From 28e710337595636d53790a69b5f23d9bc3fa6011 Mon Sep 17 00:00:00 2001
From: Alexander Wainwright <code@figtree.dev>
Date: Sat, 11 Apr 2026 10:55:04 +1000
Subject: [PATCH] refactor: split base.nix into core.nix + base.nix layers

core.nix is the new minimal layer: user, SSH, fish, nix flakes/gc,
locale, and a handful of essential packages. Suitable for any headless
host that just needs to be SSHable and manageable.

base.nix now imports core.nix and adds the day-to-day quality-of-life
layer: avahi, mosh, direnv, nix-ld, earlyoom, zramSwap, CLI tools,
and build toolchains. All existing hosts that import base.nix are
unchanged.

bootstrap is updated to import core.nix directly instead of
duplicating the config inline.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 hosts/bootstrap/configuration.nix |  78 ++-----------------
 hosts/modules/base.nix            | 120 ++----------------------------
 hosts/modules/core.nix            |  67 +++++++++++++++++
 3 files changed, 81 insertions(+), 184 deletions(-)
 create mode 100644 hosts/modules/core.nix

diff --git a/hosts/bootstrap/configuration.nix b/hosts/bootstrap/configuration.nix
index bba8645..624ff4b 100644
--- a/hosts/bootstrap/configuration.nix
+++ b/hosts/bootstrap/configuration.nix
@@ -3,91 +3,25 @@
 {
   imports = [
     (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    ../modules/core.nix
   ];
 
-  nix.settings = {
-    sandbox = false;
-    experimental-features = [ "nix-command" "flakes" ];
-    auto-optimise-store = true;
-    trusted-users = [ "root" "alex" ];
-  };
-
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
+  nix.settings.sandbox = false;
 
   proxmoxLXC = {
     manageNetwork = false;
-    privileged = false;
+    privileged = true;
   };
 
   networking.hostName = "bootstrap";
 
-  time.timeZone = "Australia/Brisbane";
-
-  i18n.defaultLocale = "en_GB.UTF-8";
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_AU.UTF-8";
-    LC_IDENTIFICATION = "en_AU.UTF-8";
-    LC_MEASUREMENT = "en_AU.UTF-8";
-    LC_MONETARY = "en_AU.UTF-8";
-    LC_NAME = "en_AU.UTF-8";
-    LC_NUMERIC = "en_AU.UTF-8";
-    LC_PAPER = "en_AU.UTF-8";
-    LC_TELEPHONE = "en_AU.UTF-8";
-    LC_TIME = "en_AU.UTF-8";
-  };
-
-  console.keyMap = "dvorak";
-
-  nixpkgs.config.allowUnfree = true;
-
-  documentation.man.generateCaches = false;
-
-  programs.fish.enable = true;
-
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = "prohibit-password";
-  };
-
-  services.avahi = {
-    enable = true;
-    nssmdns4 = true;
-    nssmdns6 = true;
-    publish = {
-      enable = true;
-      addresses = true;
-    };
-    openFirewall = true;
-  };
-
-  users.users.alex = {
-    isNormalUser = true;
-    description = "Alexander Wainwright";
-    extraGroups = [ "wheel" ];
-    shell = pkgs.fish;
-    openssh.authorizedKeys.keys = [
-      # TODO: add your SSH public key here
-    ];
-  };
+  users.users.alex.openssh.authorizedKeys.keys = [
+    # TODO: add your SSH public key here
+  ];
 
   users.users.root.openssh.authorizedKeys.keys = [
     # TODO: add your SSH public key here
   ];
 
-  environment.variables.EDITOR = "nvim";
-
-  environment.systemPackages = with pkgs; [
-    curl
-    git
-    htop
-    neovim
-    rsync
-    wget
-  ];
-
   system.stateVersion = "25.11";
 }
diff --git a/hosts/modules/base.nix b/hosts/modules/base.nix
index ed49e4b..9c31a2c 100644
--- a/hosts/modules/base.nix
+++ b/hosts/modules/base.nix
@@ -1,42 +1,15 @@
 { config, pkgs, inputs, ... }:
 {
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users = {
-		users.alex = {
-			isNormalUser = true;
-			description = "Alexander Wainwright";
-			extraGroups = [
-				"dialout"
-				"input"
-				"networkmanager"
-				"plugdev"
-				"render"
-				"video"
-				"wheel"
-				];
-			packages = with pkgs; [
-			#  thunderbird
-			];
-			shell = pkgs.fish;
-		};
-		groups.pluggdev = {};
-	};
+  imports = [ ./core.nix ];
 
-	services.udev.packages = [ pkgs.rtl-sdr ];
+  services.udev.packages = [ pkgs.rtl-sdr ];
 
-  # this is to avoid some problem that happens apparently only when fish is
-  # enabled, where generating man cahes takes a very long time. note that it may
-  # break fish man completion and apropos.
-  documentation.man.generateCaches = false;
-
-  # enable zram. not totally sure if this does it in physical ram or just swap
   zramSwap.enable = true;
 
   boot.kernel.sysctl = {
     "vm.swappiness" = 10;
   };
 
