refactor: use true common config and split rest

modules/darwin/nixos/default.nix

@@ -1,14 +0,0 @@
-_:
-{
-
-  nix.settings.experimental-features = "nix-command flakes";
-  nixpkgs = {
-    hostPlatform = "x86_64-darwin";
-    overlays = [ outputs.overlays.default ];
-    config = {
-      allowUnfree = true;
-    };
-  };
-
-  system.stateVersion = 4;
-}

modules/home/default.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+  importNames = lib.swarselsystems.readNix "modules/home";
+in
+{
+  imports = lib.swarselsystems.mkImports importNames "modules/home";
+}

modules/nixos/client/autologin.nix

@@ -3,8 +3,8 @@ let
   inherit (config.swarselsystems) mainUser;
 in
 {
-  options.swarselsystems.modules.optional.autologin = lib.mkEnableOption "optional autologin settings";
-  config = lib.mkIf config.swarselsystems.modules.optional.autologin {
+  options.swarselsystems.modules.autologin = lib.mkEnableOption "optional autologin settings";
+  config = lib.mkIf config.swarselsystems.modules.autologin {
     services = {
       getty.autologinUser = mainUser;
       greetd.settings.initial_session.user = mainUser;

modules/nixos/client/default.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+  importNames = lib.swarselsystems.readNix "modules/nixos/client";
+in
+{
+  imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
+}

modules/nixos/client/network.nix

@@ -1,11 +1,70 @@
-{ lib, config, ... }:
+{ self, lib, config, ... }:
+let
+  certsSopsFile = self + /secrets/certs/secrets.yaml;
+  inherit (config.swarselsystems) mainUser;
+  iwd = config.networking.networkmanager.wifi.backend == "iwd";
+in
 {
   options.swarselsystems = {
     modules.network = lib.mkEnableOption "network config";
     firewall = lib.swarselsystems.mkTrueOption;
   };
   config = lib.mkIf config.swarselsystems.modules.network {
+
+    sops = {
+      secrets = lib.mkIf (!config.swarselsystems.isPublic) {
+        ernest = { };
+        frauns = { };
+        hotspot = { };
+        eduid = { };
+        edupass = { };
+        handyhotspot = { };
+        vpnuser = { };
+        vpnpass = { };
+        wireguardpriv = { };
+        wireguardpub = { };
+        wireguardendpoint = { };
+        stashuser = { };
+        stashpass = { };
+        githubforgeuser = { };
+        githubforgepass = { };
+        gitlabforgeuser = { };
+        gitlabforgepass = { };
+        "sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
+        "sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
+      };
+      templates = lib.mkIf (!config.swarselsystems.isPublic) {
+        "network-manager.env".content = ''
+          ERNEST=${config.sops.placeholder.ernest}
+          FRAUNS=${config.sops.placeholder.frauns}
+          HOTSPOT=${config.sops.placeholder.hotspot}
+          EDUID=${config.sops.placeholder.eduid}
+          EDUPASS=${config.sops.placeholder.edupass}
+          HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
+          VPNUSER=${config.sops.placeholder.vpnuser}
+          VPNPASS=${config.sops.placeholder.vpnpass}
+          WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
+          WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
+          WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
+        '';
+      };
+    };
+
     networking = {
+      wireless.iwd = {
+        enable = true;
+        settings = {
+          IPv6 = {
+            Enabled = true;
+          };
+          Settings = {
+            AutoConnect = true;
+          };
+          DriverQuirks = {
+            UseDefaultInterface = true;
+          };
+        };
+      };
       nftables.enable = lib.mkDefault true;
       enableIPv6 = lib.mkDefault true;
       firewall = {
@@ -76,10 +135,11 @@
 
             eduroam = {
               "802-1x" = {
-                eap = "ttls;";
+                eap = if (!iwd) then "ttls;" else "peap;";
                 identity = "$EDUID";
                 password = "$EDUPASS";
                 phase2-auth = "mschapv2";
+                anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
               };
               connection = {
                 id = "eduroam";

