Merge branch 'v0.2.5-alpha'

add options.users.users.<name>.manageHome

.gitignore

@@ -1 +1,2 @@
 /hidden
+target/

TODO.md

@@ -1,12 +1,14 @@
 ## Next
-- [ ] use the Nix module system instead of projectOnto for `cerulean.mkNexus`
+- [ ] formalize how the snow flake system compiles outputs, this would remove the need for `mapNodes`
+- [ ] groups should allow you to set node configuration defaults
+
 - [ ] add `options.experimental` for snowflake
 - [ ] add `legacyImports` support
 
+- [ ] support hs system per dir, ie hosts/<name>/overlays or hosts/<name>/nixpkgs.nix
+
 ## Queued
-- [X] base should automatically be set as the default (dont do anything with the default)
+- [ ] per node home configuration is a lil jank rn
-- [X] try to remove common foot guns, ie abort if the user provides the home-manager or microvm nixosModules
-      since cerulean ALREADY provides these
 
 - [ ] deploy port should default to the first port given to `services.openssh`
 
@@ -23,29 +25,19 @@
 
 - [ ] go through all flake inputs (recursively) and ENSURE we remove all duplicates by using follows!!
 
-- [X] rename nixos-modules/ to nixos/
-- [X] ensure all machines are in groups.all by default
-
-- [X] fix nixpkgs.nix not working (default not respected)
-- [X] remove dependence on nixpkgs
-
 - [ ] allow multiple privesc methods, the standard is pam_ssh_agent_auth
 
 ## Low Priority
-- [X] rename extraModules to modules?
-- [X] rename specialArgs to args?
-
 - [ ] make an extension to the nix module system (different to mix)
       that allows transformations (ie a stop post config, ie outputs, which
       it then returns instead of config)
+- [ ] support `legacyImports` (?)
 
 - [ ] patch microvm so that acpi=off https://github.com/microvm-nix/microvm.nix/commit/b59a26962bb324cc0a134756a323f3e164409b72
       cause otherwise 2GB causes a failure
 
-- [ ] rewrite the ceru cli in rust
+- [ ] write the cerulean cli
-- [ ] make `ceru` do local and remote deployments
 
