snowfall migration

modules/nixos/display-managers/sddm/default.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.display-managers.sddm;
+in
+{
+  options.${namespace}.display-managers.sddm = {
+    enable = lib.mkEnableOption "sddm";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      catppuccin-sddm
+    ];
+
+    services = {
+      displayManager = {
+        sddm = {
+          inherit (cfg) enable;
+          package = pkgs.kdePackages.sddm;
+          theme = "catppuccin-mocha";
+          wayland.enable = true;
+        };
+      };
+    };
+
+    environment.sessionVariables = {
+      QT_SCREEN_SCALE_FACTORS = "2";
+      QT_FONT_DPI = "192";
+    };
+  };
+}

modules/nixos/hardware/asahi/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, inputs, namespace, ... }:
+let
+  inherit (lib) types optionalAttrs;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+
+  cfg = config.${namespace}.hardware.asahi;
+in
+{
+  imports = [
+    inputs.apple-silicon.nixosModules.default
+  ];
+
+  options.${namespace}.hardware.asahi = {
+    enable = lib.mkEnableOption "support for asahi linux";
+    enableGPU = mkBoolOpt false "enable gpu driver";
+    firmwareDirectory = mkOpt types.path null "firmware directory";
+  };
+
+  config = {
+    hardware.asahi = {
+      enable = cfg.enable;
+    } // optionalAttrs cfg.enable {
+      peripheralFirmwareDirectory = cfg.firmwareDirectory;
+      useExperimentalGPUDriver = cfg.enableGPU;
+    };
+  };
+}

modules/nixos/hardware/opengl/default.nix

@@ -0,0 +1,44 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf;
+  inherit (lib.${namespace}) mkBoolOpt;
+
+  cfg = config.${namespace}.hardware.opengl;
+in
+{
+  options.${namespace}.hardware.opengl = {
+    enable = lib.mkEnableOption "support for opengl";
+    enable32Bit = mkBoolOpt false "enable 32-bit";
+    enableIntel = mkBoolOpt false "support for intel";
+    enableNvidia = mkBoolOpt false "support for nvidia";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      libva-utils
+      vdpauinfo
+    ] ++ lib.optionals cfg.enableNvidia [
+      nvtopPackages.full
+    ] ++ lib.optionals cfg.enableIntel [
+      intel-gpu-tools
+    ];
+
+    # Add Intel Arc / Nvidia Drivers
+    hardware.enableRedistributableFirmware = cfg.enableIntel;
+    hardware.graphics = {
+      enable = true;
+      enable32Bit = cfg.enable32Bit;
+
+      extraPackages = with pkgs;
+        lib.optionals cfg.enableIntel [
+          libvdpau-va-gl
+          intel-vaapi-driver
+          intel-media-driver
+          intel-compute-runtime
+          intel-ocl
+        ] ++ lib.optionals cfg.enableNvidia [
+          cudatoolkit
+        ];
+    };
+  };
+}