modules/nixos/client/sops.nix

@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+{
+  options.swarselsystems.modules.sops = lib.mkEnableOption "sops config";
+  config = lib.mkIf config.swarselsystems.modules.sops {
+    sops = {
+
+      # age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
+      age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
+      # defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+      defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
+
+      validateSopsFiles = false;
+
+    };
+  };
+}

modules/nixos/common/home-manager-extra.nix

@@ -1,9 +0,0 @@
-{ inputs, config, lib, ... }:
-{
-  options.swarselsystems.modules.home-managerExtra = lib.mkEnableOption "home-manager extras for non-chaostheatre";
-  config = lib.mkIf config.swarselsystems.modules.home-managerExtra {
-    home-manager = lib.mkIf config.swarselsystems.withHomeManager {
-      extraSpecialArgs = { inherit (inputs) nix-secrets nixgl; };
-    };
-  };
-}

modules/nixos/common/home-manager.nix

@@ -14,7 +14,7 @@
           home.stateVersion = lib.mkDefault config.system.stateVersion;
         }
       ];
-      extraSpecialArgs = { inherit (inputs) self; inherit inputs outputs globals nodes; };
+      extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
     };
   };
 }

modules/nixos/common/impermanence.nix

@@ -7,6 +7,7 @@ in
   options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config";
   config = lib.mkIf config.swarselsystems.modules.impermanence {
 
+
     security.sudo.extraConfig = lib.mkIf isImpermanence ''
       # rollback results in sudo lectures after each reboot
       Defaults lecture = never
@@ -15,54 +16,55 @@ in
     # This script does the actual wipe of the system
     # So if it doesn't run, the btrfs system effectively acts like a normal system
     # Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
+    boot.tmp.useTmpfs = lib.mkIf (!isImpermanence) true;
+    boot.initrd.systemd = lib.mkIf isImpermanence {
+      enable = true;
+      services.rollback = {
+        description = "Rollback BTRFS root subvolume to a pristine state";
+        wantedBy = [ "initrd.target" ];
+        # make sure it's done after encryption
+        # i.e. LUKS/TPM process
+        after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
+        requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
+        # mount the root fs before clearing
+        before = [ "sysroot.mount" ];
+        unitConfig.DefaultDependencies = "no";
+        serviceConfig.Type = "oneshot";
+        script = ''
+          mkdir -p /mnt
 
-    boot.initrd.systemd.enable = lib.mkIf isImpermanence true;
+          # We first mount the btrfs root to /mnt
+          # so we can manipulate btrfs subvolumes.
+          mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
+          btrfs subvolume list -o /mnt/root
 
-    boot.initrd.systemd.services.rollback = lib.mkIf isImpermanence {
-      description = "Rollback BTRFS root subvolume to a pristine state";
-      wantedBy = [ "initrd.target" ];
-      # make sure it's done after encryption
-      # i.e. LUKS/TPM process
-      after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
-      requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
-      # mount the root fs before clearing
-      before = [ "sysroot.mount" ];
-      unitConfig.DefaultDependencies = "no";
-      serviceConfig.Type = "oneshot";
-      script = ''
-        mkdir -p /mnt
+          # While we're tempted to just delete /root and create
+          # a new snapshot from /root-blank, /root is already
+          # populated at this point with a number of subvolumes,
+          # which makes `btrfs subvolume delete` fail.
+          # So, we remove them first.
+          #
+          # /root contains subvolumes:
+          # - /root/var/lib/portables
+          # - /root/var/lib/machines
 
-        # We first mount the btrfs root to /mnt
-        # so we can manipulate btrfs subvolumes.
-        mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
-        btrfs subvolume list -o /mnt/root
+          btrfs subvolume list -o /mnt/root |
+          cut -f9 -d' ' |
+          while read subvolume; do
+            echo "deleting /$subvolume subvolume..."
+            btrfs subvolume delete "/mnt/$subvolume"
+          done &&
+          echo "deleting /root subvolume..." &&
+          btrfs subvolume delete /mnt/root
 
