refactor: rename old profiles->modules [part 2]

This commit is contained in:
Leon Schwarzäugl 2025-03-27 01:47:14 +01:00
parent de9b5cf40c
commit 289f072c13
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
138 changed files with 355 additions and 355 deletions


@ -0,0 +1,9 @@
_:
{
programs.appimage = {
enable = true;
binfmt = true;
};
}


@ -0,0 +1,5 @@
_:
{
services.blueman.enable = true;
services.hardware.bolt.enable = true;
}


@ -0,0 +1,17 @@
{ self, lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/common";
modulesPath = "${self}/modules";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/common" ++ [
"${modulesPath}/home/common/sharedsetup.nix"
];
nixpkgs.config.permittedInsecurePackages = [
"jitsi-meet-1.0.8043"
"electron-29.4.6"
"SDL_ttf-2.0.11"
];
}


@ -0,0 +1,14 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
distrobox
boxbuddy
];
virtualisation.podman = {
enable = true;
dockerCompat = true;
package = pkgs.stable.podman;
};
}


@ -0,0 +1,16 @@
{ lib, pkgs, ... }:
{
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
};
};
# gstreamer plugins for nautilus (used for file metadata)
}


@ -0,0 +1,9 @@
_:
{
nix.gc = {
automatic = true;
randomizedDelaySec = "14m";
dates = "weekly";
options = "--delete-older-than 10d";
};
}


@ -0,0 +1,8 @@
_:
{
services.gnome.gnome-keyring = {
enable = true;
};
programs.seahorse.enable = true;
}


@ -0,0 +1,4 @@
_:
{
services.gvfs.enable = true;
}


@ -0,0 +1,47 @@
{ pkgs, config, lib, ... }:
{
options.swarselsystems = {
hasBluetooth = lib.mkEnableOption "bluetooth availability";
hasFingerprint = lib.mkEnableOption "fingerprint sensor availability";
trackpoint = {
isAvailable = lib.mkEnableOption "trackpoint availability";
trackpoint.device = lib.mkOption {
type = lib.types.str;
default = "";
};
};
};
config = {
hardware = {
# opengl.driSupport32Bit = true is replaced with graphics.enable32Bit and hence redundant
graphics = {
enable = true;
enable32Bit = true;
};
trackpoint = lib.mkIf config.swarselsystems.trackpoint.isAvailable {
enable = true;
inherit (config.swarselsystems.trackpoint) device;
};
keyboard.qmk.enable = true;
enableAllFirmware = true;
bluetooth = lib.mkIf config.swarselsystems.hasBluetooth {
enable = true;
package = pkgs.stable.bluez;
powerOnBoot = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
};
services.fprintd.enable = lib.mkIf config.swarselsystems.hasFingerprint true;
};
}


@ -0,0 +1,8 @@
{ pkgs, ... }:
{
services.udev.packages = with pkgs; [
qmk-udev-rules
vial
via
];
}


@ -0,0 +1,9 @@
{ pkgs, ... }:
{
hardware.ledger.enable = true;
services.udev.packages = with pkgs; [
ledger-udev-rules
];
}


@ -0,0 +1,21 @@
{ pkgs, ... }:
{
programs.ssh.startAgent = false;
services.pcscd.enable = false;
hardware.gpgSmartcards.enable = true;
services.udev.packages = with pkgs; [
yubikey-personalization
];
# systemd.services.shutdownSopsGpg = {
# path = [ pkgs.gnupg ];
# script = ''
# gpgconf --homedir /var/lib/sops --kill gpg-agent
# '';
# wantedBy = [ "multi-user.target" ];
# };
}


@ -0,0 +1,6 @@
{ inputs, config, lib, ... }:
{
home-manager = lib.mkIf config.swarselsystems.withHomeManager {
extraSpecialArgs = { inherit (inputs) nix-secrets nixgl; };
};
}


@ -0,0 +1,8 @@
{ inputs, config, lib, ... }:
{
home-manager = lib.mkIf config.swarselsystems.withHomeManager {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = { inherit (inputs) self; };
};
}


@ -0,0 +1,91 @@
{ config, lib, ... }:
let
mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
inherit (config.swarselsystems) homeDir isImpermanence isCrypted;
in
{
security.sudo.extraConfig = lib.mkIf isImpermanence ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
# This script does the actual wipe of the system
# So if it doesn't run, the btrfs system effectively acts like a normal system
# Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
boot.initrd.systemd.enable = lib.mkIf isImpermanence true;
boot.initrd.systemd.services.rollback = lib.mkIf isImpermanence {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = [ "initrd.target" ];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
# mount the root fs before clearing
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
environment.persistence."/persist" = lib.mkIf isImpermanence {
hideMounts = true;
directories =
[
"/.cache/nix"
"/srv"
"/etc/nixos"
"/etc/nix"
"/etc/NetworkManager/system-connections"
# "/etc/secureboot"
"${homeDir}/.dotfiles"
"/var/db/sudo"
"/var/cache"
"/var/lib"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
}


