feat: rework to modular

README.md

@@ -1,35 +1,132 @@
 # nix-nodeiwest
 
-Employee and workstation flake for NodeiWest.
+Composable company Nix for NodeiWest workstations and project shells.
 
-Server deployment moved to the sibling repo `../nix-deployment`.
+This repo is now structured as a shared SDK:
 
-This repo now owns:
+- `modules/` holds focused Home Manager building blocks
+- `profiles/` bundles those modules into opinionated employee entrypoints
+- `shells/` exposes reusable flake dev shells for project repos
+- `systems/` adapts the shared modules into Darwin or standalone Linux Home Manager configs
+- `lib/` holds the small helpers that keep composition consistent
+- `templates/` bootstraps downstream user flakes
 
-- shared Home Manager modules
-- employee shell packages and environment variables
-- workstation-side access to the `nodeiwest` helper by consuming it from `../nix-deployment`
+It does not define users or machines directly. Downstream flakes decide who uses which profile.
 
-This repo no longer owns:
+## Layout
 
-- NixOS server host definitions
-- Colmena deployment state
-- Tailscale server bootstrap
-- k3s bootstrap
-- OpenBao server or Kubernetes infra manifests
-
-## Helper Consumption
-
-The helper package is re-exported from the deployment repo:
-
-```bash
-nix run .#nodeiwest-helper -- --help
+```text
+.
+├── flake.nix
+├── lib/
+├── modules/
+│   ├── base/
+│   ├── dev/
+│   ├── optional/
+│   ├── roles/
+│   ├── secrets/
+│   └── services/
+├── profiles/
+├── shells/
+├── systems/
+└── templates/
 ```
 
-If you import `modules/helpers/home.nix` directly, pass the deployment flake as a special arg:
+## Flake Interface
+
+Primary outputs:
+
+- `homeManagerModules.base.*`: low-level base modules
+- `homeManagerModules.dev.*`: language and workflow modules
+- `homeManagerModules.roles.*`: reusable role bundles
+- `homeManagerModules.profiles.*`: ready-made employee profiles
+- `homeManagerModules.default`: compatibility shim for the old default home module
+- `lib.mkSystem`: chooses the Darwin or Linux adapter for a downstream flake
+- `lib.shells.*`: shell factories for repo-local dev environments
+- `devShells.<system>.*`: ready-to-use company shells
+- `templates.user-flake`: starter personal flake
+
+## Workstation Consumption
+
+Downstream user flakes own the actual machine definitions. They consume profiles from this repo:
 
 ```nix
-extraSpecialArgs = {
-  deployment = inputs.deployment;
+{
+  inputs.company.url = "git+ssh://git@git.dgren.dev/employees/company-nix.git";
+
+  outputs = { company, ... }: {
+    darwinConfigurations.eric = company.lib.mkSystem {
+      target = "darwin";
+      system = "aarch64-darwin";
+      username = "eric";
+      homeDirectory = "/Users/eric";
+      modules = [
+        company.homeManagerModules.profiles.frontend
+      ];
+    };
+  };
+}
+```
+
+For Linux Home Manager:
+
+```nix
+{
+  inputs.company.url = "git+ssh://git@git.dgren.dev/employees/company-nix.git";
+
+  outputs = { company, ... }: {
+    homeConfigurations."eric@work" = company.lib.mkSystem {
+      target = "linux";
+      system = "x86_64-linux";
+      username = "eric";
+      homeDirectory = "/home/eric";
+      modules = [
+        company.homeManagerModules.profiles.backend
+      ];
+    };
+  };
+}
+```
+
+## Project Shell Consumption
+
+Project repos should keep their own flake and compose shells from this repo instead of outsourcing project ownership here.