-        # While we're tempted to just delete /root and create
-        # a new snapshot from /root-blank, /root is already
-        # populated at this point with a number of subvolumes,
-        # which makes `btrfs subvolume delete` fail.
-        # So, we remove them first.
-        #
-        # /root contains subvolumes:
-        # - /root/var/lib/portables
-        # - /root/var/lib/machines
+          echo "restoring blank /root subvolume..."
+          btrfs subvolume snapshot /mnt/root-blank /mnt/root
 
-        btrfs subvolume list -o /mnt/root |
-        cut -f9 -d' ' |
-        while read subvolume; do
-          echo "deleting /$subvolume subvolume..."
-          btrfs subvolume delete "/mnt/$subvolume"
-        done &&
-        echo "deleting /root subvolume..." &&
-        btrfs subvolume delete /mnt/root
-
-        echo "restoring blank /root subvolume..."
-        btrfs subvolume snapshot /mnt/root-blank /mnt/root
-
-        # Once we're done rolling back to a blank snapshot,
-        # we can unmount /mnt and continue on the boot process.
-        umount /mnt
-      '';
+          # Once we're done rolling back to a blank snapshot,
+          # we can unmount /mnt and continue on the boot process.
+          umount /mnt
+        '';
+      };
     };
 
 

modules/nixos/common/sops.nix

@@ -1,54 +0,0 @@
-{ self, config, lib, ... }:
-let
-  certsSopsFile = self + /secrets/certs/secrets.yaml;
-  inherit (config.swarselsystems) mainUser homeDir;
-in
-{
-  options.swarselsystems.modules.commonSops = lib.mkEnableOption "sops config";
-  config = lib.mkIf config.swarselsystems.modules.commonSops {
-    sops = {
-
-      age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${homeDir}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
-      defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
-
-      validateSopsFiles = false;
-
-      secrets = lib.mkIf (!config.swarselsystems.isPublic) {
-        ernest = { };
-        frauns = { };
-        hotspot = { };
-        eduid = { };
-        edupass = { };
-        handyhotspot = { };
-        vpnuser = { };
-        vpnpass = { };
-        wireguardpriv = { };
-        wireguardpub = { };
-        wireguardendpoint = { };
-        stashuser = { };
-        stashpass = { };
-        githubforgeuser = { };
-        githubforgepass = { };
-        gitlabforgeuser = { };
-        gitlabforgepass = { };
-        "sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
-        "sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
-      };
-      templates = lib.mkIf (!config.swarselsystems.isPublic) {
-        "network-manager.env".content = ''
-          ERNEST=${config.sops.placeholder.ernest}
-          FRAUNS=${config.sops.placeholder.frauns}
-          HOTSPOT=${config.sops.placeholder.hotspot}
-          EDUID=${config.sops.placeholder.eduid}
-          EDUPASS=${config.sops.placeholder.edupass}
-          HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
-          VPNUSER=${config.sops.placeholder.vpnuser}
-          VPNPASS=${config.sops.placeholder.vpnpass}
-          WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
-          WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
-          WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
-        '';
-      };
-    };
-  };
-}

modules/nixos/common/tmp.nix

@@ -1,7 +0,0 @@
-{ config, lib, ... }:
-{
-  options.swarselsystems.modules.tmp = lib.mkEnableOption "tmp dir config";
-  config = lib.mkIf config.swarselsystems.modules.tmp {
-    boot.tmp.useTmpfs = !config.swarselsystems.modules.impermanence true;
-  };
-}

modules/nixos/darwin/default.nix

@@ -0,0 +1,17 @@
+{ lib, config, outputs, ... }:
+{
+
+  options.swarselsystems.modules.darwin.general = lib.mkEnableOption "darwin config";
+  config = lib.mkIf config.swarselsystems.modules.darwin.general {
+    nix.settings.experimental-features = "nix-command flakes";
+    nixpkgs = {
+      hostPlatform = "x86_64-darwin";
+      overlays = [ outputs.overlays.default ];
+      config = {
+        allowUnfree = true;
+      };
+    };
+
+    system.stateVersion = 4;
+  };
+}