modules/nixos/nix/default.nix

@@ -0,0 +1,102 @@
+{ config, lib, pkgs, inputs, namespace, host, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkBoolOpt mkOpt;
+
+  cfg = config.${namespace}.nix;
+in
+{
+  options.${namespace}.nix = {
+    enable = mkBoolOpt true "Whether or not to manage nix configuration.";
+    package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use.";
+  };
+
+  config = mkIf cfg.enable {
+    nix =
+      let
+        mappedRegistry = lib.pipe inputs [
+          (lib.filterAttrs (_: lib.isType "flake"))
+          (lib.mapAttrs (_: flake: { inherit flake; }))
+          (x: x // {
+            nixpkgs.flake = if pkgs.stdenv.hostPlatform.isLinux then inputs.nixpkgs else inputs.nixpkgs-unstable;
+          })
+          (x: if pkgs.stdenv.hostPlatform.isDarwin then lib.removeAttrs x [ "nixpkgs-unstable" ] else x)
+        ];
+        users = [
+          "root"
+          "@wheel"
+          "nix-builder"
+          "evanreichard"
+        ];
+      in
+      {
+        inherit (cfg) package;
+
+        buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") {
+          hostName = "10.0.50.130";
+          systems = [ "x86_64-linux" ];
+          sshUser = "evanreichard";
+          protocol = "ssh";
+          sshKey = config.sops.secrets.builder_ssh_key.path;
+          supportedFeatures = [
+            "benchmark"
+            "big-parallel"
+            "nixos-test"
+            "kvm"
+          ];
+        };
+
+        checkConfig = true;
+        distributedBuilds = true;
+        optimise.automatic = true;
+        registry = mappedRegistry;
+
+        gc = {
+          automatic = true;
+          options = "--delete-older-than 7d";
+        };
+
+        settings = {
+          connect-timeout = 5;
+          allowed-users = users;
+          max-jobs = "auto";
+          auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux;
+          builders-use-substitutes = true;
+          experimental-features = [
+            "nix-command"
+            "flakes "
+          ];
+          flake-registry = "/etc/nix/registry.json";
+          http-connections = 50;
+          keep-derivations = true;
+          keep-going = true;
+          keep-outputs = true;
+          log-lines = 50;
+          sandbox = true;
+          trusted-users = users;
+          warn-dirty = false;
+          use-xdg-base-directories = true;
+
+          substituters = [
+            "https://anyrun.cachix.org"
+            "https://cache.nixos.org"
+            "https://hyprland.cachix.org"
+            "https://nix-community.cachix.org"
+            "https://nixpkgs-unfree.cachix.org"
+            "https://nixpkgs-wayland.cachix.org"
+            "https://numtide.cachix.org"
+          ];
+
+          trusted-public-keys = [
+            "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+            "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+            "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
+            "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+            "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
+          ];
+        };
+      };
+  };
+}

modules/nixos/programs/graphical/wms/hyprland/default.nix

@@ -0,0 +1,28 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.programs.graphical.wms.hyprland;
+in
+{
+  options.${namespace}.programs.graphical.wms.hyprland = {
+    enable = lib.mkEnableOption "Hyprland";
+  };
+
+  config = mkIf cfg.enable {
+    programs = {
+      hyprland = {
+        enable = true;
+        withUWSM = true;
+      };
+    };
+
+    reichard = {
+      display-managers = {
+        sddm = {
+          enable = true;
+        };
+      };
+    };
+  };
+}

modules/nixos/security/sops/default.nix

@@ -0,0 +1,31 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.security.sops;
+in
+{
+  options.${namespace}.security.sops = {
+    enable = lib.mkEnableOption "sops";
+    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+    sshKeyPaths = mkOpt (with lib.types; listOf path) [
+      # "/etc/ssh/ssh_host_ed25519_key"
+    ] "SSH Key paths to use.";
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops = {
+      inherit (cfg) defaultSopsFile;
+
+      age = {
+        inherit (cfg) sshKeyPaths;
+
+        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
+      };
+    };
+
+    sops.secrets.builder_ssh_key = {
+      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+    };
+  };
+}

modules/nixos/services/avahi/default.nix

@@ -0,0 +1,33 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.avahi;
+in
+{
+  options.${namespace}.services.avahi = {
+    enable = lib.mkEnableOption "Avahi";
+  };
+
+  config = mkIf cfg.enable {
+    services.avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+      publish = {
+        enable = true;
+        addresses = true;
+        domain = true;
+        hinfo = true;
+        userServices = true;
+        workstation = true;
+      };
+    };
+
+    # Cloud Init
+    systemd.services.avahi-daemon = mkIf config.${namespace}.services.cloud-init.enable {
+      after = [ "cloud-final.service" ];
+      requires = [ "cloud-final.service" ];
+    };
+  };
+}

modules/nixos/services/cloud-init/default.nix

@@ -0,0 +1,27 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.cloud-init;
+in
+{
+  options.${namespace}.services.cloud-init = {
+    enable = lib.mkEnableOption "Enable Cloud-Init";
+  };
+
+  config = mkIf cfg.enable {
+    services.cloud-init = {
+      enable = true;
+      network.enable = true;
+      settings = {
+        datasource_list = [ "NoCloud" ];
+        preserve_hostname = false;
+        system_info = {
+          distro = "nixos";
+          network.renderers = [ "networkd" ];
+        };
+      };
+    };
+    networking.hostName = lib.mkForce "";
+  };
+}

