rename /cerulean -> /nix

nix/nixos/default.nix

@@ -0,0 +1,52 @@
+# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{
+  root,
+  system,
+  hostname,
+  node,
+  pkgs,
+  lib,
+  _cerulean,
+  ...
+} @ args: {
+  imports =
+    [
+      _cerulean.inputs.sops-nix.nixosModules.sops
+      # _cerulean.inputs.microvm.nixosModules.microvm
+
+      # add support for `options.legacyImports`
+      # ./legacy-imports.nix
+
+      # nixos options declarations
+      (import ./nixpkgs.nix (args // {contextName = "hosts";}))
+
+      # user's nixpkg configuration
+      (import /${root}/nixpkgs.nix)
+    ]
+    # homemanager options declarations
+    ++ (lib.optional (_cerulean.homeManager != null) ./home.nix)
+    # remote deployment configuration
+    ++ (lib.optional (node.deploy.ssh.host != null) ./remote-deploy);
+
+  networking.hostName = lib.mkDefault hostname;
+
+  environment.systemPackages =
+    (with pkgs; [
+      sops
+    ])
+    ++ (with _cerulean.inputs; [
+      deploy-rs.packages.${system}.default
+    ]);
+}

nix/nixos/home.nix

@@ -0,0 +1,82 @@
+# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{
+  _cerulean,
+  config,
+  root,
+  lib,
+  ...
+} @ args: let
+  inherit
+    (builtins)
+    pathExists
+    ;
+
+  inherit
+    (lib)
+    filterAttrs
+    mapAttrs
+    ;
+in {
+  imports = [
+    _cerulean.homeManager.nixosModules.default
+  ];
+
+  options = {
+    users.users = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options.manageHome = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+          example = false;
+          description = ''
+            Whether Cerulean should automatically enable home-manager for this user,
+            and manage their home configuration declaratively.
+
+            Enabled by default, but can be disabled if necessary.
+          '';
+        };
+      });
+    };
+  };
+
+  config = {
+    home-manager = {
+      useUserPackages = lib.mkDefault false;
+      useGlobalPkgs = lib.mkDefault true;
+
+      overwriteBackup = lib.mkDefault false;
+      backupFileExtension = lib.mkDefault "bak";
+
+      users =
+        config.users.users
+        |> filterAttrs (name: value: value.manageHome && pathExists /${root}/homes/${name})
+        |> mapAttrs (name: _: {...}: {
+          imports = [/${root}/homes/${name}];
+
+          # per-user arguments
+          _module.args.username = name;
+        });
+
+      extraSpecialArgs = _cerulean.specialArgs;
+      sharedModules = [
+        ../home
+
+        (import /${root}/nixpkgs.nix)
+        # options declarations
+        (import ./nixpkgs.nix (args // {contextName = "homes";}))
+      ];
+    };
+  };
+}

nix/nixos/microvm-child.nix

@@ -0,0 +1,13 @@
+# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

nix/nixos/microvm-parent.nix

@@ -0,0 +1,13 @@
+# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.