-- [ ] support `legacyImports` 
 
 ```nix
 # REF: foxora

cerulean/default.nix

@@ -21,7 +21,7 @@ mix.newMixture args (mixture: {
     ./snow
   ];
 
-  version = "0.2.3";
+  version = "0.2.5-alpha";
 
   # WARNING: legacy
   mkFlake = mixture.snow.flake;

cerulean/home/default.nix

@@ -0,0 +1,34 @@
+# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{
+  username,
+  lib,
+  ...
+}: {
+  # NOTE: you can access the system configuration via the `osConfig` arg
+
+  # WARNING: required for home-manager to work
+  programs.home-manager.enable = true; # user must apply lib.mkForce
+  # Nicely reload systemd units when changing configs
+  systemd.user.startServices = lib.mkDefault "sd-switch";
+
+  home = {
+    username = lib.mkDefault username;
+    homeDirectory = lib.mkDefault "/home/${username}";
+
+    sessionVariables = {
+      NIX_SHELL_PRESERVE_PROMPT = lib.mkDefault 1;
+    };
+  };
+}

cerulean/nixos/default.nix

@@ -13,29 +13,34 @@
 # limitations under the License.
 {
   root,
-  pkgs,
   system,
+  hostname,
+  node,
+  pkgs,
+  lib,
   _cerulean,
   ...
 } @ args: {
-  imports = with _cerulean.inputs;
+  imports =
     [
+      _cerulean.inputs.sops-nix.nixosModules.sops
+      # _cerulean.inputs.microvm.nixosModules.microvm
+
       # add support for `options.legacyImports`
       # ./legacy-imports.nix
 
-      # user configuration
+      # nixos options declarations
-      (import (root + "/nixpkgs.nix"))
-      # options declarations
       (import ./nixpkgs.nix (args // {contextName = "hosts";}))
 
-      sops-nix.nixosModules.sops
+      # user's nixpkg configuration
-      # microvm.nixosModules.microvm
+      (import /${root}/nixpkgs.nix)
     ]
-    ++ (
+    # homemanager options declarations
-      if _cerulean.homeManager != null
+    ++ (lib.optional (_cerulean.homeManager != null) ./home.nix)
-      then [./home-manager.nix]
+    # remote deployment configuration
-      else []
+    ++ (lib.optional (node.deploy.ssh.host != null) ./remote-deploy);
-    );
+
+  networking.hostName = lib.mkDefault hostname;
 
   environment.systemPackages =
     (with pkgs; [

cerulean/nixos/home-manager.nix

@@ -1,49 +0,0 @@
-# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-{
-  root,
-  config,
-  lib,
-  _cerulean,
-  ...
-} @ args: let
-  inherit
-    (builtins)
-    attrNames
-    filter
-    pathExists
-    ;
-in {
-  imports = [
-    _cerulean.homeManager.nixosModules.default
-  ];
-
-  home-manager = {
-    users =
-      config.users.users
-      |> attrNames
-      |> filter (x: pathExists (root + "/homes/${x}"))
-      |> (x:
-        lib.genAttrs x (y:
-          import (root + "/homes/${y}")));
-
-    extraSpecialArgs = _cerulean.specialArgs;
-    sharedModules = [
-      # user configuration
-      (import (root + "/nixpkgs.nix"))
-      # options declarations
-      (import ./nixpkgs.nix (args // {contextName = "homes";}))
-    ];
-  };
-}

cerulean/nixos/home.nix

@@ -0,0 +1,82 @@
+# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{
+  _cerulean,
+  config,
+  root,
+  lib,
+  ...
+} @ args: let
+  inherit
+    (builtins)
+    pathExists
+    ;
+
+  inherit
+    (lib)
+    filterAttrs
+    mapAttrs
+    ;
+in {
+  imports = [
+    _cerulean.homeManager.nixosModules.default
+  ];
+
+  options = {
+    users.users = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options.manageHome = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+          example = false;
+          description = ''
+            Whether Cerulean should automatically enable home-manager for this user,
+            and manage their home configuration declaratively.
+
+            Enabled by default, but can be disabled if necessary.
+          '';
+        };
+      });
+    };
+  };
+
+  config = {
+    home-manager = {
+      useUserPackages = lib.mkDefault false;
+      useGlobalPkgs = lib.mkDefault true;
+
+      overwriteBackup = lib.mkDefault false;
+      backupFileExtension = lib.mkDefault "bak";
+
+      users =
+        config.users.users
+        |> filterAttrs (name: value: value.manageHome && pathExists /${root}/homes/${name})
+        |> mapAttrs (name: _: {...}: {
+          imports = [/${root}/homes/${name}];
+
+          # per-user arguments
