Started work on modularized machine config, does not quite work yet. Changed Ophanim's kernel to hardened.

config/default.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
-let
+{
-  cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
-in {
   imports = [
     ./etc.nix
     ./locale.nix
@@ -10,5 +8,5 @@ in {
     ./nix.nix
     ./users.nix
     ./zsh.nix
-    ] ++ (if cfg.conf.networking.hostName != "Ophanim" then [./fonts.nix] else [./security.nix]);
+    ] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);
 }

config/networking.nix

@@ -1,18 +1,18 @@
 { config, lib, pkgs, ... }:
 
 let
-  cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
+ firewallcfg = config.machine.networking.firewall;
 in {
   networking = {
-    hostName = cfg.conf.networking.hostName;
+    hostName = config.machine.hostName;
-    # should probably add some etc file for this....
+
     firewall = {
       enable = true;
-      allowPing = cfg.conf.networking.firewall.allowPing;
+      allowPing = firewallcfg.allowPing;
-      allowedUDPPorts = cfg.conf.networking.firewall.allowedUDPPorts;
+      allowedUDPPorts = firewallcfg.allowedUDPPorts;
-      allowedTCPPorts = cfg.conf.networking.firewall.allowedTCPPorts;
+      allowedTCPPorts = firewallcfg.allowedTCPPorts;
-      allowedUDPPortRanges = cfg.conf.networking.firewall.allowedUDPPortRanges;
+      allowedUDPPortRanges = firewallcfg.allowedUDPPortRanges;
-      allowedTCPPortRanges = cfg.conf.networking.firewall.allowedTCPPortRanges;
+      allowedTCPPortRanges = firewallcfg.allowedTCPPortRanges;
     };
   };
 }

config/users.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 
-let
+{
-  cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
-in {
   users = {
     mutableUsers = false;
     users.derped = {
@@ -11,11 +9,11 @@ in {
       createHome = true;
       description = "";
       group = "derped";
-      extraGroups = [ "audio" "wheel" "network" ] ++ (if cfg.conf.networking.hostName != "Ophanim" then ["input" "cups" "lp"] else []);
+      extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
       uid = 1337;
       shell = "/run/current-system/sw/bin/zsh";
       passwordFile = "/secret/derped";
-      openssh.authorizedKeys.keyFiles = (if cfg.conf.networking.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
+      openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
     };
     
     groups.derped = {

configuration.nix

@@ -1,13 +1,24 @@
 { config, lib, pkgs, ... }:
 
+with lib;
+
 let
-  cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
+  # hint: use 'echo -n' so there is no newline char in the hostName file
-in {
+  cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));
+in rec {
   imports = [
-    cfg.confPath
+    cfgPath
-    ./config/default.nix
+
+
+    # use
+#    config.machine.confPath
+    # instead of
+    ./machines/Lilim/Lilim.nix
+
+
+#    ./config/default.nix # same problem as above
     ./pkgs/nixpkgs.nix
     ./pkgs/pkgsets.nix
-    ./services/default.nix
+#    ./services/default.nix # same problem as above
   ];
 }

machines/Lilim/configuration.nix

@@ -1,32 +1,38 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
 {
-  confPath = ./Lilim.nix;
+  imports = [ ../../options/machine.nix ];
-  pkgs = [
+
-    "base"
+  config.machine = {
-    "emacs"
+    confPath = ./Lilim.nix;
-    "extra"
+    pkgs = [
-    "cpp"
+      "base"
-    "haskell"
+      "dict"
-    "mailutils"
+      "emacs"
-    "python3"
+      "extra"
-    "rustpkgs"
+      "cpp"
-    "xpkgs"
+      "haskell"
-  ];
+      "mailutils"
-  services = [
+      "python3"
-    ../../services/xserver.nix
+      "rustpkgs"
-    ../../services/udev.nix
+      "xpkgs"
-    ../../services/cups.nix
+    ];
-  ];
+    services = [
-  conf = {
+      ../../services/xserver.nix
+      ../../services/docker.nix
+      ../../services/udev.nix
+      ../../services/cups.nix
+    ];
     allowUnfree = true;
-    networking = {
+    hostName = "Lilim";
-      hostName = "Lilim";
+    firewall = {
-      firewall = {
+      allowPing = true;
-        allowPing = true;
+      allowedUDPPorts = [];
-        allowedUDPPorts = [];
+      allowedTCPPorts = [];
-        allowedTCPPorts = [];
+      allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
-        allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
+      allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
-        allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
-      };
     };
   };
 }

machines/Ophanim/hardware-configuration.nix

@@ -7,7 +7,7 @@
 
   boot = {
     initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
-    kernelPackages = pkgs.linuxPackages_latest;
+    kernelPackages = pkgs.linuxPackages_latest_hardened;
     kernelModules = [ ];
     extraModulePackages = [ ];
     loader.grub = {