+
+Use the ready-made shell directly:
+
+```nix
+{
+  inputs.company.url = "git+ssh://git@git.dgren.dev/employees/company-nix.git";
+
+  outputs = { nixpkgs, company, ... }:
+    let
+      system = "x86_64-linux";
+      pkgs = import nixpkgs { inherit system; };
+    in
+    {
+      devShells.${system}.default = company.lib.shells.node {
+        inherit pkgs;
+        extraPackages = [ pkgs.ffmpeg ];
+      };
+    };
+}
+```
+
+Or extend the published company shell in place:
+
+```nix
+devShells.${system}.default = pkgs.mkShell {
+  inputsFrom = [ company.devShells.${system}.node ];
+  packages = [ pkgs.ffmpeg ];
 };
 ```
+
+## Template
+
+Bootstrap a personal flake with:
+
+```bash
+nix flake init -t .#user-flake
+```
+
+That template is intentionally small. Add machine-specific modules in the personal repo, not here.

flake.lock

@@ -1,98 +1,5 @@
 {
   "nodes": {
-    "colmena": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils",
-        "nix-github-actions": "nix-github-actions",
-        "nixpkgs": "nixpkgs",
-        "stable": "stable"
-      },
-      "locked": {
-        "lastModified": 1762034856,
-        "narHash": "sha256-QVey3iP3UEoiFVXgypyjTvCrsIlA4ecx6Acaz5C8/PQ=",
-        "owner": "zhaofengli",
-        "repo": "colmena",
-        "rev": "349b035a5027f23d88eeb3bc41085d7ee29f18ed",
-        "type": "github"
-      },
-      "original": {
-        "owner": "zhaofengli",
-        "repo": "colmena",
-        "type": "github"
-      }
-    },
-    "deployment": {
-      "inputs": {
-        "colmena": "colmena",
-        "disko": "disko",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 0,
-        "narHash": "sha256-BW+YgPQb2t5davyiQ6gb4sIbBdIL72jCaLGiehkGT9U=",
-        "type": "git",
-        "url": "file:../nix-deployment"
-      },
-      "original": {
-        "type": "git",
-        "url": "file:../nix-deployment"
-      }
-    },
-    "disko": {
-      "inputs": {
-        "nixpkgs": [
-          "deployment",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1773506317,
-        "narHash": "sha256-qWKbLUJpavIpvOdX1fhHYm0WGerytFHRoh9lVck6Bh0=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "878ec37d6a8f52c6c801d0e2a2ad554c75b9353c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1650374568,
-        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -100,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773681856,
-        "narHash": "sha256-+bRqxoFCJFO9ZTFhcCkzNXbDT3b8AEk88fyjB7Is6eo=",
+        "lastModified": 1775781825,
+        "narHash": "sha256-L5yKTpR+alrZU2XYYvIxCeCP4LBHU5jhwSj7H1VAavg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "57d5560ee92a424fb71fde800acd6ed2c725dfce",
+        "rev": "e35c39fca04fee829cecdf839a50eb9b54d8a701",
         "type": "github"
       },
       "original": {
@@ -113,51 +20,33 @@
         "type": "github"
       }
     },
-    "nix-github-actions": {
+    "nix-darwin": {
       "inputs": {
         "nixpkgs": [
-          "deployment",
-          "colmena",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1729742964,
-        "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
-        "rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
+        "lastModified": 1775037210,
+        "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "rev": "06648f4902343228ce2de79f291dd5a58ee12146",
         "type": "github"
       },
       "original": {
-        "owner": "nix-community",
-        "repo": "nix-github-actions",
+        "owner": "LnL7",
+        "repo": "nix-darwin",
         "type": "github"
       }
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1750134718,
-        "narHash": "sha256-v263g4GbxXv87hMXMCpjkIxd/viIF7p3JpJrwgKdNiI=",
+        "lastModified": 1775763530,
+        "narHash": "sha256-BuTK9z1QEwWPOIakQ1gCN4pa4VwVJpfptYCviy2uOGc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9e83b64f727c88a7711a2c463a7b16eedb69a84c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1773628058,
-        "narHash": "sha256-hpXH0z3K9xv0fHaje136KY872VT2T5uwxtezlAskQgY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "f8573b9c935cfaa162dd62cc9e75ae2db86f85df",
+        "rev": "b0188973b4b2a5b6bdba8b65381d6cd09a533da0",
         "type": "github"
       },
       "original": {
@@ -169,25 +58,9 @@
     },
     "root": {
       "inputs": {
-        "deployment": "deployment",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_2"
-      }
-    },
-    "stable": {
-      "locked": {
-        "lastModified": 1750133334,
-        "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "36ab78dab7da2e4e27911007033713bab534187b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-25.05",
-        "repo": "nixpkgs",
-        "type": "github"
+        "nix-darwin": "nix-darwin",
+        "nixpkgs": "nixpkgs"
       }
     }
   },

flake.nix

@@ -1,14 +1,16 @@
 {
-  description = "NodeiWest employee and workstation flake";
+  description = "NodeiWest company Nix SDK";
 
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    deployment = {
-      url = "git+file:../nix-deployment";
+
+    nix-darwin = {
+      url = "github:LnL7/nix-darwin";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -17,33 +19,116 @@
     inputs@{
       self,
       nixpkgs,
-      deployment,
       ...