@ -0,0 +1,29 @@
{ pkgs, ... }:
{
# Make CAPS work as a dual function ESC/CTRL key
services.interception-tools = {
enable = true;
udevmonConfig =
let
dualFunctionKeysConfig = builtins.toFile "dual-function-keys.yaml" ''
TIMING:
TAP_MILLISEC: 200
DOUBLE_TAP_MILLISEC: 0
MAPPINGS:
- KEY: KEY_CAPSLOCK
TAP: KEY_ESC
HOLD: KEY_LEFTCTRL
'';
in
''
- JOB: |
${pkgs.interception-tools}/bin/intercept -g $DEVNODE \
| ${pkgs.interception-tools-plugins.dual-function-keys}/bin/dual-function-keys -c ${dualFunctionKeysConfig} \
| ${pkgs.interception-tools}/bin/uinput -d $DEVNODE
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK]
'';
};
}


@ -0,0 +1,14 @@
{ lib, config, ... }:
{
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
};
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 3;
};
};
}


@ -0,0 +1,34 @@
_:
{
services.logind = {
lidSwitch = "suspend";
lidSwitchDocked = "ignore";
};
services.acpid = {
enable = true;
handlers.lidClosed = {
event = "button/lid \\w+ close";
action = ''
cat /sys/class/backlight/amdgpu_bl1/device/enabled
if grep -Fxq disabled /sys/class/backlight/amdgpu_bl1/device/enabled
then
echo "Lid closed. Disabling fprintd."
systemctl stop fprintd
ln -s /dev/null /run/systemd/transient/fprintd.service
systemctl daemon-reload
fi
'';
};
handlers.lidOpen = {
event = "button/lid \\w+ open";
action = ''
if ! $(systemctl is-active --quiet fprintd); then
echo "Lid open. Enabling fprintd."
rm -f /run/systemd/transient/fprintd.service
systemctl daemon-reload
systemctl start fprintd
fi
'';
};
};
}


@ -0,0 +1,20 @@
{ pkgs, ... }:
{
services.greetd = {
enable = true;
settings = {
initial_session.command = "sway";
default_session.command = ''
${pkgs.greetd.tuigreet}/bin/tuigreet \
--time \
--asterisks \
--user-menu \
--cmd sway
'';
};
};
environment.etc."greetd/environments".text = ''
sway
'';
}


@ -0,0 +1,26 @@
{ pkgs, lib, ... }:
{
systemd.user.services."battery-low" = {
enable = true;
description = "Timer for battery check that alerts at 10% or less";
partOf = [ "graphical-session.target" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "battery-low-notification"
''
if (( 10 >= $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") && $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") > 0 ));
then ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%")";
fi;
'';
};
};
systemd.user.timers."battery-low" = {
wantedBy = [ "timers.target" ];
timerConfig = {
# Every Minute
OnCalendar = "*-*-* *:*:00";
Unit = "battery-low.service";
};
};
}


@ -0,0 +1,245 @@
{ lib, config, ... }:
{
networking = {
nftables.enable = lib.mkDefault true;
enableIPv6 = lib.mkDefault true;
firewall = {
checkReversePath = lib.mkDefault false;
enable = lib.mkDefault true;
allowedUDPPorts = [ 51820 ]; # 51820: wireguard
allowedTCPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
allowedUDPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
};
networkmanager = {
enable = true;
ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
environmentFiles = [
"${config.sops.templates."network-manager.env".path}"
];
profiles = {
"Ernest Routerford" = {
connection = {
id = "Ernest Routerford";
permissions = "";
type = "wifi";
};
ipv4 = {
dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
dns-search = "";
method = "auto";
};
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
};
};
LAN-Party = {
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
eduroam = {
"802-1x" = {
eap = "ttls;";
identity = "$EDUID";
password = "$EDUPASS";
phase2-auth = "mschapv2";
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
HH40V_39F5 = {
connection = {
id = "HH40V_39F5";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
};
};
magicant = {
connection = {
id = "magicant";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "magicant";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
};
};
wireguardvpn = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$WIREGUARDPRIV"; };
"wireguard-peer.$WIREGUARDPUB" = {
endpoint = "$WIREGUARDENDPOINT";
allowed-ips = "0.0.0.0/0";
};
ipv4 = {
method = "ignore";
address1 = "192.168.3.3/32";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "ignore";
};
proxy = { };
};
"sweden-aes-128-cbc-udp-dns" = {
connection = {
autoconnect = "false";
id = "PIA Sweden";
type = "vpn";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
challenge-response-flags = "2";
cipher = "aes-128-cbc";
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
dev = "tun";
password-flags = "0";
remote = "sweden.privacy.network:1198";
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$VPNUSER";
};
vpn-secrets = { password = "$VPNPASS"; };
};
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-${config.swarselsystems.mainUser}";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
};
};
};
};
};
};
systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.service" ];
}


@ -0,0 +1,30 @@
{ pkgs, ... }:
{
# enable scanners over network
hardware.sane = {
enable = true;
extraBackends = [ pkgs.sane-airscan ];
};
# enable discovery and usage of network devices (esp. printers)
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
];
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
}


@ -0,0 +1,110 @@
{ pkgs, ... }:
{
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curl
dbus
dbus-glib
expat
ffmpeg
flac
fontconfig
freeglut
freetype
fuse3
gdk-pixbuf
glew110
glib
stable.gnome2.GConf
pango
gtk2
gtk3
icu
libGL
libappindicator-gtk2
libappindicator-gtk3
libcaca
libcanberra
libcap
libdbusmenu-gtk2
libdrm
libelf
libgcrypt
libglvnd
libidn
libindicator-gtk2
libjpeg
libmikmod
libnotify
libogg
libpng
libpng12
libpulseaudio
librsvg
libsamplerate
libtheora
libtiff
libudev0-shim
libunwind
libusb1
libuuid
libva
libvdpau
libvorbis
libvpx
libxkbcommon
libxml2
libz
mesa
nspr
nss
openssl
pango
pipewire
pixman
speex
stdenv.cc.cc
steam-fhsenv-without-steam
systemd
tbb
vulkan-loader
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libxcb
xorg.libxshmfence
zlib
];
};
}


@ -0,0 +1,10 @@
{ pkgs, ... }:
{
system.activationScripts.diff = {
supportsDryActivation = true;
text = ''
${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff \
/run/current-system "$systemConfig"
'';
};
}


@ -0,0 +1,123 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
# yubikey packages
gnupg
yubikey-personalization
yubikey-personalization-gui
yubico-pam
yubioath-flutter
yubikey-manager
yubikey-manager-qt
yubikey-touch-detector
yubico-piv-tool
cfssl
pcsctools
pcscliteWithPolkit.out
# ledger packages
ledger-live-desktop
# pinentry
dbus
swaylock-effects
syncthingtray-minimal
wl-mirror
# secure boot
sbctl
libsForQt5.qt5.qtwayland
# nix package database
nix-index
nixos-generators
# commit hooks
pre-commit
# proc info
acpi
# pci info
pciutils
usbutils
# better make for general tasks
just
screenshare
fullscreen
# keyboards
qmk
vial
via
# theme related
adwaita-icon-theme
# kde-connect
xdg-desktop-portal
xdg-desktop-portal-wlr
# bluetooth
bluez
# lsp-related -------------------------------
# nix
# latex
# texlab
ghostscript_headless
# wireguard
wireguard-tools
# rust
# rust-analyzer
# clippy
# rustfmt
# go
# go
# gopls
# nix
nixd
# zig
zig
zls
# cpp
# clang-tools
# + cuda
# cudatoolkit
# ansible
# ansible-lint
ansible-language-server
# molecule
#lsp-bridge / python
# gcc
# gdb
# (python3.withPackages (ps: with ps; [ jupyter ipython pyqt5 epc orjson sexpdata six setuptools paramiko numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server ]))
# (python3.withPackages(ps: with ps; [ jupyter ipython pyqt5 numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server]))
# --------------------------------------------
# (stdenv.mkDerivation {
# name = "oama";
# src = pkgs.fetchurl {
# name = "oama";
# url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz";
# sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc=";
# };
# phases = [
# "unpackPhase"
# ];
# unpackPhase = ''
# mkdir -p $out/bin
# tar xvf $src -C $out/
# mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/
# '';
# })
];
}


@ -0,0 +1,15 @@
_: {
security.rtkit.enable = true; # this is required for pipewire real-time access
services.pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
audio.enable = true;
wireplumber.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
}


@ -0,0 +1,20 @@
_:
{
security = {
pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
swaylock.u2fAuth = true;
swaylock.fprintAuth = false;
};
polkit.enable = true;
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
Defaults env_keep+=XDG_RUNTIME_DIR
Defaults env_keep+=WAYLAND_DISPLAY
'';
};
}


@ -0,0 +1,4 @@
_:
{
services.power-profiles-daemon.enable = true;
}


@ -0,0 +1,8 @@
_:
{
programs = {
dconf.enable = true;
evince.enable = true;
kdeconnect.enable = true;
};
}


@ -0,0 +1,8 @@
{ config, pkgs, lib, ... }: {
services.pulseaudio = {
enable = lib.mkIf (!config.services.pipewire.enable) true;
package = pkgs.pulseaudioFull;
};
}


@ -0,0 +1,45 @@
{ lib, config, outputs, inputs, ... }:
{
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
};
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
};
channel.enable = false;
registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
system.stateVersion = lib.mkDefault "23.05";
}


@ -0,0 +1,26 @@
{ lib, ... }:
{
options.swarselsystems = {
withHomeManager = lib.mkOption {
type = lib.types.bool;
default = true;
};
isSwap = lib.mkOption {
type = lib.types.bool;
default = true;
};
swapSize = lib.mkOption {
type = lib.types.str;
default = "8G";
};
rootDisk = lib.mkOption {
type = lib.types.str;
default = "";
};
isCrypted = lib.mkEnableOption "uses full disk encryption";
initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
isImpermanence = lib.mkEnableOption "use impermanence on this system";
isSecureBoot = lib.mkEnableOption "use secure boot on this system";
};
}


@ -0,0 +1,51 @@
{ self, config, lib, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) mainUser homeDir;
in
{
sops = lib.mkIf (!config.swarselsystems.isPublic) {
age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${homeDir}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
};
templates = {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
'';
};
};
}


@ -0,0 +1,7 @@
_:
{
nix.optimise = {
automatic = true;
dates = [ "weekly" ];
};
}


@ -0,0 +1,14 @@
{ lib, config, ... }:
{
stylix = lib.recursiveUpdate
{
targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper;
}
config.swarselsystems.stylix;
home-manager.users."${config.swarselsystems.mainUser}" = {
stylix = {
targets = config.swarselsystems.stylixHomeTargets;
};
};
}


@ -0,0 +1,23 @@
{ pkgs, ... }:
{
programs.sway = {
enable = true;
package = pkgs.swayfx;
wrapperFeatures = {
base = true;
gtk = true;
};
extraSessionCommands = ''
export XDG_SESSION_DESKTOP=sway
export SDL_VIDEODRIVER=wayland
export QT_QPA_PLATFORM=wayland-egl
export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
export QT_QPA_PLATFORM_PLUGIN_PATH="${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
export MOZ_ENABLE_WAYLAND=1
export MOZ_DISABLE_RDD_SANDBOX=1
'';
};
}


@ -0,0 +1,53 @@
{ lib, config, ... }:
let
inherit (config.swarselsystems) mainUser homeDir;
in
{
services.syncthing = {
enable = true;
user = mainUser;
dataDir = homeDir;
configDir = "${homeDir}/.config/syncthing";
openDefaultPorts = true;
settings = {
devices = {
"magicant" = {
id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
};
"sync (@oracle)" = {
id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB";
};
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
};
folders = {
"Default Folder" = lib.mkDefault {
path = "${homeDir}/Sync";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "default";
};
"Obsidian" = {
path = "${homeDir}/Nextcloud/Obsidian";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "yjvni-9eaa7";
};
"Org" = {
path = "${homeDir}/Nextcloud/Org";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "${homeDir}/Vpn";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "hgp9s-fyq3p";
};
".elfeed" = {
path = "${homeDir}/.elfeed";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "h7xbs-fs9v1";
};
};
};
};
}


@ -0,0 +1,8 @@
_:
{
# systemd
systemd.extraConfig = ''
DefaultTimeoutStartSec=60s
DefaultTimeoutStopSec=15s
'';
}


@ -0,0 +1,22 @@
_:
{
time = {
timeZone = "Europe/Vienna";
# hardwareClockInLocalTime = true;
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
};
};
}


@ -0,0 +1,16 @@
{ pkgs, config, lib, ... }:
{
sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
users = {
mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
users."${config.swarselsystems.mainUser}" = {
isNormalUser = true;
description = "Leon S";
password = lib.mkIf config.swarselsystems.initialSetup "setup";
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
};
};
}


@ -0,0 +1,19 @@
{ pkgs, ... }:
{
xdg.portal = {
enable = true;
config = {
common = {
default = "wlr";
};
};
wlr.enable = true;
wlr.settings.screencast = {
output_name = "eDP-1";
chooser_type = "simple";
chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
};
};
}


@ -0,0 +1,9 @@
_:
{
services.xserver = {
xkb = {
layout = "us";
variant = "altgr-intl";
};
};
}


@ -0,0 +1,7 @@
{ pkgs, ... }:
{
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ];
environment.pathsToLink = [ "/share/zsh" ];
}