refactor: use true common config and split rest

Leon Schwarzäugl 2025-07-03 17:03:58 +02:00
parent 6ca7717d3e
commit 7d82c3cee9
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
59 changed files with 987 additions and 989 deletions


@ -3,8 +3,8 @@ let
inherit (config.swarselsystems) mainUser;
in
{
options.swarselsystems.modules.optional.autologin = lib.mkEnableOption "optional autologin settings";
config = lib.mkIf config.swarselsystems.modules.optional.autologin {
options.swarselsystems.modules.autologin = lib.mkEnableOption "optional autologin settings";
config = lib.mkIf config.swarselsystems.modules.autologin {
services = {
getty.autologinUser = mainUser;
greetd.settings.initial_session.user = mainUser;


@ -0,0 +1,7 @@
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/client";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
}


@ -1,11 +1,70 @@
{ lib, config, ... }:
{ self, lib, config, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) mainUser;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
in
{
options.swarselsystems = {
modules.network = lib.mkEnableOption "network config";
firewall = lib.swarselsystems.mkTrueOption;
};
config = lib.mkIf config.swarselsystems.modules.network {
sops = {
secrets = lib.mkIf (!config.swarselsystems.isPublic) {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
};
templates = lib.mkIf (!config.swarselsystems.isPublic) {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
'';
};
};
networking = {
wireless.iwd = {
enable = true;
settings = {
IPv6 = {
Enabled = true;
};
Settings = {
AutoConnect = true;
};
DriverQuirks = {
UseDefaultInterface = true;
};
};
};
nftables.enable = lib.mkDefault true;
enableIPv6 = lib.mkDefault true;
firewall = {
@ -76,10 +135,11 @@
eduroam = {
"802-1x" = {
eap = "ttls;";
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUID";
password = "$EDUPASS";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
};
connection = {
id = "eduroam";
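Review bot: The eduroam `802-1x` block (`eap`, `identity`, `password`, `phase2-auth`, `anonymous-identity`) sets up TTLS/PEAP with MSCHAPv2 but carries no `ca-cert` and no `domain-suffix-match`, so phase 1 completes against any RADIUS server — a rogue AP announcing the same SSID can collect the MSCHAPv2 challenge/response for `$EDUPASS`, which is crackable offline. Add the institution's CA and server-name check from its eduroam CAT profile next to `phase2-auth`, e.g. `ca-cert = "<path to institution CA>";` and `domain-suffix-match = "<RADIUS server domain>";` — this file already distributes PEM files through `sops` (`certsSopsFile`), so the CA can be shipped the same way. `anonymous-identity` is only applied for the iwd backend, yet the outer identity is transmitted unencrypted under wpa_supplicant as well, so it should be set unconditionally. The hunk header counts one more line than is shown, so the enclosing profile block appears to continue past the last visible line.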


@ -0,0 +1,16 @@
{ config, lib, ... }:
{
options.swarselsystems.modules.sops = lib.mkEnableOption "sops config";
config = lib.mkIf config.swarselsystems.modules.sops {
sops = {
# age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
# defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
validateSopsFiles = false;
};
};
}
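Review bot: `defaultSopsFile` is a plain string built from `config.swarselsystems.flakePath`, which is why `validateSopsFiles = false` is required — the YAML is only read at activation, so a missing or undecryptable secret surfaces at switch time rather than at build time, and the secrets file is not part of the evaluated closure. `network.nix` in this same commit already uses `self + /secrets/certs/secrets.yaml` for `certsSopsFile`; the same form here, `defaultSopsFile = self + /secrets/general/secrets.yaml;` (with `self` added to the module arguments), would let validation stay on. The deleted server module set `age.sshKeyPaths` and `defaultSopsFile` with `lib.mkDefault`; here both are set at normal priority, so any per-host override (the servers previously pointed at `secrets/winters/secrets.yaml`) now collides instead of winning — wrap both in `lib.mkDefault`. The two commented-out `mkIfElseList` lines should be removed or replaced by a one-line comment stating why the `/persist` key paths were dropped.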


@ -1,9 +0,0 @@
{ inputs, config, lib, ... }:
{
options.swarselsystems.modules.home-managerExtra = lib.mkEnableOption "home-manager extras for non-chaostheatre";
config = lib.mkIf config.swarselsystems.modules.home-managerExtra {
home-manager = lib.mkIf config.swarselsystems.withHomeManager {
extraSpecialArgs = { inherit (inputs) nix-secrets nixgl; };
};
};
}


@ -14,7 +14,7 @@
home.stateVersion = lib.mkDefault config.system.stateVersion;
}
];
extraSpecialArgs = { inherit (inputs) self; inherit inputs outputs globals nodes; };
extraSpecialArgs = { inherit (inputs) self nixgl; inherit inputs outputs globals nodes; };
};
};
}
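Review bot: `extraSpecialArgs` now passes `nixgl` but not `nix-secrets`, which the deleted `home-manager-extra.nix` provided alongside it; if any home-manager module still takes `nix-secrets` from specialArgs, evaluation will fail with an unbound argument on hosts that relied on the removed module. Either restore it (`extraSpecialArgs = { inherit (inputs) self nixgl nix-secrets; inherit inputs outputs globals nodes; };`) or confirm no home module references it. The enclosing `home-manager` attribute set starts outside the hunk.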


@ -7,6 +7,7 @@ in
options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config";
config = lib.mkIf config.swarselsystems.modules.impermanence {
security.sudo.extraConfig = lib.mkIf isImpermanence ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
@ -15,54 +16,55 @@ in
# This script does the actual wipe of the system
# So if it doesn't run, the btrfs system effectively acts like a normal system
# Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
boot.tmp.useTmpfs = lib.mkIf (!isImpermanence) true;
boot.initrd.systemd = lib.mkIf isImpermanence {
enable = true;
services.rollback = {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = [ "initrd.target" ];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
# mount the root fs before clearing
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
boot.initrd.systemd.enable = lib.mkIf isImpermanence true;
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
btrfs subvolume list -o /mnt/root
boot.initrd.systemd.services.rollback = lib.mkIf isImpermanence {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = [ "initrd.target" ];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
# mount the root fs before clearing
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
btrfs subvolume list -o /mnt/root
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
};
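Review bot: In the `rollback` script a failed child-subvolume delete is not fatal: `done &&` only sees the loop's final exit status, and `btrfs subvolume snapshot /mnt/root-blank /mnt/root` is not chained at all, so if `/mnt/root` survives the snapshot is created inside it and the host boots on the un-wiped root without any error — the one outcome the impermanence wipe exists to prevent. Unless the generated unit script already runs under `-e` (not visible from here), add `set -euo pipefail` as the first line of `script` and make the loop abort on the first failure, `btrfs subvolume delete "/mnt/$subvolume" || exit 1`. `cut -f9 -d' '` also truncates any subvolume path that contains a space; `cut -d' ' -f9-` keeps the whole path. `isImpermanence`, `isCrypted` and `mapperTarget` come from a `let` binding outside the hunk.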


@ -1,54 +0,0 @@
{ self, config, lib, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) mainUser homeDir;
in
{
options.swarselsystems.modules.commonSops = lib.mkEnableOption "sops config";
config = lib.mkIf config.swarselsystems.modules.commonSops {
sops = {
age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${homeDir}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = lib.mkIf (!config.swarselsystems.isPublic) {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
};
templates = lib.mkIf (!config.swarselsystems.isPublic) {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
'';
};
};
};
}


@ -1,7 +0,0 @@
{ config, lib, ... }:
{
options.swarselsystems.modules.tmp = lib.mkEnableOption "tmp dir config";
config = lib.mkIf config.swarselsystems.modules.tmp {
boot.tmp.useTmpfs = !config.swarselsystems.modules.impermanence true;
};
}


@ -0,0 +1,17 @@
{ lib, config, outputs, ... }:
{
options.swarselsystems.modules.darwin.general = lib.mkEnableOption "darwin config";
config = lib.mkIf config.swarselsystems.modules.darwin.general {
nix.settings.experimental-features = "nix-command flakes";
nixpkgs = {
hostPlatform = "x86_64-darwin";
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
};
system.stateVersion = 4;
};
}
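Review bot: `nixpkgs.hostPlatform = "x86_64-darwin";` and `system.stateVersion = 4;` are hard-coded inside a module whose option is described as general darwin config, so an Apple-silicon host cannot enable it without a `mkForce`. Since the rest of the tree keeps per-host facts in `config.swarselsystems`, consider `hostPlatform = lib.mkDefault "x86_64-darwin";` or reading it from an option, and add a comment stating which machine the stateVersion was frozen for.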


@ -0,0 +1,7 @@
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos";
}


@ -1,6 +1,7 @@
{ self, lib, pkgs, config, ... }:
let
inherit (config.swarselsystems) mainUser homeDir xdgDir;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
owner = mainUser;
sopsFile = self + /secrets/work/secrets.yaml;
swarselService = name: description: execStart: {
@ -49,6 +50,8 @@ in
"govchost"
"govcnetwork"
"govcpool"
"baseuser"
"basepw"
];
in
{
@ -60,6 +63,12 @@ in
})
secretNames
);
templates = {
"network-manager-work.env".content = ''
BASEUSER=${config.sops.placeholder.baseuser}
BASEPASS=${config.sops.placeholder.basepw}
'';
};
};
boot.initrd = {
@ -97,7 +106,48 @@ in
networking = {
inherit (config.swarselsystems) hostName fqdn;
networkmanager.wifi.scanRandMacAddress = false;
networkmanager = {
wifi.scanRandMacAddress = false;
ensureProfiles = {
environmentFiles = [
"${config.sops.templates."network-manager-work.env".path}"
];
profiles = {
VBC = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$BASEUSER";
password = "$BASEPASS";
phase2-auth = "mschapv2";
};
connection = {
id = "VBC";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
cloned-mac-address = "permanent";
mac-address = "E8:65:38:52:63:FF";
mac-address-randomization = "1";
mode = "infrastructure";
ssid = "VBC";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
};
};
};
firewall = {
enable = lib.mkDefault true;
trustedInterfaces = [ "virbr0" ];
@ -166,7 +216,7 @@ in
openssh = {
enable = true;
extraConfig = ''
'';
'';
};
syncthing = {
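Review bot: The new `VBC` profile sends `$BASEUSER`/`$BASEPASS` over PEAP/TTLS+MSCHAPv2 with no `ca-cert` and no `domain-suffix-match`, so the client never checks which RADIUS server it is talking to; an attacker-run AP with the `VBC` SSID obtains an MSCHAPv2 exchange for what look like work credentials, and that exchange is crackable offline. Add the employer's CA and server-name match beside `phase2-auth` (`ca-cert = "<employer CA>"; domain-suffix-match = "<RADIUS server domain>";`) and set `anonymous-identity` as the eduroam profile in this commit does, since the outer identity goes out unencrypted. `mac-address = "E8:65:38:52:63:FF"` commits a real device identifier to the repository; this file already routes secrets through the `network-manager-work.env` template, so the MAC could be substituted from there too (`mac-address = "$BASEMAC";`), assuming the profile substitution covers that field. `openssh.extraConfig = ''''` is left as an empty string and could simply be removed; the `networking` set continues past the hunk.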


@ -1,18 +1,7 @@
{ self, lib, ... }:
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/server";
modulesPath = "${self}/modules";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/server" ++ [
"${modulesPath}/nixos/common/settings.nix"
"${modulesPath}/nixos/common/home-manager.nix"
"${modulesPath}/nixos/common/home-manager-extra.nix"
"${modulesPath}/nixos/common/xserver.nix"
"${modulesPath}/nixos/common/time.nix"
"${modulesPath}/nixos/common/users.nix"
"${modulesPath}/nixos/common/nix-ld.nix"
"${modulesPath}/nixos/common/sharedsetup.nix"
"${modulesPath}/home/common/sharedsetup.nix"
];
imports = lib.swarselsystems.mkImports importNames "modules/nixos/server";
}


@ -1,11 +0,0 @@
{ config, lib, ... }:
{
options.swarselsystems.modules.server.sops = lib.mkEnableOption "enable sops on server";
config = lib.mkIf config.swarselsystems.modules.server.sops {
sops = {
age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ];
defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/winters/secrets.yaml";
validateSopsFiles = false;
};
};
}