Move to a profile-based configuration where common

This patch makes it so common configuration is now located in shared/
and each host basically just becomes a bunch of import statements.

The exception here is host-specific configuration like the `*.linus.onl`
that live inside `hosts/ahmed/`.

Specifically I have:

- moved common configuration `shared/{nixos,home-manager,nix-darwin}`.
- moved `hosts/common.nix` to `shared/nixos/common-{nix,shell}-settings.nix`.
- split `hosts/muhammed/{dev-utils,neovim}` into per-language
  configuration.

This patch was done in preparation for the arrival of a new host, which
will need to share a lot of configuration with Muhammed.

3 files changed, 14 insertions, 100 deletions

diff --git a/hosts/ahmed/cloudflare-proxy/default.nix b/hosts/ahmed/cloudflare-proxy/default.nix
deleted file mode 100644
index 45ccaa6..0000000
--- a/hosts/ahmed/cloudflare-proxy/default.nix
+++ /dev/null
@@ -1,88 +0,0 @@
-# This module adds some extra configuration useful when running behid a Cloudflare Proxy.
-# Mainly, it blocks all incomming conncections on relevant ports that aren't
-# coming from an official CloudFlare domain.
-{
-  config,
-  lib,
-  pkgs,
-  metadata,
-  ...
-}: let
-  # TODO: What happens when these get out of date??? Huh??? You little pissbaby
-  fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
-  cfipv4 = fileToList (pkgs.fetchurl {
-    url = "https://www.cloudflare.com/ips-v4";
-    hash = "sha256-8Cxtg7wBqwroV3Fg4DbXAMdFU1m84FTfiE5dfZ5Onns=";
-  });
-  cfipv6 = fileToList (pkgs.fetchurl {
-    url = "https://www.cloudflare.com/ips-v6";
-    hash = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk=";
-  });
-
-  IPv4Whitelist = [metadata.hosts.muhammed.ipAddress];
-  IPv6Whitelist = [];
-in {
-  config = {
-    # Teach NGINX how to extract the proxied IP from proxied requests.
-    #
-    # See: https://nixos.wiki/wiki/Nginx#Using_realIP_when_behind_CloudFlare_or_other_CDN
-    services.nginx.commonHttpConfig = let
-      realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from  ${x};");
-    in ''
-      ${realIpsFromList cfipv4}
-      ${realIpsFromList cfipv6}
-      real_ip_header CF-Connecting-IP;
-    '';
-
-    # Block non-Cloudflare IP addresses.
-    networking.firewall = let
-      chain = "cloudflare-whitelist";
-    in {
-      extraCommands = let
-        allow-interface = lib.strings.concatMapStringsSep "\n" (i: ''ip46tables --append ${chain} --in-interface ${i} --jump RETURN'');
-        allow-ip = cmd: lib.strings.concatMapStringsSep "\n" (r: ''${cmd} --append ${chain} --source ${r} --jump RETURN'');
-      in ''
-        # Flush the old firewall rules. This behavior mirrors the default firewall service.
-        # See: https://github.com/NixOS/nixpkgs/blob/ac911bf685eecc17c2df5b21bdf32678b9f88c92/nixos/modules/services/networking/firewall-iptables.nix#L59-L66
-        ip46tables --delete INPUT --protocol tcp --destination-port 80  --syn --jump ${chain} 2>/dev/null || true
-        ip46tables --delete INPUT --protocol tcp --destination-port 443 --syn --jump ${chain} 2>/dev/null || true
-        ip46tables --flush ${chain} || true
-        ip46tables --delete-chain ${chain} || true
-
-        # Create a chain that only allows whitelisted IPs through.
-        ip46tables --new-chain ${chain}
-
-        # Allow trusted interfaces through.
-        ${allow-interface config.networking.firewall.trustedInterfaces}
-
-        # Allow local whitelisted IPs through
-        ${allow-ip "iptables" IPv4Whitelist}
-        ${allow-ip "ip6tables" IPv6Whitelist}
-
-        # Allow Cloudflare's IP ranges through.
-        ${allow-ip "iptables" cfipv4}
-        ${allow-ip "ip6tables" cfipv6}
-
-        # Everything else is dropped.
-        #
-        # TODO: I would like to use `nixos-fw-log-refuse` here, but I keep
-        #       running into weird issues when reloading the firewall.
-        #       Something about the table not being deleted properly.
-        ip46tables --append ${chain} --jump DROP
-
-        # Inject our chain as the first check in INPUT (before nixos-fw).
-        # We want to capture any new incomming TCP connections.
-        ip46tables --insert INPUT 1 --protocol tcp --destination-port 80 --syn --jump ${chain}
-        ip46tables --insert INPUT 1 --protocol tcp --destination-port 443 --syn --jump ${chain}
-      '';
-      extraStopCommands = ''
-        # Clean up added rulesets (${chain}). This mirrors the behavior of the
-        # default firewall at the time of writing.
-        #
-        # See: https://github.com/NixOS/nixpkgs/blob/ac911bf685eecc17c2df5b21bdf32678b9f88c92/nixos/modules/services/networking/firewall-iptables.nix#L218-L219
-        ip46tables --delete INPUT --protocol tcp --destination-port 80  --syn --jump ${chain} 2>/dev/null || true
-        ip46tables --delete INPUT --protocol tcp --destination-port 443 --syn --jump ${chain} 2>/dev/null || true
-      '';
-    };
-  };
-}
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 86e7e60..81fc77a 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -3,13 +3,16 @@
 {
   config,
   pkgs,
-  flakeInputs,
   ...
 }: {
   imports = [
     ./hardware-configuration.nix
 
-    ./cloudflare-proxy
+    ../../shared/nixos/cloudflare-proxy
+    ../../shared/nixos/common-nix-settings
+    ../../shared/nixos/common-shell-settings
+    ../../shared/nixos/common-hm-settings
+
     ./duksebot
     ./git.linus.onl
     ./hellohtml.linus.onl
@@ -17,7 +20,6 @@
     ./nofitications.linus.onl
     ./ssh
     ./torrenting
-    ./home
     ./remote-builder
   ];
 
@@ -29,6 +31,15 @@
   };
   users.mutableUsers = false;
 
+  home-manager.users.linus = {
+    imports = [
+      # Despite this being a "just a server" it is also the only x86_64-linux
+      # host I have access to, so in practice I end up using it for development
+      # sometimes.
+      ../../shared/home-manager/development-minimal
+    ];
+  };
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
diff --git a/hosts/ahmed/home/default.nix b/hosts/ahmed/home/default.nix
deleted file mode 100644
index a031e96..0000000
--- a/hosts/ahmed/home/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-# Here we extend the HM user defined in `home/default.nix`. All the global HM
-# stuff is defined in there. The only imports here are specific to this host.
-{...}: {
-  home-manager.users.linus = {
-    imports = [
-      # empty for now
-    ];
-  };
-}