+          _module.args.username = name;
+        });
+
+      extraSpecialArgs = _cerulean.specialArgs;
+      sharedModules = [
+        ../home
+
+        (import /${root}/nixpkgs.nix)
+        # options declarations
+        (import ./nixpkgs.nix (args // {contextName = "homes";}))
+      ];
+    };
+  };
+}

cerulean/nixos/nixpkgs.nix

@@ -31,7 +31,7 @@ in {
     default = {};
     description = "Declare package repositories";
     example = {
-      "pkgs" = {
+      "npkgs" = {
         source = "inputs.nixpkgs";
         system = "x86-64-linux";
         config = {
@@ -53,7 +53,7 @@ in {
   config = let
     repos =
       cfg
-      |> (xs: removeAttrs xs ["default"])
+      |> (xs: removeAttrs xs ["base"])
       |> mapAttrs (
         name: args:
           lib.mkForce (
@@ -65,30 +65,31 @@ in {
           )
       );
 
-    # XXX: TODO: would it work to use `base` instead of having default?
+    basePkgs = cfg.base or {};
-    defaultPkgs =
-      cfg.default or (throw ''
-        Your `nixpkgs.nix` file does not declare a default package source.
-        Ensure you set `nixpkgs.channels.*.default = ...;`
-      '');
   in {
     # NOTE: _module.args is a special option that allows us to
     # NOTE: set extend specialArgs from inside the modules.
     # WARNING: pkgs is a reserved specialArg
-    _module.args = removeAttrs repos ["pkgs" "default"];
+    _module.args = removeAttrs repos ["pkgs" "base"];
 
-    nixpkgs =
+    nixpkgs = let
+      nixpkgsConfig = {
+        config = lib.mkForce (basePkgs.config or {});
+        overlays = lib.mkForce (basePkgs.overlays or []);
+      };
+
+      nixpkgsHostsConfig =
+        nixpkgsConfig
+        // {
+          flake.source = lib.mkForce base;
+        };
+
+      nixpkgsHomesConfig = lib.mkIf (!config.home-manager.useGlobalPkgs) nixpkgsConfig;
+    in
       if contextName == "hosts"
-      then {
+      then nixpkgsHostsConfig
-        flake.source = lib.mkForce base; # DEBUG: temp while getting base to work
-        overlays = lib.mkForce (defaultPkgs.overlays or {});
-        config = lib.mkForce (defaultPkgs.config or {});
-      }
       else if contextName == "homes"
-      then {
+      then nixpkgsHomesConfig
-        config = lib.mkForce (defaultPkgs.config or {});
-        overlays = lib.mkForce (defaultPkgs.overlays or []);
-      }
       else {};
   };
 }

cerulean/nixos/remote-deploy/default.nix

@@ -0,0 +1,82 @@
+{
+  config,
+  node,
+  lib,
+  pkgs,
+  hostname,
+  ...
+}: let
+  user = node.deploy.ssh.user;
+  cfg = config.users.users.${user};
+
+  DEFAULT_USER = "cerubld";
+
+  isStandardDeployUser = user == DEFAULT_USER;
+in {
+  assertions = [
+    {
+      assertion = builtins.length node.deploy.ssh.publicKeys != 0;
+      message = ''
+        The Cerulean deployment user `${user}` for node `${hostname}` must have at least
+        one publicKey authorized for ssh deployment! Try setting `nodes.nodes.<name>.deploy.ssh.publicKeys = [ ... ]` <3
+      '';
+    }
+    # {
+    #   assertion = cfg.isSystemUser && !cfg.isNormalUser;
+    #   message = ''
+    #     The Cerulean deployment user `${user}` for node `${hostname}` has been configured incorrectly.
+    #     Ensure `users.users.${user}.isSystemUser == true` and `users.users.${user}.isNormalUser == false`.
+    #   '';
+    # }
+  ];
+
+  warnings = lib.optional (node.deploy.warnNonstandardDeployUser && !isStandardDeployUser) ''
+    The Cerulean deplyment user `${user}` for node `${hostname}` has been overriden.
+    It is recommended to leave this user as `${DEFAULT_USER}` unless you TRULY understand what you are doing!
+    This message can be disabled by setting `<node>.deploy.warnNonstandardBuildUser = false`.
+  '';
+
+  # prefer sudo-rs over sudo
+  security.sudo-rs = {
+    enable = true;
+    wheelNeedsPassword = true;
+
+    # allow the build user to run nix commands
+    extraRules = [
+      {
+        users = [user];
+        runAs = "${node.deploy.user}:ALL";
+        commands = [
+          # "${pkgs.nix}/bin/nix"
+          "ALL" # XXX: WARNING: FIX: TODO: DO NOT FUCKING USE `ALL`
+        ];
+      }
+    ];
+  };
+
+  # XXX: WARNING: FIX: TODO: use `trusted-public-keys` instead
+  nix.settings.trusted-users = [user];
+