     }:
     let
       lib = nixpkgs.lib;
-      supportedSystems = [
-        "aarch64-darwin"
-        "x86_64-darwin"
-        "x86_64-linux"
-      ];
-      forAllSystems = lib.genAttrs supportedSystems;
+      defaults = import ./lib/defaults.nix { inherit lib; };
+      inherit (defaults) forAllSystems supportedSystems;
+
+      shellFactories = {
+        default = args: import ./shells/default.nix args;
+        node = args: import ./shells/node.nix (args // { inherit lib; });
+        go = args: import ./shells/go.nix args;
+        rust = args: import ./shells/rust.nix (args // { inherit lib; });
+      };
+
+      profileModules = {
+        backend = import ./profiles/backend.nix;
+        frontend = import ./profiles/frontend.nix;
+        minimal = import ./profiles/minimal.nix;
+      };
+
+      darwinSystem = args: import ./systems/darwin/default.nix ({ inherit inputs; } // args);
+      linuxHome = args: import ./systems/linux/default.nix ({ inherit inputs; } // args);
     in
     {
-      homeManagerModules.default = ./modules/home.nix;
-      homeManagerModules.helpers = ./modules/helpers/home.nix;
-
-      packages = forAllSystems (system: {
-        nodeiwest-helper = deployment.packages.${system}.nodeiwest-helper;
-        default = self.packages.${system}.nodeiwest-helper;
-      });
-
-      apps = forAllSystems (system: {
-        nodeiwest-helper = {
-          type = "app";
-          program = "${self.packages.${system}.nodeiwest-helper}/bin/nodeiwest";
+      lib = {
+        inherit (defaults) companySessionVariables forAllSystems supportedSystems;
+        mkProfile = import ./lib/mkProfile.nix;
+        mkSystem = import ./lib/mkSystem.nix {
+          systems = {
+            darwin = darwinSystem;
+            linux = linuxHome;
+          };
         };
-        default = self.apps.${system}.nodeiwest-helper;
-      });
+        shells = shellFactories;
+        systems = {
+          darwin = darwinSystem;
+          linux = linuxHome;
+        };
+      };
+
+      homeManagerModules = {
+        base = {
+          nix = import ./modules/base/nix.nix;
+          core = import ./modules/base/core.nix;
+          shell = import ./modules/base/shell.nix;
+          fonts = import ./modules/base/fonts.nix;
+        };
+
+        dev = {
+          node = import ./modules/dev/node.nix;
+          go = import ./modules/dev/go.nix;
+          rust = import ./modules/dev/rust.nix;
+          docker = import ./modules/dev/docker.nix;
+        };
+
+        roles = {
+          backend = import ./modules/roles/backend.nix;
+          frontend = import ./modules/roles/frontend.nix;
+          infra = import ./modules/roles/infra.nix;
+          minimal = import ./modules/roles/minimal.nix;
+        };
+
+        services = {
+          tailscale = import ./modules/services/tailscale.nix;
+          ssh = import ./modules/services/ssh.nix;
+          gpg = import ./modules/services/gpg.nix;