modules/nixos/default.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+  importNames = lib.swarselsystems.readNix "modules/nixos";
+in
+{
+  imports = lib.swarselsystems.mkImports importNames "modules/nixos";
+}

modules/nixos/optional/work.nix

@@ -1,6 +1,7 @@
 { self, lib, pkgs, config, ... }:
 let
   inherit (config.swarselsystems) mainUser homeDir xdgDir;
+  iwd = config.networking.networkmanager.wifi.backend == "iwd";
   owner = mainUser;
   sopsFile = self + /secrets/work/secrets.yaml;
   swarselService = name: description: execStart: {
@@ -49,6 +50,8 @@ in
           "govchost"
           "govcnetwork"
           "govcpool"
+          "baseuser"
+          "basepw"
         ];
       in
       {
@@ -60,6 +63,12 @@ in
             })
             secretNames
         );
+        templates = {
+          "network-manager-work.env".content = ''
+            BASEUSER=${config.sops.placeholder.baseuser}
+            BASEPASS=${config.sops.placeholder.basepw}
+          '';
+        };
       };
 
     boot.initrd = {
@@ -97,7 +106,48 @@ in
 
     networking = {
       inherit (config.swarselsystems) hostName fqdn;
-      networkmanager.wifi.scanRandMacAddress = false;
+
+      networkmanager = {
+        wifi.scanRandMacAddress = false;
+        ensureProfiles = {
+          environmentFiles = [
+            "${config.sops.templates."network-manager-work.env".path}"
+          ];
+          profiles = {
+            VBC = {
+              "802-1x" = {
+                eap = if (!iwd) then "ttls;" else "peap;";
+                identity = "$BASEUSER";
+                password = "$BASEPASS";
+                phase2-auth = "mschapv2";
+              };
+              connection = {
+                id = "VBC";
+                type = "wifi";
+              };
+              ipv4 = { method = "auto"; };
+              ipv6 = {
+                addr-gen-mode = "default";
+                method = "auto";
+              };
+              proxy = { };
+              wifi = {
+                cloned-mac-address = "permanent";
+                mac-address = "E8:65:38:52:63:FF";
+                mac-address-randomization = "1";
+                mode = "infrastructure";
+                ssid = "VBC";
+              };
+              wifi-security = {
+                auth-alg = "open";
+                key-mgmt = "wpa-eap";
+              };
+            };
+          };
+        };
+      };
+
+
       firewall = {
         enable = lib.mkDefault true;
         trustedInterfaces = [ "virbr0" ];
@@ -166,7 +216,7 @@ in
       openssh = {
         enable = true;
         extraConfig = ''
-                          '';
+                                '';
       };
 
       syncthing = {

modules/nixos/server/default.nix

@@ -1,18 +1,7 @@
-{ self, lib, ... }:
+{ lib, ... }:
 let
   importNames = lib.swarselsystems.readNix "modules/nixos/server";
-  modulesPath = "${self}/modules";
 in
 {
-  imports = lib.swarselsystems.mkImports importNames "modules/nixos/server" ++ [
-    "${modulesPath}/nixos/common/settings.nix"
-    "${modulesPath}/nixos/common/home-manager.nix"
-    "${modulesPath}/nixos/common/home-manager-extra.nix"
-    "${modulesPath}/nixos/common/xserver.nix"
-    "${modulesPath}/nixos/common/time.nix"
-    "${modulesPath}/nixos/common/users.nix"
-    "${modulesPath}/nixos/common/nix-ld.nix"
-    "${modulesPath}/nixos/common/sharedsetup.nix"
-    "${modulesPath}/home/common/sharedsetup.nix"
-  ];
+  imports = lib.swarselsystems.mkImports importNames "modules/nixos/server";
 }

modules/nixos/server/sops.nix

@@ -1,11 +0,0 @@
-{ config, lib, ... }:
-{
-  options.swarselsystems.modules.server.sops = lib.mkEnableOption "enable sops on server";
-  config = lib.mkIf config.swarselsystems.modules.server.sops {
-    sops = {
-      age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ];
-      defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml";
-      validateSopsFiles = false;
-    };
-  };
-}