+  # ensure deployment user has SSH permissions
+  services.openssh.settings.AllowUsers = [user];
+
+  users = lib.mkIf isStandardDeployUser {
+    groups.${user} = {};
+
+    users.${user} = {
+      enable = true;
+      description = "Cerulean's user for building and remote deployment.";
+
+      isSystemUser = true;
+      group = user;
+
+      createHome = true;
+      home = "/var/lib/cerulean/cerubld";
+
+      useDefaultShell = false;
+      shell = pkgs.bash;
+
+      openssh.authorizedKeys.keys = node.deploy.ssh.publicKeys;
+    };
+  };
+}

cerulean/snow/default.nix

@@ -48,16 +48,22 @@ in
         class = "snowflake";
         # TODO: abort if inputs contains reserved names
         specialArgs =
-          flakeInputs
+          (flakeInputs
-          // {
+            // {
-            inherit root;
+              inherit systems root;
-            inherit systems;
+              inherit (this) snow;
-            inherit (this) snow; # please don't be infinite recursion...
+              inputs = flakeInputs;
-            inputs = flakeInputs;
+            })
-          };
+          |> (x: builtins.removeAttrs x ["self" "nodes"]);
 
         modules = [
           ./module.nix
+          ({config, ...}: {
+            _module.args = {
+              self = config;
+              nodes = config.nodes.nodes;
+            };
+          })
         ];
       };
 
@@ -86,9 +92,10 @@ in
 
           userArgs = nodes.args // node.args;
           ceruleanArgs = {
-            inherit systems root base;
+            inherit systems root base nodes node;
             inherit (node) system;
             inherit (this) snow;
+            hostname = name;
 
             _cerulean = {
               inherit inputs userArgs ceruleanArgs homeManager;
@@ -111,7 +118,7 @@ in
             modules =
               [
                 self.nixosModules.default
-                (findImport (root + "/hosts/${name}"))
+                (findImport /${root}/hosts/${name})
               ]
               ++ (groupModules root)
               ++ node.modules
@@ -128,7 +135,6 @@ in
           (node.deploy)
           ssh
           user
-          sudoCmd
           interactiveSudo
           remoteBuild
           rollback
@@ -140,14 +146,17 @@ in
 
         nixosFor = system: inputs.deploy-rs.lib.${system}.activate.nixos;
       in {
-        hostname = ssh.host;
+        hostname =
+          if ssh.host != null
+          then ssh.host
+          else "";
 
         profilesOrder = ["default"]; # profiles priority
         profiles.default = {
           path = nixosFor node.system nixosConfigurations.${name};
 
           user = user;
-          sudo = sudoCmd;
+          sudo = "sudo -u";
           interactiveSudo = interactiveSudo;
 
           fastConnection = false;

cerulean/snow/lib/nodes.nix

@@ -65,7 +65,7 @@
     # flatten recursion result
     |> concatLists
     # find import location
-    |> map (group: nt.findImport (root + "/groups/${group._name}"))
+    |> map (group: nt.findImport /${root}/groups/${group._name})
     # filter by uniqueness
     |> nt.prim.unique
     # ignore missing groups

cerulean/snow/module.nix

@@ -18,6 +18,6 @@
 }: {
   imports = [
     ./nodes
-    (snow.findImport (root + "/snow"))
+    (snow.findImport /${root}/snow)
   ];
 }

cerulean/snow/nodes/submodule.nix

@@ -59,23 +59,32 @@
         default = "root";
         example = "admin";
         description = ''
-          The user that the system derivation will be deployed to. The command specified in
+          The user that the system derivation will be built with. The command specified in
           `<node>.deploy.sudoCmd` will be used if `<node>.deploy.user` is not the
           same as `<node>.deploy.ssh.user` the same as above).
         '';
       };
 
-      sudoCmd = mkOption {
+      warnNonstandardDeployUser = mkOption {
-        type = types.str;
+        type = types.bool;
-        default = "sudo -u";
+        default = true;
-        example = "doas -u";
+        example = false;
         description = ''
-          Which sudo command to use. Must accept at least two arguments:
+          Disables the warning that shows when `deploy.ssh.user` is set to a non-standard value.