modules/nixos/services/openiscsi/default.nix

@@ -0,0 +1,57 @@
+{ config, pkgs, lib, namespace, host, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+
+  cfg = config.${namespace}.services.openiscsi;
+  cloudInitEnabled = config.${namespace}.services.cloud-init.enable;
+in
+{
+  options.${namespace}.services.openiscsi = {
+    enable = lib.mkEnableOption "Open iSCSI support";
+    name = mkOpt types.str "iqn.2025.reichard.io:${host}" "iSCSI name";
+    symlink = mkBoolOpt false "Create a symlink to the iSCSI binaries";
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernelModules = [ "iscsi_tcp" "libiscsi" "scsi_transport_iscsi" ];
+
+    services.openiscsi = {
+      enable = true;
+      name = cfg.name;
+    };
+
+    environment.systemPackages = with pkgs; [
+      openiscsi
+    ];
+
+    # Predominately used for RKE2 & Democratic CSI
+    system.activationScripts.iscsi-symlink = mkIf cfg.symlink ''
+      mkdir -p /usr/bin
+      ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
+      ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
+    '';
+
+    # Cloud Init Compatibility
+    environment.etc."iscsi/initiatorname.iscsi".enable = mkIf cloudInitEnabled false;
+    systemd.services.iscsi-initiator-setup = mkIf cloudInitEnabled {
+      description = "Setup iSCSI Initiator Name";
+      requires = [ "cloud-final.service" ];
+      before = [ "iscsid.service" ];
+      after = [ "cloud-final.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+
+      path = [ pkgs.hostname pkgs.util-linux ];
+      script = ''
+        mkdir -p /run/iscsi
+        echo "InitiatorName=iqn.2025.org.nixos:$(hostname)" > /run/iscsi/initiatorname.iscsi
+        mount --bind /run/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
+      '';
+    };
+  };
+}

modules/nixos/services/openssh/default.nix

@@ -0,0 +1,78 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib)
+    types
+    mkDefault
+    mkIf
+    ;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.services.openssh;
+
+  authorizedKeys = [
+    # evanreichard@lin-va-mbp-personal
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
+  ];
+in
+{
+  options.${namespace}.services.openssh = with types; {
+    enable = lib.mkEnableOption "OpenSSH support";
+    authorizedKeys = mkOpt (listOf str) authorizedKeys "The public keys to apply.";
+    extraConfig = mkOpt str "" "Extra configuration to apply.";
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+
+      hostKeys = mkDefault [
+        {
+          bits = 4096;
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+
+      openFirewall = true;
+      ports = [ 22 ];
+
+      settings = {
+        AuthenticationMethods = "publickey";
+        ChallengeResponseAuthentication = "no";
+        PasswordAuthentication = false;
+        PermitRootLogin = "prohibit-password";
+        PubkeyAuthentication = "yes";
+        StreamLocalBindUnlink = "yes";
+        UseDns = false;
+        UsePAM = true;
+        X11Forwarding = false;
+
+        KexAlgorithms = [
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+          "diffie-hellman-group-exchange-sha256"
+          "sntrup761x25519-sha512@openssh.com"
+        ];
+
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+        ];
+      };
+
+      startWhenNeeded = true;
+    };
+
+    programs.ssh = {
+      startAgent = lib.mkDefault true;
+      inherit (cfg) extraConfig;
+    };
+
+    reichard = {
+      user.extraOptions.openssh.authorizedKeys.keys = cfg.authorizedKeys;
+    };
+  };
+}

modules/nixos/services/rke2/default.nix

@@ -0,0 +1,53 @@
+{ config, pkgs, lib, namespace, ... }:
+let
+  inherit (lib) types mkIf;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+
+  cfg = config.${namespace}.services.rke2;
+in
+{
+  options.${namespace}.services.rke2 = with types; {
+    enable = lib.mkEnableOption "Enable RKE2";
+    disable = mkOpt (listOf str) [ ] "Disable services";
+    openFirewall = mkBoolOpt true "Open firewall";
+  };
+
+  config = mkIf cfg.enable {
+    services.rke2 = {
+      enable = true;
+      disable = cfg.disable;
+    };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      6443 # Kubernetes API
+      9345 # RKE2 supervisor API
+      2379 # etcd Client Port
+      2380 # etcd Peer Port
+      2381 # etcd Metrics Port
+      10250 # kubelet metrics
+      9099 # Canal CNI health checks
+
+      # MetalLB
+      7946 # memberlist
+    ];
+
+    environment.systemPackages = with pkgs; [ nfs-utils ];
+
+    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [
+      # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+      8472 # Canal CNI with VXLAN
+      # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
+      # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
+
+      # MetalLB
+      7946 # memberlist
+    ];
+
+    # Cloud Init
+    systemd.services.rke2-server = mkIf config.${namespace}.services.cloud-init.enable {
+      after = [ "cloud-final.service" ];
+      requires = [ "cloud-final.service" ];
+    };
+  };
+}