nix/nixos/nixpkgs.nix

@@ -0,0 +1,95 @@
+# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{
+  base,
+  lib,
+  system,
+  config,
+  contextName,
+  ...
+}: let
+  inherit
+    (builtins)
+    mapAttrs
+    ;
+
+  cfg = config.nixpkgs.channels;
+in {
+  options.nixpkgs.channels = lib.mkOption {
+    type = lib.types.attrs;
+    default = {};
+    description = "Declare package repositories";
+    example = {
+      "npkgs" = {
+        source = "inputs.nixpkgs";
+        system = "x86-64-linux";
+        config = {
+          allowUnfree = true;
+          allowBroken = false;
+        };
+      };
+      "upkgs" = {
+        source = "inputs.nixpkgs-unstable";
+        system = "x86-64-linux";
+        config = {
+          allowUnfree = false;
+          allowBroken = true;
+        };
+      };
+    };
+  };
+
+  config = let
+    repos =
+      cfg
+      |> (xs: removeAttrs xs ["base"])
+      |> mapAttrs (
+        name: args:
+          lib.mkForce (
+            assert args ? source
+            || abort ''
+              `nixpkgs.channels.${name}` missing required attribute "source"
+            '';
+              import args.source ({inherit system;} // (removeAttrs args ["source"]))
+          )
+      );
+
+    basePkgs = cfg.base or {};
+  in {
+    # NOTE: _module.args is a special option that allows us to
+    # NOTE: set extend specialArgs from inside the modules.
+    # WARNING: pkgs is a reserved specialArg
+    _module.args = removeAttrs repos ["pkgs" "base"];
+
+    nixpkgs = let
+      nixpkgsConfig = {
+        config = lib.mkForce (basePkgs.config or {});
+        overlays = lib.mkForce (basePkgs.overlays or []);
+      };
+
+      nixpkgsHostsConfig =
+        nixpkgsConfig
+        // {
+          flake.source = lib.mkForce base;
+        };
+
+      nixpkgsHomesConfig = lib.mkIf (!config.home-manager.useGlobalPkgs) nixpkgsConfig;
+    in
+      if contextName == "hosts"
+      then nixpkgsHostsConfig
+      else if contextName == "homes"
+      then nixpkgsHomesConfig
+      else {};
+  };
+}

nix/nixos/remote-deploy/default.nix

@@ -0,0 +1,82 @@
+{
+  config,
+  node,
+  lib,
+  pkgs,
+  hostname,
+  ...
+}: let
+  user = node.deploy.ssh.user;
+  cfg = config.users.users.${user};
+
+  DEFAULT_USER = "cerubld";
+
+  isStandardDeployUser = user == DEFAULT_USER;
+in {
+  assertions = [
+    {
+      assertion = builtins.length node.deploy.ssh.publicKeys != 0;
+      message = ''
+        The Cerulean deployment user `${user}` for node `${hostname}` must have at least
+        one publicKey authorized for ssh deployment! Try setting `nodes.nodes.<name>.deploy.ssh.publicKeys = [ ... ]` <3
+      '';
+    }
+    # {
+    #   assertion = cfg.isSystemUser && !cfg.isNormalUser;
+    #   message = ''
+    #     The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
+    #     Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
+    #   '';
+    # }
+  ];
+
+  warnings = lib.optional (node.deploy.warnNonstandardDeployUser && !isStandardDeployUser) ''
+    The Cerulean deplyment user `${user}` for node `${hostname}` has been overriden.
+    It is recommended to leave this user as `${DEFAULT_USER}` unless you TRULY understand what you are doing!
+    This message can be disabled by setting `<node>.deploy.warnNonstandardBuildUser = false`.
+  '';
+
+  # prefer sudo-rs over sudo
+  security.sudo-rs = {
+    enable = true;
+    wheelNeedsPassword = true;
+
+    # allow the build user to run nix commands
+    extraRules = [
+      {
+        users = [user];
+        runAs = "${node.deploy.user}:ALL";
+        commands = [
+          # "${pkgs.nix}/bin/nix"
+          "ALL" # XXX: WARNING: FIX: TODO: DO NOT FUCKING USE `ALL`
+        ];
+      }
+    ];
+  };
+
+  # XXX: WARNING: FIX: TODO: use `trusted-public-keys` instead
+  nix.settings.trusted-users = [user];
+
+  # ensure deployment user has SSH permissions
+  services.openssh.settings.AllowUsers = [user];
+
+  users = lib.mkIf isStandardDeployUser {
+    groups.${user} = {};
+
+    users.${user} = {
+      enable = true;
+      description = "Cerulean's user for building and remote deployment.";
+
+      isSystemUser = true;
+      group = user;
+
+      createHome = true;
+      home = "/var/lib/cerulean/cerubld";
+
+      useDefaultShell = false;
+      shell = pkgs.bash;
+
+      openssh.authorizedKeys.keys = node.deploy.ssh.publicKeys;
+    };
+  };
+}