feat[client,server]: add remote builds, confLib

2025-12-06 00:57:22 +01:00 · 2025-12-02 00:57:35 +01:00 · 2025-12-02 00:57:35 +01:00 · 9acfc5f934
commit 9acfc5f934
parent c20f1b0b59
133 changed files with 4297 additions and 3249 deletions
--- a/modules/home/common/anki.nix
+++ b/modules/home/common/anki.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
+{ lib, config, pkgs, globals, inputs, confLib, ... }:
 let
  moduleName = "anki";
  inherit (config.swarselsystems) isPublic isNixos;
@ -23,11 +23,11 @@ in
          syncMedia = true;
          autoSyncMediaMinutes = 5;
          url = "https://${globals.services.ankisync.domain}";
-          usernameFile = nixosConfig.sops.secrets.anki-user.path;
+          usernameFile = confLib.getConfig.sops.secrets.anki-user.path;
          # this is not the password but the syncKey
          # get it by logging in or out, saving preferences and then
          # show details on the "settings wont be saved" dialog
-          keyFile = nixosConfig.sops.secrets.anki-pw.path;
+          keyFile = confLib.getConfig.sops.secrets.anki-pw.path;
        };
        addons =
          let
--- a/modules/home/common/element.nix
+++ b/modules/home/common/element.nix
@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, globals, ... }:
 let
  moduleName = "element-desktop";
 in
@ -10,7 +10,7 @@ in
      settings = {
        default_server_config = {
          "m.homeserver" = {
-            base_url = "https://swatrix.swarsel.win/";
+            base_url = "https://${globals.services.matrix.domain}/";
          };
        };
        UIFeature = {
--- a/modules/home/common/env.nix
+++ b/modules/home/common/env.nix
@ -1,8 +1,8 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ lib, config, confLib, globals, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
-  inherit (nixosConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
-  inherit (nixosConfig.repo.secrets.common) fullName openrouterApi;
+  inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
+  inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
+  inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain;
  inherit (config.swarselsystems) isPublic homeDir;

  DISPLAY = ":0";
@ -18,6 +18,12 @@ in
      DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
      FLAKE = "${config.home.homeDirectory}/.dotfiles";
    } // lib.optionalAttrs (!isPublic) {
+      SWARSEL_DOMAIN = globals.domains.main;
+      SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain;
+      SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain;
+      SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain;
+      SWARSEL_INSTA_DOMAIN = instaDomain;
+      SWARSEL_SPORT_DOMAIN = sportDomain;
      SWARSEL_MAIL1 = address1;
      SWARSEL_MAIL2 = address2;
      SWARSEL_MAIL3 = address3;
@ -30,7 +36,7 @@ in
      SWARSEL_CAL3NAME = source3-name;
      SWARSEL_FULLNAME = fullName;
      SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
-      GITHUB_NOTIFICATION_TOKEN_PATH = nixosConfig.sops.secrets.github-notifications-token.path;
+      GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path;
      OPENROUTER_API_KEY = openrouterApi;
    };
  };
--- a/modules/home/common/gammastep.nix
+++ b/modules/home/common/gammastep.nix
@ -1,6 +1,6 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ lib, config, confLib, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
+  inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude;
 in
 {
  options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings";
--- a/modules/home/common/git.nix
+++ b/modules/home/common/git.nix
@ -1,7 +1,7 @@
-{ lib, config, globals, minimal, nixosConfig ? config, ... }:
+{ lib, config, globals, minimal, confLib, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.mail) address1;
-  inherit (nixosConfig.repo.secrets.common) fullName;
+  inherit (confLib.getConfig.repo.secrets.common.mail) address1;
+  inherit (confLib.getConfig.repo.secrets.common) fullName;

