules/services/restic/resticprofile.nix

@@ -29,11 +29,25 @@
       };
     };
 
-  flake.homeModules.resticprofile = { config, lib, pkgs, ... }:
+  flake.lib.fromYAML = pkgs: path:
+    builtins.fromJSON (
+      builtins.readFile (
+        pkgs.runCommand "${builtins.baseNameOf path}.json"
+          {
+            nativeBuildInputs = [ pkgs.remarshal ];
+          }
+          ''
+            remarshal -if yaml -of json ${path} > "$out"
+          ''
+      )
+    );
+
+  flake.modules.homeManager.resticprofile = { config, lib, pkgs, ... }:
     let
       cfg = config.programs.resticprofile;
       yamlFormat = pkgs.formats.yaml { };
-      baseProfile = import ../../../resticprofile/base.nix { inherit lib config; };
+      # baseProfile = import ../../../resticprofile/base.nix;
+      baseProfile = inputs.self.lib.fromYAML pkgs ./base-profile.yaml;
       profiles = lib.recursiveUpdate baseProfile cfg.profiles;
     in {
       options.programs.resticprofile = {

modules/services/ssh.nix

@@ -3,7 +3,20 @@ let
   userName = "john";
 in
 {
-  flake.homeModules.ssh = { pkgs, config, lib, ... }:
+  flake.modules.nixos.ssh = {
+    services.openssh = {
+      enable = true;
+      # require public key authentication for better security
+      settings.PasswordAuthentication = false;
+      settings.KbdInteractiveAuthentication = false;
+    };
+
+    home-manager.sharedModules = with inputs.self.modules.homeManager; [
+      ssh
+    ];
+  };
+
+  flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
   {
     options.ssh = {
       IdentityFile = lib.mkOption {

modules/services/step-ca/ca.json

@@ -0,0 +1,129 @@
+{
+  "root": "/etc/step-ca/certs/root_ca.crt",
+  "federatedRoots": null,
+  "crt": "/etc/step-ca/certs/intermediate_ca.crt",
+  "key": "/etc/step-ca/secrets/intermediate_ca_key",
+  "address": ":443",
+  "insecureAddress": "",
+  "dnsNames": [
+    "janus.john-stream.com",
+    "192.168.1.113"
+  ],
+  "ssh": {
+    "hostKey": "/etc/step-ca/secrets/ssh_host_ca_key",
+    "userKey": "/etc/step-ca/secrets/ssh_user_ca_key"
+  },
+  "logger": {
+    "format": "text"
+  },
+  "db": {
+    "type": "badgerv2",
+    "dataSource": "/var/lib/step-ca/db",
+    "badgerFileLoadingMode": ""
+  },
+  "authority": {
+    "provisioners": [
+      {
+        "type": "ACME",
+        "name": "acme"
+      },
+      {
+        "type": "SSHPOP",
+        "name": "sshpop",
+        "claims": {
+          "enableSSHCA": true
+        }
+      },
+      {
+        "type": "JWK",
+        "name": "admin",
+        "key": {
+          "use": "sig",
+          "kty": "EC",
+          "kid": "xoxgOJFbveSLIL2gm1Yu5ZiRb9v8Jxe44F56i3v-Nf8",
+          "crv": "P-256",
+          "alg": "ES256",
+          "x": "zFO8hPx_eH0Iyz7UJI-w8ODMusEKCZ28M76sGWmWYxA",
+          "y": "XIWLLyKDzqxV9UH-2KeAkKPDrgLoPrxxW9-PzkXggME"
+        },
+        "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUVJnTnJVTF9KcmxJYkJMVTlGNVRPZyJ9.DMu7xBNCq5pr-_--YTxNr5Hrcqy6ZmSVHsWurfVXL7Hk0Q3vyYRxiw.h-CnFiYc-DhxThI3.plx3_Qa_0kU-2TwnqFNfAfGnCpfQ2e0iiCMLruNHbLMnHeXQ1BysHBqps45_02zZXIRdHoDgYGtXRSfcdUYYoS0pLoPzC6m301ZFNSAFdRVlSZ3Q6VmWdixPXXnEB4EgSKTT_wxR33L8t9OpFzD85KfY-b_Un1l99ufjCnfg-EYkcICTn_G4-8bcW3eFIvJ6setzu-l0jHMhLQdIweqncn9on9xBXBD-ANhZfP95P2BJt-APqCi8eqiAvn_vClovdg0PxzRwOVDvWREz66FDw-HTU7xDtGO9hACopT5tfZOXDoykgZw1mJsq9NEq9ZzvKG2hvyk1UXtExxrNtFo.5q1OfGU4Amo4Si-vpeI42g",
+        "claims": {
+          "enableSSHCA": true,
+          "disableRenewal": false,
+          "allowRenewalAfterExpiry": false,
+          "disableSmallstepExtensions": false
+        },
+        "options": {
+          "x509": {},
+          "ssh": {}
+        }
+      }
+    ],
+    "template": {},
+    "backdate": "1m0s"
+  },
+  "tls": {
+    "cipherSuites": [
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+    ],
+    "minVersion": 1.2,
+    "maxVersion": 1.3,
+    "renegotiation": false
+  },
+  "templates": {
+    "ssh": {
+      "user": [
+        {
+          "name": "config.tpl",
+          "type": "snippet",
+          "template": "templates/ssh/config.tpl",
+          "path": "~/.ssh/config",
+          "comment": "#"
+        },
+        {
+          "name": "step_includes.tpl",
+          "type": "prepend-line",
+          "template": "templates/ssh/step_includes.tpl",
+          "path": "${STEPPATH}/ssh/includes",
+          "comment": "#"
+        },
+        {
+          "name": "step_config.tpl",
+          "type": "file",
+          "template": "templates/ssh/step_config.tpl",
+          "path": "ssh/config",
+          "comment": "#"
+        },
+        {
+          "name": "known_hosts.tpl",
+          "type": "file",
+          "template": "templates/ssh/known_hosts.tpl",
+          "path": "ssh/known_hosts",
+          "comment": "#"
+        }
+      ],
+      "host": [
+        {
+          "name": "sshd_config.tpl",
+          "type": "snippet",
+          "template": "templates/ssh/sshd_config.tpl",
+          "path": "/etc/ssh/sshd_config",
+          "comment": "#",
+          "requires": [
+            "Certificate",
+            "Key"
+          ]
+        },
+        {
+          "name": "ca.tpl",
+          "type": "snippet",
+          "template": "templates/ssh/ca.tpl",
+          "path": "/etc/ssh/ca.pub",
+          "comment": "#"
+        }
+      ]
+    }
+  },
+  "commonName": "Step Online CA"
+}

modules/services/step-ca/step-ca.nix

@@ -0,0 +1,22 @@
+{ inputs, ... }:
+let
+  ipAddress = "0.0.0.0";
+in
+{
+  flake.modules.nixos.step-ca = { pkgs, ... }: {
+    # https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/security/step-ca.nix
+    services.step-ca = {
+      enable = true;
+      openFirewall = true;
+      address = ipAddress;
+      port = 8443;
+
+      # https://smallstep.com/docs/step-ca/configuration/#configuration-options
+      settings = {
+        root = "";
+        crt = "";
+      };
+    };
+    environment.systemPackages = with pkgs; [ step-ca step-cli ];
+  };
+}

modules/users/john.nix

@@ -1,54 +1,51 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:
 let
   username = "john";
 in
 {
-  flake.modules.nixos."${username}" = { pkgs, ... }: {
+  flake = {
-    home-manager.users."${username}" = {
+    meta.users."${username}" = {
-      imports = [
+      email = "32917998+jsl12@users.noreply.github.com";
-        inputs.self.homeModules."${username}"
+      name = "John Lancaster";
+      username = "${username}";
+      key = "";
+      keygrip = [
       ];
-    };
+      authorizedKeys = [
-    users.users."${username}" = {
-      isNormalUser = true;
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
       ];
     };
-    programs.zsh.enable = true;
-  };
 
-  flake.homeModules."${username}" = {
+    modules = lib.recursiveUpdate
-    home.username = "${username}";
+      (inputs.self.factory.user username true)
-    home.homeDirectory = "/home/${username}";
-    home.stateVersion = "25.11";
-    xdg.enable = true;
-
-    programs.git.settings.user.name = "John Lancaster";
-    programs.git.settings.user.email = "32917998+jsl12@users.noreply.github.com";
-
-    imports = with inputs.self.homeModules; [
-      base
-      docker
-			# resticprofile
-		];
-  };
-
-  # This is the base homeConfiguration for the john user that will be used if no other
-  flake.homeConfigurations."${username}" = inputs.home-manager.lib.homeManagerConfiguration {
-		pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
-		modules = [
-			inputs.self.homeModules."${username}"
-
-      # Include another inline module to set the options created through the jsl-home modules
       {
-        docker.enable = false;
+        #
-        ssh.matchSets = {
+        # NixOS
-          certs = true;
+        #
-          homelab = true;
+        nixos."${username}" = { pkgs, ... }: {
+          users.users."${username}" = {
+            openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
+            extraGroups = [ "docker" ];
+          };
         };
-      }
+
-		];
+        #
-	};
+        # Home Manager
+        #
+        homeManager."${username}" = with inputs.self.meta.users."${username}"; {
+          home.stateVersion = "25.11";
+          xdg.enable = true;
+
+          programs.git.settings.user.name = name;
+          programs.git.settings.user.email = email;
+
+          imports = with inputs.self.modules.homeManager; [
+            ssh
+            shell-tools
+            git
+          ];
+        };
+      };
+  };
 }

resticprofile/base.nix

@@ -1,4 +1,3 @@
-{ lib, config, ... }:
 {
   base = {
     repository = "local:/mnt/backup";