nixos/servers: dont use home-manager

home/applications/fish/default.nix

@@ -1,10 +1,12 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:
 {
   programs.fish = {
     enable = true;
+
     interactiveShellInit = ''
       set fish_greeting
     '';
+
     plugins = [
       {
         name = "autopair";
@@ -19,5 +21,24 @@
         inherit (pkgs.fishPlugins.puffer) src;
       }
     ];
+
+    functions =
+      let
+        jq = lib.getExe pkgs.jq;
+        nix = lib.getExe pkgs.nix;
+        curl = lib.getExe pkgs.curl;
+      in
+      {
+        "pb" = ''
+          ${jq} -Rns '{text: inputs}' | \
+            ${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
+            ${jq} -r '. | "https://pb.ny4.dev\(.path)"'
+        '';
+
+        "getmnter" = ''
+          ${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
+            ${jq} '.[].github | "@" + .' -r
+        '';
+      };
   };
 }

home/applications/ssh/default.nix

@@ -5,10 +5,14 @@
     matchBlocks =
       let
         inherit (config.home) homeDirectory;
+        serverConfig = {
+          identityFile = "${homeDirectory}/.ssh/id_github_signing";
+          user = "root";
+        };
       in
       {
-        "blacksteel".identityFile = "${homeDirectory}/.ssh/id_github_signing";
-        "tyo0.ny4.dev".identityFile = "${homeDirectory}/.ssh/id_github_signing";
+        "blacksteel" = serverConfig;
+        "tyo0.ny4.dev" = serverConfig;
       };
   };
 }

home/default.nix

@@ -1,5 +1,4 @@
 {
-  lib,
   pkgs,
   ...
 }:
@@ -10,46 +9,52 @@
     stateVersion = "23.05";
   };
 
-  imports = [
-    ./applications/atuin
-    ./applications/bash
-    ./applications/bat
-    ./applications/eza
-    ./applications/fish
-    ./applications/git
-    ./applications/gpg
-    ./applications/neovim
-    ./applications/ssh
-    ./applications/starship
-    ./applications/tealdeer
-    ./applications/tmux
-  ];
+  imports =
+    [
+      ./theme.nix
+      ./xdg-mime.nix
+    ]
+    ++ map (n: ./applications/${n}) [
+      "atuin"
+      "bash"
+      "bat"
+      "eza"
+      "fcitx5"
+      "firefox"
+      "fish"
+      "foot"
+      "git"
+      "go"
+      "gpg"
+      "mpv"
+      "nautilus"
+      "neovim"
+      "nix"
+      "ssh"
+      "starship"
+      "sway"
+      "tealdeer"
+      "thunderbird"
+      "tmux"
+      "ydict"
+    ];
 
   programs.jq.enable = true;
+  programs.obs-studio.enable = true;
   programs.ripgrep.enable = true;
   programs.skim.enable = true;
   programs.zoxide.enable = true;
+
   home.packages = with pkgs; [
     fastfetch
     fd
+    dconf-editor
+    file-roller
+    fractal
+    gnome-calculator
+    hyperfine
+    loupe
+    seahorse
   ];
 
-  programs.fish.functions =
-    let
-      jq = lib.getExe pkgs.jq;
-      nix = lib.getExe pkgs.nix;
-      curl = lib.getExe pkgs.curl;
-    in
-    {
-      "pb" = ''
-        ${jq} -Rns '{text: inputs}' | \
-          ${curl} -s -H 'Content-Type: application/json' --data-binary @- https://pb.ny4.dev | \
-          ${jq} -r '. | "https://pb.ny4.dev\(.path)"'
-      '';
-
-      "getmnter" = ''
-        ${nix} eval nixpkgs#{$argv}.meta.maintainers --json | \
-          ${jq} '.[].github | "@" + .' -r
-      '';
-    };
 }

hosts/dust/default.nix

@@ -1,6 +1,8 @@
 {
   lib,
+  config,
   pkgs,
+  inputs,
   ...
 }:
 {
@@ -19,7 +21,27 @@
   time.timeZone = "Asia/Shanghai";
   system.stateVersion = "24.05";
 
-  home-manager.users.guanranwang = import ./home;
+  users.users = {
+    "guanranwang" = {
+      isNormalUser = true;
+      description = "Guanran Wang";
+      hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
+      shell = pkgs.fish;
+      extraGroups = [
+        "wheel"
+        "nix-access-tokens"
+      ];
+    };
+  };
+
+  home-manager = {
+    users.guanranwang = import ../../home;
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {
+      inherit inputs;
+    };
+  };
 
   boot.tmp.useTmpfs = true;
 
