chore: refactor system modules

This commit is contained in:
2025-07-05 00:02:39 +02:00
parent d054442c28
commit af1a606c1a
56 changed files with 549 additions and 475 deletions

99
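--- a/system/boot/boot.nix
+++ b/system/boot/boot.nix
@@ -0,0 +1,99 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+with lib; let
+cfg = config.system.boot;
+in {
+options.system.boot = {
+extraModprobeConfig = mkOption {
+type = types.lines;
+default = "";
+example = ''
+options snd_usb_audio vid=0x1235 pid=0x8212 device_setup=1
+'';
+};
+kernel = {
+package = mkOption {
+type = types.raw;
+default = pkgs.linuxPackages_zen;
+};
+modules = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+cpuVendor = mkOption {
+description = "Intel or AMD?";
+type = types.enum ["intel" "amd"];
+default = "amd";
+};
+v4l2loopback = mkOption {
+description = "Enables v4l2loopback";
+type = types.bool;
+default = true;
+};
+hardened = mkEnableOption "Enables hardened Linux kernel";
+};
+systemd-boot = mkOption {
+type = types.bool;
+default = true;
+description = "Does the system use systemd-boot?";
+};
+zfs = {
+enable = mkEnableOption "Enables ZFS";
+pools = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+};
+};
+config.boot = {
+initrd.kernelModules = lists.optional config.system.hardware.amdgpu.enable "amdgpu";
+loader = {
+systemd-boot.enable = cfg.systemd-boot;
+efi.canTouchEfiVariables = cfg.systemd-boot;
+};
+supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
+zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;
+kernelPackages =
+if cfg.kernel.hardened
+then pkgs.linuxPackages_hardened
+else cfg.kernel.package;
+kernelModules =
+cfg.kernel.modules
+++ ["kvm-${cfg.kernel.cpuVendor}"]
+++ lists.optional cfg.kernel.v4l2loopback "v4l2loopback"
+++ lists.optional cfg.kernel.hardened "tcp_bbr";
+kernel.sysctl = mkIf cfg.kernel.hardened {
+"kernel.sysrq" = 0; # Disable magic SysRq key
+# Ignore ICMP broadcasts to avoid participating in Smurf attacks
+"net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+# Ignore bad ICMP errors
+"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+# SYN flood protection
+"net.ipv4.tcp_syncookies" = 1;
+# Do not accept ICMP redirects (prevent MITM attacks)
+"net.ipv4.conf.all.accept_redirects" = 0;
+"net.ipv4.conf.default_accept_redirects" = 0;
+"net.ipv4.conf.all.secure_redirects" = 0;
+"net.ipv4.conf.default.secure_redirects" = 0;
+"net.ipv6.conf.all.accept_redirects" = 0;
+"net.ipv6.conf.default.accept_redirects" = 0;
+# Do not send ICMP redirects (we are not a router)
+"net.ipv4.conf.all.send_redirects" = 0;
+# Do not accept IP source route packets (we are not a router)
+"net.ipv4.conf.all.accept_source_route" = 0;
+"net.ipv6.conf.all.accept_source_route" = 0;
+# Protect against tcp time-wait assassination hazards
+"net.ipv4.tcp_rfc1337" = 1;
+# Latency reduction
+"net.ipv4.tcp_fastopen" = 3;
+# Bufferfloat mitigations
+"net.ipv4.tcp_congestion_control" = "bbr";
+"net.core.default_qdisc" = "cake";
+};
+};
+}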
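Review bot: The key on the `"net.ipv4.conf.default_accept_redirects" = 0;` line is misspelled — the sysctl is `net.ipv4.conf.default.accept_redirects` (dot, not underscore), so the default-interface setting is never applied and sysctl reports an unknown key at activation; change it to `"net.ipv4.conf.default.accept_redirects" = 0;`. The neighbouring keys are also asymmetric: `send_redirects` and IPv4 `accept_source_route` are set for `all` only while the redirect-acceptance keys cover both `all` and `default`, so if the same policy is meant everywhere the `default` variants should be added. Finally, this whole sysctl block is gated on `cfg.kernel.hardened` although nothing in it depends on the hardened kernel package; a comment such as `# network hardening is bundled with the hardened-kernel switch on purpose` (or a separate option) would make that choice explicit.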

7
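--- a/system/boot/default.nix
+++ b/system/boot/default.nix
@@ -0,0 +1,7 @@
+{
+imports = [
+./boot.nix
+./plymouth.nix
+./zram.nix
+];
+}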

33
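--- a/system/boot/plymouth.nix
+++ b/system/boot/plymouth.nix
@@ -0,0 +1,33 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.boot.plymouth;
+in {
+options.system.boot.plymouth.enable = mkEnableOption "Enables Plymouth at system boot";
+config.boot = mkIf cfg.enable {
+plymouth = {
+inherit (cfg) enable;
+theme = "circle_hud";
+themePackages = with pkgs; [
+(adi1090x-plymouth-themes.override {
+selected_themes = ["circle_hud"];
+})
+];
+};
+consoleLogLevel = 3;
+initrd.verbose = false;
+kernelParams = [
+"quiet"
+"splash"
+"boot.shell_on_fail"
+"udev.log_priority=3"
+"rd.systemd.show_status=auto"
+];
+# Loader appears only if a key is pressed
+loader.timeout = 0;
+};
+}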
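Review bot: `"boot.shell_on_fail"` in `kernelParams` is undocumented while the neighbouring `loader.timeout` line carries a comment; it drops to a root shell in stage 1 when boot fails, which is a recovery convenience that anyone with physical access also benefits from, so the trade-off should be written down, e.g. `# Root shell in stage 1 on boot failure: handy for recovery, a concern on untrusted-location machines`. It is also odd for a debugging parameter to be tied to the splash-screen option; if it is wanted independently of Plymouth it belongs in boot.nix behind its own switch.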

21
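--- a/system/boot/zram.nix
+++ b/system/boot/zram.nix
@@ -0,0 +1,21 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.boot.zram;
+in {
+options.system.boot.zram = {
+enable = mkEnableOption "Enable ZRAM";
+memoryMax = mkOption {
+type = types.int;
+example = "512";
+description = "Maximum size allocated to ZRAM in MiB";
+};
+};
+config.zramSwap = mkIf cfg.enable {
+inherit (cfg) enable;
+memoryMax = cfg.memoryMax * 1024 * 1024;
+};
+}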
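Review bot: `memoryMax` has no `default`, so setting `system.boot.zram.enable = true` without also setting `memoryMax` fails evaluation with a missing-definition error on the `cfg.memoryMax * 1024 * 1024` line; either give it a default or extend the description to say it is required when zram is enabled. The `example = "512";` is a string while the declared type is `types.int`; it should be `example = 512;`.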

40
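--- a/system/default.nix
+++ b/system/default.nix
@@ -0,0 +1,40 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.misc;
+in {
+imports = [
+./boot
+./desktop
+./dev
+./hardware
+./i18n
+./network
+./packages
+./security
+./services
+./users
+];
+options.system.misc = {
+timezone = mkOption {
+type = types.str;
+default = "Europe/Paris";
+};
+keymap = mkOption {
+type = types.str;
+default = "fr";
+example = "fr-bepo";
+description = "Keymap to use in the TTY console";
+};
+};
+config = {
+boot.tmp.cleanOnBoot = true;
+time.timeZone = cfg.timezone;
+console.keyMap = cfg.keymap;
+};
+}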


@@ -0,0 +1,3 @@
{
imports = [./hyprland.nix ./niri.nix ./xserver.nix];
}


@@ -0,0 +1,14 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.system.desktop.hyprland;
in {
options.system.desktop.hyprland.enable = mkEnableOption "Enables Hyprland";
config.programs.hyprland = mkIf cfg.enable {
inherit (cfg) enable;
withUWSM = true;
};
}

13
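--- a/system/desktop/niri.nix
+++ b/system/desktop/niri.nix
@@ -0,0 +1,13 @@
+{
+config,
+lib,
+...
+}:
+with lib; let
+cfg = config.system.desktop.niri;
+in {
+options.system.desktop.niri.enable = mkEnableOption "Enables Niri";
+config.programs.niri = mkIf cfg.enable {
+inherit (cfg) enable;
+};
+}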


@@ -0,0 +1,45 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.system.desktop.xserver;
in {
options.system.desktop.xserver = {
enable = mkEnableOption "Enables xserver";
de = mkOption {
type = types.enum ["gnome" "kde"];
default = "gnome";
example = "kde";
description = "Which DE to enable";
};
};
config.services = mkIf cfg.enable {
displayManager = {
sddm.enable = mkIf (cfg.de == "kde") true;
gdm.enable = mkIf (cfg.de == "gnome") true;
};
desktopManager = {
plasma6.enable = mkIf (cfg.de == "kde") true;
gnome.enable = mkIf (cfg.de == "gnome") true;
};
gnome = mkIf (cfg.de == "gnome") {
gnome-browser-connector.enable = true;
games.enable = false;
gnome-remote-desktop.enable = true;
gnome-online-accounts.enable = true;
sushi.enable = true;
};
xserver = {
inherit (cfg) enable;
videoDrivers = lists.optional config.system.hardware.amdgpu.enable "amdgpu";
xkb = {
layout = "fr";
variant = "bepo_afnor";
};
};
};
}
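Review bot: `gnome-remote-desktop.enable = true;` turns the remote desktop daemon on for every host that selects the GNOME desktop, with no way to opt out, which enlarges the listening surface of machines that never need remote sessions; consider a sub-option (constructed name: `system.desktop.xserver.remoteDesktop.enable`, default false) or at least a comment recording why it is on everywhere. Separately, `xkb.layout`/`variant` are hard-coded to `fr`/`bepo_afnor` while the console keymap is configurable through `system.misc.keymap`, so the two can drift apart. This section has no visible file header; the path is inferred from `cfg = config.system.desktop.xserver`.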

3
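--- a/system/dev/default.nix
+++ b/system/dev/default.nix
@@ -0,0 +1,3 @@
+{
+imports = [./docker.nix];
+}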

32
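--- a/system/dev/docker.nix
+++ b/system/dev/docker.nix
@@ -0,0 +1,32 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.dev.docker;
+in {
+options.system.dev.docker = {
+enable = mkEnableOption "Enable Docker";
+podman.enable = mkEnableOption "Enable Podman rather than Docker";
+nvidia.enable = mkEnableOption "Activate Nvidia support";
+autoprune.enable = mkEnableOption "Enable autoprune";
+};
+config = {
+virtualisation = {
+docker = mkIf (cfg.enable && !cfg.podman.enable) {
+enable = true;
+enableNvidia = cfg.nvidia.enable;
+autoPrune.enable = cfg.autoprune.enable;
+};
+podman = mkIf cfg.podman.enable {
+enable = true;
+dockerCompat = cfg.enable;
+enableNvidia = cfg.nvidia.enable;
+dockerSocket.enable = cfg.enable;
+autoPrune.enable = cfg.autoprune.enable;
+};
+};
+};
+}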
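Review bot: `enableNvidia` on the docker and podman lines is, as far as I recall, deprecated in current nixpkgs in favour of `hardware.nvidia-container-toolkit.enable`; confirm against the nixpkgs revision this flake pins before relying on it. The `podman` block also sets `dockerCompat` and `dockerSocket.enable` from `cfg.enable`, so with `podman.enable = true` and `enable = false` Podman runs without the compatibility socket — intended, but worth a one-line comment such as `# enable = true with podman.enable selects Podman plus Docker compatibility` since `enable` is described only as "Enable Docker".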


@@ -0,0 +1,22 @@
{
pkgs,
lib,
config,
...
}:
with lib; let
cfg = config.system.hardware.amdgpu;
in {
options.system.hardware.amdgpu.enable = mkEnableOption "Enables an AMD GPU configuration";
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"L+ /opt/rocm/hip - - - - ${pkgs.rocmPackages.clr}"
];
hardware.graphics.extraPackages = with pkgs; [rocmPackages.clr.icd];
environment.systemPackages = with pkgs; [
clinfo
amdgpu_top
nvtopPackages.amd
];
};
}


@@ -0,0 +1,14 @@
{
lib,
config,
...
}:
with lib; let
cfg = config.system.hardware.bluetooth;
in {
options.system.hardware.bluetooth.enable = mkEnableOption "Enable bluetooth";
config = mkIf cfg.enable {
hardware.bluetooth.enable = cfg.enable;
services.blueman.enable = cfg.enable;
};
}

15
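--- a/system/hardware/corne.nix
+++ b/system/hardware/corne.nix
@@ -0,0 +1,15 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.hardware.corne;
+in {
+options.system.hardware.corne.allowHidAccess = mkEnableOption "Enable HID access to the corne keyboard";
+config.services.udev = mkIf cfg.allowHidAccess {
+extraRules = ''
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{serial}=="*vial:f64c2b3c*", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
+'';
+};
+}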
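Review bot: The udev rule grants `MODE="0660", GROUP="users"` on the matching hidraw node in addition to `TAG+="uaccess"`; uaccess already gives the active seat's logged-in user an ACL on the device, so the static group grant extends raw HID access to every member of `users`, including sessions that are not at the console. If the seat ACL is sufficient, drop `GROUP="users"` and keep `MODE="0660"` with the default owner group; `TAG+="udev-acl"` is the pre-systemd predecessor of uaccess and can go too. A short comment above the rule stating that this is for the Vial configurator would also explain the `ATTRS{serial}` match.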


@@ -0,0 +1,10 @@
{
imports = [
./amdgpu.nix
./bluetooth.nix
./corne.nix
./ibm-trackpoint.nix
./opentablet.nix
./sound.nix
];
}


@@ -0,0 +1,15 @@
{
lib,
config,
...
}:
with lib; let
cfg = config.system.hardware.ibmTrackpoint;
in {
options.system.hardware.ibmTrackpoint.disable = mkEnableOption "Disable IBMs trackpoint on ThinkPad";
config.services.udev = mkIf cfg.disable {
extraRules = ''
ATTRS{name}=="*TPPS/2 IBM TrackPoint", ENV{ID_INPUT}="", ENV{ID_INPUT_MOUSE}="", ENV{ID_INPUT_POINTINGSTICK}=""
'';
};
}


@@ -0,0 +1,14 @@
{
lib,
config,
...
}:
with lib; let
cfg = config.system.hardware.opentablet;
in {
options.system.hardware.opentablet.enable = mkEnableOption "Enables OpenTablet drivers";
config.hardware.opentabletdriver = mkIf cfg.enable {
inherit (cfg) enable;
daemon.enable = true;
};
}

44
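--- a/system/hardware/sound.nix
+++ b/system/hardware/sound.nix
@@ -0,0 +1,44 @@
+{
+lib,
+config,
+pkgs,
+...
+}:
+with lib; let
+cfg = config.system.hardware.sound;
+in {
+options.system.hardware.sound = {
+enable = mkEnableOption "Whether to enable sounds with Pipewire";
+scarlett.enable = mkEnableOption "Activate support for Scarlett sound card";
+alsa = mkOption {
+type = types.bool;
+example = true;
+default = true;
+description = "Whether to enable ALSA support with Pipewire";
+};
+jack = mkOption {
+type = types.bool;
+example = true;
+default = false;
+description = "Whether to enable JACK support with Pipewire";
+};
+package = mkOption {
+type = types.package;
+example = pkgs.pulseaudio;
+default = pkgs.pulseaudioFull;
+description = "Which base package to use for PulseAudio";
+};
+};
+config = {
+environment.systemPackages = mkIf cfg.scarlett.enable [pkgs.alsa-scarlett-gui];
+services.pipewire = mkIf cfg.enable {
+enable = true;
+alsa = mkIf cfg.alsa {
+enable = mkDefault true;
+support32Bit = mkDefault true;
+};
+jack.enable = mkDefault cfg.jack;
+};
+};
+}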
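Review bot: The `package` option (default `pkgs.pulseaudioFull`, described as the PulseAudio base package) is declared but never read — `config` only sets `services.pipewire`, so a user who changes it sees no effect; either wire it into the configuration or remove it to avoid a dead knob. The `enable` description reads "Whether to enable sounds with Pipewire", which mkEnableOption already prefixes with "Whether to enable", so the rendered text doubles up; `mkEnableOption "sound with Pipewire"` reads correctly.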

5
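--- a/system/i18n/default.nix
+++ b/system/i18n/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+./locale.nix
+];
+}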

16
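--- a/system/i18n/locale.nix
+++ b/system/i18n/locale.nix
@@ -0,0 +1,16 @@
+{
+i18n = {
+defaultLocale = "en_DK.UTF-8";
+extraLocaleSettings = {
+LC_ADDRESS = "fr_FR.UTF-8";
+LC_IDENTIFICATION = "fr_FR.UTF-8";
+LC_MEASUREMENT = "fr_FR.UTF-8";
+LC_MONETARY = "fr_FR.UTF-8";
+LC_NAME = "fr_FR.UTF-8";
+LC_NUMERIC = "fr_FR.UTF-8";
+LC_PAPER = "fr_FR.UTF-8";
+LC_TELEPHONE = "fr_FR.UTF-8";
+LC_TIME = "fr_FR.UTF-8";
+};
+};
+}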


@@ -0,0 +1,5 @@
{
imports = [
./networking.nix
];
}


@@ -0,0 +1,70 @@
{
lib,
config,
...
}:
with lib; let
cfg = config.system.networking;
in {
options.system.networking = with types; {
hostname = mkOption {
type = str;
example = "gampo";
};
id = mkOption {
type = str;
example = "deadb33f";
};
domain = mkOption {
type = nullOr str;
example = "phundrak.com";
default = null;
};
hostFiles = mkOption {
type = listOf path;
example = [/path/to/hostFile];
default = [];
};
firewall = {
openPorts = mkOption {
type = listOf int;
example = [22 80 443];
default = [];
};
openPortRanges = mkOption {
type = listOf (attrsOf port);
default = [];
example = [
{
from = 8080;
to = 8082;
}
];
description = ''
A range of TCP and UDP ports on which incoming connections are
accepted.
'';
};
extraCommands = mkOption {
type = nullOr lines;
example = "iptables -A INPUTS -p icmp -j ACCEPT";
default = null;
};
};
};
config.networking = {
hostName = cfg.hostname; # Define your hostname.
hostId = cfg.id;
networkmanager.enable = true;
inherit (cfg) hostFiles domain;
firewall = {
enable = true;
allowedTCPPorts = cfg.firewall.openPorts;
allowedUDPPorts = cfg.firewall.openPorts;
allowedTCPPortRanges = cfg.firewall.openPortRanges;
allowedUDPPortRanges = cfg.firewall.openPortRanges;
extraCommands = (mkIf (cfg.firewall.extraCommands != null)) cfg.firewall.extraCommands;
};
};
}
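Review bot: `openPorts` and `openPortRanges` feed both `allowedTCPPorts`/`allowedUDPPorts` and both range lists, so listing `22` for SSH also opens 22/udp; if that is intended, the `openPorts` option (which has no description) should say so as the range option does, otherwise split the options into TCP and UDP lists so the firewall only opens what each service needs. The `extraCommands` example `iptables -A INPUTS -p icmp -j ACCEPT` names a chain that does not exist; it should be `INPUT`. This section has no visible file header; the path is inferred from `./networking.nix` in the preceding imports.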


@@ -0,0 +1,14 @@
{
lib,
config,
...
}:
with lib; let
cfg = config.system.packages.appimage;
in {
options.system.packages.appimage.enable = mkEnableOption "Enables AppImage support";
config.programs.appimage = mkIf cfg.enable {
inherit (cfg) enable;
binfmt = true;
};
}


@@ -0,0 +1,15 @@
{pkgs, ...}: {
imports = [
./appimage.nix
./flatpak.nix
./nano.nix
./nix.nix
./steam.nix
];
environment.systemPackages = with pkgs; [
curl
openssl
wget
];
}


@@ -0,0 +1,22 @@
{
pkgs,
lib,
config,
...
}:
with lib; let
cfg = config.system.packages.flatpak;
in {
options.system.packages.flatpak = {
enable = mkEnableOption "Enable Flatpak support";
builder.enable = mkEnableOption "Enable Flatpak builder";
};
config = {
services.flatpak = mkIf cfg.enable {
inherit (cfg) enable;
};
environment.systemPackages = mkIf cfg.builder.enable [
pkgs.flatpak-buildR
];
};
}
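Review bot: `pkgs.flatpak-buildR` looks like a typo for `pkgs.flatpak-builder`; as written, setting `builder.enable = true` fails evaluation with an undefined attribute. The `environment.systemPackages` line is also gated only on `cfg.builder.enable`, so the builder can be installed on a host where the flatpak service itself is off — if that is not wanted, use `mkIf (cfg.enable && cfg.builder.enable)`. No visible file header; the path is inferred from `cfg = config.system.packages.flatpak`.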

14
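--- a/system/packages/nano.nix
+++ b/system/packages/nano.nix
@@ -0,0 +1,14 @@
+{
+programs.nano = {
+enable = true;
+syntaxHighlight = true;
+nanorc = ''
+set tabsize 2
+set autoindent
+set atblanks
+set linenumber
+set smarthome
+set softwrap
+'';
+};
+}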

49
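--- a/system/packages/nix.nix
+++ b/system/packages/nix.nix
@@ -0,0 +1,49 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.packages.nix;
+in {
+options.system.packages.nix = {
+allowUnfree = mkEnableOption "Enable unfree packages";
+disableSandbox = mkEnableOption "Disable Nix sandbox";
+gc = {
+automatic = mkOption {
+type = types.bool;
+default = true;
+};
+dates = mkOption {
+type = types.str;
+default = "Monday 01:00 UTC";
+};
+options = mkOption {
+type = types.str;
+default = "--delete-older-than 30d";
+};
+};
+nix-ld.enable = mkEnableOption "Enable unpatched binaries support";
+trusted-users = mkOption {
+type = types.listOf types.str;
+example = ["alice" "bob"];
+default = [];
+};
+};
+config = {
+nix = {
+inherit (cfg) gc;
+settings = {
+inherit (cfg) trusted-users;
+sandbox = cfg.disableSandbox;
+experimental-features = ["nix-command" "flakes"];
+auto-optimise-store = true;
+};
+};
+nixpkgs.config.allowUnfree = true;
+programs = {
+inherit (cfg) nix-ld;
+};
+};
+}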
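Review bot: `sandbox = cfg.disableSandbox;` is inverted: with the option's default of false the build sandbox is switched off on every host, and setting `disableSandbox = true` switches it on, the opposite of the option's name; it should read `sandbox = !cfg.disableSandbox;`. `nixpkgs.config.allowUnfree = true;` ignores the `allowUnfree` option declared a few lines up; use `nixpkgs.config.allowUnfree = cfg.allowUnfree;`. `trusted-users` also deserves a description saying that listed users get root-equivalent control of the Nix daemon (they can override substituters and builders), so adding a name there is a deliberate step rather than a convenience.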

34
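--- a/system/packages/steam.nix
+++ b/system/packages/steam.nix
@@ -0,0 +1,34 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.programs.steam;
+in {
+options.system.programs.steam.enable = mkEnableOption "Enables Steam and Steam hardware";
+config = mkIf cfg.enable {
+programs = {
+steam = {
+inherit (cfg) enable;
+protontricks.enable = true;
+remotePlay.openFirewall = true;
+localNetworkGameTransfers.openFirewall = true;
+gamescopeSession.enable = true;
+extraCompatPackages = [pkgs.proton-ge-bin];
+};
+gamescope = {
+enable = true;
+capSysNice = true;
+args = [
+"--rt"
+"--expose-wayland"
+];
+};
+};
+hardware.steam-hardware = {
+inherit (cfg) enable;
+};
+};
+}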
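Review bot: This module lives in `system/packages/` but declares `options.system.programs.steam` and reads `config.system.programs.steam`, while every sibling in the directory uses the `system.packages.*` namespace; rename to `options.system.packages.steam` (and the `cfg` line) or move the file so the option path matches its location. `remotePlay.openFirewall` and `localNetworkGameTransfers.openFirewall` are both hard-coded to true, so enabling Steam always opens the corresponding ports through the firewall declared in networking.nix; a comment like `# Remote Play and LAN transfers open firewall ports on every Steam host` or a sub-option would make that visible to whoever enables it.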


@@ -0,0 +1,5 @@
{
imports = [
./sops.nix
];
}

17
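--- a/system/security/sops.nix
+++ b/system/security/sops.nix
@@ -0,0 +1,17 @@
+{
+sops = {
+defaultSopsFile = ../../secrets/secrets.yaml;
+defaultSopsFormat = "yaml";
+age = {
+# automatically import user SSH keys as age keys
+sshKeyPaths = [
+"/home/phundrak/.ssh/id_ed25519"
+"/etc/ssh/ssh_host_ed25519_key"
+];
+# this will use an age key that is expected to already be in the filesystem
+keyFile = "/var/lib/sops-nix/key.txt";
+# generate a new key if the key specified above does not exist
+generateKey = true;
+};
+};
+}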
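Review bot: `sshKeyPaths` hard-codes `/home/phundrak/.ssh/id_ed25519`, which ties this module to the user declared behind `phundrak.enable` in system/users/phundrak.nix; on a host where that user is disabled or the key has not been generated yet, sops-nix presumably cannot read the file at activation — confirm what it does in that case. Keeping only the host key here, or deriving the path from the user's configured home, removes the coupling. It is also worth a comment that using an interactive user's SSH key as a decryption key means a compromise of that key exposes every secret in `secrets.yaml`, not only that user's.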


@@ -0,0 +1,9 @@
{
imports = [
./endlessh.nix
./fwupd.nix
./printing.nix
./ssh.nix
./sunshine.nix
];
}


@@ -0,0 +1,21 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.system.services.endlessh;
in {
options.system.services.endlessh = {
enable = mkEnableOption "Enables endlessh.";
port = mkOption {
type = types.port;
default = 2222;
example = 22;
};
};
config.services.endlessh-go = mkIf cfg.enable {
inherit (cfg) enable port;
openFirewall = true;
};
}

13
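--- a/system/services/fwupd.nix
+++ b/system/services/fwupd.nix
@@ -0,0 +1,13 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.services.fwupd;
+in {
+options.system.services.fwupd.enable = mkEnableOption "Enable fwupd";
+config.services.fwupd = mkIf cfg.enable {
+inherit (cfg) enable;
+};
+}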


@@ -0,0 +1,13 @@
{
lib,
config,
...
}:
with lib; let
cfg = config.system.services.printing;
in {
options.system.services.printing.enable = mkEnableOption "Enable printing with CUPS";
config.services.printing = mkIf cfg.enable {
inherit (cfg) enable;
};
}

30
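--- a/system/services/ssh.nix
+++ b/system/services/ssh.nix
@@ -0,0 +1,30 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+cfg = config.system.services.ssh;
+in {
+options.system.services.ssh = {
+enable = mkEnableOption "Enables OpenSSH";
+allowedUsers = mkOption {
+type = types.listOf types.str;
+example = ["alice" "bob"];
+default = ["phundrak"];
+};
+passwordAuthentication = mkOption {
+type = types.bool;
+example = true;
+default = false;
+};
+};
+config.services.openssh = mkIf cfg.enable {
+inherit (cfg) enable;
+settings = {
+AllowUsers = cfg.allowedUsers;
+PermitRootLogin = "no";
+PasswordAuthentication = cfg.passwordAuthentication;
+};
+};
+}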
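Review bot: `PasswordAuthentication = cfg.passwordAuthentication;` on its own does not turn password logins off on NixOS: `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and lets sshd accept passwords through PAM's keyboard-interactive path. Add `KbdInteractiveAuthentication = cfg.passwordAuthentication;` next to it so the option does what its name says. The `allowedUsers` default of `["phundrak"]` also couples this module to the users module; a description on both options would help, e.g. `description = "Users allowed to log in over SSH (sshd AllowUsers)";`.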


@@ -0,0 +1,20 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.system.services.sunshine;
in {
options.system.services.sunshine = {
enable = mkEnableOption "Enables Sunshine";
autostart = mkEnableOption "Enables autostart";
};
config.services.sunshine = mkIf cfg.enable {
inherit (cfg) enable;
autoStart = cfg.autostart;
capSysAdmin = true;
openFirewall = true;
settings.sunshine_name = config.system.networking.hostname;
};
}

5
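--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+./phundrak.nix
+];
+}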


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPhP4p9KGk6jSOxJzBu+RzJPHI6baT0o+xrgPeNRwfq lucien@phundrak.com


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILw9oiK8tZ5Vpz82RaRLpITU8qeJrT2hjvudGEDQu2QW lucien@phundrak.com


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFVzXgt8Md+PgOMM3qcBIR/a8uf5s6dnxGbFlG9yD+Gx lucien@phundrak.com


@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ7GXp4OfK2j1+7TMjVBL29Ol/6nsEMbfE2wRGkjk3Ya lucien@phundrak.com

31
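--- a/system/users/phundrak.nix
+++ b/system/users/phundrak.nix
@@ -0,0 +1,31 @@
+{
+lib,
+config,
+pkgs,
+...
+}:
+with lib; let
+cfg = config.system.users;
+in {
+options.system.users = {
+root.disablePassword = mkEnableOption "Disables root password";
+phundrak.enable = mkEnableOption "Enables users phundrak";
+};
+config = {
+users.users = {
+root = {
+hashedPassword = mkIf cfg.root.disablePassword "*";
+shell = pkgs.zsh;
+};
+phundrak = mkIf cfg.phundrak.enable {
+isNormalUser = true;
+description = "Lucien Cartier-Tilet";
+extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman"];
+shell = pkgs.zsh;
+openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ./keys;
+};
+};
+programs.zsh.enable = true;
+};
+}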
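Review bot: `extraGroups` adds `docker` and `podman` unconditionally; membership of the `docker` group is root-equivalent because the daemon socket it grants can start privileged containers, so it should be gated on `config.system.dev.docker.enable` (and `podman` on `config.system.dev.docker.podman.enable`) with a comment such as `# docker group is root-equivalent; granted only when the docker module is on`. `openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ./keys` authorises every file that ends up in that directory, so a one-line comment that additions there are login grants and need the same review as this file is cheap. `lib.filesystem` is reached through the `lib` argument here although the file already opens `with lib;` — consistent with the rest of the module set, but `filesystem.listFilesRecursive` would match the style used elsewhere (`lists.optional`).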