{ self, lib, pkgs, config, ... }: let inherit (config.swarselsystems) mainUser homeDir xdgDir; iwd = config.networking.networkmanager.wifi.backend == "iwd"; owner = mainUser; sopsFile = self + /secrets/work/secrets.yaml; swarselService = name: description: execStart: { "${name}" = { enable = true; inherit description; serviceConfig = { ExecStart = execStart; User = mainUser; Group = "users"; Environment = [ "PATH=/run/current-system/sw/bin:/etc/profiles/per-user/${mainUser}/bin" "XDG_RUNTIME_DIR=${xdgDir}" "WAYLAND_DISPLAY=wayland-1" ]; Type = "oneshot"; StandardOutput = "journal"; StandardError = "journal"; }; }; }; in { options.swarselsystems = { modules.optional.work = lib.mkEnableOption "optional work settings"; hostName = lib.mkOption { type = lib.types.str; default = ""; }; fqdn = lib.mkOption { type = lib.types.str; default = ""; }; }; config = lib.mkIf config.swarselsystems.modules.optional.work { sops = let secretNames = [ "vcuser" "vcpw" "govcuser" "govcpw" "govcurl" "govcdc" "govcds" "govchost" "govcnetwork" "govcpool" "baseuser" "basepw" ]; in { secrets = builtins.listToAttrs ( map (name: { inherit name; value = { inherit owner sopsFile; }; }) secretNames ); templates = { "network-manager-work.env".content = '' BASEUSER=${config.sops.placeholder.baseuser} BASEPASS=${config.sops.placeholder.basepw} ''; }; }; boot.initrd = { systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence luks = { # disable "support" since we use systemd-cryptenroll # make sure yubikeys are enrolled using # sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2 yubikeySupport = false; fido2Support = false; }; }; programs = { zsh.shellInit = '' export VSPHERE_USER="$(cat ${config.sops.secrets.vcuser.path})" export VSPHERE_PW="$(cat ${config.sops.secrets.vcpw.path})" export GOVC_USERNAME="$(cat ${config.sops.secrets.govcuser.path})" export GOVC_PASSWORD="$(cat ${config.sops.secrets.govcpw.path})" export GOVC_URL="$(cat ${config.sops.secrets.govcurl.path})" export GOVC_DATACENTER="$(cat ${config.sops.secrets.govcdc.path})" export GOVC_DATASTORE="$(cat ${config.sops.secrets.govcds.path})" export GOVC_HOST="$(cat ${config.sops.secrets.govchost.path})" export GOVC_RESOURCE_POOL="$(cat ${config.sops.secrets.govcpool.path})" export GOVC_NETWORK="$(cat ${config.sops.secrets.govcnetwork.path})" ''; browserpass.enable = true; _1password.enable = true; _1password-gui = { enable = true; polkitPolicyOwners = [ "${mainUser}" ]; }; }; networking = { inherit (config.swarselsystems) hostName fqdn; networkmanager = { wifi.scanRandMacAddress = false; ensureProfiles = { environmentFiles = [ "${config.sops.templates."network-manager-work.env".path}" ]; profiles = { VBC = { "802-1x" = { eap = if (!iwd) then "ttls;" else "peap;"; identity = "$BASEUSER"; password = "$BASEPASS"; phase2-auth = "mschapv2"; }; connection = { id = "VBC"; type = "wifi"; }; ipv4 = { method = "auto"; }; ipv6 = { addr-gen-mode = "default"; method = "auto"; }; proxy = { }; wifi = { cloned-mac-address = "permanent"; mac-address = "E8:65:38:52:63:FF"; mac-address-randomization = "1"; mode = "infrastructure"; ssid = "VBC"; }; wifi-security = { auth-alg = "open"; key-mgmt = "wpa-eap"; }; }; }; }; }; firewall = { enable = lib.mkDefault true; trustedInterfaces = [ "virbr0" ]; }; search = [ "vbc.ac.at" "clip.vbc.ac.at" "imp.univie.ac.at" ]; }; virtualisation = { docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; spiceUSBRedirection.enable = true; libvirtd = { enable = true; qemu = { package = pkgs.qemu_kvm; runAsRoot = true; swtpm.enable = true; vhostUserPackages = with pkgs; [ virtiofsd ]; ovmf = { enable = true; packages = [ (pkgs.OVMFFull.override { secureBoot = true; tpmSupport = true; }).fd ]; }; }; }; }; environment.systemPackages = with pkgs; [ # (python39.withPackages (ps: with ps; [ # cryptography # ])) # docker stable24_11.python39 qemu packer gnumake libisoburn govc terraform opentofu dev.terragrunt graphviz azure-cli # vm virt-manager virt-viewer virtiofsd spice spice-gtk spice-protocol win-virtio win-spice ]; services = { spice-vdagentd.enable = true; openssh = { enable = true; extraConfig = '' ''; }; syncthing = { settings = { "winters" = { id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; }; "moonside@oracle" = { id = "VPCDZB6-MGVGQZD-Q6DIZW3-IZJRJTO-TCC3QUQ-2BNTL7P-AKE7FBO-N55UNQE"; }; folders = { "Documents" = { path = "${homeDir}/Documents"; devices = [ "magicant" "winters" "moonside@oracle" ]; id = "hgr3d-pfu3w"; }; }; }; }; udev.extraRules = '' # share screen when dongle detected SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="343c", ATTRS{idProduct}=="0000", TAG+="systemd", ENV{SYSTEMD_WANTS}="swarsel-screenshare.service" # lock screen when yubikey removed ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" ''; }; systemd.services = lib.mkMerge [ (swarselService "swarsel-screenshare" "Start screensharing after HDMI dongle is detected" "${pkgs.screenshare}/bin/screenshare -h") ]; # cgroups v1 is required for centos7 dockers # specialisation = { # cgroup_v1.configuration = { # boot.kernelParams = [ # "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" # "systemd.unified_cgroup_hierarchy=0" # ]; # }; # }; }; }