modules/nixos/services/ydotool/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.services.ydotool;
+in
+{
+  options.${namespace}.services.ydotool = {
+    enable = lib.mkEnableOption "ydotool";
+  };
+
+  config = mkIf cfg.enable {
+    reichard.user.extraGroups = [ "input" ];
+    programs.ydotool = {
+      enable = true;
+      group = "input";
+    };
+  };
+}

modules/nixos/system/boot/default.nix

@@ -0,0 +1,52 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkDefault;
+
+  cfg = config.${namespace}.system.boot;
+in
+{
+  options.${namespace}.system.boot = {
+    enable = lib.mkEnableOption "Enable Boot";
+    xenGuest = lib.mkEnableOption "Enable Xen Guest";
+    showNotch = lib.mkEnableOption "Show macOS Notch";
+    silentBoot = lib.mkEnableOption "Silent Boot";
+  };
+
+  config = mkIf cfg.enable {
+    services.xe-guest-utilities.enable = mkIf cfg.xenGuest true;
+
+    boot = {
+      kernelParams = lib.optionals cfg.silentBoot [
+        "quiet"
+        "loglevel=3"
+        "udev.log_level=3"
+        "rd.udev.log_level=3"
+        "systemd.show_status=auto"
+        "rd.systemd.show_status=auto"
+        "vt.global_cursor_default=0"
+      ] ++ lib.optionals cfg.showNotch [
+        "apple_dcp.show_notch=1"
+      ];
+
+      loader = {
+        efi = {
+          canTouchEfiVariables = false;
+        };
+
+        systemd-boot = {
+          enable = true;
+          configurationLimit = 20;
+          editor = false;
+        };
+
+        timeout = mkDefault 1;
+      };
+
+      initrd = mkIf cfg.xenGuest {
+        kernelModules = [ "xen_netfront" "xen_blkfront" ];
+        supportedFilesystems = [ "xenfs" ];
+      };
+      kernelModules = mkIf cfg.xenGuest [ "xen_netfront" "xen_blkfront" "xenfs" ];
+    };
+  };
+}

modules/nixos/system/disk/default.nix

@@ -0,0 +1,55 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib.${namespace}) mkOpt;
+  inherit (lib) mkIf types;
+
+  cfg = config.${namespace}.system.disk;
+in
+{
+  options.${namespace}.system.disk = {
+    enable = lib.mkEnableOption "Disko Configuration";
+    diskPath = mkOpt types.str null "Device path for the main disk";
+  };
+
+  config = mkIf cfg.enable {
+    disko.devices = {
+      disk = {
+        main = {
+          type = "disk";
+          device = cfg.diskPath;
+          content = {
+            type = "gpt";
+            partitions = {
+              boot = {
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  mountOptions = [ "umask=0077" ];
+                };
+              };
+              root = {
+                size = "100%";
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+              swap = {
+                size = "32G";
+                content = {
+                  type = "swap";
+                  discardPolicy = "both";
+                  resumeDevice = true;
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