-  # enable earlyoom to stop the system becoming unresponsive when out of ram
   services.earlyoom = {
     enable = true;
     freeMemThreshold = 10;
@@ -45,31 +18,6 @@
 
   networking.firewall.allowedTCPPorts = [ 8000 8080 ];
 
-  # Set your time zone.
-  time.timeZone = "Australia/Brisbane";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_GB.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "en_AU.UTF-8";
-    LC_IDENTIFICATION = "en_AU.UTF-8";
-    LC_MEASUREMENT = "en_AU.UTF-8";
-    LC_MONETARY = "en_AU.UTF-8";
-    LC_NAME = "en_AU.UTF-8";
-    LC_NUMERIC = "en_AU.UTF-8";
-    LC_PAPER = "en_AU.UTF-8";
-    LC_TELEPHONE = "en_AU.UTF-8";
-    LC_TIME = "en_AU.UTF-8";
-  };
-
-  # Configure console keymap
-  console.keyMap = "dvorak";
-
-  # fish shell
-  programs.fish.enable = true;
-
-  # direnv
   programs.direnv = {
     enable = true;
     package = pkgs.direnv;
@@ -82,72 +30,23 @@
     };
   };
 
-  # Create a library path that only applies to unpackaged programs by using
-  # nix-ldo
-  # https://nix.dev/guides/faq#how-to-run-non-nix-executables
   programs.nix-ld.enable = true;
-  programs.nix-ld.libraries = with pkgs; [
-    # Add any missing dynamic libraries for unpackaged programs
-    # here, NOT in environment.systemPackages
-  ];
+  programs.nix-ld.libraries = with pkgs; [];
 
-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
+  programs.mosh.enable = true;
 
-  # Enable the Flakes feature and the accompanying new nix command-line tool
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  # some nix tidy up stuff
-  nix.settings.auto-optimise-store = true;
-
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
-
-  # Enable zeroconf
   services.avahi = {
     enable = true;
-    nssmdns4 = true; # Enables Avahi for name service lookups (e.g., in /etc/nsswitch.conf)
-    nssmdns6 = true; # Also resolve IPv6 mDNS addresses via NSS
+    nssmdns4 = true;
+    nssmdns6 = true;
     publish = {
       enable = true;
-      addresses = true; # Publish your laptop's IP addresses
-      workstation = true; # Publish your laptop as a workstation
-      # You might also want:
-      # domain = true; # Announce the locally used domain name (usually .local)
-      # userServices = true; # Publish services advertised by users
+      addresses = true;
+      workstation = true;
     };
     openFirewall = true;
-    # If you're using systemd-resolved alongside Avahi, ensure mDNS is also enabled there:
-    # services.resolved.enable = true;
-    # services.resolved.extraConfig = "MulticastDNS=yes";
   };
 
-  environment.variables.EDITOR = "nvim";
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  # };
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  # enable mosh
-  programs.mosh.enable  = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # Packages
   environment.systemPackages = with pkgs; [
     avahi
     bat
@@ -157,10 +56,8 @@
     dust
     entr
     fd
-    git
     gocryptfs
     mosh
-    neovim
     python314
     ripgrep
     rsync
@@ -168,7 +65,6 @@
     tldr
     unzip
     uv
-    wget
     wireguard-tools
     zip
 
diff --git a/hosts/modules/core.nix b/hosts/modules/core.nix
new file mode 100644
index 0000000..159e9ce
--- /dev/null
+++ b/hosts/modules/core.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, inputs, ... }:
+{
+  users = {
+    users.alex = {
+      isNormalUser = true;
+      description = "Alexander Wainwright";
+      extraGroups = [
+        "dialout"
+        "input"
+        "networkmanager"
+        "plugdev"
+        "render"
+        "video"
+        "wheel"
+      ];
+      packages = [];
+      shell = pkgs.fish;
+    };
+    groups.pluggdev = {};
+  };
+
+  programs.fish.enable = true;
+
+  documentation.man.generateCaches = false;
+
+  time.timeZone = "Australia/Brisbane";
+
+  i18n.defaultLocale = "en_GB.UTF-8";
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_AU.UTF-8";
+    LC_IDENTIFICATION = "en_AU.UTF-8";
+    LC_MEASUREMENT = "en_AU.UTF-8";
+    LC_MONETARY = "en_AU.UTF-8";
+    LC_NAME = "en_AU.UTF-8";
+    LC_NUMERIC = "en_AU.UTF-8";
+    LC_PAPER = "en_AU.UTF-8";
+    LC_TELEPHONE = "en_AU.UTF-8";
+    LC_TIME = "en_AU.UTF-8";
+  };
+
+  console.keyMap = "dvorak";
+
+  nixpkgs.config.allowUnfree = true;
+
+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+    auto-optimise-store = true;
+    trusted-users = [ "root" "alex" ];
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  services.openssh.enable = true;
+
+  environment.variables.EDITOR = "nvim";
+
+  environment.systemPackages = with pkgs; [
+    curl
+    git
+    neovim
+    wget
+  ];
+}