authorTim Keller <tjk@tjkeller.xyz>2025-08-30 12:31:28 -0500
committerTim Keller <tjk@tjkeller.xyz>2025-08-30 12:31:28 -0500
commit9da942ba47d34210e86a1a709e802eda5c3b95db (patch)
treef7434c4b4c9b8e5271220c11f9b802815c3519c7 /archetypes
parentc3c3d6f1fd19a5da015c9a9d3ae5c54f2d177be0 (diff)
refactor users activation. refactor home manager config to match nixos conf and move tjkeller archetypes to users/timmy. update many of the existing home manager configs to be nicer and better organized. profile archetypes now include homeconfigs which can be enabled per user, and are set up using a new mkProfileArchetype function.
Diffstat (limited to 'archetypes')
-rw-r--r--archetypes/default.nix2
-rw-r--r--archetypes/profiles/desktop/default.nix46
-rw-r--r--archetypes/profiles/headless/default.nix19
-rw-r--r--archetypes/tjkeller/default.nix10
-rw-r--r--archetypes/tjkeller/hosts.nix16
-rw-r--r--archetypes/tjkeller/localization.nix5
-rw-r--r--archetypes/tjkeller/nas.nix35
-rw-r--r--archetypes/tjkeller/printing.nix39
-rw-r--r--archetypes/tjkeller/resources/secrets/hashed-root-password.yaml25
-rw-r--r--archetypes/tjkeller/resources/secrets/wpa_supplicant-conf.yaml16
-rw-r--r--archetypes/tjkeller/user.nix22
-rw-r--r--archetypes/tjkeller/wifi.nix38
-rw-r--r--archetypes/users/primary.nix37
13 files changed, 44 insertions, 266 deletions
diff --git a/archetypes/default.nix b/archetypes/default.nix
index f201fc3..52e5eaa 100644
--- a/archetypes/default.nix
+++ b/archetypes/default.nix
@@ -9,7 +9,5 @@
./profiles/desktop
./profiles/headless
-
- ./users/primary.nix
];
}
diff --git a/archetypes/profiles/desktop/default.nix b/archetypes/profiles/desktop/default.nix
index d9a7dc7..7ca1e7c 100644
--- a/archetypes/profiles/desktop/default.nix
+++ b/archetypes/profiles/desktop/default.nix
@@ -1,12 +1,7 @@
{ lib, config, pkgs, ... }: let
mkDesktop = lib.mkOverride 920;
- cfg = config._archetypes.profiles.desktop;
-in {
- options._archetypes.profiles.desktop = {
- enable = lib.mkEnableOption "enable desktop profile";
- };
- config = lib.mkIf cfg.enable {
+ nixosConfig = {
_archetypes.collections = {
desktop = {
utilities.enable = mkDesktop true;
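Review bot: `config` in the module arguments on the first line of this hunk looks unused now that the `cfg` binding is removed; the only reference to it visible in the diff was that deleted line, though the file's lines outside the hunks may still read it. If nothing else does, drop it from the argument pattern: `{ lib, pkgs, ... }: let`. The same question applies to `archetypes/profiles/headless/default.nix`, whose first hunk removes its `cfg` binding while keeping `config` in `{ lib, config, ... }`. The `let` block opened here continues into the later hunks of this file.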
@@ -22,10 +17,6 @@ in {
fonts.enable = mkDesktop true;
};
- _archetypes.users.primary = {
- enable = mkDesktop true;
- };
-
security = {
_doas.enable = mkDesktop true;
};
@@ -45,9 +36,42 @@ in {
tlp.enable = mkDesktop true;
# Ensure video group can change backlight
- udev.extraRules = ''
+ udev.extraRules = mkDesktop ''
SUBSYSTEM=="backlight", ACTION=="add", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
'';
};
};
+
+ homeConfig = {
+ gtk = {
+ enable = mkDesktop true;
+ _mintTheme.enable = mkDesktop true;
+ font.name = mkDesktop "sans-serif";
+ cursorTheme.name = mkDesktop "Adwaita";
+ };
+
+ qt._gtkPlatformTheme.enable = mkDesktop true;
+
+ fonts.fontconfig = {
+ enable = mkDesktop true;
+ defaultFonts = {
+ # These fonts are added above in fonts collection
+ sansSerif = mkDesktop [ "Inter" ];
+ monospace = mkDesktop [ "CommitMono" ];
+ };
+ };
+
+ programs = {
+ _pcmanfm.openAsRootOption.enable = mkDesktop true;
+ firefox._configure = mkDesktop true;
+ htop._configure = mkDesktop true;
+ };
+
+ home._repos = {
+ enable = mkDesktop true;
+ desktop = mkDesktop true;
+ };
+ };
+in {
+ imports = [ (lib._mkProfileArchetype "desktop" nixosConfig homeConfig) ];
}
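Review bot: Wrapping `udev.extraRules` in `mkDesktop` (`lib.mkOverride 920`) changes how the backlight rule merges rather than just its priority: `services.udev.extraRules` is a lines-typed option whose definitions are concatenated, but the module system keeps only the definitions at the highest priority, so any host or module that sets `udev.extraRules` at the default priority 100 silently discards this rule and the chgrp/chmod of the backlight node never runs. The value was unprioritized before this change and merged with every other definition; I would restore that, `udev.extraRules = ''`, and rely on the profile's own enable condition for gating. The override is appropriate for the boolean and string options in `homeConfig`, where a per-host definition is meant to replace the profile default. The `nixosConfig` binding that contains this line begins in the first hunk of the file, outside this hunk.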
diff --git a/archetypes/profiles/headless/default.nix b/archetypes/profiles/headless/default.nix
index ef17db0..b391076 100644
--- a/archetypes/profiles/headless/default.nix
+++ b/archetypes/profiles/headless/default.nix
@@ -1,22 +1,13 @@
{ lib, config, ... }: let
mkHeadless = lib.mkOverride 910;
- cfg = config._archetypes.profiles.headless;
-in {
- options._archetypes.profiles.headless = {
- enable = lib.mkEnableOption "enable headless profile";
- };
- config = lib.mkIf cfg.enable {
+ nixosConfig = {
_archetypes.collections = {
development = {
utilities.enable = mkHeadless true;
};
};
- _archetypes.users = {
- primary.enable = mkHeadless true;
- };
-
security = {
_doas.enable = mkHeadless true;
};
@@ -29,4 +20,12 @@ in {
_ssh.enable = mkHeadless true;
};
};
+
+ homeConfig = {
+ home._repos = {
+ enable = mkHeadless true;
+ };
+ };
+in {
+ imports = [ (lib._mkProfileArchetype "headless" nixosConfig homeConfig) ];
}
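Review bot: The option that enables this profile is no longer visible in the file: the removed `options._archetypes.profiles.headless.enable` declaration is replaced by `lib._mkProfileArchetype "headless" nixosConfig homeConfig`, which is defined outside this diff, so a reader cannot tell from here which option path turns the profile on or how `homeConfig` is applied per user (the commit message says it can be enabled per user). A one-line comment above the import naming the option path the helper declares, e.g. `# declares <option path filled in from lib._mkProfileArchetype>; homeConfig is applied to users that enable it`, would keep that discoverable. The same applies to the final hunk of `archetypes/profiles/desktop/default.nix`. The `let` block closed by this hunk's `in` opens in the file's first hunk.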
diff --git a/archetypes/tjkeller/default.nix b/archetypes/tjkeller/default.nix
deleted file mode 100644
index 6a9bbd9..0000000
--- a/archetypes/tjkeller/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- imports = [
- ./hosts.nix
- ./localization.nix
- ./nas.nix
- ./printing.nix
- ./user.nix
- ./wifi.nix
- ];
-}
diff --git a/archetypes/tjkeller/hosts.nix b/archetypes/tjkeller/hosts.nix
deleted file mode 100644
index 66c6ccc..0000000
--- a/archetypes/tjkeller/hosts.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- networking.hosts = {
- "192.168.1.9" = [ "optiplex" ];
- "192.168.1.30" = [ "localgit" ];
- "192.168.1.11" = [ "truenas-home" ];
- "192.168.77.11" = [ "truenas-office" ];
- "192.168.77.8" = [ "publicgit" "tjkeller" ];
- "192.168.77.3" = [ "devel" ];
- "173.9.253.3" = [
- "git.tjkeller.xyz"
- "piped.tjkeller.xyz"
- "search.tjkeller.xyz"
- "tjkeller.xyz"
- ];
- };
-}
diff --git a/archetypes/tjkeller/localization.nix b/archetypes/tjkeller/localization.nix
deleted file mode 100644
index 8313f07..0000000
--- a/archetypes/tjkeller/localization.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- time.timeZone = "America/Chicago";
- i18n.defaultLocale = "en_US.UTF-8";
- services.xserver.xkb.layout = "us";
-}
diff --git a/archetypes/tjkeller/nas.nix b/archetypes/tjkeller/nas.nix
deleted file mode 100644
index 1ed0ca3..0000000
--- a/archetypes/tjkeller/nas.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ lib, config, ... } :
-let
- cfg = config._archetypes.tjkeller.nas;
- mkNetworkFileSystem = device: automount: {
- device = "${device}";
- fsType = "nfs";
- options = [ "defaults" ] ++ lib.optionals (!automount) [ "noauto" ];
- };
-in {
- options._archetypes.tjkeller.nas = {
- enable = lib.mkEnableOption "enable network shares";
- home = {
- enable = lib.mkEnableOption "enable home network shares";
- automount = lib.mkEnableOption "automount home network shares";
- };
- office = {
- enable = lib.mkEnableOption "enable office network shares";
- automount = lib.mkEnableOption "automount home network shares";
- };
- };
-
- config = lib.mkIf cfg.enable {
- fileSystems = lib.optionalAttrs cfg.home.enable {
- "/media/Storage/Media" = mkNetworkFileSystem "truenas-home:/mnt/Storage/Media" cfg.home.automount;
- "/media/Storage/Backups" = mkNetworkFileSystem "truenas-home:/mnt/Storage/Backups" cfg.home.automount;
- "/media/Storage/Tapes" = mkNetworkFileSystem "truenas-home:/mnt/Storage/Backups/Tapes" cfg.home.automount;
- "/media/Family Photos" = mkNetworkFileSystem "truenas-home:/mnt/Media/Photos" cfg.home.automount;
- } // lib.optionalAttrs cfg.office.enable {
- "/media/chexx/chexx" = mkNetworkFileSystem "truenas-office:/mnt/Storage/chexx" cfg.office.automount;
- "/media/chexx/tkdocs" = mkNetworkFileSystem "truenas-office:/mnt/Storage/Users/Tim-Keller" cfg.office.automount;
- "/media/chexx/scans" = mkNetworkFileSystem "truenas-office:/mnt/Storage/Scans" cfg.office.automount;
- };
- # TODO auto mkdirz
- };
-}
diff --git a/archetypes/tjkeller/printing.nix b/archetypes/tjkeller/printing.nix
deleted file mode 100644
index d5cceab..0000000
--- a/archetypes/tjkeller/printing.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ lib, config, pkgs, ... }: {
- config = lib.mkIf config.services.printing.enable {
- # Printer drivers
- services.printing.drivers = [
- pkgs.epson-escpr2
- pkgs.workcentre-7800-series
- ];
-
- # Scanning programs
- environment.systemPackages = with pkgs; [
- epsonscan2
- ];
-
- # Printers
- networking.hosts = {
- "192.168.1.35" = [ "Epson_ET-8500" ];
- "192.168.77.40" = [ "Xerox_WorkCentre_7855" ];
- };
-
- # Add printers to cups
- hardware.printers.ensurePrinters = [
- {
- name = "Epson_ET-8500";
- description = "Epson ET-8500";
- location = "Home";
- deviceUri = "ipp://Epson_ET-8500:631/ipp/print";
- model = "epson-inkjet-printer-escpr2/Epson-ET-8500_Series-epson-escpr2-en.ppd";
- }
- #{
- # name = "Xerox_WorkCentre_7855";
- # description = "Xerox WorkCentre 7855";
- # location = "Office";
- # deviceUri = "ipp://Xerox_WorkCentre_7855:631/ipp/print";
- # model = "everywhere IPP Everywhere";
- #}
- ];
- hardware.printers.ensureDefaultPrinter = "Epson_ET-8500";
- };
-}
diff --git a/archetypes/tjkeller/resources/secrets/hashed-root-password.yaml b/archetypes/tjkeller/resources/secrets/hashed-root-password.yaml
deleted file mode 100644
index a42fd42..0000000
--- a/archetypes/tjkeller/resources/secrets/hashed-root-password.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-hashed-root-password: ENC[AES256_GCM,data:7Qgoeb/6JPNupkHCBEzCs0FMP2cDEw972bjCRWeMrBrAMZzLsZc3Mbv03s1zLztUp6Ie93R5lVsamxKPUnaPt+Tnr/l+0E9aTmt7j7L6UzmWr12nj3FHxxTSU9ief6+ioIk+S4eICJspIQ==,iv:VoWP4qBCGzuYRpQw4nilUXByJ+ZwyZR/BdKowi+53DM=,tag:x6A00VCm8BEOhtv/WySXrQ==,type:str]
-sops:
- age:
- - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Z3dTbW1GUzgyRUwyZGtF
- alZSeFBmdEdhNER3UEtGRGd4MnliK1l1eGpJCm80SHFNZ3NZOTNxVkM4R3ZLY005
- OFVtUGN3OXZJblRxOFNMOFhsV25CS0EKLS0tIEE5SG5NekxWbytXY2xNeUN6TWhG
- RldJZms3RDFuRk40ck42Mkd5RTd4YVUKgyWE8Cs0yLO/82w2muGWTlcjY86BVSUy
- bFeIcQT33dEPiNUmynTqEGpN2NVQbfVDw17QbA9GNhGClanTTXmX4A==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1f0tmpy2nam58skmznjyqd3zf54rxtfrk6fda0vlpq9y3yg6wac7sjf0vja
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcUprWjBXTVlidTRwMEZ6
- WHE4dWp6OWtybkFCaTkyY2JyaWYrRHNhZWtNCi9xamwreEsyVFdnWWhJeUVsdUpT
- UHlkRVJZZTEvMDluTWNJSnRSUXN6Q0kKLS0tIHNsQk92SUd2ekowY0hvQi9LNjIx
- Q0oxVFNtRkpZTlVHeEY3YXFoSlc4Zk0K7RaqH/Qf2dTPBuCz9DH0xgU+Tq8ATKUq
- tfAuuAU9HBtLFiZjhWsZmj5XUy5Z18IiUKDIxlw41mNtbcsUnjm30w==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-17T22:34:07Z"
- mac: ENC[AES256_GCM,data:B95HuJC2o8B+P1f9kAtJTcSty7YSAByuqe/Xs6ce6780p05FuzWM5X9bwvwsYXngGNKqCHksWf50UXzJ3eyc6y4ISxdxljAv2FmJFKw4NkfGaOMiRLlGPMn1uFpOtkRT+qL0+mupWG/Ap3zcpbxjsDx46PUur+e6yRxlAHw8mGw=,iv:DYobhWK+4+7vOog7BrBASiHrEzzz0P6zqgWxexfcLG8=,tag:skGwUpDEB8e3TCjrxs5peA==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.10.2
diff --git a/archetypes/tjkeller/resources/secrets/wpa_supplicant-conf.yaml b/archetypes/tjkeller/resources/secrets/wpa_supplicant-conf.yaml
deleted file mode 100644
index 2fd7a0e..0000000
--- a/archetypes/tjkeller/resources/secrets/wpa_supplicant-conf.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-wpa_supplicant-conf: ENC[AES256_GCM,data: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,iv:7qdltuNvesslz32SfEXqu9WFu2uGOGg1sjfskfqfXnk=,tag:N1RhL1M9YtDlvxLBRC2gAg==,type:str]
-sops:
- age:
- - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxdXBUWXEvRU85Tk1lNWgz
- ZHpENjdudmRuaEJIeVRHOHlDbWNzK0tQMGs4CmV6MVBpdE5PMTBWMm1PcDVFQ2VM
- b0IwWDFxLy8xYUcxRVZFSEsyYlBFS1UKLS0tIHpCbDQ0a29TZlVFTGp4aXJCSmJ4
- ZGxqMFQ1NDk1OHJIOUd0cVV0dzNNQlkKzYX36u0rEq6dMTCJf6OON6LzcEEnAB5A
- +M9t3OKUUNtwgksjBUEwqBLJ1sU9amijpK63GUxwp74YDtsb0YXHiw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-17T22:33:44Z"
- mac: ENC[AES256_GCM,data:leJsAdcWFE0EA1syXfd7yDu1Ct+vTkKiHUEc46O31uUeaWVFwgH8EKC0ImqiHMgbDJv+a9UHm7GtsWy1aMQNVRBXL3R2HbNQkOqGkIIdGsrrbjslQl8UwI7wx1g2P3ORhlGRYXTscDUl53+e4i3YrYOEDDPL5EAWuQEWldJXLZc=,iv:banL6qqV2EqfZFKHn5dawUq95Ima06z8H6Kso1qRdcA=,tag:g6M95M6bT4UPTfiEZT4ljw==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.10.2
diff --git a/archetypes/tjkeller/user.nix b/archetypes/tjkeller/user.nix
deleted file mode 100644
index 2695549..0000000
--- a/archetypes/tjkeller/user.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ lib, config, pkgs, userDetails, ... }: let
- cfg = config._archetypes.tjkeller.setPasswords;
- hashedPasswordFile = config.sops.secrets.hashed-root-password.path;
-in {
- options._archetypes.tjkeller.setPasswords = {
- enable = lib.mkEnableOption "set users password. requires hashed root password from sops";
- };
-
- config = lib.mkIf cfg.enable {
- # Load hashed root password secret
- sops.secrets.hashed-root-password = {
- sopsFile = ./resources/secrets/hashed-root-password.yaml;
- neededForUsers = true;
- };
-
- # Apply password file
- users.users = {
- root = { inherit hashedPasswordFile; };
- ${userDetails.username} = lib.mkIf config._archetypes.users.primary.enable { inherit hashedPasswordFile; };
- };
- };
-}
diff --git a/archetypes/tjkeller/wifi.nix b/archetypes/tjkeller/wifi.nix
deleted file mode 100644
index 32b6ef8..0000000
--- a/archetypes/tjkeller/wifi.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ lib, config, ... }: let
- cfg = config._archetypes.tjkeller.wifi;
-in {
- options._archetypes.tjkeller.wifi = {
- enable = lib.mkEnableOption "enables wifi";
- };
-
- config = lib.mkIf cfg.enable {
- networking.wireless = {
- enable = true; # Enables wireless support via wpa_supplicant.
- userControlled.enable = true;
- allowAuxiliaryImperativeNetworks = true; # Networks defined in aux imperitive networks (/etc/wpa_supplicant.conf)
- };
-
- # Load wpa_supplicant.conf secret config
- sops.secrets.wpa_supplicant-conf = {
- sopsFile = ./resources/secrets/wpa_supplicant-conf.yaml;
- };
-
- # Link /etc/wpa_supplicant.conf -> secret config
- environment.etc."wpa_supplicant.conf" = {
- source = config.sops.secrets.wpa_supplicant-conf.path;
- };
-
- # This service is a workaround to ensure that secrets are available on
- # reboot when the secret keys are on a separate subvolume
- systemd.services.npcnix-force-rebuild-sops-hack = {
- wantedBy = [ "multi-user.target" ];
- before = [ "wpa_supplicant.service" ];
- serviceConfig = {
- ExecStart = "/run/current-system/activate";
- Type = "oneshot";
- Restart = "on-failure"; # because oneshot
- RestartSec = "10s";
- };
- };
- };
-}
diff --git a/archetypes/users/primary.nix b/archetypes/users/primary.nix
deleted file mode 100644
index a29c3b8..0000000
--- a/archetypes/users/primary.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ lib, config, pkgs, userDetails, ... }: let
- cfg = config._archetypes.users.primary;
-in {
- options._archetypes.users.primary = {
- enable = lib.mkEnableOption "create primary user";
- autologin.enable = lib.mkEnableOption "enables getty automatic login";
- };
-
- config = lib.mkIf cfg.enable {
- # Enable zsh
- programs.zsh.enable = true;
-
- # Setup normal user
- users.users.${userDetails.username} = {
- home = userDetails.home;
- description = userDetails.fullname;
- isNormalUser = true;
- shell = pkgs.zsh;
- extraGroups = [
- "nixbld"
- "video"
- "wheel"
- ] ++ lib.optionals config.hardware.i2c.enable [
- "i2c"
- ] ++ lib.optionals config.virtualisation.libvirtd.enable [
- "libvirtd"
- ] ++ lib.optionals config.virtualisation.docker.enable [
- "docker"
- ];
- };
-
- # Configure automatic login with getty
- services.getty = lib.mkIf cfg.autologin.enable {
- autologinUser = userDetails.username;
- };
- };
-}