diff --git a/SwarselSystems.org b/SwarselSystems.org
index 65a7e35..57f0d7a 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -6306,6 +6306,9 @@ I am using distrobox to quickly circumvent isses that I cannot immediately solve
#+end_src
**** Appimage
+:PROPERTIES:
+:CUSTOM_ID: h:cfc22f8d-251e-4636-98d6-a43cdb112b68
+:END:
Adds the necessary tools to allow .appimage programs easily.
#+begin_src nix :tangle profiles/nixos/common/appimage.nix
diff --git a/index.html b/index.html
index b7af47b..6fed682 100644
--- a/index.html
+++ b/index.html
@@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
- +-This file has 58741 words spanning 15323 lines and was last revised on 2025-03-22 22:55:00 +0100. +This file has 59294 words spanning 15468 lines and was last revised on 2025-03-26 22:15:27 +0100.
@@ -733,7 +742,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-03-22 22:55:00 +0100) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-03-26 22:15:27 +0100)
{ self, inputs, pkgs, lib, primaryUser, ... }:
+{ self, inputs, lib, primaryUser, ... }:
let
secretsDirectory = builtins.toString inputs.nix-secrets;
profilesPath = "${self}/profiles";
@@ -1773,7 +1782,7 @@ in
boot = {
supportedFilesystems = [ "btrfs" ];
- kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ # kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
kernelParams = [
"resume_offset=533760"
];
@@ -1794,23 +1803,9 @@ in
programs.fw-fanctrl = {
enable = true;
- # config = {
- # defaultStrategy = "lazy";
- # strategies = {
- # "lazy" = {
- # fanSpeedUpdateFrequency = 5;
- # movingAverageInterval = 30;
- # speedCurve = [
- # { temp = 0; speed = 15; }
- # { temp = 50; speed = 15; }
- # { temp = 65; speed = 25; }
- # { temp = 70; speed = 35; }
- # { temp = 75; speed = 50; }
- # { temp = 85; speed = 100; }
- # ];
- # };
- # };
- # };
+ config = {
+ defaultStrategy = "lazy";
+ };
};
networking = {
@@ -1821,16 +1816,18 @@ in
services = {
- fwupd.enable = true;
+ fwupd = {
+ enable = true;
+ # framework also uses lvfs-testing, but I do not want to use it
+ extraRemotes = [ "lvfs" ];
+ };
udev.extraRules = ''
- # Make Framework 16 Ethernet Module work reliably
- ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20"
-
- # disable Wakup on Framework Laptop 16 Keyboard
- ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0018", ATTR{power/wakeup}="disabled"
-
- # disable Wakup on Framework Laptop 16 Numpad Module
+ # disable Wakeup on Framework Laptop 16 Keyboard (ANSI)
+ ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0012", ATTR{power/wakeup}="disabled"
+ # disable Wakeup on Framework Laptop 16 Numpad Module
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0014", ATTR{power/wakeup}="disabled"
+ # disable Wakeup on Framework Laptop 16 Trackpad
+ ACTION=="add", SUBSYSTEM=="i2c", DRIVERS=="i2c_hid_acpi", ATTRS{name}=="PIXA3854:00", ATTR{power/wakeup}="disabled"
'';
};
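Review bot: `extraRemotes = [ "lvfs" ]` does not switch lvfs-testing off if the "framework" in the comment refers to the nixos-hardware Framework module, which sets the same `services.fwupd.extraRemotes` list option; NixOS merges list options, so both remotes end up enabled and the comment's intent is silently lost. To actually opt out, force the value (`extraRemotes = lib.mkForce [ "lvfs" ];`) or leave it unset, and confirm with `fwupdmgr get-remotes` that lvfs-testing is reported as disabled. The `services` attrset continues outside the hunk.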
@@ -1985,7 +1982,7 @@ in
3.1.2.1.2. hardware-configuration
-{ config, pkgs, lib, modulesPath, ... }:
+{ config, lib, modulesPath, ... }:
{
imports =
[
@@ -1993,20 +1990,20 @@ in
];
# Fix Wlan after suspend or Hibernate
- environment.etc."systemd/system-sleep/fix-wifi.sh".source =
- pkgs.writeShellScript "fix-wifi.sh" ''
- case $1/$2 in
- pre/*)
- ${pkgs.kmod}/bin/modprobe -r mt7921e mt792x_lib mt76
- echo 1 > /sys/bus/pci/devices/0000:04:00.0/remove
- ;;
+ # environment.etc."systemd/system-sleep/fix-wifi.sh".source =
+ # pkgs.writeShellScript "fix-wifi.sh" ''
+ # case $1/$2 in
+ # pre/*)
+ # ${pkgs.kmod}/bin/modprobe -r mt7921e mt792x_lib mt76
+ # echo 1 > /sys/bus/pci/devices/0000:04:00.0/remove
+ # ;;
- post/*)
- ${pkgs.kmod}/bin/modprobe mt7921e
- echo 1 > /sys/bus/pci/rescan
- ;;
- esac
- '';
+ # post/*)
+ # ${pkgs.kmod}/bin/modprobe mt7921e
+ # echo 1 > /sys/bus/pci/rescan
+ # ;;
+ # esac
+ # '';
boot = {
initrd = {
@@ -2022,7 +2019,10 @@ in
kernelModules = [ "kvm-amd" ];
kernelParams = [
"mem_sleep_default=deep"
- "amd_pstate=passive"
+ # supposedly, this helps save power on laptops
+ # in reality (at least on this model), this just generate excessive heat on the CPUs
+ # "amd_pstate=passive"
+
# Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
# TODO: figure out if this is worth it
# test PSR/PR state with 'sudo grep '' /sys/kernel/debug/dri/0000*/eDP-2/*_capability'
@@ -3639,16 +3639,56 @@ writeShellApplication {
+This application moves the wl-mirror app to the T workspace and makes it fullscreen there.
+
+
+{ name, writeShellApplication, sway, ... }:
+
+writeShellApplication {
+ inherit name;
+ runtimeInputs = [ sway ];
+ text = ''
+ swaymsg '[app_id=at.yrlf.wl_mirror] move to workspace 14:T'
+ swaymsg '[app_id=at.yrlf.wl_mirror] fullscreen'
+ '';
+}
+
SHARESCREEN="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$(hostname)".config.home-manager.users."$(whoami)".swarselsystems.sharescreen)"
+
+headless="false"
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ -h)
+ headless="true"
+ ;;
+ *)
+ echo "Invalid option detected."
+ ;;
+ esac
+ shift
+done
-wl-mirror "$SHARESCREEN" &
-sleep 0.1
-swaymsg '[app_id=at.yrlf.wl_mirror] move to workspace 14:T'
-swaymsg '[app_id=at.yrlf.wl_mirror] fullscreen'
+SHARESCREEN="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$(hostname)".config.home-manager.users."$(whoami)".swarselsystems.sharescreen)"
+
+if [[ $headless == "true" ]]; then
+ wl-mirror "$SHARESCREEN"
+else
+ wl-mirror "$SHARESCREEN" &
+ sleep 0.1
+ swaymsg '[app_id=at.yrlf.wl_mirror] move to workspace 14:T'
+ swaymsg '[app_id=at.yrlf.wl_mirror] fullscreen'
+fi
This program sets up a new NixOS host remotely. It also takes care of secret management on the new host. @@ -4027,7 +4067,7 @@ writeShellApplication {
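Review bot: The `*)` branch of the option loop only echoes `Invalid option detected.` and carries on, so a mistyped flag still starts the mirror in the interactive (non-headless) path; change it to `echo "Invalid option detected." >&2; exit 1` so the systemd unit that calls `screenshare -h` fails visibly instead of popping a window onto the wrong workspace. `-h` is also the conventional help flag; a `--headless` spelling would surprise nobody. The script's prologue (shebang and `set` options from writeShellApplication) is outside the hunk.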
This program builds a configuration locally.
@@ -4117,6 +4157,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
rm profiles/home/common/gammastep.nix
rm profiles/home/common/git.nix
rm profiles/home/common/mail.nix
+ rm profiles/home/common/yubikey.nix
rm profiles/nixos/common/home-manager-extra.nix
nix flake update vbc-nix
git add .
@@ -4146,7 +4187,7 @@ writeShellApplication {
This program sets up a new NixOS host locally.
@@ -4254,6 +4295,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
rm profiles/home/common/gammastep.nix
rm profiles/home/common/git.nix
rm profiles/home/common/mail.nix
+ rm profiles/home/common/yubikey.nix
rm profiles/nixos/common/home-manager-extra.nix
nix flake update vbc-nix
git add .
@@ -4351,7 +4393,7 @@ writeShellApplication {
This program sets up a new NixOS host locally. @@ -4449,7 +4491,7 @@ writeShellApplication {
This script allows for quick git branch switching. @@ -4471,7 +4513,7 @@ writeShellApplication {
This script allows for quick git branch switching. @@ -4493,7 +4535,7 @@ writeShellApplication {
This script allows for quick git branch switching. @@ -4515,7 +4557,7 @@ writeShellApplication {
This script allows for quick git branch switching. @@ -4623,7 +4665,7 @@ python3.pkgs.buildPythonApplication rec {
set -euo pipefail
@@ -4647,7 +4689,7 @@ writeShellApplication {
{ name, pkgs, ... }:
@@ -4666,15 +4708,15 @@ pkgs.buildFHSEnv (base // {
A crude script to power on all displays that might be attached. Needed because sometimes displays do not awake from sleep.
swaymsg output eDP-1 power on > /dev/null 2>&1 || true
-swaymsg output eDP-2 power on > /dev/null 2>&1 || true
+swaymsg "output * power on" > /dev/null 2>&1 || true
+swaymsg "output * dpms on" > /dev/null 2>&1 || true
AppImage version of mgba in which the lua scripting works.
@@ -5445,8 +5487,10 @@ in
};
search = {
- default = "Kagi";
- privateDefault = "Kagi";
+ # default = "Kagi";
+ default = "Google";
+ # privateDefault = "Kagi";
+ privateDefault = "Google";
engines = {
"Kagi" = {
urls = [{
@@ -5959,6 +6003,7 @@ Mostly used to install some compilers and lsp's that I want to have available wh
just
screenshare
+ fullscreen
# keyboards
qmk
@@ -6178,6 +6223,8 @@ Needed for control over system-wide privileges etc. Also I make sure that the ro
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
+ Defaults env_keep+=XDG_RUNTIME_DIR
+ Defaults env_keep+=WAYLAND_DISPLAY
'';
};
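Review bot: `Defaults env_keep+=XDG_RUNTIME_DIR` and `Defaults env_keep+=WAYLAND_DISPLAY` are global, so every root process started through sudo now inherits the invoking user's `/run/user/<uid>` and can connect to their Wayland compositor; the usual fallout is root-owned sockets and cache files appearing in the user's runtime directory, and root GUI clients attaching to the user session. If only a few tools need this (the screen-sharing helpers in this commit look like the candidates), scope it to them with a command-specific default such as `Defaults!/run/current-system/sw/bin/screenshare env_keep += "XDG_RUNTIME_DIR WAYLAND_DISPLAY"`, or pass `sudo --preserve-env=XDG_RUNTIME_DIR,WAYLAND_DISPLAY <cmd>` at the call site and leave the global list alone. Either way a one-line comment next to these entries naming the consumer would stop them outliving it. The enclosing attrset (presumably `security`) starts outside the hunk.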
@@ -6993,20 +7040,24 @@ Most of the time I am using power-saver, however, it is good to be
-It makes sense to house these settings in their own section, since they are all needed really. Note that the starting of the gpg-agent is done in the sway settings, to also perform this step of the setup for non NixOS-machines at the same time. +This takes care of the main Yubikey related configuration on the NixOS side - note that the starting of the gpg-agent is done in the sway settings, to also perform this step of the setup for non NixOS-machines at the same time.
-pcscd is needed to use the smartcard mode (CCID) of the Yubikey.
+I want to use the ssh-agent from gpg-agent's ssh compatibility, which is why we disable ssh-agent. Also, we load some extra udev rules using hardware.gpgSmartcards.enable.
-The exception is the system packages, since that cannot be defined twice in the same file (common.nix). The comment is left in as a remider for that.
+Many guides state that it is needed to enable pcscd to use the smartcard mode (CCID) of the Yubikey. However, enabling it causes some problems when locking the screen and unplugging the Yubikey, after which the Yubikey only becomes available again as a smart card after about one minute. I found that is is sufficient to enable services.gpg-agent.enableScDaemon in home-manager instead.
-Also, this is a good place to setup the udev rules. +Also, since I use a GPG key in sops, it seems that scdaemon creates an instance at boot which sometimes hogs the Yubikey, which leads to significant delays after e.g. locking the screen and unplugging the Yubikey. Since I do not need the GPG key for the actual sops secrets (I use machine age keys instead), I kill that process.
+This performs the necessary configuration to support this hardware.
+
+
+{ pkgs, ... }:
+{
+ hardware.ledger.enable = true;
+
+ services.udev.packages = with pkgs; [
ledger-udev-rules
+ ];
+
+}
+
+
+This loads some udev rules that I need for my split keyboards.
+
+
+{ pkgs, ... }:
+{
+ services.udev.packages = with pkgs; [
qmk-udev-rules
vial
via
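Review bot: `hardware.ledger.enable = true` already adds `ledger-udev-rules` to `services.udev.packages` — as far as I recall that is essentially all the NixOS ledger module does — so the explicit `services.udev.packages = with pkgs; [ ledger-udev-rules ];` in the same file duplicates it; keep one, or add a comment saying why both are wanted. The org text above it (`This performs the necessary configuration to support this hardware`) would also benefit from naming what the rules do, i.e. that they make the token's device node reachable by an unprivileged user (via the uaccess tag or a group, depending on the packaged rules) so no root is needed to talk to it.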
@@ -7030,6 +7127,7 @@ Also, this is a good place to setup the udev rules.
+Adds the necessary tools to allow .appimage programs easily.
+
+
+_:
+{
+
+ programs.appimage = {
+ enable = true;
+ binfmt = true;
+ };
+
}
This turns off the display when the lid is closed. @@ -7480,7 +7599,7 @@ This turns off the display when the lid is closed.
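Review bot: `binfmt = true` registers a binfmt_misc handler, so any executable file carrying the AppImage magic is from now on run through appimage-run transparently when invoked; convenient, but AppImages are unsigned, unsandboxed bundles that sit outside the Nix store and its build provenance, and the org text should say so — e.g. `AppImages run unsandboxed and are not verified by Nix; only run bundles from sources you trust`. If the only consumer is the mgba bundle mentioned elsewhere on this page, leaving `binfmt` off and calling `appimage-run` explicitly keeps execution opt-in. The sentence `Adds the necessary tools to allow .appimage programs easily.` also reads better as `Adds the tools needed to run .appimage programs easily.`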
Since I hide the waybar completely during normal operation, I run the risk of not noticing when my battery is about to run out. This module sends a notification when the battery level falls below 10%. Written by cafkafk.
@@ -7491,7 +7610,7 @@ Since I hide the waybar completely during normal operation, I run the risk of no
{
systemd.user.services."battery-low" = {
enable = true;
- description = "Notify user if battery is below 10%";
+ description = "Timer for battery check that alerts at 10% or less";
partOf = [ "graphical-session.target" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig = {
@@ -7518,7 +7637,7 @@ Since I hide the waybar completely during normal operation, I run the risk of no
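Review bot: The new description `Timer for battery check that alerts at 10% or less` is attached to `systemd.user.services."battery-low"`, i.e. the service, not a timer, so `systemctl --user status battery-low` will now call the service a timer. Keep something like `Notify user if battery is at 10% or less` on the service and put the timer wording on the matching `.timer` unit, which is outside this hunk if it exists.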
This dynamically uses systemd boot or Lanzaboote depending on `config.swarselsystems.initialSetup` and `config.swarselsystems.isSecureBoot`.
@@ -9523,6 +9642,25 @@ let
inherit (config.swarselsystems) mainUser homeDir xdgDir;
owner = mainUser;
sopsFile = self + /secrets/work/secrets.yaml;
+ swarselService = name: description: execStart: {
+ "${name}" = {
+ enable = true;
+ inherit description;
+ serviceConfig = {
+ ExecStart = execStart;
+ User = mainUser;
+ Group = "users";
+ Environment = [
+ "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/${mainUser}/bin"
+ "XDG_RUNTIME_DIR=${xdgDir}"
+ "WAYLAND_DISPLAY=wayland-1"
+ ];
+ Type = "oneshot";
+ StandardOutput = "journal";
+ StandardError = "journal";
+ };
+ };
+ };
in
{
sops = {
@@ -9536,7 +9674,17 @@ in
};
};
- # boot.initrd.luks.yubikeySupport = true;
+ boot.initrd = {
+ systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence
+ luks = {
+ # disable "support" since we use systemd-cryptenroll
+ # make sure yubikeys are enrolled using
+ # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2
+ yubikeySupport = false;
+ fido2Support = false;
+ };
+ };
+ programs = {
zsh.shellInit = ''
export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})"
@@ -9614,7 +9762,7 @@ in
openssh = {
enable = true;
extraConfig = ''
- '';
+ '';
};
syncthing = {
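Review bot: The enrollment command recorded in the comment (`--fido2-with-client-pin=no --fido2-with-user-verification=no`) makes a touch on the token the only factor for unlocking the root LUKS volume, so whoever holds the laptop and the key together can decrypt it; that is a legitimate convenience trade-off, but the comment should say it is deliberate and that the passphrase keyslot stays enrolled as the recovery path (`systemd-cryptenroll` only removes it when asked with `--wipe-slot`). Separately, `fido2Support = false` only turns off NixOS's own FIDO2 handling; for the systemd initrd to offer the token at boot the device still needs the crypttab option (`boot.initrd.luks.devices.<name>.crypttabExtraOpts = [ "fido2-device=auto" ];`), which is not in this hunk — presumably it lives elsewhere, but a cross-reference in the comment would save the next reader a search. `lib.mkForce true` on `systemd.enable` will also override any module that disables initrd systemd, so a word on why the force is needed would help. The surrounding module attrset continues outside the hunk.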
@@ -9633,28 +9781,18 @@ in
};
udev.extraRules = ''
+ # share screen when dongle detected
SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="04e8", ATTRS{idProduct}=="6860", TAG+="systemd", ENV{SYSTEMD_WANTS}="swarsel-screenshare.service"
+
+ # lock screen when yubikey removed
+ ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
'';
};
- systemd.services.swarsel-screenshare = {
- enable = true;
- description = "Screensharing service upon dongle plugin";
- serviceConfig = {
- ExecStart = "${pkgs.screenshare}/bin/screenshare";
- User = mainUser;
- Group = "users";
- Environment = [
- "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/${mainUser}/bin"
- "XDG_RUNTIME_DIR=${xdgDir}"
- "WAYLAND_DISPLAY=wayland-1"
- ];
- Type = "oneshot";
- StandardOutput = "journal";
- StandardError = "journal";
- };
- };
+ systemd.services = lib.mkMerge [
+ (swarselService "swarsel-screenshare" "Start screensharing after HDMI dongle is detected" "${pkgs.screenshare}/bin/screenshare -h")
+ ];
# cgroups v1 is required for centos7 dockers
specialisation = {
@@ -10162,8 +10300,30 @@ in
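Review bot: The rule comment says `lock screen when yubikey removed`, but `RUN+="…/systemctl suspend"` suspends the machine and does not itself lock anything — whether the session is locked when the lid reopens depends on a swayidle `before-sleep` hook (or equivalent) that is outside this hunk, and if that hook is missing, pulling the key leaves an unlocked session behind on resume. If locking is the goal, trigger a locker the same way the dongle rule does (`TAG+="systemd", ENV{SYSTEMD_WANTS}="<lock>.service"`) rather than `RUN+=`, which udev intends for short-lived programs and which runs detached from any user session. The match `ENV{PRODUCT}=="3/1050/407/110"` also pins the last field, which for HID devices appears to be the USB bcdDevice (firmware) value, so a second key or an updated firmware with a different value will never fire the rule; `3/1050/407/*` matches on vendor/product only. Either way the comment should state the actual effect, e.g. `# suspend when the yubikey is unplugged (screen lock relies on the before-sleep hook)`.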
{ lib, nix-secrets, ... }:
+let
+ secretsDirectory = builtins.toString nix-secrets;
+ yubikey1 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey1";
+ yubikey2 = lib.swarselsystems.getSecret "${secretsDirectory}/yubikey/yubikey2";
+in
+{
+ pam.yubico.authorizedYubiKeys = {
+ ids = [
+ "${yubikey1}"
+ "${yubikey2}"
+ ];
+ };
+}
+
+It is very convenient to have SSH aliases in place for machines that I use. This is mainly used for some server machines and some university clusters. We also enable agent forwarding to have our Yubikey SSH key accessible on the remote host. @@ -10212,7 +10372,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This
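Review bot: The two IDs are read through `lib.swarselsystems.getSecret` at evaluation time and interpolated into `pam.yubico.authorizedYubiKeys.ids`, so they end up in the built system closure in the world-readable Nix store; that is acceptable for Yubico OTP public IDs (the prefix every OTP emits is not a secret), but a comment saying so would stop someone later routing real key material through the same path — `# public OTP IDs only: these land in /nix/store, never put secret material here`. The options that actually turn the module on — `security.pam.yubico.enable`, `mode` and `control` — are outside this hunk; if `control` is left at its default (`sufficient`, as far as I recall) an OTP from either key on its own satisfies PAM, i.e. possession-only authentication for whatever services the module is attached to, which should be a conscious choice recorded in the org text. Style nit: `"${yubikey1}"` is just `yubikey1`.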
These section allows home-manager to allow theme settings, and handles some other appearance-related settings like cursor styles. Interestingly, system icons (adwaita) still need to be setup on system-level, and will break if defined here. @@ -10246,7 +10406,7 @@ This section has been notably empty ever since switching to stylix. Only Emacs i
Some programs lack a dmenu launcher - I define them myself here. @@ -10355,7 +10515,7 @@ _:
This section should be used in order to symlink already existing configuration files using `home.file` and setting session variables using `home.sessionVariables`. @@ -10404,7 +10564,7 @@ Also in firefox `about:config > toolkit.legacyUserProfileCustomizations.style
Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the Sway section. @@ -10442,7 +10602,7 @@ in
This section is for programs that require no further configuration. zsh Integration is enabled by default for these. @@ -10476,7 +10636,7 @@ This section is for programs that require no further configuration. zsh Integrat
nix-index provides a way to find out which packages are provided by which derivations. By default it also comes with a replacement for command-not-found.sh, however, the implementation is based on a channel based setup. I like consistency, so I replace the command with one that provides a flakes-based output.
@@ -10509,7 +10669,7 @@ nix-index provides a way to find out which packages are provided by which deriva
Enables password store with the pass-otp extension which allows me to store and generate one-time-passwords.
@@ -10531,7 +10691,7 @@ Enables password store with the pass-otp extension which allows me
Enables direnv, which I use for nearly all of my nix dev flakes. @@ -10551,7 +10711,7 @@ Enables direnv, which I use for nearly all of my nix dev flakes.
Eza provides me with a better ls command and some other useful aliases.
@@ -10575,7 +10735,7 @@ Eza provides me with a better ls command and some other useful alia
Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using Magit) as well as a git template defined in Linking dotfiles. @@ -10631,7 +10791,7 @@ in
Here I only need to set basic layout options - the rest is being managed by stylix. @@ -10657,7 +10817,7 @@ Here I only need to set basic layout options - the rest is being managed by styl
Starship makes my zsh look cooler! I have symbols for most programming languages and toolchains, also I build my own powerline.
@@ -10790,7 +10950,7 @@ Starship makes my zsh look cooler! I have symbols for most programm
Kitty is the terminal emulator of choice for me, it is nice to configure using nix, fast, and has a nice style. @@ -10818,7 +10978,7 @@ The theme is handled by stylix.
zsh is the most convenient shell for me and it happens to be super neat to configure within home manager. @@ -10938,7 +11098,7 @@ in
{ self, config, pkgs, ... }:
@@ -10964,7 +11124,7 @@ in
@@ -11072,7 +11232,7 @@ in
Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. @@ -11229,7 +11389,7 @@ in
By using the emacs-overlay NixOS module, I can install all Emacs packages that I want to use right through NixOS. This is done by passing my init.el file to the configuration which will then be parsed upon system rebuild, looking for use-package sections in the Elisp code. Also I define here the style of Emacs that I want to run - I am going with native Wayland Emacs here (emacs-pgtk). All of the nice options such as tree-sitter support are enabled by default, so I do not need to adjust the build process.
@@ -11322,7 +11482,7 @@ in
Again I am just using the first bar option here that I was able to find good understandable documentation for. Of note is that the `cpu` section's `format` is not defined here, but in section 1 (since not every machine has the same number of cores) @@ -11595,7 +11755,7 @@ The rest of the related configuration is found here:
Setting up firefox along with some policies that are important to me (mostly disabling telemetry related stuff as well as Pocket). I also enable some integrations that enable super useful packages, namely tridactyl and browserpass.
@@ -11836,8 +11996,10 @@ in
};
search = {
- default = "Kagi";
- privateDefault = "Kagi";
+ # default = "Kagi";
+ default = "Google";
+ # privateDefault = "Kagi";
+ privateDefault = "Google";
engines = {
"Kagi" = {
urls = [{
@@ -11908,14 +12070,14 @@ in
Services that can be defined through home-manager should be defined here.
Used for storing sessions in e.g. Nextcloud @@ -11933,7 +12095,7 @@ Used for storing sessions in e.g. Nextcloud
This enables phone/computer communication, including sending clipboard, files etc. Sadly on Wayland many of the features are broken (like remote control). @@ -11953,7 +12115,7 @@ This enables phone/computer communication, including sending clipboard, files et
Desktop notifications! @@ -12000,7 +12162,7 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
{ pkgs, ... }:
@@ -12038,7 +12200,7 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
I am currently using SwayFX, which adds some nice effects to sway, like rounded corners and hiding the separator between title and content of a window.
@@ -12343,7 +12505,8 @@ in
mode $exit {
bindsym --to-code {
s exec \"systemctl suspend\", mode \"default\"
- l exec \"swaylock --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2 --daemonize\"
+ h exec \"systemctl hibernate\", mode \"default\"
+ l exec \"swaylock --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2 --daemonize\", mode \"default\
p exec \"systemctl poweroff\"
r exec \"systemctl reboot\"
u exec \"swaymsg exit\"
@@ -12374,7 +12537,7 @@ in
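Review bot: The new `l` binding ends with `mode \"default\` while the `s` and `h` lines end with `mode \"default\"`, so unless this is an export artifact the closing quote is missing and the generated sway config line carries an unbalanced quote that sway will reject or misparse on reload; it should read `l exec \"swaylock --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2 --daemonize\", mode \"default\"`. Worth validating with `sway -C` before relying on it, because a broken exit-mode block means the lock shortcut silently does nothing. The `mode $exit` block opens inside the hunk, but the enclosing config string starts outside it.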
{ config, ... }:
@@ -12455,7 +12618,7 @@ in
Settinfs that are needed for the gpg-agent. Also we are enabling emacs support for unlocking my Yubikey here. @@ -12469,6 +12632,8 @@ in { services.gpg-agent = { enable = true; + enableZshIntegration = true; + enableScDaemon = true; enableSshSupport = true; enableExtraSocket = true; pinentryPackage = pkgs.pinentry.gtk2; @@ -12504,7 +12669,7 @@ in
This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways. @@ -17112,7 +17277,7 @@ sync USER HOST: