diff --git a/.github/README.md b/.github/README.md index f0d8733..51d18c4 100644 --- a/.github/README.md +++ b/.github/README.md @@ -108,7 +108,7 @@ Alternatively, to install this from any NixOS live ISO, run `nix run --experimen - Below is a small list of tips that should be helpful if you are new to the nix ecosystem: - Temporarily install any package using `nix shell nixpkgs#` - this can be e.g. useful if you accidentally removed home-manager from your packages on a non-NixOS machine. Alternatively, use [comma](https://github.com/nix-community/comma) -- More info on `nix [...]` commands: https://nixos.org/manual/nix/stable/command-ref/new-cli/nix + - More info on `nix [...]` commands: https://nixos.org/manual/nix/stable/command-ref/new-cli/nix - When you are trying to setup a new configuration part, GitHub code search can really help you to find a working configuration. Just filter for `.nix` files and the options you are trying to set up. - getting packages at a different version than your target (or not packaged at all) can be done in most cases easily with fetchFromGithub (https://ryantm.github.io/nixpkgs/builders/fetchers/) - you can easily install old revisions of packages using https://lazamar.co.uk/nix-versions/. You can conveniently spawn a shell with a chosen package available using `vershell `. Just make sure to pick a revision that has flakes enabled, otherwise you will need the legacy way of spawning the shell (see the link for more info) diff --git a/index.html b/index.html index f260e28..9a5ddf9 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -221,6 +221,7 @@
  • 3.7. darwinConfigurations
  • 3.8. homeConfigurations
  • 3.9. nixOnDroidConfigurations
  • +
  • 3.10. topologyConfigurations
  • 4. System @@ -237,19 +238,19 @@
  • 4.1.2. Virtual hosts
  • -
  • 4.1.3. Utility hosts +
  • 4.1.3. Utility hosts
  • @@ -275,12 +276,13 @@
  • 4.2.1.15. github-notifications
  • 4.2.1.16. screenshare
  • 4.2.1.17. bootstrap
  • -
  • 4.2.1.18. swarsel-rebuild
  • -
  • 4.2.1.19. swarsel-install
  • -
  • 4.2.1.20. t2ts
  • -
  • 4.2.1.21. ts2t
  • -
  • 4.2.1.22. vershell
  • -
  • 4.2.1.23. eontimer
  • +
  • 4.2.1.18. swarsel-rebuild
  • +
  • 4.2.1.19. swarsel-install
  • +
  • 4.2.1.20. swarsel-postinstall
  • +
  • 4.2.1.21. t2ts
  • +
  • 4.2.1.22. ts2t
  • +
  • 4.2.1.23. vershell
  • +
  • 4.2.1.24. eontimer
  • 4.2.2. Overlays (additions, overrides, nixpkgs-stable)
  • @@ -291,9 +293,8 @@
  • 4.2.3.1.1. Wallpaper
  • 4.2.3.1.2. Hardware
  • 4.2.3.1.3. Setup
  • -
  • 4.2.3.1.4. Input
  • -
  • 4.2.3.1.5. Impermanence
  • -
  • 4.2.3.1.6. Filesystem
  • +
  • 4.2.3.1.4. Server
  • +
  • 4.2.3.1.5. Input
  • 4.2.3.2. home-manager @@ -369,6 +370,7 @@
  • 4.3.1.29. Podmam (distrobox)
  • 4.3.1.30. Handle lid switch correctly
  • 4.3.1.31. Low battery notification
  • +
  • 4.3.1.32. Lanzaboote
  • 4.3.2. Server @@ -683,7 +685,7 @@

    -This file has 57207 words spanning 14595 lines and was last revised on 2024-12-21 04:43:26 +0100. +This file has 58511 words spanning 14914 lines and was last revised on 2024-12-28 16:43:06 +0100.

    @@ -736,7 +738,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-12-21 04:43:26 +0100) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-12-28 16:43:06 +0100)

  • @@ -1535,6 +1537,8 @@ In outputs = inputs@ [...], the inputs@ makes it so th inputs = { }; }; + nix-topology.url = "github:oddlama/nix-topology"; + }; outputs = @@ -1571,7 +1575,10 @@ In outputs = inputs@ [...], the inputs@ makes it so th systemFunc = func; in systemFunc { - specialArgs = { inherit inputs outputs self; }; + specialArgs = { + inherit inputs outputs self; + lib = lib.extend (_: _: { swarselsystems = import ./lib { inherit lib; }; }); + }; modules = [ ./hosts/${if isNixos then "nixos" else "darwin"}/${host} ]; }; }; @@ -1583,9 +1590,10 @@ In outputs = inputs@ [...], the inputs@ makes it so th inputs.stylix.nixosModules.stylix inputs.lanzaboote.nixosModules.lanzaboote inputs.disko.nixosModules.disko - # inputs.impermanence.nixosModules.impermanence + inputs.impermanence.nixosModules.impermanence inputs.sops-nix.nixosModules.sops inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + inputs.nix-topology.nixosModules.default ./profiles/common/nixos ]; @@ -1632,6 +1640,11 @@ In outputs = inputs@ [...], the inputs@ makes it so th program = "${self.packages.${system}.swarsel-install}/bin/swarsel-install"; }; + postinstall = { + type = "app"; + program = "${self.packages.${system}.swarsel-postinstall}/bin/swarsel-postinstall"; + }; + rebuild = { type = "app"; program = "${self.packages.${system}.swarsel-rebuild}/bin/swarsel-rebuild"; @@ -1676,13 +1689,13 @@ In outputs = inputs@ [...], the inputs@ makes it so th homeConfigurations = { - "swarsel@home-manager" = inputs.home-manager.lib.homeManagerConfiguration { - pkgs = pkgsFor.x86_64-linux; - extraSpecialArgs = { inherit inputs outputs; }; - modules = homeModules ++ mixedModules ++ [ - ./hosts/home-manager - ]; - }; + "swarsel@home-manager" = inputs.home-manager.lib.homeManagerConfiguration { + pkgs = pkgsFor.x86_64-linux; + extraSpecialArgs = { inherit inputs outputs; }; + modules = homeModules ++ mixedModules ++ [ + ./hosts/home-manager + ]; + }; }; 
@@ -1700,6 +1713,18 @@ In outputs = inputs@ [...], the inputs@ makes it so th }; + topology = + + forEachSystem (pkgs: import inputs.nix-topology { + inherit pkgs; + modules = [ + # Your own file to define global topology. Works in principle like a nixos module but uses different options. + # ./topology.nix + { inherit (self) nixosConfigurations; } + ]; + }); + + }; } @@ -1826,6 +1851,10 @@ This is a private repository that I use for settings in modules that do not expo

    When setting this option normally, the password would normally be written world-readable not only in the nix store, but also in the configuration. Hence, I put such passwords into a private repository. This allows me to keep purity of the flake while keeping a level of security on these secrets.

    +
      +
    • nix-topology +This automatically creates a topology diagram of my configuration.
    • +
    @@ -1929,6 +1958,8 @@ nix-secrets = {
       inputs = { };
     };
     
    +nix-topology.url = "github:oddlama/nix-topology";
    +
     
    @@ -1981,7 +2012,10 @@ mkFullHost = host: isNixos: { systemFunc = func; in systemFunc { - specialArgs = { inherit inputs outputs self; }; + specialArgs = { + inherit inputs outputs self; + lib = lib.extend (_: _: { swarselsystems = import ./lib { inherit lib; }; }); + }; modules = [ ./hosts/${if isNixos then "nixos" else "darwin"}/${host} ]; }; }; @@ -1993,9 +2027,10 @@ nixModules = [ inputs.stylix.nixosModules.stylix inputs.lanzaboote.nixosModules.lanzaboote inputs.disko.nixosModules.disko - # inputs.impermanence.nixosModules.impermanence + inputs.impermanence.nixosModules.impermanence inputs.sops-nix.nixosModules.sops inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + inputs.nix-topology.nixosModules.default ./profiles/common/nixos ]; @@ -2073,6 +2108,11 @@ apps = forAllSystems (system: { program = "${self.packages.${system}.swarsel-install}/bin/swarsel-install"; }; + postinstall = { + type = "app"; + program = "${self.packages.${system}.swarsel-postinstall}/bin/swarsel-postinstall"; + }; + rebuild = { type = "app"; program = "${self.packages.${system}.swarsel-rebuild}/bin/swarsel-rebuild"; @@ -2189,6 +2229,24 @@ magicant = inputs.nix-on-droid.lib.nixOnDroidConfiguration { ]; }; + + + + +
    +

    3.10. topologyConfigurations

    +
    +
    +
    +forEachSystem (pkgs: import inputs.nix-topology {
    +  inherit pkgs;
    +  modules = [
    +    # Your own file to define global topology. Works in principle like a nixos module but uses different options.
    +    # ./topology.nix
    +    { inherit (self) nixosConfigurations; }
    +  ];
    +});
    +
     
    @@ -2228,6 +2286,9 @@ My work machine. Built for more security, this is the gold standard of my config
    { self, inputs, outputs, config, pkgs, lib, ... }:
     let
       profilesPath = "${self}/profiles";
    +  sharedOptions = {
    +    isBtrfs = true;
    +  };
     in
     {
     
    @@ -2265,12 +2326,6 @@ in
       networking.networkmanager.wifi.scanRandMacAddress = false;
     
       boot = {
    -    loader.systemd-boot.enable = lib.mkForce false;
    -    loader.efi.canTouchEfiVariables = true;
    -    lanzaboote = {
    -      enable = true;
    -      pkiBundle = "/etc/secureboot";
    -    };
         supportedFilesystems = [ "btrfs" ];
         kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
         kernelParams = [
    @@ -2305,18 +2360,18 @@ in
         '';
       };
     
    -  swarselsystems = {
    +  swarselsystems = lib.recursiveUpdate {
         wallpaper = self + /wallpaper/lenovowp.png;
         hasBluetooth = true;
         hasFingerprint = true;
    -    impermanence = false;
    -    isBtrfs = true;
    -  };
    +    isImpermanence = false;
    +    isSecureBoot = true;
    +    isCrypted = true;
    +  } sharedOptions;
     
    -  home-manager.users.swarsel.swarselsystems = {
    +  home-manager.users.swarsel.swarselsystems = lib.recursiveUpdate {
         isLaptop = true;
         isNixos = true;
    -    isBtrfs = true;
         flakePath = "/home/swarsel/.dotfiles";
         cpuCount = 16;
         # temperatureHwmon = {
    @@ -2441,7 +2496,7 @@ in
           ans = ". ~/.venvs/ansible/bin/activate";
           ans2-15 = ". ~/.venvs/ansible2.15.0/bin/activate";
         };
    -  };
    +  } sharedOptions;
     }
     
     
    @@ -2505,7 +2560,7 @@ in
       swarselsystems = {
         hasBluetooth = false;
         hasFingerprint = false;
    -    impermanence = false;
    +    isImpermanence = false;
         isBtrfs = false;
         flakePath = "/home/swarsel/.dotfiles";
         server = {
    @@ -2649,105 +2704,8 @@ My server setup was originally built on Proxmox VE; back when I started, I creat
     I have removed most of the machines from this section. What remains are some hosts that I have deployed on OCI (mostly sync for medium-important data) and one other machine that I left for now as a reference.
     

    -
    -
    4.1.2.1. Toto (QEMU VM)
    -
    -
    -
    { self, inputs, outputs, config, pkgs, lib, ... }:
    -let
    -  profilesPath = "${self}/profiles";
    -in
    -{
    -
    -  imports =  [
    -    inputs.disko.nixosModules.disko
    -    "${self}/hosts/nixos/toto/disk-config.nix"
    -    {
    -      _module.args = {
    -        withSwap = false;
    -      };
    -    }
    -    ./hardware-configuration.nix
    -
    -    inputs.sops-nix.nixosModules.sops
    -
    -    "${profilesPath}/optional/nixos/autologin.nix"
    -    "${profilesPath}/common/nixos/settings.nix"
    -    "${profilesPath}/common/nixos/home-manager.nix"
    -    "${profilesPath}/common/nixos/xserver.nix"
    -    "${profilesPath}/common/nixos/users.nix"
    -    "${profilesPath}/common/nixos/sops.nix"
    -    "${profilesPath}/server/nixos/ssh.nix"
    -
    -    inputs.home-manager.nixosModules.home-manager
    -    {
    -      home-manager.users.swarsel.imports =  [
    -        inputs.sops-nix.homeManagerModules.sops
    -        "${profilesPath}/common/home/settings.nix"
    -        "${profilesPath}/common/home/sops.nix"
    -        "${profilesPath}/common/home/ssh.nix"
    -
    -      ] ++ (builtins.attrValues outputs.homeManagerModules);
    -    }
    -  ] ++ (builtins.attrValues outputs.nixosModules);
    -
    -
    -  nixpkgs = {
    -    overlays = [ outputs.overlays.default ];
    -    config = {
    -      allowUnfree = true;
    -    };
    -  };
    -
    -  environment.systemPackages = with pkgs; [
    -    curl
    -    git
    -    gnupg
    -    rsync
    -    ssh-to-age
    -    sops
    -    vim
    -    just
    -  ];
    -
    -  system.stateVersion = lib.mkForce "23.05";
    -
    -  boot = {
    -    loader.systemd-boot.enable = lib.mkForce true;
    -    loader.efi.canTouchEfiVariables = true;
    -    supportedFilesystems = [ "btrfs" ];
    -    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
    -  };
    -
    -
    -  networking = {
    -    hostName = "toto";
    -    firewall.enable = false;
    -  };
    -
    -  swarselsystems = {
    -    wallpaper = self + /wallpaper/lenovowp.png;
    -    impermanence = false;
    -    isBtrfs = false;
    -    initialSetup = true;
    -  };
    -
    -  home-manager.users.swarsel.swarselsystems = {
    -    isLaptop = false;
    -    isNixos = true;
    -    isBtrfs = false;
    -    flakePath = "/home/swarsel/.dotfiles";
    -  };
    -
    -}
    -
    -
    -
    -
    -
    -
    -
    4.1.2.2. Sync (OCI)
    +
    4.1.2.1. Sync (OCI)

    This machine mainly acts as an external sync helper. It manages the following things: @@ -2766,7 +2724,7 @@ All of these are processes that use little cpu but can take a lot of storage. Fo

    -
    4.1.2.2.1. NixOS
    +
    4.1.2.1.1. NixOS
    { self, inputs, outputs, lib, ... }:
    @@ -2850,7 +2808,7 @@ in
       swarselsystems = {
         hasBluetooth = false;
         hasFingerprint = false;
    -    impermanence = false;
    +    isImpermanence = false;
         isBtrfs = false;
         flakePath = "/root/.dotfiles";
         server = {
    @@ -2868,19 +2826,148 @@ in
     
    -
    -

    4.1.3. Utility hosts

    +
    +

    4.1.3. Utility hosts

    +
    +
    4.1.3.1. Toto (Physical/VM)
    +
    +

    +This is a slim setup for developing base configuration. +

    + +
    +
    { self, inputs, outputs, config, pkgs, lib, ... }:
    +let
    +  profilesPath = "${self}/profiles";
    +  sharedOptions = {
    +    isBtrfs = true;
    +  };
    +in
    +{
    +
    +  imports =  [
    +    inputs.disko.nixosModules.disko
    +    "${self}/hosts/nixos/toto/disk-config.nix"
    +    ./hardware-configuration.nix
    +
    +    inputs.sops-nix.nixosModules.sops
    +    inputs.impermanence.nixosModules.impermanence
    +    inputs.lanzaboote.nixosModules.lanzaboote
    +
    +    "${profilesPath}/optional/nixos/autologin.nix"
    +    "${profilesPath}/common/nixos/settings.nix"
    +    "${profilesPath}/common/nixos/home-manager.nix"
    +    "${profilesPath}/common/nixos/xserver.nix"
    +    "${profilesPath}/common/nixos/users.nix"
    +    "${profilesPath}/common/nixos/impermanence.nix"
    +    "${profilesPath}/common/nixos/lanzaboote.nix"
    +    "${profilesPath}/common/nixos/sops.nix"
    +    "${profilesPath}/server/nixos/ssh.nix"
    +
    +    inputs.home-manager.nixosModules.home-manager
    +    {
    +      home-manager.users.swarsel.imports =  [
    +        inputs.sops-nix.homeManagerModules.sops
    +        "${profilesPath}/common/home/settings.nix"
    +        "${profilesPath}/common/home/sops.nix"
    +        "${profilesPath}/common/home/ssh.nix"
    +
    +      ] ++ (builtins.attrValues outputs.homeManagerModules);
    +    }
    +  ] ++ (builtins.attrValues outputs.nixosModules);
    +
    +
    +  nixpkgs = {
    +    overlays = [ outputs.overlays.default ];
    +    config = {
    +      allowUnfree = true;
    +    };
    +  };
    +
    +  environment.systemPackages = with pkgs; [
    +    curl
    +    git
    +    gnupg
    +    rsync
    +    ssh-to-age
    +    sops
    +    vim
    +    just
    +    sbctl
    +  ];
    +
    +  system.stateVersion = lib.mkForce "23.05";
    +
    +  boot = {
    +    supportedFilesystems = [ "btrfs" ];
    +    kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
    +  };
    +
    +
    +  networking = {
    +    hostName = "toto";
    +    firewall.enable = false;
    +  };
    +
    +  swarselsystems = lib.recursiveUpdate {
    +    wallpaper = self + /wallpaper/lenovowp.png;
    +    isImpermanence = true;
    +    isCrypted = true;
    +    isSecureBoot = false;
    +    isSwap = true;
    +    swapSize = "8G";
    +    # rootDisk = "/dev/nvme0n1";
    +    rootDisk = "/dev/vda";
    +  } sharedOptions;
    +
    +  home-manager.users.swarsel.swarselsystems = lib.recursiveUpdate {
    +    isLaptop = false;
    +    isNixos = true;
    +    flakePath = "/home/swarsel/.dotfiles";
    +  } sharedOptions;
    +
    +}
    +
    +
    +
    +
    +
    +
    -
    4.1.3.1. drugstore (ISO)
    +
    4.1.3.2. drugstore (ISO)

    This is a live environment ISO that I use to bootstrap new systems. It only loads a minimal configuration and no graphical interface. After booting this image on a host, find out its IP and bootstrap the system using the bootstrap utility.

    +

    +For added convenience, the live environment displays a helpful text on login, we define it here (will be put into /etc/issue): +

    +
    -
    { self, pkgs, inputs, config, lib, modulesPath, ... }:
    +
    ~SwarselSystems~
    +IP of primary interface: \4
    +The Password for all users & root is 'setup'.
    +Install the system remotely by running 'bootstrap -n <CONFIGURATION_NAME> -d <IP_FROM_ABOVE> ' on a machine with deployed secrets.
    +Alternatively, run 'swarsel-install -n <CONFIGURATION_NAME>' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access).
    +
    +
    +
    + +

    +Also, an initial bash history is provided to allow for a very quick local deployment: +

    + +
    +
    swarsel-install -n chaostheatre
    +
    +
    + + +
    +
    { self, pkgs, inputs, outputs, config, lib, modulesPath, ... }:
     let
       pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
     in
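Review bot: `firewall.enable = false;` on the re-added toto host switches the NixOS firewall off entirely on a machine that imports `"${profilesPath}/server/nixos/ssh.nix"` and is reached over the network by the bootstrap tooling. Unless a profile depends on an unfiltered host, leaving `networking.firewall.enable` at its default and letting the openssh module's `openFirewall` default expose only the SSH port keeps the same workflow with a smaller exposed surface. The old Toto block removed in the -2649 hunk carried the same line, so this is carried over rather than new, but the move is a good moment to drop it or to leave a comment saying why a development VM needs it.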
    @@ -2897,9 +2984,32 @@ in
     
         "${self}/profiles/iso/minimal.nix"
     
    +    inputs.home-manager.nixosModules.home-manager
    +    {
    +      home-manager.users.swarsel.imports = [
    +        "${self}/profiles/common/home/settings.nix"
    +      ] ++ (builtins.attrValues outputs.homeManagerModules);
    +    }
       ];
     
    -  environment.etc."issue".text = "\\4\n";
    +  home-manager.users.swarsel.home = {
    +    file = {
    +      ".bash_history" = {
    +        source = self + /programs/bash/.bash_history;
    +      };
    +    };
    +  };
    +  home-manager.users.root.home = {
    +    stateVersion = "23.05";
    +    file = {
    +      ".bash_history" = {
    +        source = self + /programs/bash/.bash_history;
    +      };
    +    };
    +  };
    +
    +  # environment.etc."issue".text = "\x1B[32m~SwarselSystems~\x1B[0m\nIP of primary interface: \x1B[31m\\4\x1B[0m\nThe Password for all users & root is '\x1B[31msetup\x1B[0m'.\nInstall the system remotely by running '\x1B[33mbootstrap -n <HOSTNAME> -d <IP_FROM_ABOVE> [--impermanence] [--encryption]\x1B[0m' on a machine with deployed secrets.\nAlternatively, run '\x1B[33mswarsel-install -d <DISK> -f <flake>\x1B[0m' for a local install.\n";
    +  environment.etc."issue".source = "${self}/programs/etc/issue";
       networking.dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
     
       isoImage = {
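Review bot: The commented-out `# environment.etc."issue".text = "\x1B[32m~SwarselSystems~..."` line is dead configuration now that the banner is delivered through `environment.etc."issue".source = "${self}/programs/etc/issue";` directly below it; the two copies will drift, and a 300-character commented string in a literate export hurts readability. Drop it, or if the escape-coded variant is meant as a reference for the colour codes, move that into the `programs/etc/issue` file itself. Separately, `home-manager.users.root.home.stateVersion = "23.05"` is set here while `home-manager.users.swarsel.home` gets none in this hunk; presumably `profiles/common/home/settings.nix` supplies it, but that is worth confirming because home-manager fails evaluation when `home.stateVersion` is undefined.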
    @@ -2945,7 +3055,9 @@ in
     
       system.activationScripts.cache = {
         text = ''
    -      mkdir -p /home/swarsel/.local/share/nix/
    +      mkdir -p -m=0777 /home/swarsel/.local/state/nix/profiles
    +      mkdir -p -m=0777 /home/swarsel/.local/state/home-manager/gcroots
    +      mkdir -p -m=0777 /home/swarsel/.local/share/nix/
           printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/swarsel/.local/share/nix/trusted-settings.json > /dev/null
           mkdir -p /root/.local/share/nix/
           printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
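Review bot: The three added `mkdir -p -m=0777 ...` lines pass `=0777` as the mode argument, which GNU mkdir parses as a symbolic mode and, as far as I can tell, rejects as invalid, so the directories are probably never created by this activation script; `-m 0777` or `--mode=0777` is the accepted spelling. Independently of the spelling, world-writable directories under `/home/swarsel/.local/state/nix/profiles` and `.../home-manager/gcroots` let any other account on the live system plant profile links and GC roots. Since the activation script already runs as root, `install -d -o swarsel -g users -m 0755 /home/swarsel/.local/state/nix/profiles` gives the user ownership without opening the directory to everyone, and the same form would fix the root-owned `.local/share/nix/` directory that the 0777 is presumably working around.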
    @@ -2976,7 +3088,7 @@ in
     
    -
    4.1.3.2. Home-manager only (non-NixOS)
    +
    4.1.3.3. Home-manager only (non-NixOS)

    This is the "reference implementation" of a setup that runs without NixOS, only relying on home-manager. I try to test this every now and then and keep it supported. However, manual steps are needed to get the system to work fully, depending on what distribution you are running on. @@ -3044,9 +3156,9 @@ This is the "reference implementation" of a setup that runs without NixOS, only

    -
    -
    4.1.3.3. ChaosTheatre (Demo)
    -
    +
    +
    4.1.3.4. ChaosTheatre (Demo Physical/VM)
    +

    This is just a demo host. It applies all the configuration found in the common parts of the flake, but disables all secrets-related features (as they would not work without the proper SSH keys).

    @@ -3174,6 +3286,7 @@ let "bootstrap" "swarsel-rebuild" "swarsel-install" + "swarsel-postinstall" "t2ts" "ts2t" "vershell" @@ -3274,7 +3387,8 @@ The version of cura used to be quite outdated in nixpkgs. I am fetc
    -
    { appimageTools, fetchurl, writeScriptBin, pkgs }:
    +
    # taken from https://github.com/NixOS/nixpkgs/issues/186570#issuecomment-1627797219
    +{ appimageTools, fetchurl, writeScriptBin, pkgs }:
     
     
     let
    @@ -3826,7 +3940,7 @@ writeShellApplication {
     
    4.2.1.17. bootstrap

    -This program sets up a new NixOS host. +This program sets up a new NixOS host remotely. It also takes care of secret management on the new host.

    @@ -3837,11 +3951,13 @@ target_hostname="" target_destination="" target_user="swarsel" ssh_port="22" +persist_dir="" +disk_encryption=0 temp=$(mktemp -d) function help_and_exit() { echo - echo "Remotely installs NixOS on a target machine using this nix-config." + echo "Remotely installs SwarselSystem on a target machine including secret deployment." echo echo "USAGE: $0 -n <target_hostname> -d <target_destination> [OPTIONS]" echo @@ -3854,7 +3970,6 @@ function help_and_exit() { echo " -u <target_user> specify target_user with sudo access. nix-config will be cloned to their home." echo " Default='${target_user}'." echo " --port <ssh_port> specify the ssh port to use for remote access. Default=${ssh_port}." - echo " --impermanence Use this flag if the target machine has impermanence enabled. WARNING: Assumes /persist path." echo " --debug Enable debug mode." echo " -h | --help Print this help." exit 0 @@ -3909,14 +4024,14 @@ function update_sops_file() { SOPS_FILE=".sops.yaml" sed -i "{ - # Remove any * and & entries for this host - /[*&]$key_name/ d; - # Inject a new age: entry - # n matches the first line following age: and p prints it, then we transform it while reusing the spacing - /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; - # Inject a new hosts or user: entry - /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} - }" $SOPS_FILE + # Remove any * and & entries for this host + /[*&]$key_name/ d; + # Inject a new age: entry + # n matches the first line following age: and p prints it, then we transform it while reusing the spacing + /age:/{n; p; s/\(.*- \*\).*/\1$key_name/}; + # Inject a new hosts or user: entry + /&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/} + }" $SOPS_FILE green "Updating .sops.yaml" cd - } @@ -3939,10 +4054,6 @@ while [[ $# -gt 0 ]]; do shift ssh_port=$1 ;; - --temp-override) - shift - temp=$1 - ;; --debug) set -x ;; 
@@ -3955,6 +4066,44 @@ while [[ $# -gt 0 ]]; do shift done +green "~SwarselSystems~ remote installer" +green "Reading system information for $target_hostname ..." + +DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)" +green "Root Disk: $DISK" + +CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)" +if [[ $CRYPTED == "true" ]]; then + green "Encryption: ✓" + disk_encryption=1 +else + red "Encryption: X" + disk_encryption=0 +fi + +IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)" +if [[ $IMPERMANENCE == "true" ]]; then + green "Impermanence: ✓" + persist_dir="/persist" +else + red "Impermanence: X" + persist_dir="" +fi + +SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)" +if [[ $SWAP == "true" ]]; then + green "Swap: ✓" +else + red "Swap: X" +fi + +SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)" +if [[ $SECUREBOOT == "true" ]]; then + green "Secure Boot: ✓" +else + red "Secure Boot: X" +fi + ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination" # ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value ssh_root_cmd=${ssh_cmd/${target_user}@/root@} 
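Review bot: The five new `nix eval` calls hard-code `~/.dotfiles#nixosConfigurations...` while the rest of the script addresses the checkout through `$FLAKE` and `${git_root}` (see the -3978 hunk), so the installer reads the host's options from whichever dotfiles copy sits in the home directory rather than from the tree being deployed. Use the same variable here, e.g. `DISK="$(nix eval --raw "$FLAKE"#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"`. Each call also evaluates the whole configuration again; a single `nix eval --json` of the handful of attributes needed, read into the variables once, does the work one time and makes a missing option fail in one place.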
@@ -3978,31 +4127,42 @@ sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts # ------------------------ green "Preparing a new ssh_host_ed25519_key pair for $target_hostname." # Create the directory where sshd expects to find the host keys -install -d -m755 "$temp/etc/ssh" +install -d -m755 "$temp/$persist_dir/etc/ssh" # Generate host ssh key pair without a passphrase -ssh-keygen -t ed25519 -f "$temp/etc/ssh/ssh_host_ed25519_key" -C root@"$target_hostname" -N "" +ssh-keygen -t ed25519 -f "$temp/$persist_dir/etc/ssh/ssh_host_ed25519_key" -C root@"$target_hostname" -N "" # Set the correct permissions so sshd will accept the key -chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key" +chmod 600 "$temp/$persist_dir/etc/ssh/ssh_host_ed25519_key" echo "Adding ssh host fingerprint at $target_destination to ~/.ssh/known_hosts" # This will fail if we already know the host, but that's fine ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true # ------------------------ # when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later # via the config -green "Preparing a temporary password for disko." -green "[Optional] Set disk encryption passphrase:" -read -rs luks_passphrase -if [ -n "$luks_passphrase" ]; then - $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" -else - $ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'" +if [ "$disk_encryption" -eq 1 ]; then + while true; do + green "Set disk encryption passphrase:" + read -rs luks_passphrase + green "Please confirm passphrase:" + read -rs luks_passphrase_confirm + if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then + $ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'" + break + else + red "Passwords do not match" + fi + done fi # ------------------------ green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config." 
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt" + +green "Injecting initialSetup" +$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix" + mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname" $scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix # ------------------------ + green "Deploying minimal NixOS installation on $target_destination" SHELL=/bin/sh nix run github:nix-community/nixos-anywhere -- --ssh-port "$ssh_port" --extra-files "$temp" --flake .#"$target_hostname" root@"$target_destination" @@ -4019,6 +4179,24 @@ while true; do yellow "$target_destination is not yet ready." fi done + +# ------------------------ + +if [[ $SECUREBOOT == "true" ]]; then + green "Setting up secure boot keys" + $ssh_root_cmd "mkdir -p /var/lib/sbctl" + read -ra scp_call <<< "${scp_cmd}" + sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/ + $ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true" +fi +# ------------------------ +green "Disabling initialSetup" +sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix + +if [ -n "$persist_dir" ]; then + $ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true" + $ssh_root_cmd "cp -R /etc/ssh/ $persist_dir/etc/ssh/ || true" +fi # ------------------------ green "Generating an age key based on the new ssh_host_ed25519_key." target_key=$( 
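Review bot: The new confirmation loop accepts an empty passphrase: when both `read -rs` prompts are left blank the strings match, `echo $luks_passphrase > /tmp/disko-password` writes an empty line, and disko formats the LUKS volume with an empty passphrase on a host whose config says `isCrypted = true`. Change the check to `if [[ -n $luks_passphrase && $luks_passphrase == "$luks_passphrase_confirm" ]]; then` and report "Passphrase must not be empty" in the other branch. The passphrase is also interpolated into the remote command line, where it is visible to `ps` on the target and is echoed locally under `--debug` (`set -x`); feeding it through stdin, `printf '%s\n' "$luks_passphrase" | $ssh_root_cmd "cat > /tmp/disko-password"`, keeps it out of argv and means a quote character no longer breaks the `/bin/sh -c '...'` wrapper. The `-t` in `$ssh_cmd` is context here, but note that ssh drops the pty request when stdin is a pipe, which is fine for this one command.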
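Review bot: `$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"` discards the enrollment result, so a host whose config says `isSecureBoot = true` can finish the run with keys copied but never enrolled and nothing reported. If the failure is expected on some targets (VM firmware without setup mode), keep the fallback but make it `|| echo 'sbctl enroll-keys failed; Secure Boot keys are not enrolled'` so the operator sees it. `sudo "${scp_call[@]}" -r /var/lib/sbctl ...` runs scp as local root and therefore authenticates with root's SSH identity and known_hosts rather than the invoking user's; if that only works because of an inherited agent socket it is fragile, and `sudo tar -C /var/lib -cf - sbctl | $ssh_root_cmd "tar -C /var/lib -xf -"` reads as root while connecting as the user. Copying the whole signing-key tree also means every host shares one key set, which is a reasonable choice for a personal fleet but deserves a one-line comment at the copy, since revoking one host then means re-enrolling all of them.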
@@ -4051,6 +4229,7 @@ green "Updating all secrets files to reflect updates .sops.yaml" sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml # -------------------------- green "Making ssh_host_ed25519_key available to home-manager for user $target_user" +sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts $scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key $ssh_root_cmd "chown $target_user:users /home/swarsel/.ssh/ssh_host_ed25519_key" # __________________________ @@ -4069,8 +4248,14 @@ if yes_or_no "Do you want to copy your full nix-config and nix-secrets to $targe cd "${git_root}" just sync "$target_user" "$target_destination" + if [ -n "$persist_dir" ]; then + $ssh_root_cmd "cp -r /home/$target_user/.dotfiles $persist_dir/.dotfiles || true" + $ssh_root_cmd "cp -r /home/$target_user/.ssh $persist_dir/.ssh || true" + fi + if yes_or_no "Do you want to rebuild immediately?"; then green "Rebuilding nix-config on $target_hostname" + yellow "Reminder: The password is 'setup'" $ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' > /root/.local/share/nix/trusted-settings.json" $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch" fi @@ -4102,7 +4287,6 @@ fi
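Review bot: `sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts` deletes by unanchored regex, so every known_hosts entry that merely contains the hostname or address is removed (and a `.` in an IP matches any character), after which the following scp talks to a host with no pinned key. Use the exact-match tool, `ssh-keygen -R "$target_destination"` and `ssh-keygen -R "$target_hostname"`, and since the new host's `ssh_host_ed25519_key.pub` was generated locally earlier in this script, append that public key for the target to known_hosts rather than re-learning it over the network (assuming `$temp` still exists at this point; its lifetime is not visible here). The unchanged line that follows chowns `/home/swarsel/.ssh/ssh_host_ed25519_key` regardless of `$target_user`, so the copied private host key keeps the wrong owner for any other user.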
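Review bot: `$ssh_root_cmd "cp -r /home/$target_user/.ssh $persist_dir/.ssh || true"` runs as root without `-p`, so the persisted `sops` key and private host key typically come out root-owned with modes filtered through root's umask, and if `$persist_dir/.ssh` already exists from an earlier run `cp -r` nests the tree as `.ssh/.ssh` instead of refreshing it; `mkdir -p $persist_dir/.ssh && cp -a /home/$target_user/.ssh/. $persist_dir/.ssh/` keeps ownership and modes and is idempotent. The `|| true` also hides a failed copy of exactly the material that this commit's sops configuration reads from `/persist/.ssh`. Separately, `$ssh_cmd -oForwardAgent=yes` forwards the admin's agent into a host whose user, per the reminder printed just above, still has the well-known password `setup` at that moment; prefer `-oForwardAgent=no` with a deploy key, or at least confirm that the rebuild rotates that password (not visible here).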
    -
    { writeShellApplication, openssh }:
     
    @@ -4115,27 +4299,27 @@ writeShellApplication {
     
    -
    -
    4.2.1.18. swarsel-rebuild
    +
    +
    4.2.1.18. swarsel-rebuild

    -This program sets up a new NixOS host. +This program builds a configuration locally.

    set -eo pipefail
     
    -target_flake="chaostheatre"
    +target_config="chaostheatre"
     target_user="swarsel"
     
     function help_and_exit() {
         echo
    -    echo "Remotely installs NixOS on a target machine using this nix-config."
    +    echo "Builds SwarselSystem configuration."
         echo
         echo "USAGE: $0 [OPTIONS]"
         echo
         echo "ARGS:"
    -    echo "  -f <target_flake>                       specify flake to deploy the nixos config of."
    +    echo "  -n <target_config>                       specify nixos config to build."
         echo "                                          Default: chaostheatre"
         echo "  -u <target_user>                        specify user to deploy for."
         echo "                                          Default: swarsel"
    @@ -4164,9 +4348,9 @@ function yellow() {
     
     while [[ $# -gt 0 ]]; do
         case "$1" in
    -    -f)
    +    -n)
             shift
    -        target_flake=$1
    +        target_config=$1
             ;;
         -u)
             shift
    @@ -4204,11 +4388,11 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     else
         green "Valid SSH key found! Continuing with installation"
     fi
    -sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_flake"/
    -git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_flake"/hardware-configuration.nix
    +sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
    +git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
     
    -green "Installing flake $target_flake"
    -sudo nixos-rebuild --show-trace --flake .#"$target_flake" boot
    +green "Installing flake $target_config"
    +sudo nixos-rebuild --show-trace --flake .#"$target_config" boot
     yellow "Please keep in mind that this is only a demo of the configuration. Things might break unexpectedly."
     
    @@ -4227,39 +4411,44 @@ writeShellApplication {
    -
    -
    4.2.1.19. swarsel-install
    +
    +
    4.2.1.19. swarsel-install

    -This program sets up a new NixOS host. +This program sets up a new NixOS host locally.

    set -eo pipefail
     
    -target_flake="chaostheatre"
    +target_config="chaostheatre"
    +target_hostname="chaostheatre"
     target_user="swarsel"
    -fs_type="ext4"
    -disk=""
    +persist_dir=""
    +disk_encryption=0
     
     function help_and_exit() {
         echo
    -    echo "Remotely installs NixOS on a target machine using this nix-config."
    +    echo "Locally installs SwarselSystem on this machine."
         echo
    -    echo "USAGE: $0 -d <disk> [OPTIONS]"
    +    echo "USAGE: $0 -n <target_config> [OPTIONS]"
         echo
         echo "ARGS:"
    -    echo "  -d <disk>                               specify disk to install on."
    -    echo "  -f <target_flake>                       specify flake to deploy the nixos config of."
    +    echo "  -n <target_config>                      specify the nixos config to deploy."
    +    echo "                                          Default: chaostheatre"
         echo "                                          Default: chaostheatre"
         echo "  -u <target_user>                        specify user to deploy for."
         echo "                                          Default: swarsel"
    -    echo "  -t <fs_type>                            specify file system type to deploy for."
    -    echo "                                          Default: ext4"
         echo "  -h | --help                             Print this help."
         exit 0
     }
     
    +function red() {
    +    echo -e "\x1B[31m[!] $1 \x1B[0m"
    +    if [ -n "${2-}" ]; then
    +        echo -e "\x1B[31m[!] $($2) \x1B[0m"
    +    fi
    +}
     function green() {
         echo -e "\x1B[32m[+] $1 \x1B[0m"
         if [ -n "${2-}" ]; then
    @@ -4275,22 +4464,15 @@ function yellow() {
     
     while [[ $# -gt 0 ]]; do
         case "$1" in
    -    -f)
    +    -n)
             shift
    -        target_flake=$1
    +        target_config=$1
    +        target_hostname=$1
             ;;
         -u)
             shift
             target_user=$1
             ;;
    -    -t)
    -        shift
    -        fs_type=$1
    -        ;;
    -    -d)
    -        shift
    -        disk=$1
    -        ;;
         -h | --help) help_and_exit ;;
         *)
             echo "Invalid option detected."
    @@ -4300,14 +4482,59 @@ while [[ $# -gt 0 ]]; do
         shift
     done
     
    +function cleanup() {
    +    sudo rm -rf .cache/nix
    +    sudo rm -rf /root/.cache/nix
    +}
    +trap cleanup exit
    +
    +green "~SwarselSystems~ remote installer"
    +
     cd /home/"$target_user"
     
    +sudo rm -rf /root/.cache/nix
     sudo rm -rf .cache/nix
     sudo rm -rf .dotfiles
     
     green "Cloning repository from GitHub"
     git clone https://github.com/Swarsel/.dotfiles.git
     
    +green "Reading system information for $target_config ..."
    +DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
    +green "Root Disk: $DISK"
    +
    +CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
    +if [[ $CRYPTED == "true" ]]; then
    +    green "Encryption: ✓"
    +    disk_encryption=1
    +else
    +    red "Encryption: X"
    +    disk_encryption=0
    +fi
    +
    +IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)"
    +if [[ $IMPERMANENCE == "true" ]]; then
    +    green "Impermanence: ✓"
    +    persist_dir="/persist"
    +else
    +    red "Impermanence: X"
    +    persist_dir=""
    +fi
    +
    +SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)"
    +if [[ $SWAP == "true" ]]; then
    +    green "Swap: ✓"
    +else
    +    red "Swap: X"
    +fi
    +
    +SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
    +if [[ $SECUREBOOT == "true" ]]; then
    +    green "Secure Boot: ✓"
    +else
    +    red "Secure Boot: X"
    +fi
    +
     local_keys=$(ssh-add -L || true)
     pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/nbl-imba-2.pub)
     read -ra pub_arr <<< "$pub_key"
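Review bot: The `cleanup` trap removes `.cache/nix` by relative path and is installed before `cd /home/"$target_user"`, so if that `cd` fails and `set -e` aborts, the EXIT trap runs `sudo rm -rf .cache/nix` in whatever directory the installer was launched from. Use the absolute path in both places, `sudo rm -rf /home/"$target_user"/.cache/nix`. The banner `green "~SwarselSystems~ remote installer"` is also misleading for a script whose help text says it installs locally. The five `nix eval` results are taken at face value: an empty `rootDisk` (the option's default is `""`) is printed as `Root Disk:` and the script proceeds to the disko wipe in the next hunk.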
    @@ -4322,33 +4549,38 @@ else
         green "Valid SSH key found! Continuing with installation"
     fi
     
    -green "Creating /boot partition"
    -sudo parted -a optimal --script "$disk" mklabel gpt
    -sudo parted -a optimal --script "$disk" mkpart "boot" fat32 1MiB 1025MiB
    -sudo parted -a optimal --script "$disk" set 1 esp on
    +if [ "$disk_encryption" -eq 1 ]; then
    +    while true; do
    +        green "Set disk encryption passphrase:"
    +        read -rs luks_passphrase
    +        green "Please confirm passphrase:"
    +        read -rs luks_passphrase_confirm
    +        if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
    +            echo "$luks_passphrase" > /tmp/disko-password
    +            break
    +        else
    +            red "Passwords do not match"
    +        fi
    +    done
    +fi
     
    -green "Creating / partition"
    -sudo parted -a optimal --script "$disk" mkpart "root" "$fs_type" 1025MiB 100%
    -sudo parted -a optimal --script "$disk" type 2 4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709
    -
    -green "Ensuring proper file systems"
    -sudo mkfs.fat -F32 "$disk"1
    -sudo mkfs."${fs_type}" -F "$disk"2
    +green "Setting up disk"
    +sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
    +sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/
    +sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/
    +sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"
     
     green "Generating hardware configuration"
    -sudo mount "$disk"2 /mnt
    -sudo mkdir -p /mnt/boot
    -sudo mount "$disk"1 /mnt/boot
    -sudo nixos-generate-config --root /mnt --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_flake"/
    +sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/
     
    -git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_flake"/hardware-configuration.nix
    -# sudo rm -rf /root/.nix-defexpr/channels
    -# sudo rm -rf /nix/var/nix/profiles/per-user/channels
    +green "Injecting initialSetup"
    +sudo sed -i '/  boot.extraModulePackages /a \  swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
    +
    +git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
     sudo mkdir -p /root/.local/share/nix/
     printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null
    -green "Installing flake $target_flake"
    -sudo nixos-install --flake .#"$target_flake"
    -yellow "Please keep in mind that this is only a demo of the configuration. Things might break unexpectedly."
    +green "Installing flake $target_config"
    +sudo nixos-install --flake .#"$target_config"
     green "Installation finished! Reboot to see changes"
     
    @@ -4367,8 +4599,108 @@ writeShellApplication {
    +
    +
    4.2.1.20. swarsel-postinstall
    +
    +

    +This program sets up a new NixOS host locally. +

    + +
    +
    set -eo pipefail
    +
    +target_config="chaostheatre"
    +target_user="swarsel"
    +
    +function help_and_exit() {
    +    echo
    +    echo "Locally installs SwarselSystem on this machine."
    +    echo
    +    echo "USAGE: $0 -d <disk> [OPTIONS]"
    +    echo
    +    echo "ARGS:"
    +    echo "  -d <disk>                               specify disk to install on."
    +    echo "  -n <target_config>                      specify the nixos config to deploy."
    +    echo "                                          Default: chaostheatre"
    +    echo "                                          Default: chaostheatre"
    +    echo "  -u <target_user>                        specify user to deploy for."
    +    echo "                                          Default: swarsel"
    +    echo "  -h | --help                             Print this help."
    +    exit 0
    +}
    +
    +function green() {
    +    echo -e "\x1B[32m[+] $1 \x1B[0m"
    +    if [ -n "${2-}" ]; then
    +        echo -e "\x1B[32m[+] $($2) \x1B[0m"
    +    fi
    +}
    +
    +while [[ $# -gt 0 ]]; do
    +    case "$1" in
    +    -n)
    +        shift
    +        target_config=$1
    +        ;;
    +    -u)
    +        shift
    +        target_user=$1
    +        ;;
    +    -h | --help) help_and_exit ;;
    +    *)
    +        echo "Invalid option detected."
    +        help_and_exit
    +        ;;
    +    esac
    +    shift
    +done
    +
    +function cleanup() {
    +    sudo rm -rf .cache/nix
    +    sudo rm -rf /root/.cache/nix
    +}
    +trap cleanup exit
    +
    +sudo rm -rf .cache/nix
    +sudo rm -rf /root/.cache/nix
    +
    +green "~SwarselSystems~ remote post-installer"
    +
    +cd /home/"$target_user"/.dotfiles
    +
    +SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_config".config.swarselsystems.isSecureBoot)"
    +
    +if [[ $SECUREBOOT == "true" ]]; then
    +    green "Setting up secure boot keys"
    +    sudo mkdir -p /var/lib/sbctl
    +    sbctl create-keys || true
    +    sbctl enroll-keys --ignore-immutable --microsoft || true
    +fi
    +
    +green "Disabling initialSetup"
    +sed -i '/swarselsystems\.initialSetup = true;/d' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix
    +sudo nixos-rebuild --flake .#"$target_config" switch
    +green "Post-install finished!"
    +
    +
    +
    + + + +
    +
    { writeShellApplication, git }:
    +
    +writeShellApplication {
    +  name = "swarsel-postinstall";
    +  runtimeInputs = [ git ];
    +  text = builtins.readFile ../../scripts/swarsel-postinstall.sh;
    +}
    +
    +
    +
    +
    -
    4.2.1.20. t2ts
    +
    4.2.1.21. t2ts

    This script allows for quick git branch switching. @@ -4390,7 +4722,7 @@ writeShellApplication {
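Review bot: `sbctl create-keys || true` and `sbctl enroll-keys --ignore-immutable --microsoft || true` run without `sudo`, although the directory they write, `/var/lib/sbctl`, was just created with `sudo mkdir -p` and enrolling keys needs write access to EFI variables; both failures are then hidden by `|| true`, after which the script deletes `swarselsystems.initialSetup` and runs `nixos-rebuild switch`, which per this commit's lanzaboote module selects Lanzaboote with `pkiBundle = "/var/lib/sbctl"`. Run them as root and let failure stop the script: `sudo sbctl create-keys` and `sudo sbctl enroll-keys --microsoft` (as I read it, `--ignore-immutable` bypasses sbctl's immutable-efivars safety check, so keep it only if the firmware is known to need it). The help text also advertises `-d <disk>`, which the parser rejects as an invalid option, repeats the `Default: chaostheatre` line, and the `cleanup` trap deletes a relative `.cache/nix` before the script has changed into the user's home.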

    -
    4.2.1.21. ts2t
    +
    4.2.1.22. ts2t

    This script allows for quick git branch switching. @@ -4411,9 +4743,9 @@ writeShellApplication {

    -
    -
    4.2.1.22. vershell
    -
    +
    +
    4.2.1.23. vershell
    +

    This script allows for quick git branch switching.

    @@ -4433,9 +4765,9 @@ writeShellApplication {
    -
    -
    4.2.1.23. eontimer
    -
    +
    +
    4.2.1.24. eontimer
    +

    This script allows for quick git branch switching.

    @@ -4575,6 +4907,7 @@ in // (zjstatus final prev) // (inputs.nur.overlays.default final prev) // (inputs.emacs-overlay.overlay final prev) + // (inputs.nix-topology.overlays.default final prev) // (inputs.nixgl.overlay final prev); } @@ -4607,8 +4940,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a "wallpaper" "hardware" "setup" - "impermanence" - "filesystem" + "server" "input" ]; @@ -4676,21 +5008,49 @@ I usually use mutableUsers = false in my NixOS configuration. Howev
    { lib, ... }:
    -let
    -  inherit (lib) mkOption types;
    -in
    -
     {
    -  options.swarselsystems.flakePath = mkOption {
    -    type = types.str;
    +  options.swarselsystems.user = lib.mkOption {
    +    type = lib.types.str;
    +    default = "swarsel";
    +  };
    +  options.swarselsystems.flakePath = lib.mkOption {
    +    type = lib.types.str;
         default = "";
       };
    -  options.swarselsystems.withHomeManager = mkOption {
    -    type = types.bool;
    +  options.swarselsystems.withHomeManager = lib.mkOption {
    +    type = lib.types.bool;
         default = true;
       };
    +  options.swarselsystems.isSwap = lib.mkOption {
    +    type = lib.types.bool;
    +    default = true;
    +  };
    +  options.swarselsystems.swapSize = lib.mkOption {
    +    type = lib.types.str;
    +    default = "8G";
    +  };
    +  options.swarselsystems.rootDisk = lib.mkOption {
    +    type = lib.types.str;
    +    default = "";
    +  };
    +  options.swarselsystems.isCrypted = lib.mkEnableOption "uses full disk encryption";
       options.swarselsystems.isPublic = lib.mkEnableOption "is a public machine (no secrets)";
       options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
    +
    +  options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
    +  options.swarselsystems.isImpermanence = lib.mkEnableOption "use impermanence on this system";
    +  options.swarselsystems.isSecureBoot = lib.mkEnableOption "use secure boot on this system";
    +}
    +
    +
    +
    +
    +
    +
    4.2.3.1.4. Server
    +
    +
    +
    { lib, ... }:
    +{
       options.swarselsystems.server.enable = lib.mkEnableOption "is a server machine";
       options.swarselsystems.server.kavita = lib.mkEnableOption "enable kavita on server";
       options.swarselsystems.server.jellyfin = lib.mkEnableOption "enable jellyfin on server";
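Review bot: `options.swarselsystems.rootDisk` defaults to `""`, so a host that forgets to set it evaluates cleanly and the local installer in this commit, which reads it via `nix eval --raw` and then runs disko with `--yes-wipe-all-disks`, proceeds with an empty disk path. Give the option no default (`lib.mkOption { type = lib.types.str; }`) or assert it is non-empty wherever the disko layout is built, so the mistake surfaces at evaluation time rather than at the destructive step; how the disko module consumes it is not visible here. `swapSize` is likewise a free-form string with no validation against what disko accepts. A `description` on the new boolean options saying what keys on them would help, e.g. for `isSecureBoot`: `"use secure boot on this system (Lanzaboote with keys in /var/lib/sbctl once initialSetup is off)"`.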
    @@ -4716,7 +5076,7 @@ in
     
    -
    4.2.3.1.4. Input
    +
    4.2.3.1.5. Input

    This section is for everything input-related on the NixOS side. At the moment, this is only used to define shell aliases for servers. @@ -4737,40 +5097,6 @@ in

    -
    -
    4.2.3.1.5. Impermanence
    -
    -

    -Option to enable impermanence configurations. This could also be done via optional imports, but impermanence is a "big enough" change to warrant a line in the machine default.nix. -

    - -
    -
    { lib, ... }:
    -
    -{
    -  options.swarselsystems.impermanence = lib.mkEnableOption "use impermanence on this system";
    -}
    -
    -
    -
    -
    -
    -
    4.2.3.1.6. Filesystem
    -
    -

    -This lets me quickly set flags for "special" file systems. These options mostly function in conjunction with other settings (for example, the isBtrfs function is mostly used for impermanence configuration). -

    - -
    -
    { lib, ... }:
    -
    -{
    -  options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
    -}
    -
    -
    -
    -
    4.2.3.2. home-manager
    @@ -5391,6 +5717,7 @@ This section is for setting things that should be used on hosts that are using t ./distrobox.nix ./lid.nix ./lowbattery.nix + ./lanzaboote.nix ]; nixpkgs.config.permittedInsecurePackages = [ @@ -6161,7 +6488,7 @@ in { sops = lib.mkIf (!config.swarselsystems.isPublic) { - age.sshKeyPaths = mkIfElse config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" ] [ "${config.users.users.swarsel.home}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; + age.sshKeyPaths = mkIfElse config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.users.users.swarsel.home}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; validateSopsFiles = false; @@ -6786,9 +7113,14 @@ Normally, doing that also resets the lecture that happens on the first use of
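Review bot: The new `age.sshKeyPaths` line selects the `/persist/.ssh/...` locations on `config.swarselsystems.isBtrfs`, but everywhere else in this commit the `/persist` tree is tied to impermanence — the installer sets `persist_dir="/persist"` from `isImpermanence`, and the sudo module now keys on `isImpermanence` too. A btrfs host without impermanence would therefore look for `/persist/.ssh/sops`, which the installer never writes, while an impermanence host on another filesystem would look under the home directory. Changing the condition to `config.swarselsystems.isImpermanence` (and matching it on the unchanged `defaultSopsFile` line) lines this up with the installer. The `sops` attribute set continues past the end of the hunk.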
    { config, lib, ... }:
    +let
    +  mkIfElse = p: yes: no: if p then yes else no;
    +  mapperTarget = mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
    +in
    +
     {
     
    -  security.sudo.extraConfig = lib.mkIf config.swarselsystems.impermanence ''
    +  security.sudo.extraConfig = lib.mkIf config.swarselsystems.isImpermanence ''
         # rollback results in sudo lectures after each reboot
         Defaults lecture = never
       '';
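Review bot: A private `mkIfElse` is re-declared in this module's `let` although the lanzaboote module added in the same commit uses `lib.swarselsystems.mkIfElse` for the same purpose; writing `mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";` avoids two definitions drifting apart. `mapperTarget` is not referenced in the lines shown, so presumably the rollback logic that uses it lies further down, outside the hunk; if it is in fact unused, deadnix (which this config ships) will flag it. A one-line comment above the binding would help readers, e.g. `# device holding the root subvolume: the LUKS mapping on encrypted hosts, the labelled partition otherwise`.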
    @@ -6799,12 +7131,13 @@ Normally, doing that also resets the lecture that happens on the first use of 
     
    +
    +
    4.3.1.32. Lanzaboote
    +
    +

    +This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`. +

    + +
    +
    { lib, config, ... }:
    +{
    +  boot = {
    +    loader = {
    +      efi.canTouchEfiVariables = true;
    +      systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
    +    };
    +    lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
    +      enable = true;
    +      pkiBundle = "/var/lib/sbctl";
    +    };
    +  };
    +}
    +
    +
    +
    +

    4.3.2. Server

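Review bot: `pkiBundle = "/var/lib/sbctl"` points Lanzaboote at a directory under the ephemeral root on `isImpermanence` hosts, and neither installer in this commit persists it (they copy `/etc/machine-id`, `/etc/ssh`, `.dotfiles` and `.ssh`), so after the first rollback the signing keys are gone and the next rebuild cannot sign boot entries; add `/var/lib/sbctl` to the persisted directories unless that is already handled somewhere not visible here. `efi.canTouchEfiVariables = true` is set unconditionally, so it now applies to every host importing this module, including ones that never intended to write firmware variables; gating it on `config.swarselsystems.isSecureBoot || config.swarselsystems.initialSetup` or leaving it to the host is safer. The `lib.mkForce` on both branches of `systemd-boot.enable` means no host can override the choice, which deserves a comment, e.g. `# mkForce: the installer flips initialSetup; a host must not re-enable systemd-boot while Lanzaboote owns the ESP`.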
    @@ -9268,6 +9623,7 @@ These options are really only to be used on the iso image in order to run nixos- sops vim just + sbctl ]; programs = { @@ -9448,6 +9804,8 @@ This holds packages that I can use as provided, or with small modifications (as deadnix statix nix-tree + manix + comma # shellscripts shfmt @@ -9526,6 +9884,7 @@ This holds packages that I can use as provided, or with small modifications (as wtype wl-clipboard wl-mirror + wf-recorder # screenshotting tools grim @@ -11826,7 +12185,8 @@ in "${modifier}+e" = "exec emacsclient -nquc -a emacs -e \"(dashboard-open)\""; "${modifier}+Shift+m" = "exec emacsclient -nquc -a emacs -e \"(mu4e)\""; "${modifier}+Shift+c" = "exec emacsclient -nquc -a emacs -e \"(swarsel/open-calendar)\""; - "${modifier}+m" = "exec swarselcheck -s"; + "${modifier}+m" = "exec swaymsg workspace back_and_forth"; + "${modifier}+a" = "exec swarselcheck -s"; "${modifier}+x" = "exec swarselcheck -k"; "${modifier}+d" = "exec swarselcheck -d"; "${modifier}+w" = "exec swarselcheck -e"; @@ -11844,6 +12204,7 @@ in "${modifier}+h" = "exec hyprpicker | wl-copy"; "${modifier}+s" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; "${modifier}+Shift+s" = "exec slurp | grim -g - Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')"; + "${modifier}+Shift+v" = "exec wf-recorder -g '$(slurp -f %o -or)' -f ~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; "${modifier}+1" = "workspace 1:一"; "${modifier}+Shift+1" = "move container to workspace 1:一"; "${modifier}+2" = "workspace 2:二"; @@ -12245,6 +12606,7 @@ The rest of the settings is at
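Review bot: The new `"${modifier}+Shift+v"` binding single-quotes the region, `wf-recorder -g '$(slurp -f %o -or)'`, and sway runs exec strings through `sh -c`, where single quotes suppress command substitution, so wf-recorder receives the literal text `$(slurp -f %o -or)` as its geometry; the sibling screenshot binding gets this right with escaped double quotes. Use the same form: `"${modifier}+Shift+v" = "exec wf-recorder -g \"$(slurp -f %o -or)\" -f ~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv";`. The binding also assumes `~/Videos` exists; wf-recorder will fail silently from a keybinding if it does not, so either create it in the home-manager config or prefix the command with `mkdir -p ~/Videos &&`.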