| author | Mel <mel@rnrd.eu> | 2025-09-24 16:15:46 +0200 |
|---|---|---|
| committer | Mel <mel@rnrd.eu> | 2025-09-24 16:15:46 +0200 |
| commit | 117d6afa0054123e71b2eb06c9d91482a2988fdc (patch) | |
| tree | a19a6991fa070464ceed3f4f67a45eaa64045943 /roles | |
| parent | 80a80465b86c8619254c5214dfd3803ae6089df6 (diff) | |
| download | minerals-117d6afa0054123e71b2eb06c9d91482a2988fdc.tar.zst minerals-117d6afa0054123e71b2eb06c9d91482a2988fdc.zip | |
Move out common.nix and development-server.nix into roles
Signed-off-by: Mel <mel@rnrd.eu>
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/desktop.nix | 173 | ||||
| -rw-r--r-- | roles/development-server.nix | 124 |
2 files changed, 297 insertions, 0 deletions
diff --git a/roles/desktop.nix b/roles/desktop.nix
new file mode 100644
index 0000000..838df28
--- /dev/null
+++ b/roles/desktop.nix
@@ -0,0 +1,173 @@
+{
+ me,
+ pkgs,
+ auxiliaryPkgs,
+ unstablePkgs,
+ ...
+}:
+
+let
+ inherit (builtins) filter elem;
+
+ filterUnsupportedPackages =
+ packages: filter (p: elem me.system (p.meta.platforms or [ me.system ])) packages;
+in
+{
+ imports = [
+ ./nix.nix
+ ./user.nix
+ ./locale.nix
+ ./vim.nix
+ ./tmux.nix
+ ./gnome.nix
+ ./fonts.nix
+ ./flatpak.nix
+ ./libreoffice.nix
+ ./electronics.nix
+ ./hardware-keys.nix
+ ./nix-ld.nix
+ ];
+
+ services.envfs.enable = true;
+
+ virtualisation = {
+ libvirtd.enable = true;
+ docker.enable = true;
+ };
+
+ # fish enables this by default,
+ # it makes every nixos rebuild very slow.
+ documentation.man.generateCaches = false;
+ documentation = {
+ info.enable = true;
+ doc.enable = true;
+ dev.enable = true;
+ nixos = {
+ enable = true;
+ includeAllModules = true;
+ };
+ };
+
+ networking.hostName = me.name;
+ # use corsac dns server
+ networking.nameservers =
+ let
+ corsacTailnet = "100.64.100.100";
+ in
+ [ corsacTailnet ];
+
+ services.resolved.enable = true;
+
+ services = {
+ acpid.enable = true;
+ sysprof.enable = true;
+ tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ extraUpFlags = [ "--ssh" ];
+ };
+
+ # sometimes needed for gnupg
+ pcscd.enable = true;
+ };
+
+ programs = {
+ # steam requires the i386 package set, which obviously does not work on ARM.
+ # TODO: pull out gaming related configuration (like steam) into a seperate module.
+ # steam = {
+ # enable = true;
+ # remotePlay.openFirewall = true;
+ # };
+ virt-manager.enable = true;
+ fish.enable = true;
+ git.enable = true;
+
+ ghidra = {
+ enable = true;
+ package = auxiliaryPkgs.ghidra;
+ gdb = true;
+ };
+
+ wireshark = {
+ enable = true;
+ dumpcap.enable = true;
+ usbmon.enable = true;
+ };
+
+ adb.enable = true;
+
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryPackage = pkgs.pinentry-gnome3;
+ };
+ };
+
+ # on desktop machines (a.k.a. minerals) we only use tailscale ssh
+ # for access, so we don't generally have normal host keys, and
+ # have to grab the ones tailscale uses.
+ age.identityPaths = [ "/var/lib/tailscale/ssh/ssh_host_ed25519_key" ];
+
+ # TODO: the filter already does some good work, but we need some way to
+ # pick out x86-only packages, so it is not as opaque as it currently is.
+ # (who knows if muse-sounds-manager is actually installed, for example?)
+ environment.systemPackages = (with pkgs; filterUnsupportedPackages [
+ file unzip jq dig htop wget screen dive
+ gnupg pinentry-gnome3 age agenix minisign openssl cryptsetup pamtester
+ bitwarden-desktop bitwarden-cli
+ inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid
+ minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool
+ sysprof wireshark seer mitmproxy hardinfo2 btrfs-assistant remmina trayscale
+ vlc celluloid foliate calibre
+ yt-dlp ffmpeg_7-full imagemagick handbrake mpv helvum
+ gimp3 krita mypaint aseprite rnote fontforge-gtk
+ blender inkscape obs-studio darktable davinci-resolve
+ orca-slicer
+ renderdoc
+ audacity musescore muse-sounds-manager reaper
+ # bitwigs bubblewrap configuration requires some non-ARM package sets.
+ # bitwig-studio
+ ungoogled-chromium librewolf lagrange
+ senpai signal-desktop alpaca newsflash
+ qemu_full virtiofsd
+
+ openvpn openvpn3 update-resolv-conf
+ transmission_4-gtk fragments
+
+ xorg.xeyes wl-clipboard
+
+ ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean
+ universal-ctags compiledb graphviz
+ python3 uv ruff
+ nodejs_22 deno yarn
+ rustc rustup cargo rustfmt
+ go gopls delve go-task gotags golangci-lint
+ meson cmake gnumake ninja gdb gcc clang clang-tools
+ hare haredoc
+ jdk maven gradle
+ nil nixfmt-rfc-style
+ nixpkgs-review nixpkgs-fmt nixpkgs-lint-community
+ postgresql
+ helix alacritty ghostty
+ androidStudioPackages.dev
+
+ winetricks bottles
+ scrcpy apfs-fuse nfs-utils
+ ubootTools dtc cloud-utils
+ borgbackup pika-backup
+
+ prismlauncher xonotic
+
+ man-pages man-pages-posix
+ ]) ++ (with unstablePkgs; [
+ claude-code gemini-cli
+ ]) ++ (with auxiliaryPkgs; [
+ # TODO: need fixes for 25.05
+ # retroarch wine
+
+ # TODO: ngfx (obviously) does not work on ARM, put it somewhere else
+ # ngfx
+ ]);
+
+ environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
+}
diff --git a/roles/development-server.nix b/roles/development-server.nix
new file mode 100644
index 0000000..b0e80e5
--- /dev/null
+++ b/roles/development-server.nix
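Review bot: `age.identityPaths = [ "/var/lib/tailscale/ssh/ssh_host_ed25519_key" ]` makes every agenix secret on the desktop decryptable only by a key that tailscaled owns and may regenerate (a state reset or re-login that recreates `/var/lib/tailscale/ssh/` would, as far as I can tell, leave the secrets unrecoverable on this host), and the comment above it only explains why the key is borrowed, not that consequence. Consider listing a second identity that survives a Tailscale reset — agenix appears to skip identity paths that do not exist, so `age.identityPaths = [ "/var/lib/tailscale/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key" ];` costs nothing on hosts without sshd — and extend the comment with `# NOTE: if tailscale regenerates this key, re-key secrets.nix with the new public key`. Separately, `useRoutingFeatures = "both"` in the `services.tailscale` block is, if I read the NixOS module right, what turns on IP forwarding on this desktop and loosens reverse-path filtering; if the machine only consumes exit nodes or subnet routes, `useRoutingFeatures = "client";` is the least-privilege choice.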
@@ -0,0 +1,124 @@
+{
+ me,
+ pkgs,
+ auxiliaryPkgs,
+ unstablePkgs,
+ ...
+}:
+{
+ imports = [
+ ./nix.nix
+ ./user.nix
+ ./locale.nix
+ ./vim.nix
+ ./tmux.nix
+ ./nix-ld.nix
+ ];
+
+ services.envfs.enable = true;
+
+ virtualisation = {
+ libvirtd.enable = true;
+ docker = {
+ enable = true;
+ daemon.settings.dns = [ "1.1.1.1" "1.0.0.1" ];
+ };
+ };
+
+ # fish enables this by default,
+ # it makes every nixos rebuild very slow.
+ documentation.man.generateCaches = false;
+ documentation = {
+ info.enable = true;
+ doc.enable = true;
+ dev.enable = true;
+ nixos = {
+ enable = true;
+ includeAllModules = true;
+ };
+ };
+
+ networking.hostName = me.name;
+ services.resolved.enable = true;
+
+ users.users.mel.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINTG/DHTkuQgwLakSBuXx3XBe+WjUmDlSgLBGzldx/ZD mel@moissanite"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlqytVSNMFAfbB+rdiNktv3WYViVBMeK7zUO2Pjfii+ mel@corsac"
+ ];
+ services = {
+ acpid.enable = true;
+ tailscale.enable = true;
+
+ openssh = {
+ enable = true;
+ ports = [ 62322 ]; # listen on random port
+ openFirewall = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ # annoy every ssh spammer
+ endlessh = {
+ enable = true;
+ port = 22;
+ openFirewall = true;
+ };
+
+ # ban those who found the real port
+ fail2ban.enable = true;
+
+ # sometimes needed for gnupg
+ pcscd.enable = true;
+ };
+
+ programs = {
+ fish.enable = true;
+ git.enable = true;
+
+ gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryPackage = pkgs.pinentry-curses;
+ };
+ };
+
+ environment.systemPackages = (with pkgs; [
+ file unzip jq dig htop wget screen dive
+ gnupg pinentry-curses age agenix minisign openssl cryptsetup pamtester
+ inetutils pciutils usbutils lshw lsof inxi iw pmutils acpi acpid
+ minicom miniserve netcat-gnu socat tcpdump nmap iftop iperf mtr arp-scan ethtool
+ mitmproxy
+ yt-dlp ffmpeg_7-full imagemagick
+ senpai
+ qemu_full virtiofsd
+
+ openvpn openvpn3 update-resolv-conf
+
+ ripgrep hyperfine parallel just fzf bat delta eza fd tokei didyoumean
+ universal-ctags compiledb graphviz
+ python3 uv ruff
+ nodejs_22 deno yarn
+ rustc rustup cargo rustfmt
+ go gopls delve go-task gotags golangci-lint
+ meson cmake gnumake ninja gdb gcc clang clang-tools
+ hare haredoc
+ jdk maven gradle
+ nil nixfmt-rfc-style
+ nixpkgs-review nixpkgs-fmt nixpkgs-lint-community
+ postgresql
+ helix alacritty
+
+ ubootTools dtc cloud-utils
+ borgbackup
+
+ man-pages man-pages-posix
+ ]) ++ (with unstablePkgs; [
+ claude-code gemini-cli
+ ]) ++ (with auxiliaryPkgs; [
+ ]);
+
+ environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
+}
|
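Review bot: `fail2ban.enable = true;` is turned on with stock settings while this host is also a Tailscale node (`tailscale.enable = true;` a few lines above), so a handful of failed key offers from your own tailnet machines can get a 100.64.0.0/10 peer banned exactly like an internet scanner; add `services.fail2ban.ignoreIP = [ "100.64.0.0/10" ];` beside it. If I remember the NixOS module right it enables the sshd jail and takes the port from `services.openssh.ports`, so the non-default `62322` should be watched, but that is worth confirming once with `fail2ban-client status sshd` rather than assumed from the `# ban those who found the real port` comment. The `# listen on random port` comment reads as if the port were a control; it only cuts scanner noise, and the actual controls are `PasswordAuthentication = false`, `KbdInteractiveAuthentication = false`, `PermitRootLogin = "no"` and the `authorizedKeys` list, so `# non-default port: cuts scanner noise only, auth is key-only (see settings)` states what the setting buys.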