@@ -36,6 +58,8 @@
   networking.firewall.allowedUDPPorts = [ 53317 ];
 
   programs.adb.enable = true;
+  programs.dconf.enable = true;
+  programs.fish.enable = true;
   programs.localsend.enable = true;
   programs.seahorse.enable = true;
   programs.ssh = {

hosts/dust/home/default.nix

@@ -1,32 +0,0 @@
-{ pkgs, ... }:
-{
-  imports =
-    [
-      ./theme.nix
-      ./xdg-mime.nix
-    ]
-    ++ map (n: ../../../home/applications/${n}) [
-      "fcitx5"
-      "firefox"
-      "foot"
-      "go"
-      "mpv"
-      "nautilus"
-      "nix"
-      "sway"
-      "thunderbird"
-      "ydict"
-    ];
-
-  home.packages = with pkgs; [
-    dconf-editor
-    file-roller
-    fractal
-    gnome-calculator
-    hyperfine
-    loupe
-    seahorse
-  ];
-
-  programs.obs-studio.enable = true;
-}

nixos/profiles/core/default.nix

@@ -1,5 +1,4 @@
 {
-  config,
   lib,
   inputs,
   pkgs,
@@ -26,15 +25,6 @@
     inputs.self.overlays.patches
   ];
 
-  home-manager = {
-    users.guanranwang = import ../../../home;
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    extraSpecialArgs = {
-      inherit inputs;
-    };
-  };
-
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
   environment.systemPackages = with pkgs; [
@@ -53,55 +43,19 @@
   ];
 
   users.mutableUsers = false;
-  users.users = {
-    "guanranwang" = {
-      isNormalUser = true;
-      description = "Guanran Wang";
-      hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
-      shell = pkgs.fish;
-      extraGroups = [
-        "wheel"
-        "nix-access-tokens"
-      ];
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
-      ];
-    };
-  };
-
   boot.initrd.systemd.enable = true;
   environment.stub-ld.enable = false;
 
   programs.command-not-found.enable = false;
-  programs.dconf.enable = true;
-  programs.fish.enable = true;
   programs.nano.enable = false;
   programs.vim = {
     enable = true;
     defaultEditor = true;
   };
 
-  # Avoid TOFU MITM with github by providing their public key here.
-  programs.ssh.knownHosts = {
-    "github.com".hostNames = [ "github.com" ];
-    "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-
-    "gitlab.com".hostNames = [ "gitlab.com" ];
-    "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
-
-    "git.sr.ht".hostNames = [ "git.sr.ht" ];
-    "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
-  };
-
   # https://archlinux.org/news/making-dbus-broker-our-default-d-bus-daemon/
   services.dbus.implementation = lib.mkDefault "broker";
 
-  services.openssh = {
-    enable = true;
-    settings.PermitRootLogin = lib.mkDefault "no"; # mkDefault for colmena
-    settings.PasswordAuthentication = false;
-  };
-
   security.sudo.execWheelOnly = true;
   security.sudo.extraConfig = ''
     Defaults lecture = never

nixos/profiles/server/default.nix

@@ -1,17 +1,18 @@
-{
-  pkgs,
-  config,
-  ...
-}:
+{ pkgs, ... }:
 {
   environment.systemPackages = with pkgs; [
     foot.terminfo
   ];
 
-  # TODO: colmena
-  services.openssh.settings.PermitRootLogin = "prohibit-password";
-  users.users."root".openssh.authorizedKeys.keys =
-    config.users.users.guanranwang.openssh.authorizedKeys.keys;
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "prohibit-password";
+    settings.PasswordAuthentication = false;
+  };
+
+  users.users."root".openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmd/uqiBahzKcKMJ+gT3dkUIdrWQgudspsDchDlx1E/ guanran928@outlook.com"
+  ];
 
   time.timeZone = "UTC";
 }

nixos/profiles/sing-box/default.nix

@@ -89,7 +89,7 @@
     httpsProxy = "http://127.0.0.1:1080/";
   };
 
-  environment.shellAliases =
+  programs.fish.shellAliases =
     let
       inherit (config.networking.proxy) httpProxy httpsProxy;
     in