+        };
+
+        secrets = {
+          env = import ./modules/secrets/env.nix;
+          openbao = import ./modules/secrets/openbao.nix;
+        };
+
+        optional = {
+          homebrew = import ./modules/optional/homebrew.nix;
+          gui = import ./modules/optional/gui.nix;
+          devtools = import ./modules/optional/devtools.nix;
+        };
+
+        profiles = profileModules;
+
+        default = import ./modules/home.nix;
+      };
+
+      devShells = forAllSystems (
+        system:
+        let
+          pkgs = import nixpkgs { inherit system; };
+        in
+        {
+          default = shellFactories.default { inherit pkgs; };
+          node = shellFactories.node { inherit pkgs; };
+          go = shellFactories.go { inherit pkgs; };
+          rust = shellFactories.rust { inherit pkgs; };
+        }
+      );
+
+      formatter = forAllSystems (
+        system:
+        let
+          pkgs = import nixpkgs { inherit system; };
+        in
+        pkgs.nixfmt
+      );
+
+      templates = {
+        user-flake = {
+          path = ./templates/user-flake;
+          description = "Starter personal flake wired to NodeiWest profiles.";
+        };
+      };
     };
 }

lib/defaults.nix

@@ -0,0 +1,20 @@
+{ lib }:
+let
+  supportedSystems = [
+    "aarch64-darwin"
+    "x86_64-darwin"
+    "x86_64-linux"
+  ];
+in
+{
+  inherit supportedSystems;
+
+  forAllSystems = f: lib.genAttrs supportedSystems f;
+
+  companySessionVariables = {
+    BAO_ADDR = "https://secrets.api.nodeiwest.se";
+    SOME_REGISTRY = "git.dgren.dev";
+  };
+
+  stateVersion = "24.11";
+}

lib/mkProfile.nix

@@ -0,0 +1,7 @@
+{
+  modules ? [ ],
+  extraModules ? [ ],
+}:
+{
+  imports = modules ++ extraModules;
+}

lib/mkSystem.nix

@@ -0,0 +1,15 @@
+{ systems }:
+{
+  target,
+  ...
+}@args:
+let
+  adapter =
+    if target == "darwin" then
+      systems.darwin
+    else if target == "linux" then
+      systems.linux
+    else
+      throw "Unsupported target `${target}`. Expected `darwin` or `linux`.";
+in
+adapter (builtins.removeAttrs args [ "target" ])

modules/base/core.nix

@@ -0,0 +1,19 @@
+{ lib, pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    age
+    curl
+    fd
+    git
+    jq
+    just
+    ripgrep
+    sops
+  ];
+
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+    signing.format = lib.mkDefault "openpgp";
+  };
+}

modules/base/fonts.nix

@@ -0,0 +1,11 @@
+{ lib, pkgs, ... }:
+let
+  jetbrainsMono = lib.attrByPath [ "nerd-fonts" "jetbrains-mono" ] null pkgs;
+in
+{
+  fonts.fontconfig.enable = pkgs.stdenv.isLinux;
+
+  home.packages = builtins.filter (pkg: pkg != null) [
+    jetbrainsMono
+  ];
+}

modules/base/nix.nix

@@ -0,0 +1,14 @@
+{ lib, pkgs, ... }:
+{
+  programs.home-manager.enable = true;
+
+  nix.package = lib.mkDefault pkgs.nix;
+
+  nix.settings = {
+    experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+    warn-dirty = false;
