refactor: WIP

This commit is contained in:
Leon Schwarzäugl 2025-03-31 18:29:07 +02:00
parent 289f072c13
commit ecd37537cc
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
53 changed files with 2370 additions and 1932 deletions


@ -23,6 +23,7 @@
xdg.configFile = {
"tridactyl/tridactylrc".source = self + /programs/firefox/tridactyl/tridactylrc;
"tridactyl/themes/base16-codeschool.css".source = self + /programs/firefox/tridactyl/themes/base16-codeschool.css;
"tridactyl/themes/swarsel.css".source = self + /programs/firefox/tridactyl/themes/swarsel.css;
"swayidle/config".source = self + /programs/swayidle/config;
};
}


@ -1,9 +1,11 @@
_:
{ lib, config, ... }:
{
programs.appimage = {
enable = true;
binfmt = true;
options.swarselsystems.modules.appimage = lib.mkEnableOption "appimage config";
config = lib.mkIf config.swarselsystems.modules.appimage {
programs.appimage = {
enable = true;
binfmt = true;
};
};
}


@ -1,5 +1,8 @@
_:
{ lib, config, ... }:
{
services.blueman.enable = true;
services.hardware.bolt.enable = true;
options.swarselsystems.modules.blueman = lib.mkEnableOption "blueman config";
config = lib.mkIf config.swarselsystems.modules.blueman {
services.blueman.enable = true;
services.hardware.bolt.enable = true;
};
}


@ -8,10 +8,5 @@ in
"${modulesPath}/home/common/sharedsetup.nix"
];
nixpkgs.config.permittedInsecurePackages = [
"jitsi-meet-1.0.8043"
"electron-29.4.6"
"SDL_ttf-2.0.11"
];
}


@ -1,14 +1,16 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
distrobox
boxbuddy
];
options.swarselsystems.modules.distrobox = lib.mkEnableOption "distrobox config";
config = lib.mkIf config.swarselsystems.modules.distrobox {
environment.systemPackages = with pkgs; [
distrobox
boxbuddy
];
virtualisation.podman = {
enable = true;
dockerCompat = true;
package = pkgs.stable.podman;
virtualisation.podman = {
enable = true;
dockerCompat = true;
package = pkgs.stable.podman;
};
};
}


@ -1,16 +1,18 @@
{ lib, pkgs, ... }:
{ lib, config, pkgs, ... }:
{
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
options.swarselsystems.modules.env = lib.mkEnableOption "environment config";
config = lib.mkIf config.swarselsystems.modules.env {
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
};
};
};
# gstreamer plugins for nautilus (used for file metadata)
}
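Review bot: The comment `# gstreamer plugins for nautilus (used for file metadata)` is kept after the three closing `};` lines, where nothing follows it but the final `}`; it apparently explains the `GST_PLUGIN_SYSTEM_PATH_1_0` assignment several lines above. Moving it directly above that `sessionVariables` entry would make the search-path override self-explanatory, since neither the variable name nor the plugin list says why nautilus needs them.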


@ -1,9 +1,12 @@
_:
{ lib, config, ... }:
{
nix.gc = {
automatic = true;
randomizedDelaySec = "14m";
dates = "weekly";
options = "--delete-older-than 10d";
options.swarselsystems.modules.gc = lib.mkEnableOption "garbage collection config";
config = lib.mkIf config.swarselsystems.modules.gc {
nix.gc = {
automatic = true;
randomizedDelaySec = "14m";
dates = "weekly";
options = "--delete-older-than 10d";
};
};
}


@ -1,8 +1,11 @@
_:
{ lib, config, ... }:
{
services.gnome.gnome-keyring = {
enable = true;
};
options.swarselsystems.modules.gnome-keyring = lib.mkEnableOption "gnome-keyring config";
config = lib.mkIf config.swarselsystems.modules.gnome-keyring {
services.gnome.gnome-keyring = {
enable = true;
};
programs.seahorse.enable = true;
programs.seahorse.enable = true;
};
}


@ -1,4 +1,7 @@
_:
{ lib, config, ... }:
{
services.gvfs.enable = true;
options.swarselsystems.modules.gvfs = lib.mkEnableOption "gvfs config for nautilus";
config = lib.mkIf config.swarselsystems.modules.gvfs {
services.gvfs.enable = true;
};
}


@ -2,6 +2,7 @@
{
options.swarselsystems = {
modules.hardware = lib.mkEnableOption "hardware config";
hasBluetooth = lib.mkEnableOption "bluetooth availability";
hasFingerprint = lib.mkEnableOption "fingerprint sensor availability";
trackpoint = {
@ -12,7 +13,7 @@
};
};
};
config = {
config = lib.mkIf config.swarselsystems.modules.hardware {
hardware = {
# opengl.driSupport32Bit = true is replaced with graphics.enable32Bit and hence redundant
graphics = {


@ -1,8 +1,11 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
services.udev.packages = with pkgs; [
qmk-udev-rules
vial
via
];
options.swarselsystems.modules.keyboards = lib.mkEnableOption "keyboards config";
config = lib.mkIf config.swarselsystems.modules.keyboards {
services.udev.packages = with pkgs; [
qmk-udev-rules
vial
via
];
};
}


@ -1,9 +1,12 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
hardware.ledger.enable = true;
options.swarselsystems.modules.ledger = lib.mkEnableOption "ledger config";
config = lib.mkIf config.swarselsystems.modules.ledger {
hardware.ledger.enable = true;
services.udev.packages = with pkgs; [
ledger-udev-rules
];
services.udev.packages = with pkgs; [
ledger-udev-rules
];
};
}


@ -1,21 +1,16 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
programs.ssh.startAgent = false;
options.swarselsystems.modules.yubikey = lib.mkEnableOption "yubikey config";
config = lib.mkIf config.swarselsystems.modules.yubikey {
programs.ssh.startAgent = false;
services.pcscd.enable = false;
services.pcscd.enable = false;
hardware.gpgSmartcards.enable = true;
hardware.gpgSmartcards.enable = true;
services.udev.packages = with pkgs; [
yubikey-personalization
];
# systemd.services.shutdownSopsGpg = {
# path = [ pkgs.gnupg ];
# script = ''
# gpgconf --homedir /var/lib/sops --kill gpg-agent
# '';
# wantedBy = [ "multi-user.target" ];
# };
services.udev.packages = with pkgs; [
yubikey-personalization
];
};
}


@ -1,6 +1,9 @@
{ inputs, config, lib, ... }:
{
home-manager = lib.mkIf config.swarselsystems.withHomeManager {
extraSpecialArgs = { inherit (inputs) nix-secrets nixgl; };
options.swarselsystems.modules.home-managerExtra = lib.mkEnableOption "home-manager extras for non-chaostheatre";
config = lib.mkIf config.swarselsystems.modules.home-managerExtra {
home-manager = lib.mkIf config.swarselsystems.withHomeManager {
extraSpecialArgs = { inherit (inputs) nix-secrets nixgl; };
};
};
}


@ -1,8 +1,12 @@
{ inputs, config, lib, ... }:
{
home-manager = lib.mkIf config.swarselsystems.withHomeManager {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = { inherit (inputs) self; };
options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
config = lib.mkIf config.swarselsystems.modules.home-manager {
home-manager = lib.mkIf config.swarselsystems.withHomeManager {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = { inherit (inputs) self; };
};
};
}


@ -4,88 +4,91 @@ let
inherit (config.swarselsystems) homeDir isImpermanence isCrypted;
in
{
options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config";
config = lib.mkIf config.swarselsystems.modules.impermanence {
security.sudo.extraConfig = lib.mkIf isImpermanence ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
# This script does the actual wipe of the system
# So if it doesn't run, the btrfs system effectively acts like a normal system
# Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
boot.initrd.systemd.enable = lib.mkIf isImpermanence true;
boot.initrd.systemd.services.rollback = lib.mkIf isImpermanence {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = [ "initrd.target" ];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
# mount the root fs before clearing
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
security.sudo.extraConfig = lib.mkIf isImpermanence ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
};
# This script does the actual wipe of the system
# So if it doesn't run, the btrfs system effectively acts like a normal system
# Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
boot.initrd.systemd.enable = lib.mkIf isImpermanence true;
boot.initrd.systemd.services.rollback = lib.mkIf isImpermanence {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = [ "initrd.target" ];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
# mount the root fs before clearing
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
environment.persistence."/persist" = lib.mkIf isImpermanence {
hideMounts = true;
directories =
[
"/.cache/nix"
"/srv"
"/etc/nixos"
"/etc/nix"
"/etc/NetworkManager/system-connections"
# "/etc/secureboot"
"${homeDir}/.dotfiles"
"/var/db/sudo"
"/var/cache"
"/var/lib"
environment.persistence."/persist" = lib.mkIf isImpermanence {
hideMounts = true;
directories =
[
"/.cache/nix"
"/srv"
"/etc/nixos"
"/etc/nix"
"/etc/NetworkManager/system-connections"
# "/etc/secureboot"
"${homeDir}/.dotfiles"
"/var/db/sudo"
"/var/cache"
"/var/lib"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
};
}
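Review bot: The new `config = lib.mkIf config.swarselsystems.modules.impermanence { … }` wrapper sits on top of the existing `lib.mkIf isImpermanence` guards, so a host that sets `isImpermanence = true` but not `modules.impermanence` gets neither the rollback initrd service nor the persistence list and — as the comment on the rollback service itself says — boots as an ordinary persistent system without any error. The same silent fall-through applies to the `modules.lanzaboote` section further down, where `isSecureBoot` alone no longer enables lanzaboote from that module. Since `lib.mkEnableOption` defaults to false, consider deriving the default from the host flag, `options.swarselsystems.modules.impermanence = lib.mkEnableOption "impermanence config" // { default = config.swarselsystems.isImpermanence; };`, or adding an assertion that `isImpermanence` implies the module is enabled, so the mismatch fails evaluation instead of degrading the wipe-on-boot guarantee. `mapperTarget`, used by the rollback script, is bound in the `let` above this hunk.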


@ -1,29 +1,32 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
# Make CAPS work as a dual function ESC/CTRL key
services.interception-tools = {
enable = true;
udevmonConfig =
let
dualFunctionKeysConfig = builtins.toFile "dual-function-keys.yaml" ''
TIMING:
TAP_MILLISEC: 200
DOUBLE_TAP_MILLISEC: 0
options.swarselsystems.modules.interceptionTools = lib.mkEnableOption "interception tools config";
config = lib.mkIf config.swarselsystems.modules.interceptionTools {
# Make CAPS work as a dual function ESC/CTRL key
services.interception-tools = {
enable = true;
udevmonConfig =
let
dualFunctionKeysConfig = builtins.toFile "dual-function-keys.yaml" ''
TIMING:
TAP_MILLISEC: 200
DOUBLE_TAP_MILLISEC: 0
MAPPINGS:
- KEY: KEY_CAPSLOCK
TAP: KEY_ESC
HOLD: KEY_LEFTCTRL
MAPPINGS:
- KEY: KEY_CAPSLOCK
TAP: KEY_ESC
HOLD: KEY_LEFTCTRL
'';
in
''
- JOB: |
${pkgs.interception-tools}/bin/intercept -g $DEVNODE \
| ${pkgs.interception-tools-plugins.dual-function-keys}/bin/dual-function-keys -c ${dualFunctionKeysConfig} \
| ${pkgs.interception-tools}/bin/uinput -d $DEVNODE
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK]
'';
in
''
- JOB: |
${pkgs.interception-tools}/bin/intercept -g $DEVNODE \
| ${pkgs.interception-tools-plugins.dual-function-keys}/bin/dual-function-keys -c ${dualFunctionKeysConfig} \
| ${pkgs.interception-tools}/bin/uinput -d $DEVNODE
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK]
'';
};
};
}


@ -1,14 +1,17 @@
{ lib, config, ... }:
{
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
};
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 3;
options.swarselsystems.modules.lanzaboote = lib.mkEnableOption "lanzaboote config";
config = lib.mkIf config.swarselsystems.modules.lanzaboote {
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.swarselsystems.mkIfElse (config.swarselsystems.initialSetup || !config.swarselsystems.isSecureBoot) (lib.mkForce true) (lib.mkForce false);
};
lanzaboote = lib.mkIf (!config.swarselsystems.initialSetup && config.swarselsystems.isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 3;
};
};
};
}


@ -1,34 +1,37 @@
_:
{ lib, config, ... }:
{
services.logind = {
lidSwitch = "suspend";
lidSwitchDocked = "ignore";
};
services.acpid = {
enable = true;
handlers.lidClosed = {
event = "button/lid \\w+ close";
action = ''
cat /sys/class/backlight/amdgpu_bl1/device/enabled
if grep -Fxq disabled /sys/class/backlight/amdgpu_bl1/device/enabled
then
echo "Lid closed. Disabling fprintd."
systemctl stop fprintd
ln -s /dev/null /run/systemd/transient/fprintd.service
systemctl daemon-reload
fi
'';
options.swarselsystems.modules.lid = lib.mkEnableOption "lid config";
config = lib.mkIf config.swarselsystems.modules.lid {
services.logind = {
lidSwitch = "suspend";
lidSwitchDocked = "ignore";
};
handlers.lidOpen = {
event = "button/lid \\w+ open";
action = ''
if ! $(systemctl is-active --quiet fprintd); then
echo "Lid open. Enabling fprintd."
rm -f /run/systemd/transient/fprintd.service
systemctl daemon-reload
systemctl start fprintd
fi
'';
services.acpid = {
enable = true;
handlers.lidClosed = {
event = "button/lid \\w+ close";
action = ''
cat /sys/class/backlight/amdgpu_bl1/device/enabled
if grep -Fxq disabled /sys/class/backlight/amdgpu_bl1/device/enabled
then
echo "Lid closed. Disabling fprintd."
systemctl stop fprintd
ln -s /dev/null /run/systemd/transient/fprintd.service
systemctl daemon-reload
fi
'';
};
handlers.lidOpen = {
event = "button/lid \\w+ open";
action = ''
if ! $(systemctl is-active --quiet fprintd); then
echo "Lid open. Enabling fprintd."
rm -f /run/systemd/transient/fprintd.service
systemctl daemon-reload
systemctl start fprintd
fi
'';
};
};
};
}
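Review bot: `if ! $(systemctl is-active --quiet fprintd); then` in the `lidOpen` handler only works through the shell rule that a command line expanding to no words takes the exit status of its last command substitution; the conventional and equivalent form is `if ! systemctl is-active --quiet fprintd; then`. Both handlers also manage fprintd unconditionally and read the host-specific `/sys/class/backlight/amdgpu_bl1/device/enabled`, while the hardware module in this same commit already declares `hasFingerprint`; gating `services.acpid` on `config.swarselsystems.hasFingerprint` would keep the handlers off machines without a sensor. A one-line comment explaining the `ln -s /dev/null /run/systemd/transient/fprintd.service` trick in `lidClosed` would help the next reader, since the intent (keep fprintd from being restarted while the lid is shut) is not obvious from the commands alone.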


@ -1,20 +1,23 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
services.greetd = {
enable = true;
settings = {
initial_session.command = "sway";
default_session.command = ''
${pkgs.greetd.tuigreet}/bin/tuigreet \
--time \
--asterisks \
--user-menu \
--cmd sway
'';
options.swarselsystems.modules.login = lib.mkEnableOption "login config";
config = lib.mkIf config.swarselsystems.modules.login {
services.greetd = {
enable = true;
settings = {
initial_session.command = "sway";
default_session.command = ''
${pkgs.greetd.tuigreet}/bin/tuigreet \
--time \
--asterisks \
--user-menu \
--cmd sway
'';
};
};
};
environment.etc."greetd/environments".text = ''
sway
'';
environment.etc."greetd/environments".text = ''
sway
'';
};
}
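Review bot: `initial_session.command = "sway"` makes greetd launch sway directly at boot without showing tuigreet, i.e. an unauthenticated auto-login, and this hunk sets no `initial_session.user`, so unless that is merged in from another module there is no account for greetd to run it as. Because this is a security-relevant setting rather than a cosmetic one, document it inline: `# initial_session: auto-login at boot, bypasses tuigreet; later logins use default_session`. If the auto-login is unintended, dropping `initial_session` and keeping only `default_session` restores the greeter prompt at boot.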


@ -1,26 +1,29 @@
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:
{
systemd.user.services."battery-low" = {
enable = true;
description = "Timer for battery check that alerts at 10% or less";
partOf = [ "graphical-session.target" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "battery-low-notification"
''
if (( 10 >= $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") && $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") > 0 ));
then ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%")";
fi;
'';
options.swarselsystems.modules.lowBattery = lib.mkEnableOption "low battery notification config";
config = lib.mkIf config.swarselsystems.modules.lowBattery {
systemd.user.services."battery-low" = {
enable = true;
description = "Timer for battery check that alerts at 10% or less";
partOf = [ "graphical-session.target" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "battery-low-notification"
''
if (( 10 >= $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") && $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") > 0 ));
then ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%")";
fi;
'';
};
};
};
systemd.user.timers."battery-low" = {
wantedBy = [ "timers.target" ];
timerConfig = {
# Every Minute
OnCalendar = "*-*-* *:*:00";
Unit = "battery-low.service";
systemd.user.timers."battery-low" = {
wantedBy = [ "timers.target" ];
timerConfig = {
# Every Minute
OnCalendar = "*-*-* *:*:00";
Unit = "battery-low.service";
};
};
};
}
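Review bot: The `battery-low-notification` script runs the `acpi | head | rg | rg` pipeline three times inside one `if (( … ))` line, which is hard to read and turns into an arithmetic syntax error (`(( 10 >=  &&  > 0 ))`) whenever `acpi -b` prints nothing, e.g. on a host without a battery. Capturing the percentage once and guarding the empty case keeps the same threshold and the same notification text. `Type = "simple"` is also unusual for a timer-driven check that exits immediately; `Type = "oneshot"` describes it better. The `battery-low` timer below is fine as is.
```nix
ExecStart = pkgs.writeShellScript "battery-low-notification"
  ''
    pct=$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+")
    # acpi prints nothing without a battery; skip instead of feeding an empty string to (( ))
    if [[ -n "$pct" ]] && (( pct > 0 && pct <= 10 )); then
      ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$pct%"
    fi
  '';
# … unchanged: rest of serviceConfig and the battery-low timer …
```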


@ -1,245 +1,248 @@
{ lib, config, ... }:
{
networking = {
nftables.enable = lib.mkDefault true;
enableIPv6 = lib.mkDefault true;
firewall = {
checkReversePath = lib.mkDefault false;
enable = lib.mkDefault true;
allowedUDPPorts = [ 51820 ]; # 51820: wireguard
allowedTCPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
allowedUDPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
};
networkmanager = {
enable = true;
ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
environmentFiles = [
"${config.sops.templates."network-manager.env".path}"
options.swarselsystems.modules.network = lib.mkEnableOption "network config";
config = lib.mkIf config.swarselsystems.modules.network {
networking = {
nftables.enable = lib.mkDefault true;
enableIPv6 = lib.mkDefault true;
firewall = {
checkReversePath = lib.mkDefault false;
enable = lib.mkDefault true;
allowedUDPPorts = [ 51820 ]; # 51820: wireguard
allowedTCPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
profiles = {
"Ernest Routerford" = {
connection = {
id = "Ernest Routerford";
permissions = "";
type = "wifi";
};
ipv4 = {
dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
dns-search = "";
method = "auto";
};
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
};
};
allowedUDPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
};
LAN-Party = {
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
networkmanager = {
enable = true;
ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
environmentFiles = [
"${config.sops.templates."network-manager.env".path}"
];
profiles = {
"Ernest Routerford" = {
connection = {
id = "Ernest Routerford";
permissions = "";
type = "wifi";
};
ipv4 = {
dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
dns-search = "";
method = "auto";
};
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
};
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
eduroam = {
"802-1x" = {
eap = "ttls;";
identity = "$EDUID";
password = "$EDUPASS";
phase2-auth = "mschapv2";
LAN-Party = {
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
eduroam = {
"802-1x" = {
eap = "ttls;";
identity = "$EDUID";
password = "$EDUPASS";
phase2-auth = "mschapv2";
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
HH40V_39F5 = {
connection = {
id = "HH40V_39F5";
type = "wifi";
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
};
};
magicant = {
connection = {
id = "magicant";
type = "wifi";
HH40V_39F5 = {
connection = {
id = "HH40V_39F5";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
};
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "magicant";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
};
};
wireguardvpn = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
magicant = {
connection = {
id = "magicant";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "magicant";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
};
};
wireguard = { private-key = "$WIREGUARDPRIV"; };
"wireguard-peer.$WIREGUARDPUB" = {
endpoint = "$WIREGUARDENDPOINT";
allowed-ips = "0.0.0.0/0";
};
ipv4 = {
method = "ignore";
address1 = "192.168.3.3/32";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "ignore";
};
proxy = { };
};
"sweden-aes-128-cbc-udp-dns" = {
connection = {
autoconnect = "false";
id = "PIA Sweden";
type = "vpn";
wireguardvpn = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$WIREGUARDPRIV"; };
"wireguard-peer.$WIREGUARDPUB" = {
endpoint = "$WIREGUARDENDPOINT";
allowed-ips = "0.0.0.0/0";
};
ipv4 = {
method = "ignore";
address1 = "192.168.3.3/32";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "ignore";
};
proxy = { };
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
challenge-response-flags = "2";
cipher = "aes-128-cbc";
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
dev = "tun";
password-flags = "0";
remote = "sweden.privacy.network:1198";
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$VPNUSER";
};
vpn-secrets = { password = "$VPNPASS"; };
};
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
"sweden-aes-128-cbc-udp-dns" = {
connection = {
autoconnect = "false";
id = "PIA Sweden";
type = "vpn";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
challenge-response-flags = "2";
cipher = "aes-128-cbc";
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
dev = "tun";
password-flags = "0";
remote = "sweden.privacy.network:1198";
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$VPNUSER";
};
vpn-secrets = { password = "$VPNPASS"; };
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-${config.swarselsystems.mainUser}";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
};
};
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-${config.swarselsystems.mainUser}";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
};
};
};
};
};
};
};
systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.service" ];
systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.service" ];
};
}
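Review bot: The `"sweden-aes-128-cbc-udp-dns"` OpenVPN profile sets `compress = "yes"` next to `cipher = "aes-128-cbc"` and `auth = "sha1"`; compression of tunnel traffic is the precondition for compression-oracle attacks on VPN links, and current provider profiles generally no longer need it, so unless this provider still requires it `compress = "no"` (plus a comment recording why the legacy cipher/auth pair is kept) is the safer choice. In the `LAN-Party` profile the hard-coded `mac-address = "90:2E:16:D0:A1:87"` is committed in plain text while every other host-identifying value in this file comes from the sops-rendered `network-manager.env`; moving it to a `$LANMAC`-style substitution (name illustrative) would keep hardware identifiers out of the repository. The remaining lines are the `options`/`config` wrap of the existing profiles.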


@ -1,30 +1,33 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
# enable scanners over network
hardware.sane = {
enable = true;
extraBackends = [ pkgs.sane-airscan ];
};
options.swarselsystems.modules.networkDevices = lib.mkEnableOption "network device config";
config = lib.mkIf config.swarselsystems.modules.networkDevices {
# enable scanners over network
hardware.sane = {
enable = true;
extraBackends = [ pkgs.sane-airscan ];
};
# enable discovery and usage of network devices (esp. printers)
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
];
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
# enable discovery and usage of network devices (esp. printers)
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
];
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
}
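Review bot: `browsedConf` sets `BrowseRemoteProtocols all` and `CreateIPPPrinterQueues All`, and `services.avahi.openFirewall = true` opens mDNS on every interface, so cups-browsed will create a local queue for any printer advertised on whatever network the machine joins — including the wifi, hotspot and VPN networks configured in the network module of this same commit. The header comment `# enable discovery and usage of network devices (esp. printers)` does not say so; either restrict discovery with a `BrowseAllow` entry for the trusted subnet(s) or extend the comment to state that auto-created queues on untrusted networks are accepted. The module toggle `swarselsystems.modules.networkDevices` added here at least lets roaming hosts opt out of the whole block.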


@ -1,110 +1,113 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curl
dbus
dbus-glib
expat
ffmpeg
flac
fontconfig
freeglut
freetype
fuse3
gdk-pixbuf
glew110
glib
stable.gnome2.GConf
pango
gtk2
gtk3
icu
libGL
libappindicator-gtk2
libappindicator-gtk3
libcaca
libcanberra
libcap
libdbusmenu-gtk2
libdrm
libelf
libgcrypt
libglvnd
libidn
libindicator-gtk2
libjpeg
libmikmod
libnotify
libogg
libpng
libpng12
libpulseaudio
librsvg
libsamplerate
libtheora
libtiff
libudev0-shim
libunwind
libusb1
libuuid
libva
libvdpau
libvorbis
libvpx
libxkbcommon
libxml2
libz
mesa
nspr
nss
openssl
pango
pipewire
pixman
speex
stdenv.cc.cc
steam-fhsenv-without-steam
systemd
tbb
vulkan-loader
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libxcb
xorg.libxshmfence
zlib
];
options.swarselsystems.modules.nix-ld = lib.mkEnableOption "nix-ld config";
config = lib.mkIf config.swarselsystems.modules.nix-ld {
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curl
dbus
dbus-glib
expat
ffmpeg
flac
fontconfig
freeglut
freetype
fuse3
gdk-pixbuf
glew110
glib
stable.gnome2.GConf
pango
gtk2
gtk3
icu
libGL
libappindicator-gtk2
libappindicator-gtk3
libcaca
libcanberra
libcap
libdbusmenu-gtk2
libdrm
libelf
libgcrypt
libglvnd
libidn
libindicator-gtk2
libjpeg
libmikmod
libnotify
libogg
libpng
libpng12
libpulseaudio
librsvg
libsamplerate
libtheora
libtiff
libudev0-shim
libunwind
libusb1
libuuid
libva
libvdpau
libvorbis
libvpx
libxkbcommon
libxml2
libz
mesa
nspr
nss
openssl
pango
pipewire
pixman
speex
stdenv.cc.cc
steam-fhsenv-without-steam
systemd
tbb
vulkan-loader
xorg.libICE
xorg.libSM
xorg.libX11
xorg.libXScrnSaver
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXext
xorg.libXfixes
xorg.libXft
xorg.libXi
xorg.libXinerama
xorg.libXmu
xorg.libXrandr
xorg.libXrender
xorg.libXt
xorg.libXtst
xorg.libXxf86vm
xorg.libxcb
xorg.libxshmfence
zlib
];
};
};
}
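Review bot: `pango` appears twice in the new `programs.nix-ld.libraries` list (once after `stable.gnome2.GConf`, once after `openssl`); Nix keeps both entries, so this is harmless, but dropping one avoids the impression that two different packages are meant. The list is otherwise carried over unchanged under the new `options`/`config` wrap.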


@ -1,10 +1,13 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
system.activationScripts.diff = {
supportsDryActivation = true;
text = ''
${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff \
/run/current-system "$systemConfig"
'';
options.swarselsystems.modules.nvd = lib.mkEnableOption "nvd config";
config = lib.mkIf config.swarselsystems.modules.nvd {
system.activationScripts.diff = {
supportsDryActivation = true;
text = ''
${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff \
/run/current-system "$systemConfig"
'';
};
};
}


@ -1,123 +1,83 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
# yubikey packages
gnupg
yubikey-personalization
yubikey-personalization-gui
yubico-pam
yubioath-flutter
yubikey-manager
yubikey-manager-qt
yubikey-touch-detector
yubico-piv-tool
cfssl
pcsctools
pcscliteWithPolkit.out
options.swarselsystems.modules.packages = lib.mkEnableOption "install packages";
config = lib.mkIf config.swarselsystems.modules.packages {
environment.systemPackages = with pkgs; [
# yubikey packages
gnupg
yubikey-personalization
yubikey-personalization-gui
yubico-pam
yubioath-flutter
yubikey-manager
yubikey-manager-qt
yubikey-touch-detector
yubico-piv-tool
cfssl
pcsctools
pcscliteWithPolkit.out
# ledger packages
ledger-live-desktop
# ledger packages
ledger-live-desktop
# pinentry
dbus
swaylock-effects
syncthingtray-minimal
wl-mirror
# pinentry
dbus
swaylock-effects
syncthingtray-minimal
wl-mirror
# secure boot
sbctl
# secure boot
sbctl
libsForQt5.qt5.qtwayland
libsForQt5.qt5.qtwayland
# nix package database
nix-index
nixos-generators
# nix package database
nix-index
nixos-generators
# commit hooks
pre-commit
# commit hooks
pre-commit
# proc info
acpi
# proc info
acpi
# pci info
pciutils
usbutils
# pci info
pciutils
usbutils
# better make for general tasks
just
# better make for general tasks
just
screenshare
fullscreen
screenshare
fullscreen
# keyboards
qmk
vial
via
# keyboards
qmk
vial
via
# theme related
adwaita-icon-theme
# theme related
adwaita-icon-theme
# kde-connect
xdg-desktop-portal
xdg-desktop-portal-wlr
# kde-connect
xdg-desktop-portal
xdg-desktop-portal-wlr
# bluetooth
bluez
# bluetooth
bluez
ghostscript_headless
wireguard-tools
nixd
zig
zls
ansible-language-server
# lsp-related -------------------------------
# nix
# latex
# texlab
ghostscript_headless
# wireguard
wireguard-tools
# rust
# rust-analyzer
# clippy
# rustfmt
# go
# go
# gopls
# nix
nixd
# zig
zig
zls
# cpp
# clang-tools
# + cuda
# cudatoolkit
# ansible
# ansible-lint
ansible-language-server
# molecule
#lsp-bridge / python
# gcc
# gdb
# (python3.withPackages (ps: with ps; [ jupyter ipython pyqt5 epc orjson sexpdata six setuptools paramiko numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server ]))
# (python3.withPackages(ps: with ps; [ jupyter ipython pyqt5 numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server]))
# --------------------------------------------
];
# (stdenv.mkDerivation {
# name = "oama";
# src = pkgs.fetchurl {
# name = "oama";
# url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz";
# sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc=";
# };
# phases = [
# "unpackPhase"
# ];
# unpackPhase = ''
# mkdir -p $out/bin
# tar xvf $src -C $out/
# mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/
# '';
# })
];
nixpkgs.config.permittedInsecurePackages = [
"jitsi-meet-1.0.8043"
"electron-29.4.6"
"SDL_ttf-2.0.11"
];
};
}
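Review bot: The `nixpkgs.config.permittedInsecurePackages` list (`jitsi-meet-1.0.8043`, `electron-29.4.6`, `SDL_ttf-2.0.11`) moves into this module and is now only applied when `swarselsystems.modules.packages` is on, yet none of the three appears in the `environment.systemPackages` list above it, so the consumers presumably live in other modules and a host enabling those but not `packages` will fail evaluation on the insecure-package check. I would keep each allowance next to the module that actually pulls the package in, and give every entry a comment naming the consumer and the reason the known-vulnerable version is still required, e.g. `"electron-29.4.6" # required by <consumer>; drop once it builds on a supported electron`. Without that, the list tends to outlive the need for it and keeps vulnerable builds reachable on every host.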


@ -1,15 +1,19 @@
_: {
security.rtkit.enable = true; # this is required for pipewire real-time access
{ lib, config, ... }:
{
options.swarselsystems.modules.pipewire = lib.mkEnableOption "pipewire config";
config = lib.mkIf config.swarselsystems.modules.pipewire {
security.rtkit.enable = true; # this is required for pipewire real-time access
services.pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
audio.enable = true;
wireplumber.enable = true;
alsa = {
services.pipewire = {
enable = true;
support32Bit = true;
pulse.enable = true;
jack.enable = true;
audio.enable = true;
wireplumber.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
};
}


@ -1,20 +1,22 @@
_:
{ lib, config, ... }:
{
options.swarselsystems.modules.security = lib.mkEnableOption "security config";
config = lib.mkIf config.swarselsystems.modules.security {
security = {
pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
swaylock.u2fAuth = true;
swaylock.fprintAuth = false;
security = {
pam.services = {
login.u2fAuth = true;
sudo.u2fAuth = true;
swaylock.u2fAuth = true;
swaylock.fprintAuth = false;
};
polkit.enable = true;
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
Defaults env_keep+=XDG_RUNTIME_DIR
Defaults env_keep+=WAYLAND_DISPLAY
'';
};
polkit.enable = true;
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
Defaults env_keep+=XDG_RUNTIME_DIR
Defaults env_keep+=WAYLAND_DISPLAY
'';
};
}
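Review bot: The three `Defaults env_keep+=` lines in `sudo.extraConfig` carry no comment explaining why SSH_AUTH_SOCK, XDG_RUNTIME_DIR and WAYLAND_DISPLAY are preserved into the root environment; they let anything run under sudo reach the invoking user's ssh agent and Wayland session, which is presumably deliberate for sudo'd GUI tools but is the kind of exception a reader should not have to guess at. I would add `# deliberately expose the user's agent socket and Wayland session to sudo'd commands` above the first `Defaults` line. The rest of the block is only re-indented, so the pam and polkit settings themselves are unchanged.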


@ -1,4 +1,7 @@
_:
{ lib, config, ... }:
{
services.power-profiles-daemon.enable = true;
options.swarselsystems.modules.ppd = lib.mkEnableOption "power profiles daemon config";
config = lib.mkIf config.swarselsystems.modules.ppd {
services.power-profiles-daemon.enable = true;
};
}


@ -1,8 +1,11 @@
_:
{ lib, config, ... }:
{
programs = {
dconf.enable = true;
evince.enable = true;
kdeconnect.enable = true;
options.swarselsystems.modules.programs = lib.mkEnableOption "small program modules config";
config = lib.mkIf config.swarselsystems.modules.programs {
programs = {
dconf.enable = true;
evince.enable = true;
kdeconnect.enable = true;
};
};
}


@ -1,8 +1,11 @@
{ config, pkgs, lib, ... }: {
services.pulseaudio = {
enable = lib.mkIf (!config.services.pipewire.enable) true;
package = pkgs.pulseaudioFull;
options.swarselsystems.modules.pulseaudio = lib.mkEnableOption "pulseaudio config";
config = lib.mkIf config.swarselsystems.modules.pulseaudio {
services.pulseaudio = {
enable = lib.mkIf (!config.services.pipewire.enable) true;
package = pkgs.pulseaudioFull;
};
};
}


@ -1,45 +1,45 @@
{ lib, config, outputs, inputs, ... }:
{
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
};
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselsystems.modules.general {
nixpkgs = {
overlays = [ outputs.overlays.default ];
config = {
allowUnfree = true;
};
channel.enable = false;
registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
trusted-users = [ "@wheel" "${config.swarselsystems.mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
};
channel.enable = false;
registry = lib.mapAttrs (_: flake: { inherit flake; }) flakeInputs;
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
system.stateVersion = lib.mkDefault "23.05";
system.stateVersion = lib.mkDefault "23.05";
};
}
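Review bot: `system.stateVersion = lib.mkDefault "23.05";` now sits inside `config = lib.mkIf config.swarselsystems.modules.general`, so a host that does not enable `general` gets no stateVersion default from this module, together with losing the overlay, `allowUnfree`, the flake registry and the nix settings. stateVersion is a per-host invariant rather than a feature toggle, so I would take it out of the conditional by turning the config attribute into `config = lib.mkMerge [ { system.stateVersion = lib.mkDefault "23.05"; } (lib.mkIf config.swarselsystems.modules.general { ... }) ];`. Separately, `trusted-users = [ "@wheel" ... ]` makes every wheel member a trusted Nix user, which is effectively root-equivalent on the host; a short comment stating that this is intended would help the next reader.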


@ -4,48 +4,51 @@ let
inherit (config.swarselsystems) mainUser homeDir;
in
{
sops = lib.mkIf (!config.swarselsystems.isPublic) {
options.swarselsystems.modules.commonSops = lib.mkEnableOption "sops config";
config = lib.mkIf config.swarselsystems.modules.commonSops {
sops = lib.mkIf (!config.swarselsystems.isPublic) {
age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${homeDir}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${homeDir}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${homeDir}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
validateSopsFiles = false;
secrets = {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
};
templates = {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
'';
secrets = {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
};
templates = {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
'';
};
};
};
}


@ -1,7 +1,10 @@
_:
{ lib, config, ... }:
{
nix.optimise = {
automatic = true;
dates = [ "weekly" ];
options.swarselsystems.modules.storeOptimize = lib.mkEnableOption "store optimization config";
config = lib.mkIf config.swarselsystems.modules.storeOptimize {
nix.optimise = {
automatic = true;
dates = [ "weekly" ];
};
};
}


@ -1,14 +1,17 @@
{ lib, config, ... }:
{
stylix = lib.recursiveUpdate
{
targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper;
}
config.swarselsystems.stylix;
home-manager.users."${config.swarselsystems.mainUser}" = {
stylix = {
targets = config.swarselsystems.stylixHomeTargets;
options.swarselsystems.modules.stylix = lib.mkEnableOption "stylix config";
config = lib.mkIf config.swarselsystems.modules.stylix {
stylix = lib.recursiveUpdate
{
targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper;
}
config.swarselsystems.stylix;
home-manager.users."${config.swarselsystems.mainUser}" = {
stylix = {
targets = config.swarselsystems.stylixHomeTargets;
};
};
};
}


@ -1,23 +1,24 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
options.swarselsystems.modules.sway = lib.mkEnableOption "sway config";
config = lib.mkIf config.swarselsystems.modules.sway {
programs.sway = {
enable = true;
package = pkgs.swayfx;
wrapperFeatures = {
base = true;
gtk = true;
};
programs.sway = {
enable = true;
package = pkgs.swayfx;
wrapperFeatures = {
base = true;
gtk = true;
extraSessionCommands = ''
export XDG_SESSION_DESKTOP=sway
export SDL_VIDEODRIVER=wayland
export QT_QPA_PLATFORM=wayland-egl
export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
export QT_QPA_PLATFORM_PLUGIN_PATH="${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
export MOZ_ENABLE_WAYLAND=1
export MOZ_DISABLE_RDD_SANDBOX=1
'';
};
extraSessionCommands = ''
export XDG_SESSION_DESKTOP=sway
export SDL_VIDEODRIVER=wayland
export QT_QPA_PLATFORM=wayland-egl
export QT_WAYLAND_DISABLE_WINDOWDECORATION=1
export QT_QPA_PLATFORM_PLUGIN_PATH="${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
export MOZ_ENABLE_WAYLAND=1
export MOZ_DISABLE_RDD_SANDBOX=1
'';
};
}


@ -3,49 +3,52 @@ let
inherit (config.swarselsystems) mainUser homeDir;
in
{
services.syncthing = {
enable = true;
user = mainUser;
dataDir = homeDir;
configDir = "${homeDir}/.config/syncthing";
openDefaultPorts = true;
settings = {
devices = {
"magicant" = {
id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
options.swarselsystems.modules.syncthing = lib.mkEnableOption "syncthing config";
config = lib.mkIf config.swarselsystems.modules.syncthing {
services.syncthing = {
enable = true;
user = mainUser;
dataDir = homeDir;
configDir = "${homeDir}/.config/syncthing";
openDefaultPorts = true;
settings = {
devices = {
"magicant" = {
id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
};
"sync (@oracle)" = {
id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB";
};
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
};
"sync (@oracle)" = {
id = "ETW6TST-NPK7MKZ-M4LXMHA-QUPQHDT-VTSHH5X-CR5EIN2-YU7E55F-MGT7DQB";
};
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
};
folders = {
"Default Folder" = lib.mkDefault {
path = "${homeDir}/Sync";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "default";
};
"Obsidian" = {
path = "${homeDir}/Nextcloud/Obsidian";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "yjvni-9eaa7";
};
"Org" = {
path = "${homeDir}/Nextcloud/Org";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "${homeDir}/Vpn";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "hgp9s-fyq3p";
};
".elfeed" = {
path = "${homeDir}/.elfeed";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "h7xbs-fs9v1";
folders = {
"Default Folder" = lib.mkDefault {
path = "${homeDir}/Sync";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "default";
};
"Obsidian" = {
path = "${homeDir}/Nextcloud/Obsidian";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "yjvni-9eaa7";
};
"Org" = {
path = "${homeDir}/Nextcloud/Org";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "${homeDir}/Vpn";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "hgp9s-fyq3p";
};
".elfeed" = {
path = "${homeDir}/.elfeed";
devices = [ "sync (@oracle)" "magicant" "winters" ];
id = "h7xbs-fs9v1";
};
};
};
};


@ -1,8 +1,11 @@
_:
{ lib, config, ... }:
{
# systemd
systemd.extraConfig = ''
DefaultTimeoutStartSec=60s
DefaultTimeoutStopSec=15s
'';
options.swarselsystems.modules.systemdTimeout = lib.mkEnableOption "systemd timeout config";
config = lib.mkIf config.swarselsystems.modules.systemdTimeout {
# systemd
systemd.extraConfig = ''
DefaultTimeoutStartSec=60s
DefaultTimeoutStopSec=15s
'';
};
}


@ -1,22 +1,25 @@
_:
{ lib, config, ... }:
{
time = {
timeZone = "Europe/Vienna";
# hardwareClockInLocalTime = true;
};
options.swarselsystems.modules.time = lib.mkEnableOption "time config";
config = lib.mkIf config.swarselsystems.modules.time {
time = {
timeZone = "Europe/Vienna";
# hardwareClockInLocalTime = true;
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
};
};
};
}


@ -1,16 +1,19 @@
{ pkgs, config, lib, ... }:
{
sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
options.swarselsystems.modules.users = lib.mkEnableOption "user config";
config = lib.mkIf config.swarselsystems.modules.users {
sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
users = {
mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
users."${config.swarselsystems.mainUser}" = {
isNormalUser = true;
description = "Leon S";
password = lib.mkIf config.swarselsystems.initialSetup "setup";
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
users = {
mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
users."${config.swarselsystems.mainUser}" = {
isNormalUser = true;
description = "Leon S";
password = lib.mkIf config.swarselsystems.initialSetup "setup";
hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
extraGroups = [ "networkmanager" "syncthing" "docker" "wheel" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
};
};
};
}


@ -1,19 +1,20 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
xdg.portal = {
enable = true;
config = {
common = {
default = "wlr";
options.swarselsystems.modules.xdg-portal = lib.mkEnableOption "xdg portal config";
config = lib.mkIf config.swarselsystems.modules.xdg-portal {
xdg.portal = {
enable = true;
config = {
common = {
default = "wlr";
};
};
wlr.enable = true;
wlr.settings.screencast = {
output_name = "eDP-1";
chooser_type = "simple";
chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
};
};
wlr.enable = true;
wlr.settings.screencast = {
output_name = "eDP-1";
chooser_type = "simple";
chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
};
};
}


@ -1,9 +1,12 @@
_:
{ lib, config, ... }:
{
services.xserver = {
xkb = {
layout = "us";
variant = "altgr-intl";
options.swarselsystems.modules.xserver = lib.mkEnableOption "xserver keymap";
config = lib.mkIf config.swarselsystems.modules.packages {
services.xserver = {
xkb = {
layout = "us";
variant = "altgr-intl";
};
};
};
}
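Review bot: `config = lib.mkIf config.swarselsystems.modules.packages {` gates this module on the `packages` option instead of the `xserver` option declared on the line directly above it, so `swarselsystems.modules.xserver` has no effect and the keymap is applied exactly when the package module happens to be enabled. Change the line to `config = lib.mkIf config.swarselsystems.modules.xserver {`.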


@ -1,7 +1,10 @@
{ pkgs, ... }:
{ lib, config, pkgs, ... }:
{
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ];
environment.pathsToLink = [ "/share/zsh" ];
options.swarselsystems.modules.zsh = lib.mkEnableOption "zsh base config";
config = lib.mkIf config.swarselsystems.modules.zsh {
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ];
environment.pathsToLink = [ "/share/zsh" ];
};
}