swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: add minimal config support (WIP)

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-07-04 19:54:45 +02:00
parent 34badc91d5
commit 49b557befa
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
26 changed files with 726 additions and 599 deletions
Download patch file Download diff file Expand all files Collapse all files

17
modules/nixos/client/packages.nix
View file

@ -1,8 +1,9 @@
{ lib, config, pkgs, ... }:
{ lib, config, pkgs, minimal, ... }:
{
options.swarselsystems.modules.packages = lib.mkEnableOption "install packages";
config = lib.mkIf config.swarselsystems.modules.packages {
environment.systemPackages = with pkgs; [
environment.systemPackages = with pkgs; lib.optionals (!minimal) [
# yubikey packages
gnupg
yubikey-personalization
@ -73,9 +74,19 @@
elk-to-svg
] ++ lib.optionals minimal [
curl
git
gnupg
rsync
ssh-to-age
sops
vim
just
sbctl
];
nixpkgs.config.permittedInsecurePackages = [
nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [
"jitsi-meet-1.0.8043"
"electron-29.4.6"
"SDL_ttf-2.0.11"

7
modules/nixos/client/polkit.nix
View file

@ -1,19 +1,20 @@
{ lib, config, ... }:
{ lib, config, minimal, ... }:
{
options.swarselsystems.modules.security = lib.mkEnableOption "security config";
config = lib.mkIf config.swarselsystems.modules.security {
security = {
pam.services = {
pam.services = lib.mkIf (!minimal) {
login.u2fAuth = true;
sudo.u2fAuth = true;
swaylock.u2fAuth = true;
swaylock.fprintAuth = false;
};
polkit.enable = true;
polkit.enable = lib.mkIf (!minimal) true;
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
'' + lib.optionalString (!minimal) ''
Defaults env_keep+=XDG_RUNTIME_DIR
Defaults env_keep+=WAYLAND_DISPLAY
'';

6
modules/nixos/common/home-manager.nix
View file

@ -1,6 +1,6 @@
{ self, inputs, config, lib, outputs, globals, nodes, ... }:
{ self, inputs, config, lib, outputs, globals, nodes, minimal, ... }:
let
mainUser = globals.user.name;
inherit (config.swarselsystems) mainUser;
in
{
options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
@ -20,7 +20,7 @@ in
home.stateVersion = lib.mkDefault config.system.stateVersion;
}
];
extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes minimal; };
};
};
}

6
modules/nixos/common/lanzaboote.nix
View file

@ -1,13 +1,13 @@
{ lib, config, ... }:
{ lib, config, minimal, ... }:
{
options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
config = lib.mkIf config.swarselsystems.modules.lanzaboote {
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || minimal || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
};
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && !minimal && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 6;

122
modules/nixos/common/settings.nix
View file

@ -1,68 +1,74 @@
{ lib, pkgs, config, outputs, inputs, ... }:
{ lib, pkgs, config, outputs, inputs, minimal, ... }:
{
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselsystems.modules.general {
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
};
config = lib.mkIf config.swarselsystems.modules.general
({
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
{ }
'';
system.stateVersion = lib.mkDefault "23.05";
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 10d";
};
optimise = {
automatic = true;
dates = "weekly";
};
channel.enable = false;
registry = rec {
nixpkgs.flake = inputs.nixpkgs;
p = nixpkgs;
};
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
services.dbus.implementation = "broker";
}
// lib.optionalAttrs (!minimal) {
systemd.services.nix-daemon = {
environment.TMPDIR = "/var/tmp";
};
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
{ }
'';
system.stateVersion = lib.mkDefault "23.05";
};
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 10d";
};
optimise = {
automatic = true;
dates = "weekly";
};
channel.enable = false;
registry = rec {
nixpkgs.flake = inputs.nixpkgs;
p = nixpkgs;
};
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
services.dbus.implementation = "broker";
systemd.services.nix-daemon = {
environment.TMPDIR = "/var/tmp";
};
});
}

8
modules/nixos/common/users.nix
View file

@ -1,4 +1,4 @@
{ self, pkgs, config, lib, ... }:
{ self, pkgs, config, lib, minimal, ... }:
let
sopsFile = self + /secrets/general/secrets.yaml;
in
@ -12,9 +12,9 @@ in
users."${config.swarselsystems.mainUser}" = {
isNormalUser = true;
description = "Leon S";
password = lib.mkIf config.swarselsystems.initialSetup "setup";
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
password = lib.mkIf (config.swarselsystems.initialSetup || minimal) "setup";
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup && !minimal) config.sops.secrets.swarseluser.path;
extraGroups = lib.mkIf (!minimal) [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
};
};