+  };
+}

modules/base/shell.nix

@@ -0,0 +1,20 @@
+{ ... }:
+{
+  programs.bash.enable = true;
+
+  programs.zsh = {
+    enable = true;
+    autocd = true;
+    enableCompletion = true;
+    shellAliases = {
+      l = "ls -CF";
+      la = "ls -A";
+      ll = "ls -alF";
+    };
+  };
+
+  programs.direnv = {
+    enable = true;
+    nix-direnv.enable = true;
+  };
+}

modules/dev/docker.nix

@@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+let
+  optionalPackage = path: lib.attrByPath path null pkgs;
+in
+{
+  home.packages = builtins.filter (pkg: pkg != null) (
+    [
+      (optionalPackage [ "docker-client" ])
+      (optionalPackage [ "docker-compose" ])
+      (optionalPackage [ "lazydocker" ])
+    ]
+    ++ lib.optionals pkgs.stdenv.isDarwin [
+      (optionalPackage [ "colima" ])
+    ]
+  );
+}

modules/dev/go.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    go
+    gopls
+  ];
+}

modules/dev/node.nix

@@ -0,0 +1,10 @@
+{ lib, pkgs, ... }:
+let
+  nodejs = lib.attrByPath [ "nodejs_20" ] pkgs.nodejs pkgs;
+in
+{
+  home.packages = [
+    nodejs
+    pkgs.pnpm
+  ];
+}

modules/dev/rust.nix

@@ -0,0 +1,13 @@
+{ lib, pkgs, ... }:
+let
+  optionalPackage = path: lib.attrByPath path null pkgs;
+in
+{
+  home.packages = builtins.filter (pkg: pkg != null) [
+    pkgs.cargo
+    pkgs.rustc
+    (optionalPackage [ "rust-analyzer" ])
+    (optionalPackage [ "rustfmt" ])
+    (optionalPackage [ "clippy" ])
+  ];
+}

modules/helpers/home.nix

@@ -1,6 +0,0 @@
-{ pkgs, deployment, ... }:
-{
-  home.packages = [
-    deployment.packages.${pkgs.system}.nodeiwest-helper
-  ];
-}

modules/home.nix

@@ -1,19 +1,9 @@
-{ pkgs, lib, ... }:
+{ pkgs, ... }:
 {
-  imports = [ ./helpers/home.nix ];
-
-  # Company env vars — available in all shells
-  home.sessionVariables = {
-    BAO_ADDR = "https://secrets.api.nodeiwest.se";
-    SOME_REGISTRY = "git.dgren.dev";
-    # etc.
-  };
-
-  home.packages = with pkgs; [
-    # Tools every dev needs
-    openbao
-    colmena
-    # etc.
-    sops
+  imports = [
+    ../profiles/minimal.nix
+    ./secrets/openbao.nix
   ];
+
+  home.packages = [ pkgs.colmena ];
 }

modules/optional/devtools.nix

@@ -0,0 +1,11 @@
+{ lib, pkgs, ... }:
+let
+  optionalPackage = path: lib.attrByPath path null pkgs;
+in
+{
+  home.packages = builtins.filter (pkg: pkg != null) [
+    (optionalPackage [ "nil" ])
+    (optionalPackage [ "nixd" ])
+    (optionalPackage [ "nixfmt" ])
+  ];
+}

modules/optional/gui.nix

@@ -0,0 +1,9 @@
+{ lib, pkgs, ... }:
+let
+  wezterm = lib.attrByPath [ "wezterm" ] null pkgs;
+in
+{
+  home.packages = builtins.filter (pkg: pkg != null) [
+    wezterm
+  ];
+}

modules/optional/homebrew.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  # Intentionally empty. This is the seam downstream workstations can use to
+  # compose nix-homebrew or Homebrew-specific activation without coupling it
+  # into the shared base roles.