-          1. the user name to execute commands as
-          2. the rest is the command to execute
         '';
       };
 
+      # sudoCmd = mkOption {
+      #   type = types.str;
+      #   default = "sudo -u";
+      #   example = "doas -u";
+      #   description = ''
+      #     Which sudo command to use. Must accept at least two arguments:
+      #     1. the user name to execute commands as
+      #     2. the rest is the command to execute
+      #   '';
+      # };
+
       interactiveSudo = mkOption {
         type = types.bool;
         default = false;
@@ -145,8 +154,8 @@
 
       ssh = {
         host = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
-          default = "";
+          default = null;
           example = "dobutterfliescry.net";
           description = ''
             The host to connect to over ssh during deployment
@@ -171,6 +180,16 @@
           '';
         };
 
+        publicKeys = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          example = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIeyZuUUmyUYrYaEJwEMvcXqZFYm1NaZab8klOyK6Imr me@puter"];
+          description = ''
+            SSH public keys that will be authorized to the deployment user.
+            This key is intended solely for deployment, allowing for fine-grained permission control.
+          '';
+        };
+
         opts = mkOption {
           type = types.listOf types.str;
           default = [];

cli/.gitignore

@@ -1 +0,0 @@
-/target

cli/Cargo.lock

@@ -1,7 +0,0 @@
-# This file is automatically @generated by Cargo.
-# It is not intended for manual editing.
-version = 4
-
-[[package]]
-name = "snow"
-version = "0.1.0"

cli/Cargo.toml

@@ -1,8 +0,0 @@
-[package]
-name = "snow"
-description = "NixOS Derivative"
-version = "0.1.0"
-authors = ["_cry64 <them@dobutterfliescry.net>"]
-edition = "2024"
-
-[dependencies]

cli/LICENSE

@@ -1,22 +0,0 @@
-MIT License
-
-Copyright (c) 2026 _cry64 (Emile Clark-Boman)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-

cli/src/main.rs

@@ -1,8 +0,0 @@
-use std::env;
-
-mod rocli;
-
-fn main() {
-    let args: Vec<String> = env::args().collect();
-    println!("Hello, world!");
-}

cli/src/rocli/command.rs

@@ -1,9 +0,0 @@
-pub struct Command {
-    pub name: String,
-    pub version: Option<String>,
-
-    pub action: Action,
-
-    pub subcommands: Vec<Commands>,
-    pub flags: Vec<Flag>,
-}

cli/src/rocli/mod.rs

@@ -1,4 +0,0 @@
-mod command;
-mod parse;
-
-pub use parse::normalize_args;

cli/src/rocli/parse.rs

@@ -1,33 +0,0 @@
-/// Parse the GNU convention CLI argument syntax.
-///
-/// # Examples
-/// ```rs
-/// assert!(parse(vec!["--flag=value"]) == vec!["--flag", "value"]);
-/// assert!(parse(vec!["--flag value"]) == vec!["--flag", "value"]);
-/// assert!(parse(vec!["-abe"]) == vec!["-a", "-b", "-e"]);
-/// assert!(parse(vec!["-abef=32"]) == vec!["-a", "-b", "-e", "-f", "32"]);
-/// ```
-///
-/// # Credit
-/// Based on [github:ksk001100/seahorse `src/utils.rs`](https://github.com/ksk001100/seahorse/blob/master/src/utils.rs)
-pub fn normalize_args(args: Vec<String>) -> Vec<String> {
-    args.iter().fold(Vec::<String>::new(), |mut acc, el| {
-        if !el.starts_with('-') {
-            acc.push(el.to_owned());
-            return acc;
-        }
-
-        let mut split = el.splitn(2, '=').map(|s| s.to_owned()).collect();
-        if el.starts_with("--") {
-            acc.append(&mut split);
-        } else {
-            let flags = split[0].chars().skip(1).map(|c| format!("-{c}"));
-
-            acc.append(&mut flags.collect());
-            if let Some(value) = split.get(1) {
-                acc.push(value.to_owned());
-            }
-        }
-        acc
-    })
-}

flake.lock

@@ -185,30 +185,9 @@
         "microvm": "microvm",
         "nixpkgs": "nixpkgs",
         "nt": "nt",
-        "sops-nix": "sops-nix",
         "systems": "systems_3"
       }
     },
-    "sops-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1772495394,
-        "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=",
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Mic92",
-        "repo": "sops-nix",
-        "type": "github"
-      }
-    },
     "spectrum": {
       "flake": false,
       "locked": {