  gitUser = globals.user.name;
 in
--- a/modules/home/common/hexchat.nix
+++ b/modules/home/common/hexchat.nix
@ -1,7 +1,7 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ lib, config, confLib, ... }:
 let
  moduleName = "hexchat";
-  inherit (nixosConfig.repo.secrets.common.irc) irc_nick1;
+  inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1;
 in
 {
  options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
--- a/modules/home/common/mail.nix
+++ b/modules/home/common/mail.nix
@ -1,7 +1,7 @@
-{ lib, config, inputs, globals, nixosConfig ? config, ... }:
+{ lib, config, inputs, globals, confLib, ... }:
 let
-  inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
-  inherit (nixosConfig.repo.secrets.common) fullName;
+  inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
+  inherit (confLib.getConfig.repo.secrets.common) fullName;
  inherit (config.swarselsystems) xdgDir;
 in
 {
@ -140,7 +140,7 @@ in
                address = address4;
                userName = address4;
                realName = fullName;
-                passwordCommand = "cat ${nixosConfig.sops.secrets.address4-token.path}";
+                passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}";
                mu.enable = true;
                msmtp = {
                  enable = true;
@ -169,7 +169,7 @@ in
                  address = address1;
                  userName = address1;
                  realName = fullName;
-                  passwordCommand = "cat ${nixosConfig.sops.secrets.address1-token.path}";
+                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}";
                  gpg = {
                    key = "0x76FD3810215AE097";
                    signByDefault = true;
@ -183,7 +183,7 @@ in
                  address = address2;
                  userName = address2;
                  realName = address2-name;
-                  passwordCommand = "cat ${nixosConfig.sops.secrets.address2-token.path}";
+                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}";
                }
                defaultSettings;

@ -193,7 +193,7 @@ in
                  address = address3;
                  userName = address3;
                  realName = address3-name;
-                  passwordCommand = "cat ${nixosConfig.sops.secrets.address3-token.path}";
+                  passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}";
                }
                defaultSettings;

--- a/modules/home/common/obsidian.nix
+++ b/modules/home/common/obsidian.nix
@ -1,7 +1,7 @@
-{ lib, config, pkgs, nixosConfig ? config, ... }:
+{ lib, config, pkgs, confLib, ... }:
 let
  moduleName = "obsidian";
-  inherit (nixosConfig.repo.secrets.common.obsidian) userIgnoreFilters;
+  inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters;
  name = "Main";
 in
 {
--- a/modules/home/common/opkssh.nix
+++ b/modules/home/common/opkssh.nix
@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, globals, ... }:
 let
  moduleName = "opkssh";
 in
@ -13,7 +13,7 @@ in
        providers = [
          {
            alias = "kanidm";
-            issuer = "https://sso.swarsel.win/oauth2/openid/opkssh";
+            issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh";
            client_id = "opkssh";
            scopes = "openid email profile";
            redirect_uris = [
--- a/modules/home/common/settings.nix
+++ b/modules/home/common/settings.nix
@ -40,7 +40,11 @@ in
          trusted-public-keys = [
            atticPublicKey
          ];
-          trusted-users = [ "@wheel" "${mainUser}" ];
+          trusted-users = [
+            "@wheel"
+            "${mainUser}"
+            (lib.mkIf config.swarselmodules.server.ssh-builder "builder")
+          ];
          connect-timeout = 5;
          bash-prompt-prefix = "[33m$SHLVL:\\w [0m";
          bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"[31m\"; else printf \"[32m\"; fi)λ [0m";
--- a/modules/home/common/ssh.nix
+++ b/modules/home/common/ssh.nix
@ -1,7 +1,7 @@
-{ lib, config, nixosConfig ? config, ... }:
+{ inputs, lib, config, confLib, ... }:
 {
  options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
-  config = lib.mkIf config.swarselmodules.ssh {
+  config = lib.mkIf config.swarselmodules.ssh ({
    programs.ssh = {
      enable = true;
      enableDefaultConfig = false;
@ -18,11 +18,15 @@
          serverAliveCountMax = 3;
          hashKnownHosts = false;
          userKnownHostsFile = "~/.ssh/known_hosts";
-          controlMaster = "no";
+          controlMaster = "auto";
          controlPath = "~/.ssh/master-%r@%n:%p";
-          controlPersist = "no";
+          controlPersist = "5m";
        };
-      } // nixosConfig.repo.secrets.common.ssh.hosts;
+      } // confLib.getConfig.repo.secrets.common.ssh.hosts;
    };
-  };
+  } // lib.optionalAttrs (inputs ? sops) {
+    sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
+      builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
+    };
+  });
 }
--- a/modules/home/common/sway.nix
+++ b/modules/home/common/sway.nix
@ -1,4 +1,4 @@
-{ config, lib, vars, nixosConfig ? config, ... }:
+{ config, lib, vars, confLib, ... }:
 let
  eachOutput = _: monitor: {
    inherit (monitor) name;
@ -381,7 +381,7 @@ in
        export XDG_CURRENT_DESKTOP=sway;
        export XDG_SESSION_DESKTOP=sway;
        export _JAVA_AWT_WM_NONREPARENTING=1;
-        export GITHUB_NOTIFICATION_TOKEN_PATH=${nixosConfig.sops.secrets.github-notifications-token.path};
+        export GITHUB_NOTIFICATION_TOKEN_PATH=${confLib.getConfig.sops.secrets.github-notifications-token.path};
      '' + vars.waylandExports;
      # extraConfigEarly = "
      # exec systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK
--- a/modules/home/common/yubikey.nix
+++ b/modules/home/common/yubikey.nix
@ -1,4 +1,4 @@
-{ lib, config, inputs, nixosConfig ? config, ... }:
+{ lib, config, inputs, confLib, ... }:
 let
  inherit (config.swarselsystems) homeDir;
 in
@ -9,8 +9,8 @@ in

    pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
      ids = [
-        nixosConfig.repo.secrets.common.yubikeys.dev1
-        nixosConfig.repo.secrets.common.yubikeys.dev2
+        confLib.getConfig.repo.secrets.common.yubikeys.dev1
+        confLib.getConfig.secrets.common.yubikeys.dev2
      ];
    };
  } // lib.optionalAttrs (inputs ? sops) {
--- a/modules/home/common/zsh.nix
+++ b/modules/home/common/zsh.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, minimal, inputs, globals, nixosConfig ? config, ... }:
+{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
 let
  inherit (config.swarselsystems) flakePath isNixos;
  crocDomain = globals.services.croc.domain;
@ -127,8 +127,8 @@ in
        '';
        sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) {
          CROC_RELAY = crocDomain;
-          CROC_PASS = "$(cat ${nixosConfig.sops.secrets.croc-password.path or ""})";
-          GITHUB_TOKEN = "$(cat ${nixosConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
+          CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})";
+          GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
          QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
          # QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
        };
--- a/modules/home/optional/framework.nix
+++ b/modules/home/optional/framework.nix
@ -1,7 +1,6 @@
-{ lib, config, ... }:
+_:
 {
-  options.swarselmodules.optional.framework = lib.mkEnableOption "optional framework machine settings";
-  config = lib.mkIf config.swarselmodules.optional.framework {
+  config = {
    swarselsystems = {
      inputs = {
        "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
--- a/modules/home/optional/gaming.nix
+++ b/modules/home/optional/gaming.nix
@ -1,10 +1,9 @@
-{ lib, config, pkgs, nixosConfig ? config, ... }:
+{ config, pkgs, confLib, ... }:
 let
  inherit (config.swarselsystems) isNixos;
 in
 {
-  options.swarselmodules.optional.gaming = lib.mkEnableOption "optional gaming settings";
-  config = lib.mkIf config.swarselmodules.optional.gaming {
+  config = {
    # specialisation = {
    #   gaming.configuration = {
    home.packages = with pkgs; [
@ -44,7 +43,7 @@ in
        gamescope
        umu-launcher
      ];
-      steamPackage = if isNixos then nixosConfig.programs.steam.package else pkgs.steam;
+      steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam;
      winePackages = with pkgs; [
        wineWow64Packages.waylandFull
      ];
--- a/modules/home/optional/niri.nix
+++ b/modules/home/optional/niri.nix
@ -1,5 +1,8 @@
-{ config, pkgs, lib, vars, ... }:
+{ inputs, config, pkgs, lib, vars, ... }:
 {
+  imports = [
+    inputs.niri-flake.homeModules.niri
+  ];
  options.swarselmodules.niri = lib.mkEnableOption "niri settings";
  config = lib.mkIf config.swarselmodules.niri
    {
--- a/modules/home/optional/uni.nix
+++ b/modules/home/optional/uni.nix
@ -1,24 +1,22 @@
-{ config, lib, nixosConfig ? config, ... }:
+{ confLib, ... }:
 {
-  options.swarselmodules.optional.uni = lib.mkEnableOption "optional uni settings";
-  config = lib.mkIf config.swarselmodules.optional.uni
-    {
-      services.pizauth = {
-        enable = true;
-        accounts = {
-          uni = {
-            authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
-            tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
-            clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
-            clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
-            scopes = [
-              "https://outlook.office365.com/IMAP.AccessAsUser.All"
-              "https://outlook.office365.com/SMTP.Send"
-              "offline_access"
-            ];
-            loginHint = "${nixosConfig.repo.secrets.local.uni.mailAddress}";
-          };
+  config = {
+    services.pizauth = {
+      enable = true;
+      accounts = {
+        uni = {
+          authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+          tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+          clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
+          clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
+          scopes = [
+            "https://outlook.office365.com/IMAP.AccessAsUser.All"
+            "https://outlook.office365.com/SMTP.Send"
+            "offline_access"
+          ];
+          loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}";
        };
      };
    };
+  };
 }
--- a/modules/home/optional/work.nix
+++ b/modules/home/optional/work.nix