+}

modules/roles/backend.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  imports = [
+    ./minimal.nix
+    ../dev/node.nix
+    ../dev/go.nix
+    ../dev/docker.nix
+    ../services/ssh.nix
+    ../services/gpg.nix
+    ../secrets/openbao.nix
+    ../optional/devtools.nix
+  ];
+}

modules/roles/frontend.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  imports = [
+    ./minimal.nix
+    ../base/fonts.nix
+    ../dev/node.nix
+    ../services/gpg.nix
+    ../optional/devtools.nix
+    ../optional/gui.nix
+  ];
+}

modules/roles/infra.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./minimal.nix
+    ../dev/go.nix
+    ../dev/docker.nix
+    ../services/ssh.nix
+    ../services/tailscale.nix
+    ../services/gpg.nix
+    ../secrets/openbao.nix
+    ../optional/devtools.nix
+  ];
+
+  home.packages = [ pkgs.colmena ];
+}

modules/roles/minimal.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ../base/nix.nix
+    ../base/core.nix
+    ../base/shell.nix
+    ../secrets/env.nix
+  ];
+}

modules/secrets/env.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+  defaults = import ../../lib/defaults.nix { inherit lib; };
+in
+{
+  home.sessionVariables = defaults.companySessionVariables;
+}

modules/secrets/openbao.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  imports = [ ./env.nix ];
+
+  home.packages = [ pkgs.openbao ];
+}

modules/services/gpg.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  programs.gpg.enable = true;
+
+  services.gpg-agent = {
+    enable = true;
+    enableBashIntegration = true;
+    enableZshIntegration = true;
+    pinentry.package = pkgs.pinentry-curses;
+  };
+}

modules/services/ssh.nix

@@ -0,0 +1,22 @@
+{ lib, ... }:
+{
+  programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+
+    matchBlocks."*" = {
+      addKeysToAgent = lib.mkDefault "yes";
+      compression = lib.mkDefault false;
+      controlMaster = lib.mkDefault "no";
+      controlPath = lib.mkDefault "~/.ssh/master-%r@%n:%p";
+      controlPersist = lib.mkDefault "no";
+      forwardAgent = lib.mkDefault true;
+      hashKnownHosts = lib.mkDefault false;
+      serverAliveCountMax = lib.mkDefault 3;
+      serverAliveInterval = lib.mkDefault 0;
+      userKnownHostsFile = lib.mkDefault "~/.ssh/known_hosts";
+    };
+  };
+
+  services.ssh-agent.enable = true;
+}

modules/services/tailscale.nix

@@ -0,0 +1,9 @@
+{ lib, pkgs, ... }:
+let
+  tailscale = lib.attrByPath [ "tailscale" ] null pkgs;
+in
+{
+  home.packages = builtins.filter (pkg: pkg != null) [
+    tailscale
+  ];
+}

profiles/backend.nix

@@ -0,0 +1,8 @@
+let
+  mkProfile = import ../lib/mkProfile.nix;
+in
+mkProfile {
+  modules = [
+    ../modules/roles/backend.nix
+  ];
+}

profiles/frontend.nix

@@ -0,0 +1,8 @@
+let
+  mkProfile = import ../lib/mkProfile.nix;
+in
+mkProfile {
+  modules = [
+    ../modules/roles/frontend.nix
+  ];
+}

profiles/minimal.nix

@@ -0,0 +1,10 @@
+let
+  mkProfile = import ../lib/mkProfile.nix;
+in
+mkProfile {
+  modules = [
+    ../modules/roles/minimal.nix
+    ../modules/services/ssh.nix
+    ../modules/optional/devtools.nix
+  ];
+}

shells/default.nix

@@ -0,0 +1,20 @@
+{
+  pkgs,
+  extraPackages ? [ ],
+  inputsFrom ? [ ],
+  shellHook ? "",
+}:
+pkgs.mkShell {
+  inherit inputsFrom shellHook;
+
+  packages =
+    (with pkgs; [
+      git
+      jq
+      just
+      nil
+      nixd
+      nixfmt
+    ])
+    ++ extraPackages;
+}

shells/go.nix

@@ -0,0 +1,16 @@
+{
+  pkgs,
+  extraPackages ? [ ],