options/machine.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  options.machine = {
+    confPath = mkOption {
+      type = types.path;
+      description = ''
+        Path to the machines configuration.nix
+      '';
+    };
+    allowUnfree = mkOption {
+      type = types.bool;
+      description = ''
+        Wether to allow the installation of unfree packages.
+      '';
+    };
+    pkgs = mkOption {
+      type = types.listOf types.string;
+      description = ''
+        The list of metapackages to be installed.
+      '';
+    };
+    services = mkOption {
+      type = types.listOf types.path;
+      description = ''
+        List of services to be enabled.
+      '';
+    };
+    hostName = mkOption {
+      type = types.str;
+      description = ''
+        The Machines HostName
+      '';
+    };
+    firewall = {
+        allowPing = mkOption {
+          type = types.bool;
+          description = ''
+            See networking.firewall.allowPing.
+          '';
+        };
+        allowedUDPPorts = mkOption {
+          type = types.listOf types.int;
+          description = ''
+            See networking.firewall.allowerdUDPPorts.
+          '';
+        };
+        allowedTCPPorts = mkOption {
+          type = types.listOf types.int;
+          description = ''
+            See networking.firewall.allowedTCPPorts.
+          '';
+        };
+        allowedUDPPortRanges = mkOption {
+          type = types.listOf (types.attrsOf types.int);
+          description = ''
+            See networking.firewall.allowerdUDPPortRanges.
+          '';
+        };
+        allowedTCPPortRanges = mkOption {
+          type = types.listOf (types.attrsOf types.int);
+          description = ''
+            See networking.firewall.allowedTCPPortRanges.
+          '';
+        };
+    };
+  };
+}

pkgs/pkgsets.nix

@@ -3,9 +3,10 @@
   gitpkgs ? import /nixpkgs/default.nix,
   config, lib, pkgs, ... }:
 
+with lib;
+
 let
-  cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
+  optPkgs = package: pkgstring: if elem pkgstring config.machine.pkgs then package else [];
-  optPkgs = with lib; package: pkgstring: if elem pkgstring cfg.pkgs then package else [];
   gitpkgs = import /nixpkgs/default.nix {};
 
   # Programms I'm likely to want on every machine and/or may execute as root
@@ -36,7 +37,7 @@ let
     nix-update-source
     nix-zsh-completions
     nixbang
-#    nixops
+    nixops
     nmap
     nox
     ntfs3g
@@ -66,6 +67,12 @@ let
     zsh
   ];
 
+  dict = with pkgs; [
+    translate-shell
+    ( hunspellWithDicts (with pkgs.hunspellDicts; [ de-de en-us ] ))
+    ( aspellWithDicts   (d: [ d.de d.en d.en-computers d.en-science ] ))
+  ];
+
   emacs = gitpkgs.emacsWithPackages (epkgs: with epkgs; [
     /* Theming */
     solarized-theme color-theme-sanityinc-tomorrow moe-theme powerline moody minions
@@ -80,6 +87,7 @@ let
     wsd-mode
     plantuml-mode
     /* Other Stuff, not yet sorted */
+    google-translate
     transmission
     org-plus-contrib orgit ox-gfm ox-rst
     eclim
@@ -152,7 +160,7 @@ let
     })
   ];
 
-  python3 = gitpkgs.python3Full.withPackages(ps: with ps; [ 
+  python3 = gitpkgs.python3Full.withPackages(ps: with ps; [
     GitPython
     bpython
     configparser
@@ -160,6 +168,7 @@ let
     elpy
     emoji
     epc
+    genanki
     numpy
     opencv3
     paho-mqtt
@@ -168,7 +177,6 @@ let
     pip
     plotly
     pyflakes
-    pygame_sdl2
     pylama
     pylint
     pyopengl
@@ -201,10 +209,9 @@ let
 #    flask_sqlalchemy
 #    flask_testing    
 #    flask_wtf
-#    flaskbabel
+#    flaskbabel   
     /* temporarily fix python stuff */
     py3status pytz tzlocal
-
   ]);
 
   rustpkgs = with pkgs; [ 
@@ -243,6 +250,7 @@ let
 
 in {
  environment.systemPackages =  base
+                            ++ (optPkgs dict "dict")
                             ++ (optPkgs [emacs] "emacs")
                             ++ (optPkgs extra "extra")
                             ++ (optPkgs mailutils "mailutils")
@@ -256,8 +264,8 @@ in {
                             ++ (optPkgs xpkgs "xpkgs");
 
   services.emacs = {
-    enable = (lib.elem "emacs" cfg.pkgs);
+    enable = (elem "emacs" config.machine.pkgs);
-    install = (lib.elem "emacs" cfg.pkgs);
+    install = (elem "emacs" config.machine.pkgs);
     package = emacs;
   };
 }

services/default.nix

@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 
-let
+with lib;
-  cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
+
-in {
+{
-  imports = cfg.services;
+  imports = config.machine.services;
 }

services/docker.nix

@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+# Note: add privileged users to docker group for access
+{
+  virtualisation.docker.enable = true;
+  environment.systemPackages = with pkgs; [ docker-compose docker-machine ];
+  ### Docker Image stuff will probably follow here
+}