modules/nixos/system/networking/default.nix

@@ -0,0 +1,71 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) types mkIf mkForce mkOption mkEnableOption;
+  inherit (lib.${namespace}) mkBoolOpt enabled;
+
+  cfg = config.${namespace}.system.networking;
+in
+{
+  options.${namespace}.system.networking = {
+    enable = mkEnableOption "Enable Networking";
+    enableIWD = mkEnableOption "Enable IWD";
+    useDHCP = mkBoolOpt true "Use DHCP";
+    useNetworkd = mkBoolOpt false "Use networkd";
+    useStatic = mkOption {
+      type = types.nullOr (types.submodule {
+        options = {
+          interface = mkOption {
+            type = lib.types.str;
+            description = "Network interface name";
+            example = "enp0s3";
+          };
+          address = mkOption {
+            type = types.str;
+            description = "Static IP address";
+            example = "10.0.20.200";
+          };
+          defaultGateway = mkOption {
+            type = types.str;
+            description = "Default gateway IP";
+            example = "10.0.20.254";
+          };
+          nameservers = mkOption {
+            type = types.listOf types.str;
+            description = "List of DNS servers";
+            example = [ "10.0.20.254" "8.8.8.8" ];
+            default = [ "8.8.8.8" "8.8.4.4" ];
+          };
+        };
+      });
+      default = null;
+      description = "Static Network Configuration";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      mtr
+      tcpdump
+      traceroute
+    ];
+
+    reichard.user.extraGroups = [ "network" ];
+
+    networking = {
+      firewall = enabled;
+      useDHCP = mkForce (cfg.useDHCP && cfg.useStatic == null);
+      useNetworkd = cfg.useNetworkd;
+    } // (lib.optionalAttrs (cfg.enableIWD) {
+      wireless.iwd = {
+        enable = true;
+        settings.General.EnableNetworkConfiguration = true;
+      };
+    }) // (lib.optionalAttrs (cfg.useStatic != null) {
+      inherit (cfg.useStatic) defaultGateway nameservers;
+      interfaces.${cfg.useStatic.interface}.ipv4.addresses = [{
+        inherit (cfg.useStatic) address;
+        prefixLength = 24;
+      }];
+    });
+  };
+}

modules/nixos/system/networking/networkmanager/default.nix

@@ -0,0 +1,26 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.system.networking;
+in
+{
+  config = mkIf cfg.enable {
+    reichard.user.extraGroups = [ "networkmanager" ];
+
+    networking.networkmanager = {
+      enable = true;
+
+      connectionConfig = {
+        "connection.mdns" = "2";
+      };
+
+      # unmanaged = [
+      #   "interface-name:br-*"
+      #   "interface-name:rndis*"
+      # ]
+      # ++ lib.optionals config.${namespace}.virtualisation.podman.enable [ "interface-name:docker*" ]
+      # ++ lib.optionals config.${namespace}.virtualisation.kvm.enable [ "interface-name:virbr*" ];
+    };
+  };
+}

modules/nixos/user/default.nix

@@ -0,0 +1,30 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) types;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.user;
+in
+{
+  options.${namespace}.user = with types; {
+    email = mkOpt str "evan@reichard.io" "The email of the user.";
+    extraGroups = mkOpt (listOf str) [ ] "Groups for the user to be assigned.";
+    extraOptions = mkOpt attrs { } "Extra options passed to <option>users.users.<name></option>.";
+    fullName = mkOpt str "Evan Reichard" "The full name of the user.";
+    initialPassword = mkOpt str "changeMe2025!" "The initial password to use when the user is first created.";
+    name = mkOpt str "evanreichard" "The name to use for the user account.";
+  };
+
+  config = {
+    users.users.${cfg.name} = {
+      inherit (cfg) name initialPassword;
+
+      group = "users";
+      home = "/home/${cfg.name}";
+      extraGroups = [ "wheel" ] ++ cfg.extraGroups;
+      isNormalUser = true;
+      shell = pkgs.bashInteractive;
+      uid = 1000;
+    } // cfg.extraOptions;
+  };
+}

modules/nixos/virtualisation/podman/default.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.virtualisation.podman;
+in
+{
+  options.${namespace}.virtualisation.podman = {
+    enable = lib.mkEnableOption "podman";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      podman-compose
+      podman-desktop
+    ];
+
+    reichard = {
+      user = {
+        extraGroups = [
+          "docker"
+          "podman"
+        ];
+      };
+    };
+
+    virtualisation = {
+      podman = {
+        inherit (cfg) enable;
+
+        autoPrune = {
+          enable = true;
+          flags = [ "--all" ];
+          dates = "weekly";
+        };
+
+        defaultNetwork.settings.dns_enabled = true;
+        dockerCompat = true;
+        dockerSocket.enable = true;
+      };
+    };
+  };
+}