diff --git a/SwarselSystems.org b/SwarselSystems.org index dad3199..d9e5b39 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -807,7 +807,10 @@ My work machine. Built for more security, this is the gold standard of my config isBtrfs = true; isLinux = true; sharescreen = "eDP-2"; - profiles.personal = true; + profiles = { + personal = true; + work = true; + }; }; in { @@ -826,11 +829,13 @@ My work machine. Built for more security, this is the gold standard of my config "${modulesPath}/nixos/optional/gaming.nix" "${modulesPath}/nixos/optional/work.nix" "${self}/profiles/nixos" + "${modulesPath}/nixos/server" inputs.home-manager.nixosModules.home-manager { home-manager.users."${primaryUser}".imports = [ "${self}/profiles/home" + "${modulesPath}/home/server" "${modulesPath}/home/optional/gaming.nix" "${modulesPath}/home/optional/work.nix" ]; @@ -3865,6 +3870,32 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a lid = lib.mkDefault true; lowBattery = lib.mkDefault true; lanzaboote = lib.mkDefault true; + + optional = { + gaming = lib.mkDefault true; + virtualbox = lib.mkDefault true; + autologin = lib.mkDefault true; + nswitch-rcm = lib.mkDefault true; + }; + }; + + }; + + } + +#+end_src + +***** Work + +#+begin_src nix :tangle profiles/nixos/work/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselsystems.profiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselsystems.profiles.work { + swarselsystems.modules = { + optional = { + work = lib.mkDefault true; + }; }; }; @@ -3881,7 +3912,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a options.swarselsystems.profiles.server.local = lib.mkEnableOption "is this a local server"; config = lib.mkIf config.swarselsystems.profiles.server.local { swarselsystems = { - # common modules modules = { nix-ld = lib.mkDefault true; home-manager = lib.mkDefault true; 
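Review bot: The `optional` block added after `lanzaboote` in the @@ -3865 hunk sets `autologin = lib.mkDefault true` (plus virtualbox and nswitch-rcm) in what appears to be the personal profile, and the host block in the @@ -807 hunk now enables `personal` together with `work`, so the machine the prose describes as the security-oriented one inherits autologin unless something overrides it. If that host does not also import `optional/autologin.nix`, evaluation fails instead because the option would not exist; either way the default deserves an explicit decision. The new Work profile in the same hunk could pin it with `autologin = lib.mkForce false;` next to `work = lib.mkDefault true;` (mkForce rather than a second mkDefault, which would conflict with the personal profile's definition). The profile whose `optional` block is extended starts outside the hunk, so its identity is inferred from the surrounding section.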
@@ -3892,23 +3922,29 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a time = lib.mkDefault true; users = lib.mkDefault true; }; - # server modules - # server = { - # kavita = lib.mkDefault true; - # jellyfin = lib.mkDefault true; - # navidrome = lib.mkDefault true; - # spotifyd = lib.mkDefault true; - # mpd = lib.mkDefault true; - # matrix = lib.mkDefault true; - # nextcloud = lib.mkDefault true; - # immich = lib.mkDefault true; - # paperless = lib.mkDefault true; - # transmission = lib.mkDefault true; - # syncthing = lib.mkDefault true; - # monitoring = lib.mkDefault true; - # emacs = lib.mkDefault true; - # freshrss = lib.mkDefault true; - # }; + server = { + general = lib.mkDefault true; + packages = lib.mkDefault true; + sops = lib.mkDefault true; + nfs = lib.mkDefault true; + nginx = lib.mkDefault true; + ssh = lib.mkDefault true; + kavita = lib.mkDefault true; + jellyfin = lib.mkDefault true; + navidrome = lib.mkDefault true; + spotifyd = lib.mkDefault true; + mpd = lib.mkDefault true; + matrix = lib.mkDefault true; + nextcloud = lib.mkDefault true; + immich = lib.mkDefault true; + paperless = lib.mkDefault true; + transmission = lib.mkDefault true; + syncthing = lib.mkDefault true; + monitoring = lib.mkDefault true; + emacs = lib.mkDefault true; + freshrss = lib.mkDefault true; + + }; }; }; @@ -3923,7 +3959,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a options.swarselsystems.profiles.server.sync = lib.mkEnableOption "is this a oci sync server"; config = lib.mkIf config.swarselsystems.profiles.server.sync { swarselsystems = { - # common modules modules = { nix-ld = lib.mkDefault true; home-manager = lib.mkDefault true; 
@@ -3934,11 +3969,16 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a time = lib.mkDefault true; users = lib.mkDefault true; }; - # server modules - # server = { - # forgejo = lib.mkDefault true; - # ankisync = lib.mkDefault true; - # }; + server = { + general = lib.mkDefault true; + packages = lib.mkDefault true; + sops = lib.mkDefault true; + nfs = lib.mkDefault true; + nginx = lib.mkDefault true; + ssh = lib.mkDefault true; + forgejo = lib.mkDefault true; + ankisync = lib.mkDefault true; + }; }; }; 
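Review bot: The sync profile now turns on `nfs = lib.mkDefault true`, which (per the nfs.nix hunk further down) enables Samba, Avahi and samba-wsdd with `openFirewall = true`, on a host whose own option description calls it an oci sync server. Whether that host loaded the module before this change cannot be seen here; if it did not, this opens SMB, mDNS and WS-Discovery ports and publishes the `/Vault/Eternor` share on a cloud host. Unless that is intended, drop the line or set `nfs = lib.mkDefault false;` in this profile and keep the share only in the local-server profile.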
@@ -3997,6 +4037,71 @@ This holds modules that are to be used on most hosts. These are also the most im waybar = lib.mkDefault true; firefox = lib.mkDefault true; gnome-keyring = lib.mkDefault true; + kdeconnect = lib.mkDefault true; + mako = lib.mkDefault true; + swayosd = lib.mkDefault true; + yubikeytouch = lib.mkDefault true; + sway = lib.mkDefault true; + kanshi = lib.mkDefault true; + gpgagent = lib.mkDefault true; + gammastep = lib.mkDefault true; + + optional = { + gaming = lib.mkDefault true; + }; + }; + }; + + } + +#+end_src + +***** Work + +#+begin_src nix :tangle profiles/home/work/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselsystems.profiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselsystems.profiles.work { + swarselsystems.modules = { + optional = { + work = lib.mkDefault true; + }; + }; + }; + + } + +#+end_src + +***** Darwin + +#+begin_src nix :tangle profiles/home/darwin/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselsystems.profiles.darwin = lib.mkEnableOption "is this a darwin host"; + config = lib.mkIf config.swarselsystems.profiles.darwin { + swarselsystems.modules = { + general = lib.mkDefault true; + }; + }; + + } + +#+end_src + +***** Local Server + +#+begin_src nix :tangle profiles/home/localserver/default.nix :mkdirp yes + { lib, config, ... }: + { + options.swarselsystems.profiles.server.local = lib.mkEnableOption "is this a local server"; + config = lib.mkIf config.swarselsystems.profiles.server.local { + swarselsystems.modules = { + general = lib.mkDefault true; + server = { + dotfiles = lib.mkDefault true; + }; }; }; 
@@ -6077,12 +6182,13 @@ Here we just define some aliases for rebuilding the system, and we allow some in in { options.swarselsystems = { + server.general = lib.mkEnableOption "general setting on server"; shellAliases = lib.mkOption { type = lib.types.attrsOf lib.types.str; default = { }; }; }; - config = { + config = lib.mkIf config.swarselsystems.server.general { environment.shellAliases = lib.recursiveUpdate { npswitch = "cd ${flakePath}; git pull; sudo nixos-rebuild --flake .#$(hostname) switch; cd -;"; @@ -6114,16 +6220,19 @@ Here we just define some aliases for rebuilding the system, and we allow some in :END: #+begin_src nix :tangle modules/nixos/server/packages.nix - { pkgs, ... }: + { lib, config, pkgs, ... }: { - environment.systemPackages = with pkgs; [ - gnupg - nix-index - ssh-to-age - git - emacs - vim - ]; + options.swarselsystems.server.packages = lib.mkEnableOption "enable packages on server"; + config = lib.mkIf config.swarselsystems.server.packages { + environment.systemPackages = with pkgs; [ + gnupg + nix-index + ssh-to-age + git + emacs + vim + ]; + }; } #+end_src @@ -6135,12 +6244,14 @@ Here we just define some aliases for rebuilding the system, and we allow some in #+begin_src nix :tangle modules/nixos/server/sops.nix { config, lib, ... }: { - sops = { - age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ]; - defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml"; - validateSopsFiles = false; + options.swarselsystems.server.sops = lib.mkEnableOption "enable sops on server"; + config = lib.mkIf config.swarselsystems.server.sops { + sops = { + age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ]; + defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml"; + validateSopsFiles = false; + }; }; - } #+end_src 
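Review bot: In the sops.nix hunk, `validateSopsFiles = false;` is the one definition in the block without `lib.mkDefault`, while `age.sshKeyPaths` and `defaultSopsFile` beside it have one; now that the module is opt-in per host, a host that wants build-time validation of its secrets files has to `mkForce` it. `validateSopsFiles = lib.mkDefault false;` keeps the current behaviour and makes the three lines consistent. The `config = lib.mkIf` added in the general.nix hunk wraps a block that continues past the hunk, so its full content is not visible here.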
@@ -6150,52 +6261,55 @@ Here we just define some aliases for rebuilding the system, and we allow some in :END: #+begin_src nix :tangle modules/nixos/server/nfs.nix - { pkgs, ... }: + { lib, config, pkgs, ... }: { - services = { - # add a user with sudo smbpasswd -a - samba = { - package = pkgs.samba4Full; - # extraConfig = '' - # workgroup = WORKGROUP - # server role = standalone server - # dns proxy = no + options.swarselsystems.server.nfs = lib.mkEnableOption "enable nfs on server"; + config = lib.mkIf config.swarselsystems.server.nfs { + services = { + # add a user with sudo smbpasswd -a + samba = { + package = pkgs.samba4Full; + # extraConfig = '' + # workgroup = WORKGROUP + # server role = standalone server + # dns proxy = no - # pam password change = yes - # map to guest = bad user - # create mask = 0664 - # force create mode = 0664 - # directory mask = 0775 - # force directory mode = 0775 - # follow symlinks = yes - # ''; + # pam password change = yes + # map to guest = bad user + # create mask = 0664 + # force create mode = 0664 + # directory mask = 0775 + # force directory mode = 0775 + # follow symlinks = yes + # ''; - enable = true; - openFirewall = true; - settings.Eternor = { - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - path = "/Vault/Eternor"; - writable = "true"; - comment = "Eternor"; - "valid users" = "Swarsel"; + enable = true; + openFirewall = true; + settings.Eternor = { + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + path = "/Vault/Eternor"; + writable = "true"; + comment = "Eternor"; + "valid users" = "Swarsel"; + }; }; - }; - avahi = { - publish.enable = true; - publish.userServices = true; # Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` - nssmdns4 = true; - enable = true; - openFirewall = true; - }; + avahi = { + publish.enable = true; + publish.userServices = true; # Needed to allow samba to automatically register mDNS records without the need 
for an `extraServiceFile` + nssmdns4 = true; + enable = true; + openFirewall = true; + }; - # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued - samba-wsdd = { - enable = true; - openFirewall = true; + # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued + samba-wsdd = { + enable = true; + openFirewall = true; + }; }; }; } 
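Review bot: The new option `swarselsystems.server.nfs` with description `"enable nfs on server"` gates a block that configures Samba, Avahi and samba-wsdd, none of which is NFS, and all three with `openFirewall = true`. The option name is now referenced by both server profiles, so renaming it is a wider change, but the description can say what it actually switches on: `lib.mkEnableOption "enable samba/avahi/wsdd file sharing (opens firewall ports) on server";`. A one-line comment above `services = {` noting that the file name is historical would help the next reader as well.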
@@ -6207,42 +6321,44 @@ Here we just define some aliases for rebuilding the system, and we allow some in :END: #+begin_src nix :tangle modules/nixos/server/nginx.nix - { pkgs, config, ... }: + { pkgs, lib, config, ... }: { - environment.systemPackages = with pkgs; [ - lego - ]; + options.swarselsystems.server.nginx = lib.mkEnableOption "enable nginx on server"; + config = lib.mkIf config.swarselsystems.server.nginx { + environment.systemPackages = with pkgs; [ + lego + ]; - # users.users.acme = {}; + # users.users.acme = {}; - sops = { - # secrets.dnstokenfull = { owner = "acme"; }; - secrets.dnstokenfull = { }; - templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - }; + sops = { + # secrets.dnstokenfull = { owner = "acme"; }; + secrets.dnstokenfull = { }; + templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + }; - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults = { - email = "mrswarsel@gmail.com"; - dnsProvider = "cloudflare"; - environmentFile = "${config.sops.templates."certs.secret".path}"; + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults = { + email = "mrswarsel@gmail.com"; + dnsProvider = "cloudflare"; + environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + }; + + services.nginx = { + enable = true; + statusPage = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + # virtualHosts are defined in the respective sections }; }; - - services.nginx = { - enable = true; - statusPage = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - # virtualHosts are defined in the respective sections - }; - } #+end_src 
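Review bot: The gated block still declares `sops.secrets.dnstokenfull = { }` and reads `config.sops.placeholder.dnstokenfull`, but `sops.defaultSopsFile` and `age.sshKeyPaths` are now defined only behind `server.sops` in the sops.nix hunk, so a host that enables `server.nginx` without `server.sops` has no default sops file for that secret (unless one is defined elsewhere, which is not visible here). Making the dependency explicit inside the mkIf turns an opaque sops-nix evaluation error into a readable one: `assertions = [ { assertion = config.swarselsystems.server.sops; message = "swarselsystems.server.nginx needs swarselsystems.server.sops for dnstokenfull"; } ];`.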
@@ -6252,23 +6368,25 @@ Here we just define some aliases for rebuilding the system, and we allow some in :END: #+begin_src nix :tangle modules/nixos/server/ssh.nix - { self, config, ... }: + { self, lib, config, ... }: { - services.openssh = { - enable = true; + options.swarselsystems.server.ssh = lib.mkEnableOption "enable ssh on server"; + config = lib.mkIf config.swarselsystems.server.ssh { + services.openssh = { + enable = true; + }; + users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + ]; + users.users.root.openssh.authorizedKeys.keyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + ]; + security.sudo.extraConfig = '' + Defaults env_keep+=SSH_AUTH_SOCK + ''; }; - users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - ]; - users.users.root.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - ]; - security.sudo.extraConfig = '' - Defaults env_keep+=SSH_AUTH_SOCK - ''; - } #+end_src 
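Review bot: `services.openssh = { enable = true; }` pins nothing about authentication while the same block installs authorized key files for root, so the module relies on the NixOS defaults for `PermitRootLogin` and `PasswordAuthentication`; with the module now enabled by both server profiles, including the one described as an oci host, key-only access is worth stating explicitly. Inside `services.openssh`, `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` do that, and can be wrapped in `lib.mkDefault` if a host must differ.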
@@ -7853,39 +7971,42 @@ These sets of configuration do not need to be deployed on every host, for a mult This opens a few gaming ports and installs the steam configuration suite for gaming. There are more options in [[#h:84fd7029-ecb6-4131-9333-289982f24ffa][Gaming]] (home-manager side). #+begin_src nix :tangle modules/nixos/optional/gaming.nix - { pkgs, lib, ... }: + { pkgs, lib, config, ... }: { - specialisation = { - gaming.configuration = { - networking = { - firewall.enable = lib.mkForce false; - firewall = { - allowedUDPPorts = [ 4380 27036 14242 34197 ]; # 34197: factorio; 4380 27036 14242: barotrauma; - allowedTCPPorts = [ ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard - allowedTCPPortRanges = [ - { from = 27015; to = 27030; } # barotrauma - { from = 27036; to = 27037; } # barotrauma - ]; - allowedUDPPortRanges = [ - { from = 27000; to = 27031; } # barotrauma - { from = 58962; to = 58964; } # barotrauma + options.swarselsystems.modules.optional.gaming = lib.mkEnableOption "optional gaming settings"; + config = lib.mkIf config.swarselsystems.modules.optional.gaming { + specialisation = { + gaming.configuration = { + networking = { + firewall.enable = lib.mkForce false; + firewall = { + allowedUDPPorts = [ 4380 27036 14242 34197 ]; # 34197: factorio; 4380 27036 14242: barotrauma; + allowedTCPPorts = [ ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard + allowedTCPPortRanges = [ + { from = 27015; to = 27030; } # barotrauma + { from = 27036; to = 27037; } # barotrauma + ]; + allowedUDPPortRanges = [ + { from = 27000; to = 27031; } # barotrauma + { from = 58962; to = 58964; } # barotrauma + ]; + }; + }; + + programs.steam = { + enable = true; + package = pkgs.steam; + extraCompatPackages = [ + pkgs.proton-ge-bin ]; }; - }; - programs.steam = { - enable = true; - package = pkgs.steam; - extraCompatPackages = [ - pkgs.proton-ge-bin + hardware.xone.enable = true; + + environment.systemPackages = [ + 
pkgs.linuxKernel.packages.linux_6_12.xone ]; }; - - hardware.xone.enable = true; - - environment.systemPackages = [ - pkgs.linuxKernel.packages.linux_6_12.xone - ]; }; }; @@ -7902,9 +8023,10 @@ This opens a few gaming ports and installs the steam configuration suite for gam This sets the VirtualBox configuration. Guest should not be enabled if not direly needed, it will make rebuilds unbearably slow. I only use this privately to run an old editor that does not run well under wine, so I put it into it's own specialisation. #+begin_src nix :tangle modules/nixos/optional/virtualbox.nix - { lib, pkgs, ... }: - { - +{ lib, config, pkgs, ... }: +{ + options.swarselsystems.modules.optional.virtualbox = lib.mkEnableOption "optional VBox settings"; + config = lib.mkIf config.swarselsystems.modules.optional.virtualbox { specialisation = { VBox.configuration = { virtualisation.virtualbox = { @@ -7921,8 +8043,9 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl boot.kernelPackages = lib.mkForce pkgs.linuxPackages; }; }; + }; - } +} #+end_src **** VmWare @@ -7934,11 +8057,14 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl This sets the VirtualBox configuration. Guest should not be enabled if not direly needed, it will make rebuilds unbearably slow. #+begin_src nix :tangle modules/nixos/optional/vmware.nix - _: + { lib, config, ... }: { - virtualisation.vmware.host.enable = true; - virtualisation.vmware.guest.enable = true; + options.swarselsystems.modules.optional.vmware = lib.mkEnableOption "optional vmware settings"; + config = lib.mkIf config.swarselsystems.modules.optional.vmware { + virtualisation.vmware.host.enable = true; + virtualisation.vmware.guest.enable = true; + }; } #+end_src 
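Review bot: The description `"optional gaming settings"` on the new enable option does not convey that the gated specialisation sets `firewall.enable = lib.mkForce false`, which also makes the `allowedUDPPorts`/`allowedTCPPortRanges` lists under it irrelevant while that specialisation is booted. Since the personal profile now switches this on by default, a reader choosing profiles should see it: `lib.mkEnableOption "optional gaming specialisation (boots with the firewall disabled)"`. The stale comment on `allowedTCPPorts = [ ];` listing ports that are not in the list could go at the same time.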
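Review bot: In the virtualbox.nix hunk the new lines `{ lib, config, pkgs, ... }:`, the opening `{` and the closing `}` are at column 0, whereas every other tangled block in this file, and the new `options`/`config` lines directly below them, keep the two-space body indent; the tangled output is unaffected but the org source becomes inconsistent. Re-indent those three lines to match the surrounding blocks.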
@@ -7950,14 +8076,17 @@ This sets the VirtualBox configuration. Guest should not be enabled if not direl Auto login for the initial session. #+begin_src nix :tangle modules/nixos/optional/autologin.nix - { config, ... }: + { lib, config, ... }: let inherit (config.swarselsystems) mainUser; in { - services = { - getty.autologinUser = mainUser; - greetd.settings.initial_session.user = mainUser; + options.swarselsystems.modules.optional.autologin = lib.mkEnableOption "optional autologin settings"; + config = lib.mkIf config.swarselsystems.modules.optional.autologin { + services = { + getty.autologinUser = mainUser; + greetd.settings.initial_session.user = mainUser; + }; }; } #+end_src @@ -7970,13 +8099,16 @@ Auto login for the initial session. This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using. #+begin_src nix :tangle modules/nixos/optional/nswitch-rcm.nix - { pkgs, ... }: + { lib, config, pkgs, ... }: { - services.nswitch-rcm = { - enable = true; - package = pkgs.fetchurl { - url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin"; - hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI="; + options.swarselsystems.modules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings"; + config = lib.mkIf config.swarselsystems.modules.optional.nswitch-rcm { + services.nswitch-rcm = { + enable = true; + package = pkgs.fetchurl { + url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin"; + hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI="; + }; }; }; } 
@@ -8016,167 +8148,170 @@ Options that I need specifically at work. There are more options at [[#h:f0b2ea9 }; in { - sops = - let - secretNames = [ - "vcuser" - "vcpw" - "govcuser" - "govcpw" - "govcurl" - "govcdc" - "govcds" - "govchost" - "govcnetwork" - "govcpool" - ]; - in - { - secrets = builtins.listToAttrs ( - map - (name: { - inherit name; - value = { inherit owner sopsFile; }; - }) - secretNames - ); - }; + options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; + config = lib.mkIf config.swarselsystems.modules.optional.work { + sops = + let + secretNames = [ + "vcuser" + "vcpw" + "govcuser" + "govcpw" + "govcurl" + "govcdc" + "govcds" + "govchost" + "govcnetwork" + "govcpool" + ]; + in + { + secrets = builtins.listToAttrs ( + map + (name: { + inherit name; + value = { inherit owner sopsFile; }; + }) + secretNames + ); + }; - boot.initrd = { - systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence - luks = { - # disable "support" since we use systemd-cryptenroll - # make sure yubikeys are enrolled using - # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2 - yubikeySupport = false; - fido2Support = false; - }; - }; - - programs = { - zsh.shellInit = '' - export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})" - export VSPHERE_PW="$(cat ${config.sops.secrets.vcpw.path})" - export GOVC_USERNAME="$(cat ${config.sops.secrets.govcuser.path})" - export GOVC_PASSWORD="$(cat ${config.sops.secrets.govcpw.path})" - export GOVC_URL="$(cat ${config.sops.secrets.govcurl.path})" - export GOVC_DATACENTER="$(cat ${config.sops.secrets.govcdc.path})" - export GOVC_DATASTORE="$(cat ${config.sops.secrets.govcds.path})" - export GOVC_HOST="$(cat ${config.sops.secrets.govchost.path})" - export GOVC_RESOURCE_POOL="$(cat ${config.sops.secrets.govcpool.path})" - export 
GOVC_NETWORK="$(cat ${config.sops.secrets.govcnetwork.path})" - ''; - - browserpass.enable = true; - _1password.enable = true; - _1password-gui = { - enable = true; - polkitPolicyOwners = [ "${mainUser}" ]; - }; - }; - - networking = { - firewall.trustedInterfaces = [ "virbr0" ]; - search = [ - "vbc.ac.at" - "clip.vbc.ac.at" - "imp.univie.ac.at" - ]; - }; - - virtualisation = { - docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; - spiceUSBRedirection.enable = true; - libvirtd = { - enable = true; - qemu = { - package = pkgs.qemu_kvm; - runAsRoot = true; - swtpm.enable = true; - vhostUserPackages = with pkgs; [ virtiofsd ]; - ovmf = { - enable = true; - packages = [ - (pkgs.OVMFFull.override { - secureBoot = true; - tpmSupport = true; - }).fd - ]; - }; + boot.initrd = { + systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence + luks = { + # disable "support" since we use systemd-cryptenroll + # make sure yubikeys are enrolled using + # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2 + yubikeySupport = false; + fido2Support = false; }; }; - }; - environment.systemPackages = with pkgs; [ - # (python39.withPackages (ps: with ps; [ - # cryptography - # ])) - # docker - python39 - qemu - packer - gnumake - libisoburn - govc - terraform - graphviz + programs = { + zsh.shellInit = '' + export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})" + export VSPHERE_PW="$(cat ${config.sops.secrets.vcpw.path})" + export GOVC_USERNAME="$(cat ${config.sops.secrets.govcuser.path})" + export GOVC_PASSWORD="$(cat ${config.sops.secrets.govcpw.path})" + export GOVC_URL="$(cat ${config.sops.secrets.govcurl.path})" + export GOVC_DATACENTER="$(cat ${config.sops.secrets.govcdc.path})" + export GOVC_DATASTORE="$(cat ${config.sops.secrets.govcds.path})" + export GOVC_HOST="$(cat 
${config.sops.secrets.govchost.path})" + export GOVC_RESOURCE_POOL="$(cat ${config.sops.secrets.govcpool.path})" + export GOVC_NETWORK="$(cat ${config.sops.secrets.govcnetwork.path})" + ''; - # vm - virt-manager - virt-viewer - virtiofsd - spice - spice-gtk - spice-protocol - win-virtio - win-spice - ]; - - - services = { - spice-vdagentd.enable = true; - openssh = { - enable = true; - extraConfig = '' - ''; + browserpass.enable = true; + _1password.enable = true; + _1password-gui = { + enable = true; + polkitPolicyOwners = [ "${mainUser}" ]; + }; }; - syncthing = { - settings = { - "winters" = { - id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; - }; - folders = { - "Documents" = { - path = "${homeDir}/Documents"; - devices = [ "magicant" "winters" ]; - id = "hgr3d-pfu3w"; + networking = { + firewall.trustedInterfaces = [ "virbr0" ]; + search = [ + "vbc.ac.at" + "clip.vbc.ac.at" + "imp.univie.ac.at" + ]; + }; + + virtualisation = { + docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; + spiceUSBRedirection.enable = true; + libvirtd = { + enable = true; + qemu = { + package = pkgs.qemu_kvm; + runAsRoot = true; + swtpm.enable = true; + vhostUserPackages = with pkgs; [ virtiofsd ]; + ovmf = { + enable = true; + packages = [ + (pkgs.OVMFFull.override { + secureBoot = true; + tpmSupport = true; + }).fd + ]; }; }; }; }; - udev.extraRules = '' - # share screen when dongle detected - SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="343c", ATTRS{idProduct}=="0000", TAG+="systemd", ENV{SYSTEMD_WANTS}="swarsel-screenshare.service" + environment.systemPackages = with pkgs; [ + # (python39.withPackages (ps: with ps; [ + # cryptography + # ])) + # docker + python39 + qemu + packer + gnumake + libisoburn + govc + terraform + graphviz - # lock screen when yubikey removed - ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" - ''; + # vm + virt-manager + virt-viewer + virtiofsd + spice + 
spice-gtk + spice-protocol + win-virtio + win-spice + ]; - }; - systemd.services = lib.mkMerge [ - (swarselService "swarsel-screenshare" "Start screensharing after HDMI dongle is detected" "${pkgs.screenshare}/bin/screenshare -h") - ]; + services = { + spice-vdagentd.enable = true; + openssh = { + enable = true; + extraConfig = '' + ''; + }; - # cgroups v1 is required for centos7 dockers - specialisation = { - cgroup_v1.configuration = { - boot.kernelParams = [ - "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" - "systemd.unified_cgroup_hierarchy=0" - ]; + syncthing = { + settings = { + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + folders = { + "Documents" = { + path = "${homeDir}/Documents"; + devices = [ "magicant" "winters" ]; + id = "hgr3d-pfu3w"; + }; + }; + }; + }; + + udev.extraRules = '' + # share screen when dongle detected + SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="343c", ATTRS{idProduct}=="0000", TAG+="systemd", ENV{SYSTEMD_WANTS}="swarsel-screenshare.service" + + # lock screen when yubikey removed + ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" + ''; + + }; + + systemd.services = lib.mkMerge [ + (swarselService "swarsel-screenshare" "Start screensharing after HDMI dongle is detected" "${pkgs.screenshare}/bin/screenshare -h") + ]; + + # cgroups v1 is required for centos7 dockers + specialisation = { + cgroup_v1.configuration = { + boot.kernelParams = [ + "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" + "systemd.unified_cgroup_hierarchy=0" + ]; + }; }; }; 
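Review bot: `zsh.shellInit` still `cat`s the vSphere and govc credentials into exported variables, so once `modules.optional.work` is on, every interactive shell and every process it spawns carries `VSPHERE_PW` and `GOVC_PASSWORD` in its environment; the new mkIf only scopes this to work hosts, it does not narrow the exposure. Loading them in a small shell function invoked right before the tools that need them would keep the secrets to those processes; this is pre-existing and is raised because the block is now the whole surface of the work option. Separately, the comment `# lock screen when yubikey removed` sits above a rule that runs `systemctl suspend`; `# suspend when yubikey removed` matches what it does. The `let` bindings this block relies on (`owner`, `sopsFile`, `homeDir`, `mainUser`, `swarselService`) are defined above the hunk.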
@@ -10655,11 +10790,14 @@ Used for storing sessions in e.g. Nextcloud This enables phone/computer communication, including sending clipboard, files etc. Sadly on Wayland many of the features are broken (like remote control). #+begin_src nix :tangle modules/home/common/kdeconnect.nix - _: + { lib, config, ... }: { - services.kdeconnect = { - enable = true; - indicator = true; + options.swarselsystems.modules.kdeconnect = lib.mkEnableOption "kdeconnect settings"; + config = lib.mkIf config.swarselsystems.modules.kdeconnect { + services.kdeconnect = { + enable = true; + indicator = true; + }; }; } 
@@ -10675,42 +10813,55 @@ Desktop notifications! The `extraConfig` section here CANNOT be reindented. This has something to do with how nix handles multiline strings, when indented Mako will fail to start. This might be a mako bug as well. #+begin_src nix :tangle modules/home/common/mako.nix - _: + { lib, config, ... }: { - services.mako = { - enable = true; - # backgroundColor = "#2e3440"; - # borderColor = "#88c0d0"; - borderRadius = 15; - borderSize = 1; - defaultTimeout = 5000; - height = 150; - icons = true; - ignoreTimeout = true; - layer = "overlay"; - maxIconSize = 64; - sort = "-time"; - width = 300; - # font = "monospace 10"; - extraConfig = '' - [urgency=low] - border-color=#cccccc - [urgency=normal] - border-color=#d08770 - [urgency=high] - border-color=#bf616a - default-timeout=3000 - [category=mpd] - default-timeout=2000 - group-by=category - ''; + options.swarselsystems.modules.mako = lib.mkEnableOption "mako settings"; + config = lib.mkIf config.swarselsystems.modules.mako { + services.mako = { + enable = true; + # backgroundColor = "#2e3440"; + # borderColor = "#88c0d0"; + borderRadius = 15; + borderSize = 1; + defaultTimeout = 5000; + height = 150; + icons = true; + ignoreTimeout = true; + layer = "overlay"; + maxIconSize = 64; + sort = "-time"; + width = 300; + # font = "monospace 10"; + extraConfig = '' + [urgency=low] + border-color=#cccccc + [urgency=normal] + border-color=#d08770 + [urgency=high] + border-color=#bf616a + default-timeout=3000 + [category=mpd] + default-timeout=2000 + group-by=category + ''; + }; }; - services.swayosd = { - enable = true; - topMargin = 0.5; - }; + } +#+end_src +***** SwayOSD + +#+begin_src nix :tangle modules/home/common/swayosd.nix + { lib, config, ... }: + { + options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings"; + config = lib.mkIf config.swarselsystems.modules.swayosd { + services.swayosd = { + enable = true; + topMargin = 0.5; + }; + }; } #+end_src 
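Review bot: The prose directly above this block says the `extraConfig` section cannot be reindented or Mako fails to start, yet the hunk shifts the whole `extraConfig = ''...''` body two spaces to the right along with the rest of the module. Nix strips the common leading indentation of `''` strings, so a uniform shift should tangle to the same text as before, but that needs confirming on a host; if the daemon starts, the warning paragraph above the block should be revised or removed, and if it does not, the string body should be kept at its previous indent. The new swayosd.nix block in the same hunk is consistent with the other new modules.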
@@ -10720,32 +10871,35 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi :END: #+begin_src nix :tangle modules/home/common/yubikey-touch-detector.nix - { pkgs, ... }: + { lib, config, pkgs, ... }: { - systemd.user.services.yubikey-touch-detector = { - Unit = { - Description = "Detects when your YubiKey is waiting for a touch"; - Requires = [ "yubikey-touch-detector.socket" ]; + options.swarselsystems.modules.yubikeytouch = lib.mkEnableOption "yubikey touch detector service settings"; + config = lib.mkIf config.swarselsystems.modules.yubikeytouch { + systemd.user.services.yubikey-touch-detector = { + Unit = { + Description = "Detects when your YubiKey is waiting for a touch"; + Requires = [ "yubikey-touch-detector.socket" ]; + }; + Service = { + ExecStart = "${pkgs.yubikey-touch-detector}/bin/yubikey-touch-detector --libnotify"; + EnvironmentFile = "-%E/yubikey-touch-detector/service.conf"; + }; + Install = { + Also = [ "yubikey-touch-detector.socket" ]; + WantedBy = [ "default.target" ]; + }; }; - Service = { - ExecStart = "${pkgs.yubikey-touch-detector}/bin/yubikey-touch-detector --libnotify"; - EnvironmentFile = "-%E/yubikey-touch-detector/service.conf"; - }; - Install = { - Also = [ "yubikey-touch-detector.socket" ]; - WantedBy = [ "default.target" ]; - }; - }; - systemd.user.sockets.yubikey-touch-detector = { - Unit = { - Description = "Unix socket activation for YubiKey touch detector service"; - }; - Socket = { - ListenStream = "%t/yubikey-touch-detector.socket"; - RemoveOnStop = true; - }; - Install = { - WantedBy = [ "sockets.target" ]; + systemd.user.sockets.yubikey-touch-detector = { + Unit = { + Description = "Unix socket activation for YubiKey touch detector service"; + }; + Socket = { + ListenStream = "%t/yubikey-touch-detector.socket"; + RemoveOnStop = true; + }; + Install = { + WantedBy = [ "sockets.target" ]; + }; }; }; } 
@@ -10764,6 +10918,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se { self, config, lib, ... }: { options.swarselsystems = { + modules.sway = lib.mkEnableOption "sway settings"; inputs = lib.mkOption { type = lib.types.attrsOf (lib.types.attrsOf lib.types.str); default = { }; @@ -10827,7 +10982,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se internal = true; }; }; - config = { + config = lib.mkIf config.swarselsystems.modules.sway { swarselsystems = { touchpad = lib.mkIf config.swarselsystems.isLaptop { "type:touchpad" = { 
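Review bot: Wrapping the whole `config` of sway.nix in `lib.mkIf config.swarselsystems.modules.sway` also suspends the definitions of the internal options declared in this file (`swarselsystems.inputs`, `touchpad`, and whatever else the declaration block holds), which other modules presumably read; `inputs` has `default = { }`, but most of the declarations run outside the hunk, so confirm that each has a default, otherwise a host with sway disabled fails evaluation on the first module that reads one. If those consumers should be off whenever sway is off, gating them on the same option is the cleaner fix. The new `modules.sway` declaration under `options.swarselsystems` matches the path used by the other new modules.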
@@ -11175,77 +11330,80 @@ Currently, I am too lazy to explain every option here, but most of it is very se #+begin_src nix :tangle modules/home/common/kanshi.nix - { config, ... }: + { lib, config, ... }: { - services.kanshi = { - enable = true; - settings = [ - { - # laptop screen - output = { - criteria = config.swarselsystems.sharescreen; - mode = config.swarselsystems.highResolution; - scale = 1.0; - }; - } - { - # home main screen - output = { - criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - scale = 1.0; - mode = "2560x1440"; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = "eDP-2"; - status = "enable"; - scale = 1.0; - } - ]; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - scale = 1.0; - mode = "2560x1440"; - position = "0,0"; - } - ]; - }; - } - { - profile = { - name = "lidclosed"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - position = "2560,0"; - } - { - criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - scale = 1.0; - mode = "2560x1440"; - position = "0,0"; - } - ]; - }; - } - ]; + options.swarselsystems.modules.kanshi = lib.mkEnableOption "kanshi settings"; + config = lib.mkIf config.swarselsystems.modules.kanshi { + services.kanshi = { + enable = true; + settings = [ + { + # laptop screen + output = { + criteria = config.swarselsystems.sharescreen; + mode = config.swarselsystems.highResolution; + scale = 1.0; + }; + } + { + # home main screen + output = { + criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + scale = 1.0; + mode = "2560x1440"; + }; + } + { + profile = { + name = "lidopen"; + outputs = [ + { + criteria = "eDP-2"; + status = "enable"; + scale = 1.0; + } + ]; + }; + } + { 
+ profile = { + name = "lidopen"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.7; + position = "2560,0"; + } + { + criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + scale = 1.0; + mode = "2560x1440"; + position = "0,0"; + } + ]; + }; + } + { + profile = { + name = "lidclosed"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + position = "2560,0"; + } + { + criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + scale = 1.0; + mode = "2560x1440"; + position = "0,0"; + } + ]; + }; + } + ]; + }; }; } #+end_src 
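Review bot: The first `lidopen` profile on the new side hard-codes `criteria = "eDP-2";` while every other entry in the same list uses `config.swarselsystems.sharescreen`, so a host whose `sharescreen` is not eDP-2 gets a profile that never matches; changing it to `criteria = config.swarselsystems.sharescreen;` keeps the list consistent with the module's own parameterisation. Two profiles also share the name `lidopen` and two share `lidclosed`; kanshi selects profiles by the connected output set, so this may be deliberate, but a short comment on each pair (e.g. `# single-screen variant` / `# docked variant`) would make that clear. The same applies to the tangled copy in modules/home/common/kanshi.nix.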
@@ -11258,44 +11416,47 @@ Currently, I am too lazy to explain every option here, but most of it is very se Settinfs that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here. #+begin_src nix :tangle modules/home/common/gpg-agent.nix - { self, config, pkgs, ... }: + { self, lib, config, pkgs, ... }: let inherit (config.swarselsystems) mainUser homeDir; in { - services.gpg-agent = { - enable = true; - enableZshIntegration = true; - enableScDaemon = true; - enableSshSupport = true; - enableExtraSocket = true; - pinentryPackage = pkgs.pinentry.gtk2; - defaultCacheTtl = 600; - maxCacheTtl = 7200; - extraConfig = '' - allow-loopback-pinentry - allow-emacs-pinentry - ''; - sshKeys = [ - "4BE7925262289B476DBBC17B76FD3810215AE097" + options.swarselsystems.modules.gpgagent = lib.mkEnableOption "gpg agent settings"; + config = lib.mkIf config.swarselsystems.modules.gpgagent { + services.gpg-agent = { + enable = true; + enableZshIntegration = true; + enableScDaemon = true; + enableSshSupport = true; + enableExtraSocket = true; + pinentryPackage = pkgs.pinentry.gtk2; + defaultCacheTtl = 600; + maxCacheTtl = 7200; + extraConfig = '' + allow-loopback-pinentry + allow-emacs-pinentry + ''; + sshKeys = [ + "4BE7925262289B476DBBC17B76FD3810215AE097" + ]; + }; + + programs.gpg = { + enable = true; + publicKeys = [ + { + source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc"; + trust = 5; + } + ]; + }; + + # assure correct permissions + systemd.user.tmpfiles.rules = [ + "d ${homeDir}/.gnupg 700 ${mainUser} users" ]; }; - programs.gpg = { - enable = true; - publicKeys = [ - { - source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc"; - trust = 5; - } - ]; - }; - - # assure correct permissions - systemd.user.tmpfiles.rules = [ - "d ${homeDir}/.gnupg 700 ${mainUser} users" - ]; - } #+end_src 
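Review bot: The `extraConfig` lines `allow-loopback-pinentry` and `allow-emacs-pinentry` deserve a comment, since they let a client supply the passphrase over the agent connection instead of through the pinentry dialog; the prose above only mentions Emacs. A comment such as `# loopback/emacs pinentry: passphrase may be supplied by the caller (EasyPG) instead of the pinentry dialog` on the `extraConfig` line documents the trade-off for the next reader. It would also help to note next to `defaultCacheTtl`/`maxCacheTtl` that the values are seconds (10 min / 2 h), and that the `systemd.user.tmpfiles.rules` entry fixing `.gnupg` to mode 700 is now skipped whenever `modules.gpgagent` is off. The tangled copy in modules/home/common/gpg-agent.nix carries the same lines.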
@@ -11307,16 +11468,19 @@ Settinfs that are needed for the gpg-agent. Also we are enabling emacs support f This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. #+begin_src nix :tangle modules/home/common/gammastep.nix - { lib, nix-secrets, ... }: + { lib, config, nix-secrets, ... }: let secretsDirectory = builtins.toString nix-secrets; in { - services.gammastep = { - enable = true; - provider = "manual"; - latitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-latitude"; - longitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-longitude"; + options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings"; + config = lib.mkIf config.swarselsystems.modules.gammastep { + services.gammastep = { + enable = true; + provider = "manual"; + latitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-latitude"; + longitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-longitude"; + }; }; } #+end_src 
@@ -11357,12 +11521,15 @@ This section should be used in order to symlink already existing configuration f As for the `home.sessionVariables`, it should be noted that environment variables that are needed at system start should NOT be loaded here, but instead in `programs.zsh.config.extraSessionCommands` (in the home-manager programs section). This is also where all the wayland related variables are stored. #+begin_src nix :tangle modules/home/server/symlink.nix - { self, lib, ... }: + { self, lib, config, ... }: { - home.file = { - "init.el" = lib.mkForce { - source = self + /programs/emacs/server.el; - target = ".emacs.d/init.el"; + options.swarselsystems.modules.server.dotfiles = lib.mkEnableOption "server dotfiles settings"; + config = lib.mkIf config.swarselsystems.modules.server.dotfiles { + home.file = { + "init.el" = lib.mkForce { + source = self + /programs/emacs/server.el; + target = ".emacs.d/init.el"; + }; }; }; } 
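Review bot: The option introduced here is `swarselsystems.modules.server.dotfiles`, but the file is `modules/home/server/symlink.nix` and every other module in this diff names its option after its file (kanshi, mako, gammastep, ...). Either `modules.server.symlink` or a rename of the tangle target would keep the option path discoverable from the file name. If the name is intentional because more dotfile links are planned, a comment on the `options.` line saying so would suffice.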
@@ -11408,40 +11575,43 @@ Akin to the optional NixOS modules. The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming]]. #+begin_src nix :tangle modules/home/optional/gaming.nix - { pkgs, ... }: + { lib, config, pkgs, ... }: { - # specialisation = { - # gaming.configuration = { - home.packages = with pkgs; [ - lutris - wine - winetricks - libudev-zero - dwarfs - fuse-overlayfs - # steam - steam-run - patchelf - gamescope - vulkan-tools - moonlight-qt - ns-usbloader + options.swarselsystems.modules.optional.gaming = lib.mkEnableOption "optional gaming settings"; + config = lib.mkIf config.swarselsystems.modules.optional.gaming { + # specialisation = { + # gaming.configuration = { + home.packages = with pkgs; [ + lutris + wine + winetricks + libudev-zero + dwarfs + fuse-overlayfs + # steam + steam-run + patchelf + gamescope + vulkan-tools + moonlight-qt + ns-usbloader - quark-goldleaf + quark-goldleaf - # gog games installing - heroic + # gog games installing + heroic - # minecraft - prismlauncher # has overrides - temurin-bin-17 + # minecraft + prismlauncher # has overrides + temurin-bin-17 - pokefinder - retroarch - flips - ]; - # }; - # }; + pokefinder + retroarch + flips + ]; + # }; + # }; + }; } #+end_src 
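Review bot: The commented-out `# specialisation = {` / `# gaming.configuration = {` scaffolding and the matching `# };` lines are carried into the new `mkIf` body unchanged; now that the module has a proper enable option, the old specialisation idea is dead code and the four comment lines only obscure the structure. Dropping them, or replacing them with one line `# previously planned as a NixOS specialisation; now gated by modules.optional.gaming`, reads cleaner. The tangled copy in modules/home/optional/gaming.nix has the same leftovers.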
@@ -11463,307 +11633,310 @@ The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] wsUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/ws-user"; in { - home.packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - rclone - stable.awscli2 - libguestfs-with-appliance - stable.prometheus.cli - tigervnc - openstackclient - ]; + options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; + config = lib.mkIf config.swarselsystems.modules.optional.work { + home.packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + rclone + stable.awscli2 + libguestfs-with-appliance + stable.prometheus.cli + tigervnc + openstackclient + ]; - home.sessionVariables = { - DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - }; - - wayland.windowManager.sway.config = { - output = { - "Applied Creative Technology Transmitter QUATTRO201811" = { - bg = "${self}/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - }; - "Hewlett Packard HP Z24i CN44250RDT" = { - bg = "${self}/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - }; - "HP Inc. 
HP 732pk CNC4080YL5" = { - bg = "${self}/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - }; - }; - }; - - stylix.targets.firefox.profileNames = [ - "dc" - "cl" - "ws" - ]; - - programs = { - git.userEmail = lib.swarselsystems.getSecret "${secretsDirectory}/work/git-email"; - - zsh = { - shellAliases = { - dssh = "ssh -l ${dcUser}"; - cssh = "ssh -l ${clUser}"; - wssh = "ssh -l ${wsUser}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles"; - }; + home.sessionVariables = { + DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; }; - ssh = { - matchBlocks = { - "uc" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-prod"; - user = "stack"; + wayland.windowManager.sway.config = { + output = { + "Applied Creative Technology Transmitter QUATTRO201811" = { + bg = "${self}/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; }; - "uc.stg" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; - user = "stack"; + "Hewlett Packard HP Z24i CN44250RDT" = { + bg = "${self}/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; }; - "uc.staging" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; - user = "stack"; - }; - "uc.dev" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-dev"; - user = "stack"; - }; - "cbe" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-prod"; - user = dcUser; - }; - "cbe.stg" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; - user = dcUser; - }; - "cbe.staging" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; - user = dcUser; - }; - "*.vbc.ac.at" = { - user = 
dcUser; + "HP Inc. HP 732pk CNC4080YL5" = { + bg = "${self}/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; }; }; }; - firefox = { - profiles = + stylix.targets.firefox.profileNames = [ + "dc" + "cl" + "ws" + ]; + + programs = { + git.userEmail = lib.swarselsystems.getSecret "${secretsDirectory}/work/git-email"; + + zsh = { + shellAliases = { + dssh = "ssh -l ${dcUser}"; + cssh = "ssh -l ${clUser}"; + wssh = "ssh -l ${wsUser}"; + }; + cdpath = [ + "~/Documents/Work" + ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles"; + }; + }; + + ssh = { + matchBlocks = { + "uc" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-prod"; + user = "stack"; + }; + "uc.stg" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; + user = "stack"; + }; + "uc.staging" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; + user = "stack"; + }; + "uc.dev" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-dev"; + user = "stack"; + }; + "cbe" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-prod"; + user = dcUser; + }; + "cbe.stg" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; + user = dcUser; + }; + "cbe.staging" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; + user = dcUser; + }; + "*.vbc.ac.at" = { + user = dcUser; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + dc = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at"; + }; + } + config.swarselsystems.firefox; + cl = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = 
"https://portal.azure.com"; + }; + } + config.swarselsystems.firefox; + ws = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + config.swarselsystems.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { + name = "lidopen"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.5; + position = "1462,0"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = { + name = "lidopen"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.7; + position = "2560,0"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } + { + profile = { + name = "lidclosed"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = { + name = "lidclosed"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } + ]; + }; + }; + + xdg = { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = let - isDefault = false; + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; in { - dc = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at"; - }; - } - config.swarselsystems.firefox; - cl = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "https://portal.azure.com"; - }; - } - config.swarselsystems.firefox; - ws = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - config.swarselsystems.firefox; + firefox_dc = { + name = "Firefox (dc)"; + genericName = "Firefox dc"; + exec = "firefox -p dc"; + inherit terminal categories icon; + }; + + firefox_ws = { + name = "Firefox (ws)"; + genericName = "Firefox ws"; + exec = "firefox -p ws"; + inherit terminal categories icon; + }; + + firefox_cl = { + name = "Firefox (cl)"; + genericName = "Firefox cl"; + exec = "firefox -p cl"; + inherit terminal categories icon; + }; + }; }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - 
"edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; - }; - }; - - services = { - kanshi = { - settings = [ - { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - }; - } - { - # work main screen - output = { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; - }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.5; - position = "1462,0"; - } - { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; - } - ]; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - { - profile = { - name = "lidclosed"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "HP Inc. 
HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; - } - ]; - }; - } - { - profile = { - name = "lidclosed"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - ]; - }; - }; - - xdg = { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; - }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_dc = { - name = "Firefox (dc)"; - genericName = "Firefox dc"; - exec = "firefox -p dc"; - inherit terminal categories icon; - }; - - firefox_ws = { - name = "Firefox (ws)"; - genericName = "Firefox ws"; - exec = "firefox -p ws"; - inherit terminal categories icon; - }; - - firefox_cl = { - name = "Firefox (cl)"; - genericName = "Firefox cl"; - exec = "firefox -p cl"; - inherit terminal categories icon; - }; - - }; }; } diff --git a/hosts/nixos/nbl-imba-2/default.nix b/hosts/nixos/nbl-imba-2/default.nix index 31b35dc..9d3f41d 100644 --- a/hosts/nixos/nbl-imba-2/default.nix +++ b/hosts/nixos/nbl-imba-2/default.nix @@ -6,7 +6,10 @@ let isBtrfs = true; isLinux = true; sharescreen = "eDP-2"; - profiles.personal = true; + profiles = { + personal = true; + work = true; + }; }; in { @@ -25,11 +28,13 @@ in "${modulesPath}/nixos/optional/gaming.nix" "${modulesPath}/nixos/optional/work.nix" "${self}/profiles/nixos" + "${modulesPath}/nixos/server" inputs.home-manager.nixosModules.home-manager { home-manager.users."${primaryUser}".imports = [ "${self}/profiles/home" + "${modulesPath}/home/server" "${modulesPath}/home/optional/gaming.nix" "${modulesPath}/home/optional/work.nix" ]; 
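Review bot: The ssh `matchBlocks` and `git.userEmail` fetch every work hostname and user through `lib.swarselsystems.getSecret`, yet the same block embeds `"*.vbc.ac.at"`, `https://tower.vbc.ac.at` and `https://artifactory.vbc.ac.at` as literals, so the domain the secrets are protecting is already in the file. If those names are meant to stay out of the public config, the literals should go through the same secret lookup (e.g. `lib.swarselsystems.getSecret "${secretsDirectory}/work/domain"`); if not, a comment on the `ssh = {` line explaining which values are considered sensitive would stop the next edit from guessing. The enclosing `let` binding for `dcUser`/`clUser`/`wsUser` starts before the hunk, and the tangled copy in modules/home/optional/work.nix is the same content.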
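Review bot: The second hunk of hosts/nixos/nbl-imba-2/default.nix adds `"${modulesPath}/nixos/server"` and `"${modulesPath}/home/server"` to the import list of the machine the org text describes as the hardened work laptop, without any comment on why a laptop imports the server module set. Importing alone only declares the options, but it makes every server service reachable from this host's configuration with a single `= true`, so a comment such as `# server modules imported for the option declarations only; nothing is enabled unless profiles.server.* is set` on the added line would record the intent. The profile block in the first hunk sets `personal` and `work` only, which is consistent with that reading, but I cannot see the profile defaults from here.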
diff --git a/modules/home/common/gammastep.nix b/modules/home/common/gammastep.nix index 55bf1bf..d2fbbb5 100644 --- a/modules/home/common/gammastep.nix +++ b/modules/home/common/gammastep.nix @@ -1,12 +1,15 @@ -{ lib, nix-secrets, ... }: +{ lib, config, nix-secrets, ... }: let secretsDirectory = builtins.toString nix-secrets; in { - services.gammastep = { - enable = true; - provider = "manual"; - latitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-latitude"; - longitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-longitude"; + options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings"; + config = lib.mkIf config.swarselsystems.modules.gammastep { + services.gammastep = { + enable = true; + provider = "manual"; + latitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-latitude"; + longitude = lib.swarselsystems.getSecret "${secretsDirectory}/home/gammastep-longitude"; + }; }; } diff --git a/modules/home/common/gpg-agent.nix b/modules/home/common/gpg-agent.nix index c70a572..b17f204 100644 --- a/modules/home/common/gpg-agent.nix +++ b/modules/home/common/gpg-agent.nix 
@@ -1,39 +1,42 @@ -{ self, config, pkgs, ... }: +{ self, lib, config, pkgs, ... }: let inherit (config.swarselsystems) mainUser homeDir; in { - services.gpg-agent = { - enable = true; - enableZshIntegration = true; - enableScDaemon = true; - enableSshSupport = true; - enableExtraSocket = true; - pinentryPackage = pkgs.pinentry.gtk2; - defaultCacheTtl = 600; - maxCacheTtl = 7200; - extraConfig = '' - allow-loopback-pinentry - allow-emacs-pinentry - ''; - sshKeys = [ - "4BE7925262289B476DBBC17B76FD3810215AE097" + options.swarselsystems.modules.gpgagent = lib.mkEnableOption "gpg agent settings"; + config = lib.mkIf config.swarselsystems.modules.gpgagent { + services.gpg-agent = { + enable = true; + enableZshIntegration = true; + enableScDaemon = true; + enableSshSupport = true; + enableExtraSocket = true; + pinentryPackage = pkgs.pinentry.gtk2; + defaultCacheTtl = 600; + maxCacheTtl = 7200; + extraConfig = '' + allow-loopback-pinentry + allow-emacs-pinentry + ''; + sshKeys = [ + "4BE7925262289B476DBBC17B76FD3810215AE097" + ]; + }; + + programs.gpg = { + enable = true; + publicKeys = [ + { + source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc"; + trust = 5; + } + ]; + }; + + # assure correct permissions + systemd.user.tmpfiles.rules = [ + "d ${homeDir}/.gnupg 700 ${mainUser} users" ]; }; - programs.gpg = { - enable = true; - publicKeys = [ - { - source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc"; - trust = 5; - } - ]; - }; - - # assure correct permissions - systemd.user.tmpfiles.rules = [ - "d ${homeDir}/.gnupg 700 ${mainUser} users" - ]; - } diff --git a/modules/home/common/kanshi.nix b/modules/home/common/kanshi.nix index 2a4ba89..0cb7480 100644 --- a/modules/home/common/kanshi.nix +++ b/modules/home/common/kanshi.nix 
@@ -1,73 +1,76 @@ -{ config, ... }: +{ lib, config, ... }: { - services.kanshi = { - enable = true; - settings = [ - { - # laptop screen - output = { - criteria = config.swarselsystems.sharescreen; - mode = config.swarselsystems.highResolution; - scale = 1.0; - }; - } - { - # home main screen - output = { - criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - scale = 1.0; - mode = "2560x1440"; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = "eDP-2"; - status = "enable"; - scale = 1.0; - } - ]; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - scale = 1.0; - mode = "2560x1440"; - position = "0,0"; - } - ]; - }; - } - { - profile = { - name = "lidclosed"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - position = "2560,0"; - } - { - criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - scale = 1.0; - mode = "2560x1440"; - position = "0,0"; - } - ]; - }; - } - ]; + options.swarselsystems.modules.kanshi = lib.mkEnableOption "kanshi settings"; + config = lib.mkIf config.swarselsystems.modules.kanshi { + services.kanshi = { + enable = true; + settings = [ + { + # laptop screen + output = { + criteria = config.swarselsystems.sharescreen; + mode = config.swarselsystems.highResolution; + scale = 1.0; + }; + } + { + # home main screen + output = { + criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + scale = 1.0; + mode = "2560x1440"; + }; + } + { + profile = { + name = "lidopen"; + outputs = [ + { + criteria = "eDP-2"; + status = "enable"; + scale = 1.0; + } + ]; + }; + } + { + profile = { + name = "lidopen"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.7; + position 
= "2560,0"; + } + { + criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + scale = 1.0; + mode = "2560x1440"; + position = "0,0"; + } + ]; + }; + } + { + profile = { + name = "lidclosed"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + position = "2560,0"; + } + { + criteria = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + scale = 1.0; + mode = "2560x1440"; + position = "0,0"; + } + ]; + }; + } + ]; + }; }; } diff --git a/modules/home/common/kdeconnect.nix b/modules/home/common/kdeconnect.nix index 1687db4..b36122e 100644 --- a/modules/home/common/kdeconnect.nix +++ b/modules/home/common/kdeconnect.nix @@ -1,8 +1,11 @@ -_: +{ lib, config, ... }: { - services.kdeconnect = { - enable = true; - indicator = true; + options.swarselsystems.modules.kdeconnect = lib.mkEnableOption "kdeconnect settings"; + config = lib.mkIf config.swarselsystems.modules.kdeconnect { + services.kdeconnect = { + enable = true; + indicator = true; + }; }; } diff --git a/modules/home/common/mako.nix b/modules/home/common/mako.nix index 0e46f7e..6388674 100644 --- a/modules/home/common/mako.nix +++ b/modules/home/common/mako.nix 
@@ -1,37 +1,35 @@ -_: +{ lib, config, ... }: { - services.mako = { - enable = true; - # backgroundColor = "#2e3440"; - # borderColor = "#88c0d0"; - borderRadius = 15; - borderSize = 1; - defaultTimeout = 5000; - height = 150; - icons = true; - ignoreTimeout = true; - layer = "overlay"; - maxIconSize = 64; - sort = "-time"; - width = 300; - # font = "monospace 10"; - extraConfig = '' - [urgency=low] - border-color=#cccccc - [urgency=normal] - border-color=#d08770 - [urgency=high] - border-color=#bf616a - default-timeout=3000 - [category=mpd] - default-timeout=2000 - group-by=category - ''; - }; - - services.swayosd = { - enable = true; - topMargin = 0.5; + options.swarselsystems.modules.mako = lib.mkEnableOption "mako settings"; + config = lib.mkIf config.swarselsystems.modules.mako { + services.mako = { + enable = true; + # backgroundColor = "#2e3440"; + # borderColor = "#88c0d0"; + borderRadius = 15; + borderSize = 1; + defaultTimeout = 5000; + height = 150; + icons = true; + ignoreTimeout = true; + layer = "overlay"; + maxIconSize = 64; + sort = "-time"; + width = 300; + # font = "monospace 10"; + extraConfig = '' + [urgency=low] + border-color=#cccccc + [urgency=normal] + border-color=#d08770 + [urgency=high] + border-color=#bf616a + default-timeout=3000 + [category=mpd] + default-timeout=2000 + group-by=category + ''; + }; }; } diff --git a/modules/home/common/sway.nix b/modules/home/common/sway.nix index 054aaf1..ad71d02 100644 --- a/modules/home/common/sway.nix +++ b/modules/home/common/sway.nix @@ -1,6 +1,7 @@ { self, config, lib, ... }: { options.swarselsystems = { + modules.sway = lib.mkEnableOption "sway settings"; inputs = lib.mkOption { type = lib.types.attrsOf (lib.types.attrsOf lib.types.str); default = { }; @@ -64,7 +65,7 @@ internal = true; }; }; - config = { + config = lib.mkIf config.swarselsystems.modules.sway { swarselsystems = { touchpad = lib.mkIf config.swarselsystems.isLaptop { "type:touchpad" = { 
diff --git a/modules/home/common/swayosd.nix b/modules/home/common/swayosd.nix
new file mode 100644
index 0000000..9af1ac8
--- /dev/null
+++ b/modules/home/common/swayosd.nix
@@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+ options.swarselsystems.modules.swayosd = lib.mkEnableOption "swayosd settings";
+ config = lib.mkIf config.swarselsystems.modules.swayosd {
+ services.swayosd = {
+ enable = true;
+ topMargin = 0.5;
+ };
+ };
+}
diff --git a/modules/home/common/yubikey-touch-detector.nix b/modules/home/common/yubikey-touch-detector.nix
index 2ca5fd6..53e5721 100644
--- a/modules/home/common/yubikey-touch-detector.nix
+++ b/modules/home/common/yubikey-touch-detector.nix
@@ -1,29 +1,32 @@ -{ pkgs, ... }: +{ lib, config, pkgs, ... }: { - systemd.user.services.yubikey-touch-detector = { - Unit = { - Description = "Detects when your YubiKey is waiting for a touch"; - Requires = [ "yubikey-touch-detector.socket" ]; + options.swarselsystems.modules.yubikeytouch = lib.mkEnableOption "yubikey touch detector service settings"; + config = lib.mkIf config.swarselsystems.modules.yubikeytouch { + systemd.user.services.yubikey-touch-detector = { + Unit = { + Description = "Detects when your YubiKey is waiting for a touch"; + Requires = [ "yubikey-touch-detector.socket" ]; + }; + Service = { + ExecStart = "${pkgs.yubikey-touch-detector}/bin/yubikey-touch-detector --libnotify"; + EnvironmentFile = "-%E/yubikey-touch-detector/service.conf"; + }; + Install = { + Also = [ "yubikey-touch-detector.socket" ]; + WantedBy = [ "default.target" ]; + }; }; - Service = { - ExecStart = "${pkgs.yubikey-touch-detector}/bin/yubikey-touch-detector --libnotify"; - EnvironmentFile = "-%E/yubikey-touch-detector/service.conf"; - }; - Install = { - Also = [ "yubikey-touch-detector.socket" ]; - WantedBy = [ "default.target" ]; - }; - }; - systemd.user.sockets.yubikey-touch-detector = { - Unit = { - Description = "Unix socket activation for YubiKey touch detector service"; - }; - Socket = { - ListenStream = "%t/yubikey-touch-detector.socket"; - RemoveOnStop = true; - }; - Install = { - WantedBy = [ "sockets.target" ]; + systemd.user.sockets.yubikey-touch-detector = { + Unit = { + Description = "Unix socket activation for YubiKey touch detector service"; + }; + Socket = { + ListenStream = "%t/yubikey-touch-detector.socket"; + RemoveOnStop = true; + }; + Install = { + WantedBy = [ "sockets.target" ]; + }; }; }; } diff --git a/modules/home/optional/gaming.nix b/modules/home/optional/gaming.nix index 58fe580..9891806 100644 --- a/modules/home/optional/gaming.nix +++ b/modules/home/optional/gaming.nix 
@@ -1,35 +1,38 @@ -{ pkgs, ... }: +{ lib, config, pkgs, ... }: { - # specialisation = { - # gaming.configuration = { - home.packages = with pkgs; [ - lutris - wine - winetricks - libudev-zero - dwarfs - fuse-overlayfs - # steam - steam-run - patchelf - gamescope - vulkan-tools - moonlight-qt - ns-usbloader + options.swarselsystems.modules.optional.gaming = lib.mkEnableOption "optional gaming settings"; + config = lib.mkIf config.swarselsystems.modules.optional.gaming { + # specialisation = { + # gaming.configuration = { + home.packages = with pkgs; [ + lutris + wine + winetricks + libudev-zero + dwarfs + fuse-overlayfs + # steam + steam-run + patchelf + gamescope + vulkan-tools + moonlight-qt + ns-usbloader - quark-goldleaf + quark-goldleaf - # gog games installing - heroic + # gog games installing + heroic - # minecraft - prismlauncher # has overrides - temurin-bin-17 + # minecraft + prismlauncher # has overrides + temurin-bin-17 - pokefinder - retroarch - flips - ]; - # }; - # }; + pokefinder + retroarch + flips + ]; + # }; + # }; + }; } diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index 9d67ca0..407aa37 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix 
@@ -7,307 +7,310 @@ let wsUser = lib.swarselsystems.getSecret "${secretsDirectory}/work/ws-user"; in { - home.packages = with pkgs; [ - stable.teams-for-linux - shellcheck - dig - docker - postman - rclone - stable.awscli2 - libguestfs-with-appliance - stable.prometheus.cli - tigervnc - openstackclient - ]; + options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; + config = lib.mkIf config.swarselsystems.modules.optional.work { + home.packages = with pkgs; [ + stable.teams-for-linux + shellcheck + dig + docker + postman + rclone + stable.awscli2 + libguestfs-with-appliance + stable.prometheus.cli + tigervnc + openstackclient + ]; - home.sessionVariables = { - DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; - DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; - }; - - wayland.windowManager.sway.config = { - output = { - "Applied Creative Technology Transmitter QUATTRO201811" = { - bg = "${self}/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; - }; - "Hewlett Packard HP Z24i CN44250RDT" = { - bg = "${self}/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; - }; - "HP Inc. 
HP 732pk CNC4080YL5" = { - bg = "${self}/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; - }; - }; - }; - - stylix.targets.firefox.profileNames = [ - "dc" - "cl" - "ws" - ]; - - programs = { - git.userEmail = lib.swarselsystems.getSecret "${secretsDirectory}/work/git-email"; - - zsh = { - shellAliases = { - dssh = "ssh -l ${dcUser}"; - cssh = "ssh -l ${clUser}"; - wssh = "ssh -l ${wsUser}"; - }; - cdpath = [ - "~/Documents/Work" - ]; - dirHashes = { - d = "$HOME/.dotfiles"; - w = "$HOME/Documents/Work"; - s = "$HOME/.dotfiles/secrets"; - pr = "$HOME/Documents/Private"; - ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles"; - }; + home.sessionVariables = { + DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private"; + DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work"; }; - ssh = { - matchBlocks = { - "uc" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-prod"; - user = "stack"; + wayland.windowManager.sway.config = { + output = { + "Applied Creative Technology Transmitter QUATTRO201811" = { + bg = "${self}/wallpaper/navidrome.png ${config.stylix.imageScalingMode}"; }; - "uc.stg" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; - user = "stack"; + "Hewlett Packard HP Z24i CN44250RDT" = { + bg = "${self}/wallpaper/op6wp.png ${config.stylix.imageScalingMode}"; }; - "uc.staging" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; - user = "stack"; - }; - "uc.dev" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-dev"; - user = "stack"; - }; - "cbe" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-prod"; - user = dcUser; - }; - "cbe.stg" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; - user = dcUser; - }; - "cbe.staging" = { - hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; - user = dcUser; - }; - "*.vbc.ac.at" = { - user = 
dcUser; + "HP Inc. HP 732pk CNC4080YL5" = { + bg = "${self}/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}"; }; }; }; - firefox = { - profiles = + stylix.targets.firefox.profileNames = [ + "dc" + "cl" + "ws" + ]; + + programs = { + git.userEmail = lib.swarselsystems.getSecret "${secretsDirectory}/work/git-email"; + + zsh = { + shellAliases = { + dssh = "ssh -l ${dcUser}"; + cssh = "ssh -l ${clUser}"; + wssh = "ssh -l ${wsUser}"; + }; + cdpath = [ + "~/Documents/Work" + ]; + dirHashes = { + d = "$HOME/.dotfiles"; + w = "$HOME/Documents/Work"; + s = "$HOME/.dotfiles/secrets"; + pr = "$HOME/Documents/Private"; + ac = "$HOME/.ansible/collections/ansible_collections/vbc/linux/roles"; + }; + }; + + ssh = { + matchBlocks = { + "uc" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-prod"; + user = "stack"; + }; + "uc.stg" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; + user = "stack"; + }; + "uc.staging" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-stg"; + user = "stack"; + }; + "uc.dev" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/uc-dev"; + user = "stack"; + }; + "cbe" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-prod"; + user = dcUser; + }; + "cbe.stg" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; + user = dcUser; + }; + "cbe.staging" = { + hostname = lib.swarselsystems.getSecret "${secretsDirectory}/work/cbe-stg"; + user = dcUser; + }; + "*.vbc.ac.at" = { + user = dcUser; + }; + }; + }; + + firefox = { + profiles = + let + isDefault = false; + in + { + dc = lib.recursiveUpdate + { + inherit isDefault; + id = 1; + settings = { + "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at"; + }; + } + config.swarselsystems.firefox; + cl = lib.recursiveUpdate + { + inherit isDefault; + id = 2; + settings = { + "browser.startup.homepage" = 
"https://portal.azure.com"; + }; + } + config.swarselsystems.firefox; + ws = lib.recursiveUpdate + { + inherit isDefault; + id = 3; + } + config.swarselsystems.firefox; + }; + }; + + chromium = { + enable = true; + package = pkgs.chromium; + + extensions = [ + # 1password + "gejiddohjgogedgjnonbofjigllpkmbf" + # dark reader + "eimadpbcbfnmbkopoojfekhnkhdbieeh" + # ublock origin + "cjpalhdlnbpafiamejdnhcphjbkeiagm" + # i still dont care about cookies + "edibdbjcniadpccecjdfdjjppcpchdlm" + # browserpass + "naepdomgkenhinolocfifgehidddafch" + ]; + }; + }; + + services = { + kanshi = { + settings = [ + { + # seminary room + output = { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + }; + } + { + # work main screen + output = { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.0; + mode = "3840x2160"; + }; + } + { + # work side screen + output = { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + }; + } + { + profile = { + name = "lidopen"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.5; + position = "1462,0"; + } + { + criteria = "HP Inc. HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "90"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = { + name = "lidopen"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "enable"; + scale = 1.7; + position = "2560,0"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } + { + profile = { + name = "lidclosed"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "HP Inc. 
HP 732pk CNC4080YL5"; + scale = 1.4; + mode = "3840x2160"; + position = "-1280,0"; + } + { + criteria = "Hewlett Packard HP Z24i CN44250RDT"; + scale = 1.0; + mode = "1920x1200"; + transform = "270"; + position = "-2480,0"; + } + ]; + }; + } + { + profile = { + name = "lidclosed"; + outputs = [ + { + criteria = config.swarselsystems.sharescreen; + status = "disable"; + } + { + criteria = "Applied Creative Technology Transmitter QUATTRO201811"; + scale = 1.0; + mode = "1280x720"; + position = "10000,10000"; + } + ]; + }; + } + ]; + }; + }; + + xdg = { + mimeApps = { + defaultApplications = { + "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; + }; + }; + desktopEntries = let - isDefault = false; + terminal = false; + categories = [ "Application" ]; + icon = "firefox"; in { - dc = lib.recursiveUpdate - { - inherit isDefault; - id = 1; - settings = { - "browser.startup.homepage" = "https://tower.vbc.ac.at|https://artifactory.vbc.ac.at"; - }; - } - config.swarselsystems.firefox; - cl = lib.recursiveUpdate - { - inherit isDefault; - id = 2; - settings = { - "browser.startup.homepage" = "https://portal.azure.com"; - }; - } - config.swarselsystems.firefox; - ws = lib.recursiveUpdate - { - inherit isDefault; - id = 3; - } - config.swarselsystems.firefox; + firefox_dc = { + name = "Firefox (dc)"; + genericName = "Firefox dc"; + exec = "firefox -p dc"; + inherit terminal categories icon; + }; + + firefox_ws = { + name = "Firefox (ws)"; + genericName = "Firefox ws"; + exec = "firefox -p ws"; + inherit terminal categories icon; + }; + + firefox_cl = { + name = "Firefox (cl)"; + genericName = "Firefox cl"; + exec = "firefox -p cl"; + inherit terminal categories icon; + }; + }; }; - - chromium = { - enable = true; - package = pkgs.chromium; - - extensions = [ - # 1password - "gejiddohjgogedgjnonbofjigllpkmbf" - # dark reader - "eimadpbcbfnmbkopoojfekhnkhdbieeh" - # ublock origin - "cjpalhdlnbpafiamejdnhcphjbkeiagm" - # i still dont care about cookies - 
"edibdbjcniadpccecjdfdjjppcpchdlm" - # browserpass - "naepdomgkenhinolocfifgehidddafch" - ]; - }; - }; - - services = { - kanshi = { - settings = [ - { - # seminary room - output = { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - }; - } - { - # work main screen - output = { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.0; - mode = "3840x2160"; - }; - } - { - # work side screen - output = { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.5; - position = "1462,0"; - } - { - criteria = "HP Inc. HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "90"; - position = "-2480,0"; - } - ]; - }; - } - { - profile = { - name = "lidopen"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "enable"; - scale = 1.7; - position = "2560,0"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - { - profile = { - name = "lidclosed"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "HP Inc. 
HP 732pk CNC4080YL5"; - scale = 1.4; - mode = "3840x2160"; - position = "-1280,0"; - } - { - criteria = "Hewlett Packard HP Z24i CN44250RDT"; - scale = 1.0; - mode = "1920x1200"; - transform = "270"; - position = "-2480,0"; - } - ]; - }; - } - { - profile = { - name = "lidclosed"; - outputs = [ - { - criteria = config.swarselsystems.sharescreen; - status = "disable"; - } - { - criteria = "Applied Creative Technology Transmitter QUATTRO201811"; - scale = 1.0; - mode = "1280x720"; - position = "10000,10000"; - } - ]; - }; - } - ]; - }; - }; - - xdg = { - mimeApps = { - defaultApplications = { - "x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ]; - }; - }; - desktopEntries = - let - terminal = false; - categories = [ "Application" ]; - icon = "firefox"; - in - { - firefox_dc = { - name = "Firefox (dc)"; - genericName = "Firefox dc"; - exec = "firefox -p dc"; - inherit terminal categories icon; - }; - - firefox_ws = { - name = "Firefox (ws)"; - genericName = "Firefox ws"; - exec = "firefox -p ws"; - inherit terminal categories icon; - }; - - firefox_cl = { - name = "Firefox (cl)"; - genericName = "Firefox cl"; - exec = "firefox -p cl"; - inherit terminal categories icon; - }; - - }; }; } diff --git a/modules/home/server/symlink.nix b/modules/home/server/symlink.nix index ae15c8f..bbacf96 100644 --- a/modules/home/server/symlink.nix +++ b/modules/home/server/symlink.nix @@ -1,9 +1,12 @@ -{ self, lib, ... }: +{ self, lib, config, ... }: { - home.file = { - "init.el" = lib.mkForce { - source = self + /programs/emacs/server.el; - target = ".emacs.d/init.el"; + options.swarselsystems.modules.server.dotfiles = lib.mkEnableOption "server dotfiles settings"; + config = lib.mkIf config.swarselsystems.modules.server.dotfiles { + home.file = { + "init.el" = lib.mkForce { + source = self + /programs/emacs/server.el; + target = ".emacs.d/init.el"; + }; }; }; } 
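Review bot: The `programs.chromium.extensions` list inside the new `config` block installs extensions by Web Store ID only, so their code is fetched and auto-updated by the browser outside of Nix with no version or hash pinning; on a work host that deserves a line next to the list, e.g. `# installed by ID through browser policy: code comes from the Chrome Web Store and auto-updates outside of Nix`. All three firefox profiles set `isDefault = false`; if no other module supplies a default profile, a short comment on where the default comes from would save the next reader the search. The enclosing `let` (dcUser/clUser/wsUser, secretsDirectory) starts above the hunk.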
diff --git a/modules/nixos/optional/autologin.nix b/modules/nixos/optional/autologin.nix
index 6283235..d7f4c9c 100644
--- a/modules/nixos/optional/autologin.nix
+++ b/modules/nixos/optional/autologin.nix
@@ -1,10 +1,13 @@
-{ config, ... }:
+{ lib, config, ... }:
 let
 inherit (config.swarselsystems) mainUser;
 in
 {
- services = {
- getty.autologinUser = mainUser;
- greetd.settings.initial_session.user = mainUser;
+ options.swarselsystems.modules.optional.autologin = lib.mkEnableOption "optional autologin settings";
+ config = lib.mkIf config.swarselsystems.modules.optional.autologin {
+ services = {
+ getty.autologinUser = mainUser;
+ greetd.settings.initial_session.user = mainUser;
+ };
 };
 }
diff --git a/modules/nixos/optional/gaming.nix b/modules/nixos/optional/gaming.nix
index 38f1c0e..5e601d0 100644
--- a/modules/nixos/optional/gaming.nix
+++ b/modules/nixos/optional/gaming.nix
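Review bot: The option description `"optional autologin settings"` hides what enabling it does: `getty.autologinUser` and `greetd.settings.initial_session.user` together remove the local login prompt for `mainUser` on every TTY and in the greeter. A description that names the consequence, e.g. `lib.mkEnableOption "passwordless autologin of mainUser on getty and greetd"`, makes the flag self-documenting wherever a profile turns it on. A comment above the `services` block naming the assumption that presumably makes this acceptable (disk encryption, a screen locker) would also help a reader judge where the flag is safe to set.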
@@ -1,36 +1,39 @@ -{ pkgs, lib, ... }: +{ pkgs, lib, config, ... }: { - specialisation = { - gaming.configuration = { - networking = { - firewall.enable = lib.mkForce false; - firewall = { - allowedUDPPorts = [ 4380 27036 14242 34197 ]; # 34197: factorio; 4380 27036 14242: barotrauma; - allowedTCPPorts = [ ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard - allowedTCPPortRanges = [ - { from = 27015; to = 27030; } # barotrauma - { from = 27036; to = 27037; } # barotrauma - ]; - allowedUDPPortRanges = [ - { from = 27000; to = 27031; } # barotrauma - { from = 58962; to = 58964; } # barotrauma + options.swarselsystems.modules.optional.gaming = lib.mkEnableOption "optional gaming settings"; + config = lib.mkIf config.swarselsystems.modules.optional.gaming { + specialisation = { + gaming.configuration = { + networking = { + firewall.enable = lib.mkForce false; + firewall = { + allowedUDPPorts = [ 4380 27036 14242 34197 ]; # 34197: factorio; 4380 27036 14242: barotrauma; + allowedTCPPorts = [ ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard + allowedTCPPortRanges = [ + { from = 27015; to = 27030; } # barotrauma + { from = 27036; to = 27037; } # barotrauma + ]; + allowedUDPPortRanges = [ + { from = 27000; to = 27031; } # barotrauma + { from = 58962; to = 58964; } # barotrauma + ]; + }; + }; + + programs.steam = { + enable = true; + package = pkgs.steam; + extraCompatPackages = [ + pkgs.proton-ge-bin ]; }; - }; - programs.steam = { - enable = true; - package = pkgs.steam; - extraCompatPackages = [ - pkgs.proton-ge-bin + hardware.xone.enable = true; + + environment.systemPackages = [ + pkgs.linuxKernel.packages.linux_6_12.xone ]; }; - - hardware.xone.enable = true; - - environment.systemPackages = [ - pkgs.linuxKernel.packages.linux_6_12.xone - ]; }; }; diff --git a/modules/nixos/optional/nswitch-rcm.nix b/modules/nixos/optional/nswitch-rcm.nix index 6af5a91..095524e 100644 --- a/modules/nixos/optional/nswitch-rcm.nix 
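Review bot: `firewall.enable = lib.mkForce false;` in the gaming specialisation turns the four `allowed*` lists right below it into dead configuration and exposes every listening service on the host while that specialisation is booted. Since the game ports are already enumerated, dropping the `mkForce false` line (or replacing it with `firewall.enable = lib.mkDefault true;`) keeps the firewall up with only those ports open; if it was disabled deliberately, a comment naming the game that needs it would help. `pkgs.linuxKernel.packages.linux_6_12.xone` is pinned to the 6.12 package set, so it will diverge from the running kernel once `boot.kernelPackages` changes; `hardware.xone.enable = true` presumably already supplies the module for the configured kernel, which would make the explicit package redundant, worth confirming.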
+++ b/modules/nixos/optional/nswitch-rcm.nix
@@ -1,10 +1,13 @@
-{ pkgs, ... }:
+{ lib, config, pkgs, ... }:
 {
- services.nswitch-rcm = {
- enable = true;
- package = pkgs.fetchurl {
- url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin";
- hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI=";
+ options.swarselsystems.modules.optional.nswitch-rcm = lib.mkEnableOption "optional nswitch-rcm settings";
+ config = lib.mkIf config.swarselsystems.modules.optional.nswitch-rcm {
+ services.nswitch-rcm = {
+ enable = true;
+ package = pkgs.fetchurl {
+ url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin";
+ hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI=";
+ };
 };
 };
 }
diff --git a/modules/nixos/optional/virtualbox.nix b/modules/nixos/optional/virtualbox.nix
index 3eaa64a..060f2bb 100644
--- a/modules/nixos/optional/virtualbox.nix
+++ b/modules/nixos/optional/virtualbox.nix
@@ -1,20 +1,22 @@
-{ lib, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 {
-
- specialisation = {
- VBox.configuration = {
- virtualisation.virtualbox = {
- host = {
- enable = true;
- enableExtensionPack = true;
- };
- # leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
- guest = {
- enable = false;
+ options.swarselsystems.modules.optional.virtualbox = lib.mkEnableOption "optional VBox settings";
+ config = lib.mkIf config.swarselsystems.modules.optional.virtualbox {
+ specialisation = {
+ VBox.configuration = {
+ virtualisation.virtualbox = {
+ host = {
+ enable = true;
+ enableExtensionPack = true;
+ };
+ # leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
+ guest = {
+ enable = false;
+ };
 };
+ # run an older kernel to provide compatibility with windows vm
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
 };
- # run an older kernel to provide compatibility with windows vm
- boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
 };
 };
diff --git a/modules/nixos/optional/vmware.nix b/modules/nixos/optional/vmware.nix
index 5e80c8f..d328f38 100644
--- a/modules/nixos/optional/vmware.nix
+++ b/modules/nixos/optional/vmware.nix
@@ -1,6 +1,9 @@
-_:
+{ lib, config, ... }:
 {
- virtualisation.vmware.host.enable = true;
- virtualisation.vmware.guest.enable = true;
+ options.swarselsystems.modules.optional.vmware = lib.mkEnableOption "optional vmware settings";
+ config = lib.mkIf config.swarselsystems.modules.optional.vmware {
+ virtualisation.vmware.host.enable = true;
+ virtualisation.vmware.guest.enable = true;
+ };
 }
diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix
index 78d65fe..66af2ab 100644
--- a/modules/nixos/optional/work.nix
+++ b/modules/nixos/optional/work.nix
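Review bot: `virtualisation.vmware.guest.enable = true` sits next to `host.enable = true` in the new vmware `config` block; guest tools only make sense inside a VMware VM, so enabling both on one host looks like a leftover. If both are intended (the module being shared by a physical host and a VM, say), a one-line comment above the pair saying so would settle the question; otherwise drop the `guest` line. The virtualbox hunk above has the same shape but keeps `guest.enable = false` with an explanatory comment, which is the pattern to follow here.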
@@ -24,167 +24,170 @@ let }; in { - sops = - let - secretNames = [ - "vcuser" - "vcpw" - "govcuser" - "govcpw" - "govcurl" - "govcdc" - "govcds" - "govchost" - "govcnetwork" - "govcpool" - ]; - in - { - secrets = builtins.listToAttrs ( - map - (name: { - inherit name; - value = { inherit owner sopsFile; }; - }) - secretNames - ); - }; + options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings"; + config = lib.mkIf config.swarselsystems.modules.optional.work { + sops = + let + secretNames = [ + "vcuser" + "vcpw" + "govcuser" + "govcpw" + "govcurl" + "govcdc" + "govcds" + "govchost" + "govcnetwork" + "govcpool" + ]; + in + { + secrets = builtins.listToAttrs ( + map + (name: { + inherit name; + value = { inherit owner sopsFile; }; + }) + secretNames + ); + }; - boot.initrd = { - systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence - luks = { - # disable "support" since we use systemd-cryptenroll - # make sure yubikeys are enrolled using - # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2 - yubikeySupport = false; - fido2Support = false; - }; - }; - - programs = { - zsh.shellInit = '' - export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})" - export VSPHERE_PW="$(cat ${config.sops.secrets.vcpw.path})" - export GOVC_USERNAME="$(cat ${config.sops.secrets.govcuser.path})" - export GOVC_PASSWORD="$(cat ${config.sops.secrets.govcpw.path})" - export GOVC_URL="$(cat ${config.sops.secrets.govcurl.path})" - export GOVC_DATACENTER="$(cat ${config.sops.secrets.govcdc.path})" - export GOVC_DATASTORE="$(cat ${config.sops.secrets.govcds.path})" - export GOVC_HOST="$(cat ${config.sops.secrets.govchost.path})" - export GOVC_RESOURCE_POOL="$(cat ${config.sops.secrets.govcpool.path})" - export GOVC_NETWORK="$(cat ${config.sops.secrets.govcnetwork.path})" - ''; - - browserpass.enable = 
true; - _1password.enable = true; - _1password-gui = { - enable = true; - polkitPolicyOwners = [ "${mainUser}" ]; - }; - }; - - networking = { - firewall.trustedInterfaces = [ "virbr0" ]; - search = [ - "vbc.ac.at" - "clip.vbc.ac.at" - "imp.univie.ac.at" - ]; - }; - - virtualisation = { - docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; - spiceUSBRedirection.enable = true; - libvirtd = { - enable = true; - qemu = { - package = pkgs.qemu_kvm; - runAsRoot = true; - swtpm.enable = true; - vhostUserPackages = with pkgs; [ virtiofsd ]; - ovmf = { - enable = true; - packages = [ - (pkgs.OVMFFull.override { - secureBoot = true; - tpmSupport = true; - }).fd - ]; - }; + boot.initrd = { + systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence + luks = { + # disable "support" since we use systemd-cryptenroll + # make sure yubikeys are enrolled using + # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2 + yubikeySupport = false; + fido2Support = false; }; }; - }; - environment.systemPackages = with pkgs; [ - # (python39.withPackages (ps: with ps; [ - # cryptography - # ])) - # docker - python39 - qemu - packer - gnumake - libisoburn - govc - terraform - graphviz + programs = { + zsh.shellInit = '' + export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})" + export VSPHERE_PW="$(cat ${config.sops.secrets.vcpw.path})" + export GOVC_USERNAME="$(cat ${config.sops.secrets.govcuser.path})" + export GOVC_PASSWORD="$(cat ${config.sops.secrets.govcpw.path})" + export GOVC_URL="$(cat ${config.sops.secrets.govcurl.path})" + export GOVC_DATACENTER="$(cat ${config.sops.secrets.govcdc.path})" + export GOVC_DATASTORE="$(cat ${config.sops.secrets.govcds.path})" + export GOVC_HOST="$(cat ${config.sops.secrets.govchost.path})" + export GOVC_RESOURCE_POOL="$(cat ${config.sops.secrets.govcpool.path})" + export 
GOVC_NETWORK="$(cat ${config.sops.secrets.govcnetwork.path})" + ''; - # vm - virt-manager - virt-viewer - virtiofsd - spice - spice-gtk - spice-protocol - win-virtio - win-spice - ]; - - - services = { - spice-vdagentd.enable = true; - openssh = { - enable = true; - extraConfig = '' - ''; + browserpass.enable = true; + _1password.enable = true; + _1password-gui = { + enable = true; + polkitPolicyOwners = [ "${mainUser}" ]; + }; }; - syncthing = { - settings = { - "winters" = { - id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; - }; - folders = { - "Documents" = { - path = "${homeDir}/Documents"; - devices = [ "magicant" "winters" ]; - id = "hgr3d-pfu3w"; + networking = { + firewall.trustedInterfaces = [ "virbr0" ]; + search = [ + "vbc.ac.at" + "clip.vbc.ac.at" + "imp.univie.ac.at" + ]; + }; + + virtualisation = { + docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; + spiceUSBRedirection.enable = true; + libvirtd = { + enable = true; + qemu = { + package = pkgs.qemu_kvm; + runAsRoot = true; + swtpm.enable = true; + vhostUserPackages = with pkgs; [ virtiofsd ]; + ovmf = { + enable = true; + packages = [ + (pkgs.OVMFFull.override { + secureBoot = true; + tpmSupport = true; + }).fd + ]; }; }; }; }; - udev.extraRules = '' - # share screen when dongle detected - SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="343c", ATTRS{idProduct}=="0000", TAG+="systemd", ENV{SYSTEMD_WANTS}="swarsel-screenshare.service" + environment.systemPackages = with pkgs; [ + # (python39.withPackages (ps: with ps; [ + # cryptography + # ])) + # docker + python39 + qemu + packer + gnumake + libisoburn + govc + terraform + graphviz - # lock screen when yubikey removed - ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" - ''; + # vm + virt-manager + virt-viewer + virtiofsd + spice + spice-gtk + spice-protocol + win-virtio + win-spice + ]; - }; - systemd.services = lib.mkMerge [ - (swarselService 
"swarsel-screenshare" "Start screensharing after HDMI dongle is detected" "${pkgs.screenshare}/bin/screenshare -h") - ]; + services = { + spice-vdagentd.enable = true; + openssh = { + enable = true; + extraConfig = '' + ''; + }; - # cgroups v1 is required for centos7 dockers - specialisation = { - cgroup_v1.configuration = { - boot.kernelParams = [ - "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" - "systemd.unified_cgroup_hierarchy=0" - ]; + syncthing = { + settings = { + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + folders = { + "Documents" = { + path = "${homeDir}/Documents"; + devices = [ "magicant" "winters" ]; + id = "hgr3d-pfu3w"; + }; + }; + }; + }; + + udev.extraRules = '' + # share screen when dongle detected + SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="343c", ATTRS{idProduct}=="0000", TAG+="systemd", ENV{SYSTEMD_WANTS}="swarsel-screenshare.service" + + # lock screen when yubikey removed + ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" + ''; + + }; + + systemd.services = lib.mkMerge [ + (swarselService "swarsel-screenshare" "Start screensharing after HDMI dongle is detected" "${pkgs.screenshare}/bin/screenshare -h") + ]; + + # cgroups v1 is required for centos7 dockers + specialisation = { + cgroup_v1.configuration = { + boot.kernelParams = [ + "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" + "systemd.unified_cgroup_hierarchy=0" + ]; + }; }; }; diff --git a/modules/nixos/server/nfs.nix b/modules/nixos/server/nfs.nix index 3506e8c..f7f1f65 100644 --- a/modules/nixos/server/nfs.nix +++ b/modules/nixos/server/nfs.nix 
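Review bot: `programs.zsh.shellInit` in the new `config` block `cat`s the vSphere/govc credentials (`VSPHERE_PW`, `GOVC_PASSWORD` and the rest) into exported variables on every zsh start, so they land in the environment of every process launched from any shell and stay readable from that process's environ for its lifetime; loading them on demand keeps the exposure to the sessions that need them, e.g. wrapping the ten `export` lines in `work-env() {` … `}` and calling it before govc/packer/terraform work. The `udev.extraRules` comment says `# lock screen when yubikey removed` but the action is `systemctl suspend`; either change the comment to `# suspend when yubikey removed` or point the rule at the locker. The hunk starts inside the `let` that opens at line 24, so `owner`, `sopsFile`, `mainUser`, `homeDir` and `swarselService` are bound above it.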
@@ -1,49 +1,52 @@ -{ pkgs, ... }: +{ lib, config, pkgs, ... }: { - services = { - # add a user with sudo smbpasswd -a - samba = { - package = pkgs.samba4Full; - # extraConfig = '' - # workgroup = WORKGROUP - # server role = standalone server - # dns proxy = no + options.swarselsystems.server.nfs = lib.mkEnableOption "enable nfs on server"; + config = lib.mkIf config.swarselsystems.server.nfs { + services = { + # add a user with sudo smbpasswd -a + samba = { + package = pkgs.samba4Full; + # extraConfig = '' + # workgroup = WORKGROUP + # server role = standalone server + # dns proxy = no - # pam password change = yes - # map to guest = bad user - # create mask = 0664 - # force create mode = 0664 - # directory mask = 0775 - # force directory mode = 0775 - # follow symlinks = yes - # ''; + # pam password change = yes + # map to guest = bad user + # create mask = 0664 + # force create mode = 0664 + # directory mask = 0775 + # force directory mode = 0775 + # follow symlinks = yes + # ''; - enable = true; - openFirewall = true; - settings.Eternor = { - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - path = "/Vault/Eternor"; - writable = "true"; - comment = "Eternor"; - "valid users" = "Swarsel"; + enable = true; + openFirewall = true; + settings.Eternor = { + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + path = "/Vault/Eternor"; + writable = "true"; + comment = "Eternor"; + "valid users" = "Swarsel"; + }; }; - }; - avahi = { - publish.enable = true; - publish.userServices = true; # Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` - nssmdns4 = true; - enable = true; - openFirewall = true; - }; + avahi = { + publish.enable = true; + publish.userServices = true; # Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` + nssmdns4 = true; + enable = true; + openFirewall = true; + }; - # This enables autodiscovery on windows since SMB1 (and 
thus netbios) support was discontinued - samba-wsdd = { - enable = true; - openFirewall = true; + # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued + samba-wsdd = { + enable = true; + openFirewall = true; + }; }; }; } diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index 9af9f9a..e4c8f9d 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix 
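Review bot: The switch declared here is `options.swarselsystems.server.nfs`, while every other module in this commit, including the home-side server module (`swarselsystems.modules.server.dotfiles` in modules/home/server/symlink.nix), declares its switch under `swarselsystems.modules.*`; the nginx, packages, settings (`server.general`), sops and ssh hunks that follow use the same `swarselsystems.server.*` naming. If the NixOS localserver profile mirrors the home one and enables these under `swarselsystems.modules.server.*`, the `mkIf` guards here would never fire (or evaluation would fail on an undeclared option), which for ssh.nix would mean no sshd and no authorized keys on the server. Renaming to `options.swarselsystems.modules.server.nfs` (and likewise in the other five files) would make them consistent with the rest of the tree. Separately, `openFirewall = true` on samba, avahi and samba-wsdd opens those ports on every interface; a comment stating that the host is assumed to sit on a trusted LAN would record the assumption.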
@@ -1,37 +1,39 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: { - environment.systemPackages = with pkgs; [ - lego - ]; + options.swarselsystems.server.nginx = lib.mkEnableOption "enable nginx on server"; + config = lib.mkIf config.swarselsystems.server.nginx { + environment.systemPackages = with pkgs; [ + lego + ]; - # users.users.acme = {}; + # users.users.acme = {}; - sops = { - # secrets.dnstokenfull = { owner = "acme"; }; - secrets.dnstokenfull = { }; - templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - }; + sops = { + # secrets.dnstokenfull = { owner = "acme"; }; + secrets.dnstokenfull = { }; + templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + }; - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults = { - email = "mrswarsel@gmail.com"; - dnsProvider = "cloudflare"; - environmentFile = "${config.sops.templates."certs.secret".path}"; + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults = { + email = "mrswarsel@gmail.com"; + dnsProvider = "cloudflare"; + environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + }; + + services.nginx = { + enable = true; + statusPage = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + # virtualHosts are defined in the respective sections }; }; - - services.nginx = { - enable = true; - statusPage = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - # virtualHosts are defined in the respective sections - }; - } diff --git a/modules/nixos/server/packages.nix b/modules/nixos/server/packages.nix index 108a727..4acbd22 100644 --- a/modules/nixos/server/packages.nix +++ b/modules/nixos/server/packages.nix 
@@ -1,11 +1,14 @@
-{ pkgs, ... }:
+{ lib, config, pkgs, ... }:
 {
- environment.systemPackages = with pkgs; [
- gnupg
- nix-index
- ssh-to-age
- git
- emacs
- vim
- ];
+ options.swarselsystems.server.packages = lib.mkEnableOption "enable packages on server";
+ config = lib.mkIf config.swarselsystems.server.packages {
+ environment.systemPackages = with pkgs; [
+ gnupg
+ nix-index
+ ssh-to-age
+ git
+ emacs
+ vim
+ ];
+ };
 }
diff --git a/modules/nixos/server/settings.nix b/modules/nixos/server/settings.nix
index 1052e28..68fd267 100644
--- a/modules/nixos/server/settings.nix
+++ b/modules/nixos/server/settings.nix
@@ -4,12 +4,13 @@ let
 in
 {
 options.swarselsystems = {
+ server.general = lib.mkEnableOption "general setting on server";
 shellAliases = lib.mkOption {
 type = lib.types.attrsOf lib.types.str;
 default = { };
 };
 };
- config = {
+ config = lib.mkIf config.swarselsystems.server.general {
 environment.shellAliases = lib.recursiveUpdate
 {
 npswitch = "cd ${flakePath}; git pull; sudo nixos-rebuild --flake .#$(hostname) switch; cd -;";
diff --git a/modules/nixos/server/sops.nix b/modules/nixos/server/sops.nix
index 3b8bd2d..cfe40e4 100644
--- a/modules/nixos/server/sops.nix
+++ b/modules/nixos/server/sops.nix
@@ -1,9 +1,11 @@
 { config, lib, ... }:
 {
- sops = {
- age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ];
- defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml";
- validateSopsFiles = false;
+ options.swarselsystems.server.sops = lib.mkEnableOption "enable sops on server";
+ config = lib.mkIf config.swarselsystems.server.sops {
+ sops = {
+ age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ];
+ defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml";
+ validateSopsFiles = false;
+ };
 };
-
 }
diff --git a/modules/nixos/server/ssh.nix b/modules/nixos/server/ssh.nix
index 5315cbe..0c1b376 100644
--- a/modules/nixos/server/ssh.nix
+++ b/modules/nixos/server/ssh.nix
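Review bot: `defaultSopsFile` in the new sops `config` block hard-codes the `winters` host path inside what is now a generic, option-gated server module, and `validateSopsFiles = false` means a wrong path only surfaces at activation rather than at evaluation. Because the value is `lib.mkDefault`, each host can override it, but that contract is unstated; a comment above the line such as `# defaults to the winters secrets; other hosts override this per host` plus one naming why validation is off would make it explicit. The packages and settings hunks above the sops one raise nothing beyond the option naming already noted on the nfs hunk.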
@@ -1,18 +1,20 @@ -{ self, config, ... }: +{ self, lib, config, ... }: { - services.openssh = { - enable = true; + options.swarselsystems.server.ssh = lib.mkEnableOption "enable ssh on server"; + config = lib.mkIf config.swarselsystems.server.ssh { + services.openssh = { + enable = true; + }; + users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + ]; + users.users.root.openssh.authorizedKeys.keyFiles = [ + (self + /secrets/keys/ssh/yubikey.pub) + (self + /secrets/keys/ssh/magicant.pub) + ]; + security.sudo.extraConfig = '' + Defaults env_keep+=SSH_AUTH_SOCK + ''; }; - users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - ]; - users.users.root.openssh.authorizedKeys.keyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - ]; - security.sudo.extraConfig = '' - Defaults env_keep+=SSH_AUTH_SOCK - ''; - } diff --git a/profiles/home/darwin/default.nix b/profiles/home/darwin/default.nix new file mode 100644 index 0000000..29c8307 --- /dev/null +++ b/profiles/home/darwin/default.nix @@ -0,0 +1,10 @@ +{ lib, config, ... }: +{ + options.swarselsystems.profiles.darwin = lib.mkEnableOption "is this a darwin host"; + config = lib.mkIf config.swarselsystems.profiles.darwin { + swarselsystems.modules = { + general = lib.mkDefault true; + }; + }; + +} diff --git a/profiles/home/localserver/default.nix b/profiles/home/localserver/default.nix new file mode 100644 index 0000000..2a87f51 --- /dev/null +++ b/profiles/home/localserver/default.nix 
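Review bot: The new `services.openssh = { enable = true; };` block provisions key-file authentication for the main user and for root but does not pin the settings that make key-only access actually hold; NixOS leaves password authentication on by default, and root key login currently rests on the distribution default for `PermitRootLogin`. Suggest adding `settings.PasswordAuthentication = false;`, `settings.KbdInteractiveAuthentication = false;` and `settings.PermitRootLogin = "prohibit-password";` next to `enable = true;` so the intent survives a change of defaults. `Defaults env_keep+=SSH_AUTH_SOCK` lets every `sudo` invocation reach the forwarded agent, which is presumably the point for the rebuild-over-ssh workflow but deserves a comment such as `# keep the forwarded agent for sudo so git/nix operations run as root can use it`. Both key files are listed identically for root and the main user, so revoking a key for root alone means splitting the two lists.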
@@ -0,0 +1,13 @@ +{ lib, config, ... }: +{ + options.swarselsystems.profiles.server.local = lib.mkEnableOption "is this a local server"; + config = lib.mkIf config.swarselsystems.profiles.server.local { + swarselsystems.modules = { + general = lib.mkDefault true; + server = { + dotfiles = lib.mkDefault true; + }; + }; + }; + +} diff --git a/profiles/home/personal/default.nix b/profiles/home/personal/default.nix index e5dae81..8ed4b08 100644 --- a/profiles/home/personal/default.nix +++ b/profiles/home/personal/default.nix @@ -30,6 +30,18 @@ waybar = lib.mkDefault true; firefox = lib.mkDefault true; gnome-keyring = lib.mkDefault true; + kdeconnect = lib.mkDefault true; + mako = lib.mkDefault true; + swayosd = lib.mkDefault true; + yubikeytouch = lib.mkDefault true; + sway = lib.mkDefault true; + kanshi = lib.mkDefault true; + gpgagent = lib.mkDefault true; + gammastep = lib.mkDefault true; + + optional = { + gaming = lib.mkDefault true; + }; }; }; diff --git a/profiles/home/work/default.nix b/profiles/home/work/default.nix new file mode 100644 index 0000000..4653f87 --- /dev/null +++ b/profiles/home/work/default.nix @@ -0,0 +1,12 @@ +{ lib, config, ... }: +{ + options.swarselsystems.profiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselsystems.profiles.work { + swarselsystems.modules = { + optional = { + work = lib.mkDefault true; + }; + }; + }; + +} diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix index 876e97a..09af340 100644 --- a/profiles/nixos/localserver/default.nix +++ b/profiles/nixos/localserver/default.nix @@ -3,7 +3,6 @@ options.swarselsystems.profiles.server.local = lib.mkEnableOption "is this a local server"; config = lib.mkIf config.swarselsystems.profiles.server.local { swarselsystems = { - # common modules modules = { nix-ld = lib.mkDefault true; home-manager = lib.mkDefault true; 
@@ -14,23 +13,29 @@ time = lib.mkDefault true; users = lib.mkDefault true; }; - # server modules - # server = { - # kavita = lib.mkDefault true; - # jellyfin = lib.mkDefault true; - # navidrome = lib.mkDefault true; - # spotifyd = lib.mkDefault true; - # mpd = lib.mkDefault true; - # matrix = lib.mkDefault true; - # nextcloud = lib.mkDefault true; - # immich = lib.mkDefault true; - # paperless = lib.mkDefault true; - # transmission = lib.mkDefault true; - # syncthing = lib.mkDefault true; - # monitoring = lib.mkDefault true; - # emacs = lib.mkDefault true; - # freshrss = lib.mkDefault true; - # }; + server = { + general = lib.mkDefault true; + packages = lib.mkDefault true; + sops = lib.mkDefault true; + nfs = lib.mkDefault true; + nginx = lib.mkDefault true; + ssh = lib.mkDefault true; + kavita = lib.mkDefault true; + jellyfin = lib.mkDefault true; + navidrome = lib.mkDefault true; + spotifyd = lib.mkDefault true; + mpd = lib.mkDefault true; + matrix = lib.mkDefault true; + nextcloud = lib.mkDefault true; + immich = lib.mkDefault true; + paperless = lib.mkDefault true; + transmission = lib.mkDefault true; + syncthing = lib.mkDefault true; + monitoring = lib.mkDefault true; + emacs = lib.mkDefault true; + freshrss = lib.mkDefault true; + + }; }; }; diff --git a/profiles/nixos/personal/default.nix b/profiles/nixos/personal/default.nix index d719c28..715ab88 100644 --- a/profiles/nixos/personal/default.nix +++ b/profiles/nixos/personal/default.nix @@ -44,6 +44,13 @@ lid = lib.mkDefault true; lowBattery = lib.mkDefault true; lanzaboote = lib.mkDefault true; + + optional = { + gaming = lib.mkDefault true; + virtualbox = lib.mkDefault true; + autologin = lib.mkDefault true; + nswitch-rcm = lib.mkDefault true; + }; }; }; diff --git a/profiles/nixos/syncserver/default.nix b/profiles/nixos/syncserver/default.nix index 82ade9d..6782556 100644 --- a/profiles/nixos/syncserver/default.nix +++ b/profiles/nixos/syncserver/default.nix 
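Review bot: The new `server = { … }` block sets every server module to `lib.mkDefault true`, so enabling `profiles.server.local` now turns on all network-facing services at once (`nfs`, `nginx`, `ssh`, `matrix`, `nextcloud`, `transmission`, `syncthing`, `monitoring`, …) unless a host overrides each one, whereas the commented-out list it replaces was inert. A comment at the top of the block, e.g. `# every server module defaults on here; disable per host with swarselsystems.modules.server.<name> = false`, would make that trade-off visible, and the stray blank line before the closing `};` after `freshrss` should go. The syncserver hunk on the next line does the same for a host whose option text calls it an OCI sync server, where defaulting `nfs` on deserves a deliberate decision rather than inheriting this list.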
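Review bot: `autologin = lib.mkDefault true;` in the new `optional` block makes automatic login the default for every host that enables `profiles.personal`, including any laptop that wants a login prompt unless it remembers to override it. If the `autologin` module does what its name suggests, the safer profile-level default is `autologin = lib.mkDefault false;` with the opt-in made per host; `gaming` and `virtualbox` are harmless defaults, `autologin` is not. Where it stays as written, a comment such as `# autologin defaults on for personal hosts; override per host where a login prompt is wanted` should accompany it.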
@@ -3,7 +3,6 @@ options.swarselsystems.profiles.server.sync = lib.mkEnableOption "is this a oci sync server"; config = lib.mkIf config.swarselsystems.profiles.server.sync { swarselsystems = { - # common modules modules = { nix-ld = lib.mkDefault true; home-manager = lib.mkDefault true; @@ -14,11 +13,16 @@ time = lib.mkDefault true; users = lib.mkDefault true; }; - # server modules - # server = { - # forgejo = lib.mkDefault true; - # ankisync = lib.mkDefault true; - # }; + server = { + general = lib.mkDefault true; + packages = lib.mkDefault true; + sops = lib.mkDefault true; + nfs = lib.mkDefault true; + nginx = lib.mkDefault true; + ssh = lib.mkDefault true; + forgejo = lib.mkDefault true; + ankisync = lib.mkDefault true; + }; }; }; diff --git a/profiles/nixos/work/default.nix b/profiles/nixos/work/default.nix new file mode 100644 index 0000000..dca896e --- /dev/null +++ b/profiles/nixos/work/default.nix @@ -0,0 +1,13 @@ +{ lib, config, ... }: +{ + options.swarselsystems.profiles.work = lib.mkEnableOption "is this a work host"; + config = lib.mkIf config.swarselsystems.profiles.work { + swarselsystems.modules = { + optional = { + work = lib.mkDefault true; + }; + }; + + }; + +} diff --git a/programs/zellij/layouts/default.kdl.nix b/programs/zellij/layouts/default.kdl.nix index 941c3e9..170115a 100644 --- a/programs/zellij/layouts/default.kdl.nix +++ b/programs/zellij/layouts/default.kdl.nix @@ -103,8 +103,8 @@ in format_center "" format_right "#[bg=#${colors.base00},fg=#${colors.base02}]#[bg=#${colors.base02},fg=#${colors.base01},bold] #[bg=#${colors.base02},fg=#${colors.base01},bold] {session} #[bg=#${colors.base02},fg=#${colors.base01},bold]" format_space "" - format_hide_on_overlength "true" - format_precedence "crl" + format_hide_on_overlength "false" + format_precedence "lcr" border_enabled "false" border_char "─"