+  inputsFrom ? [ ],
+  shellHook ? "",
+}:
+pkgs.mkShell {
+  inherit inputsFrom shellHook;
+
+  packages =
+    (with pkgs; [
+      go
+      gopls
+    ])
+    ++ extraPackages;
+}

shells/node.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  pkgs,
+  extraPackages ? [ ],
+  inputsFrom ? [ ],
+  shellHook ? "",
+}:
+let
+  nodejs = lib.attrByPath [ "nodejs_20" ] pkgs.nodejs pkgs;
+in
+pkgs.mkShell {
+  inherit inputsFrom shellHook;
+
+  packages = [
+    nodejs
+    pkgs.pnpm
+  ]
+  ++ extraPackages;
+}

shells/rust.nix

@@ -0,0 +1,24 @@
+{
+  lib,
+  pkgs,
+  extraPackages ? [ ],
+  inputsFrom ? [ ],
+  shellHook ? "",
+}:
+let
+  optionalPackage = path: lib.attrByPath path null pkgs;
+in
+pkgs.mkShell {
+  inherit inputsFrom shellHook;
+
+  packages = builtins.filter (pkg: pkg != null) (
+    [
+      pkgs.cargo
+      pkgs.rustc
+      (optionalPackage [ "rust-analyzer" ])
+      (optionalPackage [ "rustfmt" ])
+      (optionalPackage [ "clippy" ])
+    ]
+    ++ extraPackages
+  );
+}

systems/darwin/default.nix

@@ -0,0 +1,42 @@
+{
+  inputs,
+  system,
+  username,
+  homeDirectory,
+  modules ? [ ],
+  darwinStateVersion ? 6,
+  stateVersion ? "24.11",
+  extraSpecialArgs ? { },
+}:
+inputs.nix-darwin.lib.darwinSystem {
+  inherit system;
+
+  specialArgs = extraSpecialArgs // {
+    inherit inputs;
+  };
+
+  modules = [
+    inputs.home-manager.darwinModules.home-manager
+    {
+      system.stateVersion = darwinStateVersion;
+
+      users.users = {
+        ${username}.home = homeDirectory;
+      };
+
+      home-manager.useGlobalPkgs = true;
+      home-manager.useUserPackages = true;
+      home-manager.extraSpecialArgs = extraSpecialArgs // {
+        inherit inputs;
+      };
+      home-manager.users = {
+        ${username} = {
+          imports = modules;
+          home = {
+            inherit stateVersion username;
+          };
+        };
+      };
+    }
+  ];
+}

systems/linux/default.nix

@@ -0,0 +1,24 @@
+{
+  inputs,
+  system,
+  username,
+  homeDirectory,
+  modules ? [ ],
+  stateVersion ? "24.11",
+  extraSpecialArgs ? { },
+}:
+inputs.home-manager.lib.homeManagerConfiguration {
+  pkgs = import inputs.nixpkgs { inherit system; };
+  extraSpecialArgs = extraSpecialArgs // {
+    inherit inputs;
+  };
+
+  modules = [
+    {
+      home = {
+        inherit homeDirectory stateVersion username;
+      };
+    }
+  ]
+  ++ modules;
+}

templates/user-flake/flake.nix

@@ -0,0 +1,36 @@
+{
+  description = "Starter personal flake for NodeiWest employees";
+
+  inputs = {
+    # Adjust the repo path if you publish this under a different name.
+    company.url = "git+ssh://git@git.dgren.dev/employees/company-nix.git";
+  };
+
+  outputs =
+    { company, ... }:
+    let
+      username = "your-name";
+    in
+    {
+      # Remove whichever target you do not need.
+      homeConfigurations."${username}@linux" = company.lib.mkSystem {
+        target = "linux";
+        system = "x86_64-linux";
+        inherit username;
+        homeDirectory = "/home/${username}";
+        modules = [
+          company.homeManagerModules.profiles.backend
+        ];
+      };
+
+      darwinConfigurations."${username}-mac" = company.lib.mkSystem {
+        target = "darwin";
+        system = "aarch64-darwin";
+        inherit username;
+        homeDirectory = "/Users/${username}";
+        modules = [
+          company.homeManagerModules.profiles.frontend
+        ];
+      };
+    };
+}