wip: migrate client modules

Leon Schwarzäugl 2026-04-02 19:25:58 +02:00
parent f6d2ff1544
commit 7ce27d5d2f
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
245 changed files with 20254 additions and 188 deletions


@ -0,0 +1,11 @@
{ lib, config, ... }:
{
options.swarselmodules.appimage = lib.mkEnableOption "appimage config";
config = lib.mkIf config.swarselmodules.appimage {
programs.appimage = {
enable = true;
binfmt = true;
};
};
}


@ -0,0 +1,13 @@
{ lib, config, ... }:
let
inherit (config.swarselsystems) mainUser;
in
{
options.swarselmodules.autologin = lib.mkEnableOption "optional autologin settings";
config = lib.mkIf config.swarselmodules.autologin {
services = {
getty.autologinUser = mainUser;
greetd.settings.initial_session.user = mainUser;
};
};
}
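Review bot: `getty.autologinUser = mainUser` logs the main user in on every virtual console without a password and `greetd.settings.initial_session.user` does the same for the graphical session, so anyone with physical access gets a shell or session unless the disk is encrypted and the screen locker is enforced — yet the option description ("optional autologin settings") does not say so. Suggest `lib.mkEnableOption "passwordless autologin on all ttys and in greetd (only for hosts with full-disk encryption)"` and, if a per-host disk-encryption flag exists in `swarselsystems`, an assertion tying this option to it. Note also that only the `user` half of greetd's `[initial_session]` is set here; the `command` half lives in the login module, so this block is incomplete on its own.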


@ -0,0 +1,8 @@
{ lib, config, ... }:
{
options.swarselmodules.blueman = lib.mkEnableOption "blueman config";
config = lib.mkIf config.swarselmodules.blueman {
services.blueman.enable = true;
services.hardware.bolt.enable = true;
};
}


@ -0,0 +1,7 @@
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules-clone/nixos/client";
in
{
imports = lib.swarselsystems.mkImports importNames "modules-clone/nixos/client";
}


@ -0,0 +1,16 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.distrobox = lib.mkEnableOption "distrobox config";
config = lib.mkIf config.swarselmodules.distrobox {
environment.systemPackages = with pkgs; [
distrobox
boxbuddy
];
virtualisation.podman = {
enable = true;
dockerCompat = true;
package = pkgs.podman;
};
};
}


@ -0,0 +1,21 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.env = lib.mkEnableOption "environment config";
config = lib.mkIf config.swarselmodules.env {
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
SWARSEL_LO_RES = config.swarselsystems.lowResolution;
SWARSEL_HI_RES = config.swarselsystems.highResolution;
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
} // (lib.optionalAttrs (!config.swarselsystems.isPublic) { });
};
};
}
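Review bot: The trailing `// (lib.optionalAttrs (!config.swarselsystems.isPublic) { })` on the `sessionVariables` set merges an empty attribute set and therefore does nothing; either drop it or, if it is a placeholder for private-only variables, say so in place, e.g. `# placeholder: private-host-only session variables go here`. Leaving an unexplained `isPublic` branch around invites someone to assume secrets are already being filtered here when nothing is.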


@ -0,0 +1,15 @@
{ lib, config, ... }:
let
moduleName = "firezone-client";
inherit (config.swarselsystems) mainUser;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
services.firezone.gui-client = {
enable = true;
inherit (config.node) name;
allowedUsers = [ mainUser ];
};
};
}


@ -0,0 +1,11 @@
{ lib, config, ... }:
{
options.swarselmodules.gnome-keyring = lib.mkEnableOption "gnome-keyring config";
config = lib.mkIf config.swarselmodules.gnome-keyring {
services.gnome.gnome-keyring = {
enable = true;
};
programs.seahorse.enable = true;
};
}


@ -0,0 +1,7 @@
{ lib, config, ... }:
{
options.swarselmodules.gvfs = lib.mkEnableOption "gvfs config for nautilus";
config = lib.mkIf config.swarselmodules.gvfs {
services.gvfs.enable = true;
};
}


@ -0,0 +1,48 @@
{ pkgs, config, lib, ... }:
{
options.swarselmodules.hardware = lib.mkEnableOption "hardware config";
options.swarselsystems = {
hasBluetooth = lib.mkEnableOption "bluetooth availability";
hasFingerprint = lib.mkEnableOption "fingerprint sensor availability";
trackpoint = {
isAvailable = lib.mkEnableOption "trackpoint availability";
trackpoint.device = lib.mkOption {
type = lib.types.str;
default = "";
};
};
};
config = lib.mkIf config.swarselmodules.hardware {
hardware = {
# opengl.driSupport32Bit = true is replaced with graphics.enable32Bit and hence redundant
graphics = {
enable = true;
enable32Bit = true;
};
trackpoint = lib.mkIf config.swarselsystems.trackpoint.isAvailable {
enable = true;
inherit (config.swarselsystems.trackpoint) device;
};
keyboard.qmk.enable = true;
enableAllFirmware = lib.mkDefault true;
bluetooth = lib.mkIf config.swarselsystems.hasBluetooth {
enable = true;
package = pkgs.bluez;
powerOnBoot = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
};
services.fprintd.enable = lib.mkIf config.swarselsystems.hasFingerprint true;
};
}
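Review bot: The trackpoint device option is declared one level too deep — inside `trackpoint = { ... }` the declaration reads `trackpoint.device = lib.mkOption`, giving `swarselsystems.trackpoint.trackpoint.device` — while the consumer does `inherit (config.swarselsystems.trackpoint) device`, so enabling `trackpoint.isAvailable` should fail evaluation with a missing `device` attribute; change the declaration to `device = lib.mkOption {`. Separately, `enableAllFirmware = lib.mkDefault true` installs every firmware package including non-redistributable blobs; `hardware.enableRedistributableFirmware` is usually sufficient and avoids pulling in unfree firmware implicitly.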


@ -0,0 +1,11 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.keyboards = lib.mkEnableOption "keyboards config";
config = lib.mkIf config.swarselmodules.keyboards {
services.udev.packages = with pkgs; [
qmk-udev-rules
vial
via
];
};
}


@ -0,0 +1,12 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.ledger = lib.mkEnableOption "ledger config";
config = lib.mkIf config.swarselmodules.ledger {
hardware.ledger.enable = true;
services.udev.packages = with pkgs; [
ledger-udev-rules
];
};
}


@ -0,0 +1,45 @@
{ lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common.yubikeys) cfg1 cfg2;
in
{
options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config";
config = lib.mkIf config.swarselmodules.yubikey {
programs.ssh = {
startAgent = false; # yes we want this to use FIDO2 keys
# enableAskPassword = true;
# askPassword = lib.getExe pkgs.kdePackages.ksshaskpass;
};
services = {
gnome.gcr-ssh-agent.enable = false;
yubikey-agent.enable = false;
pcscd.enable = true;
udev.packages = with pkgs; [
yubikey-personalization
];
};
hardware.gpgSmartcards.enable = true;
security.pam.u2f = {
enable = true;
control = "sufficient";
settings = {
interactive = false; # displays a prompt BEFORE asking for presence
cue = true; # prints a message that a touch is requrired
origin = "pam://${mainUser}"; # make the keys work on all machines
authfile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
mainUser
cfg1
cfg2
]);
};
};
environment.systemPackages = with pkgs; [
kdePackages.ksshaskpass
];
};
}
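Review bot: `security.pam.u2f.control = "sufficient"` with no `pinverification` setting means that, unless the credentials in `cfg1`/`cfg2` were registered with PIN required, a single touch of the key satisfies PAM for `login` and `sudo` (which the security module on this page turns on) with no password and no PIN — possession of the key alone yields root. Set `settings.pinverification = 1;`, or use `control = "required"` so the key is a second factor rather than a replacement. The `authfile` is assembled with `lib.concatStrings [ mainUser cfg1 cfg2 ]`, which inserts no separators, so it only produces a valid `user:keyhandle,pubkey,...:keyhandle,...` line if each cfg value already begins with `:`; `lib.concatStringsSep ":"` or a comment stating that expectation would make it less fragile.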


@ -0,0 +1,32 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.interceptionTools = lib.mkEnableOption "interception tools config";
config = lib.mkIf config.swarselmodules.interceptionTools {
# Make CAPS work as a dual function ESC/CTRL key
services.interception-tools = {
enable = true;
udevmonConfig =
let
dualFunctionKeysConfig = builtins.toFile "dual-function-keys.yaml" ''
TIMING:
TAP_MILLISEC: 200
DOUBLE_TAP_MILLISEC: 0
MAPPINGS:
- KEY: KEY_CAPSLOCK
TAP: KEY_ESC
HOLD: KEY_LEFTCTRL
'';
in
''
- JOB: |
${pkgs.interception-tools}/bin/intercept -g $DEVNODE \
| ${pkgs.interception-tools-plugins.dual-function-keys}/bin/dual-function-keys -c ${dualFunctionKeysConfig} \
| ${pkgs.interception-tools}/bin/uinput -d $DEVNODE
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK]
'';
};
};
}


@ -0,0 +1,23 @@
{ lib, config, ... }:
let
moduleName = "keyd";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} tools config";
config = lib.mkIf config.swarselmodules.${moduleName} {
services.keyd = {
enable = true;
keyboards = {
default = {
ids = [ "*" ];
settings = {
main = {
leftmeta = "overload(meta, macro(rightmeta+z))";
rightmeta = "overload(meta, macro(rightmeta+z))";
};
};
};
};
};
};
}


@ -0,0 +1,37 @@
{ lib, config, ... }:
{
options.swarselmodules.lid = lib.mkEnableOption "lid config";
config = lib.mkIf config.swarselmodules.lid {
services.logind.settings.Login = {
HandleLidSwitch = "suspend";
HandleLidSwitchDocked = "ignore";
};
services.acpid = {
enable = true;
handlers.lidClosed = {
event = "button/lid \\w+ close";
action = ''
cat /sys/class/backlight/amdgpu_bl1/device/enabled
if grep -Fxq disabled /sys/class/backlight/amdgpu_bl1/device/enabled
then
echo "Lid closed. Disabling fprintd."
systemctl stop fprintd
ln -s /dev/null /run/systemd/transient/fprintd.service
systemctl daemon-reload
fi
'';
};
handlers.lidOpen = {
event = "button/lid \\w+ open";
action = ''
if ! $(systemctl is-active --quiet fprintd); then
echo "Lid open. Enabling fprintd."
rm -f /run/systemd/transient/fprintd.service
systemctl daemon-reload
systemctl start fprintd
fi
'';
};
};
};
}
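Review bot: The `ln -s /dev/null /run/systemd/transient/fprintd.service` line in `lidClosed` deserves a comment, because it relies on `/run/systemd/transient` outranking `/etc/systemd/system` (where NixOS links its units), which is why a plain `systemctl mask --runtime` would not have taken effect — e.g. `# mask via the transient dir: it outranks /etc/systemd/system, unlike systemctl mask --runtime`. In `lidOpen`, `if ! $(systemctl is-active --quiet fprintd)` only works through the POSIX rule that a command line with no command name takes the exit status of its last command substitution; `if ! systemctl is-active --quiet fprintd; then` expresses the same check without the trap. The `lidClosed` test hard-codes `/sys/class/backlight/amdgpu_bl1` and the preceding bare `cat` of that file only adds log noise; the backlight name could become a `swarselsystems` option the way the trackpoint device is.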


@ -0,0 +1,25 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.login = lib.mkEnableOption "login config";
config = lib.mkIf config.swarselmodules.login {
services.greetd = {
enable = true;
settings = {
# initial_session.command = "sway";
initial_session.command = "uwsm start -- niri-uwsm.desktop";
# --cmd sway
default_session.command = ''
${pkgs.tuigreet}/bin/tuigreet \
--time \
--asterisks \
--user-menu \
--cmd "uwsm start -- niri-uwsm.desktop"
'';
};
};
# environment.etc."greetd/environments".text = ''
# sway
# '';
};
}
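Review bot: `initial_session.command` is set here unconditionally while `initial_session.user` only comes from the autologin module, so with `swarselmodules.autologin` off greetd receives an `[initial_session]` table with a command but no user, which I would expect greetd to reject at startup since both fields are required in its config. Because `initial_session` is precisely the authentication-bypass path, it is cleaner to own the whole table in one place: `initial_session = lib.mkIf config.swarselmodules.autologin { user = config.swarselsystems.mainUser; command = "uwsm start -- niri-uwsm.desktop"; };` and leave only `default_session` here. The commented `# sway` / `--cmd sway` remnants should go now that niri is the session.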


@ -0,0 +1,33 @@
{ pkgs, lib, config, ... }:
{
options.swarselmodules.lowBattery = lib.mkEnableOption "low battery notification config";
config = lib.mkIf config.swarselmodules.lowBattery {
systemd.user.services."battery-low" =
let
target = "sway-session.target";
in
{
enable = true;
description = "Timer for battery check that alerts at 10% or less";
partOf = [ target ];
wantedBy = [ target ];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "battery-low-notification"
''
if (( 10 >= $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") && $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") > 0 ));
then ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%")";
fi;
'';
};
};
systemd.user.timers."battery-low" = {
wantedBy = [ "timers.target" ];
timerConfig = {
# Every Minute
OnCalendar = "*-*-* *:*:00";
Unit = "battery-low.service";
};
};
};
}
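Review bot: The service is `partOf`/`wantedBy` `sway-session.target`, but the login module on this page starts niri through uwsm, so under that session the target never appears and the low-battery alert never runs; `graphical-session.target`, which uwsm-managed sessions bring up, is the portable anchor. The `ExecStart` script also invokes `acpi`/`rg` four times and, when `acpi -b` prints nothing (no battery), the empty substitution makes the `(( ... ))` expression a syntax error; reading the percentage once and guarding on it keeps the same threshold and the same notification text. The unit `description` says "Timer for ..." but this is the service.
```nix
ExecStart = pkgs.writeShellScript "battery-low-notification" ''
  # read the charge level once; empty when acpi reports no battery
  pct=$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+")
  if [ -n "$pct" ] && [ "$pct" -gt 0 ] && [ "$pct" -le 10 ]; then
    ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$pct%"
  fi
'';
```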


@ -0,0 +1,10 @@
{ lib, config, ... }:
{
options.swarselmodules.nautilus = lib.mkEnableOption "nautilus config";
config = lib.mkIf config.swarselmodules.nautilus {
programs.nautilus-open-any-terminal = {
enable = true;
terminal = "kitty";
};
};
}


@ -0,0 +1,307 @@
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/repo/certs.yaml;
clientSopsFile = config.node.secretsDir + "/secrets.yaml";
inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
in
{
options.swarselsystems = {
firewall = lib.swarselsystems.mkTrueOption;
};
options.swarselmodules.network = lib.mkEnableOption "network config";
config = lib.mkIf config.swarselmodules.network {
sops = {
secrets = lib.mkIf (!config.swarselsystems.isPublic) {
wlan1-pw = { };
wlan2-pw = { };
laptop-hotspot-pw = { };
mobile-hotspot-pw = { };
eduroam-user = { };
eduroam-pw = { };
pia-vpn-user = { };
pia-vpn-pw = { };
home-wireguard-client-private-key = { sopsFile = clientSopsFile; };
home-wireguard-server-public-key = { };
home-wireguard-endpoint = { };
pia-vpn1-crl-pem = { sopsFile = certsSopsFile; };
pia-vpn1-ca-pem = { sopsFile = certsSopsFile; };
};
templates = lib.mkIf (!config.swarselsystems.isPublic) {
"network-manager.env".content = ''
WLAN1_PW=${config.sops.placeholder.wlan1-pw}
WLAN2_PW=${config.sops.placeholder.wlan2-pw}
LAPTOP_HOTSPOT_PW=${config.sops.placeholder.laptop-hotspot-pw}
MOBILE_HOTSPOT_PW=${config.sops.placeholder.mobile-hotspot-pw}
EDUROAM_USER=${config.sops.placeholder.eduroam-user}
EDUROAM_PW=${config.sops.placeholder.eduroam-pw}
PIA_VPN_USER=${config.sops.placeholder.pia-vpn-user}
PIA_VPN_PW=${config.sops.placeholder.pia-vpn-pw}
HOME_WIREGUARD_CLIENT_PRIVATE_KEY=${config.sops.placeholder.home-wireguard-client-private-key}
HOME_WIREGUARD_SERVER_PUBLIC_KEY=${config.sops.placeholder.home-wireguard-server-public-key}
HOME_WIREGUARD_ENDPOINT=${config.sops.placeholder.home-wireguard-endpoint}
'';
};
};
services.resolved.enable = true;
networking = {
hostName = config.node.name;
hosts = {
"${globals.networks.home-lan.hosts.winters.ipv4}" = [ globals.services.transmission.domain ];
};
wireless.iwd = {
enable = true;
settings = {
IPv6 = {
Enabled = true;
};
Settings = {
AutoConnect = true;
};
# DriverQuirks = {
# UseDefaultInterface = true;
# };
};
};
nftables.enable = lib.mkDefault true;
enableIPv6 = lib.mkDefault true;
firewall = {
enable = lib.swarselsystems.mkStrong config.swarselsystems.firewall;
checkReversePath = lib.mkDefault false;
allowedUDPPorts = [ 51820 ]; # 51820: wireguard
allowedTCPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
allowedUDPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
};
networkmanager = {
enable = true;
wifi.backend = "iwd";
dns = "systemd-resolved";
plugins = [
# list of plugins: https://search.nixos.org/packages?query=networkmanager-
# docs https://networkmanager.dev/docs/vpn/
pkgs.networkmanager-openconnect
pkgs.networkmanager-openvpn
];
ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
environmentFiles = [
"${config.sops.templates."network-manager.env".path}"
];
profiles =
let
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
in
{
${wlan1} = {
connection = {
id = wlan1;
# permissions = "";
type = "wifi";
autoconnect-priority = "999";
};
ipv4 = {
# dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
# dns-search = "";
method = "auto";
};
wifi = {
# mac-address-blacklist = "";
mode = "infrastructure";
# band = "a";
ssid = wlan1;
};
wifi-security = {
# auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$WLAN1_PW";
};
};
LAN-Party = {
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
eduroam = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUROAM_USER";
password = "$EDUROAM_PW";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd eduroam-anon;
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
${mobile1} = {
connection = {
id = mobile1;
type = "wifi";
autoconnect-priority = "500";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = mobile1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$MOBILE_HOTSPOT_PW";
};
};
home-wireguard = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
endpoint = "$HOME_WIREGUARD_ENDPOINT";
allowed-ips = home-wireguard-allowed-ips;
};
ipv4 = {
method = "ignore";
address1 = home-wireguard-address;
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "ignore";
};
proxy = { };
};
pia-vpn1 = {
connection = {
autoconnect = "false";
id = "PIA ${vpn1-location}";
type = "vpn";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."pia-vpn1-ca-pem".path;
challenge-response-flags = "2";
cipher = vpn1-cipher;
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
dev = "tun";
password-flags = "0";
remote = vpn1-address;
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$PIA_VPN_USER";
};
vpn-secrets = { password = "$PIA_VPN_PW"; };
};
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-${config.swarselsystems.mainUser}";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$MOBILE_HOTSPOT_PW";
};
};
};
};
};
};
systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.service" ];
};
}
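Review bot: The eduroam profile's `802-1x` block sets `identity`/`password` and `phase2-auth = "mschapv2"` but no `ca-cert` or `domain-suffix-match`, so the supplicant accepts any RADIUS server certificate and an evil-twin "eduroam" AP can harvest the MSCHAPv2 response for the stored credentials; add the institution's CA via `ca-cert = <path>` and pin the server with `domain-suffix-match = <radius host>`. The WireGuard peer section is named `"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY"` while the template renders `HOME_WIREGUARD_SERVER_PUBLIC_KEY`, so the peer key will never be substituted and the HomeVPN profile cannot carry a valid peer — fix the spelling. In the PIA profile `compress = "yes"` and `reneg-seconds = "0"` enable OpenVPN compression (a compression-oracle exposure) and disable key renegotiation; drop both unless the endpoint requires them. `checkReversePath = lib.mkDefault false` turns rpfilter off for every interface; if it is only needed for WireGuard or the hotspot, `checkReversePath = "loose"` keeps some protection. The AP-mode `Hotspot` profile reuses `$MOBILE_HOTSPOT_PW` while `LAPTOP_HOTSPOT_PW` (and `WLAN2_PW`) are rendered into the env file but never used — presumably the laptop hotspot should use its own secret.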


@ -0,0 +1,33 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.networkDevices = lib.mkEnableOption "network device config";
config = lib.mkIf config.swarselmodules.networkDevices {
# enable scanners over network
hardware.sane = {
enable = true;
extraBackends = [ pkgs.sane-airscan ];
};
# enable discovery and usage of network devices (esp. printers)
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
];
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
}
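Review bot: `browsedConf` with `BrowseRemoteProtocols all` and `CreateIPPPrinterQueues All` makes cups-browsed accept printer announcements from any host on whatever network the laptop joins and auto-create queues for them, and `services.avahi.openFirewall = true` opens mDNS on every interface including the AP-mode hotspot; on untrusted networks that is a remote attack surface on a daemon that, as far as I know, runs as root. Restrict it to `BrowseRemoteProtocols dnssd` (dropping the legacy CUPS broadcast protocol), add `BrowseAllow` entries for the home LAN, or gate this module on a trusted-network profile. `BrowseProtocols all` duplicates the two protocol lines above it and can go.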


@ -0,0 +1,113 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.nix-ld = lib.mkEnableOption "nix-ld config";
config = lib.mkIf config.swarselmodules.nix-ld {
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curl
dbus
dbus-glib
expat
ffmpeg
flac
fontconfig
freeglut
freetype
fuse3
gdk-pixbuf
glew_1_10
glib
gnome2.GConf
pango
gtk2
gtk3
icu
libGL
libappindicator-gtk2
libappindicator-gtk3
libcaca
libcanberra
libcap
libdbusmenu-gtk2
libdrm
libelf
libgbm
libgcrypt
libglvnd
libidn
libindicator-gtk2
libjpeg
libmikmod
libnotify
libogg
libpng
libpng12
libpulseaudio
librsvg
libsamplerate
libtheora
libtiff
libudev0-shim
libunwind
libusb1
libuuid
libva
libvdpau
libvorbis
libvpx
libxkbcommon
libxml2
libz
mesa
nspr
nss
openssl
pango
pipewire
pixman
speex
steam-fhsenv-without-steam
systemd
tbb
vulkan-loader
libice
libsm
libx11
libxscrnsaver
libxcomposite
libxcursor
libxdamage
libxext
libxfixes
libxft
libxi
libxinerama
libxmu
libxrandr
libxrender
libxt
libxtst
libxxf86vm
libxcb
libxshmfence
zlib
];
};
};
}


@ -0,0 +1,18 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.nvd = lib.mkEnableOption "nvd config";
config = lib.mkIf config.swarselmodules.nvd {
environment.systemPackages = [
pkgs.nvd
];
# system.activationScripts.diff = {
# supportsDryActivation = true;
# text = ''
# ${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff \
# /run/current-system "$systemConfig"
# '';
# };
};
}


@ -0,0 +1,101 @@
{ lib, config, pkgs, minimal, ... }:
{
options.swarselmodules.packages = lib.mkEnableOption "install packages";
config = lib.mkIf config.swarselmodules.packages {
environment.systemPackages = with pkgs; lib.optionals (!minimal) [
# yubikey packages
gnupg
yubikey-personalization
yubico-pam
yubioath-flutter
yubikey-manager
yubikey-touch-detector
yubico-piv-tool
cfssl
pcsc-tools
pcscliteWithPolkit.out
# ledger packages
ledger-live-desktop
# pinentry
dbus
# swaylock-effects
syncthingtray-minimal
swayosd
# secure boot
sbctl
libsForQt5.qt5.qtwayland
# do not do this! clashes with the flake
# nix-index
nixos-generators
# commit hooks
pre-commit
# proc info
acpi
# pci info
pciutils
usbutils
# better make for general tasks
just
# sops
ssh-to-age
sops
# keyboards
qmk
vial
via
# theme related
adwaita-icon-theme
# kde-connect
xdg-desktop-portal
xdg-desktop-portal-gtk
xdg-desktop-portal-wlr
# bluetooth
bluez
ghostscript_headless
wireguard-tools
nixd
zig
zls
elk-to-svg
] ++ lib.optionals minimal [
networkmanager
curl
git
gnupg
rsync
ssh-to-age
sops
vim
just
sbctl
];
nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [
"jitsi-meet-1.0.8043"
"electron-29.4.6"
"SDL_ttf-2.0.11"
# audacity?
"mbedtls-2.28.10"
# "qtwebengine-5.15.19"
];
};
}
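Review bot: `nixpkgs.config.permittedInsecurePackages` waives four packages that nixpkgs has marked insecure, and the `# audacity?` comment shows the consumer of `mbedtls-2.28.10` is not actually known; each entry should name the package that pulls it in and when the waiver can go, e.g. `"electron-29.4.6" # needed by <app>; EOL upstream, drop once <app> updates`. An entry with no identifiable consumer should be removed so that the waiver does not silently outlive its reason and re-enable a vulnerable dependency for something unrelated later.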


@ -0,0 +1,20 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.pipewire = lib.mkEnableOption "pipewire config";
config = lib.mkIf config.swarselmodules.pipewire {
security.rtkit.enable = true; # this is required for pipewire real-time access
services.pipewire = {
enable = true;
package = pkgs.pipewire;
pulse.enable = true;
jack.enable = true;
audio.enable = true;
wireplumber.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
};
}


@ -0,0 +1,29 @@
{ lib, config, minimal, ... }:
{
options.swarselmodules.security = lib.mkEnableOption "security config";
config = lib.mkIf config.swarselmodules.security {
security = {
# pki.certificateFiles = [
# config.sops.secrets.harica-root-ca.path
# ];
pam.services = lib.mkIf (!minimal) {
login.u2fAuth = true;
sudo.u2fAuth = true;
sshd.u2fAuth = false;
swaylock = {
u2fAuth = true;
fprintAuth = false;
};
};
polkit.enable = lib.mkIf (!minimal) true;
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
'' + lib.optionalString (!minimal) ''
Defaults env_keep+=XDG_RUNTIME_DIR
Defaults env_keep+=WAYLAND_DISPLAY
'';
};
};
}
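Review bot: `Defaults env_keep+=SSH_AUTH_SOCK` plus, on non-minimal hosts, `XDG_RUNTIME_DIR` and `WAYLAND_DISPLAY` hands every `sudo` command the user's SSH agent socket and compositor connection; that is a legitimate trade (GUI admin tools and agent-backed ssh work from a root shell) but it is also what lets any root process use the user's loaded identities, so it should be documented in place, e.g. `# keep the agent and compositor sockets reachable from sudo for GUI tools and ssh-based remote builds; root thereby inherits the user's agent identities`. The commented-out `pki.certificateFiles` block should either be removed or carry a note on why that root CA is not currently installed.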


@ -0,0 +1,7 @@
{ lib, config, ... }:
{
options.swarselmodules.ppd = lib.mkEnableOption "power profiles daemon config";
config = lib.mkIf config.swarselmodules.ppd {
services.power-profiles-daemon.enable = true;
};
}


@ -0,0 +1,11 @@
{ lib, config, ... }:
{
options.swarselmodules.programs = lib.mkEnableOption "small program modules config";
config = lib.mkIf config.swarselmodules.programs {
programs = {
dconf.enable = true;
evince.enable = true;
kdeconnect.enable = true;
};
};
}


@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }: {
options.swarselmodules.pulseaudio = lib.mkEnableOption "pulseaudio config";
config = lib.mkIf config.swarselmodules.pulseaudio {
services.pulseaudio = {
enable = lib.mkIf (!config.services.pipewire.enable) true;
package = pkgs.pulseaudioFull;
};
};
}


@ -0,0 +1,86 @@
{ lib, config, globals, ... }:
let
inherit (config.swarselsystems) homeDir mainUser isClient;
in
{
options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine";
config = lib.mkIf config.swarselmodules.remotebuild {
sops.secrets = {
builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; };
nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; };
};
nix = {
settings.builders-use-substitutes = true;
distributedBuilds = true;
buildMachines = [
(lib.mkIf isClient {
hostName = config.repo.secrets.common.builder1-ip;
system = "aarch64-linux";
maxJobs = 20;
speedFactor = 10;
})
(lib.mkIf isClient {
hostName = globals.hosts.belchsfactory.wanAddress4;
system = "aarch64-linux";
maxJobs = 4;
speedFactor = 2;
protocol = "ssh-ng";
})
{
hostName = "eu.nixbuild.net";
system = "x86_64-linux";
maxJobs = 100;
speedFactor = 2;
supportedFeatures = [ "big-parallel" ];
}
];
};
programs.ssh = {
knownHosts = {
nixbuild = {
hostNames = [ "eu.nixbuild.net" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
};
builder1 = lib.mkIf isClient {
hostNames = [ config.repo.secrets.common.builder1-ip ];
publicKey = config.repo.secrets.common.builder1-pubHostKey;
};
jump = lib.mkIf isClient {
hostNames = [ globals.hosts.liliputsteps.wanAddress4 ];
publicKey = config.repo.secrets.common.jump-pubHostKey;
};
builder2 = lib.mkIf isClient {
hostNames = [ globals.hosts.belchsfactory.wanAddress4 ];
publicKey = config.repo.secrets.common.builder2-pubHostKey;
};
};
extraConfig = ''
Host eu.nixbuild.net
ConnectTimeout 1
PubkeyAcceptedKeyTypes ssh-ed25519
ServerAliveInterval 60
IPQoS throughput
IdentityFile ${config.sops.secrets.nixbuild-net-key.path}
'' + lib.optionalString isClient ''
Host ${config.repo.secrets.common.builder1-ip}
ConnectTimeout 1
User ${mainUser}
IdentityFile ${config.sops.secrets.builder-key.path}
Host ${globals.hosts.belchsfactory.wanAddress4}
ConnectTimeout 5
ProxyJump ${globals.hosts.liliputsteps.wanAddress4}
User builder
IdentityFile ${config.sops.secrets.builder-key.path}
Host ${globals.hosts.liliputsteps.wanAddress4}
ConnectTimeout 1
User jump
IdentityFile ${config.sops.secrets.builder-key.path}
'';
};
};
}
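Review bot: The same `builder-key` secret is the `IdentityFile` for the builder, the jump host and builder2 (the three trailing `Host` stanzas), so one leaked key file grants access to all three and the jump host identity cannot be rotated independently; a separate sops secret per host (or at least jump vs builder) is the usual split. `ConnectTimeout 1` on the nixbuild.net and builder1 stanzas is aggressive for a laptop on Wi-Fi or over the VPN and will, I would expect, make nix fall back to local builds on slow links; the `5` used for builder2 is a safer default. The hostNames-by-IP `knownHosts` entries are good — worth a one-line comment that they intentionally pin the builders so `ProxyJump` cannot be silently redirected.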


@ -0,0 +1,16 @@
{ self, config, lib, ... }:
{
options.swarselmodules.sops = lib.mkEnableOption "sops config";
config = lib.mkIf config.swarselmodules.sops {
sops = {
# age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
# defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
defaultSopsFile = self + "/secrets/repo/common.yaml";
validateSopsFiles = false;
};
};
}
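Review bot: `validateSopsFiles = false` turns off the build-time check that each referenced sops file exists and contains the secrets declared under `sops.secrets`, so a misspelled secret name or a missing `certs.yaml` only surfaces at activation on the target host. If it is disabled because `self + "/secrets/repo/common.yaml"` is not present on every evaluation (public or minimal builds), a comment saying so would help, e.g. `# validation off: the secrets files are not available on public/minimal evaluations`; otherwise consider re-enabling it.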


@ -0,0 +1,22 @@
{ self, lib, config, vars, withHomeManager, ... }:
{
options.swarselmodules.stylix = lib.mkEnableOption "stylix config";
config = {
stylix = {
enable = true;
base16Scheme = "${self}/files/stylix/swarsel.yaml";
} // lib.optionalAttrs config.swarselmodules.stylix
(lib.recursiveUpdate
{
targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper;
}
vars.stylix);
} // lib.optionalAttrs withHomeManager {
home-manager.users."${config.swarselsystems.mainUser}" = {
stylix = {
targets = vars.stylixHomeTargets;
};
};
};
}
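Review bot: `stylix.enable = true` and `base16Scheme` are set unconditionally — only the `targets.grub`/`image` part sits under `lib.optionalAttrs config.swarselmodules.stylix` — so this module enables stylix even when its toggle is off, unlike every other module on this page, which wraps its whole `config` in `lib.mkIf`. If that is deliberate (stylix wanted everywhere, the toggle only controlling wallpaper and extra targets), say so in the option text, e.g. `lib.mkEnableOption "wallpaper and extra stylix targets (stylix itself is always on)"`; otherwise move `enable`/`base16Scheme` under the toggle. The `home-manager.users` part is likewise gated only on `withHomeManager`, not on the module option.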


@ -0,0 +1,20 @@
{ lib, config, pkgs, withHomeManager, ... }:
let
inherit (config.swarselsystems) mainUser;
in
{
options.swarselmodules.sway = lib.mkEnableOption "sway config";
config = lib.mkIf config.swarselmodules.sway
{
programs.sway = {
enable = true;
package = pkgs.swayfx;
wrapperFeatures = {
base = true;
gtk = true;
};
};
} // lib.optionalAttrs withHomeManager {
inherit (config.home-manager.users.${mainUser}.wayland.windowManager.sway) extraSessionCommands;
};
}
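Review bot: The `extraSessionCommands` inherit never takes effect: function application binds tighter than `//`, so `lib.mkIf cond { ... } // lib.optionalAttrs withHomeManager { ... }` merges the second set into the `mkIf` wrapper (the `{ _type = "if"; condition; content; }` record) rather than into the config, and the module system only reads `content` from that record. Even with the precedence fixed the attribute would land at the top level of `config`, where no `extraSessionCommands` option exists, instead of under `programs.sway`. Move the optional part inside `programs.sway` as below.
```nix
config = lib.mkIf config.swarselmodules.sway {
  programs.sway = {
    enable = true;
    package = pkgs.swayfx;
    # … unchanged: wrapperFeatures …
  } // lib.optionalAttrs withHomeManager {
    # reuse the home-manager sway session commands for the system-level wrapper
    inherit (config.home-manager.users.${mainUser}.wayland.windowManager.sway) extraSessionCommands;
  };
};
```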


@ -0,0 +1,22 @@
{ lib, pkgs, config, ... }:
{
options.swarselmodules.swayosd = lib.mkEnableOption "swayosd settings";
config = lib.mkIf config.swarselmodules.swayosd {
environment.systemPackages = [ pkgs.swayosd ];
services.udev.packages = [ pkgs.swayosd ];
systemd.services.swayosd-libinput-backend = {
description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc.";
documentation = [ "https://github.com/ErikReider/SwayOSD" ];
wantedBy = [ "graphical.target" ];
partOf = [ "graphical.target" ];
after = [ "graphical.target" ];
serviceConfig = {
Type = "dbus";
BusName = "org.erikreider.swayosd";
ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend";
Restart = "on-failure";
};
};
};
}
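Review bot: `swayosd-libinput-backend` is declared as a root system service with no confinement at all — no `NoNewPrivileges`, `ProtectSystem`, `ProtectHome` or `DeviceAllow` — although it only needs the input devices, udev and the system bus. A minimal hardening set is below; libinput enumerates and hot-plugs devices through udev, so keep `AF_NETLINK` and do not add `PrivateNetwork`, and confirm hot-plugged keyboards still produce events. If the package ships a D-Bus system policy for `org.erikreider.swayosd`, it also has to be listed in `services.dbus.packages` for the `Type = "dbus"` activation to succeed — only `services.udev.packages` is set here, as far as I can see, so worth confirming.
```nix
serviceConfig = {
  # … unchanged: Type, BusName, ExecStart, Restart …
  # minimal confinement for a root daemon that only needs input devices, udev and the system bus
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  DevicePolicy = "closed";
  DeviceAllow = [ "char-input rw" ];
  RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" ];
};
```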


@ -0,0 +1,51 @@
{ lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) mainUser homeDir;
devices = config.swarselsystems.syncthing.syncDevices;
servicePort = 8384;
in
{
options.swarselmodules.syncthing = lib.mkEnableOption "syncthing config";
config = lib.mkIf config.swarselmodules.syncthing {
services.syncthing = {
enable = true;
systemService = true;
guiAddress = "127.0.0.1:${builtins.toString servicePort}";
package = pkgs.syncthing;
user = mainUser;
dataDir = homeDir;
configDir = "${homeDir}/.config/syncthing";
openDefaultPorts = true;
overrideDevices = true;
overrideFolders = true;
settings = {
options = {
urAccepted = -1;
};
inherit (config.swarselsystems.syncthing) devices;
folders = {
"Default Folder" = lib.mkDefault {
path = "${homeDir}/Sync";
inherit devices;
id = "default";
};
"Obsidian" = {
path = "${homeDir}/Obsidian";
inherit devices;
id = "yjvni-9eaa7";
};
"Org" = {
path = "${homeDir}/Org";
inherit devices;
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "${homeDir}/Vpn";
inherit devices;
id = "hgp9s-fyq3p";
};
};
};
};
};
}
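Review bot: The GUI is bound to `127.0.0.1:8384`, but no `settings.gui.user`/`settings.gui.password` is set, so any local process running as any user can drive the REST API, read the API key and reconfigure the shared folders; set a password (a sops secret fits the pattern used elsewhere on this page) since loopback binding alone is not authentication. `openDefaultPorts = true` opens 22000/tcp+udp and 21027/udp on every interface, including clients of the AP-mode hotspot defined in the network module — acceptable for device discovery, but worth a comment. If the `Vpn` folder holds what its name suggests, its contents are replicated to every device in `syncDevices`; a comment stating what is in it (and that the key material is not) would save the next reviewer the question.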


@ -0,0 +1,11 @@
{ lib, config, ... }:
{
options.swarselmodules.systemdTimeout = lib.mkEnableOption "systemd timeout config";
config = lib.mkIf config.swarselmodules.systemdTimeout {
# systemd
systemd.settings.Manager = {
DefaultTimeoutStartSec = "60s";
DefaultTimeoutStopSec = "15s";
};
};
}


@ -0,0 +1,59 @@
{ lib, config, pkgs, ... }:
let
moduleName = "uwsm";
cfg = config.programs.uwsm;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.uwsm = {
enable = true;
waylandCompositors = {
sway = {
prettyName = "Sway";
comment = "Sway compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/sway";
};
niri = lib.mkIf (config.programs ? niri) {
prettyName = "Niri";
comment = "Niri compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/niri-session";
};
};
};
services.displayManager.sessionPackages =
let
mk_uwsm_desktop_entry =
opts:
(pkgs.writeTextFile {
name = "${opts.name}-uwsm";
text = ''
[Desktop Entry]
Name=${opts.prettyName} (UWSM)
Comment=${opts.comment}
Exec=${lib.getExe cfg.package} start -F -- ${opts.binPath} ${lib.strings.escapeShellArgs opts.extraArgs}
Type=Application
'';
destination = "/share/wayland-sessions/${opts.name}-uwsm.desktop";
derivationArgs = {
passthru.providedSessions = [ "${opts.name}-uwsm" ];
};
});
in
lib.mkForce (lib.mapAttrsToList
(
name: value:
mk_uwsm_desktop_entry {
inherit name;
inherit (value)
prettyName
comment
binPath
extraArgs
;
}
)
cfg.waylandCompositors);
};
}
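Review bot: `lib.mkForce` on `services.displayManager.sessionPackages` discards every session file other modules contribute (the `programs.sway` module on this page registers its own, for instance), leaving only the UWSM-wrapped entries; that is probably the intent, but it should be stated in place, e.g. `# mkForce: expose only the UWSM-wrapped sessions, dropping the plain sway/niri entries other modules add`. `binPath` hard-codes `/run/current-system/sw/bin/sway` and `.../niri-session` rather than pointing at the package (`lib.getExe pkgs.swayfx` for sway, matching the package the sway module installs), so the session silently depends on those binaries being in the system profile.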


@ -0,0 +1,20 @@
{ lib, config, ... }:
{
options.swarselmodules.xdg-portal = lib.mkEnableOption "xdg portal config";
config = lib.mkIf config.swarselmodules.xdg-portal {
xdg.portal = {
enable = true;
# config = {
# common = {
# default = "wlr";
# };
# };
# wlr.enable = true;
# wlr.settings.screencast = {
# output_name = "eDP-1";
# chooser_type = "simple";
# chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
# };
};
};
}


@ -0,0 +1,13 @@
{ lib, config, pkgs, ... }:
{
options.swarselmodules.zsh = lib.mkEnableOption "zsh base config";
config = lib.mkIf config.swarselmodules.zsh {
programs.zsh = {
enable = true;
enableCompletion = false;
};
users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ];
environment.pathsToLink = [ "/share/zsh" ];
};
}