WIP

modules/nixos/boot/loader/systemd-boot.nix

@@ -18,23 +18,21 @@ in
   };
 
   config = mkIf (cfg.loader == "systemd-boot") {
-    boot.loader = {
-      systemd-boot =
-        {
-          enable = mkDefault true;
-          configurationLimit = 15; # prevent "too many" configuration from showing up on the boot menu
-          consoleMode = mkDefault "max"; # the default is "keep"
+    boot.loader.systemd-boot =
+      {
+        enable = mkDefault true;
+        configurationLimit = 15; # prevent "too many" configuration from showing up on the boot menu
+        consoleMode = mkDefault "max"; # the default is "keep"
 
-          # Fix a security hole. See desc in nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
-          editor = false;
-        }
-        // optionalAttrs cfg.memtest.enable {
-          extraFiles."efi/memtest86plus/memtest.efi" = "${cfg.boot.memtest.package}/memtest.efi";
-          extraEntries."memtest86plus.conf" = ''
-            title MemTest86+
-            efi   /efi/memtest86plus/memtest.efi
-          '';
-        };
-    };
+        # Fix a security hole. See desc in nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+        editor = false;
+      }
+      // optionalAttrs cfg.memtest.enable {
+        extraFiles."efi/memtest86plus/memtest.efi" = "${cfg.boot.memtest.package}/memtest.efi";
+        extraEntries."memtest86plus.conf" = ''
+          title MemTest86+
+          efi   /efi/memtest86plus/memtest.efi
+        '';
+      };
   };
 }

modules/nixos/hardware/gpu/nvidia.nix

@@ -103,17 +103,8 @@ in
       };
 
       graphics = {
-        extraPackages = builtins.attrValues {
-          inherit (pkgs)
-            nvidia-vaapi-driver
-            ;
-        };
-
-        extraPackages32 = builtins.attrValues {
-          inherit (pkgs.pkgsi686Linux)
-            nvidia-vaapi-driver
-            ;
-        };
+        extraPackages = [ pkgs.nvidia-vaapi-driver ];
+        extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ];
       };
     };
   };

modules/profiles/graphical/login/greetd.nix

@@ -48,8 +48,8 @@ in
       };
 
       initial_session = mkIf system.autoLogin {
-        user = "${system.mainUser}";
-        command = "${environment.desktop}";
+        user = system.mainUser;
+        command = environment.desktop;
       };
     };
   };

modules/profiles/graphical/login/pam.nix

@@ -1,18 +1,22 @@
+{ lib, ... }:
 let
-  common = {
-    enableGnomeKeyring = true;
-    gnupg = {
-      enable = true;
-      noAutostart = true;
-      storeOnly = true;
-    };
-  };
+  inherit (lib.attrsets) genAttrs;
 in
 {
   # unlock GPG keyring on login
-  security.pam.services = {
-    login = common;
-    greetd = common;
-    tuigreet = common;
-  };
+  security.pam.services =
+    genAttrs
+      [
+        "login"
+        "greetd"
+        "tuigreet"
+      ]
+      (_: {
+        enableGnomeKeyring = true;
+        gnupg = {
+          enable = true;
+          noAutostart = true;
+          storeOnly = true;
+        };
+      });
 }

modules/profiles/graphical/security/polkit.nix

@@ -8,7 +8,7 @@ let
   inherit (lib.modules) mkIf;
 in
 {
-  systemd = mkIf config.garden.system.video.enable {
+  systemd = mkIf (config.garden.system.video.enable && config.garden.environment.isWM) {
     user.services.polkit-pantheon-authentication-agent-1 = {
       description = "Pantheon PolicyKit agent";
       serviceConfig = {

modules/profiles/graphical/services/earlyoom.nix

@@ -2,6 +2,45 @@
 let
   inherit (lib.modules) mkForce;
   inherit (builtins) concatStringsSep;
+
+  avoid = concatStringsSep "|" [
+    "(h|H)yprland"
+    "sway"
+    "Xwayland"
+    "cryptsetup"
+    "dbus-.*"
+    "gpg-agent"
+    "greetd"
+    "ssh-agent"
+    ".*qemu-system.*"
+    "sddm"
+    "sshd"
+    "systemd"
+    "systemd-.*"
+    "wezterm"
+    "kitty"
+    "bash"
+    "zsh"
+    "fish"
+    "n?vim"
+    "akkoma"
+  ];
+
+  prefer = concatStringsSep "|" [
+    "Web Content"
+    "Isolated Web Co"
+    "firefox.*"
+    "chrom(e|ium).*"
+    "electron"
+    "dotnet"
+    ".*.exe"
+    "java.*"
+    "pipewire(.*)"
+    "nix"
+    "npm"
+    "node"
+    "pipewire(.*)"
+  ];
 in
 {
   # https://dataswamp.org/~solene/2022-09-28-earlyoom.html
@@ -13,51 +52,11 @@ in
       enableNotifications = true; # annoying, but we want to know what's killed
       freeSwapThreshold = 2;
       freeMemThreshold = 2;
-      extraArgs =
-        let
-          avoid = concatStringsSep "|" [
-            "(h|H)yprland"
-            "sway"
-            "Xwayland"
-            "cryptsetup"
-            "dbus-.*"
-            "gpg-agent"
-            "greetd"
-            "ssh-agent"
-            ".*qemu-system.*"
-            "sddm"
-            "sshd"
-            "systemd"
-            "systemd-.*"
-            "wezterm"
-            "kitty"
-            "bash"
-            "zsh"
-            "fish"
-            "n?vim"
-            "akkoma"
-          ];
-          prefer = concatStringsSep "|" [
-            "Web Content"
-            "Isolated Web Co"
-            "firefox.*"
-            "chrom(e|ium).*"
-            "electron"
-            "dotnet"
-            ".*.exe"
-            "java.*"
-            "pipewire(.*)"
-            "nix"
-            "npm"
-            "node"
-            "pipewire(.*)"
-          ];
-        in
-        [
-          "-g"
-          "--avoid '(^|/)(${avoid})'" # things that we want to avoid killing
-          "--prefer '(^|/)(${prefer})'" # things we want to remove fast
-        ];
+      extraArgs = [
+        "-g"
+        "--avoid '(^|/)(${avoid})'" # things that we want to avoid killing
+        "--prefer '(^|/)(${prefer})'" # things we want to remove fast
+      ];
 
       # we should ideally write the logs into a designated log file; or even better, to the journal
       # for now we can hope this echo sends the log to somewhere we can observe later

modules/profiles/graphical/services/systemd.nix

@@ -1,26 +1,31 @@
+{ lib, ... }:
+let
+  inherit (lib.attrsets) genAttrs;
+
+  extraConfig = ''
+    DefaultTimeoutStartSec=15s
+    DefaultTimeoutStopSec=15s
+    DefaultTimeoutAbortSec=15s
+    DefaultDeviceTimeoutSec=15s
+  '';
+in
 {
-  systemd =
-    let
-      extraConfig = ''
-        DefaultTimeoutStartSec=15s
-        DefaultTimeoutStopSec=15s
-        DefaultTimeoutAbortSec=15s
-        DefaultDeviceTimeoutSec=15s
-      '';
-    in
-    {
-      inherit extraConfig;
-      user = {
-        inherit extraConfig;
-      };
+  systemd = {
+    inherit extraConfig;
+    user = { inherit extraConfig; };
 
-      services = {
-        "getty@tty1".enable = false;
-        "autovt@tty1".enable = false;
-        "getty@tty7".enable = false;
-        "autovt@tty7".enable = false;
-        "kmsconvt@tty1".enable = false;
-        "kmsconvt@tty7".enable = false;
-      };
-    };
+    services =
+      genAttrs
+        [
+          "getty@tty1"
+          "autovt@tty1"
+          "getty@tty7"
+          "autovt@tty7"
+          "kmsconvt@tty1"
+          "kmsconvt@tty7"
+        ]
+        (_: {
+          enable = false;
+        });
+  };
 }

modules/profiles/headless/fonts.nix

@@ -1,13 +1,14 @@
 { lib, ... }:
 let
   inherit (lib.modules) mkForce;
+  inherit (lib.attrsets) mapAttrs;
 in
 {
   # we don't need fonts on a server
   # since there are no fonts to be configured outside the console
-  fonts = {
-    packages = mkForce [ ];
-    fontDir.enable = mkForce false;
-    fontconfig.enable = mkForce false;
+  fonts = mapAttrs (_: mkForce) {
+    packages = [ ];
+    fontDir.enable = false;
+    fontconfig.enable = false;
   };
 }