Roles
Roles enable a large set of default options based on what kind of machine a host is.
This can remove a lot of boilerplate if you run many hosts with similar configurations.
Currently there are two available roles:
Desktop
Designed for desktop use, sets up:
- base shell + env
- systemd-networkd networking
- boot integrated, systemd-boot by default but can be changed
- initrd + SSH encrypted root unlock
 
Module Options Reference for provision.roles.desktop
Example Usage:
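provision.roles.desktop = {
  enable = true;
  # Add myuser to the Nix daemon's trusted users (generated config:
  # provision.nix.trustedUsers). Trusted users can override daemon settings
  # such as substituters, which is effectively root-equivalent, so list only
  # accounts you would grant root to anyway.
  # The option is named nixTrustedUsers (see the generated config below);
  # the older spelling trustedNixUsers does not match any option.
  nixTrustedUsers = ["myuser"];
  # Import myuser's SSH keyFiles into initrd.networkd authorizedKeyFiles
  # (generated config: fs.boot.initrd.ssh.usersImportKeyFiles). Any key
  # listed here can unlock the encrypted root before the main system is up,
  # so keep that user's authorized-key set minimal.
  # NOTE(review): the desktop role's generated config sets
  # fs.boot.initrd.enable = false, so this only takes effect if initrd
  # unlock is enabled elsewhere — confirm against the module.
  initrdUnlockUsers = ["myuser"];
};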
Produces:
  };
  config = mkIf cfg.desktop.enable {
    provision = {
      fs.boot = {
        enable = true;
        initrd.enable = false;
        initrd.ssh.usersImportKeyFiles = cfg.desktop.initrdUnlockUsers;
      };
      core = {
        enable = true;
        fonts.enable = true;
      };
      nix = {
        basic = true;
        develop = true;
        builder = true;
        optimise.enable = true;
        trustWheel = mkDefault true;
        trustedUsers = cfg.desktop.nixTrustedUsers;
      };
      networking.ssh = {
        enable = true;
        hardened = true;
Edge
Designed for server use, sets up:
- base shell + env
- garbage-collected + optimised nix
- systemd-networkd networking
- boot integrated, systemd-boot by default but can be changed
- initrd + SSH encrypted root unlock
 
Module Options Reference for provision.roles.edge
Example Usage:
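# This is the edge role's example, so the attribute path is provision.roles.edge
# (the generated config below is gated on cfg.edge.enable).
provision.roles.edge = {
  enable = true;
  # Raise the inotify sysctl limits; the generated config applies a
  # 10000x multiple when this is set.
  bigMachine = true;
  # Add deploy to the Nix daemon's trusted users (generated config:
  # provision.nix.trustedUsers); can be required for remote deploys.
  # Trusted users are effectively root-equivalent on the host, so use a
  # dedicated deploy account with its own keys rather than a shared one.
  # The option is named nixTrustedUsers (see the options reference below).
  nixTrustedUsers = ["deploy"];
  # Import deploy's SSH keyFiles into initrd.networkd authorizedKeyFiles
  # (generated config: fs.boot.initrd.ssh.usersImportKeyFiles). These keys
  # can unlock the encrypted root from the network, so keep the set minimal.
  initrdUnlockUsers = ["deploy"];
  # Network kernel modules added to stage-1 (boot.initrd.availableKernelModules)
  # so the remote unlock over SSH is reachable; the driver for this host's NIC
  # must be in the list.
  initrdNetModules = ["e1000e"];
};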
Produces:
    initrdNetModules =
      opts.stringList [ ]
        "extra network modules to add to `boot.initrd.availableKernelModules`";
    nixTrustedUsers = opts.stringList [ ] "trusted nix users (needed for deploy user at least)";
  };
  config = mkIf cfg.edge.enable {
    provision = {
      fs.boot = {
        enable = true;
        initrd.enable = true;
        initrd.ssh.usersImportKeyFiles = cfg.edge.initrdUnlockUsers;
        initrd.network.modules = cfg.edge.initrdNetModules;
      };
      core = {
        enable = true;
        shell.enable = true;
        locale.enable = true;
        aliases.enable = true;
        packages.enable = true;
        defaults.sysctl.bumpInotifyLimits = true;
        defaults.sysctl.inotifyLimitsMultiple = mkIf cfg.edge.bigMachine 10000;